## ADDED Requirements

### Requirement: PostToolUse audit logging
- **WHEN** a tool is used
- **THEN** the tool name, input summary, and timestamp are appended to the JSONL audit buffer

### Requirement: Stop hook flush
- **WHEN** a response completes
- **THEN** the audit buffer is flushed to the session audit trail and index is updated

### Requirement: UserPromptSubmit context injection
- **WHEN** a user message is submitted
- **THEN** session context (session ID, record count, critical alerts) is injected into the prompt

### Requirement: Anomaly detection
- **WHEN** audit records are checked against alert rules
- **THEN** anomalies at CRITICAL level are injected into the context

#### Scenario: Full audit trail
- **WHEN** an agent runs 10 tool calls across 3 turns
- **THEN** the audit trail contains 10 JSONL records, a session summary, and an updated index