Audit log for signing policy changes

[Parsh]

As a Bitcoin Keeper user with a server key, I want a history of all changes made to my signing policy, so that I can detect unauthorized or unexpected modifications and understand the full lifecycle of my security configuration.

---

Background

Problem

If my signing policy is modified (even with a valid 2FA token), I have no way to:

• Know that a change happened
• See what the policy looked like before the change
• Know when the change was made
• Distinguish between a change I initiated vs. one from a delayed policy update being applied

This is a meaningful security gap. Policy changes are high-impact events, they directly affect how much can be spent, how quickly, and who can authorize it.

Requested behavior

When any of the following events occur, a record should be created:

• Signing policy updated (immediate or delayed apply)
• Secondary verification option added
• Secondary verification option removed

This log should be retrievable so I can review it.

[antuz123]

Feature Title

Wallet Security History for Server Key Policy Changes

Context

GitHub issue #6963 requests an audit log for Server Key signing policy changes. Users with a Server Key currently have no clear way to review when signing policy changes happened, what changed, or whether a delayed policy update was applied. This creates a security visibility gap because these policies affect spending limits, signing delay, and secondary verification. 

The log should be shown from:

Wallet Settings → Security History

This is wallet-level because the signing policy applies to that wallet’s Server Key behavior.

Goal

Add a wallet-level Security History screen that shows audit log entries for Server Key signing policy changes.

The user should be able to see:

• when a policy-related change happened
• what kind of change happened
• old policy values
• new policy values
• whether the change was immediate or delayed
• whether secondary verification was added or removed

Non-Goals

• Do not create a global app-wide audit log.
• Do not place this only inside Server Key settings.
• Do not change the Server Key signing policy flow itself unless required to emit audit events.
• Do not expose internal names like POLICY_SERVER.
• Do not imply Keeper can spend with the Server Key alone.

User Flow

User opens an eligible wallet.

They go to:

Wallet Settings → Security History

If history exists, the screen shows a timeline of security events.

If no history exists, the screen shows an empty state.

Tapping an event opens event details with before/after policy values.

Screens / States

Screen: Wallet Settings Entry

Screen type
Wallet settings list item

Title
Security History

Body copy
Review changes to this wallet’s security settings.

Button labels
None

Warnings / info text
None

Error text
None

Success text
None

Behaviours

• Show this row only for wallets where security history is supported.
• If the wallet has no Server Key, still allow entry if other wallet security events may later use this screen.
• For this issue, populate only Server Key signing policy events.
• Tap opens Security History.

Navigation transitions
Wallet Settings → Security History

⸻

Screen: Security History

Screen type
Full screen timeline/history screen

Title
Security History

Body copy
Review important security changes for this wallet.

Button labels
None

Warnings / info text
Info box at top:

Server Key is only one key in your wallet. Keeper cannot spend your bitcoin with this key alone.

Error text
Couldn’t load security history. Try again.

Success text
None

Behaviours

• Use existing Keeper timeline/history pattern.
• Events should be sorted newest first.
• Each event row should show:
  • event title
  • date and time
  • short summary
  • status if relevant
• Tapping an event opens Security Event Details.
• Pull to refresh if supported by existing history screens.
• Do not show raw backend/internal event names.

Navigation transitions
Security History → Security Event Details
Back → Wallet Settings

⸻

State: Empty Security History

Screen type
Empty state inside Security History

Title
No security changes yet

Body copy
Security changes for this wallet will appear here.

Button labels
None

Warnings / info text
Keep the Server Key clarification info box visible above the empty state.

Error text
None

Success text
None

Behaviours

• Show when API returns no events.
• Do not treat empty history as an error.

Navigation transitions
Back → Wallet Settings

⸻

Screen: Security Event Details

Screen type
Full screen detail view

Title
Security Change

Body copy
Show event-specific details using labels, not long paragraphs.

Button labels
None

Warnings / info text
For Server Key events:

Server Key is only one key in your wallet. Keeper cannot spend your bitcoin with this key alone.

Error text
Couldn’t load this security change. Try again.

Success text
None

Behaviours
Display fields where available:

• Change type
• Date and time
• Status
• Applied immediately / Applied after delay
• Old policy
• New policy
• Secondary verification status
• Initiated by user / Applied automatically, if backend provides this distinction

Use plain labels:

• Previous policy
• New policy
• Applied
• Secondary verification
• Status

Navigation transitions
Back → Security History

⸻

Event Types

Event: Signing Policy Updated

Timeline title
Signing policy updated

Timeline summary
Server Key signing policy was changed.

Detail title
Signing policy updated

Required fields

• date/time
• previous policy
• new policy
• immediate or delayed
• status

⸻

Event: Delayed Policy Update Applied

Timeline title
Delayed policy applied

Timeline summary
A scheduled Server Key policy change was applied.

Detail title
Delayed policy applied

Required fields

• date/time
• previous policy
• new policy
• original request time, if available
• applied time
• status

⸻

Event: Secondary Verification Added

Timeline title
Secondary verification added

Timeline summary
An extra verification step was added for Server Key signing.

Detail title
Secondary verification added

Required fields

• date/time
• verification method, if safe to show
• status

⸻

Event: Secondary Verification Removed

Timeline title
Secondary verification removed

Timeline summary
An extra verification step was removed from Server Key signing.

Detail title
Secondary verification removed

Required fields

• date/time
• verification method, if safe to show
• status

Copy Requirements

Use:

• Server Key
• Security History
• signing policy
• secondary verification
• wallet

Do not use:

• Policy Server
• vault
• custodial key
• Keeper-controlled key
• crypto

Required clarification wherever Server Key history is shown:

Server Key is only one key in your wallet. Keeper cannot spend your bitcoin with this key alone.

Design Requirements

• Reuse existing Wallet Settings list row pattern.
• Reuse existing timeline/history pattern.
• Reuse existing full-screen detail layout.
• Use existing warning/info box styling.
• Do not introduce a new audit log visual pattern.
• Timeline entries must remain readable on small screens.
• Long policy values should wrap, not truncate.
• Security-critical text must not be truncated.

Existing Components

Use existing components for:

• Wallet Settings row
• timeline/history list
• info box
• empty state
• full-screen detail view
• loading state
• error state

Existing Assets

No new assets required.

Implementation Notes

• Backend/API must store and return audit records for Server Key signing policy changes.
• Each record should include:
  • wallet identifier
  • event type
  • created timestamp
  • applied timestamp, if different
  • old policy snapshot
  • new policy snapshot
  • delayed/immediate flag
  • event status
  • secondary verification change, if relevant
• Events must be scoped to the selected wallet.
• App must not show raw internal identifiers to the user.
• Internal code may continue using POLICY_SERVER, but user-facing copy must say Server Key.
• If old policy data is unavailable for legacy events, show:
  • Previous policy: Not available
• Do not block the main wallet flow if history loading fails.

Acceptance Criteria

• Wallet Settings includes a Security History row.
• Security History opens from Wallet Settings.
• Server Key signing policy updates create retrievable history records.
• Delayed policy application creates a separate retrievable history record.
• Adding secondary verification creates a retrievable history record.
• Removing secondary verification creates a retrievable history record.
• History is shown newest first.
• Event details show old and new policy values where available.
• Empty state appears when no history exists.
• Loading failure shows a retryable error.
• User-facing copy says Server Key, not Policy Server.
• User-facing copy says wallet, not vault.
• Server Key clarification copy is shown on Security History and event details.
• Keeper does not imply it can spend with Server Key alone.

Open Questions

• Should Security History later include other wallet-level security events, such as key changes, wallet scheme changes, or archived wallet creation? For this issue, scope is Server Key signing policy changes only.