Telemetry and Decision History
How Verdict stores governance decision history locally, what is collected, what is never collected, and how to opt out.
Verdict stores governance decision history locally on your machine by default. This powers features like verdict audit and feeds future Governance Intelligence in Compass.
This page documents exactly what is stored, what is never stored, and how to opt out.
The Short Version
What is stored Decision outcomes, risk scores,
condition pass/fail patterns,
override and approval events.
What is never Plan contents, resource names,
stored cost amounts, org identifiers,
policy file contents.
Where it lives ~/.obsidianwall/decisions.db
Local SQLite. Nothing is
transmitted off your machine
in this version of Verdict.
How to opt out export OW_HISTORY_ENABLED=false
Why This Exists
The local decision store powers three things today and one thing in the future.
Today:
verdict audit — the governance risk summary command reads from this store to show you decision history, condition failure patterns, policy effectiveness trends, and override rates across your evaluations.
verdict sentinel — post-deployment verification reads the stored policy path from a previous evaluation to re-verify the same policy against current infrastructure state, without requiring you to re-specify the policy file.
Replay — the replay engine re-executes stored evaluations for audit verification and regression testing.
In the future:
Compass will consume this local store to produce Governance Intelligence — correlating decisions with outcomes, surfacing policy drift, translating governance patterns into financial exposure. The richer the local history, the more useful Compass becomes when it ships.
What Is Collected
The following fields are written to ~/.obsidianwall/decisions.db on each verdict evaluate invocation when telemetry is enabled (the default):
Decision data
decision_id UUID of the governance decision
timestamp ISO 8601 timestamp
decision ALLOW / DENY / etc.
conditions_passed Whether all conditions passed
override_required Whether an override was required
override_possible Whether an override was available
requires_approval Whether approval was required
Policy identity
policy_name Name from policy metadata
policy_path File path to the policy YAML
(stored for Sentinel runtime use)
policy_content_hash SHA-256 of policy file contents
(first 16 hex chars — portable
across machines, not path-specific)
policy_family Governance intent classification
(cost_governance, security_compliance,
infrastructure_security,
identity_governance,
operational_governance, ai_governance,
or custom)
Risk data
overall_risk_score 0–100 composite risk score
effective_severity informational → critical
governance_severity governance-layer risk severity
total_findings Count of analyzer findings
analyzer_scores Per-domain risk scores (JSON)
Evaluation detail
failed_conditions Condition IDs that failed (JSON)
passed_conditions Condition IDs that passed (JSON)
plan_hash SHA-256 of the plan file PATH
(not its contents — 16 hex chars)
Workflow events (separate tables)
Override events Role, timestamp, approved/denied
Approval events Role, timestamp, approved/denied, notes
Outcome events Populated by Sentinel post-deployment
What Is Never Collected
Terraform plan contents
CloudFormation template contents
Resource names or identifiers
Cost amounts or budget values
Policy file contents
Organization names or identifiers
IP addresses or user identifiers
Environment variables or secrets
The plan is represented by a hash of its file path, not its contents. The policy is represented by a hash of its file contents — which is portable across machines — not the path itself.
:::note[A note on policy_path] The policy file path is stored as-is (not hashed) because Sentinel needs it to re-evaluate current infrastructure against the same policy without requiring you to re-specify it. If your file system paths contain folder names that reveal project or organization information, that information exists in your local decision history.
This data does not leave your machine in any current version of Verdict. :::
How to Opt Out
Set the following environment variable before running any verdict command:
export OW_HISTORY_ENABLED=false
Or add it to your .env file in your project root:
OW_HISTORY_ENABLED=false
To verify telemetry is disabled, run any verdict command — if the first-run notice is still displayed, check that the variable is set correctly in your shell.
The legacy environment variable OW_TELEMETRY_ENABLED=false also works for backward compatibility.
Where Data Lives
Database ~/.obsidianwall/decisions.db
Format SQLite (WAL mode)
Access Local only — no network connections
Retention Indefinite until you delete the file
To delete all local decision history:
rm ~/.obsidianwall/decisions.db
This clears all data from verdict audit. The database will be recreated on the next evaluation.
The First-Run Notice
The first time you run any verdict command, you will see a disclosure notice:
Verdict collects anonymous local usage data by default
(decision counts, risk scores, condition pass/fail —
never plan contents, costs, resource names, or org info).
Status: enabled
Stored locally at ~/.obsidianwall/decisions.db
Nothing is transmitted off this machine in this version.
Disable anytime: export OW_HISTORY_ENABLED=false
Learn more: https://obsidianwall.dev/concepts/telemetry
This notice appears once per machine. A marker file at ~/.obsidianwall/notice_shown prevents it from showing again.
Telemetry Layers
The decision store implements six telemetry layers:
| Layer | Table | What it records |
|---|---|---|
| 1 — Decision | decisions |
Governance decision outcome per evaluation |
| 2 — Evaluation | decisions |
Condition pass/fail detail, risk scores |
| 3 — Workflow | overrides, approvals |
Override and approval events |
| 4 — Outcome | outcomes |
Post-deployment outcomes (Sentinel) |
| 5 — Drift | outcomes |
Infrastructure drift events (Sentinel) |
| 6 — Effectiveness | policy_effectiveness |
Running totals per policy (derived) |
Looking Ahead
The current telemetry stores data locally only. Nothing leaves your machine.
A future release — Compass — is planned to offer optional, explicitly opt-in hosted storage for teams who want centralized governance intelligence across an organization. That will be a separate consent flow requiring explicit action. It will not be enabled by the current opt-out default and will not be applied retroactively to existing local installations.