# Audit

Every LLM call an agent makes and every network destination it reaches is recorded. `dvx audit` is how you review that history - for incident response, compliance, or just understanding what an agent has been doing.

## LLM activity

```bash
dvx audit llm
dvx audit llm <id>          # full detail for one request
```

Each entry is a single LLM request/response. Narrow the view with filters:

```bash
dvx audit llm --agent my-agent --since 1h
dvx audit llm --model claude-sonnet-4-6 --status 200 --limit 50
dvx audit llm --since 2026-06-01T00:00:00Z --until 2026-06-02T00:00:00Z
```

- `--agent` - by agent name or ID
- `--model` - by model
- `--status` - by HTTP status code
- `--since` / `--until` - RFC3339 timestamps (or a duration like `1h` for `--since`)
- `--limit` - cap the number of entries

## Network activity

```bash
dvx audit network --agent my-agent
dvx audit network --outcome blocked
dvx audit network --hostname api.github.com
dvx audit network --has-findings        # only entries where content inspection flagged something
```

- `--agent` - by agent name or ID
- `--outcome` - e.g. `allowed`, `blocked`
- `--hostname` - by destination host
- `--has-findings` - only requests where inspection raised a finding

Add `--json` to either command to pipe results into other tools. Audit entries are retained as the durable record of agent behavior - approvals decisions (see [Approvals](/cli-approvals/)) and policy actions show up here too.