Skip to content

Include full Debug-formatted errors in cloud agent traces.#13586

Open
vorporeal wants to merge 2 commits into
masterfrom
david/richer-errors-in-cloud-agent-traces
Open

Include full Debug-formatted errors in cloud agent traces.#13586
vorporeal wants to merge 2 commits into
masterfrom
david/richer-errors-in-cloud-agent-traces

Conversation

@vorporeal

@vorporeal vorporeal commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Description

#[tracing::instrument(err)] formats the error using its Display format, which only includes the human-readable representation of the top error in the causal chain. We use anyhow and thiserror for richer, structured errors, and so we should switch to err(Debug) in order to get the full structured error data.

@cla-bot cla-bot Bot added the cla-signed label Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

This stack of pull requests is managed by Graphite. Learn more about stacking.

@vorporeal vorporeal marked this pull request as ready for review July 10, 2026 20:29
@oz-for-oss

oz-for-oss Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

@vorporeal

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

@vorporeal vorporeal enabled auto-merge (squash) July 10, 2026 20:30

@oz-for-oss oz-for-oss Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overview

This PR switches cloud-agent tracing instrumentation from Display-formatted errors to Debug-formatted errors across the agent driver, attachment, environment, server API, team metadata, git credentials, and managed secrets paths.

Concerns

  • One changed top-level agent-driver span can now serialize nested AgentDriverError Debug fields that were intentionally absent from Display output, including raw third-party harness auth preflight stdout/stderr stored in HarnessAuthCheckFailed.detail.

Security

  • The AgentDriver::run_internal err(Debug) change can bypass the existing safe_error! redaction boundary for auth preflight details and send potentially sensitive command output into cloud-agent traces.

Verdict

Found: 0 critical, 1 important, 0 suggestions

Request changes

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

/// a `ModelSpawner` lets us express the high-level process linearly rather than in a
/// series of callbacks and state machine updates.
#[tracing::instrument(name = "AgentDriver::run_internal", skip_all, err, fields(tags.cloud_agent = true))]
#[tracing::instrument(name = "AgentDriver::run_internal", skip_all, err(Debug), fields(tags.cloud_agent = true))]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [IMPORTANT] [SECURITY] AgentDriverError's Debug output includes fields that Display intentionally hides; for example run_single_preflight stores raw auth-check block output in HarnessAuthCheckFailed.detail, so this span can emit third-party CLI auth stdout/stderr into cloud-agent traces and bypass the existing safe_error! redaction boundary. Keep this top-level driver error redacted or add a safe Debug wrapper before enabling Debug-format tracing here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants