Governance & Trust

Immutable audit trail & export

Every mutation writes exactly one audit row; UPDATE and DELETE on the log are blocked for every role, and the log is exportable under S3 Object-Lock.

One immutable row per mutation — and a tamper-evident archive on demand.

Every write goes through trackFields to produce a field-level diff, then writeAudit in fail-closed mode: if the audit write fails, the caller's own mutation rolls back — no orphaned state. DB triggers block UPDATE/DELETE on the log for every role including service_role. Auditors query via RLS, and a cron (guarded by secret + lock) exports to S3 Object-Lock with KMS encryption.
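The flow above, reduced to an in-memory model so the two guarantees can be exercised directly: a field-level diff, and a fail-closed audit write whose failure rolls the caller's mutation back. This is an added example, not code from the page or the product it describes; `trackFields`, `writeAudit`, `runMutation` and `MemoryDb` are assumed names, and the snapshot/restore inside `runMutation` stands in for the database transaction, just as the throwing `updateAudit`/`deleteAudit` methods stand in for the DB trigger.

```typescript
// Added example (not the page's or the product's own code). All names here are
// assumptions; a real deployment uses a DB transaction for rollback and a trigger
// to reject UPDATE/DELETE on audit_log for every role.

interface FieldDiff {
  field: string;
  before: unknown;
  after: unknown;
}

interface AuditRow {
  workspace_id: string;
  actor: string;
  diff: FieldDiff[];
  ts: number;
}

// trackFields: field-level diff between two snapshots of one record.
function trackFields(
  before: Record<string, unknown>,
  after: Record<string, unknown>,
): FieldDiff[] {
  const keys = new Set([...Object.keys(before), ...Object.keys(after)]);
  const diff: FieldDiff[] = [];
  for (const field of [...keys].sort()) {
    // Compare serialized values so nested objects are diffed by content.
    if (JSON.stringify(before[field]) !== JSON.stringify(after[field])) {
      diff.push({ field, before: before[field], after: after[field] });
    }
  }
  return diff;
}

// MemoryDb stands in for the real database: mutable records plus an
// append-only audit log. Snapshot/restore plays the role of a transaction.
class MemoryDb {
  records = new Map<string, Record<string, unknown>>();
  auditLog: AuditRow[] = [];
  // Set by a caller or test to simulate the audit insert failing once.
  failNextAudit = false;

  private snapshot() {
    return {
      records: new Map(
        [...this.records].map(([k, v]) => [k, { ...v }] as [string, Record<string, unknown>]),
      ),
      auditLog: [...this.auditLog],
    };
  }

  // Equivalent of the DB trigger on the page: the log accepts INSERT only.
  updateAudit(): never {
    throw new Error("audit_log is append-only: UPDATE blocked");
  }
  deleteAudit(): never {
    throw new Error("audit_log is append-only: DELETE blocked");
  }

  // writeAudit is fail-closed: a failed insert throws rather than being skipped.
  writeAudit(row: Omit<AuditRow, "ts">): void {
    if (this.failNextAudit) {
      this.failNextAudit = false;
      throw new Error("audit write failed");
    }
    this.auditLog.push({ ...row, ts: Date.now() });
  }

  // runMutation applies the change and its audit row atomically: if the audit
  // write throws, the record change is rolled back, leaving no orphaned state.
  runMutation(
    workspaceId: string,
    actor: string,
    id: string,
    patch: Record<string, unknown>,
  ): FieldDiff[] {
    const saved = this.snapshot();
    try {
      const before = this.records.get(id) ?? {};
      const after = { ...before, ...patch };
      const diff = trackFields(before, after);
      this.records.set(id, after);
      this.writeAudit({ workspace_id: workspaceId, actor, diff });
      return diff;
    } catch (err) {
      this.records = saved.records;
      this.auditLog = saved.auditLog;
      throw err;
    }
  }
}
```

The ordering inside `runMutation` matters: the record is changed first and the audit row written second, so the only way the audit row can be missing is if the whole unit is rolled back. Reversing the order would allow an audit row with no matching state change, which is the other kind of orphan the page rules out.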

[Flowchart: mutation in caller → trackFields produces FieldDiff[] → writeAudit; on success an audit_log row (workspace_id · actor · diff · ts) is inserted, on failure writeAudit throws and the caller rolls back the mutation; a DB trigger denies UPDATE/DELETE on audit_log for all roles incl. service_role; auditors read via RLS (membership check, scoped query); a cron checks secret + lock and, if valid, runs the watermark-driven S3 Object-Lock + KMS export, otherwise no export runs. Legend: amber diamond = automatic check / guard, teal diamond = cron secret check, amber card = blocked / rollback.]

No mutation without a record — and no record that can be erased. writeAudit is fail-closed so the mutation rolls back if the audit write fails. DB triggers block UPDATE/DELETE for everyone. A cron-driven S3 Object-Lock export produces a tamper-evident archive.