[POA-4481] Do not obfuscate postman internal team witnesses for LLM calls (#147)

Author: shreys7

trace/backend_collector_test.go

@@ -802,7 +802,8 @@ func TestAlwaysCapturePayloads(t *testing.T) {
 			},
 			Host: "example.com",
 			Header: map[string][]string{
-				"Content-Type": {"application/json"},
+				"Content-Type":       {"application/json"},
+				"x-portkey-metadata": {`{"custom_postot_conversation_id":"12345678-1234-b1234-1234-123456789012","custom_postot_interaction_id":"12345678-1234-b1234-1234-123456789012","_prompt":"agent_system","_agent":"Root","_workflow":"agent_mode_chat","_domain":"agent_mode","_environment":"beta","_user":"916b323","_nrTraceId":"0d495a1379560f5d14f7f9c43d57bb07","_organization":"1"}`},
 			},
 			Body: memview.New([]byte(`{"name": "prince", "number": 6119717375543385000}`)),
 		},
@@ -879,6 +880,7 @@ func TestAlwaysCapturePayloads(t *testing.T) {
 					ApiType: pb.ApiType_HTTP_REST,
 				},
 				Args: map[string]*pb.Data{
+					"27YhIi6o-7o=": newTestHeaderSpec(dataFromPrimitive(spec_util.NewPrimitiveString(`{"custom_postot_conversation_id":"12345678-1234-b1234-1234-123456789012","custom_postot_interaction_id":"12345678-1234-b1234-1234-123456789012","_prompt":"agent_system","_agent":"Root","_workflow":"agent_mode_chat","_domain":"agent_mode","_environment":"beta","_user":"916b323","_nrTraceId":"0d495a1379560f5d14f7f9c43d57bb07","_organization":"1"}`)), "x-portkey-metadata", 0),
 					"nxnOc5Qy3D4=": newTestBodySpecFromStruct(0, pb.HTTPBody_JSON, "application/json", map[string]*pb.Data{
 						"name":   dataFromPrimitive(spec_util.NewPrimitiveString("prince")),
 						"number": dataFromPrimitive(spec_util.NewPrimitiveInt64(6119717375543385000)),

trace/util.go

@@ -1,13 +1,21 @@
 package trace
 
 import (
+	"encoding/json"
 	"regexp"
 	"strings"
 
 	pb "github.com/akitasoftware/akita-ir/go/api_spec"
 	"github.com/akitasoftware/akita-libs/http_rest_methods"
+	"github.com/akitasoftware/akita-libs/spec_util"
 )
 
+var internalPostmanTeamIDMap = map[string]string{
+	"beta":       "1",
+	"stage":      "2482",
+	"production": "6029",
+}
+
 // Returns true if the witness should be excluded from Repro Mode.
 //
 // XXX This is a stop-gap hack to exclude certain endpoints for Cloud API from
@@ -53,6 +61,30 @@ func hasMatchingPath(witness *pb.Witness, alwaysCapturePayloadsPathsRegex []*reg
 	return false
 }
 
+// PortkeyMetadata represents the structure of x-portkey-metadata header
+type PortkeyMetadata struct {
+	Organization string `json:"_organization"`
+	Environment  string `json:"_environment"`
+}
+
+// Returns true if the witness is from Postman internal team
+func isPostmanInternalTeam(witness *pb.Witness) bool {
+	// Look for x-portkey-metadata header in the request args
+	for _, data := range witness.GetMethod().GetArgs() {
+		if header := spec_util.HTTPHeaderFromData(data); header != nil && strings.ToLower(header.GetKey()) == "x-portkey-metadata" {
+			if primitive := data.GetPrimitive(); primitive != nil && primitive.GetStringValue() != nil {
+				var metadata PortkeyMetadata
+				if err := json.Unmarshal([]byte(primitive.GetStringValue().Value), &metadata); err == nil {
+					if teamID, ok := internalPostmanTeamIDMap[metadata.Environment]; ok {
+						return metadata.Organization == teamID
+					}
+				}
+			}
+		}
+	}
+	return false
+}
+
 // Determines whether a given method has only error (4xx or 5xx) response codes.
 // Returns true if the method has at least one response and all response codes are 4xx or 5xx.
 // Here method will only have single response object because in agent each witness stores single request-response pair.
@@ -80,8 +112,10 @@ func shouldCapturePayload(witness *pb.Witness, alwaysCapturePayloadsPathsRegex [
 	}
 
 	// Step 2: Check if the method path matches the always capture payloads regex.
+	// Hack: We are using `alwaysCapturePayloads` arg to always capture payloads for LLM calls.
+	// But, since we are not allowed to do that on Portkey production, we add the postman internal team check.
 	if hasMatchingPath(witness, alwaysCapturePayloadsPathsRegex) {
-		return true
+		return isPostmanInternalTeam(witness)
 	}
 
 	// Step 3: Check if the method has only error responses.

trace/util_test.go

@@ -0,0 +1,180 @@
+package trace
+
+import (
+	"regexp"
+	"testing"
+
+	pb "github.com/akitasoftware/akita-ir/go/api_spec"
+	"github.com/akitasoftware/akita-libs/spec_util"
+)
+
+func TestIsPostmanInternalTeam(t *testing.T) {
+	tests := []struct {
+		name     string
+		witness  *pb.Witness
+		expected bool
+	}{
+		{
+			name: "Postman internal team with organization 1",
+			witness: &pb.Witness{
+				Method: &pb.Method{
+					Args: map[string]*pb.Data{
+						"test-key": {
+							Value: &pb.Data_Primitive{
+								Primitive: spec_util.NewPrimitiveString(`{"custom_postot_conversation_id":"12345678-1234-b1234-1234-123456789012","custom_postot_interaction_id":"12345678-1234-b1234-1234-123456789012","_prompt":"agent_system","_agent":"Root","_workflow":"agent_mode_chat","_domain":"agent_mode","_environment":"beta","_user":"916b323","_nrTraceId":"0d495a1379560f5d14f7f9c43d57bb07","_organization":"1"}`),
+							},
+							Meta: &pb.DataMeta{
+								Meta: &pb.DataMeta_Http{
+									Http: &pb.HTTPMeta{
+										Location: &pb.HTTPMeta_Header{
+											Header: &pb.HTTPHeader{
+												Key: "x-portkey-metadata",
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "Non-Postman team with organization 2",
+			witness: &pb.Witness{
+				Method: &pb.Method{
+					Args: map[string]*pb.Data{
+						"test-key": {
+							Value: &pb.Data_Primitive{
+								Primitive: spec_util.NewPrimitiveString(`{"custom_postot_conversation_id":"12345678-1234-b1234-1234-123456789012","custom_postot_interaction_id":"12345678-1234-b1234-1234-123456789012","_prompt":"agent_system","_agent":"Root","_workflow":"agent_mode_chat","_domain":"agent_mode","_environment":"beta","_user":"916b323","_nrTraceId":"0d495a1379560f5d14f7f9c43d57bb07","_organization":"2"}`),
+							},
+							Meta: &pb.DataMeta{
+								Meta: &pb.DataMeta_Http{
+									Http: &pb.HTTPMeta{
+										Location: &pb.HTTPMeta_Header{
+											Header: &pb.HTTPHeader{
+												Key: "x-portkey-metadata",
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "No x-portkey-metadata header",
+			witness: &pb.Witness{
+				Method: &pb.Method{
+					Args: map[string]*pb.Data{
+						"test-key": {
+							Value: &pb.Data_Primitive{
+								Primitive: spec_util.NewPrimitiveString("some-other-header-value"),
+							},
+							Meta: &pb.DataMeta{
+								Meta: &pb.DataMeta_Http{
+									Http: &pb.HTTPMeta{
+										Location: &pb.HTTPMeta_Header{
+											Header: &pb.HTTPHeader{
+												Key: "authorization",
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "Invalid JSON in x-portkey-metadata header",
+			witness: &pb.Witness{
+				Method: &pb.Method{
+					Args: map[string]*pb.Data{
+						"test-key": {
+							Value: &pb.Data_Primitive{
+								Primitive: spec_util.NewPrimitiveString("invalid-json"),
+							},
+							Meta: &pb.DataMeta{
+								Meta: &pb.DataMeta_Http{
+									Http: &pb.HTTPMeta{
+										Location: &pb.HTTPMeta_Header{
+											Header: &pb.HTTPHeader{
+												Key: "x-portkey-metadata",
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "Empty witness",
+			witness: &pb.Witness{
+				Method: &pb.Method{
+					Args: map[string]*pb.Data{},
+				},
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := isPostmanInternalTeam(tt.witness)
+			if result != tt.expected {
+				t.Errorf("isPostmanInternalTeam() = %v, expected %v", result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestShouldCapturePayloadWithPostmanTeam(t *testing.T) {
+	// Test that shouldCapturePayload returns true for Postman internal team
+	witness := &pb.Witness{
+		Method: &pb.Method{
+			Meta: &pb.MethodMeta{
+				Meta: &pb.MethodMeta_Http{
+					Http: &pb.HTTPMethodMeta{
+						Method:       "POST",
+						PathTemplate: "/v1/chat/completions",
+						Host:         "api.portkey.ai",
+					},
+				},
+			},
+			Args: map[string]*pb.Data{
+				"test-key": {
+					Value: &pb.Data_Primitive{
+						Primitive: spec_util.NewPrimitiveString(`{"custom_postot_conversation_id":"12345678-1234-b1234-1234-123456789012","custom_postot_interaction_id":"12345678-1234-b1234-1234-123456789012","_prompt":"agent_system","_agent":"Root","_workflow":"agent_mode_chat","_domain":"agent_mode","_environment":"beta","_user":"916b323","_nrTraceId":"0d495a1379560f5d14f7f9c43d57bb07","_organization":"1"}`),
+					},
+					Meta: &pb.DataMeta{
+						Meta: &pb.DataMeta_Http{
+							Http: &pb.HTTPMeta{
+								Location: &pb.HTTPMeta_Header{
+									Header: &pb.HTTPHeader{
+										Key: "x-portkey-metadata",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	result := shouldCapturePayload(witness, []*regexp.Regexp{regexp.MustCompile("/v1/chat/completions")})
+	if !result {
+		t.Errorf("shouldCapturePayload() = false, expected true for Postman internal team")
+	}
+}