autonomy audit query

Query retained audit records

Synopsis

Reads audit records from the local audit store and prints matching records.

When –pg-url is set (or AUTONOMY_AUDIT_PG_URL is in the environment), records are read from the PostgreSQL audit_events table. Otherwise the local JSONL file store is used (–audit-dir).

Filters (all optional, ANDed together): –event-type exact event name (e.g. “rollout.plan.created”) –category audit domain: rollout | ha | relay | cert | auth | system | rollback –actor operator identity (e.g. “alice@example.com”) –outcome result: success | failure | denied | pending –source emitting component: orchestrator | edge | cli –start-time RFC3339 inclusive lower bound (e.g. “2026-01-01T00:00:00Z”) –end-time RFC3339 inclusive upper bound –limit maximum records to return (default 100, 0 = no limit)

Output: –output text tabwriter table (default): TIMESTAMP EVENT ACTOR RESOURCE OUTCOME SOURCE –output json pretty-printed JSON array

Usage

autonomy audit query [flags]

Options

      --actor string        filter by operator identity
      --audit-dir string    audit storage directory (default: AUTONOMY_AUDIT_DIR or XDG state path)
      --category string     audit domain filter: rollout | ha | relay | cert | auth | system | rollback
      --end-time string     inclusive RFC3339 end time
      --event-type string   exact event name filter (e.g. "rollout.plan.created")
      --limit int           maximum records to return (0 = no limit) (default 100)
      --outcome string      result filter: success | failure | denied | pending
      --output string       output format: "text" (tabwriter table) or "json" (array) (default "text")
      --pg-url string       PostgreSQL URL for DB-backed audit query (env: AUTONOMY_AUDIT_PG_URL)
      --source string       component filter: orchestrator | edge | cli
      --start-time string   inclusive RFC3339 start time (e.g. 2026-01-01T00:00:00Z)

See also

• autonomy audit — Query and export retained audit records