Observability & audit

Concept

Greenlight separates two things that often get conflated. The audit log is the record of every action that affected what an app can do — who took it, when, against what, and why. Runtime observability is the live picture of how apps and integrations are performing: logs, metrics, errors, latency. Both are surfaced in the IT dashboard; the underlying stores are different so they scale independently.

What’s audited

Every action that affects an app’s permissions, code, configuration, or state writes an audit event. The set of audited categories is fixed and visible in the dashboard.

Category	Examples
Platform actions	App registered, integration granted, policy added or changed, role assigned
Agent actions	Pull request opened, Knowledge proposal submitted, proxy call made, policy bundle read
IT actions	Policy check overridden, app killed or restored, integration credential rotated, user role changed

Reading data through the data broker is also audited at the per-call level, with the bound user attached.

Audit event shape

Every event has the same shape, regardless of category:

{
  "id": "evt_01HQX5MWGRTYBJ7C7C7C7C7C7C",
  "at": "2026-03-12T14:08:11.412Z",
  "actor_user_id": "usr_jane_doe",
  "actor_kind": "human",
  "actor_session": "sess_abc123",
  "type": "knowledge.proposal_accepted",
  "target": { "kind": "knowledge_entry", "id": "kn_pf2", "scope": "app", "app_id": "app_k9x2m3p" },
  "diff": { "version": [3, 4], "title_changed": false, "body_chars_added": 412 },
  "reason": null
}

actor_kind distinguishes human from agent. Agent events still attribute to a user — the user the agent session is bound to — but the actor_session plus actor_kind makes it clear when a human or an agent on the human’s behalf is the proximate cause.

Runtime logs and metrics

Each app’s stdout and stderr are captured per pod and surfaced live in the dashboard. Logs are scoped per app per environment. Default retention is configurable per org.

Per-app metrics covered out of the box: request rate, p50/p95/p99 latency, error rate, container CPU and memory, integration call rate per upstream, AI inference call rate per model alias. These feed the app detail page in the dashboard and the org-level health view.

There is no separate APM agent to install. Greenlight collects from the platform’s natural seams (the ingress controller, the data broker, the AI gateway, the Kubernetes runtime) and stitches everything together by app id.

Exports and integrations

The audit log can be exported as CSV or JSON for any time range. A SIEM webhook integration — push audit events to Splunk, Datadog, or any HTTPS endpoint — is on the near-term roadmap. Customers can also tap the runtime logs through their own log aggregator using the cluster’s native log shipping (Azure Monitor, Cloud Logging, CloudWatch).

Note

The audit log is append-only in the current release. The retention horizon is the org’s policy choice; old events are not archived to a tape backup, they remain in the live store. Tamper-evident chaining is a planned hardening step.

Next

Audit & evidence The retention, export, and review story for security reviewers.

Governance & policy The actions that emit the most important audit events.

Audit & monitoring The IT-admin workflow inside the dashboard.