From 792254699c8dd9bbcce29557b584fae6f4de860b Mon Sep 17 00:00:00 2001
From: "Aaron D. Lee" <aaron.daniel.lee@gmail.com>
Date: Wed, 1 Apr 2026 19:45:14 -0400
Subject: [PATCH] Fix audit log surviving killswitch activation

The audit.jsonl file (containing usernames, actions, timestamps) was
not included in the PurgeScope.ALL destruction steps. An adversary
with filesystem access after a failed or partial purge could recover
operational evidence. Added destroy_audit_log step after temp files,
before config deletion.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/soosef/fieldkit/killswitch.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/soosef/fieldkit/killswitch.py b/src/soosef/fieldkit/killswitch.py
index 0007da7..e9dab85 100644
--- a/src/soosef/fieldkit/killswitch.py
+++ b/src/soosef/fieldkit/killswitch.py
@@ -98,6 +98,7 @@ def execute_purge(scope: PurgeScope = PurgeScope.ALL, reason: str = "manual") ->
                 ("destroy_attestation_log", lambda: _secure_delete_dir(paths.ATTESTATIONS_DIR)),
                 ("destroy_chain_data", lambda: _secure_delete_dir(paths.CHAIN_DIR)),
                 ("destroy_temp_files", lambda: _secure_delete_dir(paths.TEMP_DIR)),
+                ("destroy_audit_log", lambda: _secure_delete_file(paths.AUDIT_LOG)),
                 ("destroy_config", lambda: _secure_delete_file(paths.CONFIG_FILE)),
                 ("clear_journald", _clear_system_logs),
             ]