Source of truth: , Last updated: 2026-05-13 — v3.8.0

(T-43 — "Compliance Controls") and . Audit writes never throw: on any failure the call is silently swallowed so audit logging cannot break the main request flow.

)

produces one row. Action strings follow a (or ) pattern. Confirmed in-tree action types include:

, (defaults to ), , / (JSON), , , , , and . Sensitive keys (, , , , anything matching //, etc.) are recursively redacted to before the row is written.

)

. Schema (from ):

	/

— per-request usage roll-up
• — full per-request log (subject to row-cap, see below)
• — proxy traffic log (subject to row-cap)
• — legacy detailed request log (still pruned if present)

is created lazily by on first use:

CREATE TABLE IF NOT EXISTS audit_log (
  id            INTEGER PRIMARY KEY AUTOINCREMENT,
  timestamp     TEXT NOT NULL DEFAULT (datetime('now')),
  action        TEXT NOT NULL,
  actor         TEXT NOT NULL DEFAULT 'system',
  target        TEXT,
  details       TEXT,
  ip_address    TEXT,
  resource_type TEXT,
  status        TEXT,
  request_id    TEXT,
  metadata      TEXT
);

, , , , , and . Missing columns on legacy DBs are added via on demand.

		,
		, , ,

runs the retention pass. It is invoked on server startup from and . Each run logs a audit event with the per-table delete counts. Proxy/call log trimming is batched () to avoid long write locks.

(, ).

Opt-Out (per API key)

table () and is mirrored into an in-memory set for hot-path lookups.

# Create a no-log key (management auth required)
curl -X POST http://localhost:20128/api/keys \
  -H "Cookie: auth_token=..." \
  -H "Content-Type: application/json" \
  -d '{"name": "Privacy key", "noLog": true}'

):

— toggle the in-memory entry
• — checked on the request path; falls back to a 30 s cached read from
• (env, comma-separated) — preloaded into the in-memory set on boot; useful when you cannot toggle the column directly

not affected by — only per-request traffic logging is opted out.

matching for text filters):

, , , (or ), , (or )
• / , / — ISO timestamps
• (default , min , max )
• (default , max )

, , .

curl "http://localhost:20128/api/compliance/audit-log?action=provider.credentials&from=2026-05-01" \
  -H "Cookie: auth_token=..."

(). The page has two tabs:

Compliance () — admin audit events from . Filters by event type, severity (info / warning / critical, derived from action + status), and date range. Severity is computed client-side from the action/status strings.
• MCP () — MCP tool audit from , with filters by tool name and success/failure.

(compliance) and (MCP).

provides shaping helpers used by the provider-management routes when they emit credential events:

— strips , , , , and before the connection snapshot is written to .
• — composes a stable string for the field.
• — scans provider responses for policy/safety warnings (, , , , ) and surfaces up to 5 hits, each truncated to 400 chars.

.
• / to meet your retention policy. The 7-day defaults are conservative.
• ) on whatever cadence your compliance program requires — no built-in archival exists.
• and counts for brute-force detection.
• with a stable action string and pass the request context via so IP and are captured automatically.

— PII masking, prompt injection
• — MCP tool catalog and scopes
• — full env var reference
• , , ,