Skip to content

Redact credentials from debug config logs#168

Merged
Areson merged 1 commit into
mainfrom
Areson/debug-config-redaction
Jul 15, 2026
Merged

Redact credentials from debug config logs#168
Areson merged 1 commit into
mainfrom
Areson/debug-config-redaction

Conversation

@Areson

@Areson Areson commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator

Why

Debug config logging could expose database passwords, sink credentials, and authenticated HTTP proxy passwords after environment interpolation.

What

  • Log non-mutating redacted copies of server and monitor configuration
  • Redact every global and per-monitor sink option value while retaining option names
  • Sanitize authenticated proxy URLs in both config and HTTP-client debug logs
  • Cover inline, environment-expanded, nested, malformed, and custom credential configurations

Risk Assessment

Low — redaction only changes debug output and does not mutate or alter the live configuration used for database, sink, or proxy connections.

References

  • env -u GOROOT go test -race . ./server
  • env -u GOROOT go test ./...
  • env -u GOROOT go vet . ./server ./monitor
  • Final Codex review found no actionable issues

Generated with Codex

@Areson
Areson marked this pull request as ready for review July 15, 2026 20:24
Log non-mutating sanitized config copies so database passwords, sink options, and authenticated proxy URLs cannot leak through debug output.

Co-authored-by: Codex <noreply@openai.com>
Ai-assisted: true
@Areson
Areson force-pushed the Areson/debug-config-redaction branch from baac08d to 581fdba Compare July 15, 2026 22:06
@Areson
Areson merged commit 71506a5 into main Jul 15, 2026
2 checks passed
@Areson
Areson deleted the Areson/debug-config-redaction branch July 15, 2026 22:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants