Minimal Logging
Scenario: The user sends a vibration request payload like:
{
"device_id": "toy-5832",
"pattern": [
{ "speed": 0.8, "duration_ms": 4000 }
]
}
Policy Actions
The device_id is hashed before logging or stored in anonymized form
The payload is NOT stored in logs unless the request is marked with a debug=true query parameter and the user is verified as developer/admin
Metadata like User-Agent is redacted in session logs
WebSocket relays use session_id tokens; raw commands are abstracted from stored logs