Audit log format — Documentation

Every mutating action writes a row to the audit log.

Row format

Field	Description
`actor`	display name + Cognito sub
`action`	`connection.open`, `document.share.create`, `vault.read`, `db.query.run`, `magellan.invoke`, `space.member.remove`, etc.
`target_kind`	kind of resource acted on
`target_id`	the resource id
`target_name`	human-readable label
`metadata`	JSON blob with action-specific detail
`ip`, `user_agent`	client context
`created_at`	ISO 8601 timestamp

What gets logged

Every credential access (vault.read, vault.write)
Every document edit (document.create, document.edit, document.share.create)
Every command run (connection.command.exec)
Every tool execution (tool.network_discovery, tool.bulk_command, etc.)
Every HTTP request (http.request.send)
Every DB query (db.query.run — query string truncated to 4000 chars per row)
Every Magellan invocation (magellan.invoke — stage + provider + token count)
Every Space mutation (space.member.add, space.delete, etc.)
Every cascade delete (each child row tagged via=cascade)

Scope

Personal-Space actions go to the user’s personal audit. Shared-Space actions go to that Space’s audit. Cross-Space queries require the explicit “include all Spaces” flag.

Cloud audit flusher

The local audit log mirrors to a cloud audit pipeline asynchronously. Two operational details worth knowing:

4xx as permanent — 404, 403, and 410 from the cloud (e.g. a deleted Space) are treated as permanent failures rather than retryable. This prevents a dead Space from pinning a retry loop forever.
Owner-suppressed vault.shared.list — the owner of a shared credential who reads its own list doesn’t generate audit spam. Other actors reading the same list still log.

Tier behavior

Free / Pro — local-only audit log, no export
Team / Enterprise — local audit + CSV export (see CSV export & filtering)
Enterprise — per-Space filtering for MSP client reporting