Skip to content

fix(control-plane): prevent structured logs from leaking execution payloads#701

Open
7vignesh wants to merge 1 commit into
Agent-Field:mainfrom
7vignesh:fix/560-structured-logs-leak-execution-data
Open

fix(control-plane): prevent structured logs from leaking execution payloads#701
7vignesh wants to merge 1 commit into
Agent-Field:mainfrom
7vignesh:fix/560-structured-logs-leak-execution-data

Conversation

@7vignesh

@7vignesh 7vignesh commented Jul 1, 2026

Copy link
Copy Markdown

Summary

The control-plane structured logs output entire execution attributes (inputs, outputs, context) which may contain sensitive data, with no config to control this behavior.

This PR adds a logging config section with level and redact_payloads options, replaces unleveled log.Printf calls with proper zerolog calls, and guards execution payload data behind a redaction flag that defaults to safe (redacted).

Closes #560

Type of change

  • Bug fix
  • Refactor / cleanup

Test plan

  • cd control-plane && go test ./internal/logger/ -v
  • cd control-plane && go test ./internal/config/ -v -run "TestLogging"
  • cd control-plane && go test ./internal/handlers/ -v -run "TestSetRedactPayloads|TestNewExecutionControllerInherits"
  • cd control-plane && go test ./internal/storage/ -v -run "TestSafeJSONRawMessage"
  • cd control-plane && go test ./cmd/agentfield-server/ -v -run "TestLoadConfig"
  • cd control-plane && CGO_ENABLED=0 GOOS=linux go build ./cmd/agentfield-server (cross-compile check)

Test coverage

  • I ran tests for the surface(s) I changed locally.
  • New code paths are covered by tests in this PR (no bare additions).
  • If I removed code, I updated coverage-baseline.json in this PR only if the removal
    caused a legitimate regression and I called it out in the summary above.
  • The coverage gate check is green in CI before requesting review.

Checklist

Related issues / PRs

Fixes #560

…yloads (Agent-Field#560)

Add logging configuration (level + redact_payloads) to control what
execution data appears in structured log events and the internal event bus.

Changes:
- Add LoggingConfig with 'level' and 'redact_payloads' options
- Support AGENTFIELD_LOG_LEVEL and AGENTFIELD_LOG_REDACT_PAYLOADS env vars
- Guard execution input/output/context in event publishing behind redaction flag
- Default to redact_payloads=true (safe) — opt-in via config to see full payloads
- Replace 32 log.Printf calls in storage layer with leveled logger.Logger calls
- Add InitLoggerWithLevel() for string-based log level configuration
- Re-initialize logger from config at server startup

Closes Agent-Field#560
Copilot AI review requested due to automatic review settings July 1, 2026 19:56
@7vignesh 7vignesh requested review from a team and AbirAbbas as code owners July 1, 2026 19:56
@CLAassistant

CLAassistant commented Jul 1, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the control-plane’s logging and execution event emission to reduce the risk of leaking sensitive execution payload data, by introducing a first-class logging config surface and gating execution payload fields behind a safe-by-default redaction flag.

Changes:

  • Added Config.Logging (level, redact_payloads) with YAML defaults and env overrides, and wired log level initialization after config load.
  • Introduced payload-redaction controls in the execution handler so internal execution events can omit input/output/context payloads by default.
  • Replaced scattered log.Printf calls with structured zerolog usage across storage and related tests.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
control-plane/internal/storage/utils.go Swaps log.Printf corruption warnings to zerolog logging.
control-plane/internal/storage/local.go Replaces many log.Printf calls with structured logger calls/levels.
control-plane/internal/storage/helpers_test.go Updates log-capture strategy to match zerolog-based logging.
control-plane/internal/server/server.go Sets handler payload-redaction default from loaded logging config.
control-plane/internal/logger/logger.go Adds level parsing + initialization from a config-provided level string.
control-plane/internal/logger/logger_test.go Adds unit tests for level parsing/init helpers.
control-plane/internal/handlers/execute.go Adds controller-level redaction flag and gates payload fields in emitted events.
control-plane/internal/handlers/execute_redact_test.go Adds tests for the redaction default + inheritance into controllers.
control-plane/internal/config/config.go Adds logging config section, defaults, and env overrides.
control-plane/internal/config/config_additional_test.go Adds tests for logging defaults and env overrides.
control-plane/config/agentfield.yaml Documents new logging config keys and safe defaults.
control-plane/cmd/agentfield-server/main.go Re-initializes logger using configured log level after config load.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.


// Log corruption warning with context
log.Printf("WARNING: Corrupted JSON data detected in %s, using fallback. Data preview: %.100s", context, data)
logger.Logger.Warn().Msgf("Corrupted JSON data detected in %s, using fallback. Data preview: %.100s", context, data)
Comment on lines +976 to 980
if !c.redactPayloads {
if inputPayload := decodeJSON(updated.InputPayload); inputPayload != nil {
eventData["input"] = inputPayload
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Control-Plane] Structured logs output the entire attributes from executions

3 participants