chore: import upstream snapshot with attribution
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,72 @@
|
||||
# Logging Guidelines
|
||||
|
||||
## The Rule
|
||||
|
||||
Always use the logger with an object as the second parameter:
|
||||
|
||||
```typescript
|
||||
logger.debug('[Component] Message', { headers, body, config });
|
||||
```
|
||||
|
||||
The object is **auto-sanitized** - sensitive fields are automatically redacted.
|
||||
|
||||
## Why This Matters
|
||||
|
||||
- **Security**: Prevents accidental exposure of secrets in logs
|
||||
- **Consistency**: Structured logs are easier to search and analyze
|
||||
- **Safety**: Red team test content may contain harmful/sensitive data
|
||||
|
||||
## Correct Usage
|
||||
|
||||
```typescript
|
||||
import logger from './logger';
|
||||
|
||||
// Good - context object is auto-sanitized
|
||||
logger.debug('[Provider]: Making API request', {
|
||||
url: 'https://api.example.com',
|
||||
method: 'POST',
|
||||
headers: { Authorization: 'Bearer secret-token' },
|
||||
body: { apiKey: 'secret-key', data: 'value' },
|
||||
});
|
||||
// Output: Authorization and apiKey are [REDACTED]
|
||||
|
||||
logger.error('Request failed', {
|
||||
headers: response.headers,
|
||||
body: errorResponse,
|
||||
});
|
||||
```
|
||||
|
||||
## Anti-Pattern
|
||||
|
||||
```typescript
|
||||
// WRONG - exposes secrets, bypasses sanitization
|
||||
logger.debug(`Config: ${JSON.stringify(config)}`);
|
||||
logger.debug(`Calling ${url} with headers: ${JSON.stringify(headers)}`);
|
||||
```
|
||||
|
||||
## Manual Sanitization
|
||||
|
||||
For non-logging contexts:
|
||||
|
||||
```typescript
|
||||
import { sanitizeObject } from './util/sanitizer';
|
||||
|
||||
const sanitizedConfig = sanitizeObject(providerConfig, {
|
||||
context: 'provider config',
|
||||
});
|
||||
```
|
||||
|
||||
## What Gets Sanitized
|
||||
|
||||
Field names containing (case-insensitive, works with `-`, `_`, camelCase):
|
||||
|
||||
| Category | Fields |
|
||||
| ------------ | -------------------------------------------------------------------------- |
|
||||
| Passwords | `password`, `passwd`, `pwd`, `passphrase` |
|
||||
| API Keys | `apiKey`, `api_key`, `token`, `accessToken`, `refreshToken`, `bearerToken` |
|
||||
| Secrets | `secret`, `clientSecret`, `webhookSecret` |
|
||||
| Headers | `authorization`, `cookie`, `x-api-key`, `x-auth-token` |
|
||||
| Certificates | `privateKey`, `certificatePassword`, `keystorePassword` |
|
||||
| Signatures | `signature`, `sig`, `signingKey` |
|
||||
|
||||
See `src/util/sanitizer.ts` for the complete list.
|
||||
Reference in New Issue
Block a user