From 5626637fbd1a6f6b1c841cb5002c6c34df960b65 Mon Sep 17 00:00:00 2001
From: Skyuno
Date: Fri, 13 Feb 2026 02:25:55 +0800
Subject: [PATCH] security: remove query content from web search logs to prevent PII leakage

- Remove search query from iteration logs (Info level)
- Remove query and toolUseId from analysis logs (Info level)
- Remove query from non-stream result logs (Info level)
- Remove query from tool injection logs (Info level)
- Remove query from tool_use detection logs (Debug level)
This addresses the security concern raised in PR #226 review about potential PII exposure in search query logs.
---
 internal/runtime/executor/kiro_executor.go | 10 +++++-----
 .../kiro/claude/kiro_claude_stream_parser.go | 2 +-
 internal/translator/kiro/claude/kiro_websearch.go | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/internal/runtime/executor/kiro_executor.go b/internal/runtime/executor/kiro_executor.go
index c9792903..9d197769 100644
--- a/internal/runtime/executor/kiro_executor.go
+++ b/internal/runtime/executor/kiro_executor.go
@@ -4457,8 +4457,8 @@ func (e *KiroExecutor) handleWebSearchStream(
 currentToolUseId := fmt.Sprintf("srvtoolu_%s", kiroclaude.GenerateToolUseID())
 for iteration := 0; iteration < maxWebSearchIterations; iteration++ {
- log.Infof("kiro/websearch: search iteration %d/%d — query: %s",
- iteration+1, maxWebSearchIterations, currentQuery)
+ log.Infof("kiro/websearch: search iteration %d/%d",
+ iteration+1, maxWebSearchIterations)
 // MCP search
 _, mcpRequest := kiroclaude.CreateMcpRequest(currentQuery)
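Review bot: Nothing in this patch keeps the query from drifting back into a log line: the five call sites are scrubbed by hand and the diffstat lists no test file. A test that drives handleWebSearchStream with a sentinel query, captures the logger output and asserts the sentinel is absent would pin the property for this hunk and for the matching changes in handleWebSearch, AnalyzeBufferedStream and the injection log in kiro_websearch.go. If operators still need to tell iterations apart, a content-free field such as `len(currentQuery)` could be added to the format string. The loop body continues outside the hunk, so whether `currentQuery` reaches other log calls further down (for example around `CreateMcpRequest`) cannot be checked from here.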
@@ -4515,8 +4515,8 @@ func (e *KiroExecutor) handleWebSearchStream(
 // Analyze response
 analysis := kiroclaude.AnalyzeBufferedStream(kiroChunks)
- log.Infof("kiro/websearch: iteration %d — stop_reason: %s, has_tool_use: %v, query: %s, toolUseId: %s",
- iteration+1, analysis.StopReason, analysis.HasWebSearchToolUse, analysis.WebSearchQuery, analysis.WebSearchToolUseId)
+ log.Infof("kiro/websearch: iteration %d — stop_reason: %s, has_tool_use: %v",
+ iteration+1, analysis.StopReason, analysis.HasWebSearchToolUse)
 if analysis.HasWebSearchToolUse && analysis.WebSearchQuery != "" && iteration+1 < maxWebSearchIterations {
 // Model wants another search
@@ -4613,7 +4613,7 @@ func (e *KiroExecutor) handleWebSearch(
 if searchResults != nil {
 resultCount = len(searchResults.Results)
 }
- log.Infof("kiro/websearch: non-stream: got %d search results for query: %s", resultCount, query)
+ log.Infof("kiro/websearch: non-stream: got %d search results", resultCount)
 // Step 3: Replace restrictive web_search tool description (align with streaming path)
 simplifiedPayload, simplifyErr := kiroclaude.ReplaceWebSearchToolDescription(bytes.Clone(req.Payload))
diff --git a/internal/translator/kiro/claude/kiro_claude_stream_parser.go b/internal/translator/kiro/claude/kiro_claude_stream_parser.go
index 35ae945b..275196ac 100644
--- a/internal/translator/kiro/claude/kiro_claude_stream_parser.go
+++ b/internal/translator/kiro/claude/kiro_claude_stream_parser.go
@@ -226,7 +226,7 @@ func AnalyzeBufferedStream(chunks [][]byte) BufferedStreamResult {
 result.WebSearchQuery = q
 }
 }
- log.Debugf("kiro/websearch: detected web_search tool_use, query: %s", result.WebSearchQuery)
+ log.Debugf("kiro/websearch: detected web_search tool_use")
 }
 currentToolName = ""
 currentToolIndex = -1
diff --git a/internal/translator/kiro/claude/kiro_websearch.go b/internal/translator/kiro/claude/kiro_websearch.go
index aaf4d375..b9da3829 100644
--- a/internal/translator/kiro/claude/kiro_websearch.go
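Review bot: `analysis.StopReason` is still written with `%s` in the new `log.Infof` call, and it is produced by `AnalyzeBufferedStream(kiroChunks)`, i.e. parsed from the buffered upstream stream. If that field can carry arbitrary text, a line break in it would forge log entries; `%q` keeps it on one line: `log.Infof("kiro/websearch: iteration %d — stop_reason: %q, has_tool_use: %v",`. The enclosing function starts and ends outside the hunk.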
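Review bot: The new `log.Debugf("kiro/websearch: detected web_search tool_use")` call in AnalyzeBufferedStream has no formatting verbs left, so it reads as a leftover of the old format string. Either switch to the non-formatting call if the logger has one, or keep `Debugf` and log a content-free discriminator such as the tool index that is reset two lines below, `log.Debugf("kiro/websearch: detected web_search tool_use (index=%d)", currentToolIndex)`. The function body continues outside the hunk, so `currentToolIndex` being an integer is assumed from the `-1` assignment.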
+++ b/internal/translator/kiro/claude/kiro_websearch.go
@@ -388,8 +388,8 @@ Do NOT apologize for bad results without first attempting a re-search.
 return claudePayload, fmt.Errorf("failed to marshal updated payload: %w", err)
 }
- log.Infof("kiro/websearch: injected tool_use+tool_result (toolUseId=%s, query=%s, messages=%d)",
- toolUseId, query, len(messages))
+ log.Infof("kiro/websearch: injected tool_use+tool_result (toolUseId=%s, messages=%d)",
+ toolUseId, len(messages))
 return result, nil
 }
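Review bot: `toolUseId` stays in the injection log with `%s`, while the same commit drops `analysis.WebSearchToolUseId` from the analysis log in kiro_executor.go. If the id passed in here can be the model-supplied one from a later iteration rather than the locally generated `srvtoolu_…` value, it is stream-derived text and should be treated the same way in both places: either drop it here too or format it with `%q`, `log.Infof("kiro/websearch: injected tool_use+tool_result (toolUseId=%q, messages=%d)",`. The function's signature is outside the hunk, so the origin of `toolUseId` could not be confirmed.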