passwordForbidden secret field
UnsafeApi/Controllers/AuthController.cs:47Structured field is forbidden by the active policy.
Fix: Remove the value; retain outcome and correlation context.
apiKeyAPI token may be logged
node-api/src/middleware/requestLogger.ts:32Field matches the token rule through a configured alias.
Fix: Log token type and validation result, not the token.
userEmailEmail in structured field
python-api/app/orders.py:81Field matches the email warning rule through an alias.
Fix: Prefer a non-sensitive reference or govern explicitly.

