fix: replace prod password with devpass
LinkedIn post →
// transcript
Claude Code removed a production password from my codebase…
[pause]
…and put it in the commit message.
A few days ago, I was adding Docker infrastructure to an old project. The code had lived on my machine for a while, and I had tested it with production-ish databases and credentials.
So before committing, I asked Claude to clean it up.
And honestly, it did a good job.
It found passwords. It replaced them. I reviewed the diff.
It was clean.
So I said: okay, let’s commit.
And then Claude suggested this commit message:
fix: replace [actual prod password] with devpass
[pause]
The secret was gone from the code.
But it had landed in the metadata.
And that’s what stuck with me.
We all know the traditional way of leaking sensitive data: putting it into a file and committing it to main.
But this was different.
The diff was clean. The dangerous output was somewhere else.
The security boundary is shifting. It’s no longer just the codebase.
Commit messages. PR titles. Logs. Release notes.
Anything the agent sees can become something the agent writes.
So my tiny warning is this:
Don’t just review the diff.
Review every surface the agent can write to.
Because if an agent can clean secrets from your code, it can also helpfully leave a message explaining exactly what it did.
Thank you.
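One concrete check for exactly this failure mode, added here as an example and not code from the post or from Claude Code: a small Python script intended to run as a git `commit-msg` hook. It pulls credential-looking values off the removed (`-`) lines of the staged diff and refuses the commit if any of them reappear verbatim in the proposed message. The function names, the key list in `SECRET_KEYS`, the minimum value length, and the sample diff and message are all assumptions constructed for the example; the same `leaked_in_text` check can be pointed at a PR title or release notes, since it only takes text.

```python
"""
Added example (not from the original post): refuse a commit whose message
repeats a credential value that the staged diff just removed from the code.
Install as .git/hooks/commit-msg (git passes the message file path as argv[1]).
"""
import re
import subprocess
import sys

# Assumption: a secret is assigned to a key containing one of these words,
# in env-file, YAML, JSON or code style (KEY=value, key: value, "key": "value").
SECRET_KEYS = re.compile(
    r"""(?i)(password|passwd|pwd|secret|token|api[_-]?key)['"]?\s*[:=]\s*['"]?([^'"\s,;]+)"""
)
MIN_VALUE_LEN = 8  # assumption: shorter values are usually placeholders, not secrets


def removed_secret_values(diff_text: str) -> set[str]:
    """Credential-looking values on removed ('-') lines of a unified diff.

    Only removed lines are inspected: the replacement placeholder (e.g. devpass)
    lives on a '+' line, so it is not treated as a secret. Lines beginning with
    '---' are skipped as file headers (a removed line of content starting with
    '--' would be skipped too; acceptable for this check).
    """
    found = set()
    for line in diff_text.splitlines():
        if not line.startswith("-") or line.startswith("---"):
            continue
        for match in SECRET_KEYS.finditer(line[1:]):
            value = match.group(2)
            if len(value) >= MIN_VALUE_LEN:
                found.add(value)
    return found


def leaked_in_text(diff_text: str, text: str) -> list[str]:
    """Removed secret values that reappear verbatim in text (message, PR title, notes)."""
    return sorted(v for v in removed_secret_values(diff_text) if v in text)


# Constructed sample data mirroring the story above: prod password swapped for
# devpass in the code, and the proposed commit message quoting the old value.
SAMPLE_DIFF = """\
diff --git a/docker-compose.yml b/docker-compose.yml
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,1 +7,1 @@
-      POSTGRES_PASSWORD: Pr0d-Sup3rS3cret!
+      POSTGRES_PASSWORD: devpass
"""
SAMPLE_MESSAGE = "fix: replace Pr0d-Sup3rS3cret! with devpass"


def main(argv: list[str]) -> int:
    """commit-msg hook entry point: exit non-zero to block the commit."""
    if len(argv) < 2:
        # No message file given: run the constructed sample so the script is
        # demonstrable stand-alone without a git repository.
        diff, message = SAMPLE_DIFF, SAMPLE_MESSAGE
    else:
        with open(argv[1], encoding="utf-8") as fh:
            message = fh.read()
        # Staged changes are still staged when commit-msg runs.
        diff = subprocess.run(
            ["git", "diff", "--cached", "--unified=0"],
            capture_output=True, text=True, check=True,
        ).stdout
    leaks = leaked_in_text(diff, message)
    if leaks:
        print("commit-msg: message repeats a value removed from the code:", file=sys.stderr)
        for value in leaks:
            # Never echo the secret itself back into terminal scrollback or CI logs.
            print(f"  {value[:2]}... (redacted, {len(value)} chars)", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The hook deliberately redacts what it finds: the point of the post is that a secret can leak through any surface the tool writes to, and hook output lands in terminals and CI logs just as commit messages land in `git log`.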