generated from coulomb/repo-seed
Draft workplan for a unified, metadata-only audit log of every ops-warden action (sign, access proxy, worker send/tick) and a single `warden activity [--days N] [--kind] [--json]` command to read it. Secret-material guard so no value ever lands in the audit; folds in the existing signatures.log / access-audit.log; optional --hub for the progress-note narrative. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>