Summary
While reviewing the 2.0.441 → 2.0.442 diff, we noticed the local daemon's auth-failure path no longer records an audit event. Flagging as a friendly heads-up — the auth checks themselves look intact, this is purely about observability.
Details
In guard/daemon/server.py, the _write_unauthorized() helper and its _record_auth_audit_event() call were removed; 401 responses are now written inline via _write_json(..., status=401). The 401s still fire (and /v1/events/stream actually gained a token check), but the daemon.auth.unauthorized event — which captured method, path, origin, and which auth headers were present — is no longer emitted.
Risk scenario
For a local security daemon, unauthorized-access attempts are exactly the signal worth retaining. Without the audit event, a local process probing daemon endpoints (e.g. a malicious tool the guard is meant to contain) leaves no trace in the event store.
Suggested mitigations
- Restore the daemon.auth.unauthorized audit event on the inlined 401 paths.
- Separately: stable_digest.py is excluded from CodeQL via paths-ignore. The inline # codeql[py/weak-sensitive-data-hashing] suppression you already have is sufficient to silence that query — dropping the paths-ignore entry would keep the file under static analysis and avoid tripping third-party supply-chain heuristics that read "new crypto file + CodeQL exclusion" as a concealment signal.
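One shape the restored path could take, as an added example and not the guard project's own code: a single 401 writer that also records the daemon.auth.unauthorized event with method, path, origin and which auth headers were present, without ever storing header values. The EventStore class, the write_unauthorized/record_auth_audit_event names and the x-guard-token header name are assumptions.

```python
# Added example: keep the audit event on the 401 path. EventStore and the
# function names are assumptions, not the project's actual API.
import json
import time
from dataclasses import dataclass, field

# Header names whose *presence* is recorded; values are never logged.
# "x-guard-token" is a hypothetical name used only for this example.
AUTH_HEADERS = ("authorization", "x-guard-token", "cookie")


@dataclass
class EventStore:
    """In-memory stand-in for the daemon's event store (constructed here)."""
    events: list = field(default_factory=list)

    def record(self, event: dict) -> None:
        self.events.append(event)


def record_auth_audit_event(store: EventStore, method: str, path: str,
                            origin: str, headers: dict) -> dict:
    """Emit daemon.auth.unauthorized: method, path, origin and which auth
    headers were present. Only header names are kept, so secrets never
    land in the event store."""
    present = {k.lower() for k in headers}
    event = {
        "type": "daemon.auth.unauthorized",
        "ts": time.time(),
        "method": method,
        "path": path,
        "origin": origin,
        "auth_headers_present": sorted(h for h in AUTH_HEADERS if h in present),
    }
    store.record(event)
    return event


def write_unauthorized(store: EventStore, method: str, path: str,
                       headers: dict) -> tuple:
    """Build the 401 JSON response and record the audit event on the same
    path, so the two cannot drift apart again when a handler is inlined."""
    origin = headers.get("Origin") or headers.get("origin") or ""
    record_auth_audit_event(store, method, path, origin, headers)
    return 401, json.dumps({"error": "unauthorized"})
```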
Reported as part of routine supply-chain monitoring. We reviewed 2.0.442 and cleared it as benign — this is a minor observability note, not a vulnerability report.