STRIDE Finding R1: No Audit Trail (Score 9)
Threat: Every command executed through `safe` leaves no trace. If an AI agent runs something destructive (even an allowed command), there's no record of what happened, when, or which agent invoked it.
Likelihood: 3 (High) — AI agents routinely execute many commands per session
Impact: 3 (High) — Without an audit trail, incident investigation and attribution are impossible
Current State
- Zero logging of executed commands
- No timestamps or caller attribution
- Git operations leave their own trail via reflog, but file ops, process kills, and docker commands are unlogged
- JSON output doesn't include execution context
Proposed Implementation
Add optional structured audit logging:
- Log file location: ~/.safecommands/audit.log (one line per command, JSON-L format)
- Log entry fields:
  - timestamp (ISO 8601)
  - command (group + name)
  - args (the arguments passed)
  - exitCode (result)
  - cwd (working directory)
  - duration (milliseconds)
  - user (system username)
- Configuration: opt-in via ~/.safecommands/config.json with "audit": true
- Rotation: simple size-based rotation (e.g., 10MB max, keep 3 files)
References
- STRIDE.md threat R1
- Real-world incidents where agents ran destructive commands with no trace (see specs/PRD.md)