Audit Log
What the Audit Log captures
Every action AI Partner takes that matters is logged to the audit trail. The Audit Log panel lets you query, filter, and review this trail with full context.
Go to sidebar → Settings → Audit Log (or navigate directly if it's in your sidebar).
Event categories
| Category | What's logged |
|---|---|
tool_call | Every MCP tool call: tool name, arguments, result, iteration, goal ID |
goal | Goal lifecycle: started, completed, failed, cancelled, paused, resumed |
authority | Every AuthorityPolicy evaluation: action, counterparty, verdict (auto/ask/block) |
approval | HITL approval events: question asked, user response (approved/edited/skipped), timeout |
financial | Write operations on Stripe, HubSpot, S3, Sentry, Outlook — tamper-evident |
security | Login attempts, API key creation/revocation, permission changes |
system | Server start/stop, migration runs, configuration changes |
memory | Memory consolidation runs, biographic fact updates |
meeting | Meeting join, leave, transcript save, action item extraction |
Using the Audit Log panel
Filtering
The panel has a filter bar at the top:
Category: [All ▼] Severity: [All ▼] User: [All ▼] Date: [Last 7 days ▼]
Search: _________________________ [Search]
Filter by category: tool_call, goal, authority, approval, financial, security, system
Filter by severity: info, warning, error
Filter by date range: last 24h, 7 days, 30 days, or custom
Full text search: searches event descriptions and metadata
Reading an entry
2026-05-13 14:03:22 tool_call INFO
Action: web_search
Args: { "query": "Sequoia India fund 2026" }
Result: { "results": [...] }
Goal ID: goal_xyz789
Iteration: 3
Duration: 847ms
For authority decisions:
2026-05-13 14:05:11 authority INFO
Action: reply_email
Counterparty: sarah@acme.com (class: client)
Verdict: draft_and_ask
Outcome: approved (user tapped "Approve" at 14:05:34)
Telegram msg ID: 8745623
For financial operations:
2026-05-13 15:22:07 financial WARNING
Service: stripe
Action: stripe_issue_refund
Args: { "charge_id": "ch_xxx", "amount": 4999 }
Verdict: draft_and_ask → approved
Result: { "id": "re_xxx", "status": "succeeded" }
Hash: sha256:abc123... ← tamper-evident hash
Statistics view
Switch to the Stats tab to see aggregate counts:
Last 7 days:
tool_call: 842 (↑18% vs. prior period)
goal: 47 (↑12%)
authority: 23 (8 auto, 12 ask, 3 block)
financial: 2 (all approved)
security: 1 (1 login)
By severity:
info: 903
warning: 9
error: 1
Financial audit log
Financial write operations (Stripe, HubSpot, S3, Sentry, Outlook) have additional protections:
- Each entry includes a SHA-256 hash of the operation parameters + timestamp + previous hash (chained)
- This makes the log tamper-evident — if a record is modified or deleted, the chain breaks
- The chain is verified on each page load; any broken chain shows a warning
This provides an auditable record suitable for financial compliance purposes.
Log retention
Logs are retained for 90 days by default. Older entries are pruned automatically.
To change retention:
AUDIT_LOG_RETENTION_DAYS=180
To manually prune:
POST /api/audit/prune
{ "olderThanDays": 30 }
API access
# Query with filters
GET /api/audit/logs?category=authority&severity=warning&limit=50&offset=0
# Aggregate statistics
GET /api/audit/stats?period=weekly
# Filter by goal
GET /api/audit/logs?goalId=goal_xyz789
# Financial log only
GET /api/audit/financial
Who has access
The Audit Log is visible to all users. In a multi-user setup (with auth enabled), /api/audit/logs is strictly scoped to the calling user — a client-supplied userId is ignored, so one user can never read another's trail. Admins see the org-wide log (with a per-user filter) in Admin Console → Activity, backed by GET /api/admin/activity. Pruning old entries (POST /api/audit/prune) is admin-only.
For SOC2 / compliance use cases: the /api/audit/financial endpoint can be integrated with your compliance tooling — it returns structured JSON suitable for automated verification.