aivault maintains an append-only audit log that records every secret lifecycle event and proxied invocation. The log is designed for compliance, forensics, and anomaly detection.

What gets logged

Event type            Trigger
Secret created        aivault secrets create
Secret rotated        aivault secrets rotate
Secret deleted        aivault secrets delete
Secret pinned         Auto-pin to registry provider
Group attached        aivault secrets attach-group
Group detached        aivault secrets detach-group
Capability invoked    aivault invoke, json, markdown
Master key rotated    aivault rotate-master

Viewing the log

# Last 200 events (default)
aivault audit

# Last 50 events
aivault audit --limit 50

# Events before a specific timestamp
aivault audit --before-ts-ms 1700000000000

Storage

Audit events are stored as newline-delimited JSON (JSONL) files in the vault directory:
~/.aivault/data/vault/audit/*.jsonl
Each event includes:
  • Timestamp (milliseconds since epoch)
  • Event type
  • Relevant IDs (secret, credential, capability)
  • Execution context (workspace, group, client IP)

Disabling disk logs

For environments where audit logs should not be written to disk (e.g. ephemeral containers), set:
export AIVAULT_DISABLE_DISK_LOGS=1
This suppresses all disk-based audit logging. Events are still processed in-memory for rate limiting and policy enforcement.

Using audit logs

Compliance: the audit log provides a complete record of who accessed what and when, suitable for SOC 2, HIPAA, and similar compliance frameworks. Forensics: if a secret is suspected of being misused, the audit log shows every invocation that used it, including the capability, client IP, and workspace context. Anomaly detection: monitor for unusual patterns — spikes in invocation frequency, requests from unexpected workspace contexts, or capabilities that shouldn’t be active. Next: Registry