From dcda4d174d1d6f951f8a414bc6c4aa134c07ab64 Mon Sep 17 00:00:00 2001
From: martinshub-tech
Date: Mon, 29 Jun 2026 21:48:00 +0800
Subject: [PATCH] Remove x-user-email from audit logs; add test
---
 src/middleware/audit.ts | 1 -
 tests/audit.test.ts | 24 ++++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 tests/audit.test.ts
diff --git a/src/middleware/audit.ts b/src/middleware/audit.ts
index bc650ad8..eaac66e4 100644
--- a/src/middleware/audit.ts
+++ b/src/middleware/audit.ts
@@ -29,7 +29,6 @@ function getActorId(request: Request): string {
 return (
 getRequestHeader(request, 'x-admin-user') ||
 getRequestHeader(request, 'x-user-id') ||
- getRequestHeader(request, 'x-user-email') ||
 'anonymous'
 );
 }
diff --git a/tests/audit.test.ts b/tests/audit.test.ts
new file mode 100644
index 00000000..b672d5df
--- /dev/null
+++ b/tests/audit.test.ts
@@ -0,0 +1,24 @@
+import { logAuditMutation } from '@/middleware/audit';
+import { appendAuditLog } from '@/lib/audit';
+
+jest.mock('@/lib/audit');
+
+test('actorId never contains an email address', () => {
+ const mockRequest = new Request('http://example.com/api', {
+ method: 'POST',
+ headers: {
+ 'x-user-id': 'user-123',
+ },
+ });
+
+ logAuditMutation(mockRequest, {
+ action: 'create',
+ targetType: 'document',
+ targetId: 'doc-456',
+ statusCode: 200,
+ });
+
+ const logged = (appendAuditLog as jest.Mock).mock.calls[0][0];
+ expect(logged.actorId).not.toMatch(/@/);
+ expect(logged.actorId).toBe('user-123');
+});
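Review bot: The test in tests/audit.test.ts never sends an `x-user-email` header, so it also passes against getActorId as it was before this commit and does not pin the removal. Add a case whose only identity header is `x-user-email` and assert that `actorId` is `'anonymous'`, as in the excerpt below; the `mockClear()` is needed because `mock.calls[0]` would otherwise still be the first test's call. `not.toMatch(/@/)` adds nothing next to `toBe('user-123')`, and since getActorId appears to return `x-admin-user` / `x-user-id` verbatim, an email-shaped value in either header would still be written to the log, which is worth a comment or a follow-up if "never" is the requirement. Reading `mock.calls[0][0]` right after the call assumes logAuditMutation invokes appendAuditLog synchronously, which is not visible in this patch.

```typescript
// … unchanged: imports, jest.mock and the existing x-user-id test …

test('x-user-email alone is not used as actorId', () => {
  (appendAuditLog as jest.Mock).mockClear();
  const request = new Request('http://example.com/api', {
    method: 'POST',
    headers: { 'x-user-email': 'someone@example.com' }, // constructed sample value
  });

  logAuditMutation(request, {
    action: 'create',
    targetType: 'document',
    targetId: 'doc-456',
    statusCode: 200,
  });

  const logged = (appendAuditLog as jest.Mock).mock.calls[0][0];
  expect(logged.actorId).toBe('anonymous');
});
```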