This is a submission for the Hermes Agent Challenge.
I built a Hermes agent last week that takes a customer support email, decides whether it needs a refund, and either issues one or escalates to a human. Standard stuff. The agent worked. The problem started the moment I turned on audit logging.
Every run wrote a JSONL row to disk. Every row contained the full inbound message, the tool calls, the tool outputs, and the final reply. Within an hour the log had:
I was about to ship that log to S3 for run-history search. The log was also being mirrored to Sentry on error, and to a Slack channel on escalation. Three places to leak from. Zero scrubbing.
I went looking for a small lib that would clean a string before I wrote it. The options were either a paid API, a heavy NER-based PII detector, or a hand-rolled regex I would have to maintain myself. None of those fit a 200-line agent script.
So I built one. It is called agent-redact
. The whole thing is around 130 lines, zero runtime dependencies, and pip-installs as agent-redact
. Repo: MukundaKatta/agent-redact.
from agent_redact import redact
audit_line = (
"tool=charge_customer args={'email': 'jane.doe@acme.com', "
"'card': '4111 1111 1111 1111'} key=sk-" + "Z" * 40
)
print(redact(audit_line))
Output:
tool=charge_customer args={'email': '<email>', 'card': '<credit-card>'} key=<openai-key>
That is the default mode. One function call, one line of output. The pattern set covers email, US SSN, phone numbers, credit cards (with optional Luhn), and the common provider keys (OpenAI, Anthropic, AWS, GitHub, Google, Stripe, Slack), plus JWTs. No model call, no network, no config file.
The bigger pain with naive redaction is that you lose all join keys. If jane.doe@acme.com
shows up in 30 audit rows, replacing every one with <email>
means you can no longer ask "how many runs did this user trigger today" without going back to raw logs.
agent-redact
ships a hash mode for exactly that case:
redact("user jane.doe@acme.com retried 3 times", mode="hash", salt="rotate-monthly")
Same email, same salt, same six-char tag every time. Different user, different tag. You can group, count, and filter on those tags without ever seeing the underlying address. Rotate the salt monthly and the tags rotate too.
This is the seventh small Python lib I have shipped in the same "boring middleware for agents" family. The others compose with it directly:
agenttrace
writes per-run JSONL with token counts and latency. Pipe that through agent-redact
before storage. There is a 30-line example in examples/integrate_with_agenttrace.py
that walks rows recursively and scrubs every string node.agentleash
writes an audit log proving an agent stayed under a USD cap. Same scrubber, same hash mode, and now the proof you keep around does not double as a PII spill.birddog
is a scraping middleware. If the scraped page is going to a downstream LLM, run redact()
on the page body first so the model never sees the raw payload.Three integration points, one function, no extra deps.
Two things are worth flagging if you read the source.
First, overlap resolution. The Anthropic sk-ant-
prefix is a strict superset of the OpenAI sk-
prefix. Naive iteration over patterns would wrap a key twice, or wrap the wrong label. The fix: collect all matches across all patterns, sort by (earliest start, longest length), then walk forward and skip anything that starts before the previous match ended. Provider keys are listed before generic shapes so the tie-break goes the right way.
Second, the phone pattern needed a separator. The first version matched any 13-digit run, which meant a 16-digit credit card got partially eaten by the phone rule before the card rule ran. Requiring at least one space, dash, or +
prefix in the phone pattern fixed that without losing real phone hits.
pip install agent-redact
python
from agent_redact import redact
print(redact("contact me at jane@example.com"))
Repo with all the patterns and tests: github.com/MukundaKatta/agent-redact.
If you are building a Hermes agent that touches user input, take 10 minutes this weekend and wrap your audit writer. Future-you, the one explaining the S3 bucket to your security team, will thank you.