Feat/phase 9 monitoring #10

Merged
DanielDeshmukh merged 6 commits into main from feat/phase-9-monitoring
Jun 27, 2026

Conversation

@DanielDeshmukh

Owner

No description provided.

Add RedactionFilter that scrubs API keys, JWT tokens, passwords,
and other secrets from log messages before they are written.

Patterns covered:
- API keys (X-API-Key headers, api_key params)
- JWT tokens (Bearer tokens, access_token values)
- Passwords (password=, POSTGRES_PASSWORD)
- Secrets (jwt_secret, secret_key)
- Groq API keys (gsk_ prefix)
- Database connection strings (postgresql://, redis://)

The filter is installed on the root logger at app startup, after
setup_logging(), so all log records pass through redaction before
output. Filter is thread-safe and operates on record.msg and args.

Add cache hit/miss/eviction/size metrics as Prometheus gauges
to the /metrics endpoint. Metrics are sourced from TTLCache.get_metrics()
and exposed as:
- hector_cache_size (current items in cache)
- hector_cache_hits (total cache hits)
- hector_cache_misses (total cache misses)
- hector_cache_evictions (total evictions)
- hector_cache_hit_rate_percent (hit rate percentage)

These complement the existing cache metrics already exposed via
the /status JSON endpoint.

Add Prometheus and Grafana as Docker services in docker-compose.prod.yml:

Prometheus:
- Scrapes /metrics endpoint from hector-api every 15s
- Loads alerting rules from prometheus-alerts.yml
- 30-day data retention
- Read-only filesystem with persistent data volume
- Resource limits: 512MB memory, 0.5 CPU

Grafana:
- Auto-provisions hector-main dashboard from grafana-dashboard.json
- Admin credentials via GRAFANA_ADMIN_USER/GRAFANA_ADMIN_PASSWORD env vars
- Connected to Prometheus as data source
- Read-only filesystem with persistent data volume
- Resource limits: 256MB memory, 0.5 CPU

New prometheus.yml config file added to monitoring/ directory.
New persistent volumes: prometheus_data, grafana_data.

Fix _redact_dict_value to be called from the dict args branch
instead of _redact_value. The dict branch was only applying
pattern-based redaction to values, which fails for standalone
secrets (e.g., dict values without key= prefix).

Add _redact_dict_value method that checks dict keys against a
set of secret-suggesting key names (api_key, password, secret,
authorization, token, etc.) and redacts values when the key
matches. Normalizes key names for comparison.

Add 13 tests for api.log_redaction.RedactionFilter:

TestRedactionFilter:
- API key values redacted from log messages
- X-API-Key header values redacted
- Bearer JWT tokens redacted
- Password values redacted
- JWT secret values redacted
- Groq API keys (gsk_ prefix) redacted
- PostgreSQL connection strings redacted
- Clean messages pass through unchanged
- Tuple args with secrets are redacted
- Dict args with secret keys are redacted

TestInstallRedactionFilter:
- Filter installed on root logger with correct name
- Filter always returns True (passthrough)

Tests use isolated loggers with null handlers to avoid
polluting test output.

Update test_enhanced_ingestor.py to match the latest enhanced_ingestor.py
changes pulled from main:

- acts_found is now a list (not set), updated assertions accordingly
- chunk_text now uses boundary-aware splitting with section detection
  instead of simple sliding window; tests verify all words are covered
  and chunks are non-empty rather than exact step counts
- validate_pdf now exists; tests cover nonexistent/empty/too-small/
  invalid-header/valid-PDF cases (invalid-header test uses >100 bytes
  to pass size check before header check)

847 tests passing.
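The redaction filter described in the first and fourth commit messages above, written out as an added example. This is not the project's api/log_redaction.py: the pattern set, the list of secret-suggesting key names and the function names are assumptions modelled on those messages, and every secret value in the sample log calls is a constructed placeholder. One detail worth checking against the real implementation: in Python's logging module a Filter attached to a logger only sees records created on that logger, so a filter added to the root logger does not touch records emitted through child loggers such as logging.getLogger("api.app"). A filter attached to each handler sees every record that handler writes, children included, which is what this example does.

```python
"""Log-redaction filter modelled on the commit messages above.

Added example, not the project's api/log_redaction.py: the pattern set,
the secret-suggesting key names and the function names are assumptions.
"""
import logging
import re

REDACTED = "[REDACTED]"

# Each pattern names the secret itself as group "v"; the surrounding context
# (header name, key=, scheme://user:) is kept so the log line stays readable.
_PATTERNS = [
    re.compile(r"(?i)x-api-key\s*[:=]\s*(?P<v>[^\s,;]+)"),                 # X-API-Key header
    re.compile(r"(?i)\bapi_key\s*[:=]\s*(?P<v>[^\s,;&]+)"),                # api_key param
    re.compile(r"(?i)\bbearer\s+(?P<v>[A-Za-z0-9_.\-]+)"),                 # Bearer JWT
    re.compile(r"(?i)\baccess_token\s*[:=]\s*(?P<v>[^\s,;&]+)"),           # access_token
    re.compile(r"(?i)\w*password\s*[:=]\s*(?P<v>[^\s,;&]+)"),              # password=, POSTGRES_PASSWORD=
    re.compile(r"(?i)\b(?:jwt_secret|secret_key)\s*[:=]\s*(?P<v>[^\s,;&]+)"),
    re.compile(r"(?P<v>\bgsk_[A-Za-z0-9]+)"),                              # Groq-style key prefix
    re.compile(r"(?i)(?:postgresql|postgres|redis)://[^:/@\s]*:(?P<v>[^@\s]+)@"),  # connection string
]

# Keys whose values are redacted outright, so a standalone secret stored in a
# dict (no key= prefix inside the value) is still scrubbed.  Assumed list.
_SECRET_KEYS = {"api_key", "x_api_key", "password", "passwd", "secret",
                "secret_key", "jwt_secret", "authorization", "token",
                "access_token", "refresh_token"}


def _sub(m):
    """Replace only group "v" inside the match, preserving the rest of it."""
    whole, base = m.group(0), m.start()
    return whole[: m.start("v") - base] + REDACTED + whole[m.end("v") - base:]


def redact_text(text):
    """Apply every value pattern to a string."""
    for pat in _PATTERNS:
        text = pat.sub(_sub, text)
    return text


def _norm_key(key):
    """Normalise 'X-API-Key' / 'Api_Key' to 'x_api_key' for the lookup."""
    return str(key).strip().lower().replace("-", "_")


def _redact_value(value):
    """Recurse into strings, dicts, lists and plain tuples; leave other types alone."""
    if isinstance(value, str):
        return redact_text(value)
    if isinstance(value, dict):
        return _redact_dict_value(value)
    if isinstance(value, (list, tuple)):
        return type(value)(_redact_value(x) for x in value)
    return value


def _redact_dict_value(mapping):
    """Key-based redaction first, pattern-based redaction for everything else."""
    return {k: REDACTED if _norm_key(k) in _SECRET_KEYS else _redact_value(v)
            for k, v in mapping.items()}


class RedactionFilter(logging.Filter):
    """Scrubs record.msg and record.args before formatting; never drops a record."""

    def filter(self, record):
        if isinstance(record.msg, str):
            record.msg = redact_text(record.msg)
        if record.args:
            # logging stores a single mapping argument as record.args itself,
            # so this handles both the tuple and the dict case
            record.args = _redact_value(record.args)
        return True


def install_redaction_filter(handlers=None, name="redaction"):
    """Attach one RedactionFilter to each handler (default: the root logger's).

    Handler filters see records from child loggers too; a filter on the root
    logger object would only see records logged directly on the root logger.
    """
    handlers = handlers if handlers is not None else logging.getLogger().handlers
    flt = RedactionFilter(name)
    for h in handlers:
        if not any(getattr(f, "name", None) == name for f in h.filters):
            h.addFilter(flt)
    return flt


class _ListHandler(logging.Handler):
    """Collects formatted lines so the demo can return them."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def demo():
    """Send constructed sample log calls through a child logger; return the output."""
    logger = logging.getLogger("api.example")   # a child logger, not root
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    install_redaction_filter([handler])
    logger.addHandler(handler)
    try:
        logger.info("request X-API-Key: abc123 from %s", "10.0.0.5")
        logger.info("Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1In0.sig")
        logger.info("connecting to postgresql://hector:s3cret@db:5432/hector")
        logger.info("config %(api_key)s via %(host)s", {"api_key": "standalone", "host": "db"})
        logger.info("groq key %s", "gsk_ABC123")
        logger.info("clean message")
    finally:
        logger.removeHandler(handler)
    return handler.lines


if __name__ == "__main__":
    print("\n".join(demo()))
```

The dict branch is the point of the fourth commit: a value such as "standalone" carries no key= prefix, so only the key name identifies it as a secret. The placeholder values above are deliberately unrealistic; the GitGuardian comment further down flagged the real tests/test_log_redaction.py, which is the usual price of realistic-looking fixtures, so either keep test secrets obviously synthetic or register the test file with the scanner's allowlist.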
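The five cache gauges from the second commit message, as an added example of sourcing them from a TTL cache and rendering them in the Prometheus text exposition format. This is not the project's TTLCache or its /metrics handler: the cache class, its get_metrics() keys and render_cache_metrics() are assumptions; only the metric names come from the commit message. The workload in demo() is constructed and driven by a fake clock so the numbers are deterministic.

```python
"""Cache metrics in Prometheus text exposition format.

Added example, not the project's TTLCache or /metrics endpoint: the cache,
get_metrics() and render_cache_metrics() are assumptions; only the five
metric names come from the commit message above.
"""
import threading
import time


class TTLCache:
    """Size-bounded TTL cache that counts hits, misses and evictions.

    Evictions count both capacity evictions and expired entries removed on read.
    """

    def __init__(self, maxsize=128, ttl=60.0, clock=time.monotonic):
        self._maxsize, self._ttl, self._clock = maxsize, ttl, clock
        self._data = {}                      # key -> (expires_at, value), insertion ordered
        self._lock = threading.Lock()
        self._hits = self._misses = self._evictions = 0

    def get(self, key, default=None):
        with self._lock:
            entry = self._data.get(key)
            if entry is None:
                self._misses += 1
                return default
            expires_at, value = entry
            if expires_at <= self._clock():     # lazy expiry on read
                del self._data[key]
                self._evictions += 1
                self._misses += 1
                return default
            self._hits += 1
            return value

    def set(self, key, value):
        with self._lock:
            if key not in self._data and len(self._data) >= self._maxsize:
                self._data.pop(next(iter(self._data)))   # oldest insertion
                self._evictions += 1
            self._data[key] = (self._clock() + self._ttl, value)

    def get_metrics(self):
        with self._lock:
            total = self._hits + self._misses
            return {
                "size": len(self._data),
                "hits": self._hits,
                "misses": self._misses,
                "evictions": self._evictions,
                # no lookups yet is a 0 % hit rate, not a ZeroDivisionError
                "hit_rate_percent": round(100.0 * self._hits / total, 2) if total else 0.0,
            }


# (metrics key, metric name, help text) for the gauges listed in the commit message
_GAUGES = [
    ("size", "hector_cache_size", "Current number of items in the cache"),
    ("hits", "hector_cache_hits", "Total cache hits since start"),
    ("misses", "hector_cache_misses", "Total cache misses since start"),
    ("evictions", "hector_cache_evictions", "Total cache evictions since start"),
    ("hit_rate_percent", "hector_cache_hit_rate_percent", "Cache hit rate in percent"),
]


def render_cache_metrics(metrics):
    """Render get_metrics() output as Prometheus text exposition, one gauge each."""
    lines = []
    for key, name, help_text in _GAUGES:
        lines.append(f"# HELP {name} {help_text}")
        lines.append(f"# TYPE {name} gauge")
        lines.append(f"{name} {metrics[key]}")
    return "\n".join(lines) + "\n"


def demo():
    """Constructed workload on a fake clock: returns the resulting metrics dict."""
    now = [0.0]
    cache = TTLCache(maxsize=2, ttl=10.0, clock=lambda: now[0])
    cache.set("a", 1)
    cache.set("b", 2)
    cache.get("a")            # hit
    cache.get("missing")      # miss
    now[0] = 5.0
    cache.set("c", 3)         # capacity eviction of "a"
    now[0] = 11.0
    cache.get("b")            # set at t=0 with ttl 10: expired, eviction + miss
    cache.get("c")            # expires at t=15: hit
    return cache.get_metrics()


if __name__ == "__main__":
    print(render_cache_metrics(demo()), end="")
```

Two things to weigh when wiring this into a real exporter: hits, misses and evictions only ever increase, and Prometheus convention exports such series as counters named with a _total suffix rather than as gauges, which is what dashboard functions like rate() and most metric linters expect; and the hit-rate percentage can be computed server-side from the two raw series, so precomputing it is a convenience for the /status view rather than something Prometheus needs.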
@gitguardian

gitguardian Bot commented Jun 27, 2026


⚠️ GitGuardian has uncovered 3 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request
GitGuardian id   GitGuardian status   Secret             Commit    Filename
34323629         Triggered            Generic Password   49720c9   tests/test_log_redaction.py
34010484         Triggered            Generic Password   15534c3   docker-compose.prod.yml
34323628         Triggered            Generic Password   49720c9   tests/test_log_redaction.py
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@coderabbitai

coderabbitai Bot commented Jun 27, 2026


Warning

Review limit reached

@DanielDeshmukh, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 6 minutes and 57 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a93a2eb1-b75d-4e98-86d1-5bdeaa4f3e9f

📥 Commits

Reviewing files that changed from the base of the PR and between 7dde50d and f851095.

📒 Files selected for processing (6)
  • api/app.py
  • api/log_redaction.py
  • docker-compose.prod.yml
  • monitoring/prometheus.yml
  • tests/test_enhanced_ingestor.py
  • tests/test_log_redaction.py

@DanielDeshmukh DanielDeshmukh merged commit 4a4617d into main Jun 27, 2026
5 of 7 checks passed

1 participant