Add username log censor setting

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-18 03:30:39 +09:00 · 2026-03-20 08:00:39 -05:00 · 2026-03-20 08:00:39 -05:00 · 39878fcdfe
commit 39878fcdfe
parent 3de7d63ea9
33 changed files with 10841 additions and 146 deletions
--- a/server/src/services/heartbeat.ts
+++ b/server/src/services/heartbeat.ts
@ -720,6 +720,9 @@ function resolveNextSessionState(input: {

 export function heartbeatService(db: Db) {
  const instanceSettings = instanceSettingsService(db);
+  const getCurrentUserRedactionOptions = async () => ({
+    enabled: (await instanceSettings.getGeneral()).censorUsernameInLogs,
+  });

  const runLogStore = getRunLogStore();
  const secretsSvc = secretService(db);
@ -1318,8 +1321,13 @@ export function heartbeatService(db: Db) {
      payload?: Record<string, unknown>;
    },
  ) {
-    const sanitizedMessage = event.message ? redactCurrentUserText(event.message) : event.message;
-    const sanitizedPayload = event.payload ? redactCurrentUserValue(event.payload) : event.payload;
+    const currentUserRedactionOptions = await getCurrentUserRedactionOptions();
+    const sanitizedMessage = event.message
+      ? redactCurrentUserText(event.message, currentUserRedactionOptions)
+      : event.message;
+    const sanitizedPayload = event.payload
+      ? redactCurrentUserValue(event.payload, currentUserRedactionOptions)
+      : event.payload;

    await db.insert(heartbeatRunEvents).values({
      companyId: run.companyId,
@ -2252,8 +2260,9 @@ export function heartbeatService(db: Db) {
        })
        .where(eq(heartbeatRuns.id, runId));

+      const currentUserRedactionOptions = await getCurrentUserRedactionOptions();
      const onLog = async (stream: "stdout" | "stderr", chunk: string) => {
-        const sanitizedChunk = redactCurrentUserText(chunk);
+        const sanitizedChunk = redactCurrentUserText(chunk, currentUserRedactionOptions);
        if (stream === "stdout") stdoutExcerpt = appendExcerpt(stdoutExcerpt, sanitizedChunk);
        if (stream === "stderr") stderrExcerpt = appendExcerpt(stderrExcerpt, sanitizedChunk);
        const ts = new Date().toISOString();
@ -2503,6 +2512,7 @@ export function heartbeatService(db: Db) {
            ? null
            : redactCurrentUserText(
                adapterResult.errorMessage ?? (outcome === "timed_out" ? "Timed out" : "Adapter failed"),
+                currentUserRedactionOptions,
              ),
        errorCode:
          outcome === "timed_out"
@ -2570,7 +2580,10 @@ export function heartbeatService(db: Db) {
      }
      await finalizeAgentStatus(agent.id, outcome);
    } catch (err) {
-      const message = redactCurrentUserText(err instanceof Error ? err.message : "Unknown adapter failure");
+      const message = redactCurrentUserText(
+        err instanceof Error ? err.message : "Unknown adapter failure",
+        await getCurrentUserRedactionOptions(),
+      );
      logger.error({ err, runId }, "heartbeat execution failed");

      let logSummary: { bytes: number; sha256?: string; compressed: boolean } | null = null;
@ -3608,7 +3621,7 @@ export function heartbeatService(db: Db) {
        store: run.logStore,
        logRef: run.logRef,
        ...result,
-        content: redactCurrentUserText(result.content),
+        content: redactCurrentUserText(result.content, await getCurrentUserRedactionOptions()),
      };
    },