The audit trail
Whatever the outcome of a request — allowed, confirmed, denied, unaddressable —
kovra records it. kovra audit queries that trail. It answers “what happened to
my secrets, and who asked?” without becoming a new place a secret can leak:
the trail holds coordinates, sensitivity, timestamps, and origin — never a
value, and never a fingerprint complete enough to confirm a guess.
```
~ % kovra audit
TIMESTAMP             ACTION   COORDINATE           SENS    ORIGIN  FPR  RESULT
2026-06-05T19:29:26Z  create   dev/db/password      medium  human   -    created
2026-06-05T19:29:51Z  reveal   dev/app/api-key      medium  human   -    revealed
2026-06-05T19:32:07Z  timeout  prod/stripe/api-key  high    human   -    timeout
2026-06-05T19:32:29Z  reveal   prod/stripe/api-key  high    human   -    revealed
2026-06-05T19:32:44Z  inject   dev/db/password      medium  human   -    injected
5 event(s).
```

Windows — coming soon. The same model on Windows Hello + Credential Manager.
The columns
| Column | Meaning |
|---|---|
| `TIMESTAMP` | When it happened (UTC, RFC-3339). |
| `ACTION` | `create`, `reveal`, `inject`, `timeout`, … |
| `COORDINATE` | The `env/component/key` touched — never the value. |
| `SENS` | The secret’s sensitivity at the time. |
| `ORIGIN` | `human` or `agent` — who initiated it. |
| `FPR` | A short truncated fingerprint when relevant; never the full hash. |
| `RESULT` | What the request resolved to (`revealed`, `injected`, `denied`, `timeout`, …). |
Filtering
Narrow the trail to what you’re investigating:

```
kovra audit --coordinate dev/db/password   # one exact coordinate
kovra audit --env prod                     # everything in an environment
kovra audit --action reveal                # only reveals
kovra audit --since 2026-06-01T00:00:00Z   # a time window
```

`--component` and `--until` are available too. Because every entry carries the
origin, the trail also shows exactly what an agent did on your behalf — and,
just as usefully, what it was refused.
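
An added example, not part of kovra or its documentation: Python that parses the table printed by `kovra audit` and pulls out agent requests that were refused, agent requests that were served, and high-sensitivity reveals that follow a timeout on the same coordinate. It assumes the whitespace-separated column layout shown on this page; the sample rows, the function names and the five-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample rows in the column layout shown on this page (not real output).
SAMPLE = """\
TIMESTAMP             ACTION   COORDINATE           SENS    ORIGIN  FPR  RESULT
2026-06-05T19:29:51Z  reveal   dev/app/api-key      medium  human   -    revealed
2026-06-05T19:32:07Z  timeout  prod/stripe/api-key  high    human   -    timeout
2026-06-05T19:32:29Z  reveal   prod/stripe/api-key  high    human   -    revealed
2026-06-05T19:40:02Z  reveal   prod/stripe/api-key  high    agent   -    denied
2026-06-05T19:41:10Z  inject   dev/db/password      medium  agent   -    injected
5 event(s).
"""

FIELDS = ("timestamp", "action", "coordinate", "sens", "origin", "fpr", "result")

def parse_audit(text):
    """Parse the table into dicts; header, footer and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "TIMESTAMP":
            continue
        ev = dict(zip(FIELDS, parts))
        ev["timestamp"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S%z")
        events.append(ev)
    return events

def triage(events, window=timedelta(minutes=5)):
    """Return (agent_refused, agent_served, high_after_timeout) lists for review."""
    agent = [e for e in events if e["origin"] == "agent"]
    refused = [e for e in agent if e["result"] == "denied"]
    served = [e for e in agent if e["result"] in ("revealed", "injected")]
    last_timeout, flagged = {}, []
    for e in sorted(events, key=lambda e: e["timestamp"]):
        if e["result"] == "timeout":
            last_timeout[e["coordinate"]] = e["timestamp"]
        elif e["sens"] == "high" and e["result"] == "revealed":
            t = last_timeout.get(e["coordinate"])
            # Review heuristic (an assumption of this example, not a kovra rule).
            if t is not None and e["timestamp"] - t <= window:
                flagged.append(e)
    return refused, served, flagged

if __name__ == "__main__":
    refused, served, flagged = triage(parse_audit(SAMPLE))
    for label, rows in (("agent refused", refused), ("agent served", served),
                        ("high reveal after timeout", flagged)):
        for e in rows:
            print(f"{label}: {e['timestamp'].isoformat()} {e['action']} {e['coordinate']}")
```

In practice the text would come from the command's standard output rather than the embedded sample.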