From a1b54ad83324ff72e603367bbd45d7eebb4f1ac3 Mon Sep 17 00:00:00 2001
From: Danijel Martinek <danijel@fraqtal.xyz>
Date: Mon, 11 May 2026 16:41:20 +0200
Subject: [PATCH] docs: surface core-audit as 5th optional package across
 discovery points

---
 AGENTS.md                                  | 1 +
 CLAUDE.md                                  | 3 ++-
 README.md                                  | 3 ++-
 docs/architecture/data-flow-explainer.html | 6 +++---
 docs/architecture/template-tiers.md        | 1 +
 docs/scaffolding/core-package-generator.md | 1 +
 6 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/AGENTS.md b/AGENTS.md
index 020e601..3e62041 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -10,6 +10,7 @@ This is a **Turborepo + pnpm monorepo** organized by vertical features. Each fea
 |---|---|---|
 | `@repo/core-shared` | core | Generic primitives (Zod, env, Payload hooks/fields/blocks, tRPC init/context) |
 | `@repo/core-ui` | core | Design system (atoms, molecules, generic organisms, templates) — **optional**, scaffold via `pnpm turbo gen core-package ui` |
+| `@repo/core-audit` | core | DPA-compliant audit logging (4 impls, GDPR erasure, OTel correlation) — **optional**, scaffold via `pnpm turbo gen core-package audit` |
 | `@repo/core-api` | core-composition | tRPC router aggregator — imports `@repo/<feature>/api` only |
 | `@repo/core-cms` | core-composition | Payload config aggregator — imports `@repo/<feature>/cms` only |
 | `@repo/core-trpc` | core-composition | Frontend tRPC client + framework-specific providers (Next.js, TanStack) |
diff --git a/CLAUDE.md b/CLAUDE.md
index 1822ce5..91d753a 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -30,7 +30,7 @@ See `docs/guides/tdd-workflow.md` for the full cycle.
 
 ## Project Overview
 
-Turborepo + pnpm monorepo organized by vertical features. Each feature (`auth`, `blog`, `media`, `marketing-pages`, `navigation`) owns its Clean Architecture layers. Must-have core packages (`core-shared`, `core-cms`, `core-api`) provide foundation; four optional core packages (`core-realtime`, `core-events`, `core-trpc`, `core-ui`) scaffold on demand via `pnpm turbo gen core-package <name>` (see `docs/architecture/template-tiers.md`). Two tooling packages (`core-eslint`, `core-typescript`) provide shared configs. Workspace boundaries are enforced by ESLint (lint-time) and Turborepo (build-graph time). Supports Next.js and TanStack Start as frontend frameworks, Payload CMS for content management, and comprehensive agent-optimized documentation.
+Turborepo + pnpm monorepo organized by vertical features. Each feature (`auth`, `blog`, `media`, `marketing-pages`, `navigation`) owns its Clean Architecture layers. Must-have core packages (`core-shared`, `core-cms`, `core-api`) provide foundation; five optional core packages (`core-realtime`, `core-events`, `core-trpc`, `core-ui`, `core-audit`) scaffold on demand via `pnpm turbo gen core-package <name>` (see `docs/architecture/template-tiers.md`). Two tooling packages (`core-eslint`, `core-typescript`) provide shared configs. Workspace boundaries are enforced by ESLint (lint-time) and Turborepo (build-graph time). Supports Next.js and TanStack Start as frontend frameworks, Payload CMS for content management, and comprehensive agent-optimized documentation.
 
 ## Read First
 
@@ -41,6 +41,7 @@ Turborepo + pnpm monorepo organized by vertical features. Each feature (`auth`,
 - `docs/guides/adding-a-feature.md` — End-to-end new feature walkthrough (manual path; for cases the generator's Phase-1 scope doesn't cover)
 - `docs/guides/events-and-jobs.md` — publish/consume/schedule cookbook (cross-feature events + background jobs; *requires `gen core-package events`*)
 - `docs/guides/realtime.md` — Socket.IO channels, broadcasts, handlers (*requires `gen core-package realtime`*)
+- `docs/guides/audit-and-compliance.md` — DPA-compliant audit logging cookbook (*requires `gen core-package audit`*)
 - `docs/architecture/template-tiers.md` — must-have vs optional packages and how to scaffold the optionals
 
 ## Key Conventions
diff --git a/README.md b/README.md
index c8bbe42..6907290 100644
--- a/README.md
+++ b/README.md
@@ -16,13 +16,14 @@ docker compose up -d   # Start PostgreSQL
 
 ## Optional packages
 
-The default template includes the must-have core packages and all 5 feature packages. Four core packages are optional and scaffold on demand:
+The default template includes the must-have core packages and all 5 feature packages. Five core packages are optional and scaffold on demand:
 
 ```bash
 pnpm turbo gen core-package realtime  # Socket.IO realtime layer (ADR-016)
 pnpm turbo gen core-package events    # Cross-feature events + Payload jobs (ADR-015)
 pnpm turbo gen core-package trpc      # tRPC server setup
 pnpm turbo gen core-package ui        # Design system
+pnpm turbo gen core-package audit     # DPA-compliant audit logging (ADR-018)
 ```
 
 See `docs/architecture/template-tiers.md` for the full tier list.
diff --git a/docs/architecture/data-flow-explainer.html b/docs/architecture/data-flow-explainer.html
index d8dff40..c095fe9 100644
--- a/docs/architecture/data-flow-explainer.html
+++ b/docs/architecture/data-flow-explainer.html
@@ -1703,8 +1703,8 @@ footer .colophon {
       <h3>blog/di/<em>bind-production.ts</em></h3>
       <p>Called from each app's bootstrap (<code>apps/web-next/src/server/bind-production.ts</code>) with the <code>ctx</code> object built once by the aggregator. <code>BindProductionContext</code> is imported from <code>@repo/core-shared/di</code>.</p>
       <pre class="code" data-lang="typescript // packages/blog/src/di/bind-production.ts"><span class="k">export function</span> <span class="n">bindProductionBlog</span>(<span class="n">ctx</span>: <span class="t">BindProductionContext</span>): <span class="t">void</span> {
-  <span class="c">// bus is optional — present only when @repo/core-events is scaffolded</span>
-  <span class="k">const</span> { <span class="n">config</span>, <span class="n">tracer</span>, <span class="n">logger</span>, <span class="n">bus</span>, <span class="n">queue</span>, <span class="n">realtime</span>, <span class="n">realtimeRegistry</span> } = <span class="n">ctx</span>;
+  <span class="c">// bus, realtime, realtimeRegistry, auditLog are optional — present only when the corresponding optional package is scaffolded</span>
+  <span class="k">const</span> { <span class="n">config</span>, <span class="n">tracer</span>, <span class="n">logger</span>, <span class="n">bus</span>, <span class="n">queue</span>, <span class="n">realtime</span>, <span class="n">realtimeRegistry</span>, <span class="n">auditLog</span> } = <span class="n">ctx</span>;
   <span class="k">if</span> (<span class="n">blogContainer</span>.<span class="n">isBound</span>(<span class="n">BLOG_SYMBOLS</span>.<span class="n">IArticlesRepository</span>)) {
     <span class="n">blogContainer</span>.<span class="n">unbind</span>(<span class="n">BLOG_SYMBOLS</span>.<span class="n">IArticlesRepository</span>);
   }
@@ -2193,7 +2193,7 @@ footer .colophon {
     <div class="tradeoff-card">
       <div class="tag">di/bind-production.ts</div>
       <h3>Production binder</h3>
-      <p class="blurb"><code>bindProduction&lt;F&gt;(ctx: BindProductionContext)</code> — unbinds the mock, rebinds the real Payload-backed impl. The <code>ctx</code> arg carries required fields (<code>tracer</code>, <code>logger</code>, <code>config</code>) and optional cross-cutting deps (<code>queue</code>). Event bus (<code>bus</code>) is also optional — present only when <code>@repo/core-events</code> is scaffolded via <code>pnpm turbo gen core-package events</code>; absent, <code>bus?.subscribe/publish</code> calls are no-ops. Realtime deps (<code>realtime</code>, <code>realtimeRegistry</code>) are also optional — present only when <code>@repo/core-realtime</code> is scaffolded via <code>pnpm turbo gen core-package realtime</code>.</p>
+      <p class="blurb"><code>bindProduction&lt;F&gt;(ctx: BindProductionContext)</code> — unbinds the mock, rebinds the real Payload-backed impl. The <code>ctx</code> arg carries required fields (<code>tracer</code>, <code>logger</code>, <code>config</code>) and optional cross-cutting deps (<code>queue</code>). Event bus (<code>bus</code>) is also optional — present only when <code>@repo/core-events</code> is scaffolded via <code>pnpm turbo gen core-package events</code>; absent, <code>bus?.subscribe/publish</code> calls are no-ops. Realtime deps (<code>realtime</code>, <code>realtimeRegistry</code>) are also optional — present only when <code>@repo/core-realtime</code> is scaffolded via <code>pnpm turbo gen core-package realtime</code>. Audit log (<code>auditLog</code>) is also optional — present only when <code>@repo/core-audit</code> is scaffolded via <code>pnpm turbo gen core-package audit</code>; absent, <code>ctx.auditLog?.record(entry)</code> calls are no-ops. When present, <code>auditLog</code> is a <code>TraceIdEnrichingAuditLog</code> that auto-populates <code>AuditEntry.correlationId</code> from the active OTel span.</p>
       <div class="pc-cols">
         <div class="pros"><h5>Pros</h5><ul>
           <li>Decouples Payload config from the feature package — boundary stays clean</li>
diff --git a/docs/architecture/template-tiers.md b/docs/architecture/template-tiers.md
index 1ce9a8a..23027a3 100644
--- a/docs/architecture/template-tiers.md
+++ b/docs/architecture/template-tiers.md
@@ -21,6 +21,7 @@ Plus all 5 feature packages: auth, blog, marketing-pages, navigation, media.
 | core-events | `pnpm turbo gen core-package events` | ADR-015 | docs/guides/events-and-jobs.md |
 | core-trpc | `pnpm turbo gen core-package trpc` | (none) | (none) |
 | core-ui | `pnpm turbo gen core-package ui` | (none) | (none) |
+| core-audit | `pnpm turbo gen core-package audit` | ADR-018 | docs/guides/audit-and-compliance.md |
 
 ## Why optional
 
diff --git a/docs/scaffolding/core-package-generator.md b/docs/scaffolding/core-package-generator.md
index 115bcea..ecdbc26 100644
--- a/docs/scaffolding/core-package-generator.md
+++ b/docs/scaffolding/core-package-generator.md
@@ -23,6 +23,7 @@ The generator emits the package files, updates consuming-app config (e.g. `apps/
 | `events` | Cross-feature event bus + Payload jobs adapter (ADR-015) | Phase 4 |
 | `trpc` | tRPC server setup | Phase 5 |
 | `ui` | Design-system package | Phase 6 |
+| `audit` | DPA-compliant audit logging (ADR-018) | Phase 7 |
 
 ## Verifying an existing project