feat(cli): append-only compliance audit log

[abhinav-1504]

Add structured NDJSON audit log for SOC 2 / ISO 27001 / HIPAA compliance.

• internal/audit: Logger with 8 event types, lumberjack rotation, PII redaction
• internal/audit: Redact() strips PIDs/IPs/paths, RedactRemoteAddr for HTTP
• internal/config: AuditConfig + PrometheusConfig.BearerToken
• internal/ai/analyzer: ai.call audit on every LLM call (hit/miss/error)
• internal/cli/start: daemon lifecycle, bpf.load, SIGHUP, auth.failure wired
• internal/cli/doctor: auditLog passed to NewEngine
• internal/doctor/engine: finding.emit wired for WARNING/CRITICAL findings
• docs/audit-schema.md: versioned NDJSON schema documentation

Closes #48

What

Add append-only NDJSON audit log for SOC 2 / ISO 27001 / HIPAA compliance. Emits structured records for every privileged action kerno takes — config reloads, AI calls, finding emissions, auth failures, and daemon lifecycle events.

Why

Fixes #48

How

• New internal/audit package: Logger with 8 event types, lumberjack file rotation, PII redaction (PIDs/IPs/paths stripped before any record is written)
• cycle_id links finding.emit → ai.call for end-to-end compliance tracing
• Bearer token mismatch on /metrics emits auth.failure audit record
• daemon.panic captured via recover() with SHA-256 stack digest only — raw stack never written
• docs/audit-schema.md documents the versioned NDJSON schema for compliance reviewers

Testing

• go build ./... passes
• go test ./... passes
• go vet ./... passes
• golangci-lint run ./... passes
• Tested locally with: go test ./internal/audit/... -v -race — 30+ tests PASS, zero regressions
• N/A — pure docs/refactor (BPF programs untouched)

• N/A — pure docs/refactor (BPF programs untouched)
• sudo ./bin/bpf-verify --read 5s confirms 6/6 programs still load
• ./scripts/verify.sh passes (or specific phase: ./scripts/verify.sh quality)

Checklist

• PR title follows Conventional Commits
• All commits are DCO-signed (git commit -s)
• No unrelated changes pulled in
• Documentation updated (docs/audit-schema.md added)
• Added/updated tests for new code paths (30+ tests in audit_test.go)
• N/A — no new doctor rule added

[github-actions]

🚀 First PR — welcome aboard!

A few things to expect:

1. CI: every PR runs build + race tests + lint + (eventually) the kernel matrix. If something fails, the log will tell you exactly which gate.
2. DCO: every commit needs Signed-off-by: — git commit -s adds it automatically.
3. Conventional Commits: PR titles like feat(doctor): add new rule or fix(bpf): handle X. We squash-merge by default.
4. Review: a maintainer will review within 72 hours. Suggestions are conversations, not orders — push back if something doesn't fit your context.

If you get stuck, reply here or jump to Discussions. We want this PR to land.

[abhinav-1504]

Hi @btwshivam, all CI checks are passing. Let me know if you need any changes. Thanks!
Waiting for your review!!

[btwshivam]

genuinely solid work ... metadata-only records (prompt sizes not content), hashed payloads, nil-safe and mutex-guarded logging, IP/path redaction at the call sites. resolve the conflicting merge state first (branch is on current main HEAD locally, so a rebase/re-push should clear it). one redaction gap and a dep note inline, plus a design

question: append-only here is file-level via lumberjack, no hash chain between records, so it's not tamper-evident, is that in scope for #48 or a follow-up?

[btwshivam]

lumberjack is a new dependency, CLAUDE.md asks for the alternative considered. it's a reasonable choice for rotation, just name what you weighed it against (raw os.OpenFile with O_APPEND and no built-in rotation, say). also worth confirming the defaults fit a compliance log: Compress: true gzips rotated files and MaxBackups/MaxAge can delete old ones, which may conflict with retention requirements.

[abhinav-1504]

lumberjack was chosen over raw os.OpenFile + O_APPEND because it provides built-in size-based rotation without requiring external logrotate setup. Issue #48 explicitly says "rotation handled by the OS or the user's log shipper" — lumberjack fits that model cleanly.

Re retention: changed MaxBackups default to 0 (unlimited — lumberjack never auto-deletes). Operators who are storage-constrained can set a non-zero value, but the safe default for compliance is no auto-deletion.

Re Compress: true — this gzips rotated files only, not the active log. Operators who need uncompressed files for their log shipper can set compress: false in config.

[abhinav-1504]

genuinely solid work ... metadata-only records (prompt sizes not content), hashed payloads, nil-safe and mutex-guarded logging, IP/path redaction at the call sites. resolve the conflicting merge state first (branch is on current main HEAD locally, so a rebase/re-push should clear it). one redaction gap and a dep note inline, plus a design

question: append-only here is file-level via lumberjack, no hash chain between records, so it's not tamper-evident, is that in scope for #48 or a follow-up?

append-only here means O_APPEND file writes via lumberjack — no hash chain between records, so not tamper-evident in the cryptographic sense.

Issue #48 doesn't require tamper-evidence — it asks for an audit trail that compliance reviewers can use to trace events.
Hash chains would be a separate concern and could be a follow-up if buyers require it.

[abhinav-1504]

/retest

[github-actions]

Re-running 1 failed workflow run(s) on bbe2580.

[abhinav-1504]

Hi @btwshivam, I've addressed all the review feedback and updated the branch. Please take another look and let me know if any further changes are needed. Thanks!

[btwshivam]

fix conflict

[github-actions]

Re-running 2 failed workflow run(s) on 49ec73a.

[abhinav-1504]

Hi @btwshivam, all CI checks are now passing. Ready for final review!

[abhinav-1504]

/retest

[github-actions]

Re-running 1 failed workflow run(s) on ff1da42.

[abhinav-1504]

fix conflict

FIXED !! @btwshivam

[btwshivam]

the audit fixes are good (bpf errors redacted, max_backups handled). but this bumps go.mod to 1.26 and rewrites ci.yml + release.yml to match, that is a repo-wide toolchain change riding in an audit-log PR. revert to 1.25 and drop the workflow edits.

[abhinav-1504]

the audit fixes are good (bpf errors redacted, max_backups handled). but this bumps go.mod to 1.26 and rewrites ci.yml + release.yml to match, that is a repo-wide toolchain change riding in an audit-log PR. revert to 1.25 and drop the workflow edits.

@btwshivam — go.mod is back on 1.25.4, workflows reverted, all 17 CI checks passing. Ready for final review!

[abhinav-1504]

@btwshivam Please review the PR !!