Goal
Provide complete local auditability for command execution and secret delivery without logging secret values or sensitive command bodies.
Scope
- Record every approved, denied, failed, and repaired secret-delivery decision.
- Capture stable redacted metadata for CLI identity, command classification, target identity, secret alias, policy epoch, delivery grants, decision result, and coarse outcome.
- Derive usage statistics from the audit log rather than a separate source of truth.
Milestones
- Define a versioned audit event schema and migration policy.
- Add append-only local audit storage with tamper-evident chaining or equivalent local integrity protection.
- Add query APIs for time windows, CLI names, secret aliases, users, decisions, and policy epochs.
- Add CLI commands for audit list, audit show, audit stats, and redacted export.
- Add native app views for audit timeline, secret usage, command decisions, denials, and repair actions.
- Add retention, pruning, and export settings that never weaken redaction.
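The tamper-evident chaining milestone, sketched as an added example (not the project's own code): each record stores the SHA-256 of the previous record's hash plus its own canonical JSON, and an allowlist rejects any field that is not redacted metadata. The field names, the `GENESIS` value, the function names and the sample events are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first record's "prev"
# Hypothetical field names, modelled on the metadata listed under Scope.
ALLOWED_FIELDS = {"schema_version", "ts", "cli", "command_class", "target",
                  "secret_alias", "policy_epoch", "decision", "outcome"}

def _digest(prev_hash, event):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash stable.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_event(log, event):
    """Append one event; refuse any field outside the redacted allowlist."""
    extra = set(event) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"non-allowlisted fields: {sorted(extra)}")
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"prev": prev_hash, "event": dict(event),
              "hash": _digest(prev_hash, event)}
    log.append(record)
    return record

def verify_chain(log):
    """Return the index of the first broken record, or -1 if the chain holds."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev_hash or rec["hash"] != _digest(prev_hash, rec["event"]):
            return i
        prev_hash = rec["hash"]
    return -1

def head_hash(log):
    """Hash of the newest record; store it outside the log to detect truncation."""
    return log[-1]["hash"] if log else GENESIS

def build_sample_log():
    # Constructed sample events; every value here is synthetic.
    log = []
    for n, decision in enumerate(["approved", "denied", "approved"]):
        append_event(log, {"schema_version": 1, "ts": 1700000000 + n,
                           "cli": "example-cli", "command_class": "deploy",
                           "secret_alias": "db-readonly", "policy_epoch": 7,
                           "decision": decision, "outcome": "ok"})
    return log
```

The chain proves internal consistency only: dropping the newest records or rewriting the whole file still verifies, so the value from `head_hash` has to be kept somewhere the log writer cannot rewrite.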
Acceptance criteria
- Audit records never contain provider tokens, raw secret values, raw request bodies, full environment snapshots, shell history, or unredacted command text.
- Statistics can report who ran which command, when it ran, which secret alias was delivered, and how often each alias was used.
- Audit export passes redaction gates and contract tests with synthetic token-shaped values.
- Audit data remains useful after adapter upgrades, policy migrations, and platform-specific storage changes.
Roadmap source: ROADMAP.md, Direction 2.