# Issue #277: Add comprehensive audit logging for security events

## Objective

Add comprehensive audit logging for critical security events to enable forensic analysis and attack detection.

## Missing Logging Areas

### 1. Failed signature verifications

- **Current**: DEBUG level only
- **Location**: `signature.service.ts`
- **Required**: WARN level with full details

### 2. Failed OIDC validations

- **Current**: No details logged
- **Location**: `auth` module
- **Required**: Full validation failure details

### 3. Capability bypass attempts

- **Current**: Not logged
- **Location**: `capability.guard.ts`
- **Required**: Log all denied capabilities

### 4. Rate limit violations

- **Current**: Not logged
- **Location**: ThrottlerGuard
- **Required**: Log rate limit hits

### 5. Command injection attempts

- **Current**: Not logged
- **Location**: `git-validation.util.ts` (recently added)
- **Required**: Log validation rejections

## Already Implemented

From issue #276 (commit 744290a):

- ✅ Incoming connection attempts
- ✅ Failed signature verifications for connections
- ✅ Connection created events

From issue #274 (commit 7a84d96):

- ✅ Git command validation (but not logged)

## Implementation Plan

### Priority 1: Add missing audit methods

1. `logSignatureVerificationFailed()` - Failed signatures
2. `logRateLimitViolation()` - Rate limit hits
3. `logCommandInjectionAttempt()` - Malicious input attempts

### Priority 2: Update existing code

1. Add logging to signature.service.ts
2. Add logging to git-validation.util.ts (throw + log)
3. Document rate limit violations (if not already handled by NestJS)

### Priority 3: Review capability guard

1. Check if logCapabilityDenied is being called
2. Add calls if missing

## Status Assessment

After reviewing issue #276, we already have:

- ✅ logCapabilityDenied() method
- ✅ logIncomingConnectionAttempt()
- ✅ logIncomingConnectionRejected()
- ✅ Signature verification failures for connections

What's actually missing:

1. General signature verification failures (outside connection context)
2. Rate limit violation logging
3. Command injection attempt logging

## Implementation Approach

Focus on what's truly missing and actionable:

1. **Add command injection attempt logging**
   - Update git-validation.util.ts to log before throwing
   - Create logCommandInjectionAttempt() method
2. **Add rate limit logging**
   - Check if NestJS throttler already logs
   - Add custom logging if needed
3. **Verify capability logging**
   - Check that capability.guard.ts calls logCapabilityDenied

## Progress

- [ ] Create scratchpad
- [ ] Add logCommandInjectionAttempt() to audit service
- [ ] Update git-validation.util.ts to log attempts
- [ ] Check capability guard logging
- [ ] Check rate limit logging
- [ ] Add tests
- [ ] Run quality gates
- [ ] Commit changes
- [ ] Push and close issue

## Notes

Some of the required logging may already be in place. Need to verify:

1. Capability guard usage
2. Rate limiter behavior
3. OIDC validation (may be in auth module, not federation)

Focus on concrete, implementable improvements rather than theoretical gaps.
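
The "log before throwing" step planned for `git-validation.util.ts`, as an added TypeScript sketch rather than the project's code: the validator records an audit event, with the rejected input escaped and truncated, before it throws. `validateBranchName`, `sanitizeForLog`, `auditSink`, the event fields, the WARN level and the allowlist pattern are assumptions; only the method name `logCommandInjectionAttempt` comes from this page.

```typescript
// Added illustration, not project code. All names are hypothetical except
// logCommandInjectionAttempt, which the plan names without a signature.
type AuditEvent = {
  event: "COMMAND_INJECTION_ATTEMPT"; level: "WARN"; timestamp: string;
  field: string; reason: string; inputPreview: string; inputLength: number;
};

// In-memory sink so the sketch runs stand-alone (assumption: a real audit
// service would hand the event to the application logger instead).
const auditSink: AuditEvent[] = [];

// Rejected input is attacker-controlled: escape control characters so it
// cannot forge log lines, and cap its length so it cannot flood the log.
function sanitizeForLog(input: string, max = 64): string {
  const escaped = input.replace(/[\u0000-\u001f\u007f]/g, (c) =>
    "\\x" + ("0" + c.charCodeAt(0).toString(16)).slice(-2));
  return escaped.length > max ? escaped.slice(0, max) + "...[truncated]" : escaped;
}

function logCommandInjectionAttempt(field: string, input: string, reason: string): void {
  auditSink.push({
    event: "COMMAND_INJECTION_ATTEMPT", level: "WARN",
    timestamp: new Date().toISOString(),
    field, reason,
    inputPreview: sanitizeForLog(input), inputLength: input.length,
  });
}

// Constructed allowlist for a branch name; the project's real rules are not shown on this page.
const SAFE_BRANCH = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}$/;

function validateBranchName(input: string): string {
  let reason: string | null = null;
  if (input.charAt(0) === "-") reason = "leading dash could be read as an option";
  else if (input.indexOf("..") !== -1) reason = "contains '..'";
  else if (!SAFE_BRANCH.test(input)) reason = "fails allowlist pattern";
  if (reason !== null) {
    logCommandInjectionAttempt("branch", input, reason); // log first
    throw new Error("Invalid branch name: " + reason);   // then throw; raw input is not echoed
  }
  return input;
}
```

Recording `inputLength` alongside the truncated preview keeps oversized payloads visible to detection rules without storing them in full.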