fix(patch): cherry-pick 2194da2 to release/v0.40.0-pr-26153 to patch version v0.40.0 and create version 0.40.1 #26268
Co-authored-by: David Pierce <davidapierce@google.com> Co-authored-by: Gal Zahavi <38544478+galz10@users.noreply.github.com>
Summary of Changes
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces a privacy-focused update to the telemetry system by making the logging of sensitive information conditional. By leveraging the 'logPrompts' configuration flag, the system now prevents the accidental exposure of user-provided prompts, content, and tool arguments in telemetry data unless explicitly permitted by the user. This change ensures better compliance with data privacy requirements while maintaining essential diagnostic capabilities.
Size Change: +1.51 kB (0%) Total Size: 33.7 MB
Code Review
This pull request implements privacy controls for telemetry by conditionally omitting sensitive fields like prompts, tool arguments, and policies from OpenTelemetry and Clearcut logs based on the logPrompts configuration. It includes comprehensive unit tests to verify these redactions across various event types. Feedback highlights a potential privacy leak in the Clearcut logging path for tool calls and suggests using a more semantically accurate metadata key for tool call names in the Conseca context.
| if (this.metadata) { | ||
| const metadata = config.getTelemetryLogPromptsEnabled() | ||
| ? this.metadata | ||
| : Object.fromEntries( | ||
| Object.entries(this.metadata).filter(([k]) => | ||
| (TOOL_CALL_METADATA_SAFE_KEYS as readonly string[]).includes(k), | ||
| ), | ||
| ); | ||
| if (Object.keys(metadata).length > 0) { | ||
| attributes['metadata'] = safeJsonStringify(metadata, 2); | ||
| } | ||
| } |
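Review bot: the filter over `Object.entries(this.metadata)` checks only top-level key names against TOOL_CALL_METADATA_SAFE_KEYS, so whatever value sits under an allow-listed key is passed to safeJsonStringify unchanged when prompt logging is off. Consider documenting next to the constant that safe keys must only ever hold non-sensitive values, or keeping only scalar values in this branch. The `as readonly string[]` cast could also be dropped by typing the constant as `readonly string[]` where it is declared.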
While the OpenTelemetry logging for ToolCallEvent metadata is correctly handled here to respect getTelemetryLogPromptsEnabled(), a similar check is missing in the Clearcut logging path. In packages/core/src/telemetry/clearcut-logger/clearcut-logger.ts, the logToolCallEvent method logs metadata related to the ask_user tool without checking if prompt logging is disabled. This could lead to sensitive user interaction data being logged to Clearcut against the user's configuration. This is a potential privacy leak and should be addressed. The logic for logging ask_user metadata in logToolCallEvent should be wrapped in a if (this.config?.getTelemetryLogPromptsEnabled()) block.
| { | ||
| gemini_cli_key: EventMetadataKey.GEMINI_CLI_TOOL_CALL_NAME, | ||
| value: safeJsonStringify(event.tool_call), | ||
| }, |
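Review bot: `value: safeJsonStringify(event.tool_call)` serializes the whole tool call, and nothing in these lines conditions the entry on the prompt-logging setting. If it is not already inside a getTelemetryLogPromptsEnabled() guard, emit it only when logging is enabled, or log just the function name here so the value matches what the key name promises.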
The EventMetadataKey.GEMINI_CLI_TOOL_CALL_NAME is being used to log event.tool_call. However, according to its definition in event-metadata-key.ts, this key is intended for logging only the function name. The event.tool_call is a string that can contain the full tool call, including arguments, which is more than just the name. This misuse can lead to corrupted or misleading telemetry data for analyses that rely on GEMINI_CLI_TOOL_CALL_NAME containing only function names. To fix this, a new, more appropriate EventMetadataKey should be introduced for logging the full tool call string within the Conseca verdict context, for example CONSECA_TOOL_CALL.
References
- When logging events, ensure that the keys used for telemetry data accurately reflect the semantic meaning of the data being logged to avoid misinterpretation. Introduce new, more specific keys when existing ones are semantically confusing in a given context.
This PR automatically cherry-picks commit 2194da2 to patch version v0.40.0 in the stable release to create version 0.40.1.
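
One way to avoid the gap the review describes, where the OpenTelemetry path filters metadata but the Clearcut path does not, is to route every sink through a single redaction function. This is an added example, not code from the PR or the project; `SAFE_KEYS`, `Sink`, `logToolCall` and all sample values are constructed, and it goes slightly beyond the hunk by also dropping non-scalar values under allow-listed keys.

```typescript
type Metadata = Record<string, unknown>;
interface TelemetryConfig { logPrompts: boolean; }
interface Sink { name: string; records: string[]; }

// Constructed allow-list; the project's real safe-key list is not shown on the page.
const SAFE_KEYS: readonly string[] = ['duration_ms', 'status'];

// Single choke point: sinks never see raw metadata, only what this returns.
function redactMetadata(meta: Metadata | undefined, cfg: TelemetryConfig): Metadata | undefined {
  if (!meta) return undefined;
  if (cfg.logPrompts) return meta; // user opted in: pass through unchanged
  const out: Metadata = {};
  for (const k of Object.keys(meta)) {
    const v: unknown = meta[k];
    // Keep a value only if its key is allow-listed AND it is a scalar; a
    // key-name check alone would serialize nested objects in full.
    const scalar = v === null || typeof v !== 'object';
    if (SAFE_KEYS.indexOf(k) >= 0 && scalar) out[k] = v;
  }
  return Object.keys(out).length > 0 ? out : undefined;
}

// Hypothetical fan-out: redact once, then write the same record to every sink.
function logToolCall(sinks: Sink[], tool: string, meta: Metadata | undefined, cfg: TelemetryConfig): void {
  const safe = redactMetadata(meta, cfg);
  for (const s of sinks) {
    const rec: Metadata = { tool };
    if (safe) rec['metadata'] = safe;
    s.records.push(JSON.stringify(rec));
  }
}

// Constructed sample event, logged to two sinks standing in for OTel and Clearcut.
function demo(logPrompts: boolean): string[] {
  const otel: Sink = { name: 'otel', records: [] };
  const clearcut: Sink = { name: 'clearcut', records: [] };
  const meta: Metadata = {
    duration_ms: 12,
    status: { detail: 'nested under a safe key' },
    ask_user: { question: 'constructed prompt text' },
  };
  logToolCall([otel, clearcut], 'ask_user', meta, { logPrompts });
  return otel.records.concat(clearcut.records);
}

console.log(demo(false));
```

Because redaction happens before the fan-out, a sink added later cannot bypass the `logPrompts` setting by forgetting its own check.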