Use case
Regression probe for a bug where outbound PII redaction corrupted JSON request bodies. When Presidio classified a name like “Aarav Sharma” asPERSON, the span could grab a neighbouring JSON quote character.
Substituting the redaction token into the raw body broke JSON syntax,
causing upstream APIs (e.g. OpenAI) to return 400 “could not parse the
JSON body”.
After the fix, each JSON string value is scanned in isolation so entity
spans cannot cross structural characters. The re-serialised body is
guaranteed to stay valid JSON regardless of replacement length.
What you’ll learn
- How outbound PII scanning interacts with JSON request bodies
- Why per-value scanning is necessary (vs. scanning the whole body as one string)
- Testing the fix end-to-end with a real OpenAI API call
Prerequisites
Also:Code walkthrough
The security policy enables PII redaction with rehydration on, so the sandbox code receives a normal-looking response from the LLM:Aarav Sharma) — the minimum trigger for the original bug.
It uses stdlib urllib so it runs on the minimal sandbox template
without extra dependencies:
Expected output
STATUS: 200 means the JSON body arrived intact at OpenAI after
redaction. If the body were corrupted, OpenAI would return a 400 and
the probe would report FAIL.
Full source
Seecookbook/examples/pii-json-body-safety/main.py in the repo.