Skip to main content

crewship audit

Surface the workspace audit log from the terminal. Filters mirror the /api/v1/audit query params 1:1 — the same expressiveness as the admin UI’s filter chips. Names are kept identical to the UI fields so a user clicking through the dashboard can reproduce the same view from the CLI by reading the URL bar.
crewship audit [flags]
Requires an authenticated session (requireAuth) and a selected workspace (requireWorkspace). --action values are intentionally not enumerated in the help text. The audit table stores domain verbs (agent.run, workspace.create, credential.rotate, backup.export, …) that grow over time; listing a stale “create/update/delete” trio in the help would misdirect users. Pointing at the server-side enum is more honest.

Flags

FlagDefaultPurpose
--action <verb>""Domain verb (agent.run, workspace.create, credential.rotate, …).
--entity-type <kind>""Entity kind (AGENT, BACKUP, CREDENTIAL, CREW, USER, …).
--entity-id <id>""Narrow to a specific entity row (e.g. an agent ID).
--user <user-id>""Filter by the user ID who performed the action.
--since <when>""Start of date range. RFC3339 (2026-05-01T00:00:00Z) or duration sugar (1h, 24h, 7d).
--until <when>""End of date range. Same syntax as --since.
--search <text>""Free-text search across action, entity_type, and the user’s email/name.
--page <n>01-based page number for pagination. 0 means “no page param sent”.
--lines <n>50Entries per page. Server caps at 100.
The global --format flag (table / json / yaml / ndjson / quiet) is honoured by the underlying formatter.

Output

Default table columns:
TIMEACTIONENTITYENTITY_IDUSER
2026-05-19 14:02:11agent.runAGENTa_abc123def4petra@acme-engineering.com
2026-05-19 14:01:48credential.rotateCREDENTIALc_xyz789ghi0pavel@acme-engineering.com
Entity IDs are truncated to 12 characters in the table view; switch to --format json to see the full ID and additional fields.

Examples

Latest 50 entries

crewship audit

Find every agent run in the last day

crewship audit --action agent.run --since 24h --lines 100

Credential changes only

crewship audit --entity-type CREDENTIAL --since 7d

Who rotated which credential

crewship audit --search rotate --until 2026-05-01T00:00:00Z
--search matches across action, entity_type, and the user’s email/name, so this catches both credential.rotate events and any rotation-tagged automation.

Activity for one user

crewship audit --user u_abc123 --page 2 --lines 100

One specific entity’s full history

crewship audit --entity-type AGENT --entity-id a_xyz789ghi0 --since 30d

Pipe to jq

crewship audit --action workspace.create --format json | jq '.[].user_email'

Common errors

  • bad --since: … / bad --until: … — the value is neither RFC3339 nor a duration. Accept formats: 2026-05-01T00:00:00Z, 1h, 24h, 7d.
  • HTTP 403 Forbidden (surfaced as a generic CLI error) — audit reads are restricted to OWNER / ADMIN by default. Ask an owner to grant access or check your role with crewship whoami.

See also