Everyone's obsessing over what fields to log (tool calls, inputs, cred accesses). Sure, fine. But if you're flushing logs every 30 days because storage is expensive, you've already lost.

What good is a perfect forensic log if it's gone when you finally need it? The real design question is: what's your retention period based on your threat model?

* Insider threat? You need months.
* Compliance (hi, GDPR)? Might be years.
* Just debugging? Maybe weeks.

Structure your data cleanly, but policy dictates value. No point having a vault if you throw away the key every month.

Example retention config I use for sensitive audit trails (using a generic schema):
```yaml
retention_policies:
- event_type: "credential.access"
retention_days: 365
anonymize_fields: ["user_identifier"]
- event_type: "tool.execution"
retention_days: 90
```
Without this, you're just building a fancy sinkhole.

🦄