fix(axiom): remove sensitive data from error logs and cleanup #192
Conversation
- Remove user prompts/messages from error logs in extractErrorDetails - Remove WebVitals tracking from client - Remove middleware request logging
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
📝 WalkthroughWalkthroughThis change removes WebVitals telemetry from the layout and Axiom client, removes middleware request logging, and adds recursive sanitization to error extraction to strip sensitive fields from logged data. Changes
Sequence Diagram(s)(omitted — changes are removals and a local sanitization utility; no multi-component new control flow requiring a sequence diagram) Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@lib/utils/error-utils.ts`:
- Around line 34-57: The removeSensitiveData function can infinite-recurse on
circular structures; update it to accept and use a WeakSet (e.g., visited) to
track seen objects, returning a safe placeholder (or the original non-traversed
value) when an object is already in visited; mark objects as visited when first
traversed, pass the same WeakSet into recursive calls for both arrays and nested
objects, and ensure primitive short-circuits remain unchanged; reference the
removeSensitiveData function and SENSITIVE_KEYS so you add the WeakSet logic
around Object/Array traversal and recursive calls.
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@lib/utils/error-utils.ts`:
- Around line 98-105: The current flow uses removeSensitiveData on
anyError.responseBody and anyError.data but removeSensitiveData returns strings
unchanged, so sensitive text can be logged; update the implementation of
removeSensitiveData (and/or add a helper like sanitizeString) to handle
primitive string inputs by applying a defensive redaction policy (e.g., mask API
keys, PII patterns, and long prompt-like content or replace with a fixed
redacted placeholder) before returning, then keep using removeSensitiveData
where details.responseBody and details.providerData are assigned; alternatively,
if you cannot safely redact here, add a clear code comment/documentation on
removeSensitiveData stating that responseBody and data are guaranteed safe and
must not contain sensitive content.
| details.responseBody = removeSensitiveData(anyError.responseBody); | ||
| } | ||
| if ("isRetryable" in anyError) { | ||
| details.isRetryable = anyError.isRetryable; | ||
| } | ||
| if ("data" in anyError) { | ||
| details.providerData = anyError.data; | ||
| details.providerData = removeSensitiveData(anyError.data); | ||
| } |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
# First, let's find the removeSensitiveData function and understand what it does
rg -n "removeSensitiveData" lib/utils/error-utils.ts -A 10 -B 2Repository: hackerai-tech/hackerai
Length of output: 1088
🏁 Script executed:
# Also search for the function definition
rg -n "function removeSensitiveData|const removeSensitiveData|export.*removeSensitiveData" -A 15Repository: hackerai-tech/hackerai
Length of output: 1009
🏁 Script executed:
# Let's look at the entire error-utils.ts file to understand context
wc -l lib/utils/error-utils.tsRepository: hackerai-tech/hackerai
Length of output: 94
🏁 Script executed:
# Search for type definitions of error objects with responseBody or data fields
rg -n "responseBody|providerData" -B 5 -A 2 --type=tsRepository: hackerai-tech/hackerai
Length of output: 2269
🏁 Script executed:
# Read the full removeSensitiveData function to see all logic
sed -n '35,70p' lib/utils/error-utils.tsRepository: hackerai-tech/hackerai
Length of output: 951
🏁 Script executed:
# Search for data field type definitions in error objects
rg -n "data\s*\?*:\s*(string|unknown|any)" -B 3 -A 1 --type=tsRepository: hackerai-tech/hackerai
Length of output: 5132
🏁 Script executed:
# Look for error object type definitions more broadly
rg -n "interface.*Error|type.*Error" --type=ts -A 8 | head -100Repository: hackerai-tech/hackerai
Length of output: 4454
🏁 Script executed:
# Check what SENSITIVE_KEYS contains
rg -n "SENSITIVE_KEYS" lib/utils/error-utils.ts -B 5 -A 5Repository: hackerai-tech/hackerai
Length of output: 595
🏁 Script executed:
# Look for how responseBody and data are populated to understand if they could contain sensitive info
rg -n "\.responseBody\s*=" -B 3 -A 1 --type=tsRepository: hackerai-tech/hackerai
Length of output: 764
🏁 Script executed:
# Check how the error details are used/logged after extraction
rg -n "getErrorDetails|extractErrorDetails|providerData|responseBody" lib/ -A 2 --type=ts | head -60Repository: hackerai-tech/hackerai
Length of output: 1646
removeSensitiveData passes strings unchanged—confirm responseBody and data won't contain sensitive content.
The function returns primitive values (including strings) as-is without inspection (line 40). Since responseBody is typed as string, any sensitive content embedded in error messages (e.g., prompts, rejection reasons) will be logged verbatim. Similarly, data fields may be strings or contain unfiltered string content. Either document that these fields are guaranteed to be safe, or add a defensive redaction layer for string values.
🤖 Prompt for AI Agents
In `@lib/utils/error-utils.ts` around lines 98 - 105, The current flow uses
removeSensitiveData on anyError.responseBody and anyError.data but
removeSensitiveData returns strings unchanged, so sensitive text can be logged;
update the implementation of removeSensitiveData (and/or add a helper like
sanitizeString) to handle primitive string inputs by applying a defensive
redaction policy (e.g., mask API keys, PII patterns, and long prompt-like
content or replace with a fixed redacted placeholder) before returning, then
keep using removeSensitiveData where details.responseBody and
details.providerData are assigned; alternatively, if you cannot safely redact
here, add a clear code comment/documentation on removeSensitiveData stating that
responseBody and data are guaranteed safe and must not contain sensitive
content.
Summary by CodeRabbit
Bug Fixes
Removed Features
Chores
✏️ Tip: You can customize this high-level summary in your review settings.