LCORE-1831: Implement Redaction Safety Capability in Pydantic AI

[arin-deloatch]

Description

Add a regex-based PII redaction capability for pydantic-ai agents. This introduces:

• Core engine (core.py): redact_text() function and immutable RedactionResult model for
  sequential regex-based text substitution
• Configuration (config.py): RedactionRule and RedactionConfig Pydantic models with
  compile-time pattern validation and per-rule/global case sensitivity controls
• Capability (capability.py): PiiRedactionCapability integrating with pydantic-ai's
  AbstractCapability to redact user prompts before model requests and model response text before
  returning to the caller

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up service version
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change
• Unit tests improvement
• Integration tests improvement
• End to end tests improvement
• Benchmarks improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

• Assisted-by: Claude Code (Claude Opus 4.6)
• Generated by: N/A

Related Tickets & Documents

• Closes LCORE-1831

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

• uv run make format — passes, no reformats
• uv run make verify — all linters pass (black, pylint 10/10, pyright 0 errors, ruff, pydocstyle,
  mypy, lint-openapi)
• uv run pytest tests/unit/pydantic_ai_lightspeed/capabilities/ -v — 51/51 tests pass
• Coverage: 99% (2 uncovered lines in capability.py)

Summary by CodeRabbit

• New Features

  • Added a PII redaction capability that automatically detects and redacts sensitive information from user prompts and model responses using configurable regex patterns with customizable replacement rules and case-sensitivity controls.

• Tests

  • Added comprehensive unit tests covering redaction configuration, core functionality, and lifecycle integration scenarios.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 995034c8-2bf1-4391-8c97-2ee158a8bcbe

📥 Commits

Reviewing files that changed from the base of the PR and between 6116ef7 and f5586a7.

📒 Files selected for processing (10)

• src/pydantic_ai_lightspeed/capabilities/__init__.py
• src/pydantic_ai_lightspeed/capabilities/redaction/__init__.py
• src/pydantic_ai_lightspeed/capabilities/redaction/capability.py
• src/pydantic_ai_lightspeed/capabilities/redaction/config.py
• src/pydantic_ai_lightspeed/capabilities/redaction/core.py
• tests/unit/pydantic_ai_lightspeed/capabilities/__init__.py
• tests/unit/pydantic_ai_lightspeed/capabilities/redaction/__init__.py
• tests/unit/pydantic_ai_lightspeed/capabilities/redaction/test_capability.py
• tests/unit/pydantic_ai_lightspeed/capabilities/redaction/test_config.py
• tests/unit/pydantic_ai_lightspeed/capabilities/redaction/test_core.py

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)

• GitHub Check: E2E: server mode / ci / group 2
• GitHub Check: E2E: library mode / ci / group 1
• GitHub Check: E2E: server mode / ci / group 1
• GitHub Check: E2E: library mode / ci / group 2
• GitHub Check: E2E: library mode / ci / group 3
• GitHub Check: E2E: server mode / ci / group 3
• GitHub Check: E2E Tests for Lightspeed Evaluation job

🧰 Additional context used

📓 Path-based instructions (3)

src/**/*.py

📄 CodeRabbit inference engine (AGENTS.md)

src/**/*.py: Use absolute imports for internal modules: from authentication import get_auth_dependency
Llama Stack imports: Use from llama_stack_client import AsyncLlamaStackClient
Check constants.py for shared constants before defining new ones
All modules must start with descriptive docstrings explaining purpose
Use logger = get_logger(__name__) from log.py for module logging
All functions must have complete type annotations for parameters and return types, use modern syntax (str | int), and include descriptive docstrings
Use snake_case with descriptive, action-oriented names for functions (get_, validate_, check_)
Avoid in-place parameter modification anti-patterns; return new data structures instead of modifying function parameters
Use async def for I/O operations and external API calls
Use standard log levels with clear purposes: debug() for diagnostic info, info() for program execution, warning() for unexpected events, error() for serious problems
All classes must have descriptive docstrings explaining purpose and use PascalCase with standard suffixes: Configuration, Error/Exception, Resolver, Interface
Abstract classes must use ABC with @abstractmethod decorators
Follow Google Python docstring conventions with required sections: Parameters, Returns, Raises, and Attributes for classes

Files:

• src/pydantic_ai_lightspeed/capabilities/__init__.py
• src/pydantic_ai_lightspeed/capabilities/redaction/__init__.py
• src/pydantic_ai_lightspeed/capabilities/redaction/core.py
• src/pydantic_ai_lightspeed/capabilities/redaction/config.py
• src/pydantic_ai_lightspeed/capabilities/redaction/capability.py

src/**/__init__.py

📄 CodeRabbit inference engine (AGENTS.md)

Package __init__.py files must contain brief package descriptions

Files:

• src/pydantic_ai_lightspeed/capabilities/__init__.py
• src/pydantic_ai_lightspeed/capabilities/redaction/__init__.py

tests/**/*.py

📄 CodeRabbit inference engine (AGENTS.md)

tests/**/*.py: Use pytest for all unit and integration tests; do not use unittest
Use pytest.mark.asyncio marker for async tests

Files:

• tests/unit/pydantic_ai_lightspeed/capabilities/redaction/__init__.py
• tests/unit/pydantic_ai_lightspeed/capabilities/__init__.py
• tests/unit/pydantic_ai_lightspeed/capabilities/redaction/test_config.py
• tests/unit/pydantic_ai_lightspeed/capabilities/redaction/test_core.py
• tests/unit/pydantic_ai_lightspeed/capabilities/redaction/test_capability.py

🔇 Additional comments (11)

src/pydantic_ai_lightspeed/capabilities/__init__.py (1)

1-1: LGTM!

src/pydantic_ai_lightspeed/capabilities/redaction/__init__.py (1)

1-21: LGTM!

tests/unit/pydantic_ai_lightspeed/capabilities/__init__.py (1)

1-1: LGTM!

tests/unit/pydantic_ai_lightspeed/capabilities/redaction/__init__.py (1)

1-1: LGTM!

src/pydantic_ai_lightspeed/capabilities/redaction/core.py (1)

1-56: LGTM!

tests/unit/pydantic_ai_lightspeed/capabilities/redaction/test_core.py (1)

1-154: LGTM!

src/pydantic_ai_lightspeed/capabilities/redaction/config.py (2)

14-107: LGTM!

---

8-8: Remove the ConfigurationBase import-path change suggestion

ConfigurationBase is defined in src/models/config.py, so from models.config import ConfigurationBase (line 8) is the correct import. The differing pydantic_ai_lightspeed... prefix on lines 9–11 is for a different top-level package (pydantic_ai_lightspeed), so no change is required for consistency.

tests/unit/pydantic_ai_lightspeed/capabilities/redaction/test_config.py (1)

1-158: LGTM!

src/pydantic_ai_lightspeed/capabilities/redaction/capability.py (1)

1-323: LGTM!

tests/unit/pydantic_ai_lightspeed/capabilities/redaction/test_capability.py (1)

1-317: LGTM!

---

Walkthrough

This pull request introduces a configurable PII redaction capability for Pydantic AI Lightspeed Core Stack. The implementation provides regex-based pattern matching and replacement logic, configuration models with compiled pattern caching, and integration with Pydantic AI's request/response lifecycle hooks.

Changes

PII Redaction Capability Implementation

Layer / File(s)	Summary
Core redaction types and text processing src/pydantic_ai_lightspeed/capabilities/redaction/core.py, tests/unit/pydantic_ai_lightspeed/capabilities/redaction/test_core.py	CompiledPatterns type alias and RedactionResult frozen model define the redaction output shape. redact_text applies compiled regex patterns sequentially to input, accumulating substitution counts and returning redaction metadata. Tests validate immutability, no-match passthrough, single/multiple pattern application, and case-sensitivity behavior.
Configuration models and pattern compilation src/pydantic_ai_lightspeed/capabilities/redaction/config.py, tests/unit/pydantic_ai_lightspeed/capabilities/redaction/test_config.py	RedactionRule captures pattern, replacement, and optional case-sensitive override. RedactionConfig holds ordered rules, global case-sensitivity flag, and compiles patterns at model construction time via @model_validator, exposing compiled patterns through a defensive copy property. Tests cover rule construction, regex compilation, case-sensitivity handling, and property immutability.
PiiRedactionCapability and message traversal src/pydantic_ai_lightspeed/capabilities/redaction/capability.py, tests/unit/pydantic_ai_lightspeed/capabilities/redaction/test_capability.py	Helpers (_redact_string_content, _redact_text_content, _redact_content_item/list, _redact_user_prompt_part, _redact_message_parts, _redact_model_request, _redact_messages, _redact_response) recursively traverse and redact message structures, preserving identity when no changes occur. PiiRedactionCapability dataclass implements before_model_request (redacts user prompts) and after_model_request (redacts response text parts), wiring into Pydantic AI lifecycle. Tests validate redaction across content types and lifecycle hook behavior.
Public API and package structure src/pydantic_ai_lightspeed/capabilities/__init__.py, src/pydantic_ai_lightspeed/capabilities/redaction/__init__.py, tests/unit/pydantic_ai_lightspeed/capabilities/__init__.py, tests/unit/pydantic_ai_lightspeed/capabilities/redaction/__init__.py	Module docstrings document package purpose. Redaction subpackage __all__ list exposes PiiRedactionCapability, RedactionConfig, RedactionRule, RedactionResult, and redact_text as public API.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• asimurka
• tisnik

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and specifically describes the main change: implementing a redaction safety capability for Pydantic AI. It directly relates to all substantial changes across the codebase (core engine, config models, and capability integration).
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[anik120]

I know this is not part of the scope of this PR, but is src/pydantic_ai... leaking implementation detail again @jrobertboos?