# Redaction Defaults Decision

**Decision ID:** DECISION-SECURITY-001
**Status:** DEFAULT-APPROVED
**Effective Date:** 2025-12-06
**48h Window Started:** 2025-12-06T00:00:00Z

## Decision

Notification and export pipelines use **restrictive redaction defaults** that redact PII, secrets, and cryptographic keys.

## Rationale

1. Security-first approach minimizes data exposure risk
2. Users can opt in to less restrictive settings via configuration
3. Aligns with GDPR and data minimization principles
4. Consistent with existing Evidence Locker redaction patterns

## Default Redaction Rules

### Always Redacted (HIGH)

- Private keys (RSA, ECDSA, Ed25519)
- API keys and tokens
- Passwords and secrets
- Database connection strings
- JWT tokens

### Redacted by Default (MEDIUM) - Opt-out available

- Email addresses
- IP addresses (external)
- File paths containing usernames
- Environment variable values (not names)

### Not Redacted (LOW)

- Package names and versions
- CVE identifiers
- Severity scores
- Public key fingerprints

## Configuration

```yaml
# etc/notify.yaml
redaction:
  level: restrictive  # Options: permissive, standard, restrictive
  custom_patterns:
    - pattern: "INTERNAL_.*"
      action: redact
```

## Impact

- Tasks unblocked: ~5
- Sprint files affected: SPRINT_0170, SPRINT_0171

## Reversibility

To change redaction defaults:

1. Update `docs/security/redaction-and-privacy.md`
2. Get Security Guild sign-off
3. Update configuration schemas
4. Ensure backward compatibility

## References

- [Redaction and Privacy](../security/redaction-and-privacy.md)
- [SPRINT_0170 Notifications](../implplan/SPRINT_0170_0001_0001_notifications_telemetry.md)
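
An added example, not the project's own code: one way the HIGH and MEDIUM tiers and the `custom_patterns` entry from this decision could be applied to a notification body, with LOW-tier fields passing through. The regexes, the `redact` function, its `medium_opt_out` parameter and the sample text are assumptions constructed for illustration; the decision lists categories, not patterns.

```python
import ipaddress
import re

# Assumed detectors: the decision record names categories, not regexes.
HIGH = {  # always redacted, no opt-out
    "private_key": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
    "jwt": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"),
    "connection_string": re.compile(r"\b[a-z][a-z0-9+]*://[^\s:/@]+:[^\s@]+@\S+"),
    "secret": re.compile(r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*\S+"),
}
MEDIUM = {  # redacted by default, opt-out available
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "user_path": re.compile(r"(?:/home|/Users|[A-Za-z]:\\Users)[/\\]\S+"),
}

def _external_ip_only(match):
    """Redact globally routable addresses; keep internal or invalid ones."""
    try:
        addr = ipaddress.ip_address(match.group(0))
    except ValueError:
        return match.group(0)
    return "[REDACTED:ip]" if addr.is_global else match.group(0)

def redact(text, medium_opt_out=frozenset(), custom_patterns=()):
    # HIGH runs first so a credential inside a connection string is gone
    # before the email/IP rules can match fragments of it.
    for name, rx in HIGH.items():
        text = rx.sub(f"[REDACTED:{name}]", text)
    for pattern in custom_patterns:  # e.g. "INTERNAL_.*" with action: redact
        text = re.sub(pattern, "[REDACTED:custom]", text)
    for name, rx in MEDIUM.items():
        if name in medium_opt_out:  # the opt-out applies to MEDIUM only
            continue
        text = rx.sub(_external_ip_only if name == "ip" else f"[REDACTED:{name}]", text)
    return text

# Constructed sample notification body (placeholder CVE id, made-up values).
SAMPLE = (
    "Scan of openssl 3.0.13 found CVE-0000-0000 (severity 9.8)\n"
    "db=postgres://svc:s3cr3t@10.0.0.5:5432/app\n"
    "reporter alice@example.com from 8.8.8.8 via 10.0.0.5\n"
    "artifact /home/alice/build/out.sbom password=hunter2\n"
    "INTERNAL_TICKET=OPS-42\n"
)

if __name__ == "__main__":
    print(redact(SAMPLE, custom_patterns=["INTERNAL_.*"]))
```

Opting out of a MEDIUM rule, for example `medium_opt_out={"email"}`, leaves every HIGH rule in force, matching the "Always Redacted" tier.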