# `Condukt.Secrets`
[🔗](https://github.com/tuist/condukt/blob/0.16.5/lib/condukt/secrets.ex#L1)

Session-scoped secrets for agent tool execution.

`Condukt.Secrets` resolves trusted secret declarations into environment
variables while a session starts. The resolved values are not added to the
system prompt, user messages, or persisted session snapshots. Built-in tools
receive them through their execution environment when they spawn commands.

## Secret declarations

Configure secrets as a map or keyword list whose keys are the environment
variable names exposed to tools:

    MyApp.Agent.start_link(
      secrets: [
        GH_TOKEN: {:one_password, "op://Engineering/GitHub/token"},
        DATABASE_URL: {:env, "DATABASE_URL"}
      ]
    )

The built-in provider aliases are:

- `:one_password` or `:op` for `Condukt.Secrets.Providers.OnePassword`
- `:env` for `Condukt.Secrets.Providers.Env`
- `:static` for `Condukt.Secrets.Providers.Static`

Custom providers can be used directly:

    secrets: [
      API_TOKEN: {MyApp.Secrets.Vault, path: "agents/api-token"}
    ]

Later declarations for the same environment variable replace earlier ones.

## Redaction

Resolved secret values are exact-match redacted from tool results before they
are stored in the session history or sent back to the model. They are also
redacted from outbound user and tool messages as a final guard.

# `empty`

Returns an empty secrets container.

# `env`

Returns resolved environment variables as `{name, value}` tuples.

# `merge_env`

Merges trusted environment overrides with session secrets.

Session secrets win when the same variable is present in both places.

# `names`

Returns resolved secret environment variable names without values.

# `redact_messages`

Redacts resolved secret values from outbound messages.

# `redact_result`

Redacts resolved secret values from a tool result before it is stored.

# `redact_text`

Redacts resolved secret values from a binary.

# `redactor`

Returns a redactor spec for the resolved secrets.

The returned spec can be composed with any other `Condukt.Redactor` spec.
Returns `nil` when there are no resolved secrets.

# `resolve`

Resolves a user-supplied secret declaration into a secrets container.

---

*Consult [api-reference.md](api-reference.md) for complete listing*