Every developer using Claude, ChatGPT, or Codex has done this: select a bunch of files, paste them into the chat, and ask a question. It works — until two things quietly bite you.
Failure mode 1: you paste a secret
config.js, .env.local, a test fixture — it only takes one file with api_key = "sk-ant-..." in it, and now your key is sitting in a third-party prompt log. You won't get an error. You'll just have leaked a credential.
The fix is boring but essential: scan for secrets before the text ever leaves your machine. API keys have recognizable shapes — sk-ant-, sk-, AKIA..., ghp_..., -----BEGIN PRIVATE KEY-----. A pre-flight pass can mask them:
config.js → api_key = "<redacted:ANTHROPIC_KEY>"






