Audit rails query invocations and tag agent-driven runs #154
Subscribes to the query.rails ActiveSupport::Notifications event emitted by Rails 8.2's rails query command and records each invocation as a session in the configured session logger, matching the audit trail already produced for rails console. When a known agent env var is present, include its label in the session reason (e.g. 'rails query (via Claude Code)') so audit trails can distinguish between human and agent-driven queries. Known agents and the override via QUERY_AGENT are configurable on the auditor class.
YAGNI — the known_agents map already covers the realistic detection surface, and consumers can extend it without needing a separate generic override.
Pull request overview
This PR upstreams auditing for the new rails query command by subscribing to query.rails notifications and recording each invocation as a Console1984 session, optionally tagging sessions as agent-driven based on known env vars (or a QUERY_AGENT override).
Changes:
- Add `Console1984::QueryAuditor` subscriber to create sessions + record the query expression as a command.
- Register the subscriber from the engine so it’s active automatically.
- Add tests covering session creation, expression logging, and agent labeling/override behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| lib/console1984/query_auditor.rb | Implements the query.rails subscriber, session reason construction, and agent detection. |
| lib/console1984/engine.rb | Installs the subscriber via a Rails initializer. |
| test/query_auditor_test.rb | Adds coverage for session creation, expression logging, and agent labeling behavior. |
Other tests mutate the shared MutableUsernameEnvResolver, so pin it to jorge in setup rather than relying on the dummy app default.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
Summary
Adds an audit subscriber for the `rails query` command introduced in rails/rails#57156 (Rails 8.2+). Each `rails query` invocation is recorded as a session in the configured session logger — same audit trail as `rails console`.

When a known coding-agent env var is present in the environment, its label is appended to the session reason so audit trails can distinguish human from agent-driven queries:

- `CLAUDECODE=1` → `rails query (via Claude Code)`
- `CODEX_THREAD_ID=<uuid>` → `rails query (via Codex)`

Both env markers were verified by inspecting a live agent session. The map is configurable:
The subscriber no-ops outside protected environments, so it's safe to register unconditionally from the engine.
Context
Haystack and Queenbee both ship a copy of this subscriber today as an app-level initializer. Upstreaming avoids the duplication and gives any console1984 consumer on Rails 8.2+ the audit trail for free.
Test plan
`bundle exec rails test` — 83 runs, 0 failures, 0 errors
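
The flow described in the summary above, as an added Ruby sketch that is not the PR's code or console1984's API: one handler call per `query.rails` event, a session reason tagged from the two env markers listed above, and a no-op outside protected environments. `QueryAuditSketch`, `MemorySessionLogger`, the `:expression` payload key and the `USER` username lookup are assumptions made for illustration.

```ruby
# Added sketch; every class and method name here is hypothetical.
KNOWN_AGENTS = {
  "CLAUDECODE"      => "Claude Code",
  "CODEX_THREAD_ID" => "Codex"
}.freeze

# In-memory stand-in for the configured session logger.
class MemorySessionLogger
  Session = Struct.new(:username, :reason, :commands)
  attr_reader :sessions

  def initialize
    @sessions = []
  end

  def start_session(username, reason)
    @sessions << Session.new(username, reason, [])
    @sessions.last
  end
end

class QueryAuditSketch
  def initialize(logger:, protected_env:, known_agents: KNOWN_AGENTS)
    @logger = logger
    @protected_env = protected_env
    @known_agents = known_agents
  end

  # Handles one query.rails event. The :expression payload key and the
  # USER-based username are assumptions, not taken from the PR.
  def call(payload, env: ENV)
    return unless @protected_env # no-op outside protected environments

    session = @logger.start_session(env.fetch("USER", "unknown"), reason_for(env))
    session.commands << payload[:expression].to_s
    session
  end

  # The first known marker set to a non-empty value decides the label.
  def reason_for(env)
    _, label = @known_agents.find { |var, _| !env[var].to_s.empty? }
    label ? "rails query (via #{label})" : "rails query"
  end
end
```

Because the label is read from environment variables that the invoking process controls, it works as a triage hint in the audit trail rather than as proof of who ran the query.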