Research · 2026-06-25

Reversible sentinels: masking secrets without losing context

design-docscrubr

The core trick behind SCRUBR: replace secrets with opaque authenticated placeholders the model can reason about, then restore the real values in the response — even mid-stream across fragmented SSE events.

Redaction destroys information: mask a database URL with [REDACTED] and the model can no longer tell you what is wrong with it. SCRUBR's design starts from the observation that the model does not need the value — it needs a stable, distinguishable reference.

The sentinel. Each detected secret is replaced by an opaque placeholder carrying a truncated HMAC-SHA256 tag. Sentinels are stable within a session (the same secret masks to the same placeholder, so the model can reason about "this credential" across turns), authenticated (a forged or corrupted sentinel fails verification rather than rehydrating), and meaningless off the proxy (the mapping lives in an AES-256-GCM-encrypted session vault, memory or Redis).

The round trip. Outbound, a single pass runs the whole detection stack — Aho-Corasick glossary, regex meta-engine, entropy, heuristic NER — at sub-millisecond, near-zero-allocation cost that stays roughly flat as rules grow. Inbound, the response is scanned for sentinels and the real values are restored before the client sees them.

The hard part is streaming. LLM responses arrive as SSE token events, and a sentinel can be split across any boundary. The rehydrator holds a bounded suffix window so a placeholder fragmented across chunks is still recognized and restored — correctly, and without buffering the stream into uselessness. This is the detail that separates the design from a regex in a proxy: the demo works either way, but production traffic streams.

The provider sees structure without substance; the user sees a fully reconstituted answer; the wire between them never carried the secret.

Canonical: scrubr repo · DESIGN.md (reversible-sentinel model + streaming rehydration)