🐛 fix email regex bug and reorder patterns for specificity

Miyamura80 · claude · Miyamura80 · commit 7a553366e3dc · 2026-01-26T20:17:03.000Z
- Remove errant `|` from email TLD character class
- Move Anthropic pattern before OpenAI for correct matching
- Add rk_ prefix to Stripe key tests

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/src/utils/logging_config.py b/src/utils/logging_config.py
@@ -14,16 +14,17 @@
 _logging_lock = threading.Lock()
 
 # PII Patterns for redaction (pre-compiled for performance)
+# Note: More specific patterns must come before general ones (e.g., sk-ant- before sk-)
 _COMPILED_PII_PATTERNS = [
     # Email addresses
     (
-        re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"),
+        re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
         "[REDACTED_EMAIL]",
     ),
+    # Anthropic API keys (sk-ant-...) - must be before OpenAI pattern
+    (re.compile(r"sk-ant-[a-zA-Z0-9-]{20,}"), "[REDACTED_API_KEY]"),
     # OpenAI API keys (sk-...)
     (re.compile(r"sk-[a-zA-Z0-9]{20,}"), "[REDACTED_API_KEY]"),
-    # Anthropic API keys (sk-ant-...)
-    (re.compile(r"sk-ant-[a-zA-Z0-9-]{20,}"), "[REDACTED_API_KEY]"),
     # Stripe API keys (sk_live_*, sk_test_*, pk_live_*, pk_test_*, rk_live_*, rk_test_*)
     (re.compile(r"[spr]k_(live|test)_[a-zA-Z0-9]{20,}"), "[REDACTED_API_KEY]"),
     # Authorization Bearer tokens
diff --git a/tests/test_logging_security.py b/tests/test_logging_security.py
@@ -87,7 +87,7 @@ def test_stripe_api_key_redaction(self):
         """Test that Stripe API keys are redacted."""
         # Construct keys dynamically to avoid GitHub secret scanning
         suffix = "0" * 24
-        prefixes = ["sk" + "_live_", "sk" + "_test_", "pk" + "_live_"]
+        prefixes = ["sk" + "_live_", "sk" + "_test_", "pk" + "_live_", "rk" + "_live_"]
 
         for prefix in prefixes:
             key = prefix + suffix
