Symptom

Merchants report that sensitive fields like card, bank_account, and payment_method_details are arriving as "[REDACTED]" in webhook payloads. The payload should contain the full payment details — redaction is only meant for internal audit logs.

What you know

Dispatch records a timeline of events for auditing. Before storing a timeline entry, sensitive fields are redacted for PCI compliance. This redaction should only affect the timeline log, not the actual webhook delivery.

The pipeline processes events in this order:

1. Timeline recording (for audit) -- redacts sensitive fields
2. Payload serialization for HTTP delivery

Merchants need the full payload with card details, but they only see "[REDACTED]".

Event (payload has card, bank_account, payment_method_details)
  → Timeline Recorder (redacts sensitive fields for audit log)
  → HTTP Delivery (serializes event.payload for merchant)
                    ↑
                    payload.card is now "[REDACTED]"!

// Original event payload:
{
  "amount": 5000,
  "currency": "usd",
  "card": { "last4": "4242", "brand": "visa" },
  "bank_account": { "last4": "6789" },
  "description": "Payment for Order #1234"
}

// Payload delivered to merchant:
{
  "amount": 5000,
  "currency": "usd",
  "card": "[REDACTED]",
  "bank_account": "[REDACTED]",
  "description": "Payment for Order #1234"
}