From f00110705646c7f6e372b6afce05fa3f3dedfa56 Mon Sep 17 00:00:00 2001
From: Catherine <whitequark@whitequark.org>
Date: Sun, 26 Apr 2026 22:55:07 +0000
Subject: [PATCH] Create audit records as read-only when using FS backend.

There is no reason to ever modify the records.
---
 src/backend_fs.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/backend_fs.go b/src/backend_fs.go
index d507946..6d54953 100644
--- a/src/backend_fs.go
+++ b/src/backend_fs.go
@@ -489,7 +489,7 @@ func (fs *FSBackend) AppendAuditLog(ctx context.Context, id AuditID, record *Aud
 		panic(fmt.Errorf("audit ID collision: %s", id))
 	}
 
-	return fs.auditRoot.WriteFile(id.String(), EncodeAuditRecord(record), 0o644)
+	return fs.auditRoot.WriteFile(id.String(), EncodeAuditRecord(record), 0o444)
 }
 
 func (fs *FSBackend) QueryAuditLog(ctx context.Context, id AuditID) (*AuditRecord, error) {