# Observability standards

Common envelope fields
- Trace context: trace_id, span_id, trace_flags; propagate W3C traceparent and baggage.
- Tenant and workload: tenant, workload (service), region, env, version.
- Subject: component, operation, resource (purl or uri when safe).
- Timing: UTC ISO-8601 timestamp; durations in milliseconds.
- Outcome: status (ok, error, fault, throttle), error.code, redacted error.message, retryable.

Scrubbing policy
- Denylist PII and secrets: emails, tokens, auth headers, private keys, passwords.
- Redact to "[redacted]" and add redaction.reason (secret, pii, tenant_policy).
- Hash low-cardinality identifiers with sha256 and mark hashed=true.
- Never log full request or response bodies; store hashes and lengths only.

Sampling defaults
- Traces: 10% non-prod, 5% prod; always sample error or audit spans.
- Logs: info logs rate-limited; warn and error never sampled.
- Metrics: never sampled; stable histogram buckets per component.

Redaction override
- Overrides require a ticket id and are time-bound.
- Config: telemetry.redaction.overrides and telemetry.redaction.override_ttl (default 24h).
- Emit telemetry.redaction.audit with actor, fields, and TTL.

Determinism and offline
- No external enrichers; use bundled service maps and tenant metadata only.
- Export ordering: timestamp, workload, operation.
- Always use UTC; NDJSON for log exports.