From e7b40c1c506a6e78a14671106ca314622bb9b305 Mon Sep 17 00:00:00 2001 From: Joseph Doherty Date: Wed, 20 May 2026 16:56:56 -0400 Subject: [PATCH] docs(audit): add M5 payload+redaction implementation plan (#23) 4 bundles: filter+truncation, redactors (header/body/SQL-param), wire into all emission paths + health metric, config+perf+safety-net. Vocabulary translation locked: error-row cap (64 KB) on Status NOT IN (Delivered, Submitted, Forwarded). Filter integration point in each writer (FallbackAuditWriter, CentralAuditWriter, AuditLogIngestActor) BEFORE storage call. --- ...026-05-20-auditlog-m5-payload-redaction.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 docs/plans/2026-05-20-auditlog-m5-payload-redaction.md diff --git a/docs/plans/2026-05-20-auditlog-m5-payload-redaction.md b/docs/plans/2026-05-20-auditlog-m5-payload-redaction.md new file mode 100644 index 0000000..28f615e --- /dev/null +++ b/docs/plans/2026-05-20-auditlog-m5-payload-redaction.md 
@@ -0,0 +1,20 @@ +# Audit Log #23 — M5 Payload + Redaction Implementation Plan + +> **For Claude:** REQUIRED SUB-SKILL: Use superpowers-extended-cc:subagent-driven-development (bundled cadence). + +**Goal:** Filter pipeline (IAuditPayloadFilter) runs between event construction and writer call. Truncates to 8 KB / 64 KB on error; applies HTTP header redactors (default list from M1-T9 AuditLogOptions); applies body regex redactors (global + per-target); applies SQL parameter redactors (per-connection opt-in); over-redacts on regex error and increments AuditRedactionFailure metric. Hot-reloadable config via IOptionsMonitor. + +**Vocabulary (M1 reality):** Error-row cap (64 KB) triggers when `Status NOT IN (AuditStatus.Delivered, AuditStatus.Submitted, AuditStatus.Forwarded)` — i.e., on `Failed/Parked/Discarded/Attempted/Skipped`. The roadmap's M5-T2 step references (Status=TransientFailure/PermanentFailure) are stale pre-M1 wording. Translation: `TransientFailure` = `Attempted` with HttpStatus 5xx OR `Failed`; `PermanentFailure` = `Failed`. + +**M4 realities baked in:** AuditingDb decorators, NotificationOutboxActor, AuditWriteMiddleware, site emission paths all need filter pluggin. Filter is invoked in: +- FallbackAuditWriter.WriteAsync (site chain) — before SqliteAuditWriter.WriteAsync. +- CentralAuditWriter.WriteAsync (central direct-write) — before IAuditLogRepository.InsertIfNotExistsAsync. +- AuditLogIngestActor handlers — before InsertIfNotExistsAsync/UpsertAsync. + +**Bundles:** +- Bundle A — Filter contract + truncation (T1, T2). +- Bundle B — Header + body + SQL param redaction (T3, T4, T5). +- Bundle C — Wire into emission paths + health metric (T6, T7). +- Bundle D — Configuration binding + perf + safety-net edge cases (T8, T9, T10). + +Final cross-bundle review + merge.
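Review bot: The Goal paragraph lists truncation (8 KB / 64 KB on error) ahead of the header, body and SQL-parameter redactors but never states the order in which the filter applies them. Please state it explicitly. If truncation runs first, a value that a body regex would have matched can be cut at the cap boundary and its leading part stored unredacted, so redact-then-truncate looks like the safer default. In the "M4 realities" paragraph, four emitters (AuditingDb decorators, NotificationOutboxActor, AuditWriteMiddleware, site emission paths) are said to need the filter, while the invocation list names only FallbackAuditWriter, CentralAuditWriter and AuditLogIngestActor. Say whether every emitter reaches storage through one of those three, and consider covering that in the Bundle D safety-net work so a path that bypasses the filter is caught. In the Vocabulary paragraph, `Failed` is mapped to both TransientFailure and PermanentFailure, and the grouping in "`Attempted` with HttpStatus 5xx OR `Failed`" is ambiguous; parenthesise it. Minor: "pluggin" should be "plug-in".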