feat: add --no-upload-logs to explicitly decline log upload

Backend now distinguishes "user wants out" from "user said nothing":
- `decline_logs: true` (the new flag) overrides every other signal
  including the server-side org-level override, so users with a
  legal/consent reason for no upload get a guaranteed off.
- `share_logs: true` (the existing --upload-logs) opts in.
- Otherwise the server applies its own policy.

Argparse enforces that --upload-logs and --no-upload-logs are mutually
exclusive (post-parse check via parser.error so dash/underscore aliases
on either side still coexist with the same dests).

register_cli_run now sends both `share_logs` and `decline_logs` in the
payload; setup_streaming forwards both. CHANGELOG 2.4.8 entry updated
to call out --no-upload-logs alongside --upload-logs.

Author: barslev

CHANGELOG.md

@@ -4,7 +4,9 @@
 
 ### Added: opt-in streaming log channel via `--upload-logs`
 
-- New `--upload-logs` flag (default off). When set, each CLI invocation registers a run, reports a per-run status (`in_progress` / `success` / `failure` / `cancelled`), and uploads a transcript of its own log output to the Socket backend for that run, visible in the Socket admin views. The transcript is captured regardless of the local `--enable-debug` state; the existing terminal verbosity is unchanged. The Socket backend can also force-enable streaming for specific orgs regardless of the flag. The feature is best-effort — registration or upload failures silently degrade and never block the scan.
+- New `--upload-logs` flag (default off). When set, each CLI invocation registers a run, reports a per-run status (`in_progress` / `success` / `failure` / `cancelled`), and uploads a transcript of its own log output to the Socket backend for that run, visible in the Socket admin views. The transcript is captured regardless of the local `--enable-debug` state; the existing terminal verbosity is unchanged.
+- New `--no-upload-logs` flag (mutually exclusive with `--upload-logs`) explicitly opts the run out of uploading logs, even when an org-level override would otherwise enable it. Use this when you need a guaranteed no-upload guarantee (e.g. legal/consent reasons).
+- The Socket backend can also force-enable streaming for specific orgs in the absence of an explicit opt-out. The feature is best-effort — registration or upload failures silently degrade and never block the scan.
 
 ## 2.4.7
 

socketsecurity/config.py

@@ -140,6 +140,7 @@ class CliConfig:
     disable_blocking: bool = False
     disable_ignore: bool = False
     upload_logs: bool = False
+    decline_logs: bool = False
     strict_blocking: bool = False
     integration_type: IntegrationType = "api"
     integration_org_slug: Optional[str] = None
@@ -213,6 +214,9 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
 
         args = parser.parse_args(args_list)
 
+        if args.upload_logs and args.decline_logs:
+            parser.error("--upload-logs and --no-upload-logs are mutually exclusive")
+
         if args.reach_exclude_paths:
             logging.warning(
                 "--reach-exclude-paths is deprecated; use --exclude-paths instead. "
@@ -284,6 +288,7 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
             'disable_blocking': args.disable_blocking,
             'disable_ignore': args.disable_ignore,
             'upload_logs': args.upload_logs,
+            'decline_logs': args.decline_logs,
             'strict_blocking': args.strict_blocking,
             'integration_type': args.integration,
             'pending_head': args.pending_head,
@@ -874,14 +879,29 @@ def create_argument_parser() -> argparse.ArgumentParser:
         action="store_true",
         help="Upload the CLI's log output to the Socket backend for this run. "
              "When set, the CLI registers the run with share_logs=true and streams "
-             "its log records in 5s batches. Default off."
+             "its log records in 5s batches. Default off. Mutually exclusive with "
+             "--no-upload-logs."
     )
     advanced_group.add_argument(
         "--upload_logs",
         dest="upload_logs",
         action="store_true",
         help=argparse.SUPPRESS
     )
+    advanced_group.add_argument(
+        "--no-upload-logs",
+        dest="decline_logs",
+        action="store_true",
+        help="Explicitly opt out of uploading CLI logs to the Socket backend, even "
+             "when an org-level override would otherwise enable it. Mutually "
+             "exclusive with --upload-logs."
+    )
+    advanced_group.add_argument(
+        "--no_upload_logs",
+        dest="decline_logs",
+        action="store_true",
+        help=argparse.SUPPRESS
+    )
     advanced_group.add_argument(
         "--strict-blocking",
         dest="strict_blocking",

socketsecurity/core/cli_run.py

@@ -29,12 +29,17 @@ def register_cli_run(
     client: CliClient,
     client_version: str,
     share_logs: bool,
+    decline_logs: bool,
 ) -> Optional[str]:
     try:
         resp = client.request(
             path="python-cli-runs",
             method="POST",
-            payload=json.dumps({"client_version": client_version, "share_logs": share_logs}),
+            payload=json.dumps({
+                "client_version": client_version,
+                "share_logs": share_logs,
+                "decline_logs": decline_logs,
+            }),
         )
     except APIFailure as e:
         log.debug(f"cli-run register failed (streaming disabled): {e}")

socketsecurity/core/streaming.py

@@ -37,12 +37,14 @@ def setup_streaming(
     sdk_logger: logging.Logger,
     client_version: str,
     share_logs: bool,
+    decline_logs: bool,
     enable_debug: bool,
 ) -> Optional[Callable[[], None]]:
     run_id = register_cli_run(
         client,
         client_version=client_version,
         share_logs=share_logs,
+        decline_logs=decline_logs,
     )
     if not run_id:
         cli_logger.debug("server log streaming not active for this run")

socketsecurity/socketcli.py

@@ -198,6 +198,7 @@ def main_code():
         sdk_logger=socket_logger,
         client_version=config.version,
         share_logs=config.upload_logs,
+        decline_logs=config.decline_logs,
         enable_debug=config.enable_debug,
     )
     if teardown:

tests/unit/test_cli_run.py

@@ -19,14 +19,16 @@ def test_register_cli_run_returns_run_id_when_enabled():
         "run_id": "srv-issued-123",
     })
 
-    run_id = register_cli_run(client, client_version="1.2.3", share_logs=True)
+    run_id = register_cli_run(
+        client, client_version="1.2.3", share_logs=True, decline_logs=False
+    )
 
     assert run_id == "srv-issued-123"
     args, kwargs = client.request.call_args
     assert kwargs["path"] == "python-cli-runs"
     assert kwargs["method"] == "POST"
     body = json.loads(kwargs["payload"])
-    assert body == {"client_version": "1.2.3", "share_logs": True}
+    assert body == {"client_version": "1.2.3", "share_logs": True, "decline_logs": False}
 
 
 def test_register_cli_run_returns_none_when_disabled_by_server():
@@ -36,31 +38,47 @@ def test_register_cli_run_returns_none_when_disabled_by_server():
         "run_id": None,
     })
 
-    assert register_cli_run(client, client_version="1.0.0", share_logs=False) is None
+    assert register_cli_run(
+        client, client_version="1.0.0", share_logs=False, decline_logs=False
+    ) is None
 
 
 def test_register_cli_run_sends_share_logs_false_when_not_opted_in():
     client = Mock(spec=CliClient)
     client.request.return_value = _resp({"log_streaming_enabled": False, "run_id": None})
 
-    register_cli_run(client, client_version="1.0.0", share_logs=False)
+    register_cli_run(client, client_version="1.0.0", share_logs=False, decline_logs=False)
 
     body = json.loads(client.request.call_args.kwargs["payload"])
-    assert body == {"client_version": "1.0.0", "share_logs": False}
+    assert body == {"client_version": "1.0.0", "share_logs": False, "decline_logs": False}
+
+
+def test_register_cli_run_sends_decline_logs_true_when_opted_out():
+    client = Mock(spec=CliClient)
+    client.request.return_value = _resp({"log_streaming_enabled": False, "run_id": None})
+
+    register_cli_run(client, client_version="1.0.0", share_logs=False, decline_logs=True)
+
+    body = json.loads(client.request.call_args.kwargs["payload"])
+    assert body == {"client_version": "1.0.0", "share_logs": False, "decline_logs": True}
 
 
 def test_register_cli_run_returns_none_on_api_failure():
     client = Mock(spec=CliClient)
     client.request.side_effect = APIFailure("network down")
 
-    assert register_cli_run(client, client_version="1.0.0", share_logs=True) is None
+    assert register_cli_run(
+        client, client_version="1.0.0", share_logs=True, decline_logs=False
+    ) is None
 
 
 def test_register_cli_run_returns_none_on_missing_run_id_when_enabled():
     client = Mock(spec=CliClient)
     client.request.return_value = _resp({"log_streaming_enabled": True})
 
-    assert register_cli_run(client, client_version="1.0.0", share_logs=True) is None
+    assert register_cli_run(
+        client, client_version="1.0.0", share_logs=True, decline_logs=False
+    ) is None
 
 
 def test_register_cli_run_returns_none_on_bad_json():
@@ -69,7 +87,9 @@ def test_register_cli_run_returns_none_on_bad_json():
     client = Mock(spec=CliClient)
     client.request.return_value = bad
 
-    assert register_cli_run(client, client_version="1.0.0", share_logs=True) is None
+    assert register_cli_run(
+        client, client_version="1.0.0", share_logs=True, decline_logs=False
+    ) is None
 
 
 def test_finalize_cli_run_posts_status_and_null_report_run_id_by_default():

tests/unit/test_streaming.py

@@ -28,6 +28,7 @@ def test_setup_streaming_returns_none_when_register_fails():
             sdk_logger=logging.getLogger("t-fail-sdk"),
             client_version="1.0",
             share_logs=True,
+            decline_logs=False,
             enable_debug=False,
         )
     assert teardown is None
@@ -52,6 +53,7 @@ def fake_finalize(client, run_id, status="success", report_run_id=None):
             sdk_logger=sdk_logger,
             client_version="1.0",
             share_logs=True,
+            decline_logs=False,
             enable_debug=False,
         )
         assert teardown is not None
@@ -82,6 +84,7 @@ def fake_finalize(client, run_id, status="success", report_run_id=None):
             sdk_logger=sdk_logger,
             client_version="1.0",
             share_logs=True,
+            decline_logs=False,
             enable_debug=False,
         )
         teardown()
@@ -108,6 +111,7 @@ def test_setup_streaming_restores_logger_state_on_teardown():
             sdk_logger=sdk_logger,
             client_version="1.0",
             share_logs=True,
+            decline_logs=False,
             enable_debug=False,
         )
         # During streaming: levels and propagate are forced