feat: new variable trustee_server_secure_logging defaulting to true #15

Merged
richm merged 1 commit into linux-system-roles:main from spetrosi:parametrize-no-log
May 7, 2026

spetrosi commented May 7, 2026

Feature: Introduce the trustee_server_secure_logging variable that defaults to true and use verbosity-based logging for facts modules.

Reason: Currently, all sensitive tasks use hard-coded no_log: true, which makes debugging difficult. Users cannot see credential-related output even when troubleshooting authentication or secret management issues. Additionally, service_facts produces verbose output that clutters logs during normal operation.

Result:

  • Tasks handling credentials, secrets, and sensitive data now use no_log: "{{ trustee_server_secure_logging }}", allowing users to set trustee_server_secure_logging: false for debugging while maintaining secure defaults (true)
  • service_facts now uses no_log: "{{ ansible_verbosity < 2 }}", hiding verbose output unless -vv or higher verbosity is specified
  • New variable trustee_server_secure_logging documented in README.md with guidance on when to disable it
  • Users can now debug credential and secret issues without modifying role code

🤖 Generated with Claude Code

Summary by Sourcery

Introduce a configurable secure logging toggle for sensitive tasks and adjust service facts logging verbosity to balance security and debuggability.

New Features:

  • Add the trustee_server_secure_logging variable, defaulting to true, to control logging of tasks handling credentials and secrets.

Enhancements:

  • Apply trustee_server_secure_logging to previously hard-coded no_log tasks to allow temporary exposure of sensitive output for debugging.
  • Make service_facts tasks respect Ansible verbosity by hiding their output unless higher verbosity is enabled.
  • Document the trustee_server_secure_logging variable and its recommended usage in the README.

- Replace literal no_log: true with trustee_server_secure_logging variable
- Add no_log: "{{ ansible_verbosity < 2 }}" to service_facts
- Add trustee_server_secure_logging: true to defaults/main.yml
- Document trustee_server_secure_logging variable in README.md

This change allows users to control logging of potentially sensitive
information by setting trustee_server_secure_logging: false for debugging,
while maintaining secure defaults.

For service_facts, the role now uses verbosity-based logging to hide
verbose output unless ansible_verbosity >= 2.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

spetrosi requested a review from richm as a code owner May 7, 2026 12:54
sourcery-ai Bot commented May 7, 2026

Reviewer's Guide

Introduces a configurable secure logging toggle and verbosity-based logging for service facts to balance sensitive data protection with debug visibility.

Flow diagram for trustee_server_secure_logging behavior in sensitive tasks

flowchart TD
    A[Start sensitive_task] --> B[Evaluate trustee_server_secure_logging]
    B -->|true| C[Set no_log true on sensitive_task]
    B -->|false| D[Set no_log false on sensitive_task]
    C --> E[Run task with sensitive output suppressed]
    D --> F[Run task with full output visible]
    E --> G[End sensitive_task]
    F --> G

Flow diagram for verbosity-based logging of service_facts

flowchart TD
    A[Start service_facts task] --> B[Check ansible_verbosity]
    B -->|ansible_verbosity < 2| C[Set no_log true]
    B -->|ansible_verbosity >= 2| D[Set no_log false]
    C --> E[Run service_facts with output hidden]
    D --> F[Run service_facts with output shown]
    E --> G[End service_facts task]
    F --> G

File-Level Changes

Change: Make secure logging behavior configurable via a new variable with a secure default.
Details:
  • Add trustee_server_secure_logging variable to defaults with a default value of true
  • Document trustee_server_secure_logging usage, behavior, and security implications in README
Files: defaults/main.yml, README.md

Change: Gate sensitive task logging on the new secure logging variable instead of hard-coded no_log.
Details:
  • Replace hard-coded no_log: true on the token copy shell task with no_log referencing trustee_server_secure_logging
Files: tasks/trustee_quadlet.yml

Change: Reduce log noise from service_facts while keeping detailed output available at higher verbosity.
Details:
  • Set no_log on service_facts in trustee_quadlet tasks based on ansible_verbosity < 2
  • Set no_log on service_facts in secret_registration_server tasks based on ansible_verbosity < 2
Files: tasks/trustee_quadlet.yml, tasks/secret_registration_server.yml

sourcery-ai Bot left a comment

Hey - I've left some high level feedback:

  • Consider coercing trustee_server_secure_logging to a boolean in the no_log expression (e.g. no_log: "{{ trustee_server_secure_logging | bool }}") so that string overrides like "false" don’t accidentally evaluate as truthy.
  • For the service_facts tasks using no_log: "{{ ansible_verbosity < 2 }}", it may be safer to guard against ansible_verbosity being undefined by using a default (e.g. no_log: "{{ (ansible_verbosity | default(0)) < 2 }}").

richm merged commit 4b656a2 into linux-system-roles:main May 7, 2026
30 checks passed
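
The two suggestions in the Sourcery review above (coerce the toggle with `| bool`, give `ansible_verbosity` a default) can be enforced with a lint pass over a role's task files. This is an added example, not code from the pull request or the role: the sample tasks, the function name `lint_no_log` and the finding codes are constructed for illustration, and the check is a line-based regex scan rather than a YAML parser.

```python
import re

# Constructed sample of role task YAML (not the role's actual task files).
SAMPLE_TASKS = """\
- name: Copy token
  ansible.builtin.shell: cp /tmp/example-token /etc/example/token
  no_log: true
- name: Register secret
  ansible.builtin.command: example-register-secret
  no_log: "{{ trustee_server_secure_logging }}"
- name: Gather service facts
  ansible.builtin.service_facts:
  no_log: "{{ ansible_verbosity < 2 }}"
- name: Store key
  ansible.builtin.command: example-store-key
  no_log: "{{ trustee_server_secure_logging | bool }}"
- name: Gather service facts again
  ansible.builtin.service_facts:
  no_log: "{{ (ansible_verbosity | default(0)) < 2 }}"
"""

NO_LOG = re.compile(r"^\s*no_log:\s*(.+?)\s*$")
TEMPLATE = re.compile(r"\{\{\s*(.*?)\s*\}\}")


def lint_no_log(text, toggle="trustee_server_secure_logging"):
    """Return (line, code, advice) for each no_log value the review would flag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = NO_LOG.match(line)
        if not match:
            continue
        value = match.group(1).strip("\"'")
        expr = TEMPLATE.search(value)
        if expr is None:
            # Literal value: the PR replaces hard-coded true with the toggle.
            if value.lower() in ("true", "yes"):
                findings.append((lineno, "hardcoded", "use the toggle variable"))
            continue
        body = expr.group(1)
        if toggle in body and not re.search(re.escape(toggle) + r"\s*\|\s*bool\b", body):
            findings.append((lineno, "no-bool", "append '| bool' to the toggle"))
        if "ansible_verbosity" in body and not re.search(
                r"ansible_verbosity\s*\|\s*default\(", body):
            findings.append((lineno, "no-default", "add '| default(0)'"))
    return findings


if __name__ == "__main__":
    for lineno, code, advice in lint_no_log(SAMPLE_TASKS):
        print(f"line {lineno}: {code}: {advice}")
```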