Add gateway fallback for nested secret redaction

Author: efij

.claude-plugin/marketplace.json

@@ -11,7 +11,7 @@
     {
       "name": "runwall",
       "description": "Balanced default runtime security plugin for Claude Code with shell, git, MCP, secret, exfiltration, and inline gateway guardrails.",
-      "version": "3.3.4",
+      "version": "3.3.5",
       "source": "./"
     }
   ]

.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "runwall",
   "description": "Runtime security plugin for Claude Code with balanced default hooks plus the Runwall inline MCP gateway for shell, git, MCP, secret, and exfiltration risks.",
-  "version": "3.3.4",
+  "version": "3.3.5",
   "author": {
     "name": "efij"
   },

.codex-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "runwall",
   "description": "Runtime security plugin bundle for Codex with the Runwall inline MCP gateway, policy tools, skills, and safer defaults for coding-agent workflows.",
-  "version": "3.3.4",
+  "version": "3.3.5",
   "author": {
     "name": "efij"
   },

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 3.3.5
+
+- added a gateway-side fallback for obvious secret markers so upstream MCP responses still get redacted even when nested JSON payloads are mangled by platform-specific shell argument handling
+- kept the redaction attribution on `mcp-response-secret-leak-guard` so the signature model and audit trail stay consistent
+
 ## 3.3.4
 
 - fixed the MCP response secret redaction path on Windows by adding a deterministic fixed-string fast path for obvious secret markers before regex-file matching

VERSION

@@ -1 +1 @@
-3.3.4
+3.3.5

scripts/runwall_gateway.py

@@ -134,6 +134,36 @@ def first_reason(result: dict[str, Any], fallback: str) -> str:
     return fallback
 
 
+def secret_redaction_fallback(result: dict[str, Any]) -> dict[str, Any] | None:
+    payload = safe_json_dumps(result)
+    obvious_markers = (
+        "AWS_SECRET_ACCESS_KEY",
+        "ghp_",
+        "github_pat_",
+        "PRIVATE KEY",
+    )
+    if not any(marker in payload for marker in obvious_markers):
+        return None
+    return {
+        "allowed": True,
+        "action": "redact",
+        "hits": [
+            {
+                "module": "mcp-response-secret-leak-guard",
+                "name": "MCP Response Secret Leak Guard Pack",
+                "category": "mcp",
+                "decision": "redact",
+                "exit_code": 0,
+                "output": "[runwall] redacting secret-like MCP response content",
+                "metadata": {
+                    "reason": "The upstream response contains secret-like material and should be redacted before it reaches the client.",
+                    "redactions": [{"type": "full-response", "label": "secret-material"}],
+                },
+            }
+        ],
+    }
+
+
 def load_gateway_config(path: pathlib.Path | None) -> dict[str, Any]:
     if path is None or not path.exists():
         return {"servers": {}}
@@ -670,6 +700,10 @@ def handle_upstream_tool(self, full_name: str, arguments: dict[str, Any]) -> dic
                 }
             ),
         )
+        if response_eval["action"] == "allow":
+            fallback = secret_redaction_fallback(result)
+            if fallback is not None:
+                response_eval = fallback
         if response_eval["action"] == "block":
             self.audit_gateway_event(
                 {
@@ -738,7 +772,7 @@ def serve_stdio(self) -> int:
                         "result": {
                             "protocolVersion": "2024-11-05",
                             "capabilities": {"tools": {}},
-                            "serverInfo": {"name": "runwall-gateway", "version": "3.3.4"},
+                            "serverInfo": {"name": "runwall-gateway", "version": "3.3.5"},
                         },
                     },
                 )