
Audit log

The operational audit log is a chronological record of who changed what in your workspace administration. It answers questions like “who removed this member?”, “when was that project deleted?”, and “who last changed the workspace settings?” (#859, ADR-0157).

It is Owner/Admin-visible only. A plain Member cannot read the log — the events it records (role changes, removals, ownership transfers) are administration concerns, not team-visible activity.

Every entry captures an actor, an event type, an optional target, and a structured metadata object. The following workspace administration events are recorded:

| Event type | When it fires | Target | Metadata |
| --- | --- | --- | --- |
| member_added | A user accepts an invite and joins the workspace | The new member | role, source |
| member_role_changed | An Owner/Admin changes a member’s workspace role | The member | old_role, new_role |
| member_removed | An Owner/Admin deactivates a member | The member | role |
| ownership_transferred | The Owner transfers workspace ownership | The new owner | new_owner_user_id |
| project_created | A project is created | The project | |
| project_deleted | A project is deleted (soft or hard) | The project | mode (soft/hard) |
| workspace_settings_changed | Workspace General settings are saved | The workspace | fields (the names of the fields that changed) |
| workspace_export_triggered | A workspace export is started | The export job | |

On a soft delete, the project’s members also receive an in-app project-delete notification so a project never simply vanishes from under the team.

Each entry stores a human-readable actor_label (the actor’s name or email) at the moment the event is recorded, in addition to a nullable foreign key to the user. If the user is later deleted, the foreign key becomes null but the label remains — the log stays readable. System-initiated events have a blank label and no actor.

GET /api/v1/workspace/audit-events/

The endpoint is cursor-paginated (newest first) and supports filtering:

| Query parameter | Description |
| --- | --- |
| event_type | One of the event types above. Unknown values return 400. |
| actor | A user id. Returns only events performed by that user. |
| since | ISO 8601 date or datetime. Returns events at or after this time. |
| until | ISO 8601 date or datetime. Returns events at or before this time. |
| page_size | Page size (default 50, maximum 200). |

  • Owners and Admins can read the log.
  • Members, Schedulers, Viewers, and unauthenticated callers receive 403 (or 401 when not signed in).
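
As an added example (not the project's own code), the Python below checks filters against the documented limits before building the request path, then flags the entries in a fetched page that an Owner or Admin would review first. The JSON field names, the lower-case role strings, and the sample entries are assumptions constructed for illustration.

```python
from datetime import datetime
from urllib.parse import urlencode

ENDPOINT = "/api/v1/workspace/audit-events/"
EVENT_TYPES = {
    "member_added", "member_role_changed", "member_removed",
    "ownership_transferred", "project_created", "project_deleted",
    "workspace_settings_changed", "workspace_export_triggered",
}

def build_query(event_type=None, actor=None, since=None, until=None, page_size=50):
    """Build the request path, rejecting bad filters before they reach the API."""
    if event_type is not None and event_type not in EVENT_TYPES:
        raise ValueError(f"unknown event_type {event_type!r}; the API answers 400")
    if not 0 < page_size <= 200:  # documented maximum is 200
        raise ValueError("page_size must be 1..200")
    for value in (since, until):
        if value is not None:
            datetime.fromisoformat(value)  # ValueError if Python cannot parse it
    params = {"event_type": event_type, "actor": actor, "since": since,
              "until": until, "page_size": page_size}
    return ENDPOINT + "?" + urlencode({k: v for k, v in params.items() if v is not None})

def triage(events):
    """Return (event_type, actor, reason) for entries worth reviewing first."""
    flagged = []
    for ev in events:
        kind, meta = ev["event_type"], ev.get("metadata") or {}
        actor = ev.get("actor_label") or "system"  # blank label = system-initiated
        new_role = str(meta.get("new_role", ""))
        if kind == "ownership_transferred":
            flagged.append((kind, actor, "workspace ownership moved"))
        elif kind == "member_role_changed" and new_role.lower() in ("owner", "admin"):
            flagged.append((kind, actor, f"{meta.get('old_role')} -> {new_role}"))
        elif kind == "project_deleted" and meta.get("mode") == "hard":
            flagged.append((kind, actor, "hard delete"))
        elif kind == "workspace_export_triggered":
            flagged.append((kind, actor, "workspace export started"))
    return flagged

# Constructed sample entries (not real data); the JSON shape is an assumption.
SAMPLE = [
    {"event_type": "member_added", "actor_label": "ana@example.com",
     "metadata": {"role": "member", "source": "invite"}},
    {"event_type": "member_role_changed", "actor_label": "bo@example.com",
     "metadata": {"old_role": "member", "new_role": "admin"}},
    {"event_type": "project_deleted", "actor_label": "bo@example.com",
     "metadata": {"mode": "soft"}},
    {"event_type": "project_deleted", "actor_label": "", "metadata": {"mode": "hard"}},
]
```
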

The community edition applies no retention or pruning — entries accumulate for the life of the deployment. They are stored in a single indexed table and cursor-paginated, so read performance does not degrade as the log grows, but the table itself is unbounded. Operators who need a retention policy should plan for table growth or upgrade to the Enterprise edition.

The community log is mutable and operational — a convenience record for day-to-day workspace administration. It makes no immutability, signing, or tamper-evidence guarantees.

The Enterprise edition layers a compliance-grade, immutable, signed audit trail on top of the same events, with retention policy, cross-workspace aggregation, and SOC 2-aligned export. It does this by registering a receiver against the OSS audit_event_created signal — the community core never imports Enterprise code. If you need a defensible audit trail for compliance, that is an Enterprise capability.