feat: credential audit log — append-only record of secret usage per member
Apra Fleet is an open-source MCP server
Brought to you by:
apralabs
Menu
▾
▴
#159 feat: credential audit log — append-only record of secret usage per member
open
nobody
None
2026-04-23
2026-04-20
Anonymous
No
Originally created by: kumaakh
Summary
When {{secure.NAME}} is resolved today, there is no record of which member used which credential and when. An append-only audit log (no values, names only) would support post-incident review and compliance.
Proposed design
Every time a credential is resolved (any tool — execute_command, register_member, provision_vcs_auth, etc.), append a log entry to ~/.apra-fleet/credential-audit.log:
```
2026-04-20T05:12:34Z RESOLVED member=fleet-dev credential=github_pat tool=execute_command
2026-04-20T05:13:01Z RESOLVED member=fleet-dev credential=github_pat tool=execute_command
2026-04-20T05:14:22Z SET member=PM credential=deploy_key scope=fleet-dev
2026-04-20T05:14:55Z DELETED member=PM credential=session_tok
2026-04-20T05:15:10Z REJECTED member=fleet-rev credential=github_pat reason=scope_violation
```
Events to log
| Event | When |
|---|---|
SET |
credential_store_set called |
DELETED |
credential_store_delete called |
RESOLVED |
{{secure.NAME}} token resolved in any tool |
REJECTED |
Resolution attempted but denied (scope, expiry, not found) |
EXPIRED |
Credential purged by TTL sweep |
Security properties
- Log contains names only — no values, no ciphertext
- Append-only — no delete API; entries survive credential deletion
- File permissions:
0o600(owner read/write only) - Log rotation: cap at configurable size (default 10MB), rotate to
.1suffix
Notes
- No New tool needed
- Pairs with credential scoping (scope violations become auditable events)
🤖 Generated with Claude Code
Originally posted by: kumaakh
Technical direction: