Fetching latest headlinesโ€ฆ
Stop pasting your API keys into ChatGPT: a safer way to feed a codebase to an LLM
NORTH AMERICA
๐Ÿ‡บ๐Ÿ‡ธ United Statesโ€ขJuly 3, 2026

Stop pasting your API keys into ChatGPT: a safer way to feed a codebase to an LLM

0 views0 likes0 comments
Originally published byDev.to

Every developer using Claude, ChatGPT, or Codex has done this: select a bunch of files, paste them into the chat, and ask a question. It works โ€” until two things quietly bite you.

Failure mode 1: you paste a secret

config.js, .env.local, a test fixture โ€” it only takes one file with api_key = "sk-ant-..." in it, and now your key is sitting in a third-party prompt log. You won't get an error. You'll just have leaked a credential.

The fix is boring but essential: scan for secrets before the text ever leaves your machine. API keys have recognizable shapes โ€” sk-ant-, sk-, AKIA..., ghp_..., -----BEGIN PRIVATE KEY-----. A pre-flight pass can mask them:

config.js โ†’ api_key = "<redacted:ANTHROPIC_KEY>"

You still send the code; you just don't send the credential.

Failure mode 2: you blow the context window

You paste 60k tokens into a 32k-context model and get a truncation, or worse, a silent drop of the earliest files. Most people find out by trial and error. But token count is knowable before you paste โ€” you just need a per-model estimate:

~48,210 tokens  (24.1% of Claude 200,000 ctx)

Now you know it fits, and you know how much room you have left for the conversation.

Doing both in one command

I got tired of eyeballing this, so I built ctxpack โ€” a zero-dependency Node CLI that packs a repo into an LLM-ready bundle, redacts secrets by default, and budgets tokens for the model you're targeting.

npx github:trongtruong110-ux/ctxpack . --model claude-fable-5
ctxpack: 34 files packed
  tokens: ~48,210  (24.1% of Claude Fable 5 200,000 ctx)
  redacted: 2 secret(s)
  skipped: 5 binary file(s)

It honors your .gitignore, skips binaries and build output, and can emit markdown, XML, or JSON. Presets cover Claude (Fable 5 / Opus / Sonnet), GPT-5/4.1, and Gemini 2.5 Pro.

The general lesson (even if you don't use the tool)

Whatever you use to shuttle code into an LLM, add two habits:

  1. Redact before you send. Treat any codebase bundle like a pastebin post โ€” assume it could be logged.
  2. Count tokens before you paste. "Does it fit?" is a question you can answer up front instead of after a bad response.

ctxpack is MIT-licensed and free: https://github.com/trongtruong110-ux/ctxpack. If you try it, I'd genuinely like to know which secret patterns or model presets are missing โ€” open an issue.

What do you currently use to pack a codebase into a prompt? Curious what workflows people have settled on.

Comments (0)

Sign in to join the discussion

Be the first to comment!