From c6c19e0fb7898c6c32d557ee38ed003a40f57472 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 24 Feb 2026 17:42:20 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20[security=20fix]=20Fix=20sensiti?= =?UTF-8?q?ve=20data=20exposure=20in=20logs?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Change core.info to core.debug for model responses in src/inference.ts - Change core.info to core.debug for tool execution details in src/mcp.ts - Change core.info to core.debug for custom header logging in src/helpers.ts - Remove sensitive response previews from error messages in src/inference.ts - Update tests to reflect changes from core.info to core.debug --- __tests__/helpers.test.ts | 26 +++++++++++++------------- __tests__/inference.test.ts | 4 ++-- __tests__/mcp.test.ts | 4 ++-- src/helpers.ts | 4 ++-- src/inference.ts | 10 ++++------ src/mcp.ts | 4 ++-- 6 files changed, 25 insertions(+), 27 deletions(-) diff --git a/__tests__/helpers.test.ts b/__tests__/helpers.test.ts index fe22b76..fddd05d 100644 --- a/__tests__/helpers.test.ts +++ b/__tests__/helpers.test.ts @@ -150,9 +150,9 @@ X-Custom-Header: custom-value` header2: 'value2', 'X-Custom-Header': 'custom-value', }) - expect(core.info).toHaveBeenCalledWith('Custom header added: header1: value1') - expect(core.info).toHaveBeenCalledWith('Custom header added: header2: value2') - expect(core.info).toHaveBeenCalledWith('Custom header added: X-Custom-Header: custom-value') + expect(core.debug).toHaveBeenCalledWith('Custom header added: header1: value1') + expect(core.debug).toHaveBeenCalledWith('Custom header added: header2: value2') + expect(core.debug).toHaveBeenCalledWith('Custom header added: X-Custom-Header: custom-value') }) it('parses JSON format headers correctly', () => { 
@@ -165,9 +165,9 @@ X-Custom-Header: custom-value` header2: 'value2', 'X-Team': 'engineering', }) - expect(core.info).toHaveBeenCalledWith('Custom header added: header1: value1') - expect(core.info).toHaveBeenCalledWith('Custom header added: header2: value2') - expect(core.info).toHaveBeenCalledWith('Custom header added: X-Team: engineering') + expect(core.debug).toHaveBeenCalledWith('Custom header added: header1: value1') + expect(core.debug).toHaveBeenCalledWith('Custom header added: header2: value2') + expect(core.debug).toHaveBeenCalledWith('Custom header added: X-Team: engineering') }) it('returns empty object for empty input', () => { @@ -194,13 +194,13 @@ password: pass123` }) // Sensitive headers should be masked - expect(core.info).toHaveBeenCalledWith('Custom header added: Ocp-Apim-Subscription-Key: ***MASKED***') - expect(core.info).toHaveBeenCalledWith('Custom header added: X-Api-Token: ***MASKED***') - expect(core.info).toHaveBeenCalledWith('Custom header added: Authorization: ***MASKED***') - expect(core.info).toHaveBeenCalledWith('Custom header added: password: ***MASKED***') + expect(core.debug).toHaveBeenCalledWith('Custom header added: Ocp-Apim-Subscription-Key: ***MASKED***') + expect(core.debug).toHaveBeenCalledWith('Custom header added: X-Api-Token: ***MASKED***') + expect(core.debug).toHaveBeenCalledWith('Custom header added: Authorization: ***MASKED***') + expect(core.debug).toHaveBeenCalledWith('Custom header added: password: ***MASKED***') // Non-sensitive headers should not be masked - expect(core.info).toHaveBeenCalledWith('Custom header added: serviceName: my-service') + expect(core.debug).toHaveBeenCalledWith('Custom header added: serviceName: my-service') }) it('validates header names and skips invalid ones', () => { 
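Review bot: The masking test in the `@@ -194` hunk never asserts that the raw secret value stays out of the logs; it only checks that the `***MASKED***` strings were emitted, so a regression that logged `pass123` in some other message would still pass. Add negative assertions beside the existing ones, e.g. `expect(core.debug).not.toHaveBeenCalledWith(expect.stringContaining('pass123'))` and `expect(core.info).not.toHaveBeenCalledWith(expect.stringContaining('pass123'))`, so the test pins the property this commit is about rather than the logger method it happens to use. The fixture already supplies the value to assert against (the hunk header shows `password: pass123`). The enclosing `it(...)` body starts before this hunk.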
@@ -367,8 +367,8 @@ systemID: terraform-ci` }) // Only the subscription key should be masked - expect(core.info).toHaveBeenCalledWith('Custom header added: Ocp-Apim-Subscription-Key: ***MASKED***') - expect(core.info).toHaveBeenCalledWith('Custom header added: serviceName: terraform-plan-workflow') + expect(core.debug).toHaveBeenCalledWith('Custom header added: Ocp-Apim-Subscription-Key: ***MASKED***') + expect(core.debug).toHaveBeenCalledWith('Custom header added: serviceName: terraform-plan-workflow') }) }) }) diff --git a/__tests__/inference.test.ts b/__tests__/inference.test.ts index 5c10fc6..c90214c 100644 --- a/__tests__/inference.test.ts +++ b/__tests__/inference.test.ts @@ -58,7 +58,7 @@ describe('inference.ts', () => { expect(result).toBe('Hello, user!') expect(core.info).toHaveBeenCalledWith('Running simple inference without tools') - expect(core.info).toHaveBeenCalledWith('Model response: Hello, user!') + expect(core.debug).toHaveBeenCalledWith('Model response: Hello, user!') // Verify the request structure expect(mockCreate).toHaveBeenCalledWith({ @@ -136,7 +136,7 @@ describe('inference.ts', () => { const result = await simpleInference(mockRequest) expect(result).toBeNull() - expect(core.info).toHaveBeenCalledWith('Model response: No response content') + expect(core.debug).toHaveBeenCalledWith('Model response: No response content') }) it('includes response format when specified', async () => { diff --git a/__tests__/mcp.test.ts b/__tests__/mcp.test.ts index f8a37bf..fea06cb 100644 --- a/__tests__/mcp.test.ts +++ b/__tests__/mcp.test.ts 
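Review bot: In the inference.test.ts `@@ -58` hunk the updated expectation only proves the model response is now logged through `core.debug`; nothing asserts that it has left `core.info`, which is the regression this commit exists to prevent. Add `expect(core.info).not.toHaveBeenCalledWith(expect.stringContaining('Hello, user!'))` next to the new `core.debug` expectation, and the equivalent for `'No response content'` in the `@@ -136` hunk, so a future `core.info` call on the response fails the suite. Note that `core.debug` output is still printed to the workflow log once `ACTIONS_STEP_DEBUG` is enabled, so these tests document a reduced-by-default exposure rather than a removed one; a one-line comment on the assertion saying `// debug is not a safe sink: visible with ACTIONS_STEP_DEBUG` would keep the next maintainer from treating it as one. Both `it(...)` bodies start outside their hunks.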
@@ -177,8 +177,8 @@ describe('mcp.ts', () => { name: 'test-tool', content: JSON.stringify(toolResult.content), }) - expect(core.info).toHaveBeenCalledWith('Executing GitHub MCP tool: test-tool with args: {"param": "value"}') - expect(core.info).toHaveBeenCalledWith('GitHub MCP tool test-tool executed successfully') + expect(core.debug).toHaveBeenCalledWith('Executing GitHub MCP tool: test-tool with args: {"param": "value"}') + expect(core.debug).toHaveBeenCalledWith('GitHub MCP tool test-tool executed successfully') }) it('handles tool execution errors gracefully', async () => { diff --git a/src/helpers.ts b/src/helpers.ts index ff79c0e..3482270 100644 --- a/src/helpers.ts +++ b/src/helpers.ts @@ -143,9 +143,9 @@ function validateAndMaskHeaders(headers: Record): Record lowerName.includes(pattern)) if (isSensitive) { - core.info(`Custom header added: ${name}: ***MASKED***`) + core.debug(`Custom header added: ${name}: ***MASKED***`) } else { - core.info(`Custom header added: ${name}: ${stringValue}`) + core.debug(`Custom header added: ${name}: ${stringValue}`) } } diff --git a/src/inference.ts b/src/inference.ts index c7880d7..a77dbe9 100644 --- a/src/inference.ts +++ b/src/inference.ts @@ -61,7 +61,7 @@ export async function simpleInference(request: InferenceRequest): Promise { - core.info(`Executing GitHub MCP tool: ${toolCall.function.name} with args: ${toolCall.function.arguments}`) + core.debug(`Executing GitHub MCP tool: ${toolCall.function.name} with args: ${toolCall.function.arguments}`) try { const args = JSON.parse(toolCall.function.arguments) @@ -106,7 +106,7 @@ export async function executeToolCall(githubMcpClient: Client, toolCall: ToolCal arguments: args, }) - core.info(`GitHub MCP tool ${toolCall.function.name} executed successfully`) + core.debug(`GitHub MCP tool ${toolCall.function.name} executed successfully`) return { tool_call_id: toolCall.id,
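Review bot: The mcp.test.ts `@@ -177` hunk asserts that the tool arguments are logged via `core.debug` but not that they no longer go to `core.info`, so the change it documents is unguarded. Add `expect(core.info).not.toHaveBeenCalledWith(expect.stringContaining('{"param": "value"}'))` beside the new expectation so a reintroduced `core.info` call fails the test. The surrounding `it(...)` body begins before the hunk.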
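Review bot: Demoting the header log in the `@@ -143` hunk of src/helpers.ts to `core.debug` does not keep the value out of the workflow log: with `ACTIONS_STEP_DEBUG` enabled every `core.debug` line is printed, and the non-sensitive branch still logs the full `stringValue`, so a token passed under a name the pattern list does not recognise (the tests themselves use `X-Custom-Header`) is still exposed to anyone with log access. Assuming `core` is `@actions/core`, register sensitive values with the runner's masker rather than redacting only this one message, `if (isSensitive && stringValue) core.setSecret(stringValue)`, which masks the value anywhere it later surfaces (HTTP client errors, stack traces), and log only the header name on the other branch: `core.debug('Custom header added: ' + name)`. The name-pattern check is a denylist that cannot know what an arbitrary custom header carries, so logging a value at any level should be the exception, not the default. The opening context lines of this hunk are garbled in this view, and `validateAndMaskHeaders` starts before it.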
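Review bot: The success line in the `@@ -106` hunk of src/mcp.ts carries only `toolCall.function.name`, and a record of which tool ran is exactly what an operator wants at the default log level for incident review; demoting it to `core.debug` removes that audit trail without removing any sensitive data, since the data-bearing line is the arguments log in the preceding hunk. Keep the "executed successfully" message at `core.info` and leave only the arguments line at debug. Separately, `core.debug` lines still appear in the run log when `ACTIONS_STEP_DEBUG` is on, so the model-generated `toolCall.function.arguments` (which can echo anything the model was shown) remain visible in debug runs; if that matters, log only the argument keys, e.g. `core.debug('args: ' + Object.keys(args).join(','))` after the parse, and never the raw JSON. `executeToolCall` continues past the end of this hunk.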