Audit API
Query the append-only audit trail with pagination, filtering by risk level, and hash chain integrity verification.
CodeSpar maintains an append-only audit trail of all agent actions, user commands, and system events. Every entry is cryptographically linked to the previous one via a hash chain, ensuring tamper-evident integrity.
Query Audit Entries
Retrieve paginated audit log entries with optional filtering.
Query Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| limit | integer | 20 | Entries per page (max: 100) |
| page | integer | 1 | Page number (1-indexed) |
| risk | string | all | Filter by risk level: low, medium, high, critical, all |
Request
With risk filtering:
With multi-tenant scoping:
Response
Response Schema
Pagination Wrapper
| Field | Type | Description |
|---|---|---|
| entries | AuditEntry[] | Array of audit entries |
| total | number | Total number of entries matching the filter |
| page | number | Current page number |
| pageSize | number | Entries per page |
| totalPages | number | Total number of pages |
| hasMore | boolean | Whether more pages exist |
AuditEntry Schema
| Field | Type | Description |
|---|---|---|
| id | string | Unique entry identifier |
| timestamp | string | ISO 8601 timestamp |
| actorType | string | Who performed the action: user, agent, system |
| actorId | string | Identifier of the actor (e.g., slack:U1234, agent-proj-abc123) |
| action | string | The command or event (e.g., deploy, review, ci_event, kill) |
| result | string | Outcome: completed, approved, denied, failed, processed |
| metadata | object | Action-specific data (varies by action type) |
| hash | string | SHA-256 hash linking this entry to the previous one |
Actor Types
| Actor Type | Description | Example actorId |
|---|---|---|
| user | Human user via a channel | slack:U1234ABCD, whatsapp:5511999990000 |
| agent | CodeSpar agent | agent-proj-abc123, agent-task-def456 |
| system | Internal system event | webhook-handler, scheduler, startup |
Common Action Types
| Action | Actor Type | Description |
|---|---|---|
| status | user | User queried status |
| instruct | user | User requested a coding task |
| fix | user/agent | Issue investigation triggered |
| review | user/agent | PR review performed |
| deploy | user | Deployment requested or completed |
| rollback | user | Rollback requested or completed |
| approve | user | Action approved |
| deny | user | Action denied |
| kill | user | Emergency kill switch activated |
| autonomy_change | user | Autonomy level changed |
| link | user | Repository linked |
| unlink | user | Repository unlinked |
| ci_event | system | CI/CD webhook event received |
| agent_spawn | system | Ephemeral agent created |
| agent_terminate | system | Ephemeral agent completed and terminated |
| error | agent/system | Error occurred during processing |
Hash Chain Integrity
Each audit entry includes a hash field computed as:
The first entry in the chain uses a zero hash as the previous hash. This creates a tamper-evident log: modifying any entry would break the chain for all subsequent entries.
Verifying Integrity
To verify the audit chain integrity, iterate through entries in chronological order and recompute each hash:
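The verification loop described above, as an added Python example (not CodeSpar's own code). The exact hash input is not shown on this page, so `entry_hash`, the 64-character `ZERO_HASH`, and the canonical JSON encoding are assumptions to be replaced with the documented formula; the sample entries are constructed.

```python
import hashlib
import hmac
import json

ZERO_HASH = "0" * 64  # assumed encoding of the "zero hash" used for the first entry


def entry_hash(prev_hash, entry):
    """Assumed formula: SHA-256 over previous hash + canonical JSON of the entry minus `hash`."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def verify_chain(entries, expected_head=None):
    """Return (ok, index_of_first_bad_entry). Entries must be in chronological order.

    expected_head is a head hash recorded out-of-band earlier; without it a
    truncated tail still verifies, because every remaining link is intact.
    """
    prev = ZERO_HASH
    for i, entry in enumerate(entries):
        if not hmac.compare_digest(entry_hash(prev, entry), entry.get("hash", "")):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)
    return True, None


def build_sample_chain():
    """Constructed sample entries using the AuditEntry fields from this page."""
    rows = [
        ("user", "slack:U1234", "deploy", "denied"),
        ("user", "slack:U1234", "approve", "approved"),
        ("agent", "agent-proj-abc123", "review", "completed"),
    ]
    chain, prev = [], ZERO_HASH
    for n, (actor_type, actor_id, action, result) in enumerate(rows):
        e = {"id": f"sample-{n}", "timestamp": f"2024-01-01T00:00:0{n}Z",
             "actorType": actor_type, "actorId": actor_id,
             "action": action, "result": result, "metadata": {}}
        e["hash"] = prev = entry_hash(prev, e)
        chain.append(e)
    return chain
```

A reported index equal to `len(entries)` means every link verified but the last hash does not match the recorded head, which is how removed trailing entries show up. Keep that recorded head somewhere other than the audit storage itself.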
Retention
Audit entries are retained for 365 days by default. After the retention period, entries are archived (if configured) or deleted.
| Setting | Default | Description |
|---|---|---|
| Retention period | 365 days | How long entries are kept |
| Storage | File-based (.codespar/audit/) | Default storage backend |
| Archive | Not configured | Optional external archive (S3, etc.) |
Examples
Get the latest 5 entries
Get only high-risk actions
Get only critical actions (deploys, rollbacks, kills)
Paginate through all entries
Next Steps
- Agent API — Manage agent lifecycle
- Security — RBAC and approval system
- Configuration — Environment variables