AI-agent secrets are in transit when a request hits a third-party LLM router or MCP proxy, and that router's audit log is not a control: by the time it logs the request, the credential already crossed your perimeter in plaintext. The fix is to redact at egress, before the bytes leave.

In short:

A secret going to your own model provider on an Authorization header is the expected path. The same secret going to a router, gateway, or MCP proxy is a leak, because that host reads your plaintext.

boundary_leak_probe.py reads one JSON egress map and classifies every secret-bearing field by destination trust. On the leaky fixture: 3 requests, 2 of them to third-party intermediaries, 5 fields crossing the boundary, 6 rule-hits, 2 critical wallet secrets. Exit 1.

The 2 critical ones are an Ethereum private key and a BIP-39 mnemonic, sitting in MCP tool-call arguments headed to a proxy. Signer material should never transit any middleman.