AI makes mistakes! Undisk makes recovery instant: every write is versioned, every file is reversible.
See it heal →

Audit Trail

Every operation produces an immutable version record with content hashes for integrity verification: 
{
  "id": "ver_a1b2c3",
  "path": "regulatory/q2-report.md",
  "versionNum": 3,
  "contentHash": "sha256:e3b0c44298fc1c...",
  "size": 4096,
  "operation": "write",
  "agentId": "key:78bd0ae5:kyc-agent",
  "principalId": "user_abc123",
  "createdAt": "2026-04-06T10:00:00.000Z"
}

Agent labeling

By default, agentId is derived from the API key (key:{keyId}). To distinguish multiple agents sharing the same key, there are two mechanisms: Automatic — Undisk captures the clientInfo.name from the MCP initialize handshake. If your client sends clientInfo: { name: "cursor" }, the agentId automatically becomes key:{keyId}:cursor — zero configuration needed. All major MCP clients (Claude Desktop, Cursor, Copilot, Windsurf) send this. Explicit — Send an X-Agent-Name header with each request to set a custom label: 
X-Agent-Name: kyc-agent
Priority: X-Agent-Name header > clientInfo.name > bare key:{keyId} The agentId becomes key:{keyId}:{name} — giving each agent a unique, human-readable identity in version history and activity context. Names must be 1–64 characters, alphanumeric with hyphens, underscores, and dots. For full EU AI Act Article 12 compliance, we recommend one API key per agent or consistent agent labeling so the audit trail can attribute each operation to a specific AI system. Export audit logs as NDJSON via the dashboard. Integrity hashes allow offline verification that no entries were modified after creation. Audit export is available on all plans; extended retention and compliance features are available on Pro+ plans.

Audit Export API

Export and verify audit logs programmatically for SIEM integration (Splunk, Datadog, etc.): 
GET /api/workspaces/:id/audit/export?format=ndjson&start=2026-01-01T00:00:00Z&end=2026-04-01T00:00:00Z&agentId=key:78bd:kyc-agent
Query parameters:
  • formatjson (default) or ndjson (recommended for streaming/SIEM)
  • start / end — ISO 8601 time range filter
  • agentId — filter by agent identity
  • operationType — filter by operation (e.g. writeFile, deleteFile)
  • filePath — filter by file path
Chain verification — cryptographically verify no audit entries were tampered with: 
GET /api/workspaces/:id/audit/verify?fromSeq=1&toSeq=100
Returns { "valid": true, "checked": 100 } or { "valid": false, "brokenAt": 42 }.

Workspace Templates

Use workspace_checkpoint to scaffold a workspace with a pre-defined template in a single tool call. Templates create directory structures, resolver documents, and operational files — then skip any files that already exist, making them safe to run on non-empty workspaces.

Available Templates

TemplateDescription
brainPersonal knowledge base with MECE directory structure — people/, companies/, deals/, meetings/, projects/, ideas/, concepts/, writing/, sources/, inbox/. Includes RESOLVER.md, schema.md, and per-directory README resolvers. Inspired by GBrain.

Usage

// List available templates
workspace_checkpoint({ action: "list_templates" })

// Preview files without creating them
workspace_checkpoint({ action: "preview_template", template: "brain" })

// Apply the template
workspace_checkpoint({ action: "apply_template", template: "brain" })

Unfold In An Existing Workspace

Templates are intentionally idempotent and safe for non-empty workspaces. 
// Existing workspace already contains your project files
workspace_checkpoint({ action: "create", name: "pre-brain-unfold" })

// First unfold: creates missing template files
workspace_checkpoint({ action: "apply_template", template: "brain" })
// -> "Created 13 files"

// Re-run unfold later (after you've edited files)
workspace_checkpoint({ action: "apply_template", template: "brain" })
// -> "Skipped 13 (already exist)"
This means you can add the Brain structure to an active workspace without overwriting your existing files.

Brain Template Operational Rules

After applying the brain template, follow these conventions:
  1. Read RESOLVER.md before creating any new page — it is the master filing decision tree
  2. Use append_log for timeline entries below the line — never rewrite timeline history
  3. Use search_files before creating pages — never duplicate entities
  4. Use workspace_checkpoint before bulk imports or enrichment passes
  5. Store API keys in vault_secret, not in brain files
  6. Follow compiled truth + timeline pattern: synthesis above the line, evidence below
Templates are advertised via discover_tools_and_capabilities in the workspace_templates field.

Multi-Agent Coordination

The workspace_collaborate tool provides shared primitives for concurrent agents: file locks, handoff notes, and active-agent discovery.

File locks

workspace_collaborate({ action: "claim_lock", path: "src/config.ts", ttl_seconds: 600 })
workspace_collaborate({ action: "release_lock", path: "src/config.ts" })
workspace_collaborate({ action: "list_locks" })

Handoff notes

workspace_collaborate({ action: "handoff_note", message: "Data enrichment complete — ready for QA" })
workspace_collaborate({ action: "handoff_note", message: "Review needed", to_agent: "key:abc123:reviewer" })
workspace_collaborate({ action: "list_notes" })

Active agents

workspace_collaborate({ action: "list_agents" })
Use-case walkthrough: /use-cases/multi-agent-ops.
Programmatic audit export endpoint details: /reference/audit-export-api.