fix(control-plane): prevent structured logs from leaking execution payloads #701
Open
7vignesh wants to merge 1 commit into
…yloads (Agent-Field#560)

Add logging configuration (level + redact_payloads) to control what execution data appears in structured log events and the internal event bus.

Changes:
- Add LoggingConfig with 'level' and 'redact_payloads' options
- Support AGENTFIELD_LOG_LEVEL and AGENTFIELD_LOG_REDACT_PAYLOADS env vars
- Guard execution input/output/context in event publishing behind redaction flag
- Default to redact_payloads=true (safe) — opt-in via config to see full payloads
- Replace 32 log.Printf calls in storage layer with leveled logger.Logger calls
- Add InitLoggerWithLevel() for string-based log level configuration
- Re-initialize logger from config at server startup

Closes Agent-Field#560
Pull request overview
This PR hardens the control-plane’s logging and execution event emission to reduce the risk of leaking sensitive execution payload data, by introducing a first-class logging config surface and gating execution payload fields behind a safe-by-default redaction flag.
Changes:
- Added `Config.Logging` (`level`, `redact_payloads`) with YAML defaults and env overrides, and wired log level initialization after config load.
- Introduced payload-redaction controls in the execution handler so internal execution events can omit input/output/context payloads by default.
- Replaced scattered `log.Printf` calls with structured `zerolog` usage across storage and related tests.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| control-plane/internal/storage/utils.go | Swaps log.Printf corruption warnings to zerolog logging. |
| control-plane/internal/storage/local.go | Replaces many log.Printf calls with structured logger calls/levels. |
| control-plane/internal/storage/helpers_test.go | Updates log-capture strategy to match zerolog-based logging. |
| control-plane/internal/server/server.go | Sets handler payload-redaction default from loaded logging config. |
| control-plane/internal/logger/logger.go | Adds level parsing + initialization from a config-provided level string. |
| control-plane/internal/logger/logger_test.go | Adds unit tests for level parsing/init helpers. |
| control-plane/internal/handlers/execute.go | Adds controller-level redaction flag and gates payload fields in emitted events. |
| control-plane/internal/handlers/execute_redact_test.go | Adds tests for the redaction default + inheritance into controllers. |
| control-plane/internal/config/config.go | Adds logging config section, defaults, and env overrides. |
| control-plane/internal/config/config_additional_test.go | Adds tests for logging defaults and env overrides. |
| control-plane/config/agentfield.yaml | Documents new logging config keys and safe defaults. |
| control-plane/cmd/agentfield-server/main.go | Re-initializes logger using configured log level after config load. |
|
|
||
| // Log corruption warning with context | ||
| log.Printf("WARNING: Corrupted JSON data detected in %s, using fallback. Data preview: %.100s", context, data) | ||
| logger.Logger.Warn().Msgf("Corrupted JSON data detected in %s, using fallback. Data preview: %.100s", context, data) |
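Review bot: The replacement `Warn()` call still writes `Data preview: %.100s` with the raw `data`, so up to 100 characters of the stored value reach the log regardless of `redact_payloads`, which works against the stated purpose of this PR. Log the length of `data` (or a hash of it) instead, or emit the preview only when redaction is disabled. Since this is now a zerolog call, carrying `context` as a field (`.Str("context", context)`) rather than formatting it through `Msgf` would also keep the event filterable by machine.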
Comment on lines +976 to 980
| if !c.redactPayloads { | ||
| if inputPayload := decodeJSON(updated.InputPayload); inputPayload != nil { | ||
| eventData["input"] = inputPayload | ||
| } | ||
| } |
Summary
The control-plane structured logs output entire execution attributes (inputs, outputs, context) which may contain sensitive data, with no config to control this behavior.
This PR adds a `logging` config section with `level` and `redact_payloads` options, replaces unleveled `log.Printf` calls with proper zerolog calls, and guards execution payload data behind a redaction flag that defaults to safe (redacted).

Closes #560
Type of change
Test plan
- `cd control-plane && go test ./internal/logger/ -v`
- `cd control-plane && go test ./internal/config/ -v -run "TestLogging"`
- `cd control-plane && go test ./internal/handlers/ -v -run "TestSetRedactPayloads|TestNewExecutionControllerInherits"`
- `cd control-plane && go test ./internal/storage/ -v -run "TestSafeJSONRawMessage"`
- `cd control-plane && go test ./cmd/agentfield-server/ -v -run "TestLoadConfig"`
- `cd control-plane && CGO_ENABLED=0 GOOS=linux go build ./cmd/agentfield-server` (cross-compile check)

Test coverage
`coverage-baseline.json` in this PR only if the removal caused a legitimate regression and I called it out in the summary above.
Checklist
Related issues / PRs
Fixes #560
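
The safe-by-default behaviour described in this PR (redaction on unless configuration turns it off, with `AGENTFIELD_LOG_LEVEL` and `AGENTFIELD_LOG_REDACT_PAYLOADS` as overrides) can be sketched as follows. This is an added example, not code from the PR or the project: the `LoggingConfig` struct shape, `applyEnv`, `buildEvent`, the `execution_id` and `redacted_fields` keys, and the fail-closed handling of unparseable values are all assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// LoggingConfig holds the two options the PR describes (hypothetical struct shape).
type LoggingConfig struct {
	Level          string
	RedactPayloads bool
}

// applyEnv overlays the AGENTFIELD_LOG_* values; lookup is os.LookupEnv in real use.
// Assumption: an unparseable redaction value fails closed (redaction stays on).
func applyEnv(cfg LoggingConfig, lookup func(string) (string, bool)) LoggingConfig {
	if v, ok := lookup("AGENTFIELD_LOG_LEVEL"); ok && strings.TrimSpace(v) != "" {
		cfg.Level = strings.ToLower(strings.TrimSpace(v))
	}
	if v, ok := lookup("AGENTFIELD_LOG_REDACT_PAYLOADS"); ok {
		b, err := strconv.ParseBool(strings.TrimSpace(v))
		cfg.RedactPayloads = err != nil || b // a typo such as "flase" never disables redaction
	}
	return cfg
}

// buildEvent withholds input/output/context when redacting and lists what was
// withheld (hypothetical key), so "redacted" differs from "no payload".
func buildEvent(cfg LoggingConfig, id string, payloads map[string]any) map[string]any {
	event := map[string]any{"execution_id": id}
	var withheld []string
	for _, key := range []string{"input", "output", "context"} {
		if v, ok := payloads[key]; ok && !cfg.RedactPayloads {
			event[key] = v
		} else if ok {
			withheld = append(withheld, key)
		}
	}
	if len(withheld) > 0 {
		event["redacted_fields"] = withheld
	}
	return event
}

func main() {
	cfg := applyEnv(LoggingConfig{Level: "info", RedactPayloads: true}, func(string) (string, bool) { return "", false })
	fmt.Println(buildEvent(cfg, "exec-1", map[string]any{"input": "constructed-sample"}))
}
```
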