Add .bms-actions logging (partial): auth login/refresh, create, note, delete. Need: update, assign, resolve.

scripts/bms-logging.sh

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+# bms-logging.sh — Action logging for BMS skill
+# Centralized logging of user-initiated actions for audit/review
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Log directory (can be overridden)
+BMS_LOG_DIR="${BMS_LOG_DIR:-$HOME/.bms-actions}"
+
+# Ensure log directory exists
+mkdir -p "$BMS_LOG_DIR"
+
+# Current log file (by date, UTC)
+BMS_LOG_FILE="$BMS_LOG_DIR/$(date -u +%Y-%m-%d).jsonl"
+
+# Sanitize arguments: strip any sensitive values from a JSON object
+# Usage: sanitized=$(sanitize_args '{"password":"secret","token":"abc"}')
+sanitize_args() {
+  local input="$1"
+  # Remove known sensitive keys; preserve structure
+  jq 'del(.["BMS_PASSWORD"], .["BMS_MFA_CODE"], .["BMS_CLIENT_SECRET"], .["access_token"], .["refresh_token"], .["token"], .["Authorization"])' 2>/dev/null <<<"$input" || echo "$input"
+}
+
+# Log an action
+# Arguments: command, args_json, result_json, status (success|error)
+log_action() {
+  local command="$1"
+  local args_json="${2:-{}}"
+  local result_json="${3:-{}}"
+  local status="${4:-success}"
+
+  local timestamp
+  timestamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+
+  # Sanitize args and result
+  local safe_args safe_result
+  safe_args=$(sanitize_args "$args_json")
+  safe_result=$(sanitize_args "$result_json")
+
+  # Build log entry as single JSON line
+  local entry
+  entry=$(jq -n \
+    --arg ts "$timestamp" \
+    --arg cmd "$command" \
+    --argjson args "$safe_args" \
+    --argjson result "$safe_result" \
+    --arg stat "$status" \
+    '{timestamp: $ts, command: $cmd, args: $args, result: $result, status: $stat}')
+
+  # Append atomically
+  echo "$entry" >> "$BMS_LOG_FILE"
+}
+
+# Get current log file path
+get_log_path() {
+  echo "$BMS_LOG_FILE"
+}