6c393d8069
New securityRegistry (separate from companionRegistry) with two read-only, secret-free tools for the Yerin security agent: - audit_log: query the redacted audit trail by actor_kind/actor_id - agent_inventory: list agents + capabilities/scopes (explicit projection, never SELECT *, no token material) Follows the existing createRegistry() pattern. Design + wiring roadmap in docs/yerin-security-agent.md. Not yet seeded/exposed over MCP (left for review). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
27 lines
1.2 KiB
JavaScript
27 lines
1.2 KiB
JavaScript
import * as audit from '../../../../db/repos/audit.js';
|
|
|
|
// Yerin's window into the audit trail. Read-only. The audit repo already
|
|
// redacts sensitive diff keys (token/password/api_key/secret/authorization)
|
|
// at write time, so entries are safe to surface.
|
|
export const auditLogTool = {
|
|
name: 'audit_log',
|
|
description: 'Review the security audit trail: who (which actor) did what, newest first. Filter by actor_kind (user/agent/cron/worker/system) and/or actor_id to investigate a specific principal.',
|
|
input_schema: {
|
|
type: 'object',
|
|
properties: {
|
|
actor_kind: {
|
|
type: 'string',
|
|
enum: ['user', 'agent', 'cron', 'worker', 'system'],
|
|
description: 'optional: only entries from this kind of actor'
|
|
},
|
|
actor_id: { type: 'string', description: 'optional: only entries from this actor id (uuid)' },
|
|
limit: { type: 'integer', description: 'max entries (default 50, max 200)' }
|
|
}
|
|
},
|
|
async handler({ actor_kind, actor_id, limit } = {}, _ctx) {
|
|
const capped = Math.min(Math.max(Number(limit) || 50, 1), 200);
|
|
const entries = await audit.listByActor({ actor_kind, actor_id, limit: capped });
|
|
return { entries };
|
|
}
|
|
};
|