src/lib/logger.ts

import pino from 'pino';

export const logger = pino({
  level: process.env.LOG_LEVEL ?? 'info',
  redact: {
    paths: [
      'password',
      'token',
      'secret',
      'accessKey',
      'secretKey',
      'creditCard',
      '*.password',
      '*.token',
      '*.secret',
      '*.accessKey',
      '*.secretKey',
      // Encrypted credential blobs surface in storage / smtp config logs
      // unintentionally; redact them defensively even though they're
      // already AES-encrypted at rest.
      '*.secretKeyEncrypted',
      '*.smtpPassEncrypted',
      '*.imapPassEncrypted',
      '*.proxyHmacSecretEncrypted',
      // HTTP authorization headers (Bearer tokens, Basic creds) leak via
      // err.config.headers on http-client error logs.
      '*.headers.authorization',
      '*.headers.Authorization',
      '*.headers["x-documenso-secret"]',
      '*.config.headers.Authorization',
      '*.config.headers.authorization',
      // Cookie headers can carry session tokens.
      '*.headers.cookie',
      '*.headers.Cookie',
      // Two-level nesting for things like `req.headers.authorization` or
      // `cfg.s3.secretKeyEncrypted`.
      '*.*.password',
      '*.*.token',
      '*.*.secret',
      '*.*.secretKeyEncrypted',
      '*.*.headers.authorization',
      '*.*.headers.Authorization',
    ],
    censor: '[REDACTED]',
  },
  transport:
    process.env.NODE_ENV !== 'production'
      ? { target: 'pino-pretty', options: { colorize: true } }
      : undefined,
  serializers: {
    err: pino.stdSerializers.err,
    req: pino.stdSerializers.req,
    res: pino.stdSerializers.res,
  },
});
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:51 +01:00			`import pino from 'pino';`

			`export const logger = pino({`
			`level: process.env.LOG_LEVEL ?? 'info',`
			`redact: {`
			`paths: [`
			`'password',`
			`'token',`
			`'secret',`
			`'accessKey',`
			`'secretKey',`
			`'creditCard',`
			`'*.password',`
			`'*.token',`
			`'*.secret',`
			`'*.accessKey',`
			`'*.secretKey',`
fix(audit-v3): platform-wide deferred-list cleanup (rounds 1-4) Working through the audit-v2 deferred backlog. Each round was tested (typecheck + 1168/1168 vitest) before moving on. Round 1 — DB performance + AI cost visibility: - Add missing FK indexes Postgres doesn't auto-create on berth_reservations.{interest_id, contract_file_id}, documents.{file_id, signed_file_id}, document_events.signer_id, document_templates.source_file_id, form_submissions.{form_template_id, client_id}, document_sends.{brochure_id, brochure_version_id, sent_by_user_id}. Without these, RESTRICT-checks on parent delete + reverse-lookups walk the child tables fully. Migration 0037. - AI worker now writes one ai_usage_ledger row per OpenAI call so admins can audit spend per port/user/feature and future per-port budgets have history to read from. Failure to write is logged-not-thrown so the user-facing email draft is unaffected. Round 2 — Boot-time + transport hardening: - S3 backend verifies the bucket exists at startup (or auto-creates when MINIO_AUTO_CREATE_BUCKET=true). A typo'd bucket name now surfaces with a clear boot error instead of a vague Minio error inside the first user-facing request. - Documenso v1 placeFields: 3-attempt exponential-backoff retry on 5xx + network errors, fail-fast on 4xx. Stops one transient flake from leaving a document with a partial field set. - FilesystemBackend logs a structured warn-once at boot when the dev HMAC fallback is in effect, so two processes started with different BETTER_AUTH_SECRET values are observable (random 401s on file downloads otherwise). - Logger redact paths extended to cover .headers.{authorization, cookie}, .config.headers.authorization, encrypted-credential blobs (secretKeyEncrypted, smtpPassEncrypted, etc.), the Documenso X-Documenso-Secret header, and 2-level nested forms. Round 3 — UI feedback + permission gates: - Storage admin migrate dialog: success toast with row count + error toast on both dryRun and migrate mutations. - Invoice detail Send + Record-payment buttons wrapped in PermissionGate (invoices.send / invoices.record_payment); both mutations now toast on success/error. - Admin user list Edit button wrapped in PermissionGate(admin.manage_users). - Scan-receipt page surfaces an amber warning when OCR fails so reps know they can fill the form manually instead of staring at a stalled spinner; the editable form now also opens on scanMutation.isError / uploadedFile, not only on success. - Email threads list now renders skeleton rows during load + shared EmptyState for the empty case (was a single "Loading…" line). Round 4 — Service / route correctness: - documentSends.sent_by_user_id was a free-text NOT NULL column with no FK. Now nullable + FK to user(id) ON DELETE SET NULL so the audit row survives a user being hard-deleted. Migration 0038 with a defensive null-out for any orphan ids before attaching the constraint. - Saved-views route: documented why withAuth alone is correct (the service strictly filters by (portId, userId) — owner-only by design). - Public-interests audit log: replaced "userId: null as unknown as string" cast with userId: null; AuditLogParams already accepts null for system-generated events. - EOI in-app PDF fill: extracted setBerthRange() that, when the AcroForm field is missing AND the context has a non-empty range string, logs a structured warn so the deployment gap (live Documenso template needs the field) is observable instead of silently dropping the multi-berth range. Test status: 1168/1168 vitest. tsc clean. Two new migrations (0037/0038) need pnpm db:push (or migration apply) on the dev DB. Deferred-doc updated with the remaining open items (bigger refactors). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-05 12:49:53 +02:00			`// Encrypted credential blobs surface in storage / smtp config logs`
			`// unintentionally; redact them defensively even though they're`
			`// already AES-encrypted at rest.`
			`'*.secretKeyEncrypted',`
			`'*.smtpPassEncrypted',`
			`'*.imapPassEncrypted',`
			`'*.proxyHmacSecretEncrypted',`
			`// HTTP authorization headers (Bearer tokens, Basic creds) leak via`
			`// err.config.headers on http-client error logs.`
			`'*.headers.authorization',`
			`'*.headers.Authorization',`
			`'*.headers["x-documenso-secret"]',`
			`'*.config.headers.Authorization',`
			`'*.config.headers.authorization',`
			`// Cookie headers can carry session tokens.`
			`'*.headers.cookie',`
			`'*.headers.Cookie',`
			// Two-level nesting for things like `req.headers.authorization` or
			// `cfg.s3.secretKeyEncrypted`.
			`'..password',`
			`'..token',`
			`'..secret',`
			`'..secretKeyEncrypted',`
			`'..headers.authorization',`
			`'..headers.Authorization',`
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:51 +01:00			`],`
			`censor: '[REDACTED]',`
			`},`
			`transport:`
			`process.env.NODE_ENV !== 'production'`
			`? { target: 'pino-pretty', options: { colorize: true } }`
			`: undefined,`
			`serializers: {`
			`err: pino.stdSerializers.err,`
			`req: pino.stdSerializers.req,`
			`res: pino.stdSerializers.res,`
			`},`
			`});`