fix(otel): gate codemode script body on capture, sanitize fetch URL attrs

- `pkg/tools/codemode/exec.go`: emit `cagent.tool.codemode.script_hash` (SHA-256) + `script_length` unconditionally so dashboards can correlate identical scripts and spot oversize submissions, but gate the full `cagent.tool.codemode.script` body behind `OTEL_INSTRUMENTATION_GENAI_CAPTURE_MESSAGE_CONTENT`. Codemode scripts are kilobyte-scale arbitrary JS that routinely embed auth tokens / pasted user data / inline secrets, so the bundle decision (Option B, ship body unconditionally) was the wrong call for this attribute specifically
- `pkg/tools/builtin/fetch.go`: strip query strings, fragments, and userinfo from `cagent.tool.fetch.urls` so the attribute can ship by default without leaking signed-URL tokens, OAuth codes, or inline credentials. Path stays intact so dashboards still answer "which sites/endpoints did the agent hit?". Unparseable URLs are emitted as `<unparseable>` rather than passed through verbatim

Both span attributes were flagged on the upstream PR review for the same root cause — emitting unbounded user-controlled content as a default-on telemetry attribute creates a PII/secret-exfiltration surface. The other Option B attributes (`shell.cmd`, `filesystem.path`, `script_shell.cmd`) stay unconditional: they are short, do not carry the same query-token / arbitrary-content risk, and remain decision-relevant for incident response

Author: tdabasinskas

pkg/tools/builtin/fetch.go

@@ -50,22 +50,44 @@ type FetchToolArgs struct {
 	Format  string   `json:"format,omitempty"`
 }
 
+// sanitizeFetchURLs strips query strings and userinfo from each URL so
+// the resulting span attribute can ship by default without leaking
+// signed-URL tokens, OAuth codes, or inline credentials. URLs that fail
+// to parse are emitted as a sentinel rather than the raw string, since
+// an unparseable URL could also carry sensitive material.
+func sanitizeFetchURLs(urls []string) []string {
+	out := make([]string, len(urls))
+	for i, raw := range urls {
+		u, err := url.Parse(raw)
+		if err != nil {
+			out[i] = "<unparseable>"
+			continue
+		}
+		u.RawQuery = ""
+		u.Fragment = ""
+		u.User = nil
+		out[i] = u.String()
+	}
+	return out
+}
+
 func (h *fetchHandler) CallTool(ctx context.Context, params FetchToolArgs) (*tools.ToolCallResult, error) {
 	if len(params.URLs) == 0 {
 		return nil, errors.New("at least one URL is required")
 	}
 
-	// Decorate the active runtime.tool.handler span with the URL list
-	// and request shape. Each fetched URL still produces its own HTTP
-	// CLIENT child span via `httpclient.WrapWithOTel` below, so the
-	// per-request status / latency / target host all show up there;
-	// the parent span gets the requested URLs so a quick glance answers
-	// "which sites did the agent hit on this turn?" without expanding
-	// the children.
+	// Decorate the active runtime.tool.handler span with the requested
+	// URLs. Strip query params and userinfo first: query strings often
+	// carry signed-URL tokens, OAuth codes, or session IDs, and userinfo
+	// carries credentials inline. The path stays intact so dashboards
+	// can still answer "which sites/endpoints did the agent hit?" — the
+	// HTTP CLIENT child span emitted by `httpclient.WrapWithOTel` below
+	// retains the full URL under `http.url` for callers that opt into
+	// that backend's full-URL capture.
 	if span := trace.SpanFromContext(ctx); span.IsRecording() {
 		attrs := []attribute.KeyValue{
 			attribute.Int("cagent.tool.fetch.url_count", len(params.URLs)),
-			attribute.StringSlice("cagent.tool.fetch.urls", params.URLs),
+			attribute.StringSlice("cagent.tool.fetch.urls", sanitizeFetchURLs(params.URLs)),
 		}
 		if params.Format != "" {
 			attrs = append(attrs, attribute.String("cagent.tool.fetch.format", params.Format))

pkg/tools/codemode/exec.go

@@ -3,6 +3,8 @@ package codemode
 import (
 	"bytes"
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"slices"
@@ -11,6 +13,7 @@ import (
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
 
+	"github.com/docker/docker-agent/pkg/telemetry/genai"
 	"github.com/docker/docker-agent/pkg/tools"
 )
 
@@ -42,17 +45,22 @@ func (c *codeModeTool) runJavascript(ctx context.Context, script string) (Script
 	vm := goja.New()
 	tracker := &toolCallTracker{}
 
-	// Stamp the script body and length onto the active span; the
-	// post-run defer adds the tool-call count. Script ships
-	// unconditionally — it's the main signal of what a code-mode turn
-	// did. Drop or hash `cagent.tool.codemode.script` at the OTel
-	// collector if scripts routinely carry secrets.
+	// Always stamp a hash + length so dashboards can correlate
+	// identical scripts ("model ran the same script 200 times this
+	// hour") without ever shipping the body. Codemode scripts are
+	// kilobyte-scale arbitrary JS — embedded auth tokens, pasted
+	// user data, and inline secrets are common — so the body itself
+	// is gated behind the GenAI content-capture opt-in.
 	span := trace.SpanFromContext(ctx)
 	if span.IsRecording() {
+		sum := sha256.Sum256([]byte(script))
 		span.SetAttributes(
-			attribute.String("cagent.tool.codemode.script", script),
+			attribute.String("cagent.tool.codemode.script_hash", hex.EncodeToString(sum[:])),
 			attribute.Int("cagent.tool.codemode.script_length", len(script)),
 		)
+		if genai.IsContentCaptureEnabled() {
+			span.SetAttributes(attribute.String("cagent.tool.codemode.script", script))
+		}
 	}
 	defer func() {
 		if span.IsRecording() {