Description
Half of the marketed "PII redaction + audit" pair has exactly one write site: a frontend fire-and-forget call after successful interactive chat streams. Backend-initiated egress that is live today (memory summaries, review highlights) and all recruiting LLM/Exa calls produce zero audit rows; errored/interrupted streams also skip the write. The marketing site currently sells "Every AI interaction logged — what was asked, what was redacted, what was returned," which is demonstrably false today (site copy qualification tracked in hr-command-center). (Audit finding 1.4; updates 5/29 review R-18/REC-6.)
Current State
- Sole write site: src/contexts/ConversationContext.tsx:471 ("audit is non-critical")
- Table is hardened append-only (migration 011) — good foundation
- Unaudited egress live today: src-tauri/src/memory.rs:148, src-tauri/src/highlights.rs:349,519
- All LLM paths do funnel through chat::send_message* for redaction (chat.rs:407-420) — the redaction half is real; the audit half isn't
- No audit retention path at all (DELETE trigger-blocked, no UI) — needs a documented position pre-enterprise
Suggested Fix
Verification
Automation Hints
scope: src-tauri/src/commands/chat.rs, src-tauri/src/memory.rs, src-tauri/src/highlights.rs, src-tauri/src/audit*.rs
do-not-touch: src-tauri/src/recruiting/ (FHR-91 covers it), migrations of existing tables
approach: extract-and-move
risk: medium
max-files-changed: 8
blocked-by: none
bail-if: requires schema migration beyond additive columns
Priority
Medium — coordinates with Linear FHR-91; do the seam design once, not twice.
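
An added sketch of the backend seam described above (not code from this repository): an audit guard created at the egress choke point writes one row whether the call succeeds, errors, or is abandoned mid-stream. The names `EgressAudit`, `send_audited` and `AuditSink`, and the in-memory sink standing in for the append-only table, are assumptions.

```rust
use std::sync::{Arc, Mutex};

#[derive(Debug, Clone, PartialEq)]
pub enum Outcome { Completed, Errored, Interrupted }
#[derive(Debug, Clone)]
pub struct AuditRow {
    pub source: &'static str,     // e.g. "chat", "memory", "highlights"
    pub redacted_prompt: String,  // what left the machine, after redaction
    pub response: Option<String>, // what came back, if anything
    pub outcome: Outcome,
}
/// Stand-in for the append-only audit table (assumption: in-memory Vec).
pub type AuditSink = Arc<Mutex<Vec<AuditRow>>>;

/// Writes exactly one row when dropped: errors and abandoned streams included.
pub struct EgressAudit { sink: AuditSink, row: AuditRow }

impl EgressAudit {
    pub fn begin(sink: &AuditSink, source: &'static str, prompt: &str) -> Self {
        let row = AuditRow { source, redacted_prompt: prompt.into(), response: None,
                             outcome: Outcome::Interrupted }; // default until finished
        EgressAudit { sink: Arc::clone(sink), row }
    }
    pub fn finish(mut self, result: &Result<String, String>) {
        self.row.outcome = if result.is_ok() { Outcome::Completed } else { Outcome::Errored };
        self.row.response = result.as_ref().ok().cloned();
    } // `self` is dropped here, which writes the row
}

impl Drop for EgressAudit {
    fn drop(&mut self) {
        self.sink.lock().unwrap_or_else(|e| e.into_inner()).push(self.row.clone());
    }
}

/// Hypothetical backend choke point: every caller's egress goes through here.
pub fn send_audited<F>(sink: &AuditSink, source: &'static str, prompt: &str,
                       call: F) -> Result<String, String>
where F: FnOnce(&str) -> Result<String, String> {
    let audit = EgressAudit::begin(sink, source, prompt);
    let result = call(prompt); // the provider call; the prompt is already redacted
    audit.finish(&result);
    result
}

fn main() {
    let sink: AuditSink = Arc::new(Mutex::new(Vec::new()));
    let _ = send_audited(&sink, "memory", "[NAME] summary", |_| Err("timeout".to_string()));
    println!("{:?}", sink.lock().unwrap()); // one Errored row, constructed input
}
```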