Problem
Security teams need to export audit logs for:
- SIEM integration (Splunk, Elastic, Datadog) — ingest ClawForge events into centralized security monitoring
- Compliance reporting — produce audit reports for SOC 2, ISO 27001, etc.
- Incident investigation — download and analyze events offline
- Long-term archival — store events beyond the retention period
Currently there is no way to get audit data out of ClawForge except through the query API page by page.
Proposed Solution
API Endpoint
GET /api/v1/audit/:orgId/export
Query parameters (same as existing query endpoint):
- format — csv or json (default: json)
- startDate / endDate — time range filter
- userId, eventType, toolName, outcome — standard filters
- limit — max rows (default: 10000, max: 100000)
Response:
- Streams the response with appropriate Content-Type and Content-Disposition headers
- JSON format: newline-delimited JSON (NDJSON) for streaming compatibility
- CSV format: standard CSV with headers
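A sketch of the parameter handling and serialization this endpoint implies, added here as an example and not taken from ClawForge: the function names, the timestamp field, the sample events, and the choice to clamp an over-max limit are assumptions. It also covers one caveat for the CSV format: audit fields can carry user-influenced text, so cells a spreadsheet would evaluate as formulas are prefixed before quoting.

```javascript
// Added illustration: helper and field names are assumptions, not ClawForge code.
const FIELDS = ["timestamp", "userId", "eventType", "toolName", "outcome"];

// format: csv or json (default json); limit: default 10000, max 100000.
// Clamping an over-max limit (rather than rejecting it) is an assumption.
function parseExportParams(query) {
  const format = query.format === undefined ? "json" : String(query.format);
  if (format !== "csv" && format !== "json") throw new RangeError("format must be csv or json");
  if (query.limit === undefined) return { format, limit: 10000 };
  if (!/^[1-9]\d*$/.test(String(query.limit))) throw new RangeError("limit must be a positive integer");
  return { format, limit: Math.min(Number(query.limit), 100000) };
}

// Headers for a file download; orgId is sanitised before it reaches the filename.
function exportHeaders(format, orgId) {
  const safeOrg = String(orgId).replace(/[^A-Za-z0-9_-]/g, "_");
  return {
    "Content-Type": format === "csv" ? "text/csv; charset=utf-8" : "application/x-ndjson",
    "Content-Disposition": `attachment; filename="audit-${safeOrg}.${format === "csv" ? "csv" : "ndjson"}"`,
  };
}

// Quote per RFC 4180 and prefix cells that a spreadsheet would evaluate as a formula.
function csvCell(value) {
  let s = value === null || value === undefined ? "" : String(value);
  if (/^[=+\-@\t\r]/.test(s)) s = "'" + s;
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

// Yields one chunk per row so a handler can write each chunk as it is produced.
function* serializeExport(events, format, limit) {
  if (format === "csv") yield FIELDS.join(",") + "\r\n";
  let rows = 0;
  for (const ev of events) {
    if (rows++ >= limit) break;
    yield format === "csv"
      ? FIELDS.map((f) => csvCell(ev[f])).join(",") + "\r\n"
      : JSON.stringify(ev) + "\n"; // JSON escapes newlines, so one event per line
  }
}

// Constructed sample events, including a tool name that starts with "=".
const SAMPLE_EVENTS = [
  { timestamp: "2024-01-01T00:00:00Z", userId: "u1", eventType: "tool_call", toolName: "shell", outcome: "allowed" },
  { timestamp: "2024-01-01T00:00:05Z", userId: "u2", eventType: "tool_call", toolName: '=SUM(1,"2")', outcome: "blocked" },
];
```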
Admin Console
- Add "Export" button to the audit page
- Export applies current filter state
- Show download progress for large exports
Future: Webhook-based streaming
- Configure a webhook URL that receives audit events in near-real-time
- Supports integration with external SIEM without polling
Acceptance Criteria