Audit Action Reference

Complete categorized reference of all audited actions in Thallus. Each action's details field contains action-specific JSON metadata. The examples below show typical detail payloads.

Authentication (9 actions)

Action	When logged	Example details
`login`	User logs in successfully	`{"method": "password"}` or `{"method": "sso", "provider": "okta"}`
`logout`	User logs out	`{"method": "manual"}`
`login_failed`	Login attempt fails	`{"email": "user@example.com", "reason": "invalid_password"}`
`account_locked`	Too many failed login attempts	`{"email": "user@example.com", "failed_attempts": 5}`
`account_unlocked`	Admin unlocks a locked account	`{"target_user_id": "abc123"}`
`password_change`	User changes their own password	`{}`
`password_reset`	Admin resets a user's password	`{"target_user_id": "abc123"}`
`api_key_create`	User creates a new API key	`{"key_name": "CI pipeline", "prefix": "thal_G1x2"}`
`api_key_revoke`	User revokes an API key	`{"key_id": "abc123"}`

Queries & Conversations (3 actions)

Action	When logged	Example details
`query`	User sends a chat message	`{"mode": "research", "message_length": 142}`
`conversation_create`	New conversation started	`{"title": "Q3 analysis"}`
`conversation_delete`	Conversation deleted	`{"conversation_id": "abc123"}`

Agent & Tool Operations (3 actions)

Action	When logged	Example details
`tool_call`	An agent invokes a tool	`{"agent": "data_router", "tool": "query_database", "connection_id": "abc123"}`
`agent_execution`	An agent runs	`{"agent": "web_research", "plan_step": 2, "iterations": 3}`
`a2a_delegation`	Agent-to-agent delegation	`{"from_agent": "researcher", "to_agent": "data_analyzer"}`

Orchestrator Operations (7 actions)

Action	When logged	Example details
`llm_completion`	Direct LLM call (e.g., ask mode)	`{"model": "large", "tokens": 1250}`
`mode_detection`	Research mode auto-detected	`{"detected_mode": "research", "confidence": 0.92}`
`plan_created`	Execution plan generated	`{"steps": 4, "agents": ["web_research", "data_router"]}`
`plan_completed`	Plan finished	`{"steps_completed": 4, "total_steps": 4, "outcome": "success"}`
`replan_triggered`	Dynamic replanning decision	`{"reason": "incomplete_coverage", "new_steps": 2}`
`convergence_check`	Investigation convergence evaluated	`{"converged": false, "iteration": 3}`
`response_synthesis`	Final response synthesized	`{"citations": 5, "tokens": 2100}`

Data Access (4 actions)

Action	When logged	Example details
`data_query`	SQL/NoSQL query executed	`{"connection_id": "abc123", "query_type": "sql", "rows_returned": 42}`
`document_upload`	Document uploaded	`{"filename": "report.pdf", "size_bytes": 524288}`
`document_delete`	Document deleted	`{"document_id": "abc123", "filename": "report.pdf"}`
`document_search`	Document search performed	`{"query": "quarterly revenue", "results": 8}`

Integrations (5 actions)

Action	When logged	Example details
`email_read`	Email read via integration	`{"provider": "google", "count": 10}`
`email_send`	Email sent via integration	`{"provider": "google", "to": "user@example.com"}`
`calendar_read`	Calendar events read	`{"provider": "google", "count": 5}`
`calendar_write`	Calendar event created/updated	`{"provider": "google", "event_id": "abc123"}`
`contacts_read`	Contacts read	`{"provider": "google", "count": 25}`

Memory (2 actions)

Action	When logged	Example details
`memory_create`	Memory extracted and stored	`{"category": "PREFERENCES", "importance": 0.8}`
`memory_delete`	Memory deleted	`{"memory_id": "abc123"}`

Webhooks & Tasks (2 actions)

Action	When logged	Example details
`webhook_received`	Webhook event received	`{"source": "github", "event_type": "push"}`
`task_executed`	Background task executed	`{"task_type": "document_processing"}`

Provider Connections (2 actions)

Action	When logged	Example details
`provider_connect`	User connects an integration	`{"provider": "google", "auth_type": "oauth2"}`
`provider_disconnect`	User disconnects an integration	`{"provider": "google"}`

Admin Operations (5 actions)

Action	When logged	Example details
`user_create`	Admin creates a user	`{"target_email": "alice@acme.com", "role": "user"}`
`user_update`	Admin updates a user	`{"target_user_id": "abc123", "changes": {"role": "admin"}}`
`user_delete`	Admin deletes a user	`{"target_user_id": "abc123"}`
`account_deletion_requested`	User requests account deletion	`{"scheduled_for": "2026-03-08T00:00:00Z"}`
`account_deletion_cancelled`	User cancels deletion request	`{}`

Workflows (17 actions)

Action	When logged	Example details
`workflow_created`	Workflow created	`{"workflow_id": "abc123", "name": "Weekly report"}`
`workflow_updated`	Workflow modified	`{"workflow_id": "abc123", "version": 3}`
`workflow_deleted`	Workflow deleted	`{"workflow_id": "abc123"}`
`workflow_execution_started`	Workflow execution begins	`{"workflow_id": "abc123", "trigger": "scheduled"}`
`workflow_execution_completed`	Workflow execution finishes	`{"execution_id": "abc123", "nodes_executed": 5}`
`workflow_execution_failed`	Workflow execution fails	`{"execution_id": "abc123", "error": "timeout"}`
`workflow_node_execution`	Individual node executes	`{"node_type": "action", "node_id": "abc123"}`
`workflow_learning_event`	Workflow learning event recorded	`{"event_type": "performance", "workflow_id": "abc123"}`
`workflow_condition_locked`	Condition node locked	`{"node_id": "abc123", "reason": "evaluation_error"}`
`workflow_condition_unlocked`	Condition node unlocked	`{"node_id": "abc123"}`
`workflow_approval_requested`	Approval step triggered	`{"node_id": "abc123", "approvers": ["admin@acme.com"]}`
`workflow_approval_granted`	Approval granted	`{"node_id": "abc123", "approved_by": "admin@acme.com"}`
`workflow_approval_denied`	Approval denied	`{"node_id": "abc123", "denied_by": "admin@acme.com"}`
`workflow_approval_timeout`	Approval timed out	`{"node_id": "abc123", "timeout_hours": 24}`
`workflow_schema_drift`	Schema change detected	`{"connection_id": "abc123", "table": "orders"}`
`workflow_auto_healed`	Workflow auto-healed after drift	`{"workflow_id": "abc123", "changes": ["column_renamed"]}`
`workflow_tier_promotion`	Workflow promoted to higher tier	`{"workflow_id": "abc123", "from_tier": "draft", "to_tier": "active"}`

Data Connections (7 actions)

Action	When logged	Example details
`data_connection_created`	Database connection added	`{"connection_type": "postgresql", "name": "Production DB"}`
`data_connection_updated`	Connection settings changed	`{"connection_id": "abc123"}`
`data_connection_deleted`	Connection removed	`{"connection_id": "abc123"}`
`schema_introspection`	Schema discovery run	`{"connection_id": "abc123", "tables_found": 42}`
`column_pii_marked`	Column flagged as PII	`{"table": "employees", "column": "ssn", "pii_type": "SSN"}`
`column_pii_unmarked`	Column PII flag removed	`{"table": "employees", "column": "ssn"}`
`column_metadata_updated`	Column metadata changed	`{"table": "orders", "column": "status", "changes": {"description": "Order status"}}`

Agent Settings (5 actions)

Action	When logged	Example details
`platform_agent_settings_updated`	Platform-level agent settings changed	`{"agent": "data_router", "status": "deny"}`
`org_agent_settings_updated`	Org-level agent settings changed	`{"agent": "web_research", "org_id": "abc123", "status": "allow"}`
`group_agent_settings_updated`	Group-level agent settings changed	`{"agent": "data_analyzer", "group_id": "abc123", "status": "deny"}`
`user_agent_settings_updated`	User override set by admin	`{"agent": "web_research", "target_user_id": "abc123", "status": "allow"}`
`user_agent_override_updated`	User changes own tool preferences	`{"agent": "google", "tool": "google_send_email", "status": "deny"}`

Data RBAC (6 actions)

Action	When logged	Example details
`data_rbac_platform_updated`	Platform-level data access changed	`{"connection_id": "abc123", "table": "employees", "access": "deny"}`
`data_rbac_org_updated`	Org-level data access changed	`{"connection_id": "abc123", "org_id": "abc123", "access": "allow"}`
`data_rbac_group_updated`	Group-level data access changed	`{"connection_id": "abc123", "group_id": "abc123", "column": "salary", "access": "deny"}`
`data_rbac_user_override_updated`	User-level data access changed	`{"connection_id": "abc123", "target_user_id": "abc123", "access": "allow"}`
`data_access_denied`	Connection-level access denied at runtime	`{"connection_id": "abc123", "user_id": "abc123"}`
`data_table_access_denied`	Table/column access denied at runtime	`{"connection_id": "abc123", "table": "salaries", "user_id": "abc123"}`

Other (1 action)

Action	When logged	Example details
`other`	Uncategorized actions	Varies

Audit Logs — Querying, filtering, and exporting audit data
Agent Restrictions — Agent settings changes that generate audit events
Data RBAC Configuration — Data access changes that generate audit events
Workflow Monitoring — Workflow execution monitoring