Add unified metadata-only audit.jsonl with secret-material guard, instrument sign/access/worker paths, and expose warden activity CLI. Surface broker hint when VAULT_TOKEN is unset, refresh INTENT/SCOPE docs, and add production integration checklists plus catalog lane promotion playbook.
# Audit Trail — Unified ops-warden Activity
Date: 2026-07-01
Workplan: WARDEN-WP-0022
ops-warden records metadata only for every action it performs. No token, key, cert body, or other secret value ever lands in the audit log.
## What is recorded

| Kind | Source actions | Typical fields |
|---|---|---|
| sign | `warden sign`, `warden issue`, `cert_command` | actor, backend, TTL, policy_decision_id |
| access | `warden access --fetch` / `--exec` | need id, owner repo, subject, decision id, outcome |
| worker | `warden worker tick`, approve, full-auto execute | triage counts, draft id, outcome |
| hub | State Hub progress notes (`--hub`) | summary, author, event type |
## Storage

- Primary: `{state_dir}/audit.jsonl` — append-only JSONL (default `~/.local/state/warden/audit.jsonl`)
- Legacy (merged for back-compat): `signatures.log`, `access-audit.log`

Rotation: when `audit.jsonl` exceeds 5 MiB it is renamed to `audit.jsonl.1` and a fresh file starts.
## Secret-material guard

`record_event()` rejects fields that look like secret values (known token prefixes, high-entropy runs). Signing and proxy paths swallow audit failures so that the guard never blocks the primary action; tests prove that secret values cannot be written to the log.
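The guard and the swallow-failures wrapper, sketched as an added Python example that is not ops-warden's own code; the token prefixes, entropy threshold and minimum run length are constructed assumptions, since the page names neither.

```python
import json, math, re
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Assumed values: the page only says "known token prefixes" and "high-entropy runs".
TOKEN_PREFIXES = ("hvs.", "ghp_", "sk-", "AKIA")   # constructed list
ENTROPY_BITS = 4.0   # per-character Shannon entropy threshold (assumption)
MIN_RUN = 20         # only runs this long are judged by entropy (assumption)
ROTATE_BYTES = 5 * 1024 * 1024   # 5 MiB, as the page states

class SecretMaterialError(ValueError):
    """Raised when an audit field looks like a secret value."""

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_secret(value: str) -> bool:
    """True for known token prefixes or long high-entropy token-shaped runs."""
    if value.startswith(TOKEN_PREFIXES):
        return True
    for run in re.findall(r"[A-Za-z0-9+/=_\-]{%d,}" % MIN_RUN, value):
        if shannon_entropy(run) >= ENTROPY_BITS:
            return True
    return False

def record_event(path: Path, kind: str, **fields) -> dict:
    """Append one metadata-only event to audit.jsonl, refusing secret-shaped fields."""
    for key, val in fields.items():
        if isinstance(val, str) and looks_like_secret(val):
            raise SecretMaterialError(f"field {key!r} looks like secret material")
    if path.exists() and path.stat().st_size > ROTATE_BYTES:
        path.rename(path.with_name(path.name + ".1"))   # audit.jsonl -> audit.jsonl.1
    event = {"ts": datetime.now(timezone.utc).isoformat(), "kind": kind, **fields}
    with path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(event, sort_keys=True) + "\n")
    return event

def audited(path: Path, kind: str, **fields) -> bool:
    """How a sign/proxy path would call the guard: audit failure is swallowed,
    the primary action proceeds, and nothing secret-shaped reaches the file."""
    try:
        record_event(path, kind, **fields)
        return True
    except (SecretMaterialError, OSError):
        return False
```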
## Query

```sh
# Human table — last 7 days
warden activity

# Filter and JSON for agents
warden activity --days 3 --kind sign --json
warden activity --days 7 --hub --json
```
| Flag | Purpose |
|---|---|
| `--days N` | Look back N days (default 7) |
| `--kind sign\|access\|worker\|hub` | Filter by event kind |
| `--json` | Stable JSON array for automation |
| `--hub` | Include recent State Hub progress notes mentioning ops-warden |
## Linger and login independence

The coordination worker can run under a `systemd --user` timer with linger enabled (WARDEN-WP-0021). Audit events from worker ticks appear with `kind: worker`.

Full logged-out operational value still depends on State Hub and tunnels being reachable without an interactive login (State Hub on railiance01, cust-wp-0011). The audit trail is local-first; `--hub` adds narrative context when the hub is up.
## See also

- `wiki/OperatorAccessAssist.md` — metadata-only principle for access proxy
- `wiki/PolicyGatedSigning.md` — `policy_decision_id` on sign events
- `wiki/playbooks/scheduled-worker.md` — worker timer and review loop