Skip to content

Add optional OpenAI Privacy Filter redaction backend#69

Open
dpaluy wants to merge 2 commits intomasterfrom
cdx/privacyfilter
Open

Add optional OpenAI Privacy Filter redaction backend#69
dpaluy wants to merge 2 commits intomasterfrom
cdx/privacyfilter

Conversation

@dpaluy
Copy link
Copy Markdown
Owner

@dpaluy dpaluy commented Apr 26, 2026

Summary

  • Adds a config-gated Tracebook::Redaction::OpenAiPrivacyFilter backend for a local OpenAI Privacy Filter sidecar.
  • Keeps redaction placement explicit: enabling the model only changes Tracebook.redact(...); no dashboard/export/persistence/RubyLLM callback starts redacting automatically.
  • Maps OPF spans to Tracebook-owned placeholders and falls back to regex/custom-redacted text when the sidecar is unavailable or returns unusable output.
  • Restricts sidecar endpoints to localhost/loopback addresses, removes the dashboard CDN Stimulus fallback, bumps the gem to 1.1.0, and records the release in the changelog.

Why

Tracebook already has regex/custom redaction, but issue #68 asks for an optional local model-backed layer for context-sensitive PII while preserving the existing explicit placement model and lightweight default install.

Changes

Add local privacy filter redaction backend

  • What: Added nested config.openai_privacy_filter settings, the OPF sidecar adapter/client, stable placeholder mapping, loopback endpoint validation, fallback/raise failure modes, and tests for spans, invalid responses, connection failures, timeouts, and config behavior.
  • Why: Issue Add optional OpenAI Privacy Filter redaction backend #68 requires optional local model-backed redaction without hosted inference or hidden automatic redaction hooks.

Release and privacy hardening

  • What: Bumped Tracebook::VERSION and lockfile metadata to 1.1.0, added changelog/README/initializer docs, updated patched dependencies, and removed the dashboard's fallback load from unpkg.
  • Why: The feature is additive and release-worthy as a minor version; dashboard pages can display raw chat content, so they should not execute third-party fallback JavaScript.

Testing

  • bin/rails test -> 90 runs, 210 assertions, 0 failures
  • bundle audit check -> No vulnerabilities found
  • bin/rubocop lib/generators/tracebook/install/templates/initializer.rb.tt lib/tracebook.rb lib/tracebook/config.rb lib/tracebook/redaction/openai_privacy_filter.rb lib/tracebook/version.rb test/lib/config_test.rb test/lib/redaction/config_integration_test.rb test/lib/redaction/openai_privacy_filter_test.rb -> no offenses
  • node --check app/assets/javascripts/tracebook/application.js
  • gem build tracebook.gemspec --output /tmp/tracebook-1.1.0.gem and gem specification contents include lib/tracebook/redaction/openai_privacy_filter.rb

Full bin/rubocop still reports pre-existing test/dummy/db/schema.rb array-spacing offenses unrelated to this diff.

Risk & Rollout

  • Risk: Medium. The new backend is opt-in and loopback-only, but it touches redaction and release dependencies.
  • Rollback: Revert the commit or disable the backend with config.openai_privacy_filter.enabled = false.
  • Monitoring: Watch app logs for OpenAI Privacy Filter redaction skipped warnings and confirm sidecar availability in host apps that enable the backend.

Closes #68

@dpaluy
Add local privacy filter redaction backend
126e528 
Tracebook needs a stronger optional PII layer without changing the explicit redaction contract host apps already use. This adds a config-gated OpenAI Privacy Filter sidecar adapter, keeps regex/custom redactors first, restricts the sidecar endpoint to loopback addresses, and preserves fallback behavior when the sidecar cannot return usable spans.

The release metadata moves the gem to 1.1.0, records the feature in the changelog, removes the dashboard CDN Stimulus fallback, and updates patched dependencies so release validation is not blocked by known advisories.

Constraint: Issue #68 requires explicit Tracebook.redact placement, local sidecar behavior, stable placeholders, sidecar fallback, version bump, and changelog.

Rejected: Hosted Hugging Face inference | would send raw conversation text to a third party by default.

Rejected: Native Ruby ONNX runtime | larger dependency surface and higher drift from the official OPF implementation.

Confidence: high

Scope-risk: moderate

Directive: Do not add automatic persistence, dashboard, export, or RubyLLM callback redaction without a separate explicit placement decision.

Tested: bin/rails test; bundle audit check; targeted RuboCop on changed Ruby files; node --check app/assets/javascripts/tracebook/application.js; gem build/package contents check

Not-tested: Real OpenAI Privacy Filter model or production sidecar process.

Related: #68
This was referenced Apr 26, 2026
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@dpaluy
Keep local OMX state out of review
78022f9 
The branch uses OMX runtime files during autonomous work, but those files are local coordination state and should not appear as untracked PR noise.

Constraint: .omx/ contains local workflow/session state, not project source

Confidence: high

Scope-risk: narrow

Directive: Keep .omx/ ignored unless the repository explicitly starts owning OMX state

Tested: git check-ignore -v .omx/ .omx/state

Tested: git diff --check

Not-tested: full Rails suite; ignore-only change
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add optional OpenAI Privacy Filter redaction backend

1 participant

@dpaluy