fix(tools): redact URLs in scrape audit log and fix IPI tracing span#4730
Merged
Conversation
github-actions
Bot
added
documentation
Apply redact_url_for_log() at all four audit call sites in scrape.rs (log_audit success/error in execute(), run_with_audit in execute_tool_call for web_scrape and fetch). Previously raw URLs with sensitive query parameters were written to audit JSONL. Closes #4713. Replace manual tracing::info_span! + span.enter()-after-await in apply_ipi_filter with #[tracing::instrument], so the span correctly covers filter_async().await. Closes #4712.
bug-ops
force-pushed
the
4713-scrape-audit-ipi
branch
from
77ed84b to
c63c600
Compare
5 tasks
bug-ops
added a commit
that referenced
this pull request
May 30, 2026
…#4745) Closes #4723: resolve_edge_typed passed hardcoded 0.8 instead of edge.confidence to the store in both the non-APEX and APEX-MEM paths. Introduces DEFAULT_EDGE_CONFIDENCE const to eliminate the magic number and forwards edge.confidence.unwrap_or(DEFAULT_EDGE_CONFIDENCE) at both call sites. Adds two regression tests (non-APEX and APEX paths). Closes #4731: resolve_and_validate created a tracing span before the async DNS lookup but entered it after .await, leaving the actual async work invisible in traces. Replaced manual span.enter() with #[tracing::instrument], consistent with the apply_ipi_filter fix (#4730).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
redact_url_for_log()at all four audit call sites inscrape.rsso sensitive query parameters (tokens, API keys) are stripped before writing to audit JSONL. Closes scrape: legacy fenced-block audit path logs unredacted URL as AuditEntry.command #4713.tracing::info_span!+span.enter()after.awaitinapply_ipi_filterwith#[tracing::instrument], so the span correctly coversfilter_async().await. Closes scrape: apply_ipi_filter tracing span entered after async await — covers no work #4712.Changes
crates/zeph-tools/src/scrape.rs: four&instruction.url/&p.urlreplaced with&redact_url_for_log(...), manual span replaced with attribute macroCHANGELOG.md: two entries under[Unreleased] ### FixedTest plan
cargo check -p zeph-tools— cleancargo +nightly fmt --check— cleancargo clippy -p zeph-tools -- -D warnings— cleanRUSTFLAGS="-D warnings" cargo check -p zeph-tools --all-targets— cleancargo nextest run -p zeph-tools --lib --bins— 1228 passed, 0 skipped