Skip to content

Add --filtered-integrity flag to logs command#21838

Merged
pelikhan merged 2 commits intomainfrom
copilot/add-logs-filtered-integrity-support
Mar 19, 2026
Merged

Add --filtered-integrity flag to logs command#21838
pelikhan merged 2 commits intomainfrom
copilot/add-logs-filtered-integrity-support

Conversation

Copy link
Contributor

Copilot AI commented Mar 19, 2026

Summary

Adds support in the logs command to filter sessions that have DIFC-filtered items in the gateway logs, via the new --filtered-integrity flag.

Changes

  • pkg/cli/logs_command.go: Register the --filtered-integrity bool flag, read its value, pass it to the orchestrator, and add a usage example.
  • pkg/cli/logs_orchestrator.go:
    • Add filteredIntegrity bool parameter to DownloadWorkflowLogs.
    • Add filtering block: when --filtered-integrity is set, call runHasDifcFilteredItems and skip runs with no DIFC-filtered events. Errors from the check produce an unconditional warning (not silently skipped).
    • Add runHasDifcFilteredItems helper that calls parseGatewayLogs (with automatic fallback to rpc-messages.jsonl) and returns true when TotalFiltered > 0.
  • pkg/cli/logs_filtering_test.go:
    • Add filtered-integrity to the flag-presence test.
    • Add TestRunHasDifcFilteredItems (table-driven, covers gateway.jsonl, mcp-logs/gateway.jsonl, no-file, and no-DIFC cases).
    • Add TestFilteredIntegrityFlag to assert default value and usage text.
  • Fix all existing DownloadWorkflowLogs call sites in test files to include the new parameter.

Usage

gh aw logs --filtered-integrity          # Only sessions with DIFC integrity-filtered items
gh aw logs --filtered-integrity -c 20   # Same, limit to 20 runs

@pelikhan
Add --filtered-integrity flag to logs command
cdd36e9 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan March 19, 2026 18:14
@pelikhan
Copy link
Contributor

pelikhan commented Mar 19, 2026

@copilot refactor DownloadWorkflowLogs to take an options type rather than a gazillion parameters

@pelikhan pelikhan marked this pull request as ready for review March 19, 2026 18:24
Copilot AI review requested due to automatic review settings March 19, 2026 18:24
@pelikhan pelikhan merged commit 250b463 into main Mar 19, 2026
49 checks passed
@pelikhan pelikhan deleted the copilot/add-logs-filtered-integrity-support branch March 19, 2026 18:25
Copilot stopped work on behalf of pelikhan due to an error March 19, 2026 18:25
The session was cancelled by the user.
Copilot AI reviewed Mar 19, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new gh aw logs --filtered-integrity flag to filter workflow runs to those that contain DIFC-filtered items in MCP gateway logs, wiring the flag from the CLI command into the logs download orchestrator and extending tests/call sites accordingly.

Changes:

  • Register and plumb a new --filtered-integrity boolean flag through logsDownloadWorkflowLogs.
  • Add DIFC filtered-item gating in the orchestrator via a new runHasDifcFilteredItems helper (uses gateway log parsing with rpc-messages fallback).
  • Update/extend unit tests and fix DownloadWorkflowLogs call sites to pass the new parameter.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
pkg/cli/logs_command.go Adds the --filtered-integrity flag, reads it, passes it to the orchestrator, and updates examples/help text.
pkg/cli/logs_orchestrator.go Extends DownloadWorkflowLogs signature, adds DIFC-based run filtering, and introduces runHasDifcFilteredItems.
pkg/cli/logs_filtering_test.go Extends flag-presence assertions and adds tests for the new helper/flag registration.
pkg/cli/logs_json_stderr_order_test.go Updates orchestrator call sites to include the new parameter.
pkg/cli/logs_download_test.go Updates orchestrator call sites to include the new parameter.
pkg/cli/logs_ci_scenario_test.go Updates orchestrator call sites to include the new parameter.
pkg/cli/context_cancellation_test.go Updates orchestrator call sites to include the new parameter.
Comments suppressed due to low confidence (1)

pkg/cli/logs_orchestrator.go:906

  • The --filtered-integrity flag text implies integrity-only filtering, but runHasDifcFilteredItems returns gatewayMetrics.TotalFiltered > 0, which counts all DIFC_FILTERED events (integrity and secrecy). Either (a) filter specifically on FilteredEvents[i].Reason == "integrity", or (b) rename/update the flag + help text to reflect that it matches any DIFC-filtered event.
	if gatewayMetrics == nil {
		return false, nil
	}

	return gatewayMetrics.TotalFiltered > 0, nil

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

pkg/cli/logs_orchestrator.go
Comment on lines +898 to +899
// No gateway log file present — not an error for workflows without MCP
return false, nil
pkg/cli/logs_command.go
logsCmd.Flags().Bool("firewall", false, "Filter to only runs with firewall enabled")
logsCmd.Flags().Bool("no-firewall", false, "Filter to only runs without firewall enabled")
logsCmd.Flags().String("safe-output", "", "Filter to runs containing a specific safe output type (e.g., create-issue, missing-tool, missing-data)")
logsCmd.Flags().Bool("filtered-integrity", false, "Filter to runs with DIFC integrity-filtered items in the gateway logs")
pkg/cli/logs_filtering_test.go
Comment on lines +450 to +476
const gatewayWithDifc = `{"timestamp":"2025-01-01T00:00:00Z","type":"DIFC_FILTERED","server_id":"github","tool_name":"create_issue","reason":"integrity"}` + "\n"
const gatewayWithoutDifc = `{"timestamp":"2025-01-01T00:00:00Z","event":"tool_call","server_name":"github","tool_name":"list_issues","duration":10}` + "\n"

tests := []struct {
name string
fileContent string
filePath func(dir string) string
want bool
}{
{
name: "gateway.jsonl with DIFC_FILTERED event",
fileContent: gatewayWithDifc,
filePath: func(dir string) string { return filepath.Join(dir, "gateway.jsonl") },
want: true,
},
{
name: "gateway.jsonl without DIFC_FILTERED events",
fileContent: gatewayWithoutDifc,
filePath: func(dir string) string { return filepath.Join(dir, "gateway.jsonl") },
want: false,
},
{
name: "mcp-logs/gateway.jsonl with DIFC_FILTERED event",
fileContent: gatewayWithDifc,
filePath: func(dir string) string { return filepath.Join(dir, "mcp-logs", "gateway.jsonl") },
want: true,
},
This was referenced Mar 19, 2026
Closed
Merged
Closed
github-actions bot added a commit that referenced this pull request Mar 20, 2026
@github-actions @claude
docs: update documentation for 2026-03-20 changes
19b1c9c 
- cli.md: add missing logs flags (--filtered-integrity, --firewall,
  --no-firewall, --safe-output, --after-run-id, --before-run-id,
  --no-staged, --tool-graph, --timeout) per #21838 and issue #21808
- custom-safe-outputs.md: document safe-outputs.actions feature (#21752)
- safe-outputs.md: add actions: entry to Available Safe Output Types

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions github-actions bot mentioned this pull request Mar 20, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pelikhan