feat(cli): structured write-action audit log #165

Merged: chmmou merged 1 commit into main from feat/cli-write-audit-log on May 16, 2026

@chmmou chmmou commented May 16, 2026

Owner

Adds cli.AuditRecord + cli.WriteAudit: every dispatched write action emits a logfmt line on stderr (always on, independent of --verbose) with timestamp, resolved login, KAS action, target, outcome (success/failure:<kas_code>/failure) and correlating fields. New global --audit-log flag (and KAS_AUDIT_LOG; flag wins) appends each record as JSON Lines to a 0600 file. Secrets stripped by cli.RedactParams in both sinks. Safety doc + docs/cli regenerated.

No command emits a record yet (no #13 write endpoint exists; sessions delete is a session logout, not an audited write) — that acceptance box transfers to the first write-command PR.

Refs #131.

Add cli.AuditRecord + cli.WriteAudit: every dispatched write action
gets a logfmt line on stderr (always on, independent of --verbose)
with RFC3339 timestamp, resolved login, KAS action, target, outcome
(success | failure:<kas_code> | failure via api.AsError) and
correlating fields. New global --audit-log flag (and KAS_AUDIT_LOG;
flag wins) appends each record as JSON Lines to a 0600 file. Secret
parameters are stripped by cli.RedactParams (explicit key set +
password/token/secret/auth_data substring rule) in both sinks. Safety
doc and docs/cli regenerated.

No command emits a record yet: no #13 write endpoint exists and
sessions delete is a session logout, not an audited write. That
acceptance box transfers to the first write-command PR.

Refs #131.
@chmmou chmmou merged commit ceca090 into main May 16, 2026
6 checks passed
@chmmou chmmou deleted the feat/cli-write-audit-log branch May 16, 2026 21:34
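
The redaction rule and the `--audit-log` file sink described in this PR, as an added sketch that is not the project's code: the type and function names, the `api_key` stand-in for the explicit key set, the lowercase key matching and the refusal of a pre-existing non-owner-only file are all assumptions. It covers the JSON Lines sink only, not the logfmt line on stderr.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

// Added example: hypothetical names, not the project's cli.AuditRecord or cli.RedactParams.
type auditRecord struct {
	Time, Login, Action, Target, Outcome string
	Params                               map[string]string `json:",omitempty"`
}
var explicitKeys = map[string]bool{"api_key": true} // assumed stand-in for the explicit key set
// redactParams returns a copy with secret-bearing keys removed (not masked); keys are lowercased first.
func redactParams(in map[string]string) map[string]string {
	out := map[string]string{}
	for k, v := range in {
		lk := strings.ToLower(k)
		drop := explicitKeys[lk]
		for _, s := range []string{"password", "token", "secret", "auth_data"} {
			drop = drop || strings.Contains(lk, s)
		}
		if !drop {
			out[k] = v
		}
	}
	return out
}
// appendJSONL appends one JSON line; 0600 only applies at creation, so an existing wider file is refused.
func appendJSONL(path string, r auditRecord) error {
	f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	if fi, err := f.Stat(); err != nil || fi.Mode().Perm()&0o077 != 0 {
		return fmt.Errorf("audit log %s must be owner-only (0600)", path)
	}
	return json.NewEncoder(f).Encode(r)
}
func main() {
	r := auditRecord{Time: time.Now().UTC().Format(time.RFC3339), Action: "update_dns", Outcome: "success"}
	r.Params = redactParams(map[string]string{"ttl": "300", "new_password": "constructed"}) // constructed sample
	if err := appendJSONL("audit.jsonl", r); err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
}
```
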