Content-bearing LLM and document logs gated behind MIKE_DEBUG_STREAMS flag

counselos wraps every log site in the document pipeline and LLM stream handlers that emits filenames, storage paths, or document text behind a `MIKE_DEBUG_STREAMS=1` env flag, off by default. Three files, around 50 net lines. With the flag off, none of that content reaches container logs, backups, or your SIEM.

securitycompliance

The change touches backend/src/lib/chatTools.ts, backend/src/lib/llm/claude.ts, and backend/src/lib/llm/gemini.ts. A debugStreamLog helper in chatTools.ts carries a docstring that names the threat: filenames, storage paths, and document text excerpts otherwise leak to any environment that captures stdout - backups, SIEMs, container log aggregators. The helper resolves to a no-op unless process.env.MIKE_DEBUG_STREAMS === "1".

Every console.log call at the [read_document], [generate_docx], [runLLMStream], [buildDocContext], and [buildProjectDocContext] log sites is replaced with debugStreamLog(...). One log site is intentionally retained as a plain console.error - read failures in the catch branch, which are content-free.

In claude.ts, the stream.on("streamEvent", ...) listener that appended raw events to RAW_STREAM_LOG_PATH on disk is now only attached when the flag is on. The same pattern applies to the for-await loop in gemini.ts.

If your fork has a different naming convention for this flag, it's a trivial rename (MIKE_DEBUG_STREAMS appears in one place in the helper and in .env.example). Verify that your claude.ts and gemini.ts still have the same hook points before adopting.

So what Worth a look for any fork where the server processes privileged documents and stdout is captured by an external system. The pattern - a single gated helper with a threat model comment - is clean and easy to extend. Skip it only if your fork already has equivalent log hygiene.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

1 commit from counselos/mike-inhouse, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
88922de2 fix: gate content-bearing LLM and document logs behind MIKE_DEBUG_STREAMS counselos 2026-05-04 ↗ GitHub

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-72.md from inside the repo you want the changes in.

⬇ Download capture-thread-72.md