Scrub sensitive paths and emails from deploy telemetry error messages

Adds a scrubber that runs before error messages are sent to telemetry:
1. Replaces the bundle root path with "." to avoid leaking local paths
2. Redacts remaining home directory paths (/Users/..., /home/..., C:\Users\...)
3. Redacts email addresses (e.g., in workspace paths)

Inspired by VS Code's telemetry path scrubbing and Sentry's @userpath rule.

Co-authored-by: Isaac

Author: shreyas-goenka

bundle/phases/telemetry.go

@@ -38,6 +38,8 @@ const maxErrorMessageLength = 500
 
 // LogDeployTelemetry logs a telemetry event for a bundle deploy command.
 func LogDeployTelemetry(ctx context.Context, b *bundle.Bundle, errMsg string) {
+	errMsg = scrubForTelemetry(errMsg, b.BundleRootPath)
+
 	if len(errMsg) > maxErrorMessageLength {
 		errMsg = errMsg[:maxErrorMessageLength]
 	}

bundle/phases/telemetry_scrub.go

@@ -0,0 +1,60 @@
+package phases
+
+import (
+	"path/filepath"
+	"regexp"
+	"strings"
+)
+
+// Scrub sensitive information from error messages before sending to telemetry.
+// Inspired by VS Code's telemetry path scrubbing and Sentry's @userpath pattern.
+//
+// References:
+// - VS Code: https://github.com/microsoft/vscode/blob/main/src/vs/platform/telemetry/common/telemetryUtils.ts
+// - Sentry: https://github.com/getsentry/relay (PII rule: @userpath)
+var (
+	// Matches home directory paths on macOS and Linux. Uses a negative lookbehind
+	// to avoid matching workspace paths like /Workspace/Users/...
+	unixHomeDirRegexp = regexp.MustCompile(`(?:^|[\s:,"'])(/(?:Users|home)/[^\s:,"']+)`)
+
+	// Matches home directory paths on Windows with either backslashes or
+	// forward slashes (C:\Users\xxx\... or C:/Users/xxx/...).
+	windowsHomeDirRegexp = regexp.MustCompile(`[A-Z]:[/\\]Users[/\\][^\s:,"']+`)
+
+	// Matches email addresses. Workspace paths in Databricks often contain
+	// emails (e.g., /Workspace/Users/user@example.com/.bundle/dev).
+	emailRegexp = regexp.MustCompile(`[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}`)
+)
+
+// scrubForTelemetry is a best-effort scrubber that removes sensitive path and
+// PII information from error messages before they are sent to telemetry.
+// The error message is treated as PII and should not be logged without scrubbing.
+func scrubForTelemetry(msg, bundleRoot string) string {
+	// Replace the bundle root path first since it's the most specific match.
+	// This turns "/Users/shreyas/project/databricks.yml" into "./databricks.yml".
+	if bundleRoot != "" {
+		normalized := filepath.ToSlash(bundleRoot)
+		msg = strings.ReplaceAll(msg, normalized+"/", "./")
+		msg = strings.ReplaceAll(msg, normalized, ".")
+		if bundleRoot != normalized {
+			msg = strings.ReplaceAll(msg, bundleRoot+string(filepath.Separator), "./")
+			msg = strings.ReplaceAll(msg, bundleRoot, ".")
+		}
+	}
+
+	// Redact remaining home directory paths that weren't covered by the
+	// bundle root replacement. Run Windows first to avoid partial matches
+	// from the Unix regex on paths like C:/Users/...
+	msg = windowsHomeDirRegexp.ReplaceAllString(msg, "[REDACTED_PATH]")
+	msg = unixHomeDirRegexp.ReplaceAllStringFunc(msg, func(match string) string {
+		// Find where the path starts (the `/` character).
+		// Preserve the leading delimiter character.
+		idx := strings.Index(match, "/")
+		return match[:idx] + "[REDACTED_PATH]"
+	})
+
+	// Redact email addresses.
+	msg = emailRegexp.ReplaceAllString(msg, "[REDACTED_EMAIL]")
+
+	return msg
+}

bundle/phases/telemetry_scrub_test.go

@@ -0,0 +1,148 @@
+package phases
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestScrubForTelemetry_BundleRootPath(t *testing.T) {
+	tests := []struct {
+		name       string
+		msg        string
+		bundleRoot string
+		expected   string
+	}{
+		{
+			name:       "replaces bundle root in file path",
+			msg:        "failed to load /home/user/project/databricks.yml: invalid config",
+			bundleRoot: "/home/user/project",
+			expected:   "failed to load ./databricks.yml: invalid config",
+		},
+		{
+			name:       "replaces bundle root without trailing content",
+			msg:        "error at /home/user/project",
+			bundleRoot: "/home/user/project",
+			expected:   "error at .",
+		},
+		{
+			name:       "replaces multiple occurrences",
+			msg:        "path /home/user/project/a.yml and /home/user/project/b.yml",
+			bundleRoot: "/home/user/project",
+			expected:   "path ./a.yml and ./b.yml",
+		},
+		{
+			name:       "empty bundle root is no-op",
+			msg:        "some error",
+			bundleRoot: "",
+			expected:   "some error",
+		},
+		{
+			name:       "empty message",
+			msg:        "",
+			bundleRoot: "/home/user/project",
+			expected:   "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, scrubForTelemetry(tt.msg, tt.bundleRoot))
+		})
+	}
+}
+
+func TestScrubForTelemetry_HomeDirPaths(t *testing.T) {
+	tests := []struct {
+		name     string
+		msg      string
+		expected string
+	}{
+		{
+			name:     "macOS home dir",
+			msg:      "failed to read /Users/shreyas/other-project/file.yml",
+			expected: "failed to read [REDACTED_PATH]",
+		},
+		{
+			name:     "Linux home dir",
+			msg:      "failed to read /home/runner/work/project/file.yml",
+			expected: "failed to read [REDACTED_PATH]",
+		},
+		{
+			name:     "home dir in middle of message",
+			msg:      "error: /Users/jane/project/a.yml: not found, try again",
+			expected: "error: [REDACTED_PATH]: not found, try again",
+		},
+		{
+			name:     "Windows home dir with backslashes",
+			msg:      `error at C:\Users\shreyas\project\file.yml`,
+			expected: "error at [REDACTED_PATH]",
+		},
+		{
+			name:     "Windows home dir with forward slashes",
+			msg:      "error at C:/Users/shreyas/project/file.yml",
+			expected: "error at [REDACTED_PATH]",
+		},
+		{
+			name:     "preserves relative paths",
+			msg:      "failed to load ./resources/job.yml",
+			expected: "failed to load ./resources/job.yml",
+		},
+		{
+			name:     "preserves workspace paths without email",
+			msg:      "uploading to /Workspace/.bundle/dev/files",
+			expected: "uploading to /Workspace/.bundle/dev/files",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, scrubForTelemetry(tt.msg, ""))
+		})
+	}
+}
+
+func TestScrubForTelemetry_Emails(t *testing.T) {
+	tests := []struct {
+		name     string
+		msg      string
+		expected string
+	}{
+		{
+			name:     "email in workspace path",
+			msg:      "/Workspace/Users/user@example.com/.bundle/dev should contain current username",
+			expected: "/Workspace/Users/[REDACTED_EMAIL]/.bundle/dev should contain current username",
+		},
+		{
+			name:     "plain email",
+			msg:      "access denied for user@company.io",
+			expected: "access denied for [REDACTED_EMAIL]",
+		},
+		{
+			name:     "no email present",
+			msg:      "some error without emails",
+			expected: "some error without emails",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, scrubForTelemetry(tt.msg, ""))
+		})
+	}
+}
+
+func TestScrubForTelemetry_Combined(t *testing.T) {
+	msg := "failed to load /Users/shreyas/myproject/databricks.yml: " +
+		"workspace /Workspace/Users/shreyas@databricks.com/.bundle is invalid, " +
+		"also tried /home/other/fallback/config.yml"
+
+	got := scrubForTelemetry(msg, "/Users/shreyas/myproject")
+
+	assert.Equal(t,
+		"failed to load ./databricks.yml: "+
+			"workspace /Workspace/Users/[REDACTED_EMAIL]/.bundle is invalid, "+
+			"also tried [REDACTED_PATH]",
+		got,
+	)
+}