mino 1.6.0

Secure AI agent sandbox using rootless containers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128

//! Audit logging for security events
//!
//! Writes JSON lines to `~/.local/share/mino/audit.log`.
//! Always-on by default (security tool — audit should be opt-out, not opt-in).

use crate::config::{schema::Config, ConfigManager};
use chrono::Utc;
use std::path::PathBuf;
use tokio::fs::OpenOptions;
use tokio::io::AsyncWriteExt;
use tracing::warn;

/// File-based audit logger that appends JSON lines
pub struct AuditLog {
    enabled: bool,
    path: PathBuf,
}

impl AuditLog {
    /// Create a new audit logger from config
    pub fn new(config: &Config) -> Self {
        Self {
            enabled: config.general.audit_log,
            path: ConfigManager::audit_log_path(),
        }
    }

    /// Log an audit event as a JSON line
    ///
    /// Silently drops events on IO failure — audit logging must never
    /// block or crash the primary workflow.
    pub async fn log(&self, event: &str, data: &serde_json::Value) {
        if !self.enabled {
            return;
        }

        let entry = serde_json::json!({
            "timestamp": Utc::now().to_rfc3339(),
            "event": event,
            "data": data,
        });

        let mut line = match serde_json::to_string(&entry) {
            Ok(s) => s,
            Err(e) => {
                warn!("Failed to serialize audit event: {}", e);
                return;
            }
        };
        line.push('\n');

        if let Err(e) = self.append(&line).await {
            warn!("Failed to write audit log: {}", e);
        }
    }

    async fn append(&self, line: &str) -> std::io::Result<()> {
        if let Some(parent) = self.path.parent() {
            tokio::fs::create_dir_all(parent).await?;
        }

        let mut file = OpenOptions::new()
            .create(true)
            .append(true)
            .open(&self.path)
            .await?;

        file.write_all(line.as_bytes()).await?;
        file.flush().await?;
        Ok(())
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use tempfile::TempDir;

    fn test_audit_log(dir: &TempDir, enabled: bool) -> AuditLog {
        AuditLog {
            enabled,
            path: dir.path().join("audit.log"),
        }
    }

    #[tokio::test]
    async fn writes_json_line() {
        let dir = TempDir::new().unwrap();
        let audit = test_audit_log(&dir, true);

        audit
            .log(
                "session.created",
                &serde_json::json!({"name": "test-session"}),
            )
            .await;

        let content = tokio::fs::read_to_string(&audit.path).await.unwrap();
        let parsed: serde_json::Value = serde_json::from_str(content.trim()).unwrap();

        assert_eq!(parsed["event"], "session.created");
        assert_eq!(parsed["data"]["name"], "test-session");
        assert!(parsed["timestamp"].is_string());
    }

    #[tokio::test]
    async fn appends_multiple_lines() {
        let dir = TempDir::new().unwrap();
        let audit = test_audit_log(&dir, true);

        audit.log("event.one", &serde_json::json!({})).await;
        audit.log("event.two", &serde_json::json!({})).await;

        let content = tokio::fs::read_to_string(&audit.path).await.unwrap();
        let lines: Vec<&str> = content.trim().lines().collect();
        assert_eq!(lines.len(), 2);
    }

    #[tokio::test]
    async fn skips_when_disabled() {
        let dir = TempDir::new().unwrap();
        let audit = test_audit_log(&dir, false);

        audit.log("should.not.appear", &serde_json::json!({})).await;

        assert!(!audit.path.exists());
    }
}