Documentation Index
Fetch the complete documentation index at: https://aivault.moldable.sh/docs/llms.txt
Use this file to discover all available pages before exploring further.
aivault maintains an append-only audit log that records every secret lifecycle event and proxied invocation. The log is designed for compliance, forensics, and anomaly detection.
What gets logged
| Event type | Trigger |
|---|
| Secret created | aivault secrets create |
| Secret rotated | aivault secrets rotate |
| Secret deleted | aivault secrets delete |
| Secret pinned | Auto-pin to registry provider |
| Group attached | aivault secrets attach-group |
| Group detached | aivault secrets detach-group |
| Capability invoked | aivault invoke, json, markdown |
| Master key rotated | aivault rotate-master |
Viewing the log
# Last 200 events (default)
aivault audit
# Last 50 events
aivault audit --limit 50
# Events before a specific timestamp
aivault audit --before-ts-ms 1700000000000
Storage
Audit events are stored as newline-delimited JSON (JSONL) files in the vault directory:
~/.aivault/data/vault/audit/*.jsonl
- Timestamp (milliseconds since epoch)
- Event type
- Relevant IDs (secret, credential, capability)
- Execution context (workspace, group, client IP)
Disabling disk logs
For environments where audit logs should not be written to disk (e.g. ephemeral containers), set:
export AIVAULT_DISABLE_DISK_LOGS=1
Using audit logs
Compliance: the audit log provides a complete record of who accessed what and when, suitable for SOC 2, HIPAA, and similar compliance frameworks.
Forensics: if a secret is suspected of being misused, the audit log shows every invocation that used it, including the capability, client IP, and workspace context.
Anomaly detection: monitor for unusual patterns — spikes in invocation frequency, requests from unexpected workspace contexts, or capabilities that shouldn’t be active.
Next: Registry