fix(redact): add code_file param to skip false-positive ENV/JSON patterns #19715

Merged
teknium1 merged 1 commit into main from hermes/hermes-8c54fd4a
May 4, 2026

@teknium1 teknium1 commented May 4, 2026

Contributor

Salvage of #16127 by @ms-alan onto current main.

Summary

ENV_ASSIGN and JSON_FIELD regex patterns in redact_sensitive_text() cause false positives when reading source code files — MAX_TOKENS=*** triggers the ENV-assignment pattern even though it's a constant definition, and "apiKey": "test" in test fixtures matches the JSON-field pattern. Both are safe content in that context. Add a code_file=True flag that skips those two patterns while keeping prefix patterns, auth headers, private keys, DB connstrings, JWTs, and URL secrets always redacted.

Conflict resolution during salvage

Main has since added a force: bool = False keyword-only param to the signature. Merged signatures to accept both kwargs: redact_sensitive_text(text, *, force=False, code_file=False). Docstring updated to explain both flags.

Note on authorship

The contributor's original commit had an empty author email (pander <>, local git-config quirk). Re-attributed to ms-alan <chenb19870707@gmail.com> (GitHub public email) during salvage so the commit passes AUTHOR_MAP validation.

Changes

  • agent/redact.py: code_file=True skips ENV/JSON patterns (+20/-14)

Validation

scripts/run_tests.sh tests/agent/ -k redact -> 78 passed

Original PR: #16127
Fixes: #15934

…erns

ENV-assignment and JSON-field regex patterns in redact_sensitive_text()
cause false positives when reading source code files:
- MAX_TOKENS=*** triggers the ENV assignment pattern
- "apiKey": "test" in test fixtures triggers the JSON field pattern

Add code_file=False parameter. When code_file=True, skip only the
ENV-assignment and JSON-field regex passes; all other patterns (prefixes,
auth headers, private keys, DB connstrings, JWTs, URL secrets) are
still applied.

Update file_tools.py (read_file and search_files) to pass code_file=True
so agent code analysis is not polluted by false-positive redactions.

Closes #15934
@teknium1 teknium1 merged commit 6f864f8 into main May 4, 2026
7 of 10 checks passed
@teknium1 teknium1 deleted the hermes/hermes-8c54fd4a branch May 4, 2026 11:56
@alt-glitch alt-glitch added labels May 4, 2026:
  • type/bug: Something isn't working
  • P2: Medium — degraded but workaround exists
  • comp/agent: Core agent loop, run_agent.py, prompt builder
  • tool/file: File tools (read, write, patch, search)
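
A minimal sketch of the behaviour this PR describes, added here as an example and not the project's code from agent/redact.py: the regexes, `redact_sketch`, `skipped_by_code_file` and the sample text are constructed assumptions. It also lists the lines that only the default mode masks, which is the residual exposure to review when `code_file=True` is passed.

```python
import re

MASK = "***"

# Hypothetical patterns, constructed for illustration; the project's real
# regexes are not shown on this page.
# Name-based patterns: match on what the variable or field is called.
_ENV_ASSIGN = re.compile(r"\b([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)=(\S+)")
_JSON_FIELD = re.compile(r'("(?:api_?key|token|secret|password)"\s*:\s*)"[^"]*"', re.I)
# Value-shaped patterns: match on what the secret itself looks like.
_PREFIX = re.compile(r"\bsk-[A-Za-z0-9]{16,}")
_AUTH = re.compile(r"(Authorization:\s*Bearer\s+)[^\s\"']+")


def redact_sketch(text, *, code_file=False):
    """Mask secrets; code_file=True skips only the two name-based passes."""
    text = _PREFIX.sub(MASK, text)                        # always applied
    text = _AUTH.sub(lambda m: m.group(1) + MASK, text)   # always applied
    if not code_file:
        text = _ENV_ASSIGN.sub(lambda m: m.group(1) + "=" + MASK, text)
        text = _JSON_FIELD.sub(lambda m: m.group(1) + '"' + MASK + '"', text)
    return text


def skipped_by_code_file(text):
    """Lines the default mode masks but code_file=True leaves readable."""
    strict = redact_sketch(text).splitlines()
    relaxed = redact_sketch(text, code_file=True).splitlines()
    return [r for s, r in zip(strict, relaxed) if s != r]


# Constructed sample: two false positives, two value-shaped secrets, and one
# real-looking assignment with no recognisable prefix.
SAMPLE = (
    "MAX_TOKENS=4096\n"
    'fixture = {"apiKey": "test"}\n'
    'headers = "Authorization: Bearer abc.def.ghi"\n'
    "OPENAI_KEY=sk-CONSTRUCTEDEXAMPLE0000000000\n"
    "DB_PASSWORD=hunter2-constructed\n"
)

if __name__ == "__main__":
    print(redact_sketch(SAMPLE, code_file=True))
    for line in skipped_by_code_file(SAMPLE):
        print("not masked in code_file mode:", line)
```

The last sample line shows the trade-off: a prefix-less secret hard-coded in a source file is caught only by the name-based pass, so it stays readable in code-file mode.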

Development

Successfully merging this pull request may close these issues.

bug(redact): ENV/JSON regex patterns cause false positives on source code files

3 participants