job-forge 2.14.29 → 2.14.30

package/.cursor/rules/main.mdc

@@ -89,11 +89,14 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [D17] Treat `templates/postflight.json` as the source of truth for multi-apply dispatch settlement. Save the JSON preflight plan and per-round observed dispatch/outcome/artifact records, then run `npx job-forge postflight:status --plan <plan.json> --outcomes <outcomes.json>` after each round and `npx job-forge postflight:check ...` after merge/verify. Follow its next action instead of inferring completion from subagent prose.
   why: `iso-postflight` is not an MCP and adds no prompt/tool-schema tokens; it makes "round complete", missing TSVs, failed candidates, replacements, merge, and verify an executable local gate instead of repeated orchestration prose
 
+- [D18] Treat `templates/redact.json` as the source of truth before exporting local traces, prompts, reports, or fixtures outside the project. Use `npx job-forge redact:scan --input <file>`, `redact:apply --input <file> --output .jobforge-redacted/<file>`, or `redact:verify --input <file>` instead of hand-redacting with prose. This complements H8; it does not make it acceptable to paste secrets into prompts.
+  why: `iso-redact` is not an MCP and adds no prompt/tool-schema tokens; it gives deterministic safe-export checks whose findings do not print matched secret values
+
 ## Procedure
 
 1. Check `cv.md`, `profile.yml`, and `portals.yml`; onboard if any file is missing.
 2. Pick and name the mode from **Routing** [D6]. No match → ask; do not guess.
-3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Decide inline vs delegated work [D1].
+3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Use redaction checks before exporting local artifacts [D18]. Decide inline vs delegated work [D1].
 4. Prepare Geometra dispatches: cleanup [H3], canon/index/ledger prefilter when useful [D8, D13, D15], dedupe [H2], location filter [D5], materialize candidate facts/gates and run preflight plan/check [D16], routing [D2, D10], proxy prompt hygiene [H8].
 5. Dispatch at most 2 tasks per round [H1]; wait for final outcomes, not just task ids [H5b], then settle the round with postflight status [D17].
 6. Keep multi-job form-filling out of the orchestrator [H4].

package/AGENTS.md

@@ -84,11 +84,14 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [D17] Treat `templates/postflight.json` as the source of truth for multi-apply dispatch settlement. Save the JSON preflight plan and per-round observed dispatch/outcome/artifact records, then run `npx job-forge postflight:status --plan <plan.json> --outcomes <outcomes.json>` after each round and `npx job-forge postflight:check ...` after merge/verify. Follow its next action instead of inferring completion from subagent prose.
   why: `iso-postflight` is not an MCP and adds no prompt/tool-schema tokens; it makes "round complete", missing TSVs, failed candidates, replacements, merge, and verify an executable local gate instead of repeated orchestration prose
 
+- [D18] Treat `templates/redact.json` as the source of truth before exporting local traces, prompts, reports, or fixtures outside the project. Use `npx job-forge redact:scan --input <file>`, `redact:apply --input <file> --output .jobforge-redacted/<file>`, or `redact:verify --input <file>` instead of hand-redacting with prose. This complements H8; it does not make it acceptable to paste secrets into prompts.
+  why: `iso-redact` is not an MCP and adds no prompt/tool-schema tokens; it gives deterministic safe-export checks whose findings do not print matched secret values
+
 ## Procedure
 
 1. Check `cv.md`, `profile.yml`, and `portals.yml`; onboard if any file is missing.
 2. Pick and name the mode from **Routing** [D6]. No match → ask; do not guess.
-3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Decide inline vs delegated work [D1].
+3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Use redaction checks before exporting local artifacts [D18]. Decide inline vs delegated work [D1].
 4. Prepare Geometra dispatches: cleanup [H3], canon/index/ledger prefilter when useful [D8, D13, D15], dedupe [H2], location filter [D5], materialize candidate facts/gates and run preflight plan/check [D16], routing [D2, D10], proxy prompt hygiene [H8].
 5. Dispatch at most 2 tasks per round [H1]; wait for final outcomes, not just task ids [H5b], then settle the round with postflight status [D17].
 6. Keep multi-job form-filling out of the orchestrator [H4].

package/CLAUDE.md

@@ -84,11 +84,14 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [D17] Treat `templates/postflight.json` as the source of truth for multi-apply dispatch settlement. Save the JSON preflight plan and per-round observed dispatch/outcome/artifact records, then run `npx job-forge postflight:status --plan <plan.json> --outcomes <outcomes.json>` after each round and `npx job-forge postflight:check ...` after merge/verify. Follow its next action instead of inferring completion from subagent prose.
   why: `iso-postflight` is not an MCP and adds no prompt/tool-schema tokens; it makes "round complete", missing TSVs, failed candidates, replacements, merge, and verify an executable local gate instead of repeated orchestration prose
 
+- [D18] Treat `templates/redact.json` as the source of truth before exporting local traces, prompts, reports, or fixtures outside the project. Use `npx job-forge redact:scan --input <file>`, `redact:apply --input <file> --output .jobforge-redacted/<file>`, or `redact:verify --input <file>` instead of hand-redacting with prose. This complements H8; it does not make it acceptable to paste secrets into prompts.
+  why: `iso-redact` is not an MCP and adds no prompt/tool-schema tokens; it gives deterministic safe-export checks whose findings do not print matched secret values
+
 ## Procedure
 
 1. Check `cv.md`, `profile.yml`, and `portals.yml`; onboard if any file is missing.
 2. Pick and name the mode from **Routing** [D6]. No match → ask; do not guess.
-3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Decide inline vs delegated work [D1].
+3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Use redaction checks before exporting local artifacts [D18]. Decide inline vs delegated work [D1].
 4. Prepare Geometra dispatches: cleanup [H3], canon/index/ledger prefilter when useful [D8, D13, D15], dedupe [H2], location filter [D5], materialize candidate facts/gates and run preflight plan/check [D16], routing [D2, D10], proxy prompt hygiene [H8].
 5. Dispatch at most 2 tasks per round [H1]; wait for final outcomes, not just task ids [H5b], then settle the round with postflight status [D17].
 6. Keep multi-job form-filling out of the orchestrator [H4].

package/README.md

@@ -31,7 +31,7 @@ The scaffolded `opencode.json` already has three MCPs wired up — they launch a
 - **Gmail** — reads replies from recruiters
 - **state-trace** — typed working memory for cross-session context (resumed batches, recent decisions, repeated portal quirks). Install once with `python3 -m pip install "state-trace[mcp]"`; the MCP command is `state-trace-mcp`.
 
-JobForge also keeps MCP-free local workflow state: `templates/canon.json` defines URL/company/role identity keys via `@razroo/iso-canon`, `templates/contracts.json` defines tracker/apply artifact shapes via `@razroo/iso-contract`, `templates/capabilities.json` defines role capability boundaries via `@razroo/iso-capabilities`, `templates/context.json` defines deterministic mode/reference bundles via `@razroo/iso-context`, `templates/preflight.json` defines safe dispatch rounds/gates via `@razroo/iso-preflight`, `templates/postflight.json` defines safe dispatch settlement via `@razroo/iso-postflight`, `templates/migrations.json` defines safe consumer-project upgrades via `@razroo/iso-migrate`, `.jobforge-ledger/events.jsonl` records duplicate/status events via `@razroo/iso-ledger`, `.jobforge-cache/` stores reusable JD/artifact content via `@razroo/iso-cache`, and `.jobforge-index.json` indexes artifact source pointers via `@razroo/iso-index`. None of these add always-on prompt or tool-schema tokens.
+JobForge also keeps MCP-free local workflow state: `templates/canon.json` defines URL/company/role identity keys via `@razroo/iso-canon`, `templates/contracts.json` defines tracker/apply artifact shapes via `@razroo/iso-contract`, `templates/capabilities.json` defines role capability boundaries via `@razroo/iso-capabilities`, `templates/context.json` defines deterministic mode/reference bundles via `@razroo/iso-context`, `templates/preflight.json` defines safe dispatch rounds/gates via `@razroo/iso-preflight`, `templates/postflight.json` defines safe dispatch settlement via `@razroo/iso-postflight`, `templates/redact.json` defines safe-export redaction rules via `@razroo/iso-redact`, `templates/migrations.json` defines safe consumer-project upgrades via `@razroo/iso-migrate`, `.jobforge-ledger/events.jsonl` records duplicate/status events via `@razroo/iso-ledger`, `.jobforge-cache/` stores reusable JD/artifact content via `@razroo/iso-cache`, and `.jobforge-index.json` indexes artifact source pointers via `@razroo/iso-index`. None of these add always-on prompt or tool-schema tokens.
 
 `npm install` also materializes symlinks for every supported agent harness — OpenCode, Cursor, Claude Code, and Codex — so you can run `opencode`, `cursor`, `claude`, or `codex` in the same project and each picks up the shared MCP config and instructions.
 
@@ -78,7 +78,7 @@ JobForge turns opencode into a full job search command center. Instead of manual
 | **Durable Batch Orchestration** | `batch-runner.sh` uses `@razroo/iso-orchestrator` for resumable bundle execution, bounded fan-out, mutexed state writes, and workflow records in `.jobforge-runs/`. |
 | **Pipeline Integrity** | Automated merge, dedup, status normalization, health checks |
 | **Cost-Aware Agent Routing** | Three subagents (`@general-free`, `@general-paid`, `@glm-minimal`) with per-task tool surfaces. On OpenCode, JobForge pins all tiers to `opencode-go/deepseek-v4-flash` so application runs avoid overloaded free-model pools. See [Subagent Routing in AGENTS.md](AGENTS.md) for the task-to-agent mapping. |
-| **Trace + Telemetry + Guard + Contract + Canon + Ledger + Capabilities + Context + Cache + Index + Preflight + Postflight + Migrate** | `job-forge trace:*` exposes local OpenCode transcripts, `job-forge telemetry:*` summarizes runs, `job-forge guard:*` audits deterministic policy rules, `templates/contracts.json` enforces artifact shape with `iso-contract`, `job-forge canon:*` derives stable URL/company/role identity keys, `job-forge ledger:*` queries append-only workflow state, `job-forge capabilities:*` checks role boundaries, `job-forge context:*` plans mode/reference context bundles, `job-forge cache:*` reuses fetched JD/artifact content, `job-forge index:*` queries compact source pointers, `job-forge preflight:*` plans bounded apply dispatch rounds from file-backed candidate facts, `job-forge postflight:*` settles dispatch outcomes/artifacts/post-steps, and `job-forge migrate:*` applies safe consumer-project upgrades without MCP/tool-schema overhead. |
+| **Trace + Telemetry + Guard + Contract + Canon + Ledger + Capabilities + Context + Cache + Index + Preflight + Postflight + Redact + Migrate** | `job-forge trace:*` exposes local OpenCode transcripts, `job-forge telemetry:*` summarizes runs, `job-forge guard:*` audits deterministic policy rules, `templates/contracts.json` enforces artifact shape with `iso-contract`, `job-forge canon:*` derives stable URL/company/role identity keys, `job-forge ledger:*` queries append-only workflow state, `job-forge capabilities:*` checks role boundaries, `job-forge context:*` plans mode/reference context bundles, `job-forge cache:*` reuses fetched JD/artifact content, `job-forge index:*` queries compact source pointers, `job-forge preflight:*` plans bounded apply dispatch rounds from file-backed candidate facts, `job-forge postflight:*` settles dispatch outcomes/artifacts/post-steps, `job-forge redact:*` sanitizes local exports, and `job-forge migrate:*` applies safe consumer-project upgrades without MCP/tool-schema overhead. |
 | **Token Cost Visibility** | `job-forge tokens --days 1` for per-session breakdown; `job-forge session-report --since-minutes 60 --log` to flag sessions over budget and append history to `data/token-usage.tsv`. Auto-logged after every batch run. |
 
 ## Usage
@@ -148,6 +148,7 @@ my-search/
 ├── .jobforge-ledger/              # append-only local workflow events (personal, gitignored)
 ├── .jobforge-cache/               # content-addressed local JD/artifact cache (personal, gitignored)
 ├── .jobforge-index.json           # deterministic artifact lookup index (generated, gitignored)
+├── .jobforge-redacted/            # sanitized local exports (generated, gitignored)
 ├── reports/                      # generated evaluation reports (personal, gitignored)
 ├── batch/{batch-input,batch-state}.tsv, tracker-additions/, logs/   # personal
 ├── .jobforge-runs/                # durable batch workflow records (generated)
@@ -164,7 +165,7 @@ my-search/
 ├── .opencode/skills/job-forge.md # → skill router
 ├── .opencode/agents/             # → @general-free, @general-paid, @glm-minimal
 ├── modes/                        # → _shared.md + skill modes
-├── templates/                    # → states.yml, portals.example.yml, cv-template.html, canon.json, capabilities.json, context.json, index.json, preflight.json, postflight.json, migrations.json
+├── templates/                    # → states.yml, portals.example.yml, cv-template.html, canon.json, capabilities.json, context.json, index.json, preflight.json, postflight.json, redact.json, migrations.json
 ├── batch/batch-prompt.md         # → batch worker prompt
 ├── batch/batch-runner.sh         # → parallel orchestrator
 │
@@ -190,7 +191,7 @@ JobForge/
 │   ├── sync.mjs                  # postinstall: creates symlinks in consumer project
 │   └── create-job-forge.mjs      # scaffolder
 ├── modes/                        # _shared.md + 16 skill modes
-├── templates/                    # cv-template.html, portals.example.yml, states.yml, canon.json, capabilities.json, context.json, preflight.json, postflight.json, migrations.json
+├── templates/                    # cv-template.html, portals.example.yml, states.yml, canon.json, capabilities.json, context.json, preflight.json, postflight.json, redact.json, migrations.json
 ├── config/profile.example.yml    # template for consumer's profile.yml
 ├── batch/{batch-prompt.md,batch-runner.sh}   # batch orchestrator
 ├── scripts/
@@ -204,6 +205,7 @@ JobForge/
 │   ├── canon.mjs                 # iso-canon-backed identity normalization CLI
 │   ├── preflight.mjs             # iso-preflight-backed dispatch planning CLI
 │   ├── postflight.mjs            # iso-postflight-backed dispatch settlement CLI
+│   ├── redact.mjs                # iso-redact-backed safe-export redaction CLI
 │   ├── migrate.mjs               # iso-migrate-backed consumer-project migrations
 │   ├── token-usage-report.mjs    # opencode cost analyzer
 │   └── release/check-source.mjs  # version gate for npm publish

package/bin/job-forge.mjs

@@ -28,6 +28,7 @@
  *   canon:*        Compute deterministic identity keys via iso-canon
  *   preflight:*    Plan safe dispatch rounds via iso-preflight
  *   postflight:*   Settle dispatch outcomes via iso-postflight
+ *   redact:*       Sanitize local exports via iso-redact
  *   migrate:*      Apply deterministic consumer-project migrations via iso-migrate
  *   sync           Re-run the harness symlink sync (bin/sync.mjs)
  *   help, --help   Show this message
@@ -153,6 +154,14 @@ const postflightAliases = {
   'postflight:path': 'path',
 };
 
+const redactAliases = {
+  'redact:scan': 'scan',
+  'redact:verify': 'verify',
+  'redact:apply': 'apply',
+  'redact:explain': 'explain',
+  'redact:path': 'path',
+};
+
 const migrateAliases = {
   'migrate:plan': 'plan',
   'migrate:apply': 'apply',
@@ -220,6 +229,10 @@ Commands:
   postflight:status       Reconcile dispatch plan, outcomes, artifacts, and post-steps
   postflight:check        Fail unless a dispatched workflow is fully settled
   postflight:explain      Show the active postflight workflow policy
+  redact:scan             Scan local text for sensitive values before export
+  redact:verify           Fail if local text still contains sensitive values
+  redact:apply            Write a sanitized copy of local text
+  redact:explain          Show the active redaction policy
   migrate:plan            Preview deterministic consumer-project migrations
   migrate:apply           Apply deterministic consumer-project migrations
   migrate:check           Fail if migrations are pending
@@ -268,6 +281,8 @@ Pass --help after a command to see its own flags, e.g.:
   job-forge preflight:check --candidates batch/preflight-candidates.json
   job-forge postflight:status --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json
   job-forge postflight:check --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json
+  job-forge redact:scan --input raw-session.jsonl
+  job-forge redact:apply --input raw-session.jsonl --output .jobforge-redacted/session.jsonl
   job-forge migrate:check
   job-forge migrate:apply
 
@@ -444,6 +459,21 @@ if (cmd === 'postflight' || postflightAliases[cmd]) {
   process.exit(result.status ?? 1);
 }
 
+if (cmd === 'redact' || redactAliases[cmd]) {
+  const redactArgs = cmd === 'redact'
+    ? (rest.length === 0 ? ['help'] : rest)
+    : [redactAliases[cmd], ...rest];
+
+  const scriptPath = join(PKG_ROOT, 'scripts/redact.mjs');
+  const result = spawnSync(process.execPath, [scriptPath, ...redactArgs], {
+    stdio: 'inherit',
+    cwd: PROJECT_DIR,
+    env: process.env,
+  });
+
+  process.exit(result.status ?? 1);
+}
+
 if (cmd === 'migrate' || migrateAliases[cmd]) {
   const migrateArgs = cmd === 'migrate'
     ? (rest.length === 0 ? ['help'] : rest)

package/docs/ARCHITECTURE.md

@@ -235,6 +235,7 @@ Scripts maintain data consistency. In a consumer project they're invoked via the
 | `scripts/context.mjs` | `npx job-forge context:list` / `context:plan` / `context:check` / `context:render` | Deterministic `@razroo/iso-context` mode/reference context bundle planning and rendering |
 | `scripts/preflight.mjs` | `npx job-forge preflight:plan` / `preflight:check` / `preflight:explain` | Deterministic `@razroo/iso-preflight` dispatch planning for file-backed candidate facts and gates |
 | `scripts/postflight.mjs` | `npx job-forge postflight:status` / `postflight:check` / `postflight:explain` | Deterministic `@razroo/iso-postflight` settlement for dispatch outcomes, required tracker TSV artifacts, and merge/verify post-steps |
+| `scripts/redact.mjs` | `npx job-forge redact:scan` / `redact:apply` / `redact:verify` | Deterministic `@razroo/iso-redact` safe-export scanning and sanitization for traces, prompts, reports, and fixtures |
 | `scripts/migrate.mjs` | `npx job-forge migrate:plan` / `migrate:apply` / `migrate:check` | Deterministic `@razroo/iso-migrate` consumer-project upgrades for scripts and generated-artifact ignores |
 | `tracker-lib.mjs` | _(library)_ | Shared helpers for reading/writing day-based tracker files — imported by merge/dedup/verify/normalize |
 | `bin/sync.mjs` | `npx job-forge sync` | Creates the harness symlinks in a consumer project and applies safe migrations (also runs as `postinstall`) |

package/docs/CUSTOMIZATION.md

@@ -166,6 +166,10 @@ Application dispatch policy lives in `templates/preflight.json` and is planned l
 
 Application settlement policy lives in `templates/postflight.json` and is checked locally by `@razroo/iso-postflight`. After each dispatch round, record observed candidate outcomes and tracker TSV artifact paths in `batch/postflight-outcomes.json`, then run `job-forge postflight:status --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json` to get the next safe action. After `merge` and `verify`, add post-step observations and run `job-forge postflight:check ...` to fail unless the workflow is complete. This is not an MCP and does not add prompt or tool-schema tokens.
 
+## JobForge redaction policy
+
+Safe-export redaction rules live in `templates/redact.json` and are enforced locally by `@razroo/iso-redact`. Use `job-forge redact:scan --input <file>` before sharing traces, prompts, reports, or fixtures outside the project, `job-forge redact:apply --input <file> --output .jobforge-redacted/<file>` to write a sanitized copy, and `job-forge redact:verify --input <file>` to fail if secrets or configured PII remain. Findings never print matched values. This is not an MCP and does not add prompt or tool-schema tokens.
+
 ## JobForge consumer migrations
 
 Consumer-project migrations live in `templates/migrations.json` and are applied locally by `@razroo/iso-migrate`. `job-forge sync` applies safe migrations automatically after refreshing symlinks; use `JOB_FORGE_SKIP_MIGRATIONS=1` to opt out. Use `job-forge migrate:plan`, `job-forge migrate:apply`, and `job-forge migrate:check` to inspect or enforce script/gitignore drift explicitly. This is not an MCP and does not add prompt or tool-schema tokens.

package/docs/README.md

@@ -31,7 +31,7 @@ The harness exposes a single CLI (`job-forge`) installed as a `bin` entry. In a
 
 | What you need | Where to read |
 |---------------|---------------|
-| Full command list (`verify`, `merge`, `dedup`, `normalize`, `pdf`, `sync-check`, `tokens`, `trace`, `telemetry`, `guard`, `ledger`, `canon`, `context`, `preflight`, `postflight`, `sync`). | [SETUP.md — Tracker and scripts (terminal)](SETUP.md#tracker-and-scripts-terminal). |
+| Full command list (`verify`, `merge`, `dedup`, `normalize`, `pdf`, `sync-check`, `tokens`, `trace`, `telemetry`, `guard`, `ledger`, `canon`, `context`, `preflight`, `postflight`, `redact`, `sync`). | [SETUP.md — Tracker and scripts (terminal)](SETUP.md#tracker-and-scripts-terminal). |
 | What each harness `.mjs` script does. | [ARCHITECTURE.md — Pipeline integrity](ARCHITECTURE.md#pipeline-integrity) and the scripts table underneath. |
 | Batch runner, TSV layout, and `batch/tracker-additions/` merge flow. | [batch/README.md](../batch/README.md). |
 | PR gate for harness contributions (`npm run verify` + `npm run build:dashboard`). | [CONTRIBUTING.md — Development](../CONTRIBUTING.md#development). |

package/docs/SETUP.md

@@ -136,6 +136,8 @@ From your project root, these commands maintain the tracker and pipeline checks.
 | Fail on blocked preflight candidates | `npx job-forge preflight:check --candidates batch/preflight-candidates.json` | `npm run preflight:check -- --candidates ...` |
 | Settle dispatch outcomes after a round | `npx job-forge postflight:status --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json` | `npm run postflight:status -- --plan ... --outcomes ...` |
 | Fail unless dispatch outcomes and post-steps are complete | `npx job-forge postflight:check --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json` | `npm run postflight:check -- --plan ... --outcomes ...` |
+| Sanitize local text before exporting it | `npx job-forge redact:apply --input raw-session.jsonl --output .jobforge-redacted/session.jsonl` | `npm run redact:apply -- --input ... --output ...` |
+| Verify local text is safe to export | `npx job-forge redact:verify --input .jobforge-redacted/session.jsonl` | `npm run redact:verify -- --input ...` |
 | Inspect pending consumer migrations | `npx job-forge migrate:plan` | `npm run migrate:plan` |
 | Map status column to canonical labels | `npx job-forge normalize` | `npm run normalize` |
 | Merge duplicate company/role rows | `npx job-forge dedup` | `npm run dedup` |

package/iso/instructions.md

@@ -84,11 +84,14 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [D17] Treat `templates/postflight.json` as the source of truth for multi-apply dispatch settlement. Save the JSON preflight plan and per-round observed dispatch/outcome/artifact records, then run `npx job-forge postflight:status --plan <plan.json> --outcomes <outcomes.json>` after each round and `npx job-forge postflight:check ...` after merge/verify. Follow its next action instead of inferring completion from subagent prose.
   why: `iso-postflight` is not an MCP and adds no prompt/tool-schema tokens; it makes "round complete", missing TSVs, failed candidates, replacements, merge, and verify an executable local gate instead of repeated orchestration prose
 
+- [D18] Treat `templates/redact.json` as the source of truth before exporting local traces, prompts, reports, or fixtures outside the project. Use `npx job-forge redact:scan --input <file>`, `redact:apply --input <file> --output .jobforge-redacted/<file>`, or `redact:verify --input <file>` instead of hand-redacting with prose. This complements H8; it does not make it acceptable to paste secrets into prompts.
+  why: `iso-redact` is not an MCP and adds no prompt/tool-schema tokens; it gives deterministic safe-export checks whose findings do not print matched secret values
+
 ## Procedure
 
 1. Check `cv.md`, `profile.yml`, and `portals.yml`; onboard if any file is missing.
 2. Pick and name the mode from **Routing** [D6]. No match → ask; do not guess.
-3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Decide inline vs delegated work [D1].
+3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Use redaction checks before exporting local artifacts [D18]. Decide inline vs delegated work [D1].
 4. Prepare Geometra dispatches: cleanup [H3], canon/index/ledger prefilter when useful [D8, D13, D15], dedupe [H2], location filter [D5], materialize candidate facts/gates and run preflight plan/check [D16], routing [D2, D10], proxy prompt hygiene [H8].
 5. Dispatch at most 2 tasks per round [H1]; wait for final outcomes, not just task ids [H5b], then settle the round with postflight status [D17].
 6. Keep multi-job form-filling out of the orchestrator [H4].

package/lib/jobforge-redact.mjs

@@ -0,0 +1,25 @@
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+import {
+  loadRedactConfig,
+  parseJson,
+} from '@razroo/iso-redact';
+
+export const REDACT_CONFIG_FILE = 'templates/redact.json';
+
+export function resolveProjectDir(projectDir = process.env.JOB_FORGE_PROJECT || process.cwd()) {
+  return projectDir;
+}
+
+export function jobForgeRedactConfigPath(projectDir = resolveProjectDir()) {
+  return process.env.JOB_FORGE_REDACT_CONFIG || join(projectDir, REDACT_CONFIG_FILE);
+}
+
+export function redactConfigExists(projectDir = resolveProjectDir()) {
+  return existsSync(jobForgeRedactConfigPath(projectDir));
+}
+
+export function readJobForgeRedactConfig(projectDir = resolveProjectDir()) {
+  const path = jobForgeRedactConfigPath(projectDir);
+  return loadRedactConfig(parseJson(readFileSync(path, 'utf8'), path));
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "job-forge",
-  "version": "2.14.29",
+  "version": "2.14.30",
   "description": "AI-powered job search pipeline built on opencode",
   "type": "module",
   "bin": {
@@ -65,6 +65,10 @@
     "postflight:status": "node bin/job-forge.mjs postflight:status",
     "postflight:check": "node bin/job-forge.mjs postflight:check",
     "postflight:explain": "node bin/job-forge.mjs postflight:explain",
+    "redact:scan": "node bin/job-forge.mjs redact:scan",
+    "redact:verify": "node bin/job-forge.mjs redact:verify",
+    "redact:apply": "node bin/job-forge.mjs redact:apply",
+    "redact:explain": "node bin/job-forge.mjs redact:explain",
     "migrate:plan": "node bin/job-forge.mjs migrate:plan",
     "migrate:apply": "node bin/job-forge.mjs migrate:apply",
     "migrate:check": "node bin/job-forge.mjs migrate:check",
@@ -147,6 +151,7 @@
     "@razroo/iso-orchestrator": "^0.1.0",
     "@razroo/iso-postflight": "^0.1.0",
     "@razroo/iso-preflight": "^0.1.0",
+    "@razroo/iso-redact": "^0.1.0",
     "@razroo/iso-trace": "^0.4.0",
     "playwright": "^1.58.1"
   },

package/scripts/redact.mjs

@@ -0,0 +1,180 @@
+#!/usr/bin/env node
+
+import { mkdirSync, readFileSync, writeFileSync } from 'fs';
+import { dirname, isAbsolute, relative, resolve } from 'path';
+import {
+  formatConfigSummary,
+  formatScanResult,
+  loadRedactConfig,
+  parseJson,
+  redactText,
+  scanSources,
+} from '@razroo/iso-redact';
+import { PROJECT_DIR } from '../tracker-lib.mjs';
+import {
+  jobForgeRedactConfigPath,
+  readJobForgeRedactConfig,
+} from '../lib/jobforge-redact.mjs';
+
+const USAGE = `job-forge redact - deterministic local redaction for exports
+
+Usage:
+  job-forge redact:scan   [--input <file> ...] [--stdin] [--config <file>] [--json]
+  job-forge redact:verify [--input <file> ...] [--stdin] [--config <file>] [--json]
+  job-forge redact:apply  (--input <file> | --stdin) [--output <file>] [--config <file>] [--json]
+  job-forge redact:explain [--config <file>] [--json]
+  job-forge redact:path
+
+Default policy is templates/redact.json. Findings never print matched values;
+previews are redacted length markers. Use apply to write a sanitized copy
+before exporting traces, prompts, reports, or fixture text.`;
+
+const [cmd = 'help', ...rawArgs] = process.argv.slice(2);
+const opts = parseArgs(rawArgs);
+
+if (opts.help || cmd === 'help' || cmd === '--help' || cmd === '-h') {
+  console.log(USAGE);
+  process.exit(0);
+}
+
+try {
+  if (cmd === 'path') {
+    console.log(configPath(opts));
+  } else if (cmd === 'scan' || cmd === 'verify') {
+    scan(cmd, opts);
+  } else if (cmd === 'apply') {
+    apply(opts);
+  } else if (cmd === 'explain') {
+    explain(opts);
+  } else {
+    console.error(`unknown redact command "${cmd}"\n`);
+    console.error(USAGE);
+    process.exit(2);
+  }
+} catch (error) {
+  console.error(error instanceof Error ? error.message : String(error));
+  process.exit(1);
+}
+
+function parseArgs(args) {
+  const opts = {
+    inputs: [],
+    stdin: false,
+    json: false,
+    help: false,
+  };
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === '--json') {
+      opts.json = true;
+    } else if (arg === '--input' || arg === '-i') {
+      opts.inputs.push(valueAfter(args, ++i, arg));
+    } else if (arg.startsWith('--input=')) {
+      opts.inputs.push(arg.slice('--input='.length));
+    } else if (arg === '--stdin') {
+      opts.stdin = true;
+    } else if (arg === '--output' || arg === '-o') {
+      opts.output = valueAfter(args, ++i, arg);
+    } else if (arg.startsWith('--output=')) {
+      opts.output = arg.slice('--output='.length);
+    } else if (arg === '--config' || arg === '-c') {
+      opts.config = valueAfter(args, ++i, arg);
+    } else if (arg.startsWith('--config=')) {
+      opts.config = arg.slice('--config='.length);
+    } else if (arg === '--help' || arg === '-h') {
+      opts.help = true;
+    } else if (arg.startsWith('--')) {
+      throw new Error(`unknown flag "${arg}"`);
+    } else {
+      opts.inputs.push(arg);
+    }
+  }
+
+  return opts;
+}
+
+function valueAfter(values, index, flag) {
+  const value = values[index];
+  if (!value || value.startsWith('--')) throw new Error(`${flag} requires a value`);
+  return value;
+}
+
+function scan(mode, opts) {
+  const sources = readSources(opts);
+  if (sources.length === 0) throw new Error(`${mode} requires at least one --input or --stdin source`);
+  const result = scanSources(readConfig(opts), sources);
+  if (opts.json) {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    console.log(formatScanResult(result, mode));
+  }
+  if (mode === 'verify' && !result.ok) process.exit(1);
+}
+
+function apply(opts) {
+  const sources = readSources(opts);
+  if (sources.length !== 1) throw new Error('apply requires exactly one --input or --stdin source');
+  const source = sources[0];
+  const result = redactText(readConfig(opts), source.text, { source: source.name });
+  if (opts.output) {
+    const output = resolveOutputPath(opts.output);
+    mkdirSync(dirname(output), { recursive: true });
+    writeFileSync(output, result.text, 'utf8');
+    if (opts.json) {
+      console.log(JSON.stringify({ ...result, text: undefined, output }, null, 2));
+    } else {
+      console.log(`iso-redact: wrote ${relativePath(output)} (${result.findings.length} finding(s) redacted)`);
+    }
+  } else if (opts.json) {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    process.stdout.write(result.text);
+  }
+}
+
+function explain(opts) {
+  const config = readConfig(opts);
+  if (opts.json) {
+    console.log(JSON.stringify(config, null, 2));
+    return;
+  }
+  console.log(`config: ${relativePath(configPath(opts))}`);
+  console.log(formatConfigSummary(config));
+}
+
+function readSources(opts) {
+  const sources = opts.inputs.map((input) => {
+    const path = resolveInputPath(input);
+    return {
+      name: relativePath(path),
+      text: readFileSync(path, 'utf8'),
+    };
+  });
+  if (opts.stdin) sources.push({ name: '<stdin>', text: readFileSync(0, 'utf8') });
+  return sources;
+}
+
+function readConfig(opts) {
+  if (opts.config) {
+    const path = resolveInputPath(opts.config);
+    return loadRedactConfig(parseJson(readFileSync(path, 'utf8'), path));
+  }
+  return readJobForgeRedactConfig(PROJECT_DIR);
+}
+
+function configPath(opts) {
+  return opts.config ? resolveInputPath(opts.config) : jobForgeRedactConfigPath(PROJECT_DIR);
+}
+
+function resolveInputPath(path) {
+  return isAbsolute(path) ? path : resolve(PROJECT_DIR, path);
+}
+
+function resolveOutputPath(path) {
+  return isAbsolute(path) ? path : resolve(PROJECT_DIR, path);
+}
+
+function relativePath(path) {
+  return relative(PROJECT_DIR, path) || '.';
+}

package/templates/migrations.json

@@ -43,6 +43,10 @@
             "postflight:status": "job-forge postflight:status",
             "postflight:check": "job-forge postflight:check",
             "postflight:explain": "job-forge postflight:explain",
+            "redact:scan": "job-forge redact:scan",
+            "redact:verify": "job-forge redact:verify",
+            "redact:apply": "job-forge redact:apply",
+            "redact:explain": "job-forge redact:explain",
             "migrate:plan": "job-forge migrate:plan",
             "migrate:apply": "job-forge migrate:apply",
             "migrate:check": "job-forge migrate:check",
@@ -65,6 +69,7 @@
             ".jobforge-ledger/",
             ".jobforge-cache/",
             ".jobforge-index.json",
+            ".jobforge-redacted/",
             "batch/preflight-candidates.json",
             "batch/preflight-plan.json",
             "batch/postflight-outcomes.json"

package/templates/redact.json

@@ -0,0 +1,77 @@
+{
+  "version": 1,
+  "defaults": {
+    "severity": "error",
+    "replacement": "[REDACTED:{id}]"
+  },
+  "builtins": [
+    {
+      "id": "email",
+      "severity": "warn"
+    },
+    {
+      "id": "phone",
+      "severity": "warn"
+    },
+    "openai-api-key",
+    "github-token",
+    "npm-token",
+    "aws-access-key-id",
+    "bearer-token",
+    "private-key",
+    "proxy-url-credentials"
+  ],
+  "fields": [
+    {
+      "id": "profile-contact",
+      "label": "Profile contact field",
+      "severity": "warn",
+      "names": [
+        "email",
+        "phone",
+        "address",
+        "street",
+        "city",
+        "postalCode",
+        "zip",
+        "linkedin"
+      ]
+    },
+    {
+      "id": "proxy-config",
+      "label": "Proxy configuration field",
+      "names": [
+        "proxy",
+        "proxyUrl",
+        "proxy_url",
+        "server",
+        "username",
+        "password",
+        "bypass"
+      ]
+    },
+    {
+      "id": "credential-field",
+      "label": "Credential field",
+      "names": [
+        "apiKey",
+        "api_key",
+        "access_token",
+        "refresh_token",
+        "client_secret",
+        "clientSecret",
+        "authorization",
+        "cookie",
+        "session",
+        "token"
+      ]
+    }
+  ],
+  "patterns": [
+    {
+      "id": "proxy-provider-account",
+      "label": "Proxy provider account identifier",
+      "pattern": "\\bbrd-customer-[A-Za-z0-9_.-]+\\b"
+    }
+  ]
+}