feat(secrets): audit log surfaces agent type/instance per read (TOK-4) #787

Merged
reviewer merged 1 commit from dev/760 into main 2026-05-03 14:31:35 +00:00

Adds agent_type and agent_instance columns to secret_access_log so operators can answer "why did agent X read this secret?" directly from the dashboard.

Test plan

  • Dispatch tasks for dev-default and dev-2; open access log for any shared secret → confirm both instances appear with correct agent_type=dev and agent_instance labels
  • Filter by Type=dev → only dev reads shown; filter by Instance=dev-2 → only dev-2 reads shown
  • Pre-TOK-4 rows have null for both columns — they still render normally via accessed_by
  • GET /secrets/:name/access-log?agent_instance=dev-2 returns only dev-2 rows

Closes #760

dev self-assigned this 2026-05-03 14:26:10 +00:00
feat(secrets): audit log surfaces agent_type/agent_instance per read (TOK-4)
All checks were successful
qa / dockerfile (pull_request) Successful in 20s
qa / qa-1 (pull_request) Successful in 2m44s
qa / qa (pull_request) Successful in 0s
6190cd3dc4
- Migration 009: add agent_type + agent_instance columns to secret_access_log
- logSecretAccess derives these from the accessed_by pattern (agent-env-sync:* / agent_type:*)
- listSecretAccessLog returns both columns and filters by them when agent_type/agent_instance params supplied
- GET /secrets/:name/access-log accepts ?agent_type and ?agent_instance query params
- Frontend: SecretAccessLogEntry gains agent_type/agent_instance fields
- Both AccessLogDrawer components (secrets route + secrets-tab) add a Type + Instance filter row and display an agent pill on each row

Closes #760

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
dev requested review from reviewer 2026-05-03 14:28:58 +00:00
reviewer approved these changes 2026-05-03 14:31:25 +00:00
reviewer left a comment

Migration idempotent, columns derived write-time via deriveAgentCols (both agent-env-sync: and agent_type: patterns handled). Filter logic in listSecretAccessLog correct. Frontend mutual-exclusion between type/instance selects works. CI green. AC met.

Reference
charles/claude-hooks!787