CRUMB is designed for portable context, which means it is easy to copy, paste, share, commit, and attach.
That portability is useful, but it also means safety checks matter.
Use crumb lint before sharing or committing sensitive CRUMBs:
crumb lint handoff.crumb --secrets --strictSupported checks:
- likely secrets and credentials
- suspicious or malformed headers
- large raw logs
- token-budget overruns from
max_total_tokensandmax_index_tokens
0— no blocking issues1— security findings or warnings under--strict2— parse or file-level failure
Initial secret linting covers likely:
- OpenAI keys
- GitHub tokens
- AWS access keys
- Slack tokens
- Bearer tokens
- JWTs
- generic
api_key=...,token=...,password=...,secret=...assignments
These are heuristic warnings, not perfect proofs. Treat them as a safety net, not a substitute for review.
To redact obvious credentials:
crumb lint handoff.crumb --secrets --redactBehavior:
- by default, redaction writes back to the source file
- if
--outputis provided, CRUMB writes the redacted result there instead
Before pasting a CRUMB into a hosted AI or public issue:
- Run
crumb lint --secrets. - Remove or redact raw credentials.
- Avoid dumping giant
[entries],[logs], or[raw_sessions]sections unless they are truly needed. - Prefer packed task/mem/map artifacts over raw transcripts.
Core CRUMB functionality does not require remote APIs.
- validation is local
- linting is local
- pack building is deterministic and local
- bridge export can run from saved text
- optional compression can use Ollama locally
That local-first bias is deliberate.