From 651b7e48c47e419ce8de4ed8b35b6493883ef431 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jakub@stacklok.com>
Date: Wed, 19 Feb 2025 14:37:24 +0100
Subject: [PATCH] Fix copilot secret unredaction

The copilot provider always sends `cleanup_sensitive` set to `False` as it
manages the context itself. On streams where `finish_stream` was set to
`False` as well, we would have yielded the rest of the context buffer though
which would break secret unredaction.

To reproduce, ask Copilot to make a simple modification in a file
containing secrets so that it's forced to print the secrets back to you.
---
 src/codegate/pipeline/output.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/codegate/pipeline/output.py b/src/codegate/pipeline/output.py
index 16672a60..608c36de 100644
--- a/src/codegate/pipeline/output.py
+++ b/src/codegate/pipeline/output.py
@@ -170,8 +170,9 @@ async def process_stream(
         finally:
             # NOTE: Don't use await in finally block, it will break the stream
             # Don't flush the buffer if we assume we'll call the pipeline again
-            if cleanup_sensitive is False and finish_stream:
-                self._record_to_db()
+            if cleanup_sensitive is False:
+                if finish_stream:
+                    self._record_to_db()
                 return
 
             # Process any remaining content in buffer when stream ends