ADR 013: PII Log Sanitization

Status

Implemented

Context

The codebase has ~590 log statements across 42 files. Audit revealed HIGH-RISK PII exposure in MQTT credentials, password commands, and API endpoints. Only one file (tokenCache.js) had any sanitization. File logging is disabled by default, but when enabled, sensitive data could leak.

Decision

Use custom regex-based sanitization utility (app/utils/logSanitizer.js) instead of third-party libraries.

Pattern replacement order (specific before general):

MQTT URLs → preserve protocol, redact credentials
Bearer tokens → Bearer [TOKEN]
Passwords, auth headers, API keys, tokens, secrets → [REDACTED]
Certificate fingerprints → preserve label, redact value
Emails → [EMAIL]
UUIDs → keep first 8 chars for correlation
IP addresses → [IP]
URL query params → ?[PARAMS]
User paths → preserve structure, redact username

Consequences

Positive

Zero dependencies, fast execution
Full control over patterns
UUIDs remain correlatable for debugging

Negative

Requires pattern maintenance
May miss edge cases (regex-only, no NER)

Implementation Phases

Done: Sanitizer utility + tests (app/utils/logSanitizer.js)
Done: Logger integration via electron-log hooks (app/config/logger.js)
~~Apply to high-risk files~~ - Not needed: Hook automatically sanitizes all logs
Done: Log verbosity reduction (21% debug log reduction)

Alternatives Considered

Option	Rejected Because
Microsoft Presidio	Requires Docker, network latency
PII-PALADIN	90MB bundle size
@redactpii/node	Additional dependency, less control
Pino with redaction	Would require replacing electron-log

Implementation: app/utils/logSanitizer.js
Logger Hook: app/config/logger.js

Status​

Context​

Decision​

Consequences​

Positive​

Negative​

Implementation Phases​

Alternatives Considered​

Related​