> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ironrun.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# ironrun audit — Verify the Tamper-Evident Execution Log

> ironrun audit verify checks the hash-chained audit log for tampering. The log records every sealed execution — command and secret names, never values.

Every sealed command execution appends a tamper-evident record to the audit log at `$XDG_STATE_HOME/ironrun/audit.log`. Records are hash-chained — each entry includes the hash of the previous one — so any deletion, insertion, or modification of a record breaks the chain and is detectable.

## What is logged

Each record contains:

* **Command ID** — the `id:` field from your policy
* **argv** — the literal argument list that was executed
* **Secret entry names** — the alias or key names of secrets that were injected
* **Timestamp** — when the command ran
* **Exit code** — what the child process returned

## What is never logged

* Secret values
* Plaintext credentials of any kind
* Command output

## Usage

```bash theme={null}
ironrun audit verify
```

`audit verify` walks every record in the log, recomputes each hash, and confirms it matches the stored chain link.

<CodeGroup>
  ```bash Intact log theme={null}
  $ ironrun audit verify
  audit log intact: /home/you/.local/state/ironrun/audit.log
  ```

  ```bash Tampered log theme={null}
  $ ironrun audit verify
  TAMPER DETECTED at line 47 in /home/you/.local/state/ironrun/audit.log
  # exits with code 1
  ```
</CodeGroup>

## Flags

### `audit verify`

<ParamField query="--log" type="string" default="resolved from env/policy">
  Path to the audit log to verify. By default, the path is resolved in order from `IRONRUN_AUDIT_LOG`, then the `audit_log:` field in `ironrun.yml`, then the platform default.
</ParamField>

## Configuration

You can redirect or disable the audit log in two ways:

**In `ironrun.yml`:**

```yaml theme={null}
audit_log: /path/to/custom/audit.log   # write to a custom path
# or
audit_log: "off"                       # disable entirely
```

**Via environment variable:**

```bash theme={null}
IRONRUN_AUDIT_LOG=/path/to/audit.log   # write to a custom path
IRONRUN_AUDIT_LOG=off                  # disable entirely
```

The environment variable takes precedence over the policy field.

## Default location

The default audit log location is:

```
$XDG_STATE_HOME/ironrun/audit.log
```

On most Linux systems this resolves to `~/.local/state/ironrun/audit.log`. On macOS, `$XDG_STATE_HOME` defaults to `~/.local/state` as well unless you have overridden it.

<Note>
  If the audit log cannot be opened at startup — for example, because the directory doesn't exist or permissions prevent writing — ironrun prints a warning to stderr and continues normally. Sealed command execution is never blocked by an audit log failure.
</Note>
