Skip to content

Audit log has one write site (interactive chat, frontend fire-and-forget) — backend LLM egress writes zero audit rows #112

Description

@matthewod11-stack

Description

Half of the marketed "PII redaction + audit" pair has exactly one write site: a frontend fire-and-forget call after successful interactive chat streams. Backend-initiated egress that is live today (memory summaries, review highlights) and all recruiting LLM/Exa calls produce zero audit rows; errored/interrupted streams also skip the write. The marketing site currently sells "Every AI interaction logged — what was asked, what was redacted, what was returned," which is demonstrably false today (site copy qualification tracked in hr-command-center). (Audit finding 1.4; updates 5/29 review R-18/REC-6.)

Current State

  • Sole write site: src/contexts/ConversationContext.tsx:471 ("audit is non-critical")
  • Table is hardened append-only (migration 011) — good foundation
  • Unaudited egress live today: src-tauri/src/memory.rs:148, src-tauri/src/highlights.rs:349,519
  • All LLM paths do funnel through chat::send_message* for redaction (chat.rs:407-420) — the redaction half is real; the audit half isn't
  • No audit retention path at all (DELETE trigger-blocked, no UI) — needs a documented position pre-enterprise

Suggested Fix

  • Move audit writes backend-side into the chat seam so every successful send writes a row (interactive, memory, highlights), including on stream error/interrupt (partial row)
  • This is a stepping stone to the single redact+audit choke point for ALL egress (REC-6 / Linear FHR-91) — design the write helper so recruiting can adopt it
  • Document the retention position (even "append-only, no deletion, export via DB" is a position)

Verification

  • cargo test: new tests assert audit rows for memory + highlights egress and for an interrupted stream
  • Row counts match send counts in a manual session

Automation Hints

scope: src-tauri/src/commands/chat.rs, src-tauri/src/memory.rs, src-tauri/src/highlights.rs, src-tauri/src/audit*.rs
do-not-touch: src-tauri/src/recruiting/ (FHR-91 covers it), migrations of existing tables
approach: extract-and-move
risk: medium
max-files-changed: 8
blocked-by: none
bail-if: requires schema migration beyond additive columns

Priority

Medium — coordinates with Linear FHR-91; do the seam design once, not twice.

Metadata

Metadata

Assignees

No one assigned

    Labels

    hardeningReliability or defense-in-depth improvementtech-debtEligible for automated overnight fixing

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions