Audit logs

Mobius writes immutable audit records for security- and configuration-relevant mutations: creating an automation, rotating a webhook secret, granting a role, revoking an API key, archiving a project, or changing integration settings. Each record names the principal, credential, resource, and change.

There are two scopes: org-wide and project-scoped. Both use the same record shape.

What's in a record

| Field | Notes |
| --- | --- |
| action | create, update, delete, archive, restore. |
| resource_type | automation, agent, action, integration, project, api_key, role, webhook, secret, and more. |
| resource_id, resource_name | The affected resource. |
| principal_id | Durable identity that performed the action: human, API client, agent, or system principal. |
| principal_kind | Principal family when available, such as human, service, agent, or system. |
| credential_id | API key or CLI credential used for the request. Browser sessions may not have a Mobius credential row. |
| project_id | Set for project-scoped resources. |
| changes | Per-field diff for update actions. |
| ip_address, user_agent | Request metadata. |
| created_at | RFC 3339 timestamp. |

Older records or transitional producers may still display legacy actor fields in internal tooling, but public filters and new records should be read as principal plus credential.

What gets logged, what does not

The audit log covers configuration changes. CRUD on automations, agents, integrations, secrets, API keys, roles, webhooks, and projects belongs here.

The audit log does not cover run execution. Step transitions, tool calls, and action calls live on the run event stream, which is a separate observability surface. The split matters: "who changed configuration?" is an audit question; "what did the runtime do at 4am?" is a runs question.

Useful queries

"Who flipped this automation to active yesterday?"

mobius audit-logs list \
  --resource-type automation \
  --resource-id aut_01... \
  --action update \
  --created-after 2026-05-27T00:00:00Z

"What did this API client mutate during the April incident?"

mobius audit-logs list \
  --principal-id prin_01... \
  --created-after 2026-04-12T18:00:00Z \
  --created-before 2026-04-12T22:00:00Z

"Which credential rotated the Slack integration last?"

Filter on resource_type=integration and action=update. The credential_id on the matching record names the API key or CLI credential that did it.

"Show me the org-wide picture, not just one project."

mobius audit-logs list-org --created-after 2026-05-01T00:00:00Z

When you'd reach for this

Three repeating patterns:

  1. Incident response. Narrow by time window and walk forward, looking for the change that preceded the symptom.
  2. Access reviews. Filter by resource_type=role_assignment over the last quarter to catch lingering elevated access.
  3. "Did this happen?" When a teammate insists they did not change a thing, you can prove it or correct yourself in two CLI commands.
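The incident-response pattern above, as an added example that is not part of Mobius or its CLI: it takes audit records that have already been exported, keeps those inside the window before the symptom, and orders them oldest first. The JSON Lines export layout, the sample IDs and the `old`/`new` shape of `changes` are assumptions; the field names are the ones documented on this page.

```python
import json
from datetime import datetime, timezone

# Constructed sample export, one record per line and deliberately out of order.
# The JSON Lines layout, the IDs and the shape of "changes" are assumptions.
SAMPLE = """\
{"action": "update", "resource_type": "integration", "resource_id": "int_demo", "principal_id": "prin_svc", "credential_id": "cred_ci", "changes": {"channel": {"old": "#ops", "new": "#tmp"}}, "created_at": "2026-04-12T19:40:00Z"}
{"action": "update", "resource_type": "automation", "resource_id": "aut_demo", "principal_id": "prin_human", "credential_id": null, "changes": {"status": {"old": "paused", "new": "active"}}, "created_at": "2026-04-12T18:05:00Z"}
{"action": "create", "resource_type": "api_key", "resource_id": "key_demo", "principal_id": "prin_svc", "credential_id": "cred_ci", "created_at": "2026-04-12T21:30:00+02:00"}
{"action": "delete", "resource_type": "webhook", "resource_id": "wh_demo", "principal_id": "prin_human", "credential_id": null, "created_at": "2026-04-12T17:59:59Z"}
{"action": "update", "resource_type": "automation", "resource_id": "aut_demo", "principal_id": "prin_svc", "credential_id": "cred_ci", "created_at": "2026-04-12T20:15:00Z"}
"""


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp into an aware UTC datetime."""
    if value[-1] in "Zz":  # older Python versions reject the "Z" suffix
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def changes_before(export, window_start, symptom_at):
    """Records with window_start <= created_at < symptom_at, oldest first."""
    start, end = parse_rfc3339(window_start), parse_rfc3339(symptom_at)
    hits = []
    for line in export.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = parse_rfc3339(rec["created_at"])  # compare instants, not strings
        if start <= ts < end:
            hits.append((ts, rec))
    hits.sort(key=lambda pair: pair[0])
    return [rec for _, rec in hits]


def timeline(records):
    """One row per change: when, which principal and credential, what changed."""
    return [(r["created_at"], r["principal_id"], r.get("credential_id"),
             r["action"], r["resource_type"], r["resource_id"]) for r in records]


if __name__ == "__main__":
    window = changes_before(SAMPLE, "2026-04-12T18:00:00Z", "2026-04-12T20:00:00Z")
    for row in timeline(window):
        print(row)
```

Comparing parsed instants rather than raw strings is what places the `+02:00` record correctly between the other two; the last row of the timeline is the change closest to the symptom.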

Retention and immutability

Records are append-only. There is no delete or edit by design. If a record contains a value you wish had not been logged, such as a secret inside a changes blob, fix the producer instead of trying to scrub history.

  • Roles decide who is allowed to do the mutations the audit log records.
  • API keys provide the credential_id on machine-driven mutations.
  • Machine identities explains API client and agent principals.
  • Projects scope project-level audit reads; organization-level reads use the org-wide command.