Skip to content

feat(sight): add --exclude filter to audit CLI for noise reduction#792

Open
jfeng18 wants to merge 1 commit into
alibaba:mainfrom
jfeng18:feat/audit-exclude-filter
Open

feat(sight): add --exclude filter to audit CLI for noise reduction#792
jfeng18 wants to merge 1 commit into
alibaba:mainfrom
jfeng18:feat/audit-exclude-filter

Conversation

@jfeng18

@jfeng18 jfeng18 commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Add --exclude <pattern> flag (repeatable) to agentsight audit that hides process_action events whose filename or args contain the substring.

Dog-food testing showed 60%+ of audit events are cosh editor-detection noise (command -v cursor/vim/emacs/... at every startup). This makes audit output unusable without expert knowledge of --type llm.

Usage

# Before: 1345 events, 80% noise
agentsight audit --last 1

# After: noise filtered, hidden count reported
agentsight audit --last 1 --exclude "command -v"
# Last 1 hours: 550 audit events (795 hidden by --exclude)

# Multiple patterns
agentsight audit --last 1 --exclude "command -v" --exclude "grepconf"

Behavior

  • Only ProcessAction events are matched; LlmCall events are never excluded
  • Empty and whitespace-only patterns are silently ignored (prevents accidental match-all)
  • Text mode: hidden count in header line
  • JSON mode: hidden count on stderr, clean JSON array on stdout
  • --summary + --exclude: warns that summary is unfiltered
  • No --exclude: identical behavior to before (zero filtering)

What's NOT changed

  • Default behavior (no --exclude) is unchanged
  • Summary queries are unfiltered (warn if --exclude provided)
  • No changes to storage/DB layer

Verification (ECS, 10 test cases)

Test Result
Baseline (no exclude) 12272 events ✅
Basic exclude 11507 shown, 767 hidden ✅
Empty string --exclude "" Same as baseline (ignored) ✅
Whitespace --exclude " " Same as baseline (ignored via trim) ✅
--type llm + exclude 3 LLM events shown, NOT excluded ✅
JSON + exclude Valid JSON + stderr hidden count ✅
Summary + exclude Warns "not applied to summary" ✅
Nonexistent pattern 0 hidden ✅
cargo fmt --check Clean ✅
LLM discriminating 3 events with/without exclude identical ✅

🤖 Generated with Claude Code

@jfeng18 jfeng18 requested a review from chengshuyi as a code owner June 8, 2026 16:19
@github-actions github-actions Bot added the component:sight src/agentsight/ label Jun 8, 2026
@jfeng18 @claude
feat(sight): add --exclude filter to audit CLI for noise reduction
ea2364c 
Add repeatable --exclude <pattern> flag that hides process_action
events whose filename/args contain the substring. Cosh editor-detection
noise (command -v cursor/vim/...) typically accounts for 60%+ of audit
events; --exclude "command -v" makes the output usable.

- Empty and whitespace-only patterns are silently ignored
- LLM events are never excluded (only ProcessAction matched)
- Hidden count reported in text header and JSON stderr
- --summary + --exclude warns that summary is unfiltered

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jfeng18 jfeng18 force-pushed the feat/audit-exclude-filter branch from 6b23937 to ea2364c Compare June 10, 2026 03:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chengshuyi chengshuyi Awaiting requested review from chengshuyi chengshuyi is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

component:sight src/agentsight/

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jfeng18