Your Hermes agent's audit log is leaking customer emails. Here's a 100-line lib that fixes that.

A zero-dep Python lib that scrubs PII and provider keys from agent logs before they hit S3, the error tracker, or Slack.

lunedì 25 maggio 2026 New tab

793 words~4 min read

This is a submission for the Hermes Agent Challenge.

I built a Hermes agent last week that takes a customer support email, decides whether it needs a refund, and either issues one or escalates to a human. Standard stuff. The agent worked. The problem started the moment I turned on audit logging.

Every run wrote a JSONL row to disk. Every row contained the full inbound message, the tool calls, the tool outputs, and the final reply. Within an hour the log had:

41 customer email addresses

7 partial credit card numbers (people paste them into support tickets, then apologize)

Your Hermes agent's audit log is leaking customer emails. Here's a 100-line lib that fixes that.

Your Hermes agent's audit log is leaking customer emails. Here's a 100-line lib that fixes that.

Related reading

Wrapping Hermes Agent with agent-stack: six tiny libs for the boring parts

Wrap Hermes Agent in a leash: USD caps + egress allowlist + audit log in 30…

My Hermes agent spent $3 before I noticed. Now it can't.

My agent kept hitting context limits. This one function fixed it.

My agent kept forgetting what it was doing. A scratchpad fixed it.

My Hermes agent's stop condition was a 40-line if/elif chain. I replaced it…

Related reading

Wrapping Hermes Agent with agent-stack: six tiny libs for the boring parts

Wrap Hermes Agent in a leash: USD caps + egress allowlist + audit log in 30…

My Hermes agent spent $3 before I noticed. Now it can't.

My agent kept hitting context limits. This one function fixed it.

My agent kept forgetting what it was doing. A scratchpad fixed it.

My Hermes agent's stop condition was a 40-line if/elif chain. I replaced it…