[Security][Low] Verbose PII logging — userId, documentId, editId emitted at INFO level #71

@bmersereau

Severity: Low

File: backend/src/routes/documents.ts:635-638 (and ~10 similar calls throughout the edit-resolution handler)
CWE: CWE-209 — Information Exposure Through an Error Message
OWASP: A09:2021 — Security Logging and Monitoring Failures

Description

The edit-resolution handler emits user IDs, document IDs, and edit IDs at INFO level on every accept/reject operation:

console.log(`[edit-resolution] incoming ${mode}`, {
    userId,
    documentId,
    editId,
});

This pattern repeats approximately 10 times through the handler.

Impact

In a cloud environment with log aggregation, these identifiers appear in any log pipeline or third-party logging service. This expands the scope of a log system breach and, in a legal document context, may link user activity to specific legal matters. This conflicts with data minimization principles under GDPR and similar privacy regulations.

Fix

Remove all INFO-level console.log calls that include user/document/edit identifiers from this handler. Retain console.error for genuine failure cases only, and strip or hash PII fields:

// Before
console.log(`[edit-resolution] incoming ${mode}`, { userId, documentId, editId });

// After — use DEBUG-level, no PII in default log output
if (process.env.NODE_ENV !== "production") {
    console.debug(`[edit-resolution] incoming ${mode}`);
}

Remediation tier: Backlog — schedule within 90 days.
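
One way to implement the "strip or hash PII fields" part of the fix, as an added example that is not part of the issue or the project's code: a small logging helper that suppresses non-error levels in production and replaces identifier values with keyed-hash tokens. The helper names (`pseudonymize`, `scrubFields`, `logEvent`), the `production`/`key` options and the sample values are assumptions made for illustration.

```typescript
import { createHmac } from "node:crypto";

type Level = "debug" | "info" | "error";
type Fields = Record<string, unknown>;
type LogOptions = { production: boolean; key: string };

// Identifier fields named in the issue; extend the set for other handlers.
const ID_FIELDS = new Set(["userId", "documentId", "editId"]);

// Keyed hash (HMAC-SHA256, truncated to 64 bits): the same ID always maps to
// the same token, so events can still be correlated, but the token cannot be
// reversed or brute-forced from the logs alone without the key.
function pseudonymize(value: string, key: string): string {
  return createHmac("sha256", key).update(value).digest("hex").slice(0, 16);
}

// Copy the fields, replacing identifier values with their tokens.
function scrubFields(fields: Fields, key: string): Fields {
  const out: Fields = {};
  for (const name of Object.keys(fields)) {
    const value = fields[name];
    out[name] =
      ID_FIELDS.has(name) && value != null ? pseudonymize(String(value), key) : value;
  }
  return out;
}

// Returns the line that was written, or null when the level is suppressed.
// In production only "error" is emitted; elsewhere every level is.
function logEvent(level: Level, message: string, fields: Fields, opts: LogOptions): string | null {
  if (opts.production && level !== "error") return null;
  const line = `${message} ${JSON.stringify(scrubFields(fields, opts.key))}`;
  if (level === "error") {
    console.error(line);
  } else {
    console.debug(line);
  }
  return line;
}

// Constructed sample values, not taken from the project. The key is a
// placeholder; a real one would come from the deployment's secret store.
const demoOpts: LogOptions = { production: true, key: "constructed-demo-key" };
const demoFields: Fields = { userId: "u-1001", documentId: "d-2002", editId: "e-3003", mode: "accept" };
logEvent("info", "[edit-resolution] incoming accept", demoFields, demoOpts); // suppressed
logEvent("error", "[edit-resolution] failed", demoFields, demoOpts); // IDs tokenized
```

Keep the HMAC key out of the log pipeline itself; anyone holding both the key and a list of candidate IDs can recompute the tokens.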
