feat(engine): Add ActionStatement mask_output flag to redact action results in execution API#2578
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0d6a6bdb48
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
✅ No security or compliance issues detected. Reviewed everything up to b8198c9.
1 issue found across 2 files
Confidence score: 2/5
- There is a high-confidence, high-severity regression in tracecat/workflow/executions/service.py: compact execution responses appear to bypass masking because the redaction path expects `RunActionInput` but receives `task.args` dicts.
- This creates meaningful user-impact risk (potential exposure of unmasked action input data), which makes this risky to merge until the redaction logic handles compact event payloads correctly.
- Pay close attention to tracecat/workflow/executions/service.py: the compact event `action_input` shape mismatch is preventing expected redaction.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="tracecat/workflow/executions/service.py">
<violation number="1" location="tracecat/workflow/executions/service.py:160">
P1: Masking is effectively bypassed in compact execution responses because the new redaction check expects `RunActionInput`, while compact events store `action_input` as `task.args` dict.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Force-pushed from 122113f to c16a6f1
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c16a6f1e7c
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d4fa7f9038
1 issue found across 6 files (changes from recent commits).
<file name="tracecat/workflow/executions/schemas.py">
<violation number="1" location="tracecat/workflow/executions/schemas.py:468">
P3: Use bare `raise` instead of `raise e` so the original traceback is preserved.</violation>
</file>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f55f3f5f00
1 issue found across 4 files (changes from recent commits).
<file name="tracecat/workflow/executions/service.py">
<violation number="1" location="tracecat/workflow/executions/service.py:941">
P2: Parsing scheduled events for mask metadata is unguarded; an unexpected child workflow type can raise and fail object-result retrieval.</violation>
</file>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 94a21388c8
3 issues found across 4 files (changes from recent commits).
<file name="tracecat/workflow/executions/service.py">
<violation number="1" location="tracecat/workflow/executions/service.py:945">
P2: Catching `Exception` here and defaulting to `masked` swallows unexpected failures, which can hide real parsing/runtime regressions and bypass centralized error translation.
(Based on your team's feedback about broad exception handling in services.) [FEEDBACK_USED]</violation>
</file>
<file name="tracecat/workflow/executions/schemas.py">
<violation number="1" location="tracecat/workflow/executions/schemas.py:109">
P1: This fallback fails open on memo parse errors by defaulting `mask_output` to `False`, which can expose unredacted child-workflow results in execution API responses.</violation>
<violation number="2" location="tracecat/workflow/executions/schemas.py:119">
P1: This fallback also defaults `mask_output` to `False` on parse errors, which can leak unredacted agent action results to clients.</violation>
</file>
1 issue found across 4 files (changes from recent commits).
<file name="tracecat/workflow/executions/service.py">
<violation number="1" location="tracecat/workflow/executions/service.py:181">
P2: `model_dump(mode="json")` in the redaction path can raise serialization errors and alter container shape (e.g., tuple→list). Use Python mode here so redaction remains shape-preserving and robust for arbitrary `BaseModel` fields.</violation>
</file>
Motivation
`ActionStatement` so individual tasks can request redaction without changing runtime dataflow.

Description
- `mask_output: bool = False` to `ActionStatement` in tracecat/dsl/schemas.py to mark actions whose results should be redacted in API responses.
- `RunActionInput` and added `_sanitize_action_result(...)` in tracecat/workflow/executions/service.py to return `"[REDACTED]"` for client-facing result assembly when `task.mask_output` is true.
- `source.action_result` for API consumers.

Screens
Screen.Recording.2026-04-30.at.10.37.06.mov

Testing
- `uv run ruff check tracecat/dsl/schemas.py tracecat/workflow/executions/service.py`, which completed successfully.

Codex Task
Summary by cubic
Adds a `mask_output` flag to `ActionStatement` and applies structured redaction to action, child workflow, and agent results in both compact and standard execution API responses. Internal data flow, while-loop logic, and response shapes are preserved; only leaf values are replaced with "[REDACTED]".

New Features
- `mask_output: bool = False` to `ActionStatement`; surfaced in frontend/src/client/schemas.gen.ts and frontend/src/client/types.gen.ts.
- `mask_output` through child workflow and agent memos; compact events and event groups store the flag.

Bug Fixes

Written for commit d4fa7f9. Summary will update on new commits. Review in cubic
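The behaviour the summary above describes (shape-preserving redaction of leaf values) together with the two hardening points the review bots raised (dump models in Python mode so tuples stay tuples and non-JSON leaves cannot raise inside the redaction path, and fail closed when a memo's `mask_output` value does not parse), as an added example that is not Tracecat's code. `redact_leaves`, `mask_flag_from_memo`, `sanitize_action_result`, the `ActionStub` dataclass, the `_StandInModel` class and the sample payload are all assumptions constructed for this illustration; only the `model_dump(mode=...)` call is the real pydantic v2 API.

```python
"""Shape-preserving, fail-closed redaction of action results.

Added example, not Tracecat's own code. Every name below is a stand-in
constructed for illustration; only pydantic's model_dump(mode=...) is real.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Any

REDACTED = "[REDACTED]"


@dataclass
class ActionStub:
    """Stand-in for the two ActionStatement fields this example needs."""
    ref: str
    mask_output: bool = False


def redact_leaves(value: Any) -> Any:
    """Return a copy of ``value`` with every scalar leaf replaced by REDACTED.

    dict/list/tuple keep their type, keys and length, so clients that index into
    ``action_result`` keep working while no leaf value is exposed. Objects that
    expose ``model_dump`` (pydantic v2 BaseModel does) are dumped in Python mode,
    not JSON mode: tuples stay tuples and leaves such as datetime or bytes can
    never raise a serialization error inside the redaction path.
    """
    if hasattr(value, "model_dump"):
        value = value.model_dump(mode="python")
    if isinstance(value, dict):
        return {k: redact_leaves(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_leaves(v) for v in value]
    if isinstance(value, tuple):
        return tuple(redact_leaves(v) for v in value)
    # str, int, float, bool, None, bytes, datetime, ... are all leaves.
    return REDACTED


def mask_flag_from_memo(memo: dict[str, Any] | None, key: str = "mask_output") -> bool:
    """Decode the mask flag from a child-workflow/agent memo, failing closed.

    Memo values are assumed to be JSON-encoded payloads (constructed assumption).
    A memo that never carried the key (started before the flag existed) is
    unmasked; a memo that carries the key but does not decode to a bool is
    treated as masked, so a corrupt or tampered memo cannot expose a result.
    """
    if not memo or key not in memo:
        return False
    raw = memo[key]
    try:
        decoded = json.loads(raw) if isinstance(raw, (str, bytes)) else raw
    except (ValueError, TypeError):
        return True  # fail closed on parse errors
    return decoded if isinstance(decoded, bool) else True


def sanitize_action_result(task: ActionStub, result: Any) -> Any:
    """Build the client-facing view of one action's result."""
    return redact_leaves(result) if task.mask_output else result


class _StandInModel:
    """Constructed stand-in for a pydantic BaseModel result (has model_dump)."""

    def __init__(self, token: str, scopes: tuple[str, ...]) -> None:
        self.token, self.scopes = token, scopes

    def model_dump(self, mode: str = "python") -> dict[str, Any]:
        return {"token": self.token, "scopes": self.scopes}


# Constructed sample: an action that fetched a credential from a vault.
SAMPLE_RESULT = {
    "status": 200,
    "secret": _StandInModel("s3cr3t-token", ("read", "write")),
    "hosts": [{"name": "db-1", "port": 5432}, {"name": "db-2", "port": 5433}],
}


def demo() -> dict[str, Any]:
    masked = sanitize_action_result(ActionStub("get_secret", mask_output=True), SAMPLE_RESULT)
    clear = sanitize_action_result(ActionStub("list_hosts"), SAMPLE_RESULT)
    return {"masked": masked, "clear_is_same_object": clear is SAMPLE_RESULT}


if __name__ == "__main__":
    print(json.dumps(demo()["masked"], indent=2, default=str))
```

The masked response keeps `status`, `secret.scopes` (still a 2-tuple) and both `hosts` entries in place, so a UI or API client that walks the structure sees only `[REDACTED]` leaves; the unmasked path returns the original object untouched. Note that `mask_flag_from_memo` treats a memo value of `"1"` as masked, because JSON `1` is an int, not a bool, and the point of failing closed is that anything other than an explicit boolean never unmasks.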