Observability & Logging rules

Configure Monolog to add a processor that redacts emails, tokens, and SSNs before writing logs; include request_id.

Wrap logger to filter emails and tokens using regex before logging; include trace_id in every entry.

Delete Console.WriteLine, Debug.WriteLine, and temporary diagnostics before merging; rely on structured logging.

Do not use echo/var_dump for diagnostics in application code; use a PSR-3 logger or error_log with levels.

Use the standard logging module (or your app's logger) instead of print() in committed code.

Add middleware to set HSTS, X-Content-Type-Options, and secure cookies; log JSON with actor and trace_id for auth and admin routes.

Emit JSON audit events via ActiveSupport::Notifications with user_id, action, resource_id, and request_id.

Log security events via ILogger with properties {Action, UserId, ResourceId, Result, TraceId}; configure sink to JSON and send to SIEM.

Mark columns and event fields with pii and purpose metadata; prefer hashed or tokenized variants in telemetry. Use these tags to auto-generate Records of Processing Activities (RoPA). (GDPR Art. 30)

Emit stable message keys (for i18n/observability) and resolve user-facing text via localization layers.

When returning an error from a function, include contextual information. Use `fmt.Errorf` with `%w` (or similar error wrapping) to add a message while preserving the original error.