[Compliance] AI usage anonymization misses metadata-stored prompts #546

@2witstudios

Summary

The AI usage anonymization job targets ai_usage_logs.prompt/completion, but runtime writes store prompt/completion snippets under metadata, which can leave prompt-like content unredacted until full row purge.

Evidence

  • Runtime writer stores snippets in metadata, not dedicated columns:
    • /Users/jono/production/PageSpace/packages/lib/src/monitoring/ai-monitoring.ts:487
  • DB insert path does not set prompt/completion columns:
    • /Users/jono/production/PageSpace/packages/lib/src/logging/logger-database.ts:192
  • Anonymizer only nulls prompt and completion columns:
    • /Users/jono/production/PageSpace/packages/lib/src/logging/ai-usage-purge.ts:17
  • Cron explicitly intends 30-day anonymization before 90-day purge:
    • /Users/jono/production/PageSpace/apps/web/src/app/api/cron/purge-ai-usage-logs/route.ts:9

Why This Matters

The current 30-day anonymization step can be ineffective for data actually stored in metadata, causing retention behavior to diverge from policy intent.

Proposed Work

  1. Choose one canonical storage model for prompt/completion snippets (columns vs metadata).
  2. Update write path and purge/anonymization logic to align to that model.
  3. Ensure scrub covers all prompt/completion-bearing locations.
  4. Add tests proving anonymization removes prompt-like data at 30 days.

Acceptance Criteria

  • Prompt/completion snippets are stored and redacted consistently with documented policy.
  • 30-day anonymization demonstrably removes prompt/completion content from persisted records.
  • 90-day purge still removes rows as expected.
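
One way to approach proposed-work items 3 and 4, as an added example that is not PageSpace code: a scrub that covers both the dedicated columns and nested metadata, plus a residual check a test can assert on. The row shape, the metadata key names `prompt`/`completion`, and every function name here are assumptions, since the issue does not show the schema.

```typescript
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };
type JsonObject = { [k: string]: Json };
interface AiUsageRow {
  timestamp: Date; prompt: string | null; completion: string | null; metadata: JsonObject | null;
}

// Assumed key names; the issue does not list the exact metadata fields.
const SENSITIVE_KEYS = ["prompt", "completion"];
const DAY_MS = 24 * 60 * 60 * 1000;
const isSensitive = (key: string): boolean => SENSITIVE_KEYS.indexOf(key.toLowerCase()) !== -1;

// Copy of `value` with sensitive keys removed at every nesting depth.
function scrubJson(value: Json): Json {
  if (Array.isArray(value)) return value.map((v) => scrubJson(v));
  if (value === null || typeof value !== "object") return value;
  const out: JsonObject = {};
  for (const key of Object.keys(value)) {
    if (!isSensitive(key)) out[key] = scrubJson(value[key]);
  }
  return out;
}

// 30-day step. scrubMetadata=false reproduces the columns-only behaviour from the issue.
function anonymizeRow(row: AiUsageRow, now: Date, scrubMetadata = true, days = 30): AiUsageRow {
  if (now.getTime() - row.timestamp.getTime() < days * DAY_MS) return row;
  const metadata = scrubMetadata && row.metadata ? (scrubJson(row.metadata) as JsonObject) : row.metadata;
  return { timestamp: row.timestamp, prompt: null, completion: null, metadata };
}

// Paths that still hold prompt/completion content; an empty list means the row is clean.
function residualPaths(row: AiUsageRow): string[] {
  const found: string[] = [];
  const walk = (value: Json, path: string): void => {
    if (Array.isArray(value)) return value.forEach((v, i) => walk(v, `${path}[${i}]`));
    if (value === null || typeof value !== "object") return;
    for (const key of Object.keys(value)) {
      if (!isSensitive(key)) walk(value[key], `${path}.${key}`);
      else if (value[key] !== null) found.push(`${path}.${key}`.replace(/^\./, ""));
    }
  };
  walk({ prompt: row.prompt, completion: row.completion, metadata: row.metadata }, "");
  return found;
}

// Constructed sample: a 31-day-old row shaped like the write path the issue describes.
const NOW = new Date("2025-03-01T00:00:00Z");
const sampleRow: AiUsageRow = {
  timestamp: new Date(NOW.getTime() - 31 * DAY_MS), prompt: null, completion: null,
  metadata: { model: "example-model", prompt: "constructed prompt", request: { completion: "constructed reply" } },
};
```

On the sample row, `residualPaths(anonymizeRow(sampleRow, NOW, false))` reports the two metadata paths that a columns-only pass leaves behind, while the default call returns a row with no residual paths.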
