feat(security): redact secrets from kernel outputs before they reach clients #1557

@rgbkrk

Description

Summary

Automatically detect and redact leaked secrets (API keys, tokens, passwords) from kernel outputs before they reach any client — MCP agents, the UI, or the blob store.

When user code accidentally prints a secret (e.g. print(os.environ["OPENAI_API_KEY"])), nteract should catch it at the daemon level and replace it with asterisks before any downstream consumer sees the value.

Motivation

Notebooks are a common vector for accidental secret leakage. Users print environment variables during debugging, API keys show up in error tracebacks, and tokens appear in HTTP response dumps. Today, those values flow through to:

  • The notebook UI (visible on screen, persisted in outputs)
  • MCP clients and agents (who receive output text via text/llm+plain summaries)
  • The blob store (persisted to disk)
  • .ipynb files (if saved)

This is especially dangerous in agent-assisted workflows where outputs are automatically consumed by LLMs.

Approach

  1. Detection: Match output text against known environment variable values from the kernel's environment. The daemon already knows the environment (it manages it).
  2. Redaction: Replace matched values with *** or a redaction marker before writing to the blob store or broadcasting to clients.
  3. Scope: Apply to all text MIME types in kernel outputs (text/plain, text/html, application/vnd.jupyter.stderr, error tracebacks).
  4. Opt-out: Users should be able to disable redaction for specific notebooks or globally if they need raw output.
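A sketch of the detection and redaction chokepoint that steps 1 through 4 describe, added here as an example and not code from nteract. It assumes each output arrives as a MIME-type to text map, uses a minimum value length so short environment values such as "1" are not treated as secrets, and takes the opt-out as a boolean flag.

```rust
use std::collections::HashMap;

/// Shortest env value treated as a secret; shorter ones ("1", "C") would match
/// inside ordinary output and cause false positives.
const MIN_SECRET_LEN: usize = 8;
/// Redaction marker (the issue proposes "***" or a marker).
const MARKER: &str = "***";

/// MIME types the issue proposes to scan: text/* plus the Jupyter stream types.
fn is_text_mime(mime: &str) -> bool {
    mime.starts_with("text/") || mime == "application/vnd.jupyter.stderr"
        || mime == "application/vnd.jupyter.stdout"
}

/// Redactable values from the kernel environment, longest first so a value
/// that contains another one is masked as a whole.
fn secret_values(env: &HashMap<String, String>) -> Vec<String> {
    let mut vals: Vec<String> =
        env.values().filter(|v| v.len() >= MIN_SECRET_LEN).cloned().collect();
    vals.sort_by(|a, b| b.len().cmp(&a.len()).then(a.cmp(b)));
    vals.dedup();
    vals
}

/// Replace every occurrence of every secret in one text with the marker.
fn redact_text(text: &str, secrets: &[String]) -> String {
    secrets.iter().fold(text.to_string(), |acc, s| acc.replace(s.as_str(), MARKER))
}

/// Redact one output's MIME bundle in place at the daemon chokepoint. Non-text
/// entries (image/png, ...) are left alone; `enabled == false` is the
/// per-notebook opt-out. Returns the number of entries that changed.
fn redact_bundle(bundle: &mut HashMap<String, String>, env: &HashMap<String, String>, enabled: bool) -> usize {
    if !enabled { return 0; }
    let secrets = secret_values(env);
    let mut changed = 0;
    for (mime, data) in bundle.iter_mut() {
        if is_text_mime(mime) {
            let redacted = redact_text(data, &secrets);
            if redacted != *data {
                *data = redacted;
                changed += 1;
            }
        }
    }
    changed
}
```

Matching every environment value also masks long benign ones such as PATH, so a real implementation would pair this with a name-based allow or deny list.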

Prior art

  • Password widget values are already filtered from text/llm+plain summaries (see output_resolver.rs)
  • The runtime agent subprocess architecture means redaction can happen at a single chokepoint before outputs fan out to clients
