Use config.default_mask_strategy instead of hardcoded values

[smrutisahoo10]

🔗 Related Issue

Closes #3724

---

📝 Summary

Fixes bug where default_mask_strategy configuration was ignored for built-in PII types in PIIFilterPlugin. The plugin was using hardcoded MaskingStrategy.PARTIAL values instead of respecting the configured strategy.

Changes:

• Changed 20+ hardcoded mask_strategy=MaskingStrategy.PARTIAL to mask_strategy=self.config.default_mask_strategy in _compile_patterns() method

Impact:

• Users can now control PII masking behavior via configuration (redact, partial, hash, tokenize, remove) instead of being forced to use hardcoded partial masking.

---

🏷️ Type of Change

• Bug fix
• Feature / Enhancement
• Documentation
• Refactor
• Chore (deps, CI, tooling)
• Other (describe below)

---

🧪 Verification

Check	Command	Status
Lint suite	make lint	Pass
Unit tests	make test	Pass
Coverage ≥ 80%	make coverage	Pass

---

✅ Checklist

• Code formatted (make black isort pre-commit)
• Tests added/updated for changes
• Documentation updated (if applicable)
• No secrets or credentials committed

---

📓 Notes (optional)

Screenshots, design decisions, or additional context.

[crivetimihai]

Thanks @smrutisahoo10 — good cleanup, replacing hardcoded mask strategy values with config-driven ones.

[crivetimihai]

Thanks @smrutisahoo10 — good cleanup, replacing hardcoded mask strategy values with config-driven ones.

Rebased onto main and resolved merge conflicts (the AWS_KEY/API_KEY PII types were removed upstream, so those sections were dropped). Added differential regression tests covering all five masking strategies and a detect-secrets pragma fix for the test fixture.

A few notes from the review:

• Correctness: The fix is sound. The hardcoded mask_strategy values on each PIIPattern made the default_mask_strategy config a no-op for built-in types, since mask() always found an explicit value and the fallback was dead code. This PR makes the config work as documented.

• Security: The default MaskingStrategy.REDACT is preserved, so out-of-the-box behavior is actually more secure now — types like SSN, email, and phone that previously defaulted to PARTIAL (leaking partial data) now default to full redaction.

• Rust parity note: The Rust implementation (pii_filter_rust) still has its own hardcoded per-type strategies that override the global default. The existing Rust-specific tests verify this is intentional. If Rust should also honor default_mask_strategy, that would be a separate follow-up issue.

Changes I pushed on top of the original commit:

• Resolved rebase conflict (dropped removed AWS_KEY/API_KEY sections)
• Added TestPythonDefaultMaskStrategyHonored class with 11 regression tests
• Added PIIPattern to test imports and # pragma: allowlist secret on a pre-existing test fixture line

[crivetimihai]

Looks good — fix is correct, default behavior is more secure, and differential tests are in place. Approving.

[jonpspri]

@lucarlig Can we please check this change against the Rust plugin? Leaving in draft pending resolution.

[lucarlig]

@jonpspri checked. The Rust-backed detector was still hardcoding built-in mask strategies, so default_mask_strategy was still ignored when Rust is active.

The correct follow-up lives in IBM/cpex-plugins:

• Issue: [BUG]: Rust pii_filter ignores default_mask_strategy for built-in patterns cpex-plugins#22
• Draft PR: fix: honor default mask strategy in rust pii filter cpex-plugins#23

I also closed the mistaken mcp-context-forge follow-up issue/PR that I opened first.

cpex-plugins#23 updates the Rust pattern handling to honor the global default while keeping explicit custom-pattern overrides, and it includes verified Rust and plugin-level test coverage.