Admin
Audit log
Every view, write, delete, export, and DENY — append-only, indexed by actor and entity.
The audit log records every action that touches the data layer: VIEW, CREATE, UPDATE, DELETE, EXPORT, and DENY. It is append-only — rows are never updated or deleted.
Auditing is invoked from the RBAC dependency in core/deps.py, which is why coverage is automatic: if a route requires the deps, it's audited. DENY entries are written even when an access check fails — that's how unauthorized attempts get a permanent trace.
| Actor | Who performed the action (user id). |
| Action | VIEW / CREATE / UPDATE / DELETE / EXPORT / DENY. |
| Entity / id | What was touched. |
| Patient | Which patient profile the action was scoped to (if any). |
| Metadata | Free-form JSON for the route to add context. |
| When / from | Timestamp, plus IP and user-agent where available. |