[H-3 / Phase 1] [HIGH] Stop logging raw PII to stdout

[matthewod11-stack]

Full spec: docs/hardening-roadmap-2026-04-16.md#h-3

Description

apps/cli/src/handlers.ts:253 logs shared email: ${email} via console.log. Terminal scrollback, CI logs, and redirected stdout preserve this. Audit all CLI console.log/console.error call sites.

Current State

• apps/cli/src/handlers.ts:253 logs raw email during cross-candidate merge.
• Grep console.log.*email|console.log.*phone|console.log.*\.value across apps/cli/src.

Suggested Fix

• Create redactPII(value, type) helper in @sourcerer/core (new pii-redact.ts).
  • email → al***@example.com
  • phone → last-4 only
  • address → city-only
• Replace raw PII in handlers.ts:253 with redactPII(email, 'email').
• Grep remaining call sites and redact.
• Add convention to CLAUDE.md: "Never log raw PII. Use redactPII()."

Verification

• pnpm build passes
• pnpm test passes
• pnpm typecheck clean
• Unit test: redactPII('alice@example.com', 'email') === 'al***@example.com'
• Grep for console.log.*email returns only redacted forms

Automation Hints

scope: packages/core, apps/cli/src
do-not-touch: packages/adapters, packages/scoring
approach: add-validation
risk: low
max-files-changed: 6
blocked-by: none
bail-if: CLI tests fail

Priority

High