Worker-side durable audit for memory + cred data-plane ops (store/fetch) #229

@hanwencheng

Context

Split out from the Codex adversarial review of #228 (agent-side credential store/fetch). Finding #2 [high]: a plaintext credential fetch returns the secret with only a tracing::info! log — no durable audit event.

On investigation this is pre-existing and repo-wide, not specific to cred:

  • The memory MCP tool (crates/agentkeys-mcp-server/src/tools/memory.rs) also audits only via tracing::info! (it literally labels that "Audit trail").
  • Neither the memory worker (crates/agentkeys-worker-memory) nor the cred worker (crates/agentkeys-worker-creds) emits a durable audit on store/fetch.
  • Durable audit today is a separate explicit call (agentkeys.audit.append / the audit worker); the data-plane read/write paths don't auto-emit it.

Scope

  • Emit a durable audit event for store/fetch on the data-plane workers — after cap-verify, before returning success/plaintext — covering memory, cred, and config symmetrically (per-data-class, no asymmetry).
  • Include service + cap/payload hash (NOT plaintext), op kind (e.g. CredFetch / MemoryGet), result, and audit failures too.
  • Decide emit point: worker-side (preferred — closest to the secret release, defense-in-depth vs broker compromise) vs MCP-tool-side.
  • Explicitly NOT a cred-only change: bolting audit onto cred alone would create the cred-vs-memory asymmetry the per-data-class design avoids.

Acceptance

  • A cred fetch and a memory get each produce a durable audit event (off-chain feed + on-chain anchor per the two-tier audit model), asserted by tests.
  • No plaintext in the audit payload.
  • Symmetric coverage across credential / memory / config workers.

Effort

~M (touches the 2-3 data-plane workers + audit emission path + tests).

Refs: #228 (PR), #198 (source feature).
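
A sketch of the worker-side emit point described under Scope, added here as an example; it is not code from the issue or from the agentkeys crates. `AuditEvent`, `AuditSink`, `MemSink`, `audited_fetch` and the sample service names are hypothetical, the digest is a non-cryptographic stand-in, and failing closed when the audit append fails is an assumption of the sketch.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Hypothetical types for this sketch; not the agentkeys crates' API.
#[derive(Debug, Clone, PartialEq)]
pub enum OpKind { CredFetch, MemoryGet }

#[derive(Debug, Clone, PartialEq)]
pub struct AuditEvent {
    pub service: String,
    pub op: OpKind,
    pub cap_hash: String,     // hash of the capability, never the capability itself
    pub payload_hash: String, // hash of the payload, never the plaintext
    pub ok: bool,
}

pub trait AuditSink { fn append(&mut self, ev: AuditEvent) -> Result<(), String>; }

// In-memory sink standing in for the durable audit worker.
#[derive(Default)]
pub struct MemSink { pub events: Vec<AuditEvent>, pub fail: bool }
impl AuditSink for MemSink {
    fn append(&mut self, ev: AuditEvent) -> Result<(), String> {
        if self.fail { return Err("audit unavailable".into()); }
        self.events.push(ev);
        Ok(())
    }
}

// Stand-in digest: DefaultHasher is NOT cryptographic; a real worker needs e.g. SHA-256.
fn digest(data: &[u8]) -> String {
    let mut h = DefaultHasher::new();
    data.hash(&mut h);
    format!("{:016x}", h.finish())
}

/// Data-plane read: cap-verify result in, audit event appended, only then plaintext out.
pub fn audited_fetch(sink: &mut dyn AuditSink, service: &str, op: OpKind,
                     cap: &[u8], cap_valid: bool, secret: &[u8]) -> Result<Vec<u8>, String> {
    let ev = AuditEvent {
        service: service.to_string(), op,
        cap_hash: digest(cap),
        // Denied requests never touch the secret, so no payload hash is recorded.
        payload_hash: if cap_valid { digest(secret) } else { String::new() },
        ok: cap_valid,
    };
    // Assumption of this sketch: fail closed when the event cannot be appended.
    sink.append(ev).map_err(|e| format!("audit append failed: {}", e))?;
    if cap_valid { Ok(secret.to_vec()) } else { Err("capability rejected".into()) }
}
```

The same function serves `CredFetch` and `MemoryGet`, which is the per-data-class symmetry the Scope section asks for; denied requests are recorded as well as successful ones.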

Labels: area/audit (Audit worker, two-tier audit (off-chain feed + on-chain anchor))
