fix(privacy): stop persisting dictated content to the disk log#403
Open
postoso wants to merge 2 commits into
Open
fix(privacy): stop persisting dictated content to the disk log#403postoso wants to merge 2 commits into
postoso wants to merge 2 commits into
Conversation
DebugLogger.log() writes every line to a persistent plaintext file (~/Library/Logs/Fluid/Fluid.log) unconditionally: FileLogger.append runs before the `guard loggingEnabled` check, so the EnableDebugLogs toggle only gates the in-memory UI panel, not the disk file. As a result, multiple log call sites persisted the user's dictated transcript, spoken prompts/instructions, selected text, and the AI-processed result to disk in plaintext on release builds. Redact user content at every leak site, logging metadata (lengths, byte counts, model/provider names, status, response field names) instead of the content itself, while keeping diagnostics useful: - LLMClient: redact the cURL request body, the request-body debug log, the full streaming delta (now logs field names only), the streamed content chunk, and the non-streaming HTTP-error body. - LLMClient: LLMError.httpError.errorDescription no longer embeds the raw provider error body, which callers persist via error.localizedDescription; expose status code and body size only. - AIProvider / FunctionCallingProvider: redact request body, response body, error bodies, and tool-call arguments. - ASRService: redact the final transcript, post-processed transcript, streaming partial, and boosted-term logs. - AppleSpeechAnalyzerProvider / AppleSpeechProvider: redact recognized-speech logs. - ContentView / RewriteModeService: the prompt-trace sinks (logDictationPromptTrace, logPromptTrace) persist only a redacted metadata line; the full trace remains available on the console behind the explicit FLUID_PROMPT_TRACE=1 env var. - TypingService: drop the typed-text content previews; the adjacent length logs are retained.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
DebugLoggerpersists every log line to~/Library/Logs/Fluid/Fluid.logunconditionally:FileLogger.appendruns before theloggingEnabledguard, so the "Enable debug logs" toggle only gates the in-memory UI panel, not the disk file. As a result, on release builds the dictated transcript, spoken prompts/instructions, selected text, and LLM request/response bodies were written to that log in plaintext. The dictation prompt-trace path was also on by default, so it logged the transcript + prompt + AI answer on every AI-enhanced dictation.This redacts user content to metadata only (lengths, byte counts, model/provider names, status, response field names) at every affected site, keeping diagnostics useful. Full prompt traces are still available on the console behind
FLUID_PROMPT_TRACE=1, but are never persisted to disk.Scope
28 logging sites across 9 files (
LLMClient,AIProvider,FunctionCallingProvider,ASRService, the two Apple speech providers,ContentView,RewriteModeService,TypingService). IncludesLLMError.httpError's description, which embedded the raw provider error body and escaped to the log via downstreamerror.localizedDescriptioncalls.Testing