Audit log
Every action in Furx writes a row to ~/.furx/furx.db — a SQLite file with WAL journaling. The events table is append-only: SQLite triggers block UPDATE and DELETE at the DDL layer.
Why append-only
Two reasons:
- Forensic integrity. If Furx crashes mid-write, the SQLite WAL gives you crash-recovery semantics — no torn writes.
- Compliance. SOC2 + ISO 27001 controls require immutable audit trails. The triggers make Furx's log compliance-ready out of the box.
Schema
    CREATE TABLE events (
      id INTEGER PRIMARY KEY AUTOINCREMENT,
      ts TEXT NOT NULL,           -- ISO-8601 UTC
      kind TEXT NOT NULL,         -- 'pty', 'council', 'keychain', 'mcp', 'crash', ...
      pane_id TEXT,               -- the pane where it happened
      project TEXT,               -- detected project (git repo root)
      actor TEXT,                 -- 'user', 'claude', 'codex', 'gemini', 'aider', 'system'
      payload TEXT NOT NULL,      -- JSON, schema varies per kind
      payload_sha TEXT NOT NULL   -- SHA256 of payload (tamper detection)
    );

    CREATE TRIGGER block_update BEFORE UPDATE ON events
    BEGIN
      SELECT RAISE(ABORT, 'events.append-only');
    END;

    CREATE TRIGGER block_delete BEFORE DELETE ON events
    BEGIN
      SELECT RAISE(ABORT, 'events.append-only');
    END;
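An added example (not Furx's own code) of checking the two integrity properties in the schema above: that both append-only triggers are still defined, and that every payload_sha matches its payload. It assumes payload_sha is the lowercase hex SHA-256 of the UTF-8 payload; the helper names, payload fields and sample rows are constructed for illustration.

```python
import hashlib
import sqlite3
# Schema and triggers as given on this page (column comments omitted).
SCHEMA = """
CREATE TABLE events (
  id INTEGER PRIMARY KEY AUTOINCREMENT, ts TEXT NOT NULL, kind TEXT NOT NULL,
  pane_id TEXT, project TEXT, actor TEXT,
  payload TEXT NOT NULL, payload_sha TEXT NOT NULL);
CREATE TRIGGER block_update BEFORE UPDATE ON events
BEGIN SELECT RAISE(ABORT, 'events.append-only'); END;
CREATE TRIGGER block_delete BEFORE DELETE ON events
BEGIN SELECT RAISE(ABORT, 'events.append-only'); END;
"""

def sha(payload):
    # Assumption: lowercase hex SHA-256 over the UTF-8 bytes of the payload.
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def append(db, kind, actor, payload, digest=None):
    db.execute(
        "INSERT INTO events (ts, kind, actor, payload, payload_sha) "
        "VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'), ?, ?, ?, ?)",
        (kind, actor, payload, digest or sha(payload)))

def verify_log(db):
    """Return (names of missing triggers, ids of rows whose hash mismatches)."""
    present = {name for (name,) in db.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'trigger' AND tbl_name = 'events'")}
    missing = sorted({"block_update", "block_delete"} - present)
    bad = [rid for rid, payload, digest in db.execute(
        "SELECT id, payload, payload_sha FROM events ORDER BY id")
        if sha(payload) != digest.lower()]
    return missing, bad

def sample_db():
    # Constructed rows; row 3 is stored with a digest that does not match.
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    append(db, "pty", "user", '{"cmd": "ls"}')
    append(db, "keychain", "system", '{"op": "read", "alias": "example"}')
    append(db, "pty", "user", '{"cmd": "make"}', digest="0" * 64)
    return db

def update_blocked(db):
    try:
        db.execute("UPDATE events SET actor = 'system' WHERE id = 1")
    except sqlite3.DatabaseError as exc:  # RAISE(ABORT) surfaces here
        return "events.append-only" in str(exc)
    return False
```

Because payload_sha is an unkeyed hash stored in the same row as the payload, a match shows the row is internally consistent; it does not by itself show that the row is the one originally written.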
What gets logged
- Pane open / close.
- Command executed in PTY.
- Council Mode dispatches (provider, model, latency, token-counts, cost-estimate).
- Keychain reads / writes / deletes (alias only, never secret).
- MCP server connections + tool calls.
- Crashes (PII-scrubbed).
- Auto-update events.
What is NOT logged
- Provider secret keys (only aliases).
- Prompt / response body of Council dispatch (only token-counts + hash). Opt-in "deep audit" logs prompts but stays local.
- Clipboard contents.
- Filesystem reads (only command-line invocations).
Retention
Local: forever by default. Configurable in Settings → Audit → Retention. Recommended: 90 days for Free, indefinite for Pro+ (you have the disk).
Cloud sync (Pro+): 30 days. Compliance Pack: 3 years escrowed encrypted backup.
Export
- JSON (one event per line):
    furx audit export --format json > audit.jsonl
- CSV:
    furx audit export --format csv > audit.csv
- .furxreplay bundle (audit + FS snapshot, share with team): Settings → Audit → Export bundle.
Replay scrubber (Pro+)
The desktop app and the dashboard both render a timeline scrubber over your audit. Slide through to replay any session — see which prompts ran, which voices won, which commands executed.
Cloud sync (opt-in, Pro+)
When opted in, Furx pushes event metadata (timestamps, types, model names — never prompt/response bodies) to app.furx.cloud over TLS 1.3. Server-side, it's stored encrypted in PostgreSQL with per-tenant row-level encryption.
To opt out: Settings → Account → Cloud sync → OFF. The local log is unaffected.
Deleting your audit log
The triggers prevent row-level delete, but you can drop the whole file:
    rm ~/.furx/furx.db ~/.furx/furx.db-wal ~/.furx/furx.db-shm
    # Furx recreates on next launch with empty schema
For cloud-synced data: Settings → Account → Delete sync data (irreversible).
Next
- Keychain reference.
- Privacy policy for the legal version of all this.
- Security policy for the threat model.