Creates a middleware that detects and redacts personally identifiable information (PII)
from messages before they are sent to model providers, and restores original values
in model responses for tool execution.
Mechanism
The middleware intercepts agent execution at two points:
Request Phase (wrapModelCall)
- Applies regex-based pattern matching to all message content (HumanMessage, ToolMessage, SystemMessage, AIMessage)
- Processes both message text and AIMessage tool call arguments
- Each matched pattern generates:
- Unique identifier:
generateRedactionId() → "abc123"
- Redaction marker:
[REDACTED_{RULE_NAME}_{ID}] → "[REDACTED_SSN_abc123]"
- Redaction map entry:
{ "abc123": "123-45-6789" }
- Returns modified request with redacted message content
Response Phase (afterModel)
- Scans AIMessage responses for redaction markers matching pattern:
/\[REDACTED_[A-Z_]+_(\w+)\]/g
- Replaces markers with original values from redaction map
- Handles both standard responses and structured output (via tool calls or JSON content)
- For structured output, restores values in both the tool call arguments and the
structuredResponse state field
- Returns new message instances via RemoveMessage/AIMessage to update state
Data Flow
User Input: "My SSN is 123-45-6789"
↓ [beforeModel]
Model Request: "My SSN is [REDACTED_SSN_abc123]"
↓ [model invocation]
Model Response: tool_call({ "ssn": "[REDACTED_SSN_abc123]" })
↓ [afterModel]
Tool Execution: tool({ "ssn": "123-45-6789" })
Limitations
This middleware provides model provider isolation only. PII may still be present in:
- LangGraph state checkpoints (memory, databases)
- Network traffic between client and application server
- Application logs and trace data
- Tool execution arguments and responses
- Final agent output
For comprehensive PII protection, implement additional controls at the application,
network, and storage layers.
