The pattern: secrets enter the agent's environment at the tool boundary, not in the prompt. Vault-injected env. 1Password op-run envelopes. Hooks that scrub before write. Your session JSONL gets archived; nothing in there should be sensitive.