29 changes: 24 additions & 5 deletions runtime/fundamentals/security.md
Expand Up @@ -96,10 +96,11 @@ By default, Deno will not generate a stack trace for permission requests as it
comes with a hit to performance. Users can enable stack traces with the
`DENO_TRACE_PERMISSIONS` environment variable to `1`.

Deno can also generate an audit log of all accessed permissions; this can be
achieved using the `DENO_AUDIT_PERMISSIONS` environment variable to a path. This
works regardless if permissions are allowed or not. The output is in JSONL
format, where each line is an object with the following keys:
Deno can also generate an audit log of all accessed permissions, regardless of
whether the access was allowed or denied.

Set `DENO_AUDIT_PERMISSIONS` to a **file path** to write JSONL — each line is
an object with the following keys:

- `v`: the version of the format
- `datetime`: when the permission was accessed, in RFC 3339 format
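Review bot: the rewritten file-path paragraph ("Set `DENO_AUDIT_PERMISSIONS` to a **file path** to write JSONL") still does not say how the file is opened: whether an existing file is appended to or truncated, and whether an unwritable path makes `deno run` fail or is silently ignored. Because the log records every access, allowed or denied, and with `DENO_TRACE_PERMISSIONS` also stack frames, an operator needs that behaviour spelled out before relying on it as an audit trail; one sentence after "each line is an object with the following keys" would cover it.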
Expand All @@ -112,7 +113,25 @@ A schema for this can be found in

In addition, this env var can be combined with the above-mentioned
`DENO_TRACE_PERMISSIONS`, which then adds a new `stack` field to the entries
which is an array contain all the stack trace frames.
which is an array containing all the stack trace frames.

Starting in Deno 2.8 you can also set `DENO_AUDIT_PERMISSIONS=otel` to emit
each access as an OpenTelemetry **log record** instead of writing to a file.
The records are sent to whichever exporter you have configured via
[`OTEL_DENO`](/runtime/fundamentals/open_telemetry/) and carry these
attributes:

- `deno.permission.type`
- `deno.permission.value`
- `deno.permission.stack` (if `DENO_TRACE_PERMISSIONS` is also set)

This is the recommended setup if you already collect OpenTelemetry data — the
permission audit lands next to your traces and metrics so you can correlate it
with request handling.

```sh
OTEL_DENO=true DENO_AUDIT_PERMISSIONS=otel deno run -A main.ts
```

### Configuration file

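Review bot: the attribute list for `DENO_AUDIT_PERMISSIONS=otel` (`deno.permission.type`, `deno.permission.value`, `deno.permission.stack`) carries no outcome attribute, although the section opens by saying the audit covers accesses "regardless of whether the access was allowed or denied"; if the log record has an allowed/denied attribute, list it here, and if it does not, say so explicitly, since spotting denied accesses next to request traces is the main reason to send this to OpenTelemetry. It would also help to state, next to "Starting in Deno 2.8", what earlier versions do with the literal value `otel` (presumably treat it as a relative file path), so that the sample command `OTEL_DENO=true DENO_AUDIT_PERMISSIONS=otel deno run -A main.ts` is not misinterpreted on an older runtime.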
1 change: 1 addition & 0 deletions runtime/reference/env_variables.md
Expand Up @@ -153,6 +153,7 @@ The Deno runtime has these special environment variables.
| DENO_V8_FLAGS | Set V8 command line options |
| DENO_JOBS | Number of parallel workers used for the `--parallel` flag with the test subcommand.<br />Defaults to number of available CPUs. |
| DENO_KV_ACCESS_TOKEN | Personal access token used when connecting to Deno KV databases (for example via [`Deno.openKv`](/api/deno/~/Deno.openKv) or `@deno/kv` with a KV Connect URL). |
| DENO_AUDIT_PERMISSIONS | Audit every permission access. Set to a file path to write JSONL, or to the literal value `otel` (Deno 2.8+) to emit OpenTelemetry log records via the configured OTel exporter. See [permissions audit](/runtime/fundamentals/security/#permission-flags) for the field set. |
| DENO_WEBGPU_TRACE | Path to a directory to output a [WGPU trace](https://github.com/gfx-rs/wgpu/pull/619) to when using the WebGPU API |
| DENO_WEBGPU_BACKEND | Select the backend WebGPU will use, or a comma separated list of backends in order of preference. Possible values are `vulkan`, `dx12`, `metal`, or `opengl` |
| HTTP_PROXY | Proxy address for HTTP requests (module downloads, fetch) |
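Review bot: the link target `/runtime/fundamentals/security/#permission-flags` in the new `DENO_AUDIT_PERMISSIONS` row should be checked against the heading the audit paragraphs actually sit under; in the security.md hunk of this same change they appear directly above `### Configuration file`, not under a permission-flags heading, so the fragment may not land on the field list the row promises. Consider also mentioning `DENO_TRACE_PERMISSIONS` in the row, since the security page says setting it adds the `stack` field (and the `deno.permission.stack` attribute) to the same entries.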