Audit Trail
Sequenceware maintains an immutable audit log of every event, decision, and human intervention. This is your compliance-ready record of what happened, who did it, and why.
What gets audited
Every significant action creates an audit entry:
| Category | Events |
|---|---|
| Runs | Started, completed, failed |
| Tool calls | Initiated, completed, blocked |
| Policy decisions | Policy matched, action applied |
| Approvals | Requested, approved, rejected |
| Policies | Created, updated, deleted, enabled, disabled |
| Admin actions | API key created, user invited, settings changed |
Actor tracking
Each audit entry tracks who performed the action:
| Actor type | Format | Example |
|---|---|---|
| agent | agent:{agentId} | agent:claude-code-maria |
| system | system:policy:{policyId} | system:policy:block-destructive-ops |
| user | user:{email} | user:reviewer@company.com |
This three-way distinction is critical for compliance. You can always answer: "Did a human approve this, or did the agent decide on its own?"
Querying audit logs
Dashboard
Navigate to the Audit page to browse and filter logs. Each run detail page also shows its audit timeline.
API
```bash
# All audit logs
curl http://localhost:3000/v1/audit \
  -H "Authorization: Bearer $TOKEN"

# Filter by run
curl "http://localhost:3000/v1/audit?runId=run_abc123" \
  -H "Authorization: Bearer $TOKEN"

# Filter by entity type and action
curl "http://localhost:3000/v1/audit?entityType=policy&action=matched" \
  -H "Authorization: Bearer $TOKEN"

# Filter by actor
curl "http://localhost:3000/v1/audit?actorType=user" \
  -H "Authorization: Bearer $TOKEN"

# Filter by date range
curl "http://localhost:3000/v1/audit?from=2026-03-01&to=2026-03-19" \
  -H "Authorization: Bearer $TOKEN"

# Full-text search
curl "http://localhost:3000/v1/audit?search=deploy+production" \
  -H "Authorization: Bearer $TOKEN"
```
SDK
```javascript
// Get all audit logs for a run
const logs = await client.getAuditLogs('run_abc123');

// Each log entry contains:
logs.forEach((log) => {
  console.log(log.timestamp);  // When
  console.log(log.actorType);  // Who (agent, system, user)
  console.log(log.actorId);    // Which agent/user/policy
  console.log(log.action);     // What happened
  console.log(log.entityType); // What entity was affected
  console.log(log.metadata);   // Additional context
});
```
Audit log structure
```json
{
  "auditId": "aud_abc123",
  "runId": "run_xyz789",
  "entityType": "tool_call",
  "entityId": "tc_def456",
  "action": "blocked",
  "actorType": "system",
  "actorId": "system:policy:block-destructive-ops",
  "timestamp": "2026-03-19T10:32:15.000Z",
  "metadata": {
    "toolName": "shell_execute",
    "inputPayload": { "command": "rm -rf /srv/releases" },
    "policyName": "Destructive Script Block",
    "reason": "Matched pattern: rm -rf"
  }
}
```
Query parameters
| Parameter | Type | Description |
|---|---|---|
| entityType | string | Filter by entity type (run, tool_call, policy, approval) |
| entityId | string | Filter by specific entity |
| runId | string | Filter by run |
| actorType | string | Filter by actor type (agent, system, user) |
| action | string | Filter by action |
| from | ISO date | Start of date range |
| to | ISO date | End of date range |
| search | string | Full-text search |
| limit | number | Max results (default: 100, max: 200) |
| offset | number | Pagination offset |
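
Paging through `/v1/audit` with the `limit` and `offset` parameters above and splitting the results by actor, as an added example that is not part of the Sequenceware SDK or its documentation. `fetchPage`, `fetchAllAudit`, `classifyActors` and the sample entries are hypothetical; the example assumes each request yields a plain array of entries and that a page shorter than `limit` is the last one.

```javascript
// Added example; not Sequenceware code. fetchPage and the sample entries are hypothetical.
const PAGE_LIMIT = 200; // documented maximum for `limit`

// actorId shapes from the "Actor tracking" table, keyed by actorType.
const ACTOR_FORMATS = new Map([
  ['agent', /^agent:\S+$/],
  ['system', /^system:policy:\S+$/],
  ['user', /^user:\S+@\S+$/],
]);

// Walk limit/offset pages until a short page marks the end of the result set.
// fetchPage(params) is supplied by the caller and resolves to an array of entries
// (assumption: the response envelope is not documented on this page).
async function fetchAllAudit(fetchPage, filters = {}) {
  const all = [];
  for (let offset = 0; ; offset += PAGE_LIMIT) {
    const page = await fetchPage({ ...filters, limit: PAGE_LIMIT, offset });
    all.push(...page);
    if (page.length < PAGE_LIMIT) return all;
  }
}

// Group entries by who acted. An entry whose actorId does not match the format
// documented for its actorType goes to `malformed` for manual review.
function classifyActors(entries) {
  const out = { agent: [], system: [], user: [], malformed: [] };
  for (const e of entries) {
    const format = ACTOR_FORMATS.get(e.actorType);
    const ok = format !== undefined && typeof e.actorId === 'string' && format.test(e.actorId);
    out[ok ? e.actorType : 'malformed'].push(e);
  }
  return out;
}

// Constructed sample: 401 well-formed agent entries plus three hand-written ones.
const SAMPLE = [
  ...Array.from({ length: 401 }, (_, i) => ({ auditId: `aud_${i}`, actorType: 'agent', actorId: 'agent:claude-code-maria' })),
  { auditId: 'aud_p', actorType: 'system', actorId: 'system:policy:block-destructive-ops' },
  { auditId: 'aud_u', actorType: 'user', actorId: 'user:reviewer@company.com' },
  { auditId: 'aud_x', actorType: 'user', actorId: 'agent:claude-code-maria' }, // type/id mismatch
];

// Stand-in for the HTTP call: serves SAMPLE in pages, honouring limit and offset.
const fakeFetchPage = async ({ limit, offset }) => SAMPLE.slice(offset, offset + limit);
```

A request with no `limit` returns only the default 100 entries, so a compliance report built from one unpaged call can silently miss records.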
Exporting audit logs
Export audit logs as CSV for compliance reporting, external audits, or archival:
```bash
# Export all audit logs as CSV
curl -O -J "http://localhost:3000/v1/audit/export" \
  -H "Authorization: Bearer $TOKEN"

# Export logs for a date range
curl -O -J "http://localhost:3000/v1/audit/export?from=2026-03-01&to=2026-03-31" \
  -H "Authorization: Bearer $TOKEN"

# Export only blocked actions
curl -O -J "http://localhost:3000/v1/audit/export?action=tool.blocked" \
  -H "Authorization: Bearer $TOKEN"
```
The export endpoint supports the same filters as the query API and returns up to 10,000 records per export. The CSV includes all audit fields: timestamp, auditId, entityType, entityId, runId, action, actorType, actorId, and metadata (as JSON).
This is particularly useful for:
- EU AI Act compliance (Art. 12, 72): providing regulators with activity records
- FEDER fund reporting: documenting responsible AI deployment for public funding audits
- Internal reviews: periodic assessment of agent behavior and policy effectiveness