omnigraph/docs/user/operations/audit.md

# Audit & Actor Tracking

Every write in OmniGraph records **who made it**. The actor id is persisted on the
graph commit, so the commit history is an audit trail of which actor changed the
graph and when.

## Where the actor comes from

The actor is resolved differently depending on the front end, but it always lands
on the commit:

- **HTTP server** — the actor is resolved **server-side from the bearer token**. A
  client cannot set its own actor id; it is derived from the authenticated token.
  See [policy](policy.md) for how tokens map to actors.
- **CLI / embedded** — the actor is self-declared through one resolution chain:

  1. `--as <actor>` on the command,
  2. then `operator.actor` in `~/.omnigraph/config.yaml` (see the
     [CLI reference](../cli/reference.md)),
  3. otherwise none.

This difference is intentional: storage credentials imply a self-declared actor,
while a server resolves the actor from a token it trusts.

## Reading the audit trail

Actor ids are stored on each commit in the [commit graph](../branching/index.md).
List commits to see who made each change:

```bash
omnigraph commit list graph.omni
```

System-initiated writes use reserved actor ids — for example, automatic recovery
of an interrupted write records `omnigraph:recovery`, so operator changes and
machine repairs are distinguishable in the history:

```bash
omnigraph commit list --filter actor=omnigraph:recovery graph.omni
```

## What is tracked

Every successful publish — load, change, branch merge, and schema apply — appends a
commit carrying the resolving actor. Because publishes are atomic, the actor on a
commit is exactly the actor responsible for that whole change.
docs(user): split language/branching pages + add front-door pages (Phase 2) (#225) Content build-out on top of the Phase 1 topic move. No behavior changes. Splits (existing content relocated, cross-linked): - queries/index.md → mutations/index.md (insert/update/delete + the inserts-vs-deletes rule) and search/index.md (the multi-modal search functions + a hybrid-ranking overview tying nearest/bm25/rrf together). queries/index.md now covers the read shape and points at both. - branching/index.md → branching/time-travel.md (snapshots/time travel) and branching/merge.md (three-way merge + the 7 conflict kinds, verified against error.rs MergeConflictKind). New pages (written from the code, user-facing): - quickstart.md — init → load → query → branch, with verified CLI flags. - concepts/index.md — what OmniGraph is + the L1/L2 (Lance/OmniGraph) framing. Expanded operations/audit.md from a 7-line struct dump into a real actor-tracking page (server token-resolved vs CLI --as chain; reading the trail; the omnigraph:recovery reserved actor). Index wiring: docs/user/index.md and AGENTS.md's topic table link every new page; also normalized AGENTS.md's docs/user link display text to match the Phase 1 retargeted paths. Verified: zero broken .md links; check-agents-md.sh green (57 links, 54 docs). Deferred to Phase 3: de-dev polish (grammar paths, IR internals still in queries/branching), guides/, and a possible reference/config.md split (the config schema is already coherent in cli/reference.md). Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-14 13:53:46 +03:00			`# Audit & Actor Tracking`
Refactor AGENTS.md from encyclopedia to map; move spec into docs/ Splits the 990-line AGENTS.md into a 184-line map (architecture, where-to-find index, always-on invariants, capability matrix, maintenance contract) plus 18 new docs/*.md files holding the deep content per topic (storage, schema and query languages, indexes, embeddings, branches/commits, runs, merge, changes, execution, policy, server, CLI reference, audit, errors, CI, constants, v0.3.1 notes). Adds scripts/check-agents-md.sh and a check_agents_md CI job that verifies every docs/ link in AGENTS.md resolves and every doc in the canonical set is linked. CLAUDE.md remains a symlink to AGENTS.md. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-28 23:31:08 +02:00
docs(user): split language/branching pages + add front-door pages (Phase 2) (#225) Content build-out on top of the Phase 1 topic move. No behavior changes. Splits (existing content relocated, cross-linked): - queries/index.md → mutations/index.md (insert/update/delete + the inserts-vs-deletes rule) and search/index.md (the multi-modal search functions + a hybrid-ranking overview tying nearest/bm25/rrf together). queries/index.md now covers the read shape and points at both. - branching/index.md → branching/time-travel.md (snapshots/time travel) and branching/merge.md (three-way merge + the 7 conflict kinds, verified against error.rs MergeConflictKind). New pages (written from the code, user-facing): - quickstart.md — init → load → query → branch, with verified CLI flags. - concepts/index.md — what OmniGraph is + the L1/L2 (Lance/OmniGraph) framing. Expanded operations/audit.md from a 7-line struct dump into a real actor-tracking page (server token-resolved vs CLI --as chain; reading the trail; the omnigraph:recovery reserved actor). Index wiring: docs/user/index.md and AGENTS.md's topic table link every new page; also normalized AGENTS.md's docs/user link display text to match the Phase 1 retargeted paths. Verified: zero broken .md links; check-agents-md.sh green (57 links, 54 docs). Deferred to Phase 3: de-dev polish (grammar paths, IR internals still in queries/branching), guides/, and a possible reference/config.md split (the config schema is already coherent in cli/reference.md). Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-14 13:53:46 +03:00			`Every write in OmniGraph records who made it. The actor id is persisted on the`
			`graph commit, so the commit history is an audit trail of which actor changed the`
			`graph and when.`

			`## Where the actor comes from`

			`The actor is resolved differently depending on the front end, but it always lands`
			`on the commit:`

			`- HTTP server — the actor is resolved server-side from the bearer token. A`
			`client cannot set its own actor id; it is derived from the authenticated token.`
			`See [policy](policy.md) for how tokens map to actors.`
			`- CLI / embedded — the actor is self-declared through one resolution chain:`

			1. `--as <actor>` on the command,
			2. then `operator.actor` in `~/.omnigraph/config.yaml` (see the
			`[CLI reference](../cli/reference.md)),`
			`3. otherwise none.`

			`This difference is intentional: storage credentials imply a self-declared actor,`
			`while a server resolves the actor from a token it trusts.`

			`## Reading the audit trail`

			`Actor ids are stored on each commit in the [commit graph](../branching/index.md).`
			`List commits to see who made each change:`

			```bash
			`omnigraph commit list graph.omni`
			```

			`System-initiated writes use reserved actor ids — for example, automatic recovery`
			of an interrupted write records `omnigraph:recovery`, so operator changes and
			`machine repairs are distinguishable in the history:`

			```bash
			`omnigraph commit list --filter actor=omnigraph:recovery graph.omni`
			```

			`## What is tracked`

			`Every successful publish — load, change, branch merge, and schema apply — appends a`
			`commit carrying the resolving actor. Because publishes are atomic, the actor on a`
			`commit is exactly the actor responsible for that whole change.`