[SAR] APPENG-5151: Configurable audit logging#202
Conversation
Add an AUDIT_LOGGING_ENABLED setting that controls whether PII fields (user_id, org_id, order_id, request_id) are injected into log records. When disabled, these fields are set to empty strings, removing PII from logs while maintaining consistent log format structure. - Add audit_logging_enabled setting to config (default: True) - Update AuditContextFilter to respect the setting - Empty strings used when disabled to preserve JSON log schema Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
luis5tb
left a comment
luis5tb
left a comment
There was a problem hiding this comment.
PR 202 Review: [SAR] APPENG-5151 — Configurable Audit Logging
Critical (1)
- Toggle only suppresses PII in the log filter, not in direct log messages —
AUDIT_LOGGING_ENABLED=FalsecontrolsAuditContextFilterbutAgentLoggingPlugin._audit_fields()(api/a2a/logging_plugin.py:55-62) independently reads and logsuser_id,org_id,order_id,request_idfrom contextvars in 8+ log statements across every tool call, LLM invocation, and run lifecycle event. Similarly,mcp_headers.py:48-55logsuser_id,org_id,request_idon every JWT forwarding event. An operator who disables the toggle expecting no PII in logs will still see PII throughout. → Gate_audit_fields()andmcp_headers.pyon the same setting, or explicitly scope the toggle in docs as "structured log record fields only."[logging/filters.py:21, api/a2a/logging_plugin.py:54-62, tools/mcp_headers.py:48-55]
Important (2)
-
Missing tests for disabled mode — No tests exercise
audit_logging_enabled=False. ExistingTestAuditContextFilteronly covers the default (enabled) behavior. Add tests that patchget_settings().audit_logging_enabledtoFalseand assert all record fields are empty strings even when contextvars are populated.[tests/test_audit_logging.py] -
Missing
.env.exampleupdate — The newAUDIT_LOGGING_ENABLEDenv var is not documented in.env.example, which has a dedicated "Audit logging" section (lines 173-184). Add it with a comment explaining the PII implications.[.env.example:173]
Suggestions (3)
-
Per-log-record deferred import overhead —
filter()doesfrom lightspeed_agent.config import get_settings+get_settings()on every log record. While both are cached (sys.modules + lru_cache), consider caching the boolean at construction time since Settings is a singleton.[logging/filters.py:22-23] -
Consider a startup warning when audit logging is disabled — Unlike
SKIP_JWT_VALIDATIONwhich has a production guard via_block_skip_jwt_in_production, this setting has no guardrail or visibility. AWARNINGat startup when disabled would help operators notice misconfiguration.[config/settings.py] -
Cross-service consistency — Agent (port 8000) and Marketplace Handler (port 8001) have independent settings. If one disables audit logging and the other doesn't, PII leakage is inconsistent. Document that
AUDIT_LOGGING_ENABLEDshould be set identically across both services.[config/settings.py]
Strengths
- Empty-string default preserves JSON schema — downstream log consumers won't break
- Setting is well-placed in the Logging section with a clear description of the trade-off
- Default
Truepreserves backward compatibility - Clean, minimal diff — does exactly what it says
- PR description is thorough with SAR reference and CWE citation
|
fixes to the reveiew at: yuvalk#7 |
2 participants
Summary
Addresses APPENG-5151.
Add an
AUDIT_LOGGING_ENABLEDsetting that controls whether PII fields (user_id, org_id, order_id, request_id) are injected into log records. This allows operators to disable PII in logs for compliance while maintaining consistent log format structure.Changes
audit_logging_enabledsetting toconfig/settings.py(default:True)AuditContextFilterinlogging/filters.pyto check the setting before injecting contextSAR Reference
Co-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com