code<spar>
Dashboard

Audit Trail

The dashboard's immutable event log — searchable, filterable, hash-chain verified, with real-time updates and expandable event details.

Audit Trail

The Audit Trail page at /dashboard/audit provides a complete, immutable record of every action taken by agents, users, and the system. Every entry is part of a cryptographic hash chain, making the log tamper-evident and verifiable.

The page header displays:

Audit Trail
Immutable event log · Hash chain integrity · 2,847 events

                                        [Chain verified ✓]
ElementDescription
Title"Audit Trail"
SubtitleDescription with total event count
Chain verified badgeGreen badge confirming hash chain integrity. The dashboard verifies the chain on initial load by checking that each entry's hash correctly references the previous entry.

Filters

Two rows of filter controls appear below the header:

Type Filters

Filter events by category. Each filter shows its event count:

FilterDot ColorDescription
AllShow all events (default)
TasksAgent Green (#10B981)Task execution events: task.start, task.complete, task.fail
ReviewsChannel Purple (#8B5CF6)Review events: review.start, review.complete, review.approve
DeploysAlert Amber (#F59E0B)Deploy events: deploy.request, deploy.approve, deploy.execute
IncidentsCritical Red (#EF4444)Incident events: incident.detect, incident.investigate, incident.resolve

Each filter button displays a colored dot (not an emoji) followed by the label and a count badge:

[● All (2,847)]  [● Tasks (1,203)]  [● Reviews (892)]  [● Deploys (445)]  [● Incidents (307)]

Risk Filters

Filter events by risk level using pill-shaped buttons:

FilterDot ColorDescription
AllShow all risk levels (default)
LowAgent Green (#10B981)Low-risk events (formatting, linting, status checks)
MediumAlert Amber (#F59E0B)Medium-risk events (code changes, PR reviews)
HighCritical Red (#EF4444)High-risk events (deploy requests, config changes)
CriticalDeep Red (#DC2626)Critical events (production deploys, security incidents)
[● All]  [● Low]  [● Medium]  [● High]  [● Critical]

System Events Toggle

A "System events" toggle appears alongside the filter controls. When disabled (the default), GitHub and Vercel webhook events are hidden from the timeline. These events include push notifications, deployment status updates, and CI/CD triggers that can add noise when reviewing agent activity. Enable the toggle to see the full, unfiltered event stream.

A search input below the filters searches across multiple fields:

  • Actor — who performed the action
  • Action — the event type
  • Detail — the event description
  • Project — the associated project name
  • Event ID — the unique event identifier

Search is performed client-side on the currently loaded events and triggers a server-side search for broader results when the user presses Enter.

🔍 Search events by actor, action, detail, project, or event ID...

Event Table

The main content area is a table displaying audit events. Events are ordered newest-first.

Table Columns

ColumnDescriptionWidth
RiskColored dot indicating risk level40px
TimeRelative timestamp (e.g., "2m ago", "1h ago")80px
ActorWho performed the action, color-coded by type150px
ActionEvent type in monospace font160px
DetailTruncated event description (max 60 characters)Flexible
RiskRisk level badge (LOW, MEDIUM, HIGH, CRITICAL)80px
ResultOutcome badge (SUCCESS, FAILURE, PENDING)80px
ExpandChevron to expand row details40px

Actor Color Coding

Actor TypeText ColorExample
AgentSignal Blue (#3B82F6)"project-agent", "review-agent"
UserChalk (#F5F5F7)"Sarah Chen", "U0123ABC"
SystemSlate (#6B7280)"System", "webhook"

The formatActor function resolves Slack UIDs to human-readable display names. For example, U0ABC123XY becomes "Sarah Chen" if that mapping exists. Otherwise, the raw UID is displayed.

Action Badges

Action types are displayed in monospace (JetBrains Mono) font with a subtle background:

task.complete    review.start    deploy.request    incident.detect

Risk Badges

LevelColorBackground
LOWAgent Greenrgba(16, 185, 129, 0.1)
MEDIUMAlert Amberrgba(245, 158, 11, 0.1)
HIGHCritical Redrgba(239, 68, 68, 0.1)
CRITICALDeep Redrgba(220, 38, 38, 0.2)

Result Badges

ResultColorDescription
SUCCESSAgent Green (#10B981)Action completed successfully
FAILURECritical Red (#EF4444)Action failed
PENDINGAlert Amber (#F59E0B)Action awaiting approval or completion

Example Table Row

● 3m ago  Sarah Chen  task.complete  "Added health check endpoint at /api/h…"  LOW  SUCCESS  ▸

Expandable Rows

Clicking the chevron (or anywhere on the row) expands it to show full event details:

┌─────────────────────────────────────────────────────────────┐
│ ● 3m ago  Sarah Chen  task.complete  "Added health…"  LOW  │
├─────────────────────────────────────────────────────────────┤
│ Event ID:   evt-a1b2c3d4-e5f6-7890-abcd-ef1234567890       │
│ Timestamp:  2025-03-20T14:32:15.847Z                        │
│ Project:    codespar/codespar                                │
│ Hash:       sha256:9f86d08...c7e8c                           │
│ Full Detail: Added health check endpoint at /api/health     │
│              that returns server status, uptime, and         │
│              database connectivity information.              │
└─────────────────────────────────────────────────────────────┘
FieldDescription
Event IDUnique UUID for this event
TimestampFull ISO 8601 timestamp
ProjectAssociated repository (owner/repo format)
HashSHA-256 hash that chains to the previous event, providing tamper evidence
Full DetailComplete, un-truncated event description

Pagination

The audit trail uses server-side pagination:

← Previous    Page 1 of 143    Next →
  • Page size: 20 events per page
  • Previous / Next buttons navigate between pages
  • Page indicator shows current page and total page count
  • Filters and search are applied server-side, so pagination reflects the filtered result set

LIVE Indicator

When the dashboard is connected to a live backend and actively polling for new events, a LIVE indicator appears in the top-right corner of the audit trail:

● LIVE

The dot pulses gently to indicate active polling. New events appear at the top of the table automatically without requiring a page refresh.

When the backend is unreachable or polling is paused, the indicator disappears.

Hash Chain Verification

The audit trail's hash chain provides tamper evidence. Each event's hash is computed from:

  1. The event's own data (ID, timestamp, actor, action, detail, risk, result)
  2. The hash of the previous event
hash(event_n) = SHA-256(event_n.data + hash(event_n-1))

The "Chain verified" badge in the header confirms that the dashboard has validated the chain for all displayed events. If a chain break is detected (a hash doesn't match the expected value), the badge changes to a red warning:

[Chain broken ✕]

This would indicate that an event has been modified or deleted outside of normal operation.

API Endpoints

The audit trail page interacts with these endpoints:

EndpointMethodDescription
GET /api/auditGETFetch paginated audit events
GET /api/audit?type=tasksGETFilter by event type
GET /api/audit?risk=highGETFilter by risk level
GET /api/audit?search=deployGETSearch events
GET /api/audit?page=2&limit=20GETPaginate results
POST /api/audit/:id/approvePOSTApprove a pending action

All requests include the x-org-id header for tenant isolation.

Next Steps

  • Agent Detail — view activity for a specific agent
  • Settings — configure team roles and policies
  • Security — learn about RBAC and approval flows

Previous

Agent Detail Page

Next

Dashboard Settings

On this page