Skip to content

Python: Refine DevUI request logging#7083

Open
moonbox3 wants to merge 2 commits into
microsoft:mainfrom
moonbox3:codex/devui-log-hygiene
Open

Python: Refine DevUI request logging#7083
moonbox3 wants to merge 2 commits into
microsoft:mainfrom
moonbox3:codex/devui-log-hygiene

Conversation

@moonbox3

Copy link
Copy Markdown
Contributor

Motivation & Context

Keep DevUI request logging focused on operational signals.

Description & Review Guide

  • What are the major changes? Remove verbose request-content diagnostics and add focused regression coverage.
  • What is the impact of these changes? Request handling is unchanged; logs contain less request detail.
  • What do you want reviewers to focus on? The logging behavior and its regression coverage.

Related Issue

Tracked separately.

Contribution Checklist

  • The code builds clean without any errors or warnings
  • All unit tests pass, and I have added new tests where possible
  • The PR follows the Contribution Guidelines
  • This PR is linked to an issue and there is no other open PR for this issue (see Related Issue above).
  • This is not a breaking change. If it is a breaking change, add the breaking change label (or add "[BREAKING]" to the title prefix, before or after any language prefix) — a workflow keeps the label and title prefix in sync automatically.

Copilot AI review requested due to automatic review settings July 13, 2026 02:53
@giles17 giles17 added the python Usage: [Issues, PRs], Target: Python label Jul 13, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated Code Review

Reviewers: 5 | Confidence: 94%

✓ Correctness

The PR cleanly removes verbose request-content logging (raw body and parsed metadata) and adds a focused regression test verifying that private input/metadata markers don't appear in logs. The remaining log statement on line 842 only emits the entity_id value (None when not provided), which doesn't leak request content. The test correctly expects a 400 status (no entity_id in metadata) and validates log absence at DEBUG level. No correctness issues found.

✓ Security Reliability

This PR removes verbose request-content logging (raw body and parsed metadata) from the /v1/responses endpoint and adds a regression test confirming that user input and metadata are not written to server logs at any level. The change is a clear security improvement — it eliminates a potential PII/secret leakage vector through logs. The remaining log statement only outputs the entity_id routing identifier, not user content. No security or reliability concerns found.

✓ Test Coverage

The PR cleanly removes verbose request-content logging (raw body and parsed metadata) from the /v1/responses endpoint and adds a focused regression test that verifies neither input nor metadata values leak into server logs. The test is well-designed: it captures all log levels (DEBUG and above) from the correct logger, uses unique marker strings, and exercises the exact code path where the logging was removed. The test's reliance on a 400 response (missing entity_id) is appropriate since the removed logging occurred before entity_id validation, meaning it exercises the relevant lines without requiring complex executor setup.

✓ Failure Modes

This PR cleanly removes verbose request-content logging (raw body and parsed metadata) from the DevUI server's /v1/responses endpoint and adds a focused regression test verifying that request input and metadata are not written to server logs. The remaining logger.info call logs only the extracted entity_id (an operational routing identifier), which is appropriate. No silent failures, swallowed exceptions, or operational failure modes are introduced or preserved by this change.

✗ Design Approach

The change removes request-body logging from /v1/responses, but it does not fully address the stated goal of refining DevUI request logging: another request path in the same module still logs caller-suplied metadata verbatim, so sensitive request content can still reach server logs.

Flagged Issues

  • python/packages/devui/agent_framework_devui/_server.py:942-943 still logs request_data.get("metadata") in create_conversation, so private metadata sent to /v1/conversations will continue to be written to logs even after this PR removes the analogous /v1/responses logging.

Automated review by moonbox3's agents

@github-actions

Copy link
Copy Markdown
Contributor

Flagged issue

python/packages/devui/agent_framework_devui/_server.py:942-943 still logs request_data.get("metadata") in create_conversation, so private metadata sent to /v1/conversations will continue to be written to logs even after this PR removes the analogous /v1/responses logging.


Source: automated DevFlow PR review

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Python Test Coverage

Python Test Coverage Report •
FileStmtsMissCoverMissing
TOTAL44155526588% 
report-only-changed-files is enabled. No files were changed during this commit :)

Python Unit Test Overview

Tests Skipped Failures Errors Time
8857 33 💤 0 ❌ 0 🔥 2m 22s ⏱️

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refines Python DevUI server logging to avoid emitting verbose request content, and adds a regression test to prevent accidental reintroduction of request-input/metadata logging.

Changes:

  • Removed logging of raw request bodies and parsed request metadata from the /v1/responses handler.
  • Added a test ensuring request input and non-routing metadata values are not written to DevUI server logs.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
python/packages/devui/agent_framework_devui/_server.py Removes request-body/metadata diagnostics from the responses endpoint logging path.
python/packages/devui/tests/devui/test_server.py Adds regression coverage to ensure request content is not emitted in server logs.

Comment thread python/packages/devui/tests/devui/test_server.py Outdated
Comment thread python/packages/devui/agent_framework_devui/_server.py Outdated
@moonbox3

Copy link
Copy Markdown
Contributor Author

Addressed in e5d5b18. Removed the remaining conversation-metadata diagnostic and kept the upstream request behavior unchanged.

@moonbox3 moonbox3 marked this pull request as ready for review July 13, 2026 03:40

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated Code Review

Reviewers: 5 | Confidence: 93% | Result: All clear

Reviewed: Correctness, Security Reliability, Test Coverage, Failure Modes, Design Approach


Automated review by moonbox3's agents

@moonbox3 moonbox3 self-assigned this Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

python Usage: [Issues, PRs], Target: Python

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants