flagctl
Concepts

Audit

Hash-chained, signed change sets for every apply.

Every change in flagctl — apply, set, override write, override revoke — becomes one entry in a per-project hash chain. Each entry includes the actor, the diff, and the SHA-256 of the previous entry.

Tamper-evident chain

Because each entry signs the previous, any rewrite of history changes every hash downstream. Auditors can verify integrity in O(n) without trusting flagctl: download the chain, recompute hashes, compare.

Per-project listing

flagctl audit ls --project acme/web --limit 50

Export to JSONL/CEF

flagctl audit export --format jsonl > audit.jsonl
flagctl audit export --format cef > audit.cef

JSONL for self-hosted SIEM ingestion. CEF for Splunk, ArcSight, and the legacy log management stack.