Summary
The phase_history field on a project only records phase transitions (from → to). All other state-changing operations — parameter updates, deliverable state changes, goal text edits — leave no trace. There is no general-purpose audit log for project mutations, making it impossible to answer "who changed what and when."
Steps to reproduce
projects_update(parameters_json={...}) — change validation_steps from 100 to 200. Succeeds. No history entry.
projects_update(goal="new goal text") — change the project goal. Succeeds. No history entry.
deliverables_set_state(state="draft") — un-ratify a previously ratified deliverable. Succeeds. No history entry.
projects_get(project) — inspect phase_history. Still only the original phase entry.
Actual result after multiple mutations
"phase_history": [
{
"from": "",
"to": "env-setup",
"at": "2026-06-05T03:07:17Z",
"by_actor": "system"
}
]
No record of:
- Who changed
parameters_json (and from what → to what)
- Who changed the project
goal
- Who un-ratified the
env-setup-report deliverable
- When any of these happened
Expected behavior
At minimum, the following operations should produce audit records:
projects_update — any field mutation
deliverables_set_state — any state transition
deliverables_add_component / deliverables_remove_component
criteria_set_state — met/failed transitions (currently recorded inline on the criterion, which is good)
The audit record should include: actor, timestamp, operation, old value, new value.
Impact
Proposed fix
- Extend
phase_history into a general audit_log or add a separate project_events stream
- Log:
projects_update, deliverables_set_state, deliverables_add_component, deliverables_remove_component
- Each entry:
{actor, timestamp, operation, target, old_value?, new_value?}
- Expose via
audit_read or a new project_audit_log endpoint
Affected project
- Project:
test-code-migration (id: 01KTAVZNCZGH1D9TJXAMWA636X)
- Verified by: changing
parameters_json, goal, and deliverable states — none recorded
Summary
The
phase_historyfield on a project only records phase transitions (from→to). All other state-changing operations — parameter updates, deliverable state changes, goal text edits — leave no trace. There is no general-purpose audit log for project mutations, making it impossible to answer "who changed what and when."Steps to reproduce
projects_update(parameters_json={...})— changevalidation_stepsfrom 100 to 200. Succeeds. No history entry.projects_update(goal="new goal text")— change the project goal. Succeeds. No history entry.deliverables_set_state(state="draft")— un-ratify a previously ratified deliverable. Succeeds. No history entry.projects_get(project)— inspectphase_history. Still only the original phase entry.Actual result after multiple mutations
No record of:
parameters_json(and from what → to what)goalenv-setup-reportdeliverableExpected behavior
At minimum, the following operations should produce audit records:
projects_update— any field mutationdeliverables_set_state— any state transitiondeliverables_add_component/deliverables_remove_componentcriteria_set_state— met/failed transitions (currently recorded inline on the criterion, which is good)The audit record should include: actor, timestamp, operation, old value, new value.
Impact
phase_historyfield that implies auditing exists, but it's misleadingly narrowProposed fix
phase_historyinto a generalaudit_logor add a separateproject_eventsstreamprojects_update,deliverables_set_state,deliverables_add_component,deliverables_remove_component{actor, timestamp, operation, target, old_value?, new_value?}audit_reador a newproject_audit_logendpointAffected project
test-code-migration(id:01KTAVZNCZGH1D9TJXAMWA636X)parameters_json,goal, and deliverable states — none recorded