docs: document audit sink configuration#125
Conversation
Co-authored-by: Rohan Gupta <thisrohangupta@users.noreply.github.com>
Findings:
- `README.md` now promises an "always enabled" stderr audit trail, but the implementation routes that sink through `createLogger()`, so it inherits `LOG_LEVEL` filtering. With `LOG_LEVEL=warn`, success audit events disappear; with `LOG_LEVEL=error`, even failed audit events disappear. That is a docs/runtime contract mismatch on a compliance-sensitive path.
- The branch is currently failing `build-and-test` because `pnpm docs:check` reports `README.md is stale. Run pnpm docs:generate to refresh.` On this repo, `README.md` is a generated/validated surface, so the hand-edited doc change needs the generated refresh before it meets the documentation contract.
Open questions / assumptions:
- I’m assuming Sunil’s architecture standards here mean keeping operator-facing docs aligned with the implemented contract and respecting repo-managed generated surfaces. I didn’t find other architecture-standard issues in this small diff.
Change summary:
- The PR adds audit sink env-var docs and expands the audit logging section in `README.md`, plus records the docs-only automation run in `tasks/todo.md`.
Sent by Cursor Automation: Sunil On Demand Architecture Review
| ### Audit Logging | ||
| All write operations (`harness_create`, `harness_update`, `harness_delete`, `harness_execute`) emit structured audit log entries to stderr. Each entry includes the tool name, resource type, operation, identifiers, and timestamp. This provides an audit trail without requiring external logging infrastructure. | ||
| The registry emits a structured audit event for every registry-mediated Harness API call, including `list`, `get`, `create`, `update`, `delete`, and `execute` operations. This covers the generic API tools (`harness_list`, `harness_get`, `harness_create`, `harness_update`, `harness_delete`, `harness_execute`) and records both successful and failed calls. |
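Review bot: the replacement paragraph drops the statement of what each entry contains (tool name, resource type, operation, identifiers, timestamp) that the removed paragraph gave, so an operator reading the new text learns which calls are audited but not what an event carries. Suggest keeping a sentence such as "Each event includes the tool name, resource type, operation, identifiers, and timestamp." after the new first sentence, provided that is still what the registry emits.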
This repo treats README.md as a generated/validated artifact via scripts/generate-docs.js, and CI is already failing pnpm docs:check on this branch with README.md is stale. Run pnpm docs:generate to refresh. Please regenerate the README before merge; otherwise the docs change doesn’t satisfy the repo’s source-of-truth workflow.
| | Sink | How to enable | Behavior | | ||
| | ---- | ------------- | -------- | | ||
| | Stderr | Always enabled | Writes each event through the server logger. Success events log at `info`; failed calls log at `warn`. | |
StderrSink is registered unconditionally, but it writes through createLogger("audit"), so it is still gated by the global LOG_LEVEL. That means this "Always enabled" row overstates the current behavior: at LOG_LEVEL=warn successful audit events are suppressed, and at LOG_LEVEL=error even failed audit events are suppressed. The docs should mention the log-level dependency, or the sink should bypass normal logger filtering if an always-on audit trail is the intended standard.
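To make the gating concrete, here is an added TypeScript sketch that is not the repository's own code: `createLogger()` and both sinks are simplified stand-ins and the events are constructed. It puts an audit sink routed through a `LOG_LEVEL`-filtered logger beside one that writes to the stream directly, so the difference between "registered unconditionally" and "always emits" is visible.

```typescript
// Added illustration, not the project's code: createLogger() and both sinks are stand-ins.
type Level = "debug" | "info" | "warn" | "error";
const RANK: Record<Level, number> = { debug: 0, info: 1, warn: 2, error: 3 };

interface AuditEvent {
  tool: string;      // e.g. harness_execute
  operation: string; // list | get | create | update | delete | execute
  ok: boolean;       // successful or failed call
  timestamp: string;
}
type Writer = (line: string) => void;

// Stand-in for a createLogger() that honours the LOG_LEVEL threshold.
function createLogger(logLevel: Level, write: Writer) {
  return (level: Level, msg: string): void => {
    if (RANK[level] < RANK[logLevel]) return; // below threshold: silently dropped
    write(`[${level}] ${msg}`);
  };
}

// Sink routed through the logger: success -> info, failure -> warn.
// Whether anything reaches the stream therefore depends on LOG_LEVEL.
function loggerGatedSink(logLevel: Level, write: Writer) {
  const log = createLogger(logLevel, write);
  return (ev: AuditEvent): void => log(ev.ok ? "info" : "warn", JSON.stringify(ev));
}

// Sink that bypasses the logger: every event is written regardless of LOG_LEVEL.
function alwaysOnSink(write: Writer) {
  return (ev: AuditEvent): void => write(JSON.stringify({ audit: true, ...ev }));
}

// Constructed sample: one successful and one failed registry call.
const SAMPLE_EVENTS: AuditEvent[] = [
  { tool: "harness_get", operation: "get", ok: true, timestamp: "2024-01-01T00:00:00Z" },
  { tool: "harness_execute", operation: "execute", ok: false, timestamp: "2024-01-01T00:00:01Z" },
];

// Run the sample through one sink at a given LOG_LEVEL; return the lines that were emitted.
function emittedLines(logLevel: Level, bypassLogger: boolean): string[] {
  const out: string[] = [];
  const write: Writer = (line) => { out.push(line); };
  const sink = bypassLogger ? alwaysOnSink(write) : loggerGatedSink(logLevel, write);
  for (const ev of SAMPLE_EVENTS) sink(ev);
  return out;
}

// Stand-alone run: gated sink emits 2, 1, 0 lines at info/warn/error; always-on emits 2 each time.
for (const level of ["info", "warn", "error"] as Level[]) {
  console.error(`LOG_LEVEL=${level}: gated=${emittedLines(level, false).length} always-on=${emittedLines(level, true).length}`);
}
```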


Description
Updates the README audit documentation so operator-facing guidance matches the current registry audit implementation.
Verification note: attempted `pnpm docs:check`, but the automation image has neither `pnpm` nor `node` on PATH. Verified source-backed docs claims with targeted `rg` checks against `src/config.ts`, `src/audit/*`, and `src/registry/index.ts`, and verified the committed change set is docs-only with `git show --stat --oneline HEAD`.