feat: new variable network_secure_logging defaulting to true

[spetrosi]

Feature: Introduce the network_secure_logging variable that defaults to true and using verbosity-based logging for facts modules.

Reason: Currently, all sensitive tasks use hard-coded no_log: true, which makes debugging difficult. Users cannot see credential-related output even when troubleshooting authentication or secret management issues. Additionally, package_facts and service_facts produce verbose output that clutters logs during normal operation.

Result:

• Tasks handling credentials, secrets, and sensitive data now use no_log: "{{ network_secure_logging }}", allowing users to set network_secure_logging: false for debugging while maintaining secure defaults (true)
• package_facts and service_facts now use no_log: "{{ ansible_verbosity < 2 }}", hiding verbose output unless -vv or higher verbosity is specified
• New variable network_secure_logging documented in README.md with guidance on when to disable it
• Users can now debug credential and secret issues without modifying role code

🤖 Generated with Claude Code

Summary by Sourcery

Introduce a configurable secure logging toggle and adjust fact-gathering log verbosity.

New Features:

• Add the network_secure_logging variable, defaulting to true, to control logging of sensitive tasks.

Enhancements:

• Make setup and nmstate-related tasks respect the network_secure_logging flag instead of hard-coded no_log settings.
• Use verbosity-based no_log behavior for service_facts and package_facts to reduce log noise while allowing detailed output at higher verbosity levels.

Documentation:

• Document the network_secure_logging variable and its recommended usage in the README.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Adds a new network_secure_logging variable (default true) to control no_log behavior for sensitive tasks, and switches facts-related tasks to verbosity-based logging while documenting the new variable.

Flow diagram for no_log behavior with network_secure_logging and verbosity

flowchart TD
  A[Start_task] --> B[Is_task_sensitive_credentials_or_secrets]
  B -->|Yes| C[Set_no_log_to_network_secure_logging]
  B -->|No| D[Is_task_facts_module_service_facts_or_package_facts]

  D -->|Yes| E[Evaluate_ansible_verbosity_less_than_2]
  E -->|True| F[Set_no_log_true_hide_facts_output]
  E -->|False| G[Set_no_log_false_show_facts_output]

  D -->|No| H[Use_existing_no_log_behavior_or_default]

  C --> I[Execute_task_with_configured_no_log]
  F --> I
  G --> I
  H --> I
  I --> J[End_task]

Loading

File-Level Changes

Change	Details	Files
Make sensitive network tasks respect a configurable secure-logging toggle instead of hard-coded no_log.	Replace hard-coded no_log: true with no_log: "{{ network_secure_logging }}" on tasks that handle network configuration and fingerprints Ensure behavior defaults to secure logging while allowing users to temporarily disable it for debugging	tasks/set_facts.yml tasks/main.yml
Use Ansible verbosity to control logging for verbose facts modules.	Change service_facts task to use no_log: "{{ ansible_verbosity < 2 }}" so output appears only at -vv and above Change package_facts task to use no_log: "{{ ansible_verbosity < 2 }}" to avoid noisy logs in normal runs	tasks/set_facts.yml
Introduce and document the new network_secure_logging variable with a secure default.	Add network_secure_logging: true to role defaults to enable secure logging by default Document network_secure_logging in README.md, including its purpose, default value, and guidance on when to disable it	defaults/main.yml README.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• Consider wrapping the templated no_log expressions with | bool (e.g. no_log: "{{ network_secure_logging | bool }}") to ensure they are always interpreted as booleans even if overridden via inventory or extra vars.
• Since the verbosity-based logging rule is used in multiple places, you might want to introduce a dedicated variable (e.g. network_fact_logging_quiet: ansible_verbosity < 2) in defaults/main.yml and reference that for service_facts and package_facts to make the intent clearer and easier to adjust.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider wrapping the templated `no_log` expressions with `| bool` (e.g. `no_log: "{{ network_secure_logging | bool }}"`) to ensure they are always interpreted as booleans even if overridden via inventory or extra vars.
- Since the verbosity-based logging rule is used in multiple places, you might want to introduce a dedicated variable (e.g. `network_fact_logging_quiet: ansible_verbosity < 2`) in `defaults/main.yml` and reference that for `service_facts` and `package_facts` to make the intent clearer and easier to adjust.

## Individual Comments

### Comment 1
<location path="tasks/set_facts.yml" line_range="8" />
<code_context>
   when:
     - network_provider == "nm" or network_state != {}
-  no_log: true
+  no_log: "{{ network_secure_logging }}"

 # If any 802.1x connections are used, the wpa_supplicant
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Consider explicitly casting `network_secure_logging` to a boolean for robustness.

If `network_secure_logging` is set as a string in vars (e.g. `'false'`), Ansible may treat it as truthy, leading to unexpected logging or suppression. Using `no_log: "{{ network_secure_logging | bool }}"` (optionally with `| default(true)`) would make this robust to different input types and avoid surprises.

```suggestion
  no_log: "{{ network_secure_logging | default(true) | bool }}"
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

🚨 suggestion (security): Consider explicitly casting network_secure_logging to a boolean for robustness.

If network_secure_logging is set as a string in vars (e.g. 'false'), Ansible may treat it as truthy, leading to unexpected logging or suppression. Using no_log: "{{ network_secure_logging | bool }}" (optionally with | default(true)) would make this robust to different input types and avoid surprises.

Suggested change

	no_log: "{{ network_secure_logging }}"
	no_log: "{{ network_secure_logging | default(true) | bool }}"

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 42.68%. Comparing base (1b57520) to head (074ba4e).
⚠️ Report is 93 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #868      +/-   ##
==========================================
- Coverage   43.11%   42.68%   -0.43%     
==========================================
  Files          12       13       +1     
  Lines        3124     3160      +36     
==========================================
+ Hits         1347     1349       +2     
- Misses       1777     1811      +34     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[richm]

Suggested change

	no_log: "{{ network_secure_logging }}"
	no_log: "{{ ansible_verbosity < 2 }}"

Adding no_log: true was just for verbosity, not security - same with other places

so I don't think we need network_secure_logging for now