diff --git a/docs/modules/release-notes/pages/all-releases/_drafts/KOB-53654.adoc b/docs/modules/release-notes/pages/all-releases/_drafts/KOB-53654.adoc
new file mode 100644
index 00000000..3f00543f
--- /dev/null
+++ b/docs/modules/release-notes/pages/all-releases/_drafts/KOB-53654.adoc
@@ -0,0 +1,38 @@
+////
+DRAFT — release-note entry, not yet published.
+
+Generated by the docs-writer skill (Robot Ranch, release-note mode) from
+KOB-53654. This file lives under all-releases/_drafts/ so Antora treats it as
+hidden (the leading underscore keeps it out of the published site and the
+release-notes navigation). The PR is the review surface for the docs team.
+
+Source evidence: KOB-53654 (bug) spec material in kobiton/.ai
+  features/KOB-53654-llm-api-key-exposed-webdriver-traffic (feature.md, analysis.md).
+Mode: release-note. Change type: bug fix (security / sensitive-data exposure).
+
+Before publishing, the docs team must:
+  1. Assign the target release version and move this entry into the matching
+     all-releases/4_XX.adoc file (then delete this draft).
+  2. Wire that version file into nav.adoc and the *-latest include if not already.
+  3. Confirm the user-facing area heading (drafted under "Appium AI").
+
+Open questions (see also the report):
+  - Target release version and date are unknown. The ticket is "In Progress"
+    (not shipped); no deployment PR was supplied. Version/date are intentionally
+    omitted here rather than guessed.
+  - Confirm the area heading. The leak surfaces in Session Explorer, but the
+    masked value belongs to the Appium AI per-session LLM override capability.
+////
+
+= KOB-53654 release-note draft (unversioned)
+:navtitle: KOB-53654 draft
+
+// The entry below is the publishable snippet. Lift it into the target
+// all-releases/4_XX.adoc under "== Bug fixes and improvements", merging the
+// "Appium AI" area heading with any existing one in that file.
+
+== Bug fixes and improvements
+
+=== Appium AI
+
+- Fixed an issue where the `kobiton:llmApiKey` capability value appeared in plaintext in Session Explorer WebDriver Traffic and in the session Appium log. The value is now masked in the request body, response body, and Appium log. Masking also applies to previously recorded sessions.