fix(logs): run PII redaction over HTTP and fix Presidio provisioning

TheodoreSpeaks · TheodoreSpeaks · commit 34ab1d23fa8f · 2026-06-19T18:09:13.000-07:00
- resolve the guardrails venv via candidate paths and fail fast instead of
  silently falling back to system python3 (the misleading "Presidio not
  installed" that broke redaction and the guardrails block in deployed runtimes)
- install the en_core_web_lg spaCy model in setup.sh and app.Dockerfile
- route log redaction through an internal /api/guardrails/mask-batch endpoint
  so Presidio always runs in the app container, including async executions that
  persist inside the trigger.dev runtime
diff --git a/apps/sim/app/api/guardrails/mask-batch/route.test.ts b/apps/sim/app/api/guardrails/mask-batch/route.test.ts
@@ -0,0 +1,64 @@
+/**
+ * @vitest-environment node
+ */
+import { createMockRequest } from '@sim/testing'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+const { mockCheckInternalAuth, mockMaskPIIBatch } = vi.hoisted(() => ({
+  mockCheckInternalAuth: vi.fn(),
+  mockMaskPIIBatch: vi.fn(),
+}))
+
+vi.mock('@/lib/auth/hybrid', () => ({
+  checkInternalAuth: mockCheckInternalAuth,
+}))
+
+vi.mock('@/lib/guardrails/validate_pii', () => ({
+  maskPIIBatch: mockMaskPIIBatch,
+}))
+
+import { POST } from '@/app/api/guardrails/mask-batch/route'
+
+describe('POST /api/guardrails/mask-batch', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    mockCheckInternalAuth.mockResolvedValue({ success: true })
+    mockMaskPIIBatch.mockImplementation(async (texts: string[]) => texts.map((t) => `M(${t})`))
+  })
+
+  it('returns 401 without internal auth', async () => {
+    mockCheckInternalAuth.mockResolvedValue({
+      success: false,
+      error: 'Internal authentication required',
+    })
+
+    const res = await POST(
+      createMockRequest('POST', { texts: ['a@b.com'], entityTypes: ['EMAIL_ADDRESS'] })
+    )
+
+    expect(res.status).toBe(401)
+    expect(mockMaskPIIBatch).not.toHaveBeenCalled()
+  })
+
+  it('masks the batch in-process and preserves order', async () => {
+    const res = await POST(
+      createMockRequest('POST', {
+        texts: ['a@b.com', 'hello'],
+        entityTypes: ['EMAIL_ADDRESS'],
+        language: 'en',
+      })
+    )
+
+    expect(res.status).toBe(200)
+    const json = await res.json()
+    expect(json.masked).toEqual(['M(a@b.com)', 'M(hello)'])
+    expect(mockMaskPIIBatch).toHaveBeenCalledWith(['a@b.com', 'hello'], ['EMAIL_ADDRESS'], 'en')
+  })
+
+  it('rejects an invalid body with 400', async () => {
+    const res = await POST(createMockRequest('POST', { texts: 'not-an-array', entityTypes: [] }))
+
+    expect(res.status).toBe(400)
+    expect(mockMaskPIIBatch).not.toHaveBeenCalled()
+  })
+})
diff --git a/apps/sim/app/api/guardrails/mask-batch/route.ts b/apps/sim/app/api/guardrails/mask-batch/route.ts
@@ -0,0 +1,31 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { guardrailsMaskBatchContract } from '@/lib/api/contracts'
+import { parseRequest } from '@/lib/api/server'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import { maskPIIBatch } from '@/lib/guardrails/validate_pii'
+
+const logger = createLogger('GuardrailsMaskBatchAPI')
+
+/**
+ * Internal batch PII masking. The log-redaction persist path runs in both the
+ * Next.js server and the trigger.dev runtime, but Presidio (Python venv) lives
+ * only in the app container — so redaction calls this endpoint server-to-server
+ * (internal JWT) to keep Presidio centralized here.
+ */
+export const POST = withRouteHandler(async (request: NextRequest) => {
+  const auth = await checkInternalAuth(request, { requireWorkflowId: false })
+  if (!auth.success) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const parsed = await parseRequest(guardrailsMaskBatchContract, request, {})
+  if (!parsed.success) return parsed.response
+
+  const { texts, entityTypes, language } = parsed.data.body
+
+  const masked = await maskPIIBatch(texts, entityTypes, language)
+  logger.info('Masked PII batch', { count: texts.length })
+  return NextResponse.json({ masked })
+})
diff --git a/apps/sim/lib/api/contracts/hotspots.ts b/apps/sim/lib/api/contracts/hotspots.ts
@@ -45,6 +45,34 @@ export const guardrailsValidateContract = defineRouteContract({
   },
 })
 
+const guardrailsMaskBatchBodySchema = z.object({
+  texts: z.array(z.string()).max(100_000),
+  entityTypes: z.array(z.string().min(1, 'Entity type cannot be empty')).max(200),
+  language: z.string().min(1).max(20).optional(),
+})
+
+const guardrailsMaskBatchResponseSchema = z.object({
+  masked: z.array(z.string()),
+})
+
+/**
+ * Internal batch PII masking. Called server-to-server (internal JWT) from the
+ * log-redaction persist path so Presidio always runs in the app container,
+ * including for async executions that persist inside the trigger.dev runtime.
+ */
+export const guardrailsMaskBatchContract = defineRouteContract({
+  method: 'POST',
+  path: '/api/guardrails/mask-batch',
+  body: guardrailsMaskBatchBodySchema,
+  response: {
+    mode: 'json',
+    schema: guardrailsMaskBatchResponseSchema,
+  },
+})
+
+export type GuardrailsMaskBatchBody = z.input<typeof guardrailsMaskBatchBodySchema>
+export type GuardrailsMaskBatchResult = z.output<typeof guardrailsMaskBatchResponseSchema>
+
 const chatMessageSchema = z.object({
   role: z.enum(['user', 'assistant', 'system']),
   content: z.string(),
diff --git a/apps/sim/lib/guardrails/mask-client.ts b/apps/sim/lib/guardrails/mask-client.ts
@@ -0,0 +1,44 @@
+import type { GuardrailsMaskBatchResult } from '@/lib/api/contracts'
+import { generateInternalToken } from '@/lib/auth/internal'
+import { getInternalApiBaseUrl } from '@/lib/core/utils/urls'
+
+/**
+ * Mask PII across many strings via the internal app-container endpoint.
+ *
+ * Presidio (a Python venv) only exists in the app container, but the
+ * log-redaction persist path also runs inside the trigger.dev runtime — so
+ * redaction always routes through HTTP, the same way the guardrails tool does.
+ * Order is preserved: the returned array matches `texts` length.
+ *
+ * Rejects on any non-2xx or shape mismatch so the caller can apply its own
+ * fail-safe (scrubbing rather than leaking).
+ */
+export async function maskPIIBatchViaHttp(
+  texts: string[],
+  entityTypes: string[],
+  language?: string
+): Promise<string[]> {
+  const token = await generateInternalToken()
+  const url = `${getInternalApiBaseUrl()}/api/guardrails/mask-batch`
+
+  // boundary-raw-fetch: internal server-to-server call to the app container (internal JWT auth, configurable base URL)
+  const response = await fetch(url, {
+    method: 'POST',
+    headers: {
+      'content-type': 'application/json',
+      authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify({ texts, entityTypes, language }),
+  })
+
+  if (!response.ok) {
+    const detail = await response.text().catch(() => '')
+    throw new Error(`PII mask-batch request failed (${response.status}): ${detail.slice(0, 200)}`)
+  }
+
+  const data = (await response.json()) as GuardrailsMaskBatchResult
+  if (!Array.isArray(data.masked) || data.masked.length !== texts.length) {
+    throw new Error('PII mask-batch returned an unexpected result')
+  }
+  return data.masked
+}
diff --git a/apps/sim/lib/guardrails/setup.sh b/apps/sim/lib/guardrails/setup.sh
@@ -30,6 +30,11 @@ source "$VENV_DIR/bin/activate"
 pip install --upgrade pip
 pip install -r "$SCRIPT_DIR/requirements.txt"
 
+# Presidio's default AnalyzerEngine loads the en_core_web_lg spaCy model; it is
+# not a pip dependency, so download the version compatible with the installed spaCy.
+echo "Downloading spaCy model (en_core_web_lg)..."
+python -m spacy download en_core_web_lg
+
 echo ""
 echo "✅ Setup complete! Guardrails validators are ready to use."
 echo ""
diff --git a/apps/sim/lib/guardrails/validate_pii.ts b/apps/sim/lib/guardrails/validate_pii.ts
@@ -13,6 +13,33 @@ const DEFAULT_TIMEOUT = 30000 // 30 seconds
  */
 const PII_CHUNK_MAX_BYTES = 256 * 1024
 
+/**
+ * Resolve the guardrails Presidio interpreter + script path.
+ *
+ * `process.cwd()` is not stable across runtimes — the Next standalone container
+ * launches from the monorepo root while local dev and some paths run from
+ * `apps/sim` — so probe both layouts (mirrors the candidate-path resolution in
+ * `lib/execution/isolated-vm.ts`). Requires the bundled venv: throws if it is
+ * absent rather than silently falling back to the system `python3`, which has no
+ * Presidio and reports a misleading "not installed".
+ */
+function resolveGuardrailsPython(): { pythonCmd: string; scriptPath: string } {
+  const candidateDirs = [
+    path.join(process.cwd(), 'apps', 'sim', 'lib', 'guardrails'),
+    path.join(process.cwd(), 'lib', 'guardrails'),
+  ]
+  for (const dir of candidateDirs) {
+    const venvPython = path.join(dir, 'venv', 'bin', 'python3')
+    if (fs.existsSync(venvPython)) {
+      return { pythonCmd: venvPython, scriptPath: path.join(dir, 'validate_pii.py') }
+    }
+  }
+  const probed = candidateDirs.map((d) => path.join(d, 'venv', 'bin', 'python3')).join(', ')
+  throw new Error(
+    `Guardrails Presidio venv not found (looked in ${probed}). Provision it with apps/sim/lib/guardrails/setup.sh locally, or verify the image build installs it.`
+  )
+}
+
 export interface PIIValidationInput {
   text: string
   entityTypes: string[] // e.g., ["PERSON", "EMAIL_ADDRESS", "CREDIT_CARD"]
@@ -136,10 +163,7 @@ export async function maskPIIBatch(
  */
 function runPythonScript<T>(payload: Record<string, unknown>): Promise<T> {
   return new Promise((resolve, reject) => {
-    const guardrailsDir = path.join(process.cwd(), 'lib/guardrails')
-    const scriptPath = path.join(guardrailsDir, 'validate_pii.py')
-    const venvPython = path.join(guardrailsDir, 'venv/bin/python3')
-    const pythonCmd = fs.existsSync(venvPython) ? venvPython : 'python3'
+    const { pythonCmd, scriptPath } = resolveGuardrailsPython()
 
     const python = spawn(pythonCmd, [scriptPath])
     let stdout = ''
@@ -208,14 +232,7 @@ async function executePythonPIIDetection(
   requestId: string
 ): Promise<PIIValidationResult> {
   return new Promise((resolve, reject) => {
-    // Use path relative to project root
-    // In Next.js, process.cwd() returns the project root
-    const guardrailsDir = path.join(process.cwd(), 'lib/guardrails')
-    const scriptPath = path.join(guardrailsDir, 'validate_pii.py')
-    const venvPython = path.join(guardrailsDir, 'venv/bin/python3')
-
-    // Use venv Python if it exists, otherwise fall back to system python3
-    const pythonCmd = fs.existsSync(venvPython) ? venvPython : 'python3'
+    const { pythonCmd, scriptPath } = resolveGuardrailsPython()
 
     const python = spawn(pythonCmd, [scriptPath])
 
diff --git a/apps/sim/lib/logs/execution/pii-redaction.test.ts b/apps/sim/lib/logs/execution/pii-redaction.test.ts
@@ -7,8 +7,8 @@ const { mockMaskPIIBatch } = vi.hoisted(() => ({
   mockMaskPIIBatch: vi.fn(),
 }))
 
-vi.mock('@/lib/guardrails/validate_pii', () => ({
-  maskPIIBatch: mockMaskPIIBatch,
+vi.mock('@/lib/guardrails/mask-client', () => ({
+  maskPIIBatchViaHttp: mockMaskPIIBatch,
 }))
 
 import { REDACTION_FAILED_MARKER, redactPIIFromExecution } from '@/lib/logs/execution/pii-redaction'
diff --git a/apps/sim/lib/logs/execution/pii-redaction.ts b/apps/sim/lib/logs/execution/pii-redaction.ts
@@ -1,5 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { getErrorMessage } from '@sim/utils/errors'
+import { maskPIIBatchViaHttp } from '@/lib/guardrails/mask-client'
 
 const logger = createLogger('PiiRedaction')
 
@@ -158,11 +159,9 @@ export async function redactPIIFromExecution(
     masked = collected.map(() => REDACTION_FAILED_MARKER)
   } else {
     try {
-      // Lazy import keeps the Python-spawning guardrails module (child_process +
-      // a `lib/guardrails` dir reference) out of the static middleware/RSC graph;
-      // it's only loaded at runtime on the Node log-persist path.
-      const { maskPIIBatch } = await import('@/lib/guardrails/validate_pii')
-      masked = await maskPIIBatch(collected, entityTypes, language)
+      // Presidio runs only in the app container; the persist path also runs in
+      // the trigger.dev runtime, so masking always goes over HTTP to the app.
+      masked = await maskPIIBatchViaHttp(collected, entityTypes, language)
     } catch (error) {
       logger.error('PII masking failed; scrubbing text to avoid leaking PII', {
         error: getErrorMessage(error),
diff --git a/docker/app.Dockerfile b/docker/app.Dockerfile
@@ -118,11 +118,14 @@ COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/lib/execution/sandbox/bu
 COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/lib/guardrails/requirements.txt ./apps/sim/lib/guardrails/requirements.txt
 COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/lib/guardrails/validate_pii.py ./apps/sim/lib/guardrails/validate_pii.py
 
-# Install Python dependencies with pip cache mount for faster rebuilds
+# Install Python dependencies with pip cache mount for faster rebuilds.
+# Presidio's default AnalyzerEngine loads en_core_web_lg, which is not a pip
+# dependency — download the spaCy model into the venv after installing Presidio.
 RUN --mount=type=cache,target=/root/.cache/pip \
     python3 -m venv ./apps/sim/lib/guardrails/venv && \
     ./apps/sim/lib/guardrails/venv/bin/pip install --upgrade pip && \
     ./apps/sim/lib/guardrails/venv/bin/pip install -r ./apps/sim/lib/guardrails/requirements.txt && \
+    ./apps/sim/lib/guardrails/venv/bin/python -m spacy download en_core_web_lg && \
     chown -R nextjs:nodejs /app/apps/sim/lib/guardrails
 
 # Create .next/cache directory with correct ownership
diff --git a/scripts/check-api-validation-contracts.ts b/scripts/check-api-validation-contracts.ts
@@ -9,8 +9,8 @@ const QUERY_HOOKS_DIR = path.join(ROOT, 'apps/sim/hooks/queries')
 const SELECTOR_HOOKS_DIR = path.join(ROOT, 'apps/sim/hooks/selectors')
 
 const BASELINE = {
-  totalRoutes: 859,
-  zodRoutes: 859,
+  totalRoutes: 860,
+  zodRoutes: 860,
   nonZodRoutes: 0,
 } as const
 
