# Audit ## What this is Audit is the place to verify run history and understand what happened after a Protege executed in Hookshot™. Audit includes fleet-wide runs, Protege-specific history, run detail timelines, tool usage, logs, feedback, and analytics. ## When to use it Use Audit when: * Event Feed shows `ran` * You need to review outcomes * You need to explain or share what the Protege did * You want to teach a Protege by providing feedback on a run ## What you need first * A Protege that has already been triggered ## Views ### Fleet runs The main Audit view shows recent runs across all Proteges. Use it when you are comparing runs or reviewing overall workspace activity. Summary metrics at the top show: * **Runs in view**: Total filtered runs * **Orchestration OK**: Percentage of runs that finished without executor error * **Failed outcomes**: Count of business-reported failures * **Reviewed**: Count of runs marked as reviewed Filter by Protege, search across run details, or narrow the time range. ### Protege-specific audit From the Protege aggregate view, you can inspect one Protege's history including: * **Summary metrics**: Total runs, success rate, action rate, average duration, credits consumed * **Outcomes**: Status breakdown (success vs failure) * **Decision mix**: How often the Protege decided to run vs not run * **Top triggers**: Most common event sources * **Tool usage**: Per-tool call counts, failure rates, and read/write classification * **Recent runs**: Last 12 runs with trigger, duration, and output summary ### Should-I-Run Review The decisions view shows every dispatch evaluation as a first-class audit record, grouped by trigger event. For each event, you can see which Proteges evaluated it, whether they decided to run or not, the confidence level, and the reason for the decision. Use this view when: * A Protege is being skipped and you want to understand why * You want to review whether the dispatch confidence is appropriate * You need to trace a decision back to its trigger event ### Analytics The analytics view shows aggregated trends: * **Run outcomes**: Status distribution (success, failure, dead letter) with percentages * **Decision summary**: Run vs did-not-run counts over time * **Tool usage across runs**: Which tools are used most, classified as read or write, with failure correlation ## Steps ### 1. Find the relevant run Start from the Protege or from Event Feed and open the run you want to inspect. Use the fleet view when you are comparing runs across Proteges. Use Protege audit when you are focused on one automation. ### 2. Review the outcome Look for: * Whether the run completed as expected * Whether the output matches the intended workflow * Whether the run result is clear enough for another teammate to review * Whether the run performed an external action or only read information * Which tools were used and whether logs explain the result ### 3. Inspect a single run Open a run to see five tabs: | Tab | What it shows | | ------------ | ------------------------------------------------------------------------ | | **Overview** | Decision assessment, operator review, pending writes, tool usage summary | | **Events** | Unified timeline with filters: all, actions, reads, issues, background | | **IO** | Input event payload and run output as JSON | | **Session** | Combined log stream or full session export | | **Teach** | Operator feedback form | ### 4. Teach your Protege The **Teach** tab lets you provide feedback on a run: * **Should this Protege have run?**: Yes, No, or Unclear * **Guidance**: Free-text instructions that help the Protege make better decisions in the future Teaching notes are stored permanently on the run and contribute to the Protege's ongoing behavior calibration. ### 5. Use Audit as your proof point Audit is the best place to answer: * What happened? * Which Protege ran? * What was the result? * What action did it take? * Was the action a read or a write? {% hint style="info" %} If you see the expected run in Audit, it means Hookshot™ moved beyond event intake and executed a workflow you can inspect. {% endhint %} ## Tool classification Every tool call in Audit is classified as **Read** or **Write**: * **Read** operations access or retrieve information without changing external state * **Write** operations create, update, or delete information in external systems Classification is sourced from the integration catalog when available. Use this classification to quickly assess whether a Protege only read context or also made changes. ## How to verify ### You're done when... * You can locate the run * You can describe the run outcome in one sentence * The outcome matches the event you saw in Event Feed * The action label and tool usage match what the Protege actually did * You have provided teaching notes for any run where the behavior was unexpected ## Common failures * Searching Audit before confirming the event exists in Event Feed * Reviewing the wrong run after testing several events * Seeing a run but not checking whether it was scoped correctly * Treating a `No Action` run as a failure when the Protege intentionally read context without writing to another system * Skipping the Teach tab when the Protege made an incorrect decision ## Next step * [Event Feed](/event-feed.md) * [Troubleshooting](/event-feed/troubleshooting.md) * [Work Hub](/event-feed/work-hub.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://gitbook.tryprotege.com/event-feed/audit.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.