fix: drop display_name from logs to avoid logging PII#145
Conversation
The display name is PII; logging it on every request line risks violating privacy rules. Keep only the opaque user_id (UUID), which is sufficient to correlate a request with its user without exposing personal data. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
📝 WalkthroughWalkthroughLog enrichment in ChangesUser Context Logging Privacy
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Problem
PR #142 added
user_idanddisplay_nameto every JSON log line. The display name is PII — logging it on every request risks violating privacy rules.Change
In
plane_mcp/__main__.py, stop collecting and emittingdisplay_name:UserContextFilternow records onlyuser_id(claims["sub"], an opaque UUID).JSONFormatterno longer emits adisplay_namekey.The
user_idUUID is sufficient to correlate a request with its user without exposing personal data. The enrichment-error signal added previously is unchanged.Result
{..., "logger": "fastmcp.middleware.structured_logging", "message": "{\"event\": \"request_success\", ...}", "user_id": "b3fea12b-4c99-4b8f-b726-6121c79f12aa"}Testing
ruff check/formatpass.display_name/email, the formatted line contains onlyuser_id— no PII leaks. No-context lines stay clean.🤖 Generated with Claude Code
Summary by CodeRabbit