Compliance
Compliance gives operators security, RBAC, audit-log, and retention views without mixing them into unrelated modules.
On this page
Where to look
| Area | Paths |
|---|---|
| Routes | src/app/(dashboard)/admin/security, src/app/(dashboard)/admin/audit-log |
| Security overview | src/features/compliance/server/security/queries.ts |
| Permission matrix | src/features/compliance/server/permissions/matrix-query.ts |
| Audit | src/features/compliance/server/audit/query.ts, redaction.ts, descriptions.ts, values.ts |
| Retention | src/features/compliance/server/retention/service.ts |
| Shared | src/features/compliance/shared/types.ts, formatters.ts |
| UI | src/features/compliance/ui/security-dashboard.tsx, audit-log-client.tsx |
Code-backed compliance map
Security and audit surfaces
Admin pages render security overview, permission matrix, audit log, and retention status.
src/app/(dashboard)/admin/security/page.tsxsrc/app/(dashboard)/admin/audit-log/page.tsxsrc/features/compliance/ui/security-dashboard.tsxsrc/features/compliance/ui/audit-log-client.tsx
Compliance reads
Security, permission, and audit queries keep admin reporting server-owned and role-aware.
src/features/compliance/server/security/queries.tssrc/features/compliance/server/permissions/matrix-query.tssrc/features/compliance/server/audit/query.ts
Redaction and retention
Audit redaction and retention services preserve useful context without exposing sensitive payloads.
src/features/compliance/server/audit/redaction.tssrc/features/compliance/server/audit/descriptions.tssrc/features/compliance/server/retention/service.ts
Compliance reporting flow
- 1
Gate admin routes
Security and audit surfaces should only render after server-side access checks.
src/app/(dashboard)/admin/security/page.tsxsrc/lib/auth/guards/route.ts
- 2
Read security and permission state
Dashboard cards and permission matrix exports are assembled from compliance-owned server queries.
src/features/compliance/server/security/queries.tssrc/features/compliance/server/permissions/matrix-query.ts
- 3
Redact audit fields by role
Audit descriptions, values, and redaction helpers keep logs useful without exposing raw sensitive payloads.
src/features/compliance/server/audit/query.tssrc/features/compliance/server/audit/redaction.tssrc/features/compliance/server/audit/values.ts
- 4
Run retention as protected work
Retention cleanup is handled by the compliance service behind the protected cron route.
src/features/compliance/server/retention/service.ts
Audit redaction branch
Source: src/features/compliance/server/audit/redaction.ts
Profile audit entries preserve role changes but remove raw metadata and sensitive state.
if (entry.entityType === "profile") {
return {
...entry,
actorEmail: maskedActorEmail,
targetLabel: maskedTargetLabel,
description: maskedDescription,
metadata: {},
beforeState: pickObjectKeys(entry.beforeState, ["role"]),
afterState: pickObjectKeys(entry.afterState, ["role"]),
redacted: true,
};
}Compliance rules
- Keep admin-only pages behind server-side role checks.
- Do not log secrets, raw tokens, or full provider payloads.
- Preserve stable identifiers in audit entries.
- Treat retention work as operational work and make it easy to verify.