{ "slug": "modules/audit", "title": "Audit module", "description": "Tamper-evident audit logging for every administrative action with before/after diffs.", "url": "https://cuitty.com/docs/modules/audit", "markdown_url": "https://cuitty.com/docs/modules/audit.md", "json_url": "https://cuitty.com/docs/modules/audit.json", "frontmatter": { "title": "Audit module", "description": "Tamper-evident audit logging for every administrative action with before/after diffs.", "order": 1, "section": "Modules", "updatedAt": "2026-04-27" }, "headings": [ { "depth": 1, "slug": "audit-module", "text": "Audit module" }, { "depth": 2, "slug": "what-it-captures", "text": "What it captures" }, { "depth": 2, "slug": "how-to-send-events", "text": "How to send events" }, { "depth": 2, "slug": "hash-chain", "text": "Hash chain" }, { "depth": 2, "slug": "reads", "text": "Reads" } ], "body_markdown": "# Audit module\n\nThe audit module records every administrative action with a hash-chained log entry — a single mutation cannot be silently rewritten without breaking the chain.\n\n## What it captures\n\n- Actor (user ID + email)\n- Action verb (e.g. `project.create`, `secret.rotate`)\n- Resource type and id\n- Before/after diff of the resource\n- HTTP method, path, status code, duration\n- IP and User-Agent\n- Optional metadata (auth method, scopes)\n\n## How to send events\n\nThe TypeScript audit plugin instruments your framework middleware automatically. From any other language, POST a `type: \"audit\"` event to `/api/ingest`. See [Wire protocol](/docs/reference/wire-protocol#audit) for the schema.\n\n## Hash chain\n\nEvery audit entry stores `prev_hash = hash(prev_entry || row_payload)`. The portal exposes `cui admin verify-chain` to re-walk and verify the chain. Tampering with a row breaks every subsequent hash.\n\n## Reads\n\n| Endpoint | Returns |\n| ---------------------------------------- | -------------------------------------- |\n| `GET /api/modules/audit/events` | Paginated list of recent audit events |\n| `GET /api/modules/audit/events/{id}` | A single event with full payload |\n| `GET /api/modules/audit/verify` | Chain-integrity report |", "body_html": "

Audit module

\n

The audit module records every administrative action with a hash-chained log entry — a single mutation cannot be silently rewritten without breaking the chain.

\n

What it captures

\n\n

How to send events

\n

The TypeScript audit plugin instruments your framework middleware automatically. From any other language, POST a type: \"audit\" event to /api/ingest. See Wire protocol for the schema.

\n

Hash chain

\n

Every audit entry stores prev_hash = hash(prev_entry || row_payload). The portal exposes cui admin verify-chain to re-walk and verify the chain. Tampering with a row breaks every subsequent hash.

\n

Reads

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
EndpointReturns
GET /api/modules/audit/eventsPaginated list of recent audit events
GET /api/modules/audit/events/{id}A single event with full payload
GET /api/modules/audit/verifyChain-integrity report
", "links_out": [ "/docs/reference/wire-protocol#audit" ] }