security audit
Inspect knowledge-state security findings and provider egress posture
What It Does
security audit scans the RAGit-owned security surface and reports findings instead of mutating knowledge state. The audit covers control-plane files, the current searchable store, repo-tracked durable docs, the quarantine volume, admission ledger counts, and whether the active embedding provider conflicts with the configured remote egress policy.
When To Use / When Not To Use
When to use it
- You want to know whether raw-looking secret material is still present in .ragit/**.
- You want to inspect whether the current embedding provider is local or remote.
- You want a machine-readable posture check before release or before enabling automation.
When not to use it
- You already know the affected surface and want to rewrite or delete local state. Use security purge.
- You want the broader runtime diagnosis. Use doctor.
Syntax
pnpm ragit security audit [--format text|json|both] [--cwd <path>]
Input And Output Contract
- There is no positional input and no JSON payload input.
- JSON output includes summary, providerEgress, and findings.
- summary aggregates critical, warn, info, quarantineEntries, legacyControlPlaneFiles, legacyStoreFindings, and repoDocsFlagged. summary.admissionBlocked and summary.admissionQuarantined summarize recent admission findings.
- providerEgress reports the effective provider, whether it is treated as local or remote, the current security.remote_embedding_policy, and whether remote artifact embedding is allowed.
- Repo-doc findings can report which documents would be blocked by the current implicit ingest policy.
- Findings do not rewrite repo-tracked docs. They only point you to the next action.
Examples
pnpm ragit security audit --format json
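A release gate that consumes the JSON contract above, added here as a worked example; it is not RAGit's own code. The summary counter names are the ones documented on this page. The key names inside providerEgress (provider, classification, policy, remoteEmbeddingAllowed), the shape of each findings entry, and the two embedded reports are assumptions constructed for the example. The gate fails on critical findings, on a remote provider whose remote artifact embedding is disallowed (the egress conflict the audit exists to surface), and on a malformed or truncated report; every other counter is advisory unless --strict promotes it, which is the mode to use before enabling automation.

```javascript
// Added example (not RAGit's own code): a release gate over the output of
// `pnpm ragit security audit --format json`.
// Documented keys used: summary.{critical,warn,info,quarantineEntries,
// legacyControlPlaneFiles,legacyStoreFindings,repoDocsFlagged,
// admissionBlocked,admissionQuarantined}, providerEgress, findings.
// ASSUMED key names inside providerEgress (the page names the fields, not
// their keys): provider, classification ("local"|"remote"), policy,
// remoteEmbeddingAllowed. Findings entries are ASSUMED to carry severity/message.

const REQUIRED_COUNTERS = [
  "critical", "warn", "info", "quarantineEntries",
  "legacyControlPlaneFiles", "legacyStoreFindings", "repoDocsFlagged",
];

// Labels for counters that are advisory by default and fatal under --strict.
const ADVISORY_COUNTERS = {
  warn: "warn-level finding(s)",
  quarantineEntries: "quarantine entr(ies)",
  legacyControlPlaneFiles: "legacy control-plane file(s)",
  legacyStoreFindings: "legacy store finding(s)",
  repoDocsFlagged: "repo doc(s) flagged",
  admissionBlocked: "recently blocked admission(s)",
  admissionQuarantined: "recently quarantined admission(s)",
};

// Decide pass/fail for one audit report. Returns { ok, failures, warnings }.
function evaluateAudit(report, { strict = false } = {}) {
  const failures = [];
  const warnings = [];
  const summary = report && report.summary;
  const egress = (report && report.providerEgress) || {};

  // Never pass on a malformed or truncated report: a gate that cannot read
  // the counters must not be mistaken for a clean posture.
  if (!summary || typeof summary !== "object") {
    return { ok: false, failures: ["summary block missing"], warnings };
  }
  for (const key of REQUIRED_COUNTERS) {
    if (!Number.isInteger(summary[key]) || summary[key] < 0) {
      failures.push(`summary.${key} missing or not a non-negative integer`);
    }
  }
  if (failures.length > 0) return { ok: false, failures, warnings };

  if (summary.critical > 0) failures.push(`${summary.critical} critical finding(s)`);

  // Egress posture: a remote provider while remote artifact embedding is
  // disallowed is the conflict the audit reports; flag it as fatal.
  if (egress.classification === "remote") {
    if (egress.remoteEmbeddingAllowed === false) {
      failures.push(`remote provider ${egress.provider} conflicts with policy ${egress.policy}`);
    } else if (egress.remoteEmbeddingAllowed !== true) {
      warnings.push("remote provider but remoteEmbeddingAllowed not reported");
    }
  } else if (egress.classification !== "local") {
    warnings.push("providerEgress.classification not reported");
  }

  for (const [key, label] of Object.entries(ADVISORY_COUNTERS)) {
    const n = summary[key] || 0;
    if (n > 0) warnings.push(`${n} ${label}`);
  }

  if (strict) {
    return { ok: failures.length + warnings.length === 0,
             failures: [...failures, ...warnings], warnings: [] };
  }
  return { ok: failures.length === 0, failures, warnings };
}

function formatResult(name, result) {
  const lines = [`${name}: ${result.ok ? "PASS" : "FAIL"}`];
  for (const f of result.failures) lines.push(`  FAIL ${f}`);
  for (const w of result.warnings) lines.push(`  WARN ${w}`);
  return lines.join("\n");
}

// Constructed sample reports (not real audit output).
const cleanReport = {
  summary: { critical: 0, warn: 0, info: 2, quarantineEntries: 0,
    legacyControlPlaneFiles: 0, legacyStoreFindings: 0, repoDocsFlagged: 0,
    admissionBlocked: 0, admissionQuarantined: 0 },
  providerEgress: { provider: "local-embedder", classification: "local",
    policy: "deny", remoteEmbeddingAllowed: false },
  findings: [],
};
const conflictReport = {
  summary: { critical: 0, warn: 1, info: 0, quarantineEntries: 1,
    legacyControlPlaneFiles: 0, legacyStoreFindings: 0, repoDocsFlagged: 2,
    admissionBlocked: 0, admissionQuarantined: 1 },
  providerEgress: { provider: "hosted-embedder", classification: "remote",
    policy: "deny", remoteEmbeddingAllowed: false },
  findings: [{ severity: "warn", message: "constructed finding" }],
};

// CLI: node audit-gate.js [--strict] "$(pnpm --silent ragit security audit --format json)"
// Without a JSON argument, the two constructed reports are evaluated instead.
const args = process.argv.slice(2);
const strict = args.includes("--strict");
const jsonArg = args.find((a) => !a.startsWith("--"));
if (jsonArg) {
  const result = evaluateAudit(JSON.parse(jsonArg), { strict });
  console.log(formatResult("security audit", result));
  process.exitCode = result.ok ? 0 : 1;
} else {
  console.log(formatResult("cleanReport", evaluateAudit(cleanReport, { strict })));
  console.log(formatResult("conflictReport", evaluateAudit(conflictReport, { strict })));
}
```

Pass the audit output as the single JSON argument (pnpm's --silent keeps its own run banner off stdout so the argument is pure JSON), and add --strict before enabling automation so that quarantine entries, flagged repo docs, and legacy findings block the run rather than merely warn.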
Failures And Cautions
- security audit can update internal audit state such as lastAuditAt, but it does not rewrite knowledge content.
- Repo-doc findings are advisory. Fix the document yourself, then rerun ingest.