output_dlp

Detects and handles sensitive output before it reaches users or downstream systems.

What it mitigates

Credential leakage in command/model output
Accidental disclosure of API keys and tokens
Secret propagation into logs, chat, or external APIs

Recommended defaults

Profile	action
`local`	`deny`
`standard`	`redact`
`unbounded`	`alert`

Minimal config

moduleConfig:
  output_dlp:
    action: redact
    # customPatterns:
    #   - "sk-[A-Za-z0-9]{20,}"

Rollout tips

Start with redact to reduce breakage.
Escalate to deny for high-risk channels.
Track redaction counts in audit for policy tuning.