AI makes mistakes! Undisk makes recovery instant: every write is versioned, every file is reversible.
See it heal →

Secret Detection

write_file, create_file, append_log, and staged uploads (upload_session action: “complete”) are scanned for 20+ secret patterns before content reaches storage. Matched secrets are blocked by default; the full secret never persists. 
{ "secretScanning": { "enabled": true, "block": true, "allowPatterns": [] } }
Built-in patterns: AWS keys, GitHub PATs, Stripe keys, OpenAI/Anthropic keys, Slack tokens, GCP/Azure credentials, private keys, JWTs, database URLs, and generic secret assignments.
Note: restore_version does not re-run secret scanning. If an old version contains a secret that was previously allowed, restoring it will succeed. Secret scanning is also subject to policy — if you need to store secrets for agent use, see the vault_secret tool below. See also Common Errors for restore behavior details.