LowFile-scopeKotlin Plug & play

Enhance logging with structured format

Prefer key-value or JSON logging over string concatenation; include correlation/request IDs from CoroutineContext when available.

Why this matters

Structured logs are machine-parsable for search and alerting.

Side-by-side examples engineers can pattern-match during review.

Avoid

logger.info("User " + id + " logged in")

Prefer

logger.info("user_login", mapOf("userId" to id, "requestId" to reqId))

Bad

logger.error("fail: $e")

Good

logger.error("op_failed", mapOf("err" to e))

From the same buckets as this rule.

Critical
Check consent and role-based authorization before returning ePHI
Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.
compliance-hipaasecurity-hardening+2
Critical
Mask PAN and exclude SAD from logs
Never emit Primary Account Number (PAN) or Sensitive Authentication Data (SAD: CVV/CVC, full track data, PIN) to application or audit logs. Per PCI DSS 4.0 Req. 3 and 10, always mask PAN as first6last4 and fully redact SAD before logging.
compliance-pci-dssobservability-logging+1
High
Add comprehensive error logging
Log failures with operation name, key identifiers, and exception; prefer structured logging (fields).
error-handlingobservability-logging