Skip to content

Auditing

Auditing today is partial. Some events are emitted to the bus (visible to subscribers); some are written to log files (visible to operators); some are stored as part of normal state. There is no unified "audit log" actor or stream yet. This section is honest about what exists and what is target state.

Pages in this section

  • Security logs — what is logged where, today.
  • Device events — Device-related events on the bus.
  • Package events — package install / runtime events.
  • Admin actions — operations that should be audited (revoke, namespace claim, principal suspend) and where they live today.

Why this is partial

The audit story has been deliberately deferred until the rest of the authorization model crystallizes. Building audit logs against a moving target produces logs that have to be migrated every time the underlying contract changes. The cost of "no audit yet" is operator inconvenience, not security regression: the security gates are in place, just not the post-hoc visibility.

The plan: once capability tokens land, there will be a clear "what was authorized" surface to log. Until then, audit the proxy events (state changes in system.auth, system.devices, system.factotum) plus the operator-side log files.