Query the audit log

Every Domain owns a tamper-evident hash chain of audit entries. plexctl audit wraps /v1/domains/{domainId}/audit/*.

Prerequisites

  • An authenticated session — see Log in with plexctl.
  • The Domain UUID, and the auditor relation for plaintext fields.

Steps

Page the chain

shell
plexctl audit entries list --domain <domain-uuid> --all
# SEQ  OCCURRED_AT  REASON   RELATION  OBJECT_TYPE  OBJECT_ID  CORRELATION_ID
# 1    …            granted  admin     domain       …          …
# 2    …            granted  auditor   project      …          …

Entries are returned in seq order. Use --limit/--cursor for bounded pages.

Fetch one entry with its proof

shell
plexctl audit entries get --domain <domain-uuid> --seq 42
# SEQ  ENTRY_HASH  PREV_HASH  CANONICAL_BYTES_LEN
# 42   sha256:…    sha256:…   312

--seq is the per-Domain monotonic sequence (>= 1).

Verify the hash chain

shell
plexctl audit verify --domain <domain-uuid>
# VALID  SEGMENT_FROM  SEGMENT_TO  DIVERGENT_SEQ  EXPECTED_HASH  OBSERVED_HASH
# true   1             1284        -              -              -

verify recomputes sha256(prev_hash ‖ sha256(canonical_bytes)) over the whole chain. It exits 0 on a clean chain and 1 on tampering, so a CI script can branch without parsing stdout. Bound the segment with --from-seq/--to-seq.
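
The chain formula above, worked through in Python over constructed entries, as an added example (not plexctl's code or output). The 32-zero-byte genesis value, the raw-digest concatenation, the dict field layout and the `pinned_head` parameter are assumptions made for illustration; the page does not specify them.

```python
import hashlib

GENESIS = bytes(32)  # assumption: seq 1 chains from 32 zero bytes


def link(prev_hash: bytes, canonical_bytes: bytes) -> bytes:
    """sha256(prev_hash || sha256(canonical_bytes)) over raw digests (assumed encoding)."""
    return hashlib.sha256(prev_hash + hashlib.sha256(canonical_bytes).digest()).digest()


def build_chain(payloads):
    """Construct sample entries: dicts with seq, canonical_bytes, prev_hash, entry_hash."""
    chain, prev = [], GENESIS
    for seq, payload in enumerate(payloads, start=1):
        entry_hash = link(prev, payload)
        chain.append({"seq": seq, "canonical_bytes": payload,
                      "prev_hash": prev, "entry_hash": entry_hash})
        prev = entry_hash
    return chain


def verify(chain, pinned_head=None):
    """Walk the chain; return (valid, divergent_seq, expected_hash, observed_hash)."""
    prev, want_seq = GENESIS, 1
    for e in chain:
        expected = link(prev, e["canonical_bytes"])
        # A gap in seq, a wrong back-pointer or a wrong hash all break the chain here.
        if e["seq"] != want_seq or e["prev_hash"] != prev or e["entry_hash"] != expected:
            return (False, e["seq"], expected.hex(), e["entry_hash"].hex())
        prev, want_seq = expected, want_seq + 1
    # A final entry whose hash was recomputed is self-consistent; only a head
    # hash stored outside the log (hypothetical pinned_head) can expose it.
    if pinned_head is not None and prev != pinned_head:
        return (False, want_seq - 1, pinned_head.hex(), prev.hex())
    return (True, None, None, None)


# Constructed sample payloads, not real plexctl output.
SAMPLE = [b'{"reason":"granted","relation":"admin"}',
          b'{"reason":"granted","relation":"auditor"}',
          b'{"reason":"granted","relation":"viewer"}']

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    chain[1]["canonical_bytes"] = b'{"reason":"granted","relation":"owner"}'
    print(verify(chain))  # divergence reported at seq 2
```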

Verification

shell
plexctl audit verify --domain <domain-uuid>; echo "exit=$?"
# exit=0  → chain intact

See also