If a pipeline can write a record before passing it through redaction, secret leakage is structural, not accidental. The redaction gate belongs at the write boundary, and it must fail closed on shapes it does not recognize — not enumerate the prefixes it does.
A pipeline that leaked a live credential did not have a redaction bug. It had a redaction the writer could bypass — applied somewhere other than the boundary where records are emitted. When redaction is an optional pass instead of the gate on the write, leakage is not an accident waiting to happen; it is the default behavior of any path that forgets to call it.
Two things make redaction real: it lives at the emit boundary, so nothing is written without traversing it, and it fails closed on shapes it does not recognize rather than matching a list of known secret prefixes. A list is always one unknown vendor behind. A boundary that default-denies the unrecognized is the only version that holds when the input is adversarial.