security: remove query content from web search logs to prevent PII leakage

- Remove search query from iteration logs (Info level)
- Remove query and toolUseId from analysis logs (Info level)
- Remove query from non-stream result logs (Info level)
- Remove query from tool injection logs (Info level)
- Remove query from tool_use detection logs (Debug level)

This addresses the security concern raised in PR #226 review about
potential PII exposure in search query logs.
Skyuno
2026-02-13 02:25:55 +08:00
parent 2db89211a9
commit 5626637fbd
3 changed files with 8 additions and 8 deletions


@@ -4457,8 +4457,8 @@ func (e *KiroExecutor) handleWebSearchStream(
currentToolUseId := fmt.Sprintf("srvtoolu_%s", kiroclaude.GenerateToolUseID())
for iteration := 0; iteration < maxWebSearchIterations; iteration++ {
log.Infof("kiro/websearch: search iteration %d/%d — query: %s",
iteration+1, maxWebSearchIterations, currentQuery)
log.Infof("kiro/websearch: search iteration %d/%d",
iteration+1, maxWebSearchIterations)
// MCP search
_, mcpRequest := kiroclaude.CreateMcpRequest(currentQuery)
@@ -4515,8 +4515,8 @@ func (e *KiroExecutor) handleWebSearchStream(
// Analyze response
analysis := kiroclaude.AnalyzeBufferedStream(kiroChunks)
log.Infof("kiro/websearch: iteration %d — stop_reason: %s, has_tool_use: %v, query: %s, toolUseId: %s",
iteration+1, analysis.StopReason, analysis.HasWebSearchToolUse, analysis.WebSearchQuery, analysis.WebSearchToolUseId)
log.Infof("kiro/websearch: iteration %d — stop_reason: %s, has_tool_use: %v",
iteration+1, analysis.StopReason, analysis.HasWebSearchToolUse)
if analysis.HasWebSearchToolUse && analysis.WebSearchQuery != "" && iteration+1 < maxWebSearchIterations {
// Model wants another search
@@ -4613,7 +4613,7 @@ func (e *KiroExecutor) handleWebSearch(
if searchResults != nil {
resultCount = len(searchResults.Results)
}
log.Infof("kiro/websearch: non-stream: got %d search results for query: %s", resultCount, query)
log.Infof("kiro/websearch: non-stream: got %d search results", resultCount)
// Step 3: Replace restrictive web_search tool description (align with streaming path)
simplifiedPayload, simplifyErr := kiroclaude.ReplaceWebSearchToolDescription(bytes.Clone(req.Payload))
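Review bot: Nothing in the new code records that the query is left out on purpose, so someone debugging a search loop later is likely to put `currentQuery` back into the `log.Infof` at the top of the iteration loop. A one-line comment above that call, such as `// Do not log currentQuery: it is user-derived text and may contain PII.`, would keep the rule visible. The same applies to the two other Info calls changed in this file and to the Debugf and injection logs in the other two files. Both handleWebSearchStream and handleWebSearch extend beyond the hunks shown, so any error or debug path there that formats the query or the MCP request would need the same treatment; this cannot be confirmed from the visible lines.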


@@ -226,7 +226,7 @@ func AnalyzeBufferedStream(chunks [][]byte) BufferedStreamResult {
result.WebSearchQuery = q
}
}
log.Debugf("kiro/websearch: detected web_search tool_use, query: %s", result.WebSearchQuery)
log.Debugf("kiro/websearch: detected web_search tool_use")
}
currentToolName = ""
currentToolIndex = -1
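Review bot: The reduced `log.Debugf` no longer shows whether a query was actually extracted, although the stream handler's decision to search again depends on `analysis.WebSearchQuery != ""`. Logging only the length keeps that diagnostic without the content: `log.Debugf("kiro/websearch: detected web_search tool_use (query_len=%d)", len(result.WebSearchQuery))`. AnalyzeBufferedStream starts and ends outside this hunk, so the possibility of an empty query at this point is inferred from the conditional assignment just above the log call.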


@@ -388,8 +388,8 @@ Do NOT apologize for bad results without first attempting a re-search.
return claudePayload, fmt.Errorf("failed to marshal updated payload: %w", err)
}
log.Infof("kiro/websearch: injected tool_use+tool_result (toolUseId=%s, query=%s, messages=%d)",
toolUseId, query, len(messages))
log.Infof("kiro/websearch: injected tool_use+tool_result (toolUseId=%s, messages=%d)",
toolUseId, len(messages))
return result, nil
}
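Review bot: `toolUseId` is still formatted with `%s` in the retained `log.Infof`, and the stream handler appears to take tool-use IDs from the parsed model response (`analysis.WebSearchToolUseId`) as well as generating them locally. If a response-derived value can reach this function, a quoted verb keeps embedded newlines or control characters from forging log lines: `toolUseId=%q`. It would also help to say in a comment why the ID is dropped from the analysis log but kept here, since the commit message lists it among the removed fields. The enclosing function begins outside the hunk, so the origin of `toolUseId` is not visible here.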