ctx.db.insert() exclusively — there are no delete or update mutations in the audit code.
Event Structure
| Field | Description |
|---|---|
category | Event classification (see table below) |
eventType | Specific action within the category |
resourceType | Type of entity affected (run, agent, step, etc.) |
resourceId | ID of the affected entity |
actor | User or agent that triggered the event |
timestamp | When the event occurred |
detail | Event-specific payload with structured data |
Audit Categories
| Category | Example Event Types |
|---|---|
| Governance | approval_requested, approval_resolved, trust_level_changed |
| Execution | step_dispatched, step_completed, step_failed, step_timed_out |
| Lifecycle | workflow_started, workflow_completed, workflow_cancelled |
| Security | security_posture_updated, auth_failure |
| Configuration | agent_created, agent_updated, model_registered, gateway_synced |
| Deploy | deployment_created, deployment_deactivated |
Retention
Configurable retention policies per category. Security and governance events default to indefinite retention. Execution events can be pruned after a configurable window. A daily cron enforces TTL-based cleanup — audit events default to 365 days, token events to 90 days.
Run Audit Packets
Aggregated audit view for a single workflow run, collecting all related events across categories into one timeline. Used for post-mortem analysis and compliance reporting. Query byrunId to retrieve the complete event history for any execution — dispatches, governance decisions, step completions, token events, and errors in chronological order.
In Burgundy: Browse the audit log from the audit page. →