Summary
CodeQL rust/cleartext-logging rule flags 11 intentional debug/trace log sites as potential sensitive data leaks. These are false positives — the logged values are tool outputs, request metadata, and test fixtures, not secrets or PII.
Affected locations
| File | Line | Context |
|---|---|---|
| crates/zeph-memory/src/sqlite/compression_guidelines.rs | 136 | |
| crates/zeph-llm/src/claude.rs | 934 | |
| crates/zeph-core/src/debug_dump/trace.rs | 221 | |
| crates/zeph-core/src/config/types/channels.rs | 102 | |
| crates/zeph-core/src/agent/tool_orchestrator.rs | 103 | |
| crates/zeph-core/src/agent/mod.rs | 2968 | |
| crates/zeph-core/src/agent/tool_execution/native.rs | 272 | |
| crates/zeph-core/src/agent/tool_execution/legacy.rs | 295 | |
| crates/zeph-core/src/agent/tool_execution/legacy.rs | 174 | |
| crates/zeph-core/src/agent/tests.rs | 1079 | |
| crates/zeph-core/src/agent/tests.rs | 962 | |
Fix
Add a // lgtm[rust/cleartext-logging] suppression comment on each flagged line where the logging is intentional (debug/trace context, test fixtures). For any site that genuinely logs sensitive data, replace the value with a redacted representation instead of suppressing the alert.
CodeQL alert IDs: #271–#281
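The two outcomes the fix describes, as an added example that is not code from the zeph repository: request metadata is logged in clear with the suppression comment on the flagged line, while a credential-carrying header value goes through a redacting wrapper. The `Redacted` type, the `SENSITIVE_HEADERS` list, the prefix-plus-length format and the sample request are all assumptions made for this example.

```rust
use std::fmt;

/// Wrapper that never exposes the wrapped value when formatted.
/// Assumption (not from the issue): only the length and a 4-character
/// prefix are shown, enough to correlate log lines without leaking the secret.
pub struct Redacted<'a>(pub &'a str);

impl fmt::Display for Redacted<'_> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let len = self.0.chars().count();
        if len <= 4 {
            // Too short for a prefix to be safe; show only the length.
            write!(f, "<redacted len={len}>")
        } else {
            let prefix: String = self.0.chars().take(4).collect();
            write!(f, "<redacted len={len} prefix={prefix}...>")
        }
    }
}

/// Header names whose values are credentials (constructed list for this example).
const SENSITIVE_HEADERS: &[&str] = &["authorization", "cookie", "x-api-key"];

pub fn is_sensitive_header(name: &str) -> bool {
    SENSITIVE_HEADERS.iter().any(|h| h.eq_ignore_ascii_case(name))
}

/// Build the debug line for one request. Method, path and status are request
/// metadata (the kind of value the issue treats as a false positive); header
/// values are redacted when the header name is a credential carrier.
pub fn request_debug_line(method: &str, path: &str, status: u16, headers: &[(&str, &str)]) -> String {
    let mut line = format!("request method={method} path={path} status={status}");
    for &(name, value) in headers {
        if is_sensitive_header(name) {
            line.push_str(&format!(" {name}={}", Redacted(value)));
        } else {
            line.push_str(&format!(" {name}={value}"));
        }
    }
    line
}

fn main() {
    // Constructed sample request; the token is a fake value.
    let headers = [("content-type", "application/json"), ("authorization", "Bearer sk-test-1234567890")];
    // Intentional debug output of metadata plus already-redacted values.
    eprintln!("{}", request_debug_line("POST", "/v1/messages", 200, &headers)); // lgtm[rust/cleartext-logging]
}
```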