ez_logs_agent 0.1.10 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2a7479b12ee7dd0814929516f0474d7e05e393410d86a1c6d56117c854945809
-  data.tar.gz: 54af5890799ca5614373dae0e66d1b422b3abab3dee7d9d0f95c7f23039ffdd7
+  metadata.gz: 96fd8717fab4330e842769b9a4ae03902ccb2487e24c418d54601c99862da306
+  data.tar.gz: e0967b4bfe22b2abb5946c213378a615f3d399a9c0b8d8dd3f002f731bda9444
 SHA512:
-  metadata.gz: a68790e445b19ba92f2df2d0733fe6ae7e6d9c43f2ff854eed01fced091cb7d62aa1c0377429c44d3250abc515d5a1bb45056f1087eb0e2b8d491461fdd94843
-  data.tar.gz: f4208dc88f566f28e1ec24288533468fb3f99d268a77d4f3030da19fc4fc77fe8e36a39052516ddc94def977f03012d8bc157fccb319161a06d4889f52cd37e5
+  metadata.gz: bc502ab7e6ec65dab0f691005e4e0a71a23182a184c2ce1a188933ebe01db1155b3e4e500a59d23e7275c1a836450317a63e262d0d0babbf5123120be1718809
+  data.tar.gz: cc13f82eece53f6deb53c07ad324cf74fce412d06112abfa86c5ca76a829ed01a1cb421a63125489d969ee2e21efb3d9cb03f5b65412db9792330edca30be271

data/CHANGELOG.md

@@ -2,6 +2,94 @@
 
 All notable changes to this project will be documented in this file.
 
+## [0.2.1] — 2026-06-05
+
+### Fixed
+- **Bulk-op row counts on Postgres.** The PG adapter does not populate
+  `payload[:row_count]` for plain `DELETE`/`UPDATE` notifications, so
+  the first 0.2.0 builds shipped `row_count: 0` for the cases that
+  matter most. `BulkDatabaseCapturer` now prepends a tiny shim onto
+  `ActiveRecord::Relation#delete_all` / `#update_all` that stashes the
+  returned row count and back-fills it onto the just-pushed event via
+  `Buffer.peek_last`. No change to the wire shape — `row_count` now
+  carries the real number.
+- **Model resolution in Rails dev mode.** `ActiveRecord::Base.descendants`
+  only sees eager-loaded models. The resolver now falls through to
+  `safe_constantize` of the classified table name and verifies the
+  reconstructed class actually owns that table, so bulk ops on
+  lazy-autoloaded models in dev / test no longer silently drop.
+- **Rails Query Log Tags noise in `where_template`.** The parser now
+  strips `/*application='X',action='Y'*/` comments before extracting
+  the WHERE clause, so the humanized filter line on the server reads
+  cleanly instead of leaking the framework's instrumentation tags.
+
+### Changed
+- **Framework-rewrite filter narrowed.** The 0.2.0 filter that swallowed
+  Rails-generated `SET col = NULL` writes was too aggressive — it also
+  hid deliberate "null this column out" operations the customer wrote.
+  The filter now only drops `COALESCE`-shaped counter bumps and
+  empty-`SET` shells; honest `SET col = NULL` writes are captured and
+  render as "Cleared col" on the timeline.
+- **Hot-path performance.** `capture_jobs`, `capture_database`, the
+  excluded-tables / excluded-job-classes / display-name maps, and the
+  user-extended sensitive-key patterns are now memoized at install
+  time across `ActiveJobCapturer`, `DatabaseCapturer`,
+  `BulkDatabaseCapturer`, and `SensitivePatterns`. The
+  `sql.active_record` subscriber is also tuned: 5-arity block to avoid
+  splat allocation, cheap `end_with?` name-prefilter ahead of any
+  parsing, and an early bail before `safe_constantize`. Bulk capture
+  overhead measured below the noise floor on a 10 ms reference query.
+
+## [0.2.0] — 2026-06-05
+
+### Added
+- **Bulk database operations are now captured.** Adds a fourth event
+  `source_type` — `bulk_database` — for the four ActiveRecord operations
+  that bypass per-row callbacks: `delete_all`, `update_all`, `insert_all`,
+  `upsert_all`. Implemented via a narrowly-filtered
+  `ActiveSupport::Notifications.subscribe("sql.active_record")` subscription
+  (`Capturers::BulkDatabaseCapturer`) — not a replacement for the existing
+  callback-based DatabaseCapturer; the two run side by side under the
+  same `capture_database` config flag.
+
+  The new wire shape carries `model_class`, `operation`, `row_count`,
+  `where_template` + sanitized `where_binds`, plus an operation-specific
+  field (`set` for update_all, `columns` for insert_all/upsert_all).
+  Insert/upsert ship column NAMES only — no values, per the product
+  decision that bulk-row PII shouldn't ride the wire.
+
+  Cascade case (`dependent: :delete_all` on a parent destroy) is
+  captured automatically, since it produces the same SQL shape — the
+  reader sees the parent destroy AND the cascade as sibling rows on the
+  timeline.
+
+  Resource attribution uses a `resource_id: "bulk:<row_count>"` sentinel,
+  since individual row IDs are not knowable from the SQL without
+  changing the customer's operation (which would violate the read-only
+  principle).
+
+### Changed
+- `Sanitizer::SENSITIVE_PATTERNS` and the previous in-class
+  `DatabaseCapturer::SENSITIVE_PATTERNS` (which had drifted) are now a
+  single source of truth: `EzLogsAgent::SensitivePatterns::PATTERNS`.
+  Both capturers + the new BulkDatabaseCapturer consult the same list.
+  The merged list is the UNION of the previous two — no patterns
+  removed; `passwd`, `pwd`, `cvv`, `cvc`, `pem`, `cipher`, `nonce`,
+  `salt`, `digest`, `signature`, `hmac` all continue to be masked.
+- `encrypts :foo` introspection (Rails 7+ `model.class.encrypted_attributes`)
+  is now exposed as the standalone `EzLogsAgent::EncryptedAttributes`
+  module, so both the per-row and bulk capturers consult it via the
+  same path. Behavior unchanged for per-row.
+
+### Limits (documented)
+- Raw `connection.execute(sql)` calls are not captured (no
+  notifications fire under `sql.active_record` with a recognizable
+  shape). Use the typed bulk methods to get visibility.
+- Specific row IDs affected by a bulk op are not captured — only the
+  filter rule (WHERE columns + values) and row count. For per-row
+  detail, use `find_each(&:destroy)` style which fires per-row
+  callbacks.
+
 ## [0.1.10] — 2026-06-05
 
 ### Fixed

data/README.md

@@ -218,17 +218,29 @@ Sidekiq and ActiveJob executions:
 
 ActiveRecord create, update, and destroy operations:
 
-**What's captured:**
+**What's captured (per-row, via `after_create` / `after_update` / `after_destroy`):**
 - Model class name, record ID, operation type (create/update/destroy)
 - For creates: initial attribute values
 - For updates: one meaningful attribute change (e.g., `status: pending → shipped`)
 - For destroys: final attribute values before deletion
 - Correlation ID (automatically inherited from the current request or job)
 
+**What's captured (bulk, via `ActiveSupport::Notifications` on `sql.active_record`):**
+- The four ActiveRecord operations that bypass per-row callbacks:
+  `delete_all`, `update_all`, `insert_all`, `upsert_all`.
+- For each: model class, row count, the filter rule (WHERE columns +
+  sanitized bind values), and operation-specific detail (SET hash for
+  `update_all`, column names for `insert_all` / `upsert_all` — values
+  are NOT shipped for bulk inserts).
+- `dependent: :delete_all` cascades during a parent destroy.
+
 **What's NOT captured:**
 - SELECT queries (read operations don't change data)
 - Schema migrations (Rails internal operations)
-- Bulk operations (e.g., `update_all`, `delete_all`)
+- Raw `connection.execute(sql)` calls (no recognizable model class)
+- Individual row IDs affected by bulk operations (only the filter rule
+  and row count — pulling the IDs would require modifying the
+  customer's SQL, which violates the read-only principle).
 
 **Automatic exclusions (no configuration needed):**
 - `sessions` — Session store updates
@@ -777,18 +789,23 @@ Common validation errors:
 
 3. **Look for database capture registration in logs:**
    ```
-   [Railtie] Database capture installed
+   [Railtie] Database capture installed (per-row + bulk)
    ```
 
 4. **Verify models aren't excluded:**
    Check `config.excluded_tables` to ensure your tables aren't being filtered out.
 
-5. **Remember: Only create/update/destroy are captured:**
-   - ✅ `User.create(...)` — Captured
-   - ✅ `user.update(...)` — Captured
-   - ✅ `user.destroy` — Captured
+5. **What is and isn't captured:**
+   - ✅ `User.create(...)` — Captured (per-row callback)
+   - ✅ `user.update(...)` — Captured (per-row callback)
+   - ✅ `user.destroy` — Captured (per-row callback)
+   - ✅ `User.update_all(...)` — Captured as a `bulk_database` event
+     (filter + SET clause + row count; no per-row IDs)
+   - ✅ `User.where(...).delete_all` — Captured as a `bulk_database` event
+   - ✅ `User.insert_all(...)` / `upsert_all(...)` — Captured (columns + count)
    - ❌ `User.find(...)` — NOT captured (read-only)
-   - ❌ `User.update_all(...)` — NOT captured (bulk operation)
+   - ❌ `User.connection.execute("DELETE FROM ...")` — NOT captured
+     (raw SQL bypasses the typed AR API we hook)
 
 ---
 

data/lib/ez_logs_agent/buffer.rb

@@ -59,6 +59,20 @@ module EzLogsAgent
         # Best effort, ignore failures
       end
 
+      # Returns the most recently pushed event WITHOUT removing it.
+      # Used by BulkDatabaseCapturer to backfill the affected-row count
+      # after the relation method's return value is known (Rails'
+      # payload[:row_count] is unreliable for plain DELETE on PG).
+      # Mutating the returned hash in place is intentional and safe —
+      # the event hasn't been flushed yet.
+      # @return [Hash, nil] The last event, or nil if empty.
+      def peek_last
+        @monitor.synchronize { @queue.last }
+      rescue => error
+        log_error("[Buffer] peek_last failed: #{error.message}")
+        nil
+      end
+
       private
 
       def max_size

data/lib/ez_logs_agent/bulk_sql_parser.rb

@@ -0,0 +1,312 @@
+# frozen_string_literal: true
+
+module EzLogsAgent
+  # Pure-functional parser for the four ActiveRecord bulk operations that
+  # bypass per-row callbacks: delete_all, update_all, insert_all, upsert_all.
+  # Used by BulkDatabaseCapturer to turn an AS::Notifications "sql.active_record"
+  # payload into a structured wire shape the server can humanize.
+  #
+  # ## What it extracts
+  #
+  # For delete_all:
+  #   { operation: :delete_all, where_template: "status = $1", where_binds: [{column:, value:}] }
+  #
+  # For update_all:
+  #   { operation: :update_all, set: {"status" => "paid"}, where_template:, where_binds: }
+  #
+  # For insert_all / upsert_all:
+  #   { operation: :insert_all|:upsert_all, columns: ["name", "email"] }
+  #   (No values — per the product decision; column SHAPE only.)
+  #
+  # For anything else (subqueries, joins, raw SQL the regex can't parse,
+  # malformed binds): returns { unparseable: true }. BulkDatabaseCapturer
+  # falls back to shipping row_count + operation + model_class with no
+  # template / binds / set — the timeline still reads "Bulk delete: 50,000
+  # orders" minus the WHERE detail.
+  #
+  # ## Why regex (not Arel / pg_query)
+  #
+  # Both Arel and pg_query are adapter-specific and either slow or heavy
+  # to add as a runtime dependency on every customer host app. Regex on
+  # the standardized AR-emitted SQL string is fast (sub-millisecond on
+  # typical statements) and adapter-tolerant. The graceful "unparseable"
+  # branch covers the long tail.
+  #
+  # ## Adapter quoting handled
+  #
+  # - PostgreSQL: "orders"."status" = $1   (double-quoted, $N placeholders)
+  # - SQLite:     "orders"."status" = ?     (double-quoted, ? placeholders)
+  # - MySQL:      `orders`.`status` = ?     (backticks, ? placeholders)
+  module BulkSqlParser
+    # Loose match for an identifier wrapped in any of the three quote
+    # styles AR uses. Captures the unquoted name.
+    IDENTIFIER = /["`]([^"`]+)["`]/.freeze
+
+    # Either a "qualified" or "bare" identifier reference, used in
+    # WHERE/SET clause columns. AR prefixes the table name in some
+    # paths and not in others — accept both. Captures just the column.
+    COLUMN = /(?:#{IDENTIFIER}\.)?#{IDENTIFIER}/.freeze
+
+    # A bind placeholder — Postgres uses $N (1-indexed), SQLite/MySQL use ?.
+    # The order of placeholders in the SQL corresponds 1:1 with the order
+    # of values in `binds` / `type_casted_binds`.
+    PLACEHOLDER = /(?:\$\d+|\?)/.freeze
+
+    module_function
+
+    # @param sql [String] Raw SQL string from `payload[:sql]`.
+    # @param type_casted_binds [Array] `payload[:type_casted_binds]` —
+    #   already-typecast values in placeholder order. May be nil for
+    #   raw SQL paths.
+    # @return [Hash] Always returns a Hash. Either the parsed structure
+    #   (keys above) or `{ unparseable: true }`.
+    def parse(sql:, type_casted_binds:)
+      return { unparseable: true } if sql.nil? || sql.empty?
+
+      sql_stripped = strip_query_log_tags(sql.strip)
+
+      case sql_stripped
+      when /\ADELETE FROM /i
+        parse_delete(sql_stripped, type_casted_binds || [])
+      when /\AUPDATE /i
+        parse_update(sql_stripped, type_casted_binds || [])
+      when /\AINSERT INTO /i
+        parse_insert(sql_stripped)
+      else
+        { unparseable: true }
+      end
+    rescue StandardError
+      # If the regex engine, binds zipping, or any sub-parse step raises,
+      # ship unparseable rather than crash the capture handler. The
+      # BulkDatabaseCapturer's own rescue would also catch this, but
+      # defending here means the rest of the capturer sees a uniform
+      # return shape.
+      { unparseable: true }
+    end
+
+    # Strip Rails 7+ Query Log Tags (`/*application='X',action='Y'*/`)
+    # AND any other trailing SQL comments. They land at the end of every
+    # statement when `config.active_record.query_log_tags_enabled = true`
+    # and are pure noise on the timeline — they leak the host app's name
+    # and controller into the user-visible filter line. Removing them at
+    # parse time means we never ship them on the wire.
+    def strip_query_log_tags(sql)
+      sql.gsub(%r{/\*.*?\*/}m, "").rstrip
+    end
+
+    # Returns the symbolic operation name we expect downstream. Detected
+    # from SQL shape, independent of the `payload[:name]` Rails version
+    # variance (see plan §"insert_all/upsert_all payload :name varies").
+    # Upsert detection requires the `ON CONFLICT` (PG) or `ON DUPLICATE KEY`
+    # (MySQL) clause — bare INSERTs are insert_all.
+    #
+    # @return [Symbol, nil] :delete_all, :update_all, :insert_all,
+    #   :upsert_all, or nil if not a bulk op.
+    def detect_operation(sql)
+      return nil if sql.nil?
+
+      sql_up = sql.lstrip.upcase
+
+      return :delete_all if sql_up.start_with?("DELETE FROM ")
+      return :update_all if sql_up.start_with?("UPDATE ")
+
+      if sql_up.start_with?("INSERT INTO ")
+        # Disambiguate insert_all vs upsert_all:
+      # - insert_all on PG/SQLite emits `ON CONFLICT DO NOTHING` (still insert).
+      # - upsert_all on PG/SQLite emits `ON CONFLICT ... DO UPDATE SET ...`.
+      # - upsert_all on MySQL emits `ON DUPLICATE KEY UPDATE ...`.
+        if (sql_up.include?("ON CONFLICT") && sql_up.include?("DO UPDATE")) ||
+           sql_up.include?("ON DUPLICATE KEY")
+          return :upsert_all
+        end
+
+        :insert_all
+      end
+    end
+
+    # --- DELETE FROM "orders" WHERE "orders"."status" = $1 ---
+    def parse_delete(sql, type_casted_binds)
+      where_sql = extract_where(sql)
+      template, binds = build_template_and_binds(where_sql, type_casted_binds)
+
+      { operation: :delete_all, where_template: template, where_binds: binds }
+    end
+
+    # --- UPDATE "orders" SET "status" = $1 WHERE "orders"."status" = $2 ---
+    # SET binds come first in placeholder order, then WHERE binds.
+    def parse_update(sql, type_casted_binds)
+      set_sql = extract_set(sql)
+      where_sql = extract_where(sql)
+      return { unparseable: true } if set_sql.nil?
+
+      set_pairs, set_bind_count = parse_set_assignments(set_sql)
+      set_binds = type_casted_binds.first(set_bind_count)
+      where_binds_raw = type_casted_binds.drop(set_bind_count)
+
+      set_hash = zip_set_values(set_pairs, set_binds)
+      where_template, where_binds = build_template_and_binds(where_sql, where_binds_raw)
+
+      {
+        operation: :update_all,
+        set: set_hash,
+        where_template: where_template,
+        where_binds: where_binds
+      }
+    end
+
+    # --- INSERT INTO "users" ("name","email") VALUES (...), (...) ---
+    def parse_insert(sql)
+      operation = detect_operation(sql)
+      return { unparseable: true } unless operation == :insert_all || operation == :upsert_all
+
+      columns = extract_insert_columns(sql)
+      return { unparseable: true } if columns.nil? || columns.empty?
+
+      { operation: operation, columns: columns }
+    end
+
+    # Returns the WHERE-clause SQL (without the keyword), or nil if absent.
+    # Stops at end-of-string, RETURNING, ORDER BY, LIMIT (AR rarely emits
+    # these on bulk DML but cheap insurance).
+    def extract_where(sql)
+      match = sql.match(/\sWHERE\s+(.+?)(?:\s+(?:RETURNING|ORDER BY|LIMIT)\b|\z)/i)
+      match && match[1].strip
+    end
+
+    # Returns the SET-clause SQL between "SET" and "WHERE"/end-of-string.
+    def extract_set(sql)
+      match = sql.match(/\sSET\s+(.+?)(?:\s+WHERE\s+|\s+RETURNING\b|\z)/i)
+      match && match[1].strip
+    end
+
+    # SET clause is comma-separated `"col" = <placeholder|literal>` pairs.
+    # AR inlines non-symbol values as literals (no placeholder) — we still
+    # surface those in the result so the reader sees what changed.
+    # Returns [[col_name, placeholder_or_literal_str], ...] + total bind count.
+    def parse_set_assignments(set_sql)
+      pairs = []
+      bind_count = 0
+
+      split_top_level_commas(set_sql).each do |assignment|
+        m = assignment.match(/\A#{COLUMN}\s*=\s*(.+)\z/)
+        next unless m
+
+        col = m[2] || m[1]
+        rhs = m[3].strip
+        pairs << [col, rhs]
+        bind_count += 1 if rhs.match?(PLACEHOLDER)
+      end
+
+      [pairs, bind_count]
+    end
+
+    # Walks set_pairs in order, taking the next bind for each placeholder
+    # RHS and pulling the literal text for non-placeholder RHS (e.g.,
+    # `updated_at = '2026-06-05 12:00:00'`).
+    def zip_set_values(set_pairs, set_binds)
+      bind_idx = 0
+      set_pairs.each_with_object({}) do |(col, rhs), acc|
+        if rhs.match?(PLACEHOLDER)
+          acc[col] = set_binds[bind_idx]
+          bind_idx += 1
+        else
+          # Strip surrounding quotes to surface the actual value.
+          acc[col] = rhs.gsub(/\A['"]|['"]\z/, "")
+        end
+      end
+    end
+
+    # Splits on commas that are NOT inside (parens) or quotes. Bulk DML
+    # SET / WHERE almost never nests, but defensive against function
+    # calls like `coalesce(x, 0)`.
+    def split_top_level_commas(str)
+      result = []
+      depth = 0
+      in_quote = false
+      quote_char = nil
+      buffer = +""
+
+      str.each_char do |ch|
+        if in_quote
+          buffer << ch
+          in_quote = false if ch == quote_char
+        elsif ch == "'" || ch == '"' || ch == "`"
+          in_quote = true
+          quote_char = ch
+          buffer << ch
+        elsif ch == "("
+          depth += 1
+          buffer << ch
+        elsif ch == ")"
+          depth -= 1
+          buffer << ch
+        elsif ch == "," && depth.zero?
+          result << buffer.strip unless buffer.empty?
+          buffer = +""
+        else
+          buffer << ch
+        end
+      end
+      result << buffer.strip unless buffer.empty?
+      result
+    end
+
+    # Given a WHERE clause SQL and the binds in placeholder order, walk
+    # the placeholders and pair each one with the column to its LEFT
+    # (the standard `"table"."col" = $1` shape AR emits). Returns the
+    # template (placeholder-preserved) and the binds tagged with column.
+    #
+    # Unrecognized shapes (subselects, joins, NULL checks without binds)
+    # leave the template intact but produce no column for the bind, in
+    # which case the bind ships with column: nil. The display layer
+    # handles nil-column binds.
+    def build_template_and_binds(where_sql, type_casted_binds)
+      return [nil, []] if where_sql.nil?
+
+      template = where_sql
+      binds = []
+      bind_index = 0
+
+      # Walk the template scanning each placeholder, looking backward
+      # for the nearest column identifier to its left.
+      template.scan(PLACEHOLDER) do
+        match_data = Regexp.last_match
+        next unless match_data
+
+        column = nearest_column_left_of(template, match_data.begin(0))
+        value = type_casted_binds[bind_index]
+        binds << { column: column, value: value }
+        bind_index += 1
+      end
+
+      [template, binds]
+    end
+
+    # Finds the most recent column identifier to the left of `pos` in
+    # the WHERE clause. Used to attribute each bind to its column name
+    # so we can mask sensitive values by name downstream.
+    def nearest_column_left_of(where_sql, pos)
+      prefix = where_sql[0...pos]
+      # Look for the last identifier before the operator (=, <, >, etc.)
+      match = prefix.match(/#{COLUMN}\s*(?:=|<>|!=|<=|>=|<|>|LIKE|IN|IS)\s*\z/i)
+      return nil unless match
+
+      # COLUMN has two capture groups: [table, col] or [_, col].
+      match[2] || match[1]
+    end
+
+    # --- INSERT INTO "users" ("name","email") VALUES ...  ---
+    # Extracts the ordered column list. Returns nil if the open paren
+    # column list isn't present (e.g., INSERT ... DEFAULT VALUES).
+    def extract_insert_columns(sql)
+      # First parenthesized list after the table name.
+      m = sql.match(/\AINSERT INTO\s+#{IDENTIFIER}\s*\(([^)]+)\)/i)
+      return nil unless m
+
+      columns_block = m[2]
+      columns_block.split(",").map do |col|
+        col.strip.gsub(/\A["`]|["`]\z/, "")
+      end.reject(&:empty?)
+    end
+  end
+end

data/lib/ez_logs_agent/capturers/active_job_capturer.rb

@@ -51,6 +51,25 @@ module EzLogsAgent
         def install
           return unless defined?(ActiveJob)
 
+          # Memoize config values that the per-job hot path reads on
+          # every execute. Without this, capture_execution dispatches
+          # into EzLogsAgent.configuration twice per job (once for
+          # capture_jobs, once for all_excluded_job_classes). On
+          # job-heavy apps that's measurable. Runtime mutations need
+          # uninstall! + install.
+          @capture_enabled =
+            begin
+              EzLogsAgent.configuration.capture_jobs
+            rescue StandardError
+              false
+            end
+          @excluded_job_classes =
+            begin
+              EzLogsAgent.configuration.all_excluded_job_classes.dup.freeze
+            rescue StandardError
+              [].freeze
+            end
+
           install_serialization_hooks unless @serialization_installed
 
           ActiveJob::Base.before_enqueue do |job|
@@ -101,7 +120,11 @@ module EzLogsAgent
         # @param block [Proc] The job execution block
         # @return [Object] The result of the job execution
         def capture_execution(job, block)
-          return block.call unless EzLogsAgent.configuration.capture_jobs
+          # Memoized at install time for hot-path perf. If we haven't
+          # installed yet (specs that test capture_execution directly),
+          # fall back to a live config read so the behavior matches.
+          enabled = defined?(@capture_enabled) ? @capture_enabled : EzLogsAgent.configuration.capture_jobs
+          return block.call unless enabled
 
           if sidekiq_adapter?(job)
             EzLogsAgent::Logger.debug("[ActiveJobCapturer] Skipping capture (Sidekiq adapter)")
@@ -196,8 +219,10 @@ module EzLogsAgent
         # @param job [ActiveJob::Base] The job instance
         # @return [Boolean] true if excluded, false otherwise
         def excluded_job_class?(job)
-          job_class_name = job.class.name
-          EzLogsAgent.configuration.all_excluded_job_classes.include?(job_class_name)
+          # Memoized at install time for perf. Fall back to a live read
+          # for specs that don't call install (see capture_execution).
+          excluded = defined?(@excluded_job_classes) ? @excluded_job_classes : EzLogsAgent.configuration.all_excluded_job_classes
+          excluded.include?(job.class.name)
         rescue StandardError
           false
         end