Skip to content

Audit: log denied/blocked write operations #116

Description

@sunilgattupalle

Context

From PR #115 review. When confirmViaElicitation returns !elicit.proceed (user declined or client doesn't support elicitation), the tool handler returns early before registry.dispatch(), so denied writes are never audited.

Files

  • src/tools/harness-create.ts (line 62-63)
  • src/tools/harness-update.ts
  • src/tools/harness-execute.ts
  • src/tools/harness-delete.ts

Proposed fix

Emit an audit event with status: "denied" and the confirmation: "blocked" | "declined" method before returning the error result. This gives operators visibility into rejected operations.

Priority

Medium — improves audit completeness but no security risk (the operation never executed).

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions