Audit log surface

The immutable, filterable trail of "who did what, when" for a tenant — security/compliance events rendered as a sortable, searchable, exportable events table with a stable event model and tamper-evidence. Specializes the admin data table for append-only audit data. GitLab Pajamas (audit events) parity. Used by Koder ID, Flow, Console, and any product with compliance needs.

Status: v0.1.0 — Draft. Promoted from the GitLab Pajamas parity scan (metadocsstack #093). Source: https://design.gitlab.com/ (audit events). Retention/PII rules align with policies/identity-data-retention.kmd.

R1 — Event model (stable)

Each entry has a fixed shape: actor (who — usermachinesystem), action (what — a stable verb key), target (the affected resource), timestamp (UTC, with locale display), outcome (success/denied), and context (source IP / device / request id where applicable). The action verb is a stable key (not a free string) so filtering and i18n work.

R2 — Immutable & tamper-evident

  • The log is append-only: entries are never edited or deleted by users

    (retention purges are a system policy, not a user action).

  • Tamper-evidence (e.g. a hash chain / signed batches) is recommended for

    high-assurance tenants; the UI surfaces a verification status when present.

R3 — Filter / sort / search (specializes admin-data-table)

Built on specs/patterns/admin-data-table.kmd: filter by actor, action, target, date range, and outcome; sort by time (default newest-first); full-text search over targets. Large logs virtualize/paginate with any truncation disclosed (no silent cap).

R4 — Retention, PII, export

  • Retention follows policies/identity-data-retention.kmd /

    specs/multi-tenancy/contract.kmd; entries past the window are purged by the system, and that is itself disclosed (not silent).

  • No secrets/credentials are ever logged; PII is minimized and

    access-gated. The surface never renders raw sensitive payloads.

  • Export (CSV/JSON) is available to authorized roles and is itself an

    audited action.

R5 — Access control & tenancy

  • Visible only to authorized roles (security/admin); per-tenant isolation

    per specs/multi-tenancy/contract.kmd — a tenant sees only its events.

  • A failed/denied access attempt to the audit log is itself an auditable

    event.

R6 — Accessibility & i18n

  • A real table with header semantics (inherits admin-data-table a11y).
  • Action verbs + outcomes are localized from their stable keys

    (specs/i18n/contract.kmd); timestamps render in the viewer's locale + timezone with the UTC value available.

  • Outcome (success/denied) conveyed by text + icon, not color alone.

Não-escopo

  • The event-ingestion pipeline / storage backend (observe / kdb).
  • Application logs / debug logging (policies/observability-first.kmd).
  • The tamper-evidence cryptography itself (a backend contract).