Credential audit log viewer (stretch) #361

New Issue

jason.woltje · 2026-02-07T17:12:44Z

jason.woltje commented

2026-02-07 17:12:44 +00:00

Phase 5c - Credential Audit Log Viewer (Stretch)

Problem

Credential access is audit-logged via ActivityService, but there is no UI to view these logs. Users and admins should be able to see who accessed what credentials and when.

Requirements

Add credential audit log viewer in the settings UI
Filter by: credential name, provider, action type, date range
Show: timestamp, action (created/accessed/rotated/revoked), user, credential name
Admin view: see all credential access across workspace
User view: see access to own credentials only

Implementation Notes

Reuse existing ActivityLog model and ActivityModule
Filter by entityType = CREDENTIAL and relevant ActivityActions
API endpoint: GET /api/credentials/audit with query params for filtering
Follow existing activity log UI patterns if any exist
This is a stretch goal - implement if time permits

Files

apps/api/src/credentials/credentials.controller.ts (modify - add audit endpoint)
apps/api/src/credentials/credentials.service.ts (modify - add audit query method)
apps/web/src/app/(authenticated)/settings/credentials/audit/page.tsx (new)
apps/web/src/components/credentials/credential-audit-log.tsx (new)

Acceptance Criteria

Audit log page shows credential access history
Filterable by credential, action, date range
Respects RLS - users see only their own credential access
Admin sees workspace-wide credential access
Pagination for large audit logs

Dependencies

Depends on: Credential CRUD API with audit logging (Phase 3b)
Depends on: Frontend credential management (Phase 4)

Refs #346

## Phase 5c - Credential Audit Log Viewer (Stretch) ### Problem Credential access is audit-logged via ActivityService, but there is no UI to view these logs. Users and admins should be able to see who accessed what credentials and when. ### Requirements 1. Add credential audit log viewer in the settings UI 2. Filter by: credential name, provider, action type, date range 3. Show: timestamp, action (created/accessed/rotated/revoked), user, credential name 4. Admin view: see all credential access across workspace 5. User view: see access to own credentials only ### Implementation Notes - Reuse existing ActivityLog model and ActivityModule - Filter by entityType = CREDENTIAL and relevant ActivityActions - API endpoint: GET /api/credentials/audit with query params for filtering - Follow existing activity log UI patterns if any exist - This is a stretch goal - implement if time permits ### Files - apps/api/src/credentials/credentials.controller.ts (modify - add audit endpoint) - apps/api/src/credentials/credentials.service.ts (modify - add audit query method) - apps/web/src/app/(authenticated)/settings/credentials/audit/page.tsx (new) - apps/web/src/components/credentials/credential-audit-log.tsx (new) ### Acceptance Criteria - [ ] Audit log page shows credential access history - [ ] Filterable by credential, action, date range - [ ] Respects RLS - users see only their own credential access - [ ] Admin sees workspace-wide credential access - [ ] Pagination for large audit logs ### Dependencies - Depends on: Credential CRUD API with audit logging (Phase 3b) - Depends on: Frontend credential management (Phase 4) Refs #346

jason.woltje added this to the M9-CredentialSecurity (0.0.9) milestone 2026-02-07 17:12:44 +00:00

jason.woltje added the p3 security web labels 2026-02-07 17:12:44 +00:00

jason.woltje referenced this issue

2026-02-07 17:13:29 +00:00

Security: Vault-based credential storage for agents and CI #346

jason.woltje closed this issue

2026-02-07 23:23:38 +00:00

jason.woltje referenced this issue from a commit

2026-02-12 22:06:04 +00:00

chore(orchestrator): Complete pipeline #361 follow-up fixes (4/4 tasks)

Sign in to join this conversation.

Branches Tags

main

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#361