Review the Audit Trail
Understand and work with the Permission Guard audit trail.
Every tool execution in CoreLayer is logged. This guide shows how to review and work with audit logs.
Accessing Audit Logs
Open Control Center → Permissions → Audit Log.
Log Entry Format
Each entry contains:
[2026-06-15 14:32:01] tool-name
Source: mcp | native | skill | rest
Risk: read | write | external | destructive
Policy: allow | confirm | deny
Decision: approved | denied | auto-allowed
Parameters: { ... }
Result: success | error
Filtering Logs
Filter by:
- Date range — specific time period
- Tool name — find specific tool calls
- Risk level — see only write/destructive operations
- Decision — find denied or approved calls
Common Use Cases
Security Review
Check what external API calls were made:
- Filter by Risk: external
- Review the tool names and parameters
- Verify all calls were expected
Debugging
Find why a tool call failed:
- Filter by Result: error
- Check the error message in the log entry
- Verify the tool parameters were correct
Compliance
Generate a report of all data modifications:
- Filter by Risk: write and Risk: destructive
- Export the log entries
- Review all data changes
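The same three filters can be run offline over exported entries. The script below is an added example, not part of CoreLayer; it assumes the export is plain text in the Log Entry Format shown above (the export format is not documented on this page), and the tool names and parameters in the sample are constructed.

```python
import re
from datetime import datetime

# Constructed sample export (assumed layout: the Log Entry Format above).
SAMPLE = """\
[2026-06-15 14:32:01] read-file
Source: native
Risk: read
Policy: allow
Decision: auto-allowed
Parameters: {"path": "notes.txt"}
Result: success
[2026-06-15 14:33:10] http-post
Source: mcp
Risk: external
Policy: confirm
Decision: approved
Parameters: {"url": "https://api.example.com/v1/items"}
Result: error
[2026-06-15 14:35:42] delete-record
Source: rest
Risk: destructive
Policy: deny
Decision: denied
Parameters: {"id": 17}
Result: error
"""

HEADER = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (\S+)$")

def parse_entries(text):
    """Split the export into one dict per entry; field lines before any header are ignored."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:  # "[timestamp] tool-name" starts a new entry
            entries.append({"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                            "tool": m.group(2)})
        elif entries and ": " in line:  # "Key: value" belongs to the current entry
            key, value = line.strip().split(": ", 1)
            entries[-1][key.lower()] = value  # Parameters stay a raw string
    return entries

def select(entries, **criteria):
    """Keep entries whose field value is in the given set, e.g. risk={"write", "destructive"}."""
    return [e for e in entries if all(e.get(k) in v for k, v in criteria.items())]
```

select(parse_entries(SAMPLE), risk={"external"}) gives the Security Review view, result={"error"} the Debugging view, and risk={"write", "destructive"} the Compliance view.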
Log Retention
Audit logs are stored locally in the configured database and persist across sessions. By default, logs are kept indefinitely. To limit disk usage, set permissions.auditRetentionDays in config.json — entries older than the specified number of days are automatically pruned on startup.
Next Steps
- Permissions — configure policies
- Permission Guard — safety model details