---
id: document-payload-redaction
name: Document Call Graph Payload Redaction Strategy
status: completed
depends_on: []
scope: narrow
risk: medium
impact: component
level: implementation
---

## Description

W08: The `input` and `output` JSONB columns on `call_graph_nodes` store full call payloads. Operations like `hub.register` (which receives auth tokens) would store API keys and secrets in cleartext. The truncation strategy (10KB) addresses size, not sensitive data. No redaction is mentioned.

Add a section to `call-graph.md` on sensitive data handling. Options: operation handlers mark fields as redacted; call graph writer applies field-level redaction by convention (fields named `password`, `token`, `secret`, `key`); truncation strategy extended with redaction pass.

## Acceptance Criteria

- [ ] `call-graph.md` has a "Sensitive Data Handling" section
- [ ] Redaction strategy is specified (field-level by convention, handler-driven, or both)
- [ ] Default redacted field names defined (e.g., `password`, `token`, `secret`, `key`, `apiKey`, `authorization`)
- [ ] Redaction applies before DB write (not on read)

## References

- docs/reviews/storage-architecture-review-2026-04-21.md#W08
- docs/architecture/storage/call-graph.md:22-23

## Notes

> To be filled by implementation agent

## Summary

> To be filled on completion
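
An added example, not code from this project or its `call-graph.md`: one way to combine the convention-based and handler-driven options from the Description into a redaction pass that runs on a copy of the payload before the DB write. The word-splitting match rule, the `[REDACTED]` placeholder, the function names and the sample payload are assumptions.

```python
import re

# Default names from the acceptance criteria, lowercased for comparison.
DEFAULT_REDACTED = frozenset(
    {"password", "token", "secret", "key", "apikey", "authorization"})
PLACEHOLDER = "[REDACTED]"  # assumed marker; the page does not define one

# Splits snake_case, kebab-case, camelCase and ACRONYMCase names into words.
_WORDS = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+")


def is_sensitive(name, extra=frozenset()):
    """True when a field name matches the convention or a handler-marked name."""
    if name in extra:
        return True
    words = [w.lower() for w in _WORDS.findall(name)]
    return "".join(words) in DEFAULT_REDACTED or any(
        w in DEFAULT_REDACTED for w in words)


def redact(value, extra=frozenset()):
    """Return a redacted copy of a JSON-like value; the original is untouched,
    so the handler can keep using the real secret after the graph is written."""
    if isinstance(value, dict):
        return {
            k: PLACEHOLDER if is_sensitive(str(k), extra) else redact(v, extra)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v, extra) for v in value]
    return value


# Constructed sample input for a hypothetical hub.register call.
SAMPLE_INPUT = {
    "hubId": "hub-1",
    "auth": {"apiKey": "sk-constructed", "Authorization": "Bearer constructed"},
    "peers": [{"name": "a", "access_token": "t-constructed"}],
    "pairingCode": "1234",   # not caught by name; the handler marks it
    "monkey": "not a key",   # contains "key" but is not a separate word
}

if __name__ == "__main__":
    import json
    marked = frozenset({"pairingCode"})  # hypothetical handler-declared field
    print(json.dumps(redact(SAMPLE_INPUT, extra=marked), indent=2))
```

Matching by name over-redacts fields such as `token_count` and does not see secrets embedded inside string values.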