From c8e125b47dcf183ef24f1bd560e7d3fef3f16895 Mon Sep 17 00:00:00 2001
From: Androz2091
Date: Thu, 30 Apr 2026 22:07:52 -0700
Subject: [PATCH] fix(security): stop logging the package link (it contains the UPN key)

The package link ends with ?upn=, where UPN is the AES key the worker uses to encrypt that user's data. Logging the link puts the decryption key in CloudWatch for the duration of the log group's retention window (30 days), which contradicts the README's stated security model ('encryption key must always remain on the client side, must never be stored on the server side'). Drop the link from the print; package_id alone is enough to correlate log lines.
---
 src/tasks.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/tasks.py b/src/tasks.py
index 47f8cbd..0386e5c 100644
--- a/src/tasks.py
+++ b/src/tasks.py
@@ -919,7 +919,10 @@ def process_package(package_status_id, package_id, link, worker_name='regular_pr
     worker Lambda in production.
     worker_name lets premium-only work skip the regular-process path; we only run regular_process today.
     """
-    print(f'handling package {package_id} with link {link}')
+    # Don't log the link itself: it ends with ?upn=, which is the
+    # AES key for that user's encrypted blob. Logging it would put the
+    # decryption key in CloudWatch.
+    print(f'handling package {package_id}')
     session = Session()
     package_status = session.query(PackageProcessStatus).filter(PackageProcessStatus.id == package_status_id).first()
     if not package_status:
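Review bot: Removing `{link}` from this one print fixes the visible leak, but the full `link` (query string included) is still the value held in the function's locals for the rest of `process_package`, whose body continues outside the hunk, so any later print of it, any exception message that embeds the URL (HTTP-client errors commonly include the requested URL), or a future log line reintroduces the key into CloudWatch. It would be more robust to strip the secret once at the top of the function and use the stripped form for anything that may be logged, e.g. `safe_link = urlsplit(link)._replace(query='').geturl()` (with `from urllib.parse import urlsplit`), keeping the original `link` only for the fetch itself. The new comment could also state that rule so the next maintainer does not add the link back: `# Only safe_link may appear in logs or error messages; link carries the per-user key in its query string.` Whether the later body already logs or persists the link cannot be seen from this hunk and should be checked in the same pass.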