Gateway
Audit history
Audit history
The Gateway keeps a bounded, metadata-only audit ledger in the shared OpenClaw state database. It answers operational questions such as "which agent ran, when, and how did it end", "which tool actions did a run execute", and, when message auditing is enabled, "did an accepted inbound message reach dispatch" and "did an outbound message reach a terminal delivery state".
The ledger stores identity, ordering, provenance, action, status, and normalized outcome codes. It never stores prompts, message bodies, tool arguments, tool results, attachments, filenames, URLs, command output, or raw error text.
Record families
Run and tool events are recorded whenever auditing is enabled (the default). Message lifecycle events are opt-in and disabled by default.
| Family | Actions | Default |
|---|---|---|
| Agent runs | agent.run.started, agent.run.finished |
on |
| Tool actions | tool.action.started, tool.action.finished |
on |
| Messages | message.inbound.processed, message.outbound.finished |
off |
Every record carries a stable event id, a monotonic ledger sequence, a
lifecycle timestamp, actor, action, status, schemaVersion: 1, and
redaction: "metadata_only". See Audit records for the full
field reference and query filters.
Message lifecycle events
Set audit.messages to choose what
is recorded, then restart the Gateway:
off(default): no message records.direct: only messages in direct conversations.all: direct, group, and channel messages.
Two authoritative boundaries produce message records:
- Inbound rows are written when an accepted message reaches core dispatch, including duplicate and terminal processing outcomes.
- Outbound rows are written when shared durable delivery reaches a
terminal outcome: sent, suppressed, failed, or an explicit
unknownfor crash-ambiguous sends. Queue recovery and dead-letter outcomes are included. Each original logical reply payload gets one terminal row; chunking and adapter fan-out aggregate intoresultCount.
Conversation-kind classification
direct mode is a privacy boundary, so a message is classified as a direct
conversation only when destination facts prove it: the sending path declared
the destination conversation kind, or the delivery session route names exactly
the channel and peer being delivered to. Weaker signals, such as policy state
or the originating conversation, can classify a message as group (excluding
it from direct collection) but can never claim direct. Messages that
cannot be proven direct are classified unknown and are not recorded in
direct mode. Channels that do not declare chat types may therefore record
fewer rows in direct mode than they do in all mode.
Privacy model
Message rows never store raw platform identifiers. Account, conversation,
message, and target identifiers, when correlation is available, are exported
only as installation-local keyed pseudonyms
(hmac-sha256:v1:<keyId>:<digest>):
- The HMAC key is generated on first use, is domain-separated per identifier kind, and lives in the same state database as the ledger.
- Pseudonyms are stable within one installation, so rows about the same conversation correlate without revealing the platform identifier.
- This is correlation, not anonymization: anyone with read access to the state database also has the key and can test candidate raw identifiers against the pseudonyms. RPC and CLI exports never include the key.
- If the key material is missing or corrupt while message rows are retained, the Gateway fails closed and drops new message records instead of silently rotating to a new key, which would split correlation.
Run and tool records retain sessionKey and sessionId for correlation;
canonical session keys can themselves contain platform account or peer ids.
Message records intentionally omit both.
Audit exports remain sensitive operational metadata even without content: timing, channels, outcomes, and stable pseudonyms can correlate activity. Protect exports with the same access controls and retention practices as other operator records.
Coverage and proof limits
The ledger is best-effort and deliberately bounded. Treat it as evidence of what was recorded, not as proof of what happened:
- Absence of a row proves nothing. Pre-admission inbound drops, sends from CLI processes without a running Gateway recorder, and plugin-local or direct-send paths that bypass shared durable delivery leave no record.
- Writes go through a bounded background worker; worker failure or queue saturation drops records and logs one operational warning.
- Crash-ambiguous outbound sends are recorded as
unknownrather than invented outcomes.
This ledger supports debugging and operational review. It is not a lossless compliance archive; if you need one, use an external system fed by OpenTelemetry or channel-level tooling.
Storage, retention, and migration
Records live in the shared state database (state/openclaw.sqlite) and are
written off the delivery hot path. Queries never return records older than 30
days, and the ledger is capped at 100,000 rows; expired rows are pruned during
startup, hourly maintenance, and later writes. Retention maintenance keeps
running even when collection is disabled.
Upgrading from a Gateway with the earlier run/tool-only ledger migrates the
schema automatically at startup (or via openclaw doctor --fix); existing
rows and their ledger sequences are preserved.
Querying
- CLI:
openclaw auditwith filters for agent, session, run, kind, status, direction, channel, time bounds, and cursor paging. - Gateway RPC:
audit.activity.list(requiresoperator.read) returns the versioned V1 activity event union; the shippedaudit.listRPC is unchanged for older run/tool clients. See Gateway protocol.