Mirror the Audit Trail compliance story on the Delivery Log: a storage-boundary decorator redacts the Event on each EventDeliveryRecord before the repository persists it, while the original IEventDeliveryRecord instance seen by the channel pipeline stays untouched.
The problem today: DeliveryLogMiddleware builds an EventDeliveryRecord that wraps the full CloudEvent and forwards it to IEventPublishDeliveryLog. The InMemoryEventDeliveryLogRepository and NdJsonEventDeliveryLogRepository (and the EF Core variant) persist the serialised record verbatim. The same PCI-DSS concern as the audit trail applies: the Event field of each persisted record contains the original payload, including any DataClassification-tagged fields.
What we will build: A new Hermodr.Publisher.DeliveryLog.Compliance package that adds a redaction seam at the delivery-log storage boundary, parallel in shape to the audit-trail one:
- Nested
DeliveryLogComplianceOptions. A dedicated options object exposed on DeliveryLogBuilder, mirroring the audit-trail options: Redaction mode, OnMissingSchema behaviour, FallbackMarker. Default Disabled, zero behaviour change when not enabled.
RedactingEventPublishDeliveryLog decorator. A new IEventPublishDeliveryLog implementation that wraps the existing repository. On RecordAsync, it evaluates the policy against the record's Event, resolves the schema from the user's IEventSchemaRegistry, and applies the schema-aware redactor. The redacted event is placed on a new EventDeliveryRecord obtained via EventDeliveryRecord.FromRecord(record) with { Event = redacted }; the original IEventDeliveryRecord is never mutated, so the channel pipeline, error handlers, and any code holding a reference to the original record are unaffected.DeliveryLogBuilder.UseCompliance extension. Swaps the registered IEventPublishDeliveryLog for the decorator. DeliveryLogMiddleware is unchanged. The decorator participates transparently in the same DI lifetime as the original repository.
Benefits:
- Delivery log entries — the operational record of every publish attempt — no longer expose confidential data in clear text when redaction is enabled.
- Symmetric to the audit-trail compliance support: one framework, two storage integrations, identical options shape, identical redactor pipeline.
- Custom delivery-log repositories that today implement
IEventPublishDeliveryLog directly can opt in by wrapping themselves with the decorator in their DI registration, without forking the framework.
Depends on #83. See ROADMAP.md item 25 for the full design.
The problem today:
DeliveryLogMiddlewarebuilds anEventDeliveryRecordthat wraps the fullCloudEventand forwards it toIEventPublishDeliveryLog. TheInMemoryEventDeliveryLogRepositoryandNdJsonEventDeliveryLogRepository(and the EF Core variant) persist the serialised record verbatim. The same PCI-DSS concern as the audit trail applies: theEventfield of each persisted record contains the original payload, including anyDataClassification-tagged fields.What we will build: A new
Hermodr.Publisher.DeliveryLog.Compliancepackage that adds a redaction seam at the delivery-log storage boundary, parallel in shape to the audit-trail one:DeliveryLogComplianceOptions. A dedicated options object exposed onDeliveryLogBuilder, mirroring the audit-trail options:Redactionmode,OnMissingSchemabehaviour,FallbackMarker. DefaultDisabled, zero behaviour change when not enabled.RedactingEventPublishDeliveryLogdecorator. A newIEventPublishDeliveryLogimplementation that wraps the existing repository. OnRecordAsync, it evaluates the policy against the record'sEvent, resolves the schema from the user'sIEventSchemaRegistry, and applies the schema-aware redactor. The redacted event is placed on a newEventDeliveryRecordobtained viaEventDeliveryRecord.FromRecord(record) with { Event = redacted }; the originalIEventDeliveryRecordis never mutated, so the channel pipeline, error handlers, and any code holding a reference to the original record are unaffected.DeliveryLogBuilder.UseComplianceextension. Swaps the registeredIEventPublishDeliveryLogfor the decorator.DeliveryLogMiddlewareis unchanged. The decorator participates transparently in the same DI lifetime as the original repository.Benefits:
IEventPublishDeliveryLogdirectly can opt in by wrapping themselves with the decorator in their DI registration, without forking the framework.Depends on #83. See
ROADMAP.mditem 25 for the full design.