Sweep
Find and redact secrets leaked into AI coding tool configurations. Scan the local config directories of Claude, Cursor, Windsurf, Codex, and Antigravity for exposed API keys, tokens, and credentials — then redact or delete them with an encrypted vault for recovery.
What It Does
Every time an AI coding agent runs in your project, it caches files, logs conversations, and stores paste buffers locally. If any of those files contain API keys, tokens, or credentials, those secrets now live in plaintext across multiple directories on your machine — outside your project, outside version control, outside your threat model.
Sweep scans these config directories using gitleaks, detects leaked secrets, and gives you three options:
- Dry run. See what's exposed without changing anything.
- Mask secrets in-place. Originals are saved to an encrypted vault.
- Remove residue files entirely. Secrets are saved to the vault first.
Config files your tools need to function (settings.json, auth.json, .env) are never touched. Sweep only targets residue — file history, session logs, paste caches, and conversation dumps.
Why It Matters
A single .env file read by an AI agent during a debugging session can result in that file's contents being copied to multiple locations. These are not git-tracked. Secret scanners that run on your repo will never see them. But anyone with read access to your home directory can.
| Tool | Directory | Residue locations |
|---|---|---|
| Claude Code | ~/.claude | file-history, projects/**/**.jsonl, paste-cache, history.jsonl |
| Cursor | ~/.config/Cursor | logs, session data |
| Windsurf | ~/.codeium | logs, activity data |
| Codex | ~/.codex | sessions, vendor imports |
| Antigravity | ~/.antigravity | session data, caches |
Setup
Requirements
- gitleaks — the secret detection engine
- jq — JSON processing (used internally)
- openssl — vault encryption (ships with macOS and Linux)
- Python 3.8+ — Warden runtime
$ brew install gitleaks jq
Install Prismor
Sweep is part of the Warden CLI. Install Prismor if you haven't already:
$ git clone https://github.com/PrismorSec/immunity-agent.git ~/.prismor
$ bash ~/.prismor/scripts/init.sh .
Usage
Scan (dry run)
See what's exposed without changing anything:
$ warden sweep
[sweep] Found claude config: ~/.claude
[sweep] Found codex config: ~/.codex
[sweep] Scanning ~/.claude...
[sweep] Scanning ~/.codex...
[sweep] Found 1200 secret(s): 1197 in residue, 3 in config files
* anthropic-api-key (18 occurrences)
~/.claude/file-history/abc123/config@v1:102
...and 16 more
* stripe-access-token (48 occurrences)
...
[sweep] 3 secret(s) in config files (skipped)
[sweep] Dry run - no files modified.
Scan a specific directory
$ warden sweep . # current directory
$ warden sweep /path/to/project # any folder
$ warden sweep ~/proj-a ~/proj-b # multiple folders
Redact secrets
Replace secrets in residue files with masked versions (e.g., sk-an****...), saving originals to an encrypted vault:
$ warden sweep --redact
Your vault passphrase is shown once.
On first run, you'll be asked to create a passphrase to encrypt the vault. This passphrase cannot be recovered. If you lose it, the vault is permanently locked. Store it in a password manager or encrypted note — not in a file inside these config directories.
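The redaction step above in working form, as an added example that is not Sweep's own code: findings arrive in a gitleaks-like shape (file, line, secret, rule), the mask keeps a short prefix in the `sk-an****...` style the page shows, config files named in the page (settings.json, auth.json, .env) are skipped, and each masked secret produces the vault record the page describes (path, line, column, original, mask, rule, timestamp). The in-memory file map and the key value are constructed sample data, and the `keep` prefix length is an assumption.

```python
"""Mask secrets in residue files and record what was replaced.

Added example, not Sweep's own code. Findings are given in a gitleaks-like
shape (file, line, secret, rule); the mask style follows the page
(sk-an****...). The residue/config split uses the file names the page says
are never touched; the in-memory file map is constructed sample data.
"""
import datetime
from pathlib import PurePosixPath

# Live tool config the page says Sweep never modifies.
PROTECTED_NAMES = {"settings.json", "auth.json", ".env"}


def is_protected_config(path: str) -> bool:
    return PurePosixPath(path).name in PROTECTED_NAMES


def mask_secret(secret: str, keep: int = 5) -> str:
    """Keep a short recognisable prefix, hide the rest: sk-an****... (keep=5 is assumed)."""
    return secret[:keep] + "****..."


def redact_text(path: str, text: str, findings: list) -> tuple:
    """Mask each finding on its reported line; return (new_text, vault entries).

    A finding whose secret is not on the reported line is skipped rather
    than searched for elsewhere, so a stale scan never rewrites the wrong line.
    """
    lines = text.split("\n")
    entries = []
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
    for f in findings:
        idx = f["line"] - 1
        if not (0 <= idx < len(lines)) or f["secret"] not in lines[idx]:
            continue
        column = lines[idx].index(f["secret"]) + 1  # 1-based, like gitleaks
        masked = mask_secret(f["secret"])
        lines[idx] = lines[idx].replace(f["secret"], masked)
        entries.append({
            "file": path, "line": f["line"], "column": column,
            "original": f["secret"], "mask": masked,
            "rule": f["rule"], "timestamp": stamp,
        })
    return "\n".join(lines), entries


def sweep(files: dict, findings: list) -> dict:
    """Redact every residue file that has findings; leave config files alone."""
    by_file = {}
    for f in findings:
        by_file.setdefault(f["file"], []).append(f)
    redacted, vault, skipped = {}, [], []
    for path, fs in by_file.items():
        if is_protected_config(path):
            skipped.append(path)  # reported, never rewritten
            continue
        new_text, entries = redact_text(path, files[path], fs)
        redacted[path] = new_text
        vault.extend(entries)
    return {"files": redacted, "vault": vault, "skipped": skipped}


# Constructed sample data: the key below is not a real credential.
FAKE_KEY = "sk-ant-CONSTRUCTED-not-a-real-key-000000"
SAMPLE_FILES = {
    "~/.claude/file-history/abc123/config@v1":
        "ANTHROPIC_API_KEY=" + FAKE_KEY + "\nDEBUG=true\n",
    "~/.claude/settings.json":
        '{"apiKey": "' + FAKE_KEY + '"}\n',
}
SAMPLE_FINDINGS = [
    {"file": "~/.claude/file-history/abc123/config@v1", "line": 1,
     "secret": FAKE_KEY, "rule": "anthropic-api-key"},
    {"file": "~/.claude/settings.json", "line": 1,
     "secret": FAKE_KEY, "rule": "anthropic-api-key"},
]

if __name__ == "__main__":
    result = sweep(SAMPLE_FILES, SAMPLE_FINDINGS)
    for path, text in result["files"].items():
        print(path, "->", text.splitlines()[0])
    print("vault entries:", len(result["vault"]), "skipped:", result["skipped"])
```

The residue file comes back with only the masked line changed, the settings.json finding is reported but left intact, and the one vault entry carries the original value plus its 1-based line and column so a later restore can put it back exactly where it was.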
Delete residue files
Use this when you'd rather remove the files entirely. It requires your vault passphrase to authorize the deletion, which prevents a rogue agent from deleting evidence:
$ warden sweep --clean
Restore from vault
$ warden sweep --show-vault # inspect vault
$ warden sweep --restore --all # restore everything
$ warden sweep --restore --file ~/.claude/file-history/abc # restore one file
Redact without backup (purge mode)
If you've already rotated the leaked keys and don't need recovery:
$ warden sweep --redact --purge
No vault is created. No recovery is possible. Use this when the correct response to a leak is rotation, not restoration.
Parameters
| Flag | Description |
|---|---|
| (positional) | Directories to scan (default: AI tool config dirs) |
| --redact | Mask secrets and save originals to encrypted vault |
| --clean | Delete files containing secrets (passphrase required) |
| --restore | Restore secrets from vault |
| --show-vault | Display vault contents (passphrase required) |
| --purge | With --redact: skip vault, no recovery |
| --all | With --restore: restore all entries |
| --file PATH | With --restore: restore only this file |
Environment variables
| Variable | Description |
|---|---|
| PRISMOR_SWEEP_PASS | Vault passphrase for non-interactive / CI use |
| PRISMOR_HOME | Override Prismor home directory (default: ~/.prismor) |
Examples
Example 1: First-time audit of your machine
You've been using Claude Code and Cursor for months. You want to know what's leaked.
# Step 1: See the damage
$ warden sweep
# Found 847 secret(s): 840 in residue, 7 in config files
# Step 2: Redact everything in residue
$ warden sweep --redact
# Creates vault, masks 840 secrets. Config files untouched.
# Step 3: Verify
$ warden sweep
# Found 7 secret(s): 0 in residue, 7 in config files
# Clean. Only intentional config secrets remain.
Example 2: Scanning a project before sharing
You're about to share a project folder with a colleague or push to a public repo. Sweep it first:
# Scan and redact just this project
$ warden sweep ./my-project --redact
# Or be aggressive - delete any file with leaked secrets
$ warden sweep ./my-project --clean
The Vault
All redacted secrets are stored in a single encrypted file:
- Encrypted with AES-256-CBC + PBKDF2 via OpenSSL
- Protected by a passphrase you choose on first run
- Accumulates entries across runs (one file, not many)
- Each entry records: file path, line, column, original secret, mask, detection rule, and timestamp
The passphrase is never stored anywhere. If you lose it, the vault cannot be decrypted. Store it in a password manager.
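The vault scheme described above, as an added example rather than Sweep's own vault code: one file, AES-256-CBC with PBKDF2 key derivation through the `openssl` CLI, a passphrase read from PRISMOR_SWEEP_PASS (the variable the page lists for non-interactive use), and entries accumulated across runs by decrypting, appending and re-encrypting. The JSON-list layout of the vault body, the iteration count and the demo entries are assumptions; the page does not state them. Plaintext is piped through openssl's stdin/stdout so it is never written to disk, and the encrypted file is created with mode 0600.

```python
"""Single encrypted vault file, appended to across runs.

Added example (not Sweep's own vault code). It uses the scheme the page
names, AES-256-CBC with PBKDF2 via the openssl CLI, and reads the
passphrase from PRISMOR_SWEEP_PASS as the page's env-var table suggests.
Assumed here: the vault body is a JSON list of entries, and the PBKDF2
iteration count below.
"""
import json
import os
import shutil
import subprocess
import tempfile

PBKDF2_ITER = "600000"  # assumption; openssl's own default is 10000


class VaultError(Exception):
    """Raised when the vault cannot be decrypted (wrong passphrase or damage)."""


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def _openssl(data: bytes, passphrase: str, decrypt: bool) -> bytes:
    """Run openssl enc over stdin/stdout so plaintext never touches disk."""
    cmd = ["openssl", "enc", "-aes-256-cbc", "-pbkdf2", "-iter", PBKDF2_ITER,
           "-salt", "-pass", "env:PRISMOR_SWEEP_PASS"]
    if decrypt:
        cmd.append("-d")
    # The passphrase goes in via the environment, not the argv (argv is
    # visible to every process on the host via ps).
    env = dict(os.environ, PRISMOR_SWEEP_PASS=passphrase)
    proc = subprocess.run(cmd, input=data, capture_output=True, env=env)
    if proc.returncode != 0:
        raise VaultError(proc.stderr.decode(errors="replace").strip())
    return proc.stdout


def read_vault(path: str, passphrase: str) -> list:
    """Return the entry list, or [] when the vault does not exist yet."""
    if not os.path.exists(path):
        return []
    with open(path, "rb") as fh:
        blob = fh.read()
    try:
        return json.loads(_openssl(blob, passphrase, decrypt=True))
    except ValueError as exc:  # a wrong passphrase can also yield garbage bytes
        raise VaultError("vault did not decrypt to valid JSON") from exc


def write_vault(path: str, passphrase: str, entries: list) -> None:
    """Encrypt the full entry list and write it owner-readable only."""
    blob = _openssl(json.dumps(entries).encode(), passphrase, decrypt=False)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(blob)


def append_entries(path: str, passphrase: str, new_entries: list) -> int:
    """Decrypt, extend, re-encrypt. Returns the total entry count."""
    entries = read_vault(path, passphrase)
    entries.extend(new_entries)
    write_vault(path, passphrase, entries)
    return len(entries)


def _entry(file: str, line: int, column: int, original: str, rule: str) -> dict:
    # Constructed entries in the shape the page lists; values are not real secrets.
    return {"file": file, "line": line, "column": column, "original": original,
            "mask": original[:5] + "****...", "rule": rule,
            "timestamp": "2024-01-01T00:00:00+00:00"}


def demo() -> dict:
    """Two runs appending to one vault, then a wrong-passphrase attempt."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = os.path.join(tmp, "vault.enc")
        pw = "constructed-demo-passphrase"
        first = append_entries(vault, pw, [
            _entry("~/.claude/file-history/abc123/config@v1", 102, 19,
                   "sk-ant-CONSTRUCTED-0000", "anthropic-api-key")])
        second = append_entries(vault, pw, [
            _entry("~/.codex/sessions/s1.jsonl", 7, 40,
                   "sk_test_CONSTRUCTED_1111", "stripe-access-token"),
            _entry("~/.claude/paste-cache/p9", 1, 1,
                   "ghp_CONSTRUCTED2222", "github-pat")])
        try:
            read_vault(vault, "wrong-passphrase")
            rejected = False
        except VaultError:
            rejected = True
        with open(vault, "rb") as fh:
            header = fh.read(8)  # openssl enc writes "Salted__" + 8-byte salt
        return {"after_first": first, "after_second": second,
                "wrong_pass_rejected": rejected, "salted_header": header == b"Salted__"}


if __name__ == "__main__":
    print(demo())
```

Two points worth noting in the design: the second run must decrypt before it can append, so a wrong passphrase fails closed instead of silently creating a second vault, and because the whole file is re-encrypted with a fresh salt on every write, an attacker who copies the vault between runs learns nothing about which entries changed.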