Context
The architecture asks for audit logs on admin-sensitive operations, but advisor_update.md flags that audit_logs.details may include WhatsApp numbers or other sensitive values. The audit log should stay useful without becoming a PII dump.
Acceptance criteria
- Inventory every insert into audit_logs and identify any phone numbers, payment references, notes, or free-text fields stored in details.
- Define what is allowed in audit details versus what should be redacted, hashed, truncated, or omitted.
- Update logging helpers/actions to avoid storing unnecessary PII.
- Confirm the audit viewer still gives admins enough context to investigate changes.
- Add tests or code-level assertions for any new sanitizer/helper.
References
docs/ARCHITECTURE.md observability and audit logging notes
docs/OPS.md data hygiene and privacy sections
advisor_update.md Security / hardening: Privacy: WhatsApp numbers in audit logs
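
One way to implement the allowed / hashed / truncated / omitted split from the acceptance criteria, as an added example that is not the project's own code. The field names, the policy sets, the HMAC key and the choice of Python are assumptions, since the page lists neither the actual keys stored in details nor the project's language.

```python
import hashlib
import hmac
import re

# Assumption: a server-side secret, so hashed numbers cannot be recovered by
# brute-forcing the small phone-number space. Constructed value for the example.
AUDIT_HASH_KEY = b"example-key-load-from-secret-store"

# Hypothetical field policy; the real key names come from the inventory step.
ALLOW = {"action", "target_id", "old_status", "new_status", "reason"}
HASH = {"whatsapp_number", "phone"}
TRUNCATE = {"payment_reference"}
OMIT_TEXT = {"notes", "message"}

# Phone-like run of digits and separators that is not part of a longer token
# (the lookarounds keep UUIDs and similar ids intact).
PHONE_RE = re.compile(r"(?<![\w-])\+?\d[\d\s().-]{7,}\d(?![\w-])")


def _pseudonym(value: str) -> str:
    """Keyed hash of the digits, so one number still correlates across entries."""
    digits = re.sub(r"\D", "", value)
    mac = hmac.new(AUDIT_HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()
    return f"hmac:{mac[:16]}"


def sanitize_audit_details(details: dict) -> dict:
    """Return a copy of details that is safe to store in audit_logs.details."""
    safe = {}
    for key, value in details.items():
        if key in HASH:
            safe[key] = _pseudonym(str(value))
        elif key in TRUNCATE:
            text = str(value)
            safe[key] = "..." + text[-4:] if len(text) > 4 else "***"
        elif key in OMIT_TEXT:
            # Record that text was present, not the text itself.
            safe[key] = {"redacted": True, "length": len(str(value))}
        elif key in ALLOW:
            # Allowed strings can still carry a pasted phone number.
            if isinstance(value, str):
                value = PHONE_RE.sub("[phone]", value)
            safe[key] = value
        # Keys not covered by the policy are dropped (default deny).
    return safe
```

Because unknown keys are dropped, a new insert into audit_logs that adds a field stores nothing for it until the field is classified in the policy.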