@petebacondarwin petebacondarwin commented Jan 26, 2026

Sanitize commands and arguments in telemetry to prevent accidentally capturing sensitive information.

Changes:

  • Renamed telemetry fields from command/args to sanitizedCommand/sanitizedArgs to distinguish from historical fields that may have contained sensitive data in older versions
  • Command names now come from command definitions rather than user input, preventing accidental capture of sensitive data pasted as positional arguments
  • Sentry breadcrumbs now use the safe command name from definitions
  • Argument values are only included if explicitly allowed via COMMAND_ARG_ALLOW_LIST
  • Argument keys (names) are always included since they come from command definitions, not user input

Replaces fix(wrangler): add safe command/args handling for telemetry #12063, which added the redundant logArgs: false behaviour. See fix(wrangler): add safe command/args handling for telemetry #12063 (comment)

  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: internal fix

changeset-bot bot commented Jan 26, 2026

🦋 Changeset detected

Latest commit: 34c0bfc

The changes in this PR will be included in the next version bump.

@github-project-automation github-project-automation bot moved this to Untriaged in workers-sdk Jan 26, 2026
@petebacondarwin petebacondarwin marked this pull request as ready for review January 26, 2026 17:26
@petebacondarwin petebacondarwin requested a review from a team as a code owner January 26, 2026 17:26

pkg-pr-new bot commented Jan 26, 2026

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@12153

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@12153

miniflare

npm i https://pkg.pr.new/miniflare@12153

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@12153

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@12153

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@12153

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@12153

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@12153

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@12153

wrangler

npm i https://pkg.pr.new/wrangler@12153

commit: 34c0bfc

@devin-ai-integration devin-ai-integration bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

@vicb vicb left a comment

Nice simplification!

I added a couple comments inline

@petebacondarwin

Rewritten the sanitizedArgs code to make it less scary and more clear where the sanitization should happen. PTAL @vicb

@devin-ai-integration devin-ai-integration bot left a comment

Devin Review found 1 new potential issue.

@devin-ai-integration devin-ai-integration bot left a comment

Devin Review found 1 new potential issue.

@vicb vicb left a comment

Nice, thanks!

Some of my comments could probably be addressed in a follow up PR.
Could you please create/update an issue for the minor comments you decide not to address here?

argsWithSanitizedKeys,
allowedArgs
);
const argsUsed = Object.keys(argsWithSanitizedKeys).sort();
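
Review bot: On the last line, `argsUsed` is built from the keys of `argsWithSanitizedKeys`, not from the allow-list-filtered result of the call just above it, so every key in that object is reported whether or not its value is allowed. That is consistent with the PR description (argument keys are always included), but it makes the safety of this field depend entirely on how `argsWithSanitizedKeys` was constructed, which these lines do not show. A short comment stating that its keys are limited to names declared in the command definition, and a test that passes an undeclared flag and checks it is absent from `argsUsed`, would make that invariant explicit.
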
Contributor

I am not a fan of "argsUsed" because I find this too generic.

What about "userSuppliedArgs" or something similar?

It would also be nice to figure out a place to document it, either in the JSDoc of sendCommandEvent or a newly introduced type?

Contributor Author

argsUsed is the property sent in the metrics event.
I don't think this refactor is the right place to discuss that.
#12192

Contributor

@vicb vicb Jan 27, 2026

Reopening...

> argsUsed is the property sent in the metrics event.

It doesn't mean we cannot use a clearer and meaningful name in the code, does it?

The only place where we "have to" use this name is when sending the payload.

Contributor Author

It can be dealt with in the linked issue.

Contributor

Reopening...

Sorry but isn't this newly introduced code?

I think it's fair to fix existing code later but I don't think introducing new "not great" code is.

Contributor Author

@vicb your concern at the start of this thread above is merely a naming/documentation one, which is itself entirely subjective.

The previous code looked like this:

const sanitizedArgs = sanitizeArgKeys(
  properties.args ?? {},
  options.argv
);
const sanitizedArgsKeys = Object.keys(sanitizedArgs).sort();

const commonEventProperties: CommonEventProperties = {
  ...
  argsUsed: sanitizedArgsKeys,
  argsCombination: sanitizedArgsKeys.join(", "),
  ...
};

So you can see that all that has effectively happened is that the sanitizedArgsKeys variable is now argsUsed.

This PR is therefore not new code, and is not reducing the quality of the code in any tangible meaningful way.

Contributor Author

We can discuss further on the linked issue, if you feel strongly about the naming of this variable.

Contributor

Your call here.
My point is that it is a shame to introduce code and create an issue to change it at the same time - knowing that the update would take approximately 30s.

@github-project-automation github-project-automation bot moved this from Untriaged to Approved in workers-sdk Jan 27, 2026
- Renames telemetry event fields so that we can distinguish them in the metric reporting tools:
  - 'command' -> 'safeCommand' (without 'wrangler ' prefix and containing no positional args at all)
  - 'args' -> 'safeArgs' (only including allowed args, with sanitized values)
- Moves Sentry breadcrumbs for command start/error into the metrics dispatcher to ensure they don't include positional args.
Moved the sanitization to the command handling machinery rather than the metrics dispatcher.
This makes it clear that the values passed to be dispatched must have already been sanitized.
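
The allow-list sanitization this PR describes (command name taken from the definition, argument keys always reported, values reported only when allow-listed), as an added TypeScript example that is not wrangler's code. The `CommandDefinition` shape, the `ALLOW_LIST` layout and `sanitizeForTelemetry` are hypothetical; only the field names `sanitizedCommand`, `sanitizedArgs` and `argsUsed` come from the page.

```typescript
// Added illustration: all names below are hypothetical, not wrangler's real code.
type ArgValue = string | number | boolean;
type AllowRule = readonly ArgValue[] | "*"; // "*": any primitive value may be sent

interface CommandDefinition {
  command: string; // canonical name fixed in the definition, e.g. "secret put"
  args: readonly string[]; // named args the definition declares
}
interface SanitizedEvent {
  sanitizedCommand: string;
  sanitizedArgs: Record<string, ArgValue>;
  argsUsed: string[];
}

// Constructed allow list: command ("*" = every command) -> arg -> reportable values.
const ALLOW_LIST: Record<string, Record<string, AllowRule>> = {
  "*": { format: ["json", "pretty"] },
  deploy: { "dry-run": "*" },
};
const NO_RULES: Record<string, AllowRule> = {};

// Own-property lookup, so keys such as "constructor" never match the prototype.
function own<T>(obj: Record<string, T>, key: string): T | undefined {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}
function isPrimitive(v: unknown): v is ArgValue {
  return typeof v === "string" || typeof v === "number" || typeof v === "boolean";
}

function sanitizeForTelemetry(
  def: CommandDefinition,
  parsed: Record<string, unknown> // parser output: user-controlled keys and values
): SanitizedEvent {
  const rules = { ...(own(ALLOW_LIST, "*") ?? NO_RULES), ...(own(ALLOW_LIST, def.command) ?? NO_RULES) };
  const sanitizedArgs: Record<string, ArgValue> = {};
  const argsUsed: string[] = [];
  for (const key of Object.keys(parsed)) {
    // Undeclared keys (unknown flags, the positional "_" array) are dropped entirely.
    if (def.args.indexOf(key) === -1) continue;
    argsUsed.push(key); // the name comes from the definition, so it is safe to report
    const rule = own(rules, key);
    const value = parsed[key];
    if (rule === undefined || !isPrimitive(value)) continue; // value withheld
    if (rule === "*" || rule.indexOf(value) !== -1) sanitizedArgs[key] = value;
  }
  // The command name is copied from the definition, never rebuilt from argv.
  return { sanitizedCommand: def.command, sanitizedArgs, argsUsed: argsUsed.sort() };
}
```
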
@petebacondarwin petebacondarwin force-pushed the pbd/wrangler/sanitized-metrics branch from 5e7c1f5 to 34c0bfc Compare January 27, 2026 20:59
@petebacondarwin petebacondarwin merged commit cb72c11 into main Jan 27, 2026
41 checks passed
@petebacondarwin petebacondarwin deleted the pbd/wrangler/sanitized-metrics branch January 27, 2026 21:39
@github-project-automation github-project-automation bot moved this from Approved to Done in workers-sdk Jan 27, 2026