Bug Report
Bug Description
The redaction regex in agent/redact.py incorrectly redacted values of lowercase Python variable assignments, treating them as environment variables containing secrets.
For example:
before_tokens = self._estimate_current_context_tokens()
Would be incorrectly transformed to:
before_tokens = ***
This happened because the _ENV_ASSIGN_RE regex used the re.IGNORECASE flag, which caused it to match lowercase Python variable names (like before_tokens, api_key, my_token) in addition to uppercase environment variables (like API_KEY, OPENAI_API_KEY).
Steps to Reproduce
- Enable redaction in config (security.redact_secrets = true)
- Run any Hermes command that outputs Python code snippets in logs
- Observe that lowercase variable assignments like before_tokens = ... have their values redacted
Expected Behavior
Only ALL-uppercase environment variable assignments should be redacted:
API_KEY=secret123 → API_KEY=*** ✓
OPENAI_API_KEY=sk-abc... → OPENAI_API_KEY=*** ✓
Lowercase Python variable assignments should pass through unchanged:
before_tokens = self._estimate...() → before_tokens = self._estimate...() ✓
api_key = secret → api_key = secret ✓
Actual Behavior
Both environment variables AND lowercase Python variables were being redacted:
API_KEY=secret123 → API_KEY=*** ✓
before_tokens = self._estimate...() → before_tokens = *** ✗
api_key = secret → api_key = *** ✗
Affected Component
- Agent Core (conversation loop, context compression, memory)
Operating System
Ubuntu 24.04
Python Version
3.13.5
Hermes Version
0.6
Root Cause Analysis
The bug is in agent/redact.py line 57:
_ENV_ASSIGN_RE = re.compile(
    rf"([A-Z_]*{_SECRET_ENV_NAMES}[A-Z_]*)\s*=\s*(['\"]?)(\S+)\2",
    re.IGNORECASE,  # ← This flag caused lowercase matches
)
The re.IGNORECASE flag caused the [A-Z_] character class to match lowercase letters as well. Additionally, the regex lacked a proper anchor at the start, allowing it to match mid-word.
Proposed Fix
- Remove the re.IGNORECASE flag
- Add a (?:(?:^|\s)) anchor before the variable name to match from start of string or whitespace
- Add regression test test_lowercase_python_vars_not_redacted
import re

_SECRET_ENV_NAMES = r"(?:API_?KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|AUTH)"
# Case-sensitive; [A-Z_]* (not +) so a bare name such as API_KEY still matches.
_ENV_ASSIGN_RE = re.compile(
    rf"(?:(?:^|\s))([A-Z_]*{_SECRET_ENV_NAMES}[A-Z_]*)\s*=\s*(['\"]?)(\S+)\2",
)
Are you willing to submit a PR for this?
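An added example, not code from the Hermes code base: it runs the pattern quoted in the root-cause section and the anchored, case-sensitive variant over constructed log lines and lists which lowercase assignments each one alters. The `redact` and `false_positives` helpers and the sample values are assumptions made here, and the name prefix is written as `[A-Z_]*` so that a bare `API_KEY` is still masked.

```python
import re

# Name fragments as listed in the report's proposed fix.
_SECRET_ENV_NAMES = r"(?:API_?KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|AUTH)"
_BODY = rf"([A-Z_]*{_SECRET_ENV_NAMES}[A-Z_]*)\s*=\s*(['\"]?)(\S+)\2"

# Pattern quoted in the root-cause section: case-insensitive, unanchored.
OLD_RE = re.compile(_BODY, re.IGNORECASE)
# Case-sensitive, anchored at start of string or after whitespace.
NEW_RE = re.compile(rf"(?:^|\s){_BODY}")

MASK = "***"


def redact(pattern, text):
    """Mask only the value (group 3) so the name, spacing, quotes and the
    whitespace consumed by the anchor all survive the substitution."""
    def _mask(m):
        whole, off = m.group(0), m.start(0)
        return whole[: m.start(3) - off] + MASK + whole[m.end(3) - off:]
    return pattern.sub(_mask, text)


# Constructed log lines; the secret values are made up.
SAMPLES = [
    "API_KEY=secret123",
    "OPENAI_API_KEY=sk-constructed",
    "export GITHUB_TOKEN='constructed-value'",
    "before_tokens = self._estimate_current_context_tokens()",
    "api_key = secret",
]


def false_positives(pattern, samples=SAMPLES):
    """Lines whose assigned name is not all-uppercase but were still changed."""
    hits = []
    for line in samples:
        name = line.split("=", 1)[0].split()[-1]
        if not name.isupper() and redact(pattern, line) != line:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r}\n  old: {redact(OLD_RE, line)!r}\n  new: {redact(NEW_RE, line)!r}")
    print("old false positives:", false_positives(OLD_RE))
    print("new false positives:", false_positives(NEW_RE))
```

Because the anchor consumes the preceding whitespace, a replacement that rebuilds the string from group 1 alone would drop that character; masking by the span of group 3 avoids this.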