Telemetry and Decision History

How Verdict stores governance decision history locally, what is collected, what is never collected, and how to opt out.

Verdict stores governance decision history locally on your machine by default. This powers features like verdict audit and feeds future Governance Intelligence in Compass.

This page documents exactly what is stored, what is never stored, and how to opt out.


The Short Version

What is stored     Decision outcomes, risk scores,
                   condition pass/fail patterns,
                   override and approval events.

What is never      Plan contents, resource names,
stored             cost amounts, org identifiers,
                   policy file contents.

Where it lives     ~/.obsidianwall/decisions.db
                   Local SQLite. Nothing is
                   transmitted off your machine
                   in this version of Verdict.

How to opt out     export OW_HISTORY_ENABLED=false

Why This Exists

The local decision store powers three things today and one thing in the future.

Today:

verdict audit — the governance risk summary command reads from this store to show you decision history, condition failure patterns, policy effectiveness trends, and override rates across your evaluations.

verdict sentinel — post-deployment verification reads the stored policy path from a previous evaluation to re-verify the same policy against current infrastructure state, without requiring you to re-specify the policy file.

Replay — the replay engine re-executes stored evaluations for audit verification and regression testing.

In the future:

Compass will consume this local store to produce Governance Intelligence — correlating decisions with outcomes, surfacing policy drift, translating governance patterns into financial exposure. The richer the local history, the more useful Compass becomes when it ships.


What Is Collected

The following fields are written to ~/.obsidianwall/decisions.db on each verdict evaluate invocation when telemetry is enabled (the default):

Decision data
  decision_id           UUID of the governance decision
  timestamp             ISO 8601 timestamp
  decision              ALLOW / DENY / etc.
  conditions_passed     Whether all conditions passed
  override_required     Whether an override was required
  override_possible     Whether an override was available
  requires_approval     Whether approval was required

Policy identity
  policy_name           Name from policy metadata
  policy_path           File path to the policy YAML
                        (stored for Sentinel runtime use)
  policy_content_hash   SHA-256 of policy file contents
                        (first 16 hex chars — portable
                        across machines, not path-specific)
  policy_family         Governance intent classification
                        (cost_governance, security_compliance,
                        infrastructure_security,
                        identity_governance,
                        operational_governance, ai_governance,
                        or custom)

Risk data
  overall_risk_score    0–100 composite risk score
  effective_severity    informational → critical
  governance_severity   governance-layer risk severity
  total_findings        Count of analyzer findings
  analyzer_scores       Per-domain risk scores (JSON)

Evaluation detail
  failed_conditions     Condition IDs that failed (JSON)
  passed_conditions     Condition IDs that passed (JSON)
  plan_hash             SHA-256 of the plan file PATH
                        (not its contents — 16 hex chars)

Workflow events (separate tables)
  Override events       Role, timestamp, approved/denied
  Approval events       Role, timestamp, approved/denied, notes
  Outcome events        Populated by Sentinel post-deployment

What Is Never Collected

Terraform plan contents
CloudFormation template contents
Resource names or identifiers
Cost amounts or budget values
Policy file contents
Organization names or identifiers
IP addresses or user identifiers
Environment variables or secrets

The plan is represented by a hash of its file path, not its contents. The policy is represented by a hash of its file contents — which is portable across machines — not the path itself.

:::note[A note on policy_path] The policy file path is stored as-is (not hashed) because Sentinel needs it to re-evaluate current infrastructure against the same policy without requiring you to re-specify it. If your file system paths contain folder names that reveal project or organization information, that information exists in your local decision history.

This data does not leave your machine in any current version of Verdict. :::


How to Opt Out

Set the following environment variable before running any verdict command:

export OW_HISTORY_ENABLED=false

Or add it to your .env file in your project root:

OW_HISTORY_ENABLED=false

To verify telemetry is disabled, run any verdict command — if the first-run notice is still displayed, check that the variable is set correctly in your shell.

The legacy environment variable OW_TELEMETRY_ENABLED=false also works for backward compatibility.


Where Data Lives

Database    ~/.obsidianwall/decisions.db
Format      SQLite (WAL mode)
Access      Local only — no network connections
Retention   Indefinite until you delete the file

To delete all local decision history:

rm ~/.obsidianwall/decisions.db

This clears all data from verdict audit. The database will be recreated on the next evaluation.


The First-Run Notice

The first time you run any verdict command, you will see a disclosure notice:

Verdict collects anonymous local usage data by default
(decision counts, risk scores, condition pass/fail —
never plan contents, costs, resource names, or org info).

Status: enabled
Stored locally at ~/.obsidianwall/decisions.db
Nothing is transmitted off this machine in this version.

Disable anytime:  export OW_HISTORY_ENABLED=false
Learn more:        https://obsidianwall.dev/concepts/telemetry

This notice appears once per machine. A marker file at ~/.obsidianwall/notice_shown prevents it from showing again.


Telemetry Layers

The decision store implements six telemetry layers:

Layer Table What it records
1 — Decision decisions Governance decision outcome per evaluation
2 — Evaluation decisions Condition pass/fail detail, risk scores
3 — Workflow overrides, approvals Override and approval events
4 — Outcome outcomes Post-deployment outcomes (Sentinel)
5 — Drift outcomes Infrastructure drift events (Sentinel)
6 — Effectiveness policy_effectiveness Running totals per policy (derived)

Looking Ahead

The current telemetry stores data locally only. Nothing leaves your machine.

A future release — Compass — is planned to offer optional, explicitly opt-in hosted storage for teams who want centralized governance intelligence across an organization. That will be a separate consent flow requiring explicit action. It will not be enabled by the current opt-out default and will not be applied retroactively to existing local installations.


Privacy Policy → · Vocabulary → · Platform Architecture →