feat(go): add ContentCaptureMode for SDK-level content stripping

Callers now have a way to prevent text from leaving the process
via the export pipeline or OTel attributes. MetadataOnly mode
strips all text content at the SDK level while preserving message
structure, tool names, usage, and timing so server-side
analytics still work.

The existing IncludeContent bool on ToolExecutionStart only
controlled span attributes for individual tools, this replaces it
with a mode that applies to the entire generation and propagates
to child tool executions via context.

Author: alexander-akhmetov

go/sigil/client.go

@@ -26,6 +26,24 @@ type Config struct {
 	GenerationExport GenerationExportConfig
 	API              APIConfig
 	EmbeddingCapture EmbeddingCaptureConfig
+	// ContentCapture controls the default content capture mode for all
+	// generations and tool executions. Per-recording overrides take precedence.
+	ContentCapture ContentCaptureMode
+	// ContentCaptureResolver, when set, is called before each generation,
+	// tool execution, and rating submission to dynamically resolve the content
+	// capture mode. It receives the request context and the recording's
+	// metadata (nil when the recording type has no metadata, e.g. tool
+	// executions).
+	//
+	// Resolution precedence (highest → lowest):
+	//   1. Per-recording ContentCapture field (explicit override)
+	//   2. ContentCaptureResolver return value
+	//   3. Config.ContentCapture (static default)
+	//
+	// Returning ContentCaptureModeDefault defers to Config.ContentCapture.
+	// Panics are recovered and treated as ContentCaptureModeMetadataOnly
+	// (fail-closed).
+	ContentCaptureResolver func(ctx context.Context, metadata map[string]any) ContentCaptureMode
 	// Tracer is optional and mainly used for tests. If nil, the client uses the global OpenTelemetry tracer.
 	Tracer trace.Tracer
 	// Meter is optional and mainly used for tests. If nil, the client uses the global OpenTelemetry meter.
@@ -226,11 +244,12 @@ type Client struct {
 //
 // All methods are safe to call on a nil or no-op recorder.
 type GenerationRecorder struct {
-	client    *Client
-	ctx       context.Context
-	span      trace.Span
-	seed      GenerationStart
-	startedAt time.Time
+	client             *Client
+	ctx                context.Context
+	span               trace.Span
+	seed               GenerationStart
+	startedAt          time.Time
+	contentCaptureMode ContentCaptureMode
 
 	mu             sync.Mutex
 	ended          bool
@@ -455,12 +474,19 @@ func (c *Client) startGeneration(ctx context.Context, start GenerationStart, def
 		ThinkingEnabled:   cloneBoolPtr(seed.ThinkingEnabled),
 	})...)
 
+	// Resolve content capture mode: per-recording > resolver > client default.
+	resolverMode := callContentCaptureResolver(c.config.ContentCaptureResolver, ctx, seed.Metadata)
+	clientMode := resolveClientContentCaptureMode(resolveContentCaptureMode(resolverMode, c.config.ContentCapture))
+	ccMode := resolveContentCaptureMode(seed.ContentCapture, clientMode)
+	callCtx = withContentCaptureMode(callCtx, ccMode)
+
 	return callCtx, &GenerationRecorder{
-		client:    c,
-		ctx:       callCtx,
-		span:      span,
-		seed:      seed,
-		startedAt: startedAt,
+		client:             c,
+		ctx:                callCtx,
+		span:               span,
+		seed:               seed,
+		startedAt:          startedAt,
+		contentCaptureMode: ccMode,
 	}
 }
 
@@ -575,13 +601,16 @@ func (c *Client) StartToolExecution(ctx context.Context, start ToolExecutionStar
 	attrs := toolSpanAttributes(seed)
 	span.SetAttributes(attrs...)
 
+	ctxMode, ctxSet := contentCaptureModeFromContext(ctx)
+	includeContent := shouldIncludeToolContent(seed.ContentCapture, ctxMode, ctxSet, c.config.ContentCapture, seed.IncludeContent)
+
 	return callCtx, &ToolExecutionRecorder{
 		client:         c,
 		ctx:            callCtx,
 		span:           span,
 		seed:           seed,
 		startedAt:      startedAt,
-		includeContent: seed.IncludeContent,
+		includeContent: includeContent,
 	}
 }
 
@@ -661,14 +690,19 @@ func (r *GenerationRecorder) End() {
 	normalized := r.normalizeGeneration(generation, completedAt, callErr)
 	applyTraceContextFromSpan(r.span, &normalized)
 
+	stampContentCaptureMetadata(&normalized, r.contentCaptureMode)
+	if r.contentCaptureMode == ContentCaptureModeMetadataOnly {
+		stripContent(&normalized, classifyErrorCategory(callErr, false))
+	}
+
 	r.span.SetName(generationSpanName(normalized))
 	r.span.SetAttributes(generationSpanAttributes(normalized)...)
 
 	r.mu.Lock()
 	r.lastGeneration = cloneGeneration(normalized)
 	r.mu.Unlock()
 
-	enqueueErr := r.client.persistGeneration(r.ctx, normalized)
+	enqueueErr := r.client.persistGeneration(normalized)
 
 	// Record errors on span.
 	if callErr != nil {
@@ -1078,11 +1112,10 @@ func combineAllErrors(errs ...error) error {
 	return errors.Join(filtered...)
 }
 
-func (c *Client) persistGeneration(_ context.Context, generation Generation) error {
-	if err := ValidateGeneration(generation); err != nil {
+func (c *Client) persistGeneration(generation Generation) error {
+	if err := validateGeneration(generation); err != nil {
 		return fmt.Errorf("%w: %v", errGenerationValidation, err)
 	}
-
 	if err := c.enqueueGeneration(generation); err != nil {
 		return fmt.Errorf("%w: %w", errGenerationEnqueue, err)
 	}

go/sigil/content_capture.go

@@ -0,0 +1,180 @@
+package sigil
+
+import (
+	"context"
+	"fmt"
+	"strings"
+)
+
+// ContentCaptureMode controls what content is included in exported generation
+// payloads and OTel span attributes.
+type ContentCaptureMode int
+
+const (
+	// ContentCaptureModeDefault uses the parent or client-level default.
+	// On Config this resolves to Full for backward compatibility.
+	// On GenerationStart this inherits from Config.
+	// On ToolExecutionStart this inherits from the parent generation context,
+	// falling back to Config.
+	ContentCaptureModeDefault ContentCaptureMode = iota
+	// ContentCaptureModeFull exports all content.
+	ContentCaptureModeFull
+	// ContentCaptureModeMetadataOnly preserves message structure, tool names,
+	// usage, and timing but strips text, tool arguments, tool results,
+	// thinking, system prompts, and raw artifacts.
+	//
+	// Note: user-provided Metadata and Tags are NOT stripped — callers are
+	// responsible for ensuring these maps do not contain sensitive content
+	// when using MetadataOnly mode.
+	ContentCaptureModeMetadataOnly
+)
+
+const (
+	metadataKeyContentCaptureMode   = "sigil.sdk.content_capture_mode"
+	contentCaptureModeValueFull     = "full"
+	contentCaptureModeValueMetaOnly = "metadata_only"
+)
+
+// resolveContentCaptureMode returns the effective mode from an override and a
+// fallback. Default is transparent — it falls through to the fallback.
+func resolveContentCaptureMode(override, fallback ContentCaptureMode) ContentCaptureMode {
+	if override != ContentCaptureModeDefault {
+		return override
+	}
+	return fallback
+}
+
+// callContentCaptureResolver invokes the resolver callback safely, recovering
+// from panics. Returns ContentCaptureModeDefault when the resolver is nil.
+// Panics are treated as ContentCaptureModeMetadataOnly (fail-closed).
+func callContentCaptureResolver(resolver func(ctx context.Context, metadata map[string]any) ContentCaptureMode, ctx context.Context, metadata map[string]any) (mode ContentCaptureMode) {
+	if resolver == nil {
+		return ContentCaptureModeDefault
+	}
+	defer func() {
+		if r := recover(); r != nil {
+			mode = ContentCaptureModeMetadataOnly
+		}
+	}()
+	return resolver(ctx, metadata)
+}
+
+// resolveClientContentCaptureMode resolves the effective mode for the client.
+// Default at the client level means Full (backward compatibility).
+func resolveClientContentCaptureMode(mode ContentCaptureMode) ContentCaptureMode {
+	if mode == ContentCaptureModeDefault {
+		return ContentCaptureModeFull
+	}
+	return mode
+}
+
+// stampContentCaptureMetadata sets the content capture mode marker on the generation.
+func stampContentCaptureMetadata(g *Generation, mode ContentCaptureMode) {
+	if g.Metadata == nil {
+		g.Metadata = map[string]any{}
+	}
+	g.Metadata[metadataKeyContentCaptureMode] = mode.String()
+}
+
+// isContentStripped reports whether the generation has been through MetadataOnly
+// stripping, based on the stamped metadata marker.
+func isContentStripped(g Generation) bool {
+	if g.Metadata == nil {
+		return false
+	}
+	v, _ := g.Metadata[metadataKeyContentCaptureMode].(string)
+	return v == contentCaptureModeValueMetaOnly
+}
+
+// stripContent removes sensitive content from a generation while preserving
+// message structure (roles, part kinds), tool names/IDs, usage, timing, and
+// all other metadata fields. errorCategory is the classified error category
+// (e.g. "rate_limit", "timeout") used to replace the raw CallError text.
+func stripContent(g *Generation, errorCategory string) {
+	g.SystemPrompt = ""
+	g.Artifacts = nil
+
+	if g.CallError != "" {
+		if errorCategory != "" {
+			g.CallError = errorCategory
+		} else {
+			g.CallError = "sdk_error"
+		}
+	}
+	delete(g.Metadata, "call_error")
+
+	for i := range g.Input {
+		stripMessageContent(&g.Input[i])
+	}
+	for i := range g.Output {
+		stripMessageContent(&g.Output[i])
+	}
+	for i := range g.Tools {
+		g.Tools[i].Description = ""
+		g.Tools[i].InputSchema = nil
+	}
+}
+
+func stripMessageContent(m *Message) {
+	for i := range m.Parts {
+		m.Parts[i].Text = ""
+		m.Parts[i].Thinking = ""
+		if m.Parts[i].ToolCall != nil {
+			m.Parts[i].ToolCall.InputJSON = nil
+		}
+		if m.Parts[i].ToolResult != nil {
+			m.Parts[i].ToolResult.Content = ""
+			m.Parts[i].ToolResult.ContentJSON = nil
+		}
+	}
+}
+
+// shouldIncludeToolContent determines whether tool execution content (arguments,
+// results) should be included in span attributes. It resolves the effective mode
+// from the explicit override, context, client default, and legacy IncludeContent.
+func shouldIncludeToolContent(toolMode, ctxMode ContentCaptureMode, ctxSet bool, clientDefault ContentCaptureMode, legacyInclude bool) bool {
+	resolved := resolveClientContentCaptureMode(clientDefault)
+	if ctxSet {
+		resolved = ctxMode
+	}
+	if toolMode != ContentCaptureModeDefault {
+		resolved = toolMode
+	}
+	if resolved == ContentCaptureModeMetadataOnly {
+		return false
+	}
+	// In Full mode, fall back to legacy IncludeContent behavior.
+	return legacyInclude
+}
+
+// String returns the string representation of a ContentCaptureMode.
+func (m ContentCaptureMode) String() string {
+	switch m {
+	case ContentCaptureModeMetadataOnly:
+		return contentCaptureModeValueMetaOnly
+	case ContentCaptureModeFull:
+		return contentCaptureModeValueFull
+	default:
+		return "default"
+	}
+}
+
+// MarshalText implements encoding.TextMarshaler for ContentCaptureMode.
+func (m ContentCaptureMode) MarshalText() ([]byte, error) {
+	return []byte(m.String()), nil
+}
+
+// UnmarshalText implements encoding.TextUnmarshaler for ContentCaptureMode.
+func (m *ContentCaptureMode) UnmarshalText(text []byte) error {
+	switch strings.ToLower(string(text)) {
+	case contentCaptureModeValueFull:
+		*m = ContentCaptureModeFull
+	case contentCaptureModeValueMetaOnly:
+		*m = ContentCaptureModeMetadataOnly
+	case "default", "":
+		*m = ContentCaptureModeDefault
+	default:
+		return fmt.Errorf("unknown content capture mode: %q", string(text))
+	}
+	return nil
+}