Every decision Halite’s policy engine makes — allow or deny — is written to the audit log. This includes user logins, Salt command dispatches, key operations, settings changes, and any action that passes through a require_perm check. You can browse, paginate, and filter the log from the Audit page. For a conceptual explanation of what gets recorded and when, see Audit Log.
[Screenshot: table of audit entries with timestamp, user, action, resource, decision, and result code columns]

Audit entry fields

Each entry in the log has the following fields (from AuditEntry in audit/models.py):
| Field | Type | Description |
|---|---|---|
| id | integer | Auto-incrementing primary key |
| at | datetime | Timestamp of the event (timezone-aware) |
| user_id | UUID or null | The Halite user who triggered the action; null for unauthenticated requests |
| action | string | Dot-separated action name (e.g. salt.run, user.create, settings.salt.update) |
| resource | string | The resource path the action targeted (e.g. minion:*, user:alice) |
| args_json | object or null | The request arguments — passwords are redacted to "<redacted>" |
| salt_jid | string or null | The Salt JID if the action dispatched a Salt job |
| decision | string | "allow" or "deny" |
| result_code | integer | HTTP status code of the response |
| duration_ms | integer | Request processing time in milliseconds |

Browsing and filtering

The audit log endpoint is GET /api/audit. Results are sorted by at descending (newest first) and paginated.

Query parameters

| Parameter | Type | Default | Description |
|---|---|---|---|
| user_id | UUID | | Filter to entries created by a specific Halite user. |
| action | string | | Filter to entries with an exact action name (e.g. salt.run). |
| decision | string | | Filter to entries with a specific decision. Use allow or deny. |
| since | datetime (ISO 8601) | | Return entries at or after this timestamp (inclusive lower bound on at). |
| until | datetime (ISO 8601) | | Return entries strictly before this timestamp (exclusive upper bound on at). |
| limit | integer | 50 | Number of entries to return. Range: 1–500. |
| offset | integer | 0 | Number of entries to skip for pagination. |

Example: reviewing recent denied requests

GET /api/audit?decision=deny&limit=50
This returns the 50 most recent deny decisions — useful for spotting permission misconfigurations or unauthorized access attempts.

Example: auditing a specific user’s actions

GET /api/audit?user_id=3f4b2c1a-0000-0000-0000-000000000001&since=2025-01-01T00:00:00Z
Returns all audit entries for the given user since 1 January 2025.

Example: finding all Salt jobs dispatched in a time window

GET /api/audit?action=salt.run&since=2025-06-01T09:00:00Z&until=2025-06-01T17:00:00Z
Returns every salt.run action recorded during business hours on June 1st, with the salt_jid field identifying each dispatched job.
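
The following is an added example, not code from Halite: it walks the limit/offset pages of a deny query over a fixed time window and counts denials per user and action. `fake_fetch`, `iter_audit`, `deny_summary` and the sample entries are hypothetical; the example assumes a page arrives as a list of entry objects, and in real use `fake_fetch` would be replaced by a function that performs the authenticated GET /api/audit call.

```python
from collections import Counter
from datetime import datetime

MAX_LIMIT = 500  # documented upper bound for `limit`

# Constructed sample entries (subset of the documented fields; user IDs are placeholders).
SAMPLE = [
    {"id": 1, "at": "2025-06-01T09:00:00+00:00", "user_id": "user-a", "action": "salt.run", "decision": "deny"},
    {"id": 2, "at": "2025-06-01T10:00:00+00:00", "user_id": "user-a", "action": "salt.run", "decision": "deny"},
    {"id": 3, "at": "2025-06-01T11:00:00+00:00", "user_id": "user-b", "action": "user.create", "decision": "deny"},
    {"id": 4, "at": "2025-06-01T12:00:00+00:00", "user_id": "user-a", "action": "salt.run", "decision": "allow"},
    {"id": 5, "at": "2025-06-01T13:00:00+00:00", "user_id": None, "action": "salt.run", "decision": "deny"},
    {"id": 6, "at": "2025-06-01T17:00:00+00:00", "user_id": "user-b", "action": "user.create", "decision": "deny"},
]

def fake_fetch(params, entries=SAMPLE):
    """Offline stand-in for GET /api/audit that applies the documented filter semantics."""
    ts = datetime.fromisoformat
    since, until, dec = ts(params["since"]), ts(params["until"]), params.get("decision")
    rows = [e for e in entries
            if since <= ts(e["at"]) < until      # inclusive since, exclusive until
            and dec in (None, e["decision"])]    # no decision filter means match all
    rows.sort(key=lambda e: ts(e["at"]), reverse=True)  # newest first
    return rows[params["offset"]:params["offset"] + params["limit"]]

def iter_audit(fetch, limit=MAX_LIMIT, **filters):
    """Yield every matching entry by walking limit/offset pages until a short page."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be in 1..500")
    offset = 0
    while True:
        page = fetch({**filters, "limit": limit, "offset": offset})
        yield from page
        if len(page) < limit:
            return
        offset += limit

def deny_summary(fetch, since, until, limit=MAX_LIMIT):
    """Count deny decisions per (user_id, action) in the half-open window [since, until)."""
    # A fixed `until` in the past keeps offset paging stable: entries logged while
    # paging fall outside the window and cannot shift later pages.
    counts = Counter()
    for entry in iter_audit(fetch, limit, decision="deny", since=since, until=until):
        counts[(entry["user_id"], entry["action"])] += 1
    return counts.most_common()

if __name__ == "__main__":
    print(deny_summary(fake_fetch, "2025-06-01T09:00:00+00:00", "2025-06-01T17:00:00+00:00", limit=2))
```

Entries with a null user_id are grouped under `None`, which keeps denied unauthenticated requests visible in the summary.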

Permissions

| Route | Required permission |
|---|---|
| GET /api/audit | view:audit:* |

The built-in viewer role does not include view:audit:*. Access to the audit log is restricted to the admin role (and any custom role you explicitly grant view:audit:*). This is intentional — the audit log contains user IDs and request arguments that may be sensitive.