Immutable audit log for every tool call #2
Description
No AI coding agent natively logs what was executed and why. After a security incident, forensic investigation is nearly impossible. ISACA 2025 research documents this as a compliance blind spot. Proposal: append-only log at ~/.config/vibe-sec/audit.log with timestamp, tool name, exact params, block/allow decision, triggering rule, session ID. Add npm run audit command to view/search. Regulators are beginning to require AI action traceability.