feat: opt-in last_exception redaction hook for the DLQ (F3-01)#93
Merged
Conversation
The DLQ stores repr(exc) verbatim, which for poison messages can embed the request
body / rejected row / credentials — durably, in the audit table. Add an opt-in
last_exception_renderer: Callable[[BaseException], str | None] on OutboxBroker (and
the FastAPI OutboxRouter) so PII-sensitive deployments can redact
(lambda exc: type(exc).__name__) or drop it (return None). Default stays repr for
full forensic detail; the rendered string is still length-capped at 8 KiB.
Rendering is centralized in _render_last_exception (replacing _truncate_exception),
read from OutboxBrokerConfig.last_exception_renderer. Backward-compatible: with no
renderer, every existing path is byte-for-byte identical.
Tests: test_fake_dlq_{redacts_last_exception_with_renderer,drops_last_exception_when_renderer_returns_none};
existing truncation tests still cover the default path. just test -> 516 passed, 100%
coverage; just lint clean. CLAUDE.md + docs/usage/dlq.md updated.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
PR 4 of the tail program. Closes F3-01: the DLQ stores
repr(exc)verbatim, and for a poison message thatreprcan embed the request body / rejected row / credentials — durably, in the audit table.Adds an opt-in
last_exception_renderer: Callable[[BaseException], str | None]toOutboxBroker(and, for parity, the FastAPIOutboxRouter):None) keeps the fullreprfor forensic detail._render_last_exception(replacing_truncate_exception), read fromOutboxBrokerConfig.last_exception_renderer.Backward-compatible: with no renderer configured, every existing path is byte-for-byte identical (the existing truncation tests still pass unchanged).
Tests
test_fake_dlq_redacts_last_exception_with_renderer— class-name-only renderer; asserts the secret-bearing message is absent.test_fake_dlq_drops_last_exception_when_renderer_returns_none—None→ storedNone.test_flush_terminal_dlq_payload_{truncates,short}cover the default repr path.just test→ 516 passed, 100% coverage;just lintclean.Docs
CLAUDE.md(DLQ invariants) anddocs/usage/dlq.md(new "Redactinglast_exception" section) updated.🤖 Generated with Claude Code