Skip to content

fix(logging): respect redactSensitive config in tool payload redaction#6

Open
ralf003 wants to merge 4 commits into
mainfrom
pr-93467
Open

fix(logging): respect redactSensitive config in tool payload redaction#6
ralf003 wants to merge 4 commits into
mainfrom
pr-93467

Conversation

@ralf003

@ralf003 ralf003 commented Jun 16, 2026

Copy link
Copy Markdown
Owner

Problem

sanitizeToolArgs() and sanitizeToolResult() always redact secrets
in Control UI tool events, ignoring the user's logging.redactSensitive config.
Setting redactSensitive: off had no effect — Bearer tokens in tool args
still got replaced with B***r.

Root Cause

resolveToolPayloadRedaction() in src/logging/redact.ts hardcoded
mode: "tools" regardless of the logging.redactSensitive setting.

Fix

Read loggingConfig.redactSensitive and respect it:

  • redactSensitive: off → no redaction (all secrets survive)
  • redactSensitive: tools (default) → existing behavior

Changes

  • src/logging/redact.ts: resolveToolPayloadRedaction() now reads loggingConfig.redactSensitive
  • src/agents/embedded-agent-subscribe.tools.test.ts: added test for off case

Previously resolveToolPayloadRedaction() hardcoded mode tools, ignoring the logging.redactSensitive config entirely. This meant users who set redactSensitive off could not disable sensitive-value masking in tool event args like Authorization Bearer headers in web_fetch args.

The fix reads redactSensitive from the logging config and passes it through normalizeMode(). When set to off, tool payload redaction is fully disabled.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant