docs(plan): audit logging & DPA compliance (6 phases, ~30 commits)
Implementation plan for the spec at docs/superpowers/specs/2026-05-11-audit-and-compliance-design.md. Six phases:
- Phase 1: AuditLogProtocol + AuditEntry type + truncateIp helper in
core-shared; BindContext.auditLog? (5th generic).
- Phase 2: @repo/core-audit optional package — NoopAuditLog,
StdoutJsonAuditLog, append-only audit-logs Payload collection,
PayloadAuditLog (record), MultiSinkAuditLog fan-out, bindAudit
binder with prod salt validation, RecordingAuditLog in core-testing.
- Phase 3: GDPR erasure plumbing — pseudonymize helper (sha256 +
AUDIT_PSEUDONYM_SALT), PayloadAuditLog.eraseSubject via
overrideAccess, createAuditErasureHook Payload afterDelete factory,
admin tRPC procedure (audit.eraseSubject).
- Phase 4: OTel correlation bridge — currentTraceId() in core-shared,
TraceIdEnrichingAuditLog decorator wraps inner sinks at bindAudit
time. Explicit caller correlationId wins.
- Phase 5: createAuditAfterReadHook factory for opt-in per-collection
VIEW capture; fire-and-forget semantics with stderr fallback.
- Phase 6: ADR-018 + audit-and-compliance.md guide + generator template
at turbo/generators/templates/core-package/audit/ + byte-identical
snapshot + e2e test + 6 doc surface refreshes (template-tiers,
scaffolding-doc, CLAUDE.md, AGENTS.md, data-flow-explainer, README).
Total: ~30 commits expected.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
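Added example (not from the plan or the repo): a TypeScript sketch of the Phase 1 truncateIp helper, the Phase 3 pseudonymize helper and the prod salt validation from Phase 2's bindAudit, with an in-memory stand-in for PayloadAuditLog.eraseSubject. The AuditEntry shape, DEV_SALT, the 32-character minimum, HMAC-SHA256 as the way of combining sha256 with AUDIT_PSEUDONYM_SALT, and the /24 and /48 truncation widths are all assumptions.

```typescript
import { createHmac } from "node:crypto";
// Stand-in for the plan's AuditEntry type; the field set is assumed, not the real one.
export interface AuditEntry {
  action: string;
  subjectId: string; // the person the entry is about; GDPR erasure rewrites this field
  ip: string;        // stored already truncated
  at: string;
}
// Constructed dev-only salt; bindAudit's prod validation must refuse it.
export const DEV_SALT = "dev-only-salt-not-for-production";

// Prod salt validation: unset, default or short AUDIT_PSEUDONYM_SALT is a hard error in production.
export function validateSalt(salt: string | undefined, nodeEnv: string): string {
  if (nodeEnv !== "production") return salt ?? DEV_SALT;
  if (!salt || salt === DEV_SALT || salt.length < 32) {
    throw new Error("AUDIT_PSEUDONYM_SALT must be a strong, non-default value in production");
  }
  return salt;
}

// Deterministic salted pseudonym (HMAC-SHA256 keyed with the salt, one way to do "sha256 + salt"):
// the same subject always maps to the same token, so erased rows stay correlatable, but
// without the salt the token cannot be tied back to the user.
export function pseudonymize(subjectId: string, salt: string): string {
  return createHmac("sha256", salt).update(subjectId).digest("hex");
}

// Expand "::" shorthand so an IPv6 address always has 8 groups.
function expandIpv6(ip: string): string[] {
  const [head, tail = ""] = ip.split("::");
  const left = head ? head.split(":") : [];
  const right = tail ? tail.split(":") : [];
  return [...left, ...Array(Math.max(8 - left.length - right.length, 0)).fill("0"), ...right];
}

// Coarsen an IP before it is logged: IPv4 keeps its /24, IPv6 keeps its /48 (widths assumed).
export function truncateIp(ip: string): string {
  if (ip.includes(":")) return `${expandIpv6(ip).slice(0, 3).join(":")}::`;
  const octets = ip.split(".");
  if (octets.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return `${octets.slice(0, 3).join(".")}.0`;
}

// In-memory model of PayloadAuditLog.eraseSubject: rewrite the subject, keep the rows.
export function eraseSubject(entries: AuditEntry[], subjectId: string, salt: string): number {
  const token = pseudonymize(subjectId, salt);
  let n = 0;
  for (const e of entries) if (e.subjectId === subjectId) { e.subjectId = token; n++; }
  return n;
}
```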