HighFile-scopePython Plug & play

Add proper logging for audit and debugging

Log key operations with structured fields (actor/resource/operation) at appropriate levels; include exception info on failures.

Why this matters

Enables traceability and forensics while keeping logs actionable.

Side-by-side examples engineers can pattern-match during review.

Avoid

logger.info('user updated')

Prefer

logger.info('user_update', extra={'user_id': uid, 'op': 'update', 'status': 'ok'})

Bad

logger.error('failed')

Good

logger.exception('update_failed', extra={'user_id': uid})

From the same buckets as this rule.

Critical
Check consent and role-based authorization before returning ePHI
Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.
compliance-hipaasecurity-hardening+2
Critical
Mask PAN and exclude SAD from logs
Never emit Primary Account Number (PAN) or Sensitive Authentication Data (SAD: CVV/CVC, full track data, PIN) to application or audit logs. Per PCI DSS 4.0 Req. 3 and 10, always mask PAN as first6last4 and fully redact SAD before logging.
compliance-pci-dssobservability-logging+1
High
Add comprehensive error logging
Log failures with operation name, key identifiers, and exception; prefer structured logging (fields).
error-handlingobservability-logging