fix(security): PII NER times out after 10s on search_code tool output, falls back to regex-only #2516

@bug-ops

Description

Summary

PII Named Entity Recognition consistently times out (10 000 ms) when processing output from the search_code tool, silently falling back to regex-only PII detection.

Observed

WARN zeph_core::agent::tool_execution: PII NER timed out, regex only timeout_ms=10000 tool=search_code

Reproduced in CI-351 background task b1wkf69it (2026-03-31), fresh DB, single-turn query triggering search_code.

Impact

  • PII redaction quality degrades for code search results — regex-only detection misses non-standard PII patterns (names, project-internal identifiers)
  • Graph memory PII guard is weakened for every search_code invocation
  • Every affected call waits the full 10 s NER timeout before the fallback kicks in, adding that latency to each search_code turn

Root cause hypothesis

search_code returns large, structured outputs (multiple file snippets, each with context lines). NER model inference over the whole multi-snippet payload exceeds the 10 s budget. The timeout is probably appropriate for short tool outputs but not for bulk code search results, and because the scan is all-or-nothing, a timeout discards the entire NER pass rather than the part that did not fit.

Suggested fix

  • Apply NER only to a truncated head of the tool output (e.g. first 2 KB) rather than the full payload; anything past the head then gets regex-only coverage, so this trades coverage for bounded latency
  • Or: run NER incrementally per snippet against a deadline and short-circuit on the first PII hit, so a timeout only loses the snippets not yet scanned
  • Or: increase the timeout specifically for search_code / bulk-output tools via per-tool config
  • Add a metric counter for NER timeout occurrences per tool to track prevalence
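The sketch below is an added example of the second and fourth options together (per-snippet NER under a deadline with short-circuit, plus a per-tool timeout counter); it is not zeph_core's code. It assumes search_code separates snippets with a blank line, uses a toy dictionary model in place of real NER, and stands in a hand-rolled email check for the regex tier, all of which are placeholders chosen so the example runs offline.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// What the PII guard learned about one tool output.
#[derive(Debug, Default, PartialEq)]
pub struct ScanReport {
    pub regex_hits: Vec<String>,     // cheap pattern hits over the whole payload
    pub ner_entity: Option<String>,  // first NER hit, if any (short-circuit)
    pub ner_snippets_scanned: usize, // how far NER got before stopping
    pub ner_timed_out: bool,
}

/// Minimal NER interface; a real implementation would wrap model inference.
pub trait NerModel {
    fn first_entity(&self, text: &str) -> Option<String>;
}

/// Toy dictionary "model" standing in for NER (constructed for this example).
pub struct DictNer {
    pub names: Vec<&'static str>,
    pub latency: Duration, // simulated per-snippet inference cost
}

impl NerModel for DictNer {
    fn first_entity(&self, text: &str) -> Option<String> {
        std::thread::sleep(self.latency);
        self.names.iter().find(|n| text.contains(**n)).map(|n| n.to_string())
    }
}

/// Assumption: search_code separates file snippets with a blank line.
pub fn split_snippets(output: &str) -> Vec<&str> {
    output.split("\n\n").map(str::trim).filter(|s| !s.is_empty()).collect()
}

/// Placeholder for the regex-only tier: flags email-shaped tokens only.
pub fn regex_hits(text: &str) -> Vec<String> {
    text.split_whitespace()
        .map(|t| t.trim_matches(|c: char| !c.is_alphanumeric()))
        .filter(|t| matches!(t.split_once('@'),
            Some((l, d)) if !l.is_empty() && d.contains('.') && !d.ends_with('.')))
        .map(str::to_string)
        .collect()
}

/// Per-tool NER timeout counter, the metric the issue asks for.
#[derive(Default)]
pub struct NerMetrics {
    pub timeouts_by_tool: HashMap<String, u64>,
}

/// Per-tool budget lookup with a global default (hypothetical config shape).
pub fn budget_for(tool: &str, per_tool: &HashMap<&str, Duration>, default: Duration) -> Duration {
    per_tool.get(tool).copied().unwrap_or(default)
}

/// Regex runs over everything (cheap); NER runs snippet by snippet until the
/// budget is spent or the first entity is found. The deadline is checked before
/// each snippet, so overshoot is bounded by one snippet's inference time.
pub fn scan_tool_output(
    tool: &str,
    model: &dyn NerModel,
    output: &str,
    budget: Duration,
    metrics: &mut NerMetrics,
) -> ScanReport {
    let mut report = ScanReport { regex_hits: regex_hits(output), ..Default::default() };
    let deadline = Instant::now() + budget;
    for (i, snippet) in split_snippets(output).iter().enumerate() {
        if Instant::now() >= deadline {
            report.ner_timed_out = true;
            *metrics.timeouts_by_tool.entry(tool.to_string()).or_insert(0) += 1;
            break;
        }
        report.ner_snippets_scanned = i + 1;
        if let Some(entity) = model.first_entity(snippet) {
            report.ner_entity = Some(entity);
            break; // short-circuit: the guard only needs to know PII is present
        }
    }
    report
}

fn main() {
    // Constructed sample resembling a multi-snippet search_code payload.
    let output = "src/a.rs:10: fn main() {}\n\n// contact alice@example.com\n\n\
                  // owner: Alice Johnson\n\nsrc/b.rs:1: use std;";
    let model = DictNer { names: vec!["Alice Johnson"], latency: Duration::from_millis(1) };
    let mut metrics = NerMetrics::default();
    let per_tool = HashMap::from([("search_code", Duration::from_secs(30))]);
    let budget = budget_for("search_code", &per_tool, Duration::from_secs(10));
    let report = scan_tool_output("search_code", &model, output, budget, &mut metrics);
    println!("{report:?}\ntimeouts: {:?}", metrics.timeouts_by_tool);
}
```

With a zero budget the function returns immediately with `ner_timed_out = true`, zero snippets scanned and the regex hits intact, which is the degraded mode the WARN line reports today, except that it is now counted per tool instead of only logged.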

Session

CI-351 background task b1wkf69it, 2026-03-31

Metadata

Assignees

Labels

P3 (Research, medium-high complexity); bug (Something isn't working); security (Security-related issue)

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests