refactor sys and guard logging duplication

Copilot · lpcox · web-flow · commit 81b3a884254c · 2026-04-18T16:23:09.000Z
Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/ac7dc66f-a385-4612-8f8a-66a15160508c Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
diff --git a/internal/guard/wasm.go b/internal/guard/wasm.go
@@ -20,6 +20,15 @@ import (
 
 var logWasm = logger.New("guard:wasm")
 
+func logMarshaledForDebug(value interface{}, onMarshalSuccess func(string), onMarshalFailure func(error)) {
+	resultJSON, err := json.Marshal(value)
+	if err != nil {
+		onMarshalFailure(err)
+		return
+	}
+	onMarshalSuccess(string(resultJSON))
+}
+
 // globalCompilationCache is a process-level compilation cache shared across all
 // WasmGuard instances. wazero's cache is goroutine-safe and eliminates redundant
 // JIT compilation when multiple guards load the same WASM binary.
@@ -695,12 +704,15 @@ func (g *WasmGuard) LabelAgent(ctx context.Context, policy interface{}, backend
 		logWasm.Printf("LabelAgent normalizePolicyPayload failed: guard=%s, error=%v", g.name, err)
 		return nil, err
 	}
-	normalizedPolicyJSON, normalizeMarshalErr := json.Marshal(normalizedPolicy)
-	if normalizeMarshalErr != nil {
-		logWasm.Printf("LabelAgent normalized policy (marshal failed): guard=%s, error=%v", g.name, normalizeMarshalErr)
-	} else {
-		logWasm.Printf("LabelAgent normalized policy: guard=%s, policy=%s", g.name, string(normalizedPolicyJSON))
-	}
+	logMarshaledForDebug(
+		normalizedPolicy,
+		func(policyJSON string) {
+			logWasm.Printf("LabelAgent normalized policy: guard=%s, policy=%s", g.name, policyJSON)
+		},
+		func(marshalErr error) {
+			logWasm.Printf("LabelAgent normalized policy (marshal failed): guard=%s, error=%v", g.name, marshalErr)
+		},
+	)
 	_ = caps
 
 	input, err := buildStrictLabelAgentPayload(normalizedPolicy)
@@ -727,12 +739,15 @@ func (g *WasmGuard) LabelAgent(ctx context.Context, policy interface{}, backend
 		return nil, err
 	}
 
-	resultLogJSON, resultMarshalErr := json.Marshal(result)
-	if resultMarshalErr != nil {
-		logWasm.Printf("LabelAgent parsed response (marshal failed): guard=%s, error=%v", g.name, resultMarshalErr)
-	} else {
-		logWasm.Printf("LabelAgent parsed response: guard=%s, response=%s", g.name, string(resultLogJSON))
-	}
+	logMarshaledForDebug(
+		result,
+		func(responseJSON string) {
+			logWasm.Printf("LabelAgent parsed response: guard=%s, response=%s", g.name, responseJSON)
+		},
+		func(marshalErr error) {
+			logWasm.Printf("LabelAgent parsed response (marshal failed): guard=%s, error=%v", g.name, marshalErr)
+		},
+	)
 
 	return result, nil
 }
diff --git a/internal/server/guard_init.go b/internal/server/guard_init.go
@@ -17,6 +17,15 @@ import (
 
 var logGuardInit = logger.New("server:guard_init")
 
+func logMarshaledForDebug(value interface{}, onMarshalSuccess func(string), onMarshalFailure func(error)) {
+	resultJSON, err := json.Marshal(value)
+	if err != nil {
+		onMarshalFailure(err)
+		return
+	}
+	onMarshalSuccess(string(resultJSON))
+}
+
 // hasServerGuardPolicies reports whether any server in cfg has per-server guard policies
 // configured. This is used during DIFC auto-detection to enable enforcement when policies
 // are present even if no non-noop guard was registered (e.g., guard missing or failed to load).
@@ -351,12 +360,15 @@ func (us *UnifiedServer) ensureGuardInitialized(
 		log.Printf("[DIFC] label_agent returned nil result: server=%s, session=%s, guard=%s", serverID, sessionID, g.Name())
 		return defaultMode, fmt.Errorf("label_agent returned nil result")
 	}
-	resultJSON, marshalErr := json.Marshal(labelAgentResult)
-	if marshalErr != nil {
-		log.Printf("[DIFC] label_agent returned result (failed to serialize for logging): server=%s, session=%s, guard=%s, error=%v", serverID, sessionID, g.Name(), marshalErr)
-	} else {
-		log.Printf("[DIFC] label_agent response: server=%s, session=%s, guard=%s, response=%s", serverID, sessionID, g.Name(), string(resultJSON))
-	}
+	logMarshaledForDebug(
+		labelAgentResult,
+		func(resultJSON string) {
+			log.Printf("[DIFC] label_agent response: server=%s, session=%s, guard=%s, response=%s", serverID, sessionID, g.Name(), resultJSON)
+		},
+		func(marshalErr error) {
+			log.Printf("[DIFC] label_agent returned result (failed to serialize for logging): server=%s, session=%s, guard=%s, error=%v", serverID, sessionID, g.Name(), marshalErr)
+		},
+	)
 
 	mode := defaultMode
 	if labelAgentResult.DIFCMode != "" {
diff --git a/internal/server/tool_registry.go b/internal/server/tool_registry.go
@@ -285,9 +285,7 @@ func (us *UnifiedServer) registerToolsFromBackend(serverID string) error {
 			if err != nil {
 				logger.LogError("client", "MCP tool call error, session=%s, tool=%s, error=%v", sessionID, toolNameCopy, err)
 			} else {
-				resultJSON, _ := json.Marshal(data)
-				sanitizedResult := sanitize.SanitizeString(string(resultJSON))
-				logger.LogInfo("client", "MCP tool call response, session=%s, tool=%s, result=%s", sessionID, toolNameCopy, sanitizedResult)
+				logger.LogInfo("client", "MCP tool call response, session=%s, tool=%s, result=%s", sessionID, toolNameCopy, marshalAndSanitizeForLog(data))
 			}
 
 			return result, data, err
@@ -351,6 +349,22 @@ func (us *UnifiedServer) callSysServer(toolName string) (interface{}, error) {
 	return result, nil
 }
 
+func marshalAndSanitizeForLog(value interface{}) string {
+	resultJSON, _ := json.Marshal(value)
+	return sanitize.SanitizeString(string(resultJSON))
+}
+
+func (us *UnifiedServer) callAndLogSysTool(sessionID, operationName, sysToolName string) (*sdk.CallToolResult, interface{}, error) {
+	result, err := us.callSysServer(sysToolName)
+	if err != nil {
+		logger.LogError("client", "MCP %s call failed, session=%s, error=%v", operationName, sessionID, err)
+		return mcp.NewErrorCallToolResult(err)
+	}
+
+	logger.LogInfo("client", "MCP %s response, session=%s, result=%s", operationName, sessionID, marshalAndSanitizeForLog(result))
+	return nil, result, nil
+}
+
 // registerSysTools registers built-in sys tools
 func (us *UnifiedServer) registerSysTools() error {
 	// Create sys_init handler
@@ -392,16 +406,7 @@ func (us *UnifiedServer) registerSysTools() error {
 		logger.LogInfo("client", "MCP session initialized successfully, session=%s, available_servers=%v", sessionID, us.launcher.ServerIDs())
 
 		// Call sys_init
-		result, err := us.callSysServer("sys_init")
-		if err != nil {
-			logger.LogError("client", "MCP session initialization: sys_init call failed, session=%s, error=%v", sessionID, err)
-			return mcp.NewErrorCallToolResult(err)
-		}
-
-		resultJSON, _ := json.Marshal(result)
-		sanitizedResult := sanitize.SanitizeString(string(resultJSON))
-		logger.LogInfo("client", "MCP session initialization complete, session=%s, result=%s", sessionID, sanitizedResult)
-		return nil, result, nil
+		return us.callAndLogSysTool(sessionID, "session initialization", "sys_init")
 	}
 
 	// Register sys_init tool using helper
@@ -431,15 +436,7 @@ func (us *UnifiedServer) registerSysTools() error {
 			return mcp.NewErrorCallToolResult(err)
 		}
 
-		result, err := us.callSysServer("sys_list_servers")
-		if err != nil {
-			logger.LogError("client", "MCP sys_list_servers error, session=%s, error=%v", sessionID, err)
-			return mcp.NewErrorCallToolResult(err)
-		}
-
-		resultJSON, _ := json.Marshal(result)
-		logger.LogInfo("client", "MCP sys_list_servers response, session=%s, result=%s", sessionID, string(resultJSON))
-		return nil, result, nil
+		return us.callAndLogSysTool(sessionID, "sys_list_servers", "sys_list_servers")
 	}
 
 	// Register sys_list_servers tool using helper
diff --git a/internal/server/tool_registry_test.go b/internal/server/tool_registry_test.go
@@ -496,6 +496,37 @@ func TestCallSysServer_UnknownTool(t *testing.T) {
 	require.Error(err, "callSysServer with unknown tool should return an error")
 }
 
+func TestMarshalAndSanitizeForLog_RedactsSecrets(t *testing.T) {
+	assert := assert.New(t)
+
+	const secret = "ghp_1234567890123456789012345678901234567890"
+	sanitized := marshalAndSanitizeForLog(map[string]interface{}{
+		"token": secret,
+	})
+
+	assert.Contains(sanitized, "[REDACTED]")
+	assert.NotContains(sanitized, secret)
+}
+
+func TestCallAndLogSysTool_UnknownToolReturnsErrorResult(t *testing.T) {
+	assert := assert.New(t)
+	require := require.New(t)
+
+	cfg := &config.Config{
+		Servers: map[string]*config.ServerConfig{},
+	}
+
+	us, err := NewUnified(context.Background(), cfg)
+	require.NoError(err)
+	defer us.Close()
+
+	result, data, callErr := us.callAndLogSysTool("session-id", "sys test", "nonexistent_tool")
+	require.Error(callErr)
+	require.NotNil(result)
+	assert.Nil(data)
+	assert.True(result.IsError)
+}
+
 // TestRegisterAllToolsParallel_EmptyList verifies that parallel registration with no
 // servers does not block and returns immediately.
 func TestRegisterAllToolsParallel_EmptyList(t *testing.T) {
