Content-bearing LLM and document logs gated behind MIKE_DEBUG_STREAMS flag
counselos wraps every log site in the document pipeline and LLM stream handlers that emits filenames, storage paths, or document text behind a `MIKE_DEBUG_STREAMS=1` env flag, off by default. Three files, around 50 net lines. With the flag off, none of that content reaches container logs, backups, or your SIEM.
The change touches backend/src/lib/chatTools.ts, backend/src/lib/llm/claude.ts, and backend/src/lib/llm/gemini.ts. A debugStreamLog helper in chatTools.ts carries a docstring that names the threat: filenames, storage paths, and document text excerpts otherwise leak to any environment that captures stdout - backups, SIEMs, container log aggregators. The helper resolves to a no-op unless process.env.MIKE_DEBUG_STREAMS === "1".
Every console.log call at the [read_document], [generate_docx], [runLLMStream], [buildDocContext], and [buildProjectDocContext] log sites is replaced with debugStreamLog(...). One log site is intentionally retained as a plain console.error - read failures in the catch branch, which are content-free.
In claude.ts, the stream.on("streamEvent", ...) listener that appended raw events to RAW_STREAM_LOG_PATH on disk is now only attached when the flag is on. The same pattern applies to the for-await loop in gemini.ts.
If your fork has a different naming convention for this flag, it's a trivial rename (MIKE_DEBUG_STREAMS appears in one place in the helper and in .env.example). Verify that your claude.ts and gemini.ts still have the same hook points before adopting.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?