Problem
The daemon logs method names and request IDs but not what specific data was accessed. Post-incident, there is no way to audit what data was exfiltrated through sensitive methods like env.get, clipboard.read, reg.read, mem.read, and file.read.
Proposed Solution
Add --audit-log <file> flag writing structured JSON entries for sensitive method calls with timestamp, authenticated identity, and data summary (e.g. file path, registry key, process name).
References
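A sketch of the audit entries proposed above, as an added example and not the project's own code. The JSON field names, the request parameter names (`name`, `key`, `process`, `path`) and the `bytes_returned` field are assumptions; only the method names and the timestamp/identity/data-summary requirement come from the issue.

```python
import json
from datetime import datetime, timezone

# Sensitive methods named in the issue, mapped to the request parameter that
# summarises what was accessed. The parameter names are assumptions.
SUMMARY_PARAM = {
    "env.get": "name",
    "clipboard.read": None,   # no locator; record only that a read happened
    "reg.read": "key",
    "mem.read": "process",
    "file.read": "path",
}


def audit_entry(method, identity, request_id, params, result_bytes=None, now=None):
    """Build the audit record for a sensitive call; return None for other methods."""
    if method not in SUMMARY_PARAM:
        return None
    field = SUMMARY_PARAM[method]
    entry = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "request_id": request_id,   # ties the entry to the existing daemon log line
        "identity": identity,       # authenticated caller, not a client-supplied name
        "method": method,
        "target": {field: params.get(field)} if field else {},
    }
    if result_bytes is not None:
        # Record the size of what was returned, never the content itself,
        # so the audit log does not become a second copy of the secrets.
        entry["bytes_returned"] = result_bytes
    return entry


def write_audit(fp, entry):
    """Append one JSON object per line to an open audit log file."""
    # json.dumps escapes newlines inside strings, so a crafted path or key
    # cannot break the line and forge an additional entry.
    fp.write(json.dumps(entry, sort_keys=True) + "\n")
    fp.flush()
```

The file passed to `write_audit` would be the `--audit-log <file>` target opened in append mode.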