
feat: audit log for sensitive operations #425

Merged
kacy merged 2 commits into main from feat/audit-log
May 24, 2026

Conversation

kacy (Owner) commented May 24, 2026

adds an append-only audit log so operators can see who did what: secret
changes, app apply/rollback, agent join/drain, policy changes, and
backup/restore. first half of the audit-log item in next-steps.md.

summary

  • new audit_log table (via migration) + store appendAuditEntry/
    listAuditEntries helpers, newest-first with a limit.
  • src/state/audit.zig records ops under a threadlocal actor so concurrent
    API requests never clobber each other's identity. the actor is coarse today
    (no RBAC yet): api-token / join-token / local (CLI) / unauthenticated.
    the actor column is free-text so a named-token identity drops in later.
    recording is best-effort — a storage failure is logged, never propagated, so
    auditing can't break the operation it records.
  • dispatch() tags each request with the caller's actor from the existing auth
    flags; CLI processes default to local.
  • hooks at the sensitive op sites (secrets, policies, app apply/rollback, agent
    register/drain, backup/restore/secret-rotate).
  • GET /v1/audit?limit=N (default 50, max 500) returns recent entries, gated by
    the api token like other /v1 routes.

audit entries are local to the node that performed the op (the control-plane
leader is the authoritative record). cluster-wide aggregation and
retention/rotation are follow-ups.

tested

  • YOQ_SKIP_SLOW_TESTS=1 zig build test — 2175 passed, 2 skipped, 0 failed.
  • unit tests: append/list round-trip (newest-first, limit, null target);
    record writes under the set actor; actor defaults to local and resets;
    /v1/audit route dispatch + method-not-allowed; backup validator accepts the
    new table (count 20).
  • zig fmt --check clean.

follow-up

yoq audit CLI to read the log from the terminal (next PR); that PR will also
cover the HTTP round-trip end to end.
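As an added example (not code from this PR or the yoq project), the sketch below shows the design the description lays out in a single self-contained Zig file: a threadlocal actor that request handlers set and reset, a `record` that treats storage failure as best-effort (logged, never returned to the caller), newest-first listing, and the `?limit=N` clamp (default 50, max 500). `MemStore`, `Entry`, `clampLimit` and the op names such as `secret.set` are assumptions standing in for the real `audit_log` table and the store's `appendAuditEntry`/`listAuditEntries` helpers.

```zig
const std = @import("std");

/// Coarse actor buckets as described in the PR (assumption: enum shape is ours).
pub const Actor = enum {
    api_token,
    join_token,
    local,
    unauthenticated,

    /// Free-text form stored in the actor column, so a named identity can replace it later.
    pub fn name(self: Actor) []const u8 {
        return switch (self) {
            .api_token => "api-token",
            .join_token => "join-token",
            .local => "local",
            .unauthenticated => "unauthenticated",
        };
    }
};

/// One slot per thread: concurrent requests cannot clobber each other's identity.
/// A CLI process never calls setActor, so it stays `local`.
threadlocal var current_actor: Actor = .local;

pub fn setActor(a: Actor) void {
    current_actor = a;
}

pub fn resetActor() void {
    current_actor = .local;
}

pub const Entry = struct {
    id: usize,
    actor: []const u8,
    op: []const u8,
    target: ?[]const u8, // null when the op has no single target (e.g. a list)
};

/// Hypothetical in-memory stand-in for the SQLite-backed store.
pub const MemStore = struct {
    entries: std.ArrayListUnmanaged(Entry) = .{},
    /// Constructed fault switch so the example can show a storage failure.
    fail_next: bool = false,

    pub fn appendAuditEntry(self: *MemStore, gpa: std.mem.Allocator, actor: []const u8, op: []const u8, target: ?[]const u8) !void {
        if (self.fail_next) {
            self.fail_next = false;
            return error.StorageFailure;
        }
        try self.entries.append(gpa, .{
            .id = self.entries.items.len + 1,
            .actor = actor,
            .op = op,
            .target = target,
        });
    }

    /// Newest-first, at most `limit` rows. Caller frees the returned slice.
    pub fn listAuditEntries(self: *MemStore, gpa: std.mem.Allocator, limit: usize) ![]Entry {
        const n = @min(limit, self.entries.items.len);
        const out = try gpa.alloc(Entry, n);
        for (out, 0..) |*slot, i| {
            slot.* = self.entries.items[self.entries.items.len - 1 - i];
        }
        return out;
    }
};

/// Best-effort recording: the audited operation must never fail because auditing did.
/// The warn line is therefore the only trace of a dropped entry.
pub fn record(store: *MemStore, gpa: std.mem.Allocator, op: []const u8, target: ?[]const u8) void {
    store.appendAuditEntry(gpa, current_actor.name(), op, target) catch |err| {
        std.log.warn("audit: failed to record {s}: {s}", .{ op, @errorName(err) });
        return;
    };
}

/// `?limit=N` handling for GET /v1/audit: default 50, capped at 500.
pub fn clampLimit(requested: ?usize) usize {
    const default_limit: usize = 50;
    const max_limit: usize = 500;
    return @min(requested orelse default_limit, max_limit);
}

test "record is best-effort and listing is newest-first under a clamped limit" {
    const gpa = std.testing.allocator;
    var store = MemStore{};
    defer store.entries.deinit(gpa);

    // A request thread tags itself from the auth flags; reset when the request ends.
    setActor(.api_token);
    defer resetActor();

    record(&store, gpa, "secret.set", "db/password");
    store.fail_next = true;
    record(&store, gpa, "policy.add", null); // storage fails: logged, operation unaffected
    record(&store, gpa, "app.apply", "web");

    const recent = try store.listAuditEntries(gpa, clampLimit(null));
    defer gpa.free(recent);
    try std.testing.expectEqual(@as(usize, 2), recent.len);
    try std.testing.expectEqualStrings("app.apply", recent[0].op);
    try std.testing.expectEqualStrings("api-token", recent[0].actor);
    try std.testing.expectEqual(@as(usize, 500), clampLimit(9999));
    try std.testing.expectEqual(@as(usize, 50), clampLimit(null));
}
```

Run with `zig test audit_example.zig` (file name is ours). The `fail_next` step makes the trade-off visible: `policy.add` succeeds but leaves no row, so the `std.log.warn` line is the only evidence of the gap, which is the reason to forward that log line to monitoring rather than rely on the table alone.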

kacy added 2 commits May 24, 2026 14:11

new audit_log table (migration) + store append/list helpers, and an
audit module that records sensitive ops under a threadlocal actor
(api-token / join-token / local / unauthenticated; defaults to local
for CLI processes). recording is best-effort — a storage failure is
logged, never propagated. backup validator now expects audit_log too.

dispatch() tags each request with the caller's actor; secret set/delete/
list, policy add/delete, app apply/rollback, agent register/drain, and
the backup/restore/secret-rotate CLI ops record audit entries. GET
/v1/audit?limit=N returns recent entries (api-token gated like other
/v1 routes).
@kacy kacy merged commit 23487fc into main May 24, 2026
10 checks passed
@kacy kacy deleted the feat/audit-log branch May 24, 2026 14:12
@kacy kacy mentioned this pull request May 24, 2026