Redact PII from production log statements

- Also committing task list update after all the fixes

Author: vdavid

apps/desktop/src-tauri/src/licensing/app_status.rs

@@ -6,6 +6,7 @@
 //! - Caching for offline use (30-day grace period)
 //! - Mock mode for local testing
 
+use crate::licensing::redact_email;
 use crate::licensing::verification::{LicenseInfo, get_license_info};
 use serde::{Deserialize, Serialize};
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
@@ -267,7 +268,7 @@ fn get_cached_or_validate(app: &tauri::AppHandle, license_info: &LicenseInfo) ->
     // We'll return Personal until async validation completes
     log::info!(
         "License key found for {} but no cached status, returning Personal until validation",
-        license_info.email
+        redact_email(&license_info.email)
     );
     AppStatus::Personal {
         show_commercial_reminder: should_show_commercial_reminder(app),

apps/desktop/src-tauri/src/licensing/mod.rs

@@ -15,6 +15,14 @@ pub use verification::{LicenseInfo, activate_license, activate_license_async, ge
 
 use serde::{Deserialize, Serialize};
 
+/// Redact an email for logging: "john@example.com" -> "j***@example.com"
+pub(crate) fn redact_email(email: &str) -> String {
+    match email.find('@') {
+        Some(0) | None => "***".to_string(),
+        Some(at) => format!("{}***{}", &email[..1], &email[at..]),
+    }
+}
+
 /// License data encoded in the license key.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct LicenseData {

apps/desktop/src-tauri/src/licensing/verification.rs

@@ -1,6 +1,7 @@
 //! License key verification using Ed25519 signatures.
 
 use crate::licensing::LicenseData;
+use crate::licensing::redact_email;
 use crate::licensing::validation_client::{activate_short_code, is_short_code};
 use base64::{Engine, engine::general_purpose::STANDARD as BASE64};
 use ed25519_dalek::{Signature, Verifier, VerifyingKey};
@@ -137,15 +138,11 @@ fn validate_license_key_with_public_key(license_key: &str, public_key_hex: &str)
 
     // Parse payload
     let data: LicenseData = serde_json::from_slice(&payload_bytes).map_err(|e| {
-        log::info!(
-            "License payload parse error: {}. Raw payload: {}",
-            e,
-            String::from_utf8_lossy(&payload_bytes)
-        );
+        log::info!("License payload parse error: {}", e);
         "Invalid license key: bad payload data"
     })?;
 
-    log::info!("License validated successfully for: {}", data.email);
+    log::info!("License validated successfully for: {}", redact_email(&data.email));
 
     Ok(data)
 }

apps/license-server/src/index.ts

@@ -62,6 +62,13 @@ function isValidLicenseType(type: string): type is LicenseType {
     return (licenseTypes as readonly string[]).includes(type)
 }
 
+/** Redact an email for logging: "john@example.com" -> "j***@example.com" */
+function redactEmail(email: string): string {
+    const atIndex = email.indexOf('@')
+    if (atIndex <= 0) return '***'
+    return email[0] + '***' + email.slice(atIndex)
+}
+
 const app = new Hono<{ Bindings: Bindings }>()
 
 // Health check
@@ -237,7 +244,7 @@ async function processCompletedTransaction(payload: PaddleWebhookPayload, env: B
         return Response.json({ error: 'Failed to fetch customer details' }, { status: 500 })
     }
 
-    console.log('Customer email:', customer.email, 'business:', customer.businessName)
+    console.log('Customer:', redactEmail(customer.email))
 
     // Determine license type from price ID
     const priceIds: PriceIdMapping = {
@@ -274,7 +281,14 @@ async function processCompletedTransaction(payload: PaddleWebhookPayload, env: B
     const sevenDaysInSeconds = 604_800
     await env.LICENSE_CODES.put(idempotencyKey, 'processed', { expirationTtl: sevenDaysInSeconds })
 
-    console.log('Licenses sent to:', customer.email, 'type:', result.licenseType, 'quantity:', result.quantity)
+    console.log(
+        'Licenses sent to:',
+        redactEmail(customer.email),
+        'type:',
+        result.licenseType,
+        'quantity:',
+        result.quantity,
+    )
     return Response.json({
         status: 'ok',
         email: customer.email,

docs/notes/2026-02-09-codebase-review.md

@@ -158,24 +158,24 @@ locations. The staging pattern, atomic rename failure handling, and rollback-on-
 
 ### Immediate (critical, affects real money)
 
-- [ ] Add webhook idempotency — check KV for existing transaction before processing (#1) `[S]`
-- [ ] Wrap webhook handler in try-catch, handle email/KV failures gracefully (#2) `[S]`
+- [x] Add webhook idempotency — check KV for existing transaction before processing (#1) `[S]`
+- [x] Wrap webhook handler in try-catch, handle email/KV failures gracefully (#2) `[S]`
 
 ### Urgent (high severity)
 
-- [ ] Fix admin auth timing attack + audit for other constant-time comparison gaps (#3) `[S]`
-- [ ] Add `--color-allow` to dark mode CSS block (#4) `[XS]`
-- [ ] Add Rust tests for `delete.rs` — success, cancellation, permission errors, partial failure (#11) `[M]`
+- [x] Fix admin auth timing attack + audit for other constant-time comparison gaps (#3) `[S]`
+- [x] Add `--color-allow` to dark mode CSS block (#4) `[XS]`
+- [x] Add Rust tests for `delete.rs` — success, cancellation, permission errors, partial failure (#11) `[M]`
 
 ### Soon (medium severity)
 
-- [ ] Fix AppleScript injection + audit codebase for other shell/script interpolation gaps (#5) `[M]`
-- [ ] Replace hardcoded viewer highlight colors with CSS variables (#6) `[XS]`
-- [ ] HTML-escape user inputs in license email templates (#7) `[XS]`
-- [ ] Add input validation to admin endpoint + audit other endpoints (#8) `[S]`
-- [ ] Add tests for cross-filesystem move staging pattern (#12) `[M]`
+- [x] Fix AppleScript injection + audit codebase for other shell/script interpolation gaps (#5) `[M]`
+- [x] Replace hardcoded viewer highlight colors with CSS variables (#6) `[XS]`
+- [x] HTML-escape user inputs in license email templates (#7) `[XS]`
+- [x] Add input validation to admin endpoint + audit other endpoints (#8) `[S]`
+- [x] Add tests for cross-filesystem move staging pattern (#12) `[M]`
 
 ### When convenient (low severity)
 
-- [ ] Delete completed specs from `docs/specs/` (#9) `[XS]`
-- [ ] Remove/redact PII from production logs + audit for more (#10) `[S]`
+- [x] Delete completed specs from `docs/specs/` (#9) `[XS]`
+- [x] Remove/redact PII from production logs + audit for more (#10) `[S]`