Redact current user in comments and token checks

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-11 22:17:21 -05:00
parent b1bf09970f
commit 088eaea0cb
6 changed files with 225 additions and 55 deletions
--- a/server/src/services/issues.ts
+++ b/server/src/services/issues.ts
@@ -22,6 +22,7 @@ import {
  defaultIssueExecutionWorkspaceSettingsForProject,
  parseProjectExecutionWorkspacePolicy,
 } from "./execution-workspace-policy.js";
+import { redactCurrentUserText } from "../log-redaction.js";

 const ALL_ISSUE_STATUSES = ["backlog", "todo", "in_progress", "in_review", "blocked", "done", "cancelled"];

@@ -88,6 +89,13 @@ type IssueUserContextInput = {
  updatedAt: Date | string;
 };

+function redactIssueComment<T extends { body: string }>(comment: T): T {
+  return {
+    ...comment,
+    body: redactCurrentUserText(comment.body),
+  };
+}
+
 function sameRunLock(checkoutRunId: string | null, actorRunId: string | null) {
  if (actorRunId) return checkoutRunId === actorRunId;
  return checkoutRunId == null;
@@ -1041,14 +1049,18 @@ export function issueService(db: Db) {
        .select()
        .from(issueComments)
        .where(eq(issueComments.issueId, issueId))
-        .orderBy(desc(issueComments.createdAt)),
+        .orderBy(desc(issueComments.createdAt))
+        .then((comments) => comments.map(redactIssueComment)),

    getComment: (commentId: string) =>
      db
        .select()
        .from(issueComments)
        .where(eq(issueComments.id, commentId))
-        .then((rows) => rows[0] ?? null),
+        .then((rows) => {
+          const comment = rows[0] ?? null;
+          return comment ? redactIssueComment(comment) : null;
+        }),

    addComment: async (issueId: string, body: string, actor: { agentId?: string; userId?: string }) => {
      const issue = await db
@@ -1059,6 +1071,7 @@ export function issueService(db: Db) {

      if (!issue) throw notFound("Issue not found");

+      const redactedBody = redactCurrentUserText(body);
      const [comment] = await db
        .insert(issueComments)
        .values({
@@ -1066,7 +1079,7 @@ export function issueService(db: Db) {
          issueId,
          authorAgentId: actor.agentId ?? null,
          authorUserId: actor.userId ?? null,
-          body,
+          body: redactedBody,
        })
        .returning();

@@ -1076,7 +1089,7 @@ export function issueService(db: Db) {
        .set({ updatedAt: new Date() })
        .where(eq(issues.id, issueId));

-      return comment;
+      return redactIssueComment(comment);
    },

    createAttachment: async (input: {