credential_redactor: docs imply redact() scrubs PII, but it covers secrets only; SSN patterns diverge #3239

Description

@imran-siddique

Found during a code-quality / docs pass.

In agent_os/credential_redactor.py (around lines 101-199), redact() / redact_data_structure() iterate only PATTERNS (secret-like material), not PII_PATTERNS (email / phone / SSN / credit-card / IP). So PII is detected by find_pii_matches() but not removed by redact(). The class docstring's 'redact sensitive material' phrasing can lead a caller to assume PII is scrubbed when persisting/returning data.

Suggestion: either add an opt-in redact_pii=True path, or clarify in the docstring that redact() is secrets-only.

Separately, the SSN pattern here (\d{3}-\d{2}-\d{4}) is narrower than the one in integrations/base.py (which also accepts space/dot/no-separator) — reconciling to one shared pattern would avoid divergent detection.
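A sketch of the opt-in `redact_pii=True` path and a single shared SSN pattern, as an added example that is not part of the issue and not the project's code. The secret format, the email pattern, `SSN_SHARED` and the sample record are constructed assumptions; only the narrow SSN regex is taken from the issue text.

```python
import re

# Hypothetical stand-ins: the project's real PATTERNS / PII_PATTERNS are not shown in the issue.
SECRET_PATTERNS = {"api_key": re.compile(r"\bsk-[A-Za-z0-9]{16,}\b")}  # constructed secret format
SSN_NARROW = re.compile(r"\d{3}-\d{2}-\d{4}")  # pattern quoted in the issue
# Assumed shared pattern: dash, dot, space or no separator, used consistently.
# The no-separator form also matches any bare 9-digit number, so expect false positives.
SSN_SHARED = re.compile(r"(?<!\d)\d{3}([-. ]?)\d{2}\1\d{4}(?!\d)")
PII_PATTERNS = {
    "ssn": SSN_SHARED,
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def redact(text, redact_pii=False):
    """Replace secrets always; replace PII only when the caller opts in."""
    patterns = dict(SECRET_PATTERNS)
    if redact_pii:
        patterns.update(PII_PATTERNS)
    for name, pattern in patterns.items():
        text = pattern.sub(f"[REDACTED:{name}]", text)
    return text


def redact_data_structure(data, redact_pii=False):
    """Walk dicts, lists and tuples, redacting every string value."""
    if isinstance(data, str):
        return redact(data, redact_pii)
    if isinstance(data, dict):
        return {k: redact_data_structure(v, redact_pii) for k, v in data.items()}
    if isinstance(data, (list, tuple)):
        return type(data)(redact_data_structure(v, redact_pii) for v in data)
    return data


def ssn_divergence(samples):
    """Return samples the shared pattern flags but the narrow one misses."""
    return [s for s in samples if SSN_SHARED.search(s) and not SSN_NARROW.search(s)]


# Constructed sample record.
RECORD = {
    "note": "key sk-abcdEFGH1234567890 for jane@example.com",
    "ids": ["123-45-6789", "123 45 6789", "123.45.6789", "123456789"],
}
```

With the default arguments the email and all four SSN spellings pass through untouched, which is the behaviour a caller relying on the 'redact sensitive material' wording would not expect.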
