e
envx
Back to Home

Audit & Access Logs

Security and traceability are paramount when sharing environment credentials. envx-cli-tmr maintains a tamper-proof audit trail tracking all actions performed across your projects.

# Audit Logs Overview

Every time a developer pulls credentials, publishes edits, creates projects, or joins workspaces, the activity is securely recorded in the centralized log database. This allows admins and security teams to monitor credential flows in real-time, detect leakage or credential misuse, and verify team compliance effortlessly.

Why Traceability Matters

  • Tamper-Proof Records: Action logs are permanently recorded at the database layer and cannot be modified or deleted by general project members.
  • Accountability: Each entry is directly cryptographically bound to a user's verified GitHub account and OAuth identity.
  • Compliance Readiness: Meets enterprise compliance checklists requiring access history for production credentials.

# CLI Command (envx logs)

Retrieve recent access logs directly in your terminal using the envx logs command. You will be prompted with an interactive dropdown of your projects to select from:

$ envx logs
? Select a project to view audit logs:
❯ Backend API (project_abc123)
Frontend Web (project_xyz789)
📋 Retrieving audit trail logs...
[2026-06-01 12:41:02] @john PULL Backend API
[2026-06-01 14:15:30] @founder PUSH Backend API
[2026-06-01 16:02:11] @john LOGIN via GitHub
✔ Log retrieval completed (3 events found).

# Tracked Actions

The following core events are tracked with high precision and stored on the central coordination server:

Pull Events (PULL)

Logged whenever a developer runs `envx pull`. Records the project ID, user, timestamp, and local system environment signature. Helps detect anomalous credential pulling frequencies.

Push Events (PUSH)

Logged whenever project variables are modified or updated via `envx push`. Records which keys were changed, the publisher, and version indices for rolling updates.

# Security & Compliance

Audit logs are accessible to project admins and team founders, allowing them to review user logs. PULL events track variables access so that if a developer leaves or a device is compromised, you know exactly which project credentials have been read and might need to be rotated.

Compliance Note

For security reasons, actual secret values (decrypted credential payloads) are never logged or stored inside audit logs. We strictly track action signatures (who pulled/pushed, what keys were present) to preserve cryptographic isolation.

You are all set! Share envx-cli-tmr with your developers.