February 26, 2026 | 0.1.8 | Jugg.ai

v0.1.8 — fix: audit log missing for envVars.set update path and project config mutations

Release v0.1.8: Audit Log Coverage for Secret Rotation and Project Config

What changed

  • envVars.set mutation: Fixed missing audit logs on secret updates. Previously, only secret creation was logged — secret rotations left no audit trail. Now both create and update operations are logged with operation metadata.
  • Project configuration mutations: Added audit logging to four previously-untracked operations:
    • updatePipelineConfig (controls which AI agents run)
    • updateMonorepoConfig (monorepo tooling settings)
    • updateAuthConfig (OAuth provider configuration — secrets excluded)
    • updateBrandingConfig (brand customization)

Why it matters

Sensitive operations like secret rotation and auth configuration changes are now fully visible to audit reviewers. Each log entry includes what changed and whether it was a new creation or an update, enabling compliance teams to detect unauthorized or anomalous mutations.

Technical notes

  • New operation: "create" | "update" field distinguishes new secrets from rotations
  • Auth logs include enabled providers and email linking settings but never log client secrets
  • New test suite (env-vars-audit.test.ts) verifies operation logic

Release Notes

✅ PR #414 Merged — Release v0.1.8

What was merged

PR #414 — fix: audit log missing for envVars.set update path and project config mutations

  • Squash-merged to main (SHA: 18807cdfa484b9c13ee5aee0a31ea471f1354333)

What changed

Security & compliance fixes — 5 audit log gaps patched across 2 router files:

  1. envVars.set (env-vars.ts): writeAuditLog was only firing on the create path of the upsert. Secret rotations (updates) were leaving no audit trail. Fixed by moving the call unconditionally after both paths, and adding operation: "create" | "update" metadata.

  2. project.ts — 4 mutations now log:

    • updatePipelineConfig (controls which AI agents run)
    • updateMonorepoConfig
    • updateAuthConfig (OAuth credentials — client secrets excluded from logs)
    • updateBrandingConfig
  3. New test file tests/lib/routers/env-vars-audit.test.ts (162 lines) verifying the create/update operation logic.
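
The pattern behind items 1 and 2, as an added example that is not the project's code from PR #414: the audit call sits after both branches of the upsert, and the auth-config entry is built from an allow-list so client secrets cannot reach the log. Apart from writeAuditLog and the operation field, every name, type and the in-memory stores here are hypothetical.

```typescript
// Added illustration. Only writeAuditLog and the "operation" field come from the
// release notes; the signature, types and in-memory stores are assumptions.
type Operation = "create" | "update";
interface AuditEntry { action: string; actor: string; metadata: Record<string, unknown> }

const auditLog: AuditEntry[] = [];                                  // stand-in audit sink
const secretStore: Record<string, string> = Object.create(null);    // stand-in secrets table

function writeAuditLog(entry: AuditEntry): void {
  auditLog.push(entry);
}

// Upsert a secret. The audit call runs after both branches, so a rotation
// (update) leaves the same trail as a first-time create.
function setEnvVar(actor: string, projectId: string, key: string, value: string): Operation {
  const id = projectId + ":" + key;
  const operation: Operation = id in secretStore ? "update" : "create";
  secretStore[id] = value;
  // Only the key name and operation are logged; the value never enters metadata.
  writeAuditLog({ action: "envVars.set", actor, metadata: { projectId, key, operation } });
  return operation;
}

interface AuthConfig {
  allowEmailLinking: boolean;
  providers: Record<string, { enabled: boolean; clientId: string; clientSecret: string }>;
}

// Build metadata from an allow-list instead of copying the config and deleting
// secrets, so a sensitive field added later is not logged by default.
function authAuditMetadata(cfg: AuthConfig): Record<string, unknown> {
  const enabledProviders = Object.keys(cfg.providers)
    .filter((name) => cfg.providers[name].enabled)
    .sort();
  return { enabledProviders, allowEmailLinking: cfg.allowEmailLinking };
}

function updateAuthConfig(actor: string, projectId: string, cfg: AuthConfig): void {
  writeAuditLog({
    action: "project.updateAuthConfig",
    actor,
    metadata: { projectId, ...authAuditMetadata(cfg) },
  });
}
```
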

Release status

  • ✅ PR merged via squash merge
  • ⚠️ Git tag v0.1.8 already existed in the repository — GitHub rejected creating a duplicate tag. The release could not be published. Action needed: manually delete or advance the existing v0.1.8 tag, then re-run the release step, or create the GitHub Release directly against the existing v0.1.8 tag via the GitHub UI/API pointing it at the new merge commit (18807cdfa484b9c13ee5aee0a31ea471f1354333).