scadalink-design/docs/plans/2026-05-20-auditlog-m5-payload-redaction.md

Audit Log #23 — M5 Payload + Redaction Implementation Plan

For Claude: REQUIRED SUB-SKILL: Use superpowers-extended-cc:subagent-driven-development (bundled cadence).

Goal: Filter pipeline (IAuditPayloadFilter) runs between event construction and writer call. Truncates to 8 KB / 64 KB on error; applies HTTP header redactors (default list from M1-T9 AuditLogOptions); applies body regex redactors (global + per-target); applies SQL parameter redactors (per-connection opt-in); over-redacts on regex error and increments AuditRedactionFailure metric. Hot-reloadable config via IOptionsMonitor.

Vocabulary (M1 reality): Error-row cap (64 KB) triggers when Status NOT IN (AuditStatus.Delivered, AuditStatus.Submitted, AuditStatus.Forwarded) — i.e., on Failed/Parked/Discarded/Attempted/Skipped. The roadmap's M5-T2 step references (Status=TransientFailure/PermanentFailure) are stale pre-M1 wording. Translation: TransientFailure = Attempted with HttpStatus 5xx OR Failed; PermanentFailure = Failed.

M4 realities baked in: AuditingDb decorators, NotificationOutboxActor, AuditWriteMiddleware, site emission paths all need filter pluggin. Filter is invoked in:

• FallbackAuditWriter.WriteAsync (site chain) — before SqliteAuditWriter.WriteAsync.
• CentralAuditWriter.WriteAsync (central direct-write) — before IAuditLogRepository.InsertIfNotExistsAsync.
• AuditLogIngestActor handlers — before InsertIfNotExistsAsync/UpsertAsync.

Bundles:

• Bundle A — Filter contract + truncation (T1, T2).
• Bundle B — Header + body + SQL param redaction (T3, T4, T5).
• Bundle C — Wire into emission paths + health metric (T6, T7).
• Bundle D — Configuration binding + perf + safety-net edge cases (T8, T9, T10).

Final cross-bundle review + merge.