feat(cli): privacy-aware vault op-log (process, never the secret)

2026-06-24 10:17:50 +00:00 · 2026-06-24 10:17:50 +00:00 · 5bae2a3907
commit 5bae2a3907
parent 81122f8607
2 changed files with 47 additions and 0 deletions
--- a/cli/cmd_vault_test.go
+++ b/cli/cmd_vault_test.go
@ -176,3 +176,17 @@ func TestTerminalAllowed(t *testing.T) {
 		}
 	}
 }
+
+func TestOpLogLineHasNoSecretOrItem(t *testing.T) {
+	line := opLogLine(opRecord{User: "emo", Verb: "get", PID: 10, PPID: 9, ParentComm: "claude", ItemName: "Chase Bank"})
+	for _, must := range []string{"user=emo", "verb=get", "ppid=9", "parent=claude"} {
+		if !strings.Contains(line, must) {
+			t.Errorf("op-log missing %q: %s", must, line)
+		}
+	}
+	for _, mustNot := range []string{"Chase", "password", "secret"} {
+		if strings.Contains(line, mustNot) {
+			t.Fatalf("op-log LEAKS %q (privacy violation): %s", mustNot, line)
+		}
+	}
+}