V37 Gate 8: Conversation Telemetry Proof Hooks And Docs#118
Conversation
Adds package-owned ConversationTelemetryProofHooks canon source and generated artifact. Wires source-safe conversation telemetry proof hooks into API stream rows, the Conversations telemetry proof panel, dashboard/runbook docs, and Gate 8 workflow checks. Extends protocol, API, UI, documentation, and checker coverage for source-safe telemetry proof posture.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fa6ada205b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| redacted = redacted.replace(pattern, '[redacted:conversation-telemetry-secret]'); | ||
| } | ||
|
|
||
| return redacted.replace(PROTECTED_CONTEXT_RE, '[redacted:conversation-telemetry-protected-context]'); |
There was a problem hiding this comment.
Redact every protected-context token in telemetry strings
sanitizeText replaces PROTECTED_CONTEXT_RE only once, because the regex is not global and there is no loop. If metadata/correlation text contains multiple protected markers (for example both raw prompt and protected source), later matches remain in expandedMetadata and can be emitted in stream telemetry logs, violating the source-safe boundary this hook is meant to enforce.
Useful? React with 👍 / 👎.
| const protectedVisibility = | ||
| preview.metadata.promptPayloadVisible || | ||
| preview.metadata.protectedSourceVisible || | ||
| preview.metadata.unpaidAssetPackSourceVisible || | ||
| preview.metadata.rawModelResponseVisible || | ||
| preview.metadata.walletPrivateMaterialVisible || | ||
| !preview.metadata.dashboardBound || | ||
| !preview.metadata.runbookBound; |
There was a problem hiding this comment.
Reject previews when sourceSafePreview still contains unsafe text
assertConversationTelemetryProofPreviewSourceSafe only inspects boolean flags in preview.metadata, but buildConversationTelemetryProofPreview hardcodes those flags to safe values. As a result, this assertion can return admitted: true even when sourceSafePreview still contains unredacted sensitive/protected content (e.g., a pattern not covered by the current redactor), so callers cannot rely on it as an actual safety gate.
Useful? React with 👍 / 👎.
Summary
Validation