Secret proximity is exposure
A credential does not need to be committed publicly to be risky. Broad agent-readable scope can move values into prompts, logs, summaries, patches, screenshots, or external tools.
Detection must preserve secrecy
CapitalGuard reports secret-like file paths and risk patterns while keeping raw secret values redacted from screens, reports, analytics, and support workflows.
Prevention requires blocked paths
Move secrets to managed vaults, rotate potentially exposed credentials, block secret-bearing paths, and require approval before agents inspect production configuration.
