Skip to content

RFC: Audit logging and tracing improvements#281

Open
pavolloffay wants to merge 1 commit into
openshift:mainfrom
pavolloffay:docs/audit-logging-tracing
Open

RFC: Audit logging and tracing improvements#281
pavolloffay wants to merge 1 commit into
openshift:mainfrom
pavolloffay:docs/audit-logging-tracing

Conversation

@pavolloffay

@pavolloffay pavolloffay commented Jul 6, 2026

Copy link
Copy Markdown
Member

Summary

RFC documenting current state of audit logging and tracing, and proposing improvements:

Related PRs

🤖 Generated with Claude Code

@openshift-ci openshift-ci Bot requested review from joshuawilson and xrajesh July 6, 2026 17:18
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign blublinsky for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
📝 Walkthrough

Summary by CodeRabbit

  • Documentation
    • Expanded audit logging and tracing guidance with clearer operator and sandbox behavior.
    • Added side-by-side comparisons of audit logs, text logs, and tracing spans, including examples and key differences.
    • Documented current span schemas, recommended semantic-convention alignment, and tracing troubleshooting steps.
    • Added environment variable support details for tracing setup and exporter configuration.

Walkthrough

Adds documentation for operator and sandbox audit logging/tracing configuration, output behavior, span conventions, and sandbox tracing fixes.

Changes

Audit logging and tracing documentation

Layer / File(s) Summary
Configuration and output behavior
docs/audit-logging-tracing.md
Documents operator AgenticOLSConfig audit/tracing settings, sandbox environment-variable configuration, and the observed audit/log/span output modes.
Current span schemas and conventions
docs/audit-logging-tracing.md
Records current sandbox and operator span shapes, then defines the target semantic-convention alignment for each.
Sandbox tracing fixes
docs/audit-logging-tracing.md
Describes the missing tool-span parent-context issue and the refactor to honor standard OTEL SDK environment variables in sandbox tracing.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the RFC about audit logging and tracing improvements.
Description check ✅ Passed The description directly matches the changeset by outlining the documented audit logging and tracing improvements.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/audit-logging-tracing.md`:
- Around line 95-99: The fenced examples in the audit logging/tracing doc are
missing a language tag, which triggers markdownlint MD040. Update the affected
fenced blocks in the documentation so they use an explicit language identifier,
and apply the same fix to the other referenced example block as well.
- Around line 131-171: The markdown tables in the audit logging/tracing docs are
missing surrounding blank lines, violating MD058 and markdownlint. Update the
table sections under the proposal span documentation and the span events section
in this file by inserting blank lines before and after each table block so the
formatting is consistent and the repeated table blocks render cleanly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4ef1affa-226c-4723-8d89-8bfe561292af

📥 Commits

Reviewing files that changed from the base of the PR and between 0ebffc5 and 8ee7c67.

📒 Files selected for processing (1)
  • docs/audit-logging-tracing.md
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift/lightspeed-agentic-sandbox (manual)

Comment thread docs/audit-logging-tracing.md
Comment thread docs/audit-logging-tracing.md
@pavolloffay pavolloffay force-pushed the docs/audit-logging-tracing branch from 8ee7c67 to 75983c4 Compare July 6, 2026 17:30
@pavolloffay pavolloffay changed the title docs: Add audit logging and tracing documentation RFC: Audit logging and tracing improvements Jul 6, 2026
@pavolloffay pavolloffay force-pushed the docs/audit-logging-tracing branch from 75983c4 to ab21f89 Compare July 6, 2026 17:33

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/audit-logging-tracing.md`:
- Line 212: The table row for gen_ai.tool.type is missing the trailing pipe,
causing an inconsistent Markdown table format. Update the row in the
audit-logging-tracing table so it matches the same pipe-delimited style as the
surrounding rows, using the table entry for gen_ai.tool.type as the anchor.
- Around line 269-274: The hierarchy example code fence is missing a language
tag, which keeps MD040 failing. Update the unlabeled fence in the audit
logging/tracing example to use the text language tag so the fenced block is
explicitly marked; locate the example by its proposal.lifecycle / agent.run /
tool.exec_command hierarchy snippet.
- Line 65: Fix the typo in the markdown heading so the section title reads
correctly. Update the “Audit logs and span events” heading text by replacing the
misspelled word in that section, using the heading itself as the target since
line numbers may shift.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b9074e34-708f-4755-be8d-dc9cc4152bb8

📥 Commits

Reviewing files that changed from the base of the PR and between 8ee7c67 and 75983c4.

📒 Files selected for processing (1)
  • docs/audit-logging-tracing.md
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift/lightspeed-agentic-sandbox (manual)

Comment thread docs/audit-logging-tracing.md Outdated

## Improvements

### Audit logs and span events differenceh

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Fix the heading typo.

differenceh is misspelled here; use differences so the section title reads cleanly.

🛠️ Proposed fix
-### Audit logs and span events differenceh 
+### Audit logs and span events differences
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
### Audit logs and span events differenceh
### Audit logs and span events differences
🧰 Tools
🪛 LanguageTool

[grammar] ~65-~65: Ensure spelling is correct
Context: ...vements ### Audit logs and span events differenceh #### Operator The operator ([audit.go](https...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/audit-logging-tracing.md` at line 65, Fix the typo in the markdown
heading so the section title reads correctly. Update the “Audit logs and span
events” heading text by replacing the misspelled word in that section, using the
heading itself as the target since line numbers may shift.

Source: Linters/SAST tools

| `tool.output` | `gen_ai.tool.call.result` (Opt-In) |
| (missing) | `gen_ai.operation.name` = `"execute_tool"` (Required) |
| (missing) | `gen_ai.tool.call.id` (Recommended) |
| (missing) | `gen_ai.tool.type` = `"function"` (Recommended)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Fix the table pipe style.

This row is missing the trailing |, which triggers MD055 and makes the table inconsistent.

🛠️ Proposed fix
-| (missing) | `gen_ai.tool.type` = `"function"` (Recommended)
+| (missing) | `gen_ai.tool.type` = `"function"` (Recommended) |
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
| (missing) | `gen_ai.tool.type` = `"function"` (Recommended)
| (missing) | `gen_ai.tool.type` = `"function"` (Recommended) |
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 212-212: Table pipe style
Expected: leading_and_trailing; Actual: leading_only; Missing trailing pipe

(MD055, table-pipe-style)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/audit-logging-tracing.md` at line 212, The table row for
gen_ai.tool.type is missing the trailing pipe, causing an inconsistent Markdown
table format. Update the row in the audit-logging-tracing table so it matches
the same pipe-delimited style as the surrounding rows, using the table entry for
gen_ai.tool.type as the anchor.

Source: Linters/SAST tools

Comment on lines +269 to +274
```
proposal.lifecycle
└── proposal.analyze
└── agent.run
└── tool.exec_command (now properly nested)
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Tag the hierarchy example fence.

This example fence is still unlabeled, so MD040 will keep firing. Use text here.

🛠️ Proposed fix
-```
+```text
 proposal.lifecycle
 └── proposal.analyze
     └── agent.run
         └── tool.exec_command  (now properly nested)

</details>

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

```suggestion

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 269-269: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/audit-logging-tracing.md` around lines 269 - 274, The hierarchy example
code fence is missing a language tag, which keeps MD040 failing. Update the
unlabeled fence in the audit logging/tracing example to use the text language
tag so the fenced block is explicitly marked; locate the example by its
proposal.lifecycle / agent.run / tool.exec_command hierarchy snippet.

Source: Linters/SAST tools

Document current state of audit logging and tracing in operator and sandbox,
and propose improvements:

- Configuration via AgenticOLSConfig CRD (operator) and env vars (sandbox)
- Audit logs vs span events differences
- OTEL semantic conventions alignment for GenAI spans
- Tool spans export fix (PR openshift#97)
- Standard OTEL SDK initialization (PR openshift#98)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@pavolloffay pavolloffay force-pushed the docs/audit-logging-tracing branch from ab21f89 to 7c4d812 Compare July 6, 2026 17:35

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (4)
docs/audit-logging-tracing.md (4)

150-191: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Add blank lines before each operator span table.

The proposal.* and span-event tables need the same separator before each block.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/audit-logging-tracing.md` around lines 150 - 191, Add the missing
blank-line separators before each operator span table in the audit
logging/tracing docs so the `proposal.lifecycle`, `proposal.analyze` /
`proposal.execute` / `proposal.verify` / `proposal.escalate`,
`proposal.human_approval`, `proposal.terminal`, and span-event sections all
follow the same spacing style and render consistently.

Source: Linters/SAST tools


91-95: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Add language tags to both fenced examples.

Both unlabeled fences still trigger MD040. Tag them as text.

Also applies to: 269-274

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/audit-logging-tracing.md` around lines 91 - 95, Add language tags to the
unlabeled fenced examples in the audit-logging-tracing docs so they no longer
trigger MD040. Update both fenced blocks in the affected examples, including the
one near the current snippet and the matching one referenced later, and tag them
as text to keep the examples rendered consistently.

Source: Linters/SAST tools


195-212: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Fix the proposed-change tables and the missing trailing pipe.

Add a blank line before the two tables in this section, and close the gen_ai.tool.type row with | so MD058/MD055 stop firing.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/audit-logging-tracing.md` around lines 195 - 212, Add the missing blank
line before the inference-span and tool-execution tables in the
audit-logging-tracing section, and fix the malformed GenAI semconv table row by
closing the gen_ai.tool.type entry with a trailing pipe. Update the Markdown in
the affected section so the tables render cleanly and the MD058/MD055 lint
errors are resolved.

Source: Linters/SAST tools


131-145: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Separate the sandbox tables from the preceding prose.

Insert a blank line before each table block here; the current paragraphs run straight into the tables and MD058 still fires.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/audit-logging-tracing.md` around lines 131 - 145, The markdown in
audit-logging-tracing.md is missing blank lines before the table blocks, which
causes the preceding prose to run into the tables and triggers MD058. Update the
documentation around the agent.run and tool.{name} sections so each table is
separated from the prior paragraph by a blank line, keeping the table content
unchanged and ensuring the formatting is consistent in that area of the file.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@docs/audit-logging-tracing.md`:
- Around line 150-191: Add the missing blank-line separators before each
operator span table in the audit logging/tracing docs so the
`proposal.lifecycle`, `proposal.analyze` / `proposal.execute` /
`proposal.verify` / `proposal.escalate`, `proposal.human_approval`,
`proposal.terminal`, and span-event sections all follow the same spacing style
and render consistently.
- Around line 91-95: Add language tags to the unlabeled fenced examples in the
audit-logging-tracing docs so they no longer trigger MD040. Update both fenced
blocks in the affected examples, including the one near the current snippet and
the matching one referenced later, and tag them as text to keep the examples
rendered consistently.
- Around line 195-212: Add the missing blank line before the inference-span and
tool-execution tables in the audit-logging-tracing section, and fix the
malformed GenAI semconv table row by closing the gen_ai.tool.type entry with a
trailing pipe. Update the Markdown in the affected section so the tables render
cleanly and the MD058/MD055 lint errors are resolved.
- Around line 131-145: The markdown in audit-logging-tracing.md is missing blank
lines before the table blocks, which causes the preceding prose to run into the
tables and triggers MD058. Update the documentation around the agent.run and
tool.{name} sections so each table is separated from the prior paragraph by a
blank line, keeping the table content unchanged and ensuring the formatting is
consistent in that area of the file.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d42038c1-c42c-4c77-9a2d-47dd56b27cc9

📥 Commits

Reviewing files that changed from the base of the PR and between 75983c4 and 7c4d812.

📒 Files selected for processing (1)
  • docs/audit-logging-tracing.md
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant