Source: 2026-04-20 multi-expert AADM audit. Security auditor.
Problem
AADM never mentions Claude Code's JSONL session logs (which contain everything Claude read — secrets, PII, proprietary code that flowed through context). For SOC 2 / HIPAA, this is in-scope storage of customer data.
No guidance on log location, retention, encryption-at-rest, or which directories should be .gitignored. Prompt injection via files Claude reads (poisoned READMEs in third-party deps, malicious issue bodies) is also unaddressed.
Fix
Add tooling/templates/SECURITY-OPS.md covering:
- Session-log location and retention.
- Transcript redaction guidance.
- An "untrusted content" policy for Claude inputs (third-party docs, issue bodies, web fetches).
- Encryption-at-rest expectations.
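To make the "transcript redaction" and "retention" items concrete, here is an added illustration (not AADM or Claude Code code): a redaction pass over a JSONL session log plus a retention check. The record shape, the secret/PII patterns and the sample log are all constructed assumptions; the real log schema and your organisation's token formats will differ.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed secret/PII patterns; extend with your environment's token formats.
SECRET_PATTERNS = [
    (re.compile(r"AKIA[0-9A-Z]{16}"), "[REDACTED:aws_access_key]"),
    (re.compile(r"ghp_[A-Za-z0-9]{36}"), "[REDACTED:github_token]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[REDACTED:email]"),
]

def redact_value(value):
    """Recursively redact every string nested anywhere in a JSON value."""
    if isinstance(value, str):
        for pattern, label in SECRET_PATTERNS:
            value = pattern.sub(label, value)
        return value
    if isinstance(value, list):
        return [redact_value(v) for v in value]
    if isinstance(value, dict):
        return {k: redact_value(v) for k, v in value.items()}
    return value

def redact_jsonl(text):
    """Redact a JSONL transcript record by record; returns (text, changed_count)."""
    out, changed = [], 0
    for line in text.splitlines():
        if not line.strip():          # tolerate blank/trailing lines
            continue
        record = json.loads(line)
        cleaned = redact_value(record)
        changed += cleaned != record  # count records that actually changed
        out.append(json.dumps(cleaned))
    return "\n".join(out) + "\n", changed

def past_retention(timestamp, retention_days, now=None):
    """True when an ISO-8601 record timestamp is older than the retention window."""
    now = now or datetime.now(timezone.utc)
    ts = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return now - ts > timedelta(days=retention_days)

# Constructed sample in the shape of a JSONL session log (not a real transcript).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"type": "user", "timestamp": "2026-04-01T10:00:00Z",
     "message": {"content": "Use AKIAIOSFODNN7EXAMPLE to list buckets"}},
    {"type": "assistant", "timestamp": "2026-04-01T10:00:05Z",
     "message": {"content": [{"type": "text", "text": "Ask ops@example.com first"}]}},
    {"type": "assistant", "timestamp": "2026-04-01T10:00:09Z", "message": {"content": "Done."}},
])
```

Run `redact_jsonl(SAMPLE_LOG)` on a copy of a log before it leaves the workstation; the changed count is a cheap signal for how much sensitive material flowed through context.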
Acceptance
A new client engagement can answer "where do Claude's session logs live and how long are they kept?" by pointing at this template.