From 58d0721240d45cb64fe37b774e9fe21a0bc4cd75 Mon Sep 17 00:00:00 2001
From: OpenSourceSoul
Date: Sun, 1 Feb 2026 16:16:12 +0000
Subject: [PATCH] fix: change trace_include_sensitive_data default to False for security
By default, trace_include_sensitive_data was set to True, which meant sensitive data (tool inputs/outputs, LLM generations) was included in traces without explicit user consent. This is a security risk as it could lead to accidental data leakage of PII, secrets, or confidential info.
This change makes the SDK secure-by-default:
- Changed OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA env default from 'true' to 'false'
- Changed VoicePipelineConfig.trace_include_sensitive_data default from True to False
- Updated tests to reflect new secure-by-default behavior
Users can still opt-in to include sensitive data by:
1. Setting OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA=true environment variable
2. Explicitly passing trace_include_sensitive_data=True to RunConfig or VoicePipelineConfig
Security impact: Prevents accidental exposure of sensitive data in production deployments.
---
 src/agents/run_config.py | 2 +-
 src/agents/voice/pipeline_config.py | 7 ++++---
 tests/test_run_config.py | 6 +++---
 3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/agents/run_config.py b/src/agents/run_config.py
index fc0eb2b17d..73428963d4 100644
--- a/src/agents/run_config.py
+++ b/src/agents/run_config.py
@@ -28,7 +28,7 @@
 def _default_trace_include_sensitive_data() -> bool:
 """Return the default for trace_include_sensitive_data based on environment."""
- val = os.getenv("OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA", "true")
+ val = os.getenv("OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA", "false")
 return val.strip().lower() in ("1", "true", "yes", "on")
diff --git a/src/agents/voice/pipeline_config.py b/src/agents/voice/pipeline_config.py
index eed2ab6940..d0ffb2d865 100644
--- a/src/agents/voice/pipeline_config.py
+++ b/src/agents/voice/pipeline_config.py
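Review bot: In `src/agents/run_config.py` the docstring of `_default_trace_include_sensitive_data` still says only "based on environment" and does not state that an unset variable now yields `False`. The diffstat shows this is the only line changed in that file, so any documentation on `RunConfig.trace_include_sensitive_data` that mentions a `True` default (not visible in this hunk) is left stale. I would extend the docstring to `"""Return the default for trace_include_sensitive_data: False unless the env var is 1/true/yes/on."""`. Because the change silently alters what existing deployments record, a changelog or upgrade note would help operators who rely on trace contents for debugging or incident review.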
@@ -22,9 +22,10 @@ class VoicePipelineConfig:
 tracing: TracingConfig | None = None
 """Tracing configuration for this pipeline."""
- trace_include_sensitive_data: bool = True
- """Whether to include sensitive data in traces. Defaults to `True`. This is specifically for the
- voice pipeline, and not for anything that goes on inside your Workflow."""
+ trace_include_sensitive_data: bool = False
+ """Whether to include sensitive data in traces. Defaults to `False` for security. When enabled,
+ tool inputs/outputs and LLM generations may be exposed in traces. Only enable in trusted
+ environments."""
 trace_include_sensitive_audio_data: bool = True
 """Whether to include audio data in traces. Defaults to `True`."""
diff --git a/tests/test_run_config.py b/tests/test_run_config.py
index 31d6d0a46a..059da1b43a 100644
--- a/tests/test_run_config.py
+++ b/tests/test_run_config.py
@@ -88,11 +88,11 @@ async def test_agent_model_object_is_used_when_present() -> None:
 assert result.final_output == "from-agent-object"
-def test_trace_include_sensitive_data_defaults_to_true_when_env_not_set(monkeypatch):
- """By default, trace_include_sensitive_data should be True when the env is not set."""
+def test_trace_include_sensitive_data_defaults_to_false_when_env_not_set(monkeypatch):
+ """By default, trace_include_sensitive_data should be False for security when the env is not set."""
 monkeypatch.delenv("OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA", raising=False)
 config = RunConfig()
- assert config.trace_include_sensitive_data is True
+ assert config.trace_include_sensitive_data is False
 @pytest.mark.parametrize(
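Review bot: `trace_include_sensitive_audio_data`, directly below the changed field in `VoicePipelineConfig`, still defaults to `True`. Unless the pipeline gates audio capture on `trace_include_sensitive_data` (not visible in this hunk), recorded speech is still written to traces by default, which contradicts the secure-by-default goal in the commit message. Either flip it in the same change or document why audio is kept, e.g. `# NOTE: audio is still traced by default; set to False where recordings may contain PII`. The new docstring also drops the sentence saying the flag applies to the voice pipeline only and not to the Workflow; I would keep that scope sentence, since the Workflow's own tracing is presumably configured separately.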
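Review bot: No test pins the new `VoicePipelineConfig` default; the diffstat shows `tests/test_run_config.py` as the only test file touched, and the renamed test covers `RunConfig()` only. A regression that restores `True` in `pipeline_config.py` would pass unnoticed, so I would add `assert VoicePipelineConfig().trace_include_sensitive_data is False` to the voice tests (an existing test file for it may exist outside this patch). The `@pytest.mark.parametrize(` test that follows continues outside the hunk.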