Audit
Hash-chained, signed change sets for every apply.
Every change in flagctl — apply, set, override write, override revoke — becomes one entry in a per-project hash chain. Each entry includes the actor, the diff, and the SHA-256 of the previous entry.
Tamper-evident chain
Because each entry signs the previous, any rewrite of history changes every hash downstream. Auditors can verify integrity in O(n) without trusting flagctl: download the chain, recompute hashes, compare.
Per-project listing
flagctl audit ls --project acme/web --limit 50
Export to JSONL/CEF
flagctl audit export --format jsonl > audit.jsonl flagctl audit export --format cef > audit.cef
JSONL for self-hosted SIEM ingestion. CEF for Splunk, ArcSight, and the legacy log management stack.