feat: add --siem flag to security-audit report for NDJSON export

[jlima8900]

Summary

Adds SIEM-ready output to security-audit report using NDJSON format (one JSON event per line). The existing audit-log command has SIEM export (Splunk, syslog, Sumo, Azure) for event streaming, but security-audit report (posture snapshots) has no SIEM output.

Usage

security-audit report --siem --output posture.ndjson
security-audit report --siem --breachwatch --output breach.ndjson

Output format (NDJSON — one line per user)

{"event_type":"keeper.security_audit","timestamp":"2026-03-14T22:30:00+00:00","source":"keepersecurity.eu","user":{"email":"user@company.com","securityScore":52,"weak":8,"reused":6,"twoFactorChannel":"none"},"security_score":52,"risk_factors":["weak_passwords","reused_passwords","no_2fa"]}

Design decisions

• NDJSON not wrapped JSON — supports streaming ingestion. A 10k user enterprise produces 10k lines, not one giant blob. Compatible with jq -c, Filebeat, Splunk HEC, Datadog logs.
• --siem flag not --format siem — avoids modifying the shared report_output_parser used by all commands. Clean addition, no side effects.
• Risk factors from data, no hardcoded severity — the output includes risk_factors and security_score. SIEM correlation rules should define what's critical for each organization, not Commander.
• .ndjson extension — standard for newline-delimited JSON files.

No breaking changes

• Existing formats (table, csv, json, pdf) unchanged
• --siem is additive — only affects output when explicitly used
• audit-log SIEM targets unaffected

Test plan

• --siem produces valid NDJSON (one JSON object per line)
• Each line parses independently with jq
• --breachwatch --siem includes at_risk/passed/ignored
• --output writes to file with .ndjson extension
• Without --output, prints to stdout
• Existing --format json output unchanged

[aaunario-keeper]

This gets silently ignored when --record-details is set, because the method returns from the record-detail branch before it ever reaches the SIEM branch. If we want to support that combination, it needs handling there; otherwise we should reject the flag combo explicitly instead of accepting it and returning the normal record-detail report.

[aaunario-keeper]

This silently bypasses the shared --format / report-output path. Once --siem is set, fmt no longer governs behavior, and --output is honored even though the shared parser help says output is ignored for table mode. The main issue here is the lack of validation or explicit contract for how --siem interacts with --format and the normal report-output path. I would either validate the combination and fail closed, or make the override explicit in the CLI contract.

[aaunario-keeper]

For the empty case this produces a single blank line, not zero NDJSON records, because "\n".join([]) + "\n" is just "\n". That is not actually "one JSON object per line" output, and some ingest pipelines will treat the blank line as a parse error. We should special-case the empty report to emit an empty string/file instead.

[jlima8900]

Good catches across the board — addressing each:

--siem + --record-details conflict: You're right, --siem is silently ignored when --record-details is set because it returns early. I'll add explicit validation that rejects the combination with a clear error message rather than silently dropping the flag.

--siem bypassing --format/output path: Agreed this needs an explicit contract. I'll add validation that rejects --siem with --format (other than the default) and document in the CLI help that --siem produces NDJSON exclusively, bypassing the normal format/output pipeline.

Empty report blank line: Good edge case — "\n".join([]) + "\n" does produce "\n" instead of empty output. I'll special-case the empty report to emit an empty string/file so ingest pipelines don't choke on a stray blank line.

Clear-text storage (CodeQL): Will review the flagged line and ensure sensitive fields are masked or excluded from the NDJSON output.