audit

package
v0.9.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 1, 2026 License: MIT Imports: 8 Imported by: 0

Documentation

Index

Constants

View Source
const (
	ActionBlockedPath = "blocked_path" // file tool blocked due to protected path
	ActionBlockedCmd  = "blocked_cmd"  // Bash command blocked due to protected path
	ActionMasked      = "masked"       // secret value replaced with placeholder in tool output
)

Action constants for audit log entries.

Variables

This section is empty.

Functions

func AppendEntry

func AppendEntry(repoRoot, tool, action, target, pattern string) error

AppendEntry appends a new signed entry to .envault/ai-secure.log. The entry's hash chains from the last entry in the log.

func VerifyChain

func VerifyChain(entries []Entry) error

VerifyChain checks that the hash chain in entries is intact. Returns the first error found, or nil if the chain is valid.

Types

type Entry

type Entry struct {
	Time    string `json:"t"`
	Tool    string `json:"tool"`
	Action  string `json:"action"`
	Target  string `json:"target"`  // file path, command snippet, or masked secret name
	Pattern string `json:"pattern"` // matched protect pattern (empty for masked entries)
	Prev    string `json:"prev"`    // hash of the immediately preceding entry
	Hash    string `json:"hash"`    // SHA256 of this entry (fields above, not hash itself)
}

Entry is a single record in the audit log.

func LoadEntries

func LoadEntries(repoRoot string) ([]Entry, error)

LoadEntries reads and parses all entries from .envault/ai-secure.log. Returns nil (not an error) when the log does not exist.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL