docs(spec): audit logging & DPA compliance design

Six-phase design for @repo/core-audit (5th optional package).

Phase 1: AuditLogProtocol + AuditEntry type + truncateIp helper in
core-shared; BindContext.auditLog? optional field.

Phase 2: @repo/core-audit package with NoopAuditLog + PayloadAuditLog
(append-only collection) + StdoutJsonAuditLog (structured JSON) +
MultiSinkAuditLog fan-out wrapper + RecordingAuditLog in core-testing.

Phase 3: GDPR erasure plumbing — eraseSubject impls, pseudonymize helper
(sha256-with-salt), admin tRPC procedure, createAuditErasureHook
Payload afterDelete hook factory.

Phase 4: OTel correlation bridge — currentTraceId() helper,
TraceIdEnrichingAuditLog decorator wraps inner sinks at bind time so
AuditEntry.correlationId auto-populates from active OTel span.

Phase 5: createAuditAfterReadHook factory for opt-in per-collection
automatic VIEW capture; reference wiring documented (printed by
generator as a diff, NOT auto-installed in auth).

Phase 6: ADR-018, audit-and-compliance.md guide, generator template
+ byte-identical snapshot + e2e test, doc refreshes (CLAUDE.md,
AGENTS.md, template-tiers, data-flow-explainer, README,
scaffolding-doc).

Compliance grounded in DPA "Logging & Monitoring" requirements:
closed action enum (VIEW/CREATE/UPDATE/DELETE/EXPORT/PERMISSION_CHANGE),
required tenant field, type-enforced "what NOT to log" (no payload/
body/oldValue/newValue fields), IP /24 v4 + /48 v6 truncation, sha256-
salted pseudonymization, append-only Payload collection with privileged
overrideAccess erasure path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
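
The IP /24 v4 + /48 v6 truncation named in the commit message, as an added sketch; it is not the project's `truncateIp` helper, whose signature this message does not show. The name `truncateIpExample`, the `null` return for unparseable input, the `::`-terminated IPv6 output, and the choice to unwrap IPv4-mapped addresses and truncate them as IPv4 are all assumptions.

```typescript
// Added example: hypothetical names, not code from the commit described above.
// Keeps the /24 of an IPv4 address or the /48 of an IPv6 address so an audit
// entry records coarse network locality without the host-identifying bits.
// Returns null when the input does not parse, so raw input is never logged.
function truncateIpExample(raw: string): string | null {
  // Assumption: dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d;
  // unwrap those and truncate them as IPv4 instead of zeroing them entirely.
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(raw);
  const ip = mapped ? mapped[1] : raw;

  const v4 = parseV4(ip);
  if (v4) return `${v4[0]}.${v4[1]}.${v4[2]}.0`;

  const v6 = parseV6(ip);
  if (v6) return `${v6.slice(0, 3).map((g) => g.toString(16)).join(":")}::`;

  return null;
}

// Four decimal octets, each 0-255.
function parseV4(ip: string): number[] | null {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p))) return null;
  const nums = parts.map(Number);
  return nums.every((n) => n <= 255) ? nums : null;
}

// Expands "::" compression and returns the eight 16-bit groups.
// Zone identifiers (fe80::1%eth0) and embedded dotted quads are rejected.
function parseV6(ip: string): number[] | null {
  const halves = ip.split("::");
  if (halves.length > 2) return null; // "::" may appear at most once
  const compressed = halves.length === 2;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = compressed && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  // "::" must stand for at least one group; without it all eight are required.
  if (compressed ? missing < 1 : missing !== 0) return null;
  const zeros = new Array<string>(compressed ? missing : 0).fill("0");
  const groups = [...head, ...zeros, ...tail];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}
```
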