fix(logs): redact oversized strings and executionData.environment

TheodoreSpeaks · TheodoreSpeaks · commit a5ca0f4faa2e · 2026-06-19T10:44:46.000-07:00
- Drop the per-string size cap in PII redaction: oversized strings were left
  unmasked (leak). Nothing is skipped now; large payloads still fail-safe via the
  total-bytes ceiling + per-chunk timeout (scrub, never leak).
- Add executionData.environment (incl. variables) to the redaction set.
diff --git a/apps/sim/lib/logs/execution/logger.ts b/apps/sim/lib/logs/execution/logger.ts
@@ -767,6 +767,9 @@ export class ExecutionLogger implements IExecutionLoggerService {
       ...(builtExecutionData.executionState !== undefined
         ? { executionState: builtExecutionData.executionState }
         : {}),
+      ...(builtExecutionData.environment !== undefined
+        ? { environment: builtExecutionData.environment }
+        : {}),
     })
 
     const rawDurationMs =
@@ -791,6 +794,9 @@ export class ExecutionLogger implements IExecutionLoggerService {
       ...(pii.executionState !== undefined
         ? { executionState: pii.executionState as SerializableExecutionState }
         : {}),
+      ...(pii.environment !== undefined
+        ? { environment: pii.environment as ExecutionEnvironment }
+        : {}),
     }
 
     stripSpanCosts((cleanExecutionData as Record<string, unknown>).traceSpans)
diff --git a/apps/sim/lib/logs/execution/pii-redaction.test.ts b/apps/sim/lib/logs/execution/pii-redaction.test.ts
@@ -74,24 +74,25 @@ describe('redactPIIFromExecution', () => {
     expect(result.finalOutput).toBe(REDACTION_FAILED_MARKER)
   })
 
-  it('skips oversized strings without consuming a masked slot', async () => {
-    const huge = 'x'.repeat(200 * 1024)
-    const payload = { finalOutput: { big: huge, small: 'pii' } }
+  it('masks large strings too (never left unredacted)', async () => {
+    const big = 'x'.repeat(200 * 1024)
+    const payload = { finalOutput: { big, small: 'pii' } }
 
     const result = await redactPIIFromExecution(payload, { entityTypes: [] })
 
-    expect((result.finalOutput as any).big).toBe(huge)
+    expect((result.finalOutput as any).big).toBe(`MASKED(${big})`)
     expect((result.finalOutput as any).small).toBe('MASKED(pii)')
-    expect(mockMaskPIIBatch.mock.calls[0][0]).toEqual(['pii'])
+    expect(mockMaskPIIBatch.mock.calls[0][0]).toEqual([big, 'pii'])
   })
 
-  it('masks span error/errorMessage and top-level error, trigger, executionState', async () => {
+  it('masks span error/errorMessage and top-level error, trigger, executionState, environment', async () => {
     const payload = {
       traceSpans: [{ blockId: 'b1', error: 'failed for bob@x.com', errorMessage: 'bad input z' }],
       error: 'run failed: a@b.com',
       completionFailure: 'cancelled by c@d.com',
       trigger: { type: 'webhook', data: { from: 'caller@x.com' } },
       executionState: { status: 'completed', note: 'state for e@f.com' },
+      environment: { variables: { CONTACT: 'admin@x.com' } },
     }
 
     const result = await redactPIIFromExecution(payload, { entityTypes: ['EMAIL_ADDRESS'] })
@@ -105,6 +106,7 @@ describe('redactPIIFromExecution', () => {
     expect((result.trigger as any).type).toBe('MASKED(webhook)')
     expect((result.trigger as any).data.from).toBe('MASKED(caller@x.com)')
     expect((result.executionState as any).note).toBe('MASKED(state for e@f.com)')
+    expect((result.environment as any).variables.CONTACT).toBe('MASKED(admin@x.com)')
   })
 
   it('returns payload unchanged when there is nothing to mask', async () => {
diff --git a/apps/sim/lib/logs/execution/pii-redaction.ts b/apps/sim/lib/logs/execution/pii-redaction.ts
@@ -7,14 +7,10 @@ const logger = createLogger('PiiRedaction')
 export const REDACTION_FAILED_MARKER = '[REDACTION_FAILED]'
 
 /**
- * Strings larger than this are skipped (left as-is). They are almost always
- * base64 blobs / embedded JSON rather than PII prose, and would dominate NER time.
- */
-const PII_MAX_STRING_BYTES = 128 * 1024
-
-/**
- * Upper bound on total text masked for one execution. Beyond this we scrub rather
- * than spend minutes in NER. Typical inline logs (≤3MB) stay well under.
+ * Upper bound on total text masked for one execution. Beyond this we scrub the
+ * whole payload rather than spend minutes in NER (never leave it unmasked).
+ * Typical inline logs (≤3MB) stay well under. Individual strings are never
+ * skipped by size — they would otherwise persist unredacted.
  */
 const PII_MAX_TOTAL_BYTES = 16 * 1024 * 1024
 
@@ -32,6 +28,7 @@ export interface RedactablePayload {
   completionFailure?: unknown
   trigger?: unknown
   executionState?: unknown
+  environment?: unknown
 }
 
 /** Keys of {@link RedactablePayload} processed by the redactor, in order. */
@@ -43,6 +40,7 @@ const REDACTABLE_KEYS: (keyof RedactablePayload)[] = [
   'completionFailure',
   'trigger',
   'executionState',
+  'environment',
 ]
 
 /** Trace-span fields that carry runtime content (and therefore possible PII). */
@@ -57,7 +55,7 @@ const SPAN_CONTENT_FIELDS = [
 ] as const
 
 function isEligibleString(value: string): boolean {
-  return value.length > 0 && Buffer.byteLength(value, 'utf8') <= PII_MAX_STRING_BYTES
+  return value.length > 0
 }
 
 /**
