grith audit
Browse and export the audit log of every filter decision.
grith audit [list | show | export | exfil-stats]
The audit log is the persistent record of every decision grith made — including
auto-allows. It lives in a SQLite database under ~/.local/share/grith/audit/.
Subcommands
| Subcommand | What it does |
|---|---|
| (default) / list | Print recent events, newest first. |
| show <id> | Full record for one event. |
| export --format json | Dump records as JSON (stdout or file). |
| export --format csv | Same, as CSV. |
| exfil-stats | Aggregate exfiltration analytics over the recent window. |
Common queries
grith audit # last 50 events
grith audit --limit 500 # last 500
grith audit --session abc1234... # one session
grith audit --decision deny # only denials
grith audit --since 1h # last hour
--since accepts duration shorthand (30s, 15m, 1h, 7d) or absolute ISO 8601
timestamps.
Export
grith audit export --format json > audit.json
grith audit export --format csv --since 24h --output today.csv
JSON output is one record per array element. CSV uses a fixed column order documented in Reporting & exports for Pro analytics parity.
Exfil stats
grith audit exfil-stats
Aggregates the recent window (last EXFIL_STATS_RECENT_COUNT events, default 500)
into a small report:
- Most-frequent denied destinations
- Most-frequent canary fires (if any)
- Top destinations by data-volume estimate
- Sessions with the most queue events
Useful for the weekly review.
What a record looks like
{
  "id": "uuid-...",
  "ts": "2026-05-14T09:14:23Z",
  "session": "abc12345-...",
  "operation": "file_read",
  "target": "/home/you/.ssh/config",
  "decision": "queue",
  "resolved": "deny",
  "composite_score": 4.2,
  "filters": [
    { "name": "sensitive_path", "score": 3.5 },
    { "name": "path_match", "score": 1.2 }
  ],
  "profile": "claude-code",
  "pid": 17421,
  "command": "claude"
}
decision is what the pipeline returned (allow / queue / deny). resolved is what
ultimately happened (auto-allows have no resolved transition; queues resolve to
allow/deny via review or timeout).
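For a weekly review it helps to collapse decision and resolved into one final outcome per event. The script below is an added example, not part of grith: it works on the JSON export format described above, using a constructed sample, and assumes that records with no resolved transition either omit the resolved key or set it to null, and that a queue record without a resolution is still pending.

```python
import json
from collections import Counter

# Constructed sample shaped like `grith audit export --format json` output
# (one record per array element); all values are made up for illustration.
SAMPLE_EXPORT = """[
 {"id": "e1", "operation": "file_read", "target": "/home/you/.ssh/config",
  "decision": "queue", "resolved": "deny",
  "filters": [{"name": "sensitive_path", "score": 3.5}, {"name": "path_match", "score": 1.2}]},
 {"id": "e2", "operation": "file_read", "target": "/home/you/project/README.md",
  "decision": "allow", "filters": []},
 {"id": "e3", "operation": "file_read", "target": "/home/you/.ssh/config",
  "decision": "deny", "filters": [{"name": "sensitive_path", "score": 3.5}]},
 {"id": "e4", "operation": "file_read", "target": "/home/you/project/.env",
  "decision": "queue", "resolved": "allow", "filters": [{"name": "path_match", "score": 1.2}]},
 {"id": "e5", "operation": "file_read", "target": "/home/you/.ssh/config",
  "decision": "queue", "resolved": null, "filters": [{"name": "sensitive_path", "score": 3.5}]}
]"""


def effective_outcome(rec):
    """What actually happened: `resolved` if set, else the pipeline `decision`.
    Assumption: records without a resolved transition omit the key or use null."""
    return rec.get("resolved") or rec["decision"]


def summarize(records):
    """Tally final outcomes, denied targets, and the filters behind denials."""
    outcomes, denied_targets, deny_filters, pending = Counter(), Counter(), Counter(), []
    for rec in records:
        outcome = effective_outcome(rec)
        outcomes[outcome] += 1
        if outcome == "queue":          # queued and not yet reviewed or timed out
            pending.append(rec["id"])
        elif outcome == "deny":
            denied_targets[rec["target"]] += 1
            deny_filters.update(f["name"] for f in rec.get("filters", []))
    return {"outcomes": dict(outcomes), "denied_targets": denied_targets.most_common(),
            "deny_filters": deny_filters.most_common(), "pending": pending}


if __name__ == "__main__":
    # To use a real export instead: json.load(open("audit.json"))
    print(json.dumps(summarize(json.loads(SAMPLE_EXPORT)), indent=2))
```

Counting by final outcome rather than by decision alone keeps queue events that were later denied in the denial totals.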
Storage and retention
The SQLite DB grows monotonically. Default retention is forever — no automatic cleanup. For storage-bounded deployments, tune:
[general]
audit_retention_days = 90 # delete events older than 90 days
audit_max_db_mb = 500 # cap DB size; oldest events drop first
See Logging & audit retention for the trade-offs.
See also
- Audit API — same data, REST
- Analytics overview (Pro)
- Compliance reporting (Enterprise)