Problem
AuditLog in src/synthorg/security/audit.py records every security evaluation with agent, tool, verdict, and evidence. But there is no GET /security/audit query endpoint. The audit trail is write-only from an API perspective -- it can only be accessed via log sinks (file/syslog/HTTP) or by directly reading the persistence layer.
External control-plane consumers (SIEM integrations, compliance tooling) need queryable access to the audit trail.
Source: docs/research/control-plane-audit.md (G5), closes research #688.
Solution
Add GET /security/audit with filters:
agent_id -- filter by agentverdict -- filter by ALLOW, DENY, ESCALATEaction_type -- filter by tool/action categorysince / until -- time range
Response: paginated list of audit records. Consistent with the existing paginated response convention.
Files
src/synthorg/security/audit.py -- verify persistence layer supports querysrc/synthorg/api/controllers/security.py (or new audit.py) -- add route
Problem
AuditLoginsrc/synthorg/security/audit.pyrecords every security evaluation with agent, tool, verdict, and evidence. But there is noGET /security/auditquery endpoint. The audit trail is write-only from an API perspective -- it can only be accessed via log sinks (file/syslog/HTTP) or by directly reading the persistence layer.External control-plane consumers (SIEM integrations, compliance tooling) need queryable access to the audit trail.
Source:
docs/research/control-plane-audit.md(G5), closes research #688.Solution
Add
GET /security/auditwith filters:agent_id-- filter by agentverdict-- filter byALLOW,DENY,ESCALATEaction_type-- filter by tool/action categorysince/until-- time rangeResponse: paginated list of audit records. Consistent with the existing paginated response convention.
Files
src/synthorg/security/audit.py-- verify persistence layer supports querysrc/synthorg/api/controllers/security.py(or newaudit.py) -- add route