Audit Schema
Fulcrum maintains two levels of audit trails: Policy Evaluations and General Audit Logs.
1. Policy Evaluations (fulcrum.policy_evaluations)
Records every decision made by the governance engine. This table is primarily used for real-time enforcement and immediate history.
| Field | Type | Description |
|---|---|---|
| id | UUID | Primary key. |
| envelope_id | UUID | Link to the execution envelope. |
| policy_id | UUID | Link to the evaluated policy. |
| decision | String | One of ALLOW, DENY, WARN, APPROVAL. |
| message | Text | Human-readable explanation of the decision. |
| details | JSONB | Full Protobuf EvaluationResult, kept for replay and audit. |
| created_at | Timestamptz | Time of evaluation. |
2. General Audit Logs (fulcrum.audit_logs)
Records administrative actions, security events, and configuration changes. This is the canonical immutable audit trail for compliance.
| Field | Type | Description |
|---|---|---|
| id | UUID | Primary key (auto-generated). |
| org_id | String | Tenant or organization ID. |
| timestamp | Timestamptz | Exact time the event occurred. |
| actor_id | String | ID of the user, service account, or system performing the action. |
| actor_email | String | Email of the actor (if available), for readability. |
| action | String | Action performed (e.g., CREATE_POLICY, DELETE_API_KEY). |
| resource_type | String | Type of resource affected (e.g., Policy, Tenant, APIKey). |
| resource_id | String | Unique ID of the affected resource. |
| resource_name | String | Human-readable name of the resource at the time of the event. |
| changes | JSONB | Delta or full state change, represented as JSON. |
| ip_address | INET | Source IP address of the request. |
| user_agent | Text | User agent string of the client. |
| status | String | Outcome of the action: success or failure. |
| error_message | Text | Details if the status was failure. |
Compliance & Retention
- Immutability: Audit logs are intended to be immutable once written.
- Isolation: Row Level Security (RLS) ensures tenants can only see their own audit logs.
- Scope Requirement: Accessing these logs via the API requires the audit:read scope.
- Retention: By default, general audit logs are retained for 365 days, while evaluation history may have a shorter retention period based on storage costs.
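The following is an added example, not Fulcrum's own DDL: a PostgreSQL definition of the fulcrum.audit_logs table above, with the immutability, RLS isolation and 365-day retention properties from this section enforced in the database rather than only in application code. It assumes the application sets a per-request session setting app.org_id, that the retention job runs under a role with BYPASSRLS, and that the job sets a session flag app.retention_job; all three names are assumptions.

```sql
CREATE SCHEMA IF NOT EXISTS fulcrum;

CREATE TABLE fulcrum.audit_logs (
    id            UUID        PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id        TEXT        NOT NULL,
    "timestamp"   TIMESTAMPTZ NOT NULL DEFAULT now(),
    actor_id      TEXT        NOT NULL,
    actor_email   TEXT,
    action        TEXT        NOT NULL,
    resource_type TEXT        NOT NULL,
    resource_id   TEXT,
    resource_name TEXT,
    changes       JSONB,
    ip_address    INET,
    user_agent    TEXT,
    status        TEXT        NOT NULL CHECK (status IN ('success', 'failure')),
    error_message TEXT
);

-- Immutability: reject UPDATE outright and allow DELETE only when the
-- retention job has set the assumed session flag app.retention_job.
CREATE OR REPLACE FUNCTION fulcrum.audit_logs_append_only() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    IF TG_OP = 'DELETE' AND current_setting('app.retention_job', true) = 'on' THEN
        RETURN OLD;
    END IF;
    RAISE EXCEPTION 'fulcrum.audit_logs is append-only: % rejected', TG_OP;
END;
$$;

CREATE TRIGGER audit_logs_append_only
    BEFORE UPDATE OR DELETE ON fulcrum.audit_logs
    FOR EACH ROW EXECUTE FUNCTION fulcrum.audit_logs_append_only();

-- Isolation: RLS limits each tenant to its own rows. The application is
-- assumed to SET LOCAL app.org_id per request; FORCE applies the policy to
-- the table owner too, so only BYPASSRLS roles can read across tenants.
ALTER TABLE fulcrum.audit_logs ENABLE ROW LEVEL SECURITY;
ALTER TABLE fulcrum.audit_logs FORCE ROW LEVEL SECURITY;
CREATE POLICY audit_logs_tenant_isolation ON fulcrum.audit_logs
    USING (org_id = current_setting('app.org_id', true))
    WITH CHECK (org_id = current_setting('app.org_id', true));

-- Retention: the 365-day default, run by a maintenance role with BYPASSRLS
-- inside one transaction so the flag cannot leak into other sessions.
BEGIN;
SET LOCAL app.retention_job = 'on';
DELETE FROM fulcrum.audit_logs WHERE "timestamp" < now() - interval '365 days';
COMMIT;
```

A session without app.org_id set sees no rows (current_setting returns NULL and the comparison is never true), which fails closed rather than exposing other tenants' logs.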