Tracking Who Accessed What and When in Mercurial
The commit history told a story, but it wasn’t enough. You needed proof—who accessed the repository, what they touched, and when it happened.
Mercurial offers version control with precision, but default logs focus on code changes, not every access event. Tracking “who accessed what and when” requires combining its built‑in commands with server‑side access logs, hooks, and auditing tools. Done right, you gain a full timeline of repository activity, including reads, pulls, pushes, and clone operations.
Start with hg log to view commit authors and timestamps. This gives you the “what and when” for changes, but not all repository actions. To capture read access, enable HTTP(S) or SSH server logging. For HTTP, your web server access logs record every request. For SSH, authorized_keys forced commands can log hg operations per user.
Hooks add deeper insight. A pretxnchangegroup hook triggers when changesets are pushed, letting you write to a custom audit file with the username, source IP, date, and affected branches. The preoutgoing hook can record data when someone pulls. Combine these logs and you have an authoritative record—exactly who accessed what and when.
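The hook-based audit file described above could be written by a small external hook script. This is an added example, not code from the original post or from Mercurial. The script name, the log path and the hgrc wiring are hypothetical, and the HG_URL layout (remote:ssh:<ip>, remote:http(s):<ip>:<user>) and the REMOTE_USER, REMOTE_ADDR and SSH_CONNECTION variables are assumptions to verify on your own server setup.

```python
# Hypothetical server hgrc wiring (script and log paths are placeholders):
#   [hooks]
#   pretxnchangegroup.audit = python3 /path/to/hg_audit.py pretxnchangegroup /path/to/audit.jsonl
#   preoutgoing.audit = python3 /path/to/hg_audit.py preoutgoing /path/to/audit.jsonl
import json
import os
import sys
from datetime import datetime, timezone
from urllib.parse import unquote

def parse_client(url):
    """Split HG_URL: remote:ssh:<ip> or remote:http(s):<ip>:<user> (assumed format)."""
    if not url.startswith("remote:"):
        return None, None
    proto, _, rest = url[len("remote:"):].partition(":")
    if proto == "ssh":  # no user field; an IPv6 address keeps its colons
        return rest or None, None
    ip, _, user = rest.rpartition(":")
    return unquote(ip) or None, unquote(user) or None

def build_record(hook, env, now=None):
    """Build the audit record from the hook name and the hook's environment."""
    ip, user = parse_client(env.get("HG_URL", ""))
    ssh = env.get("SSH_CONNECTION", "").split()
    return {
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "hook": hook,
        "source": env.get("HG_SOURCE"),  # "serve" means a remote SSH/HTTP client
        # Assumption: the web server or sshd exports these variables to the hook.
        "user": user or env.get("REMOTE_USER") or env.get("USER"),
        "ip": ip or env.get("REMOTE_ADDR") or (ssh[0] if ssh else None),
        "first_node": env.get("HG_NODE"),  # not set for preoutgoing
        "last_node": env.get("HG_NODE_LAST"),
    }

def main(argv, env):
    if len(argv) != 3:
        print("usage: hg_audit.py <hook-name> <audit-log>", file=sys.stderr)
        return 2
    try:
        with open(argv[2], "a", encoding="utf-8") as fh:
            fh.write(json.dumps(build_record(argv[1], env), sort_keys=True) + "\n")
    except OSError as exc:
        print(f"audit write failed, refusing operation: {exc}", file=sys.stderr)
        return 1  # non-zero aborts the push or pull, so nothing goes unlogged
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```

Affected branches are not recorded here; they can be resolved afterwards from the first_node to last_node range with hg log. Keep the audit file writable only by the account that runs the hook, outside the repository's working directory.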
For teams enforcing strict compliance or investigating anomalies, integrate Mercurial’s logs with external audit pipelines. Centralizing this data means quicker incident response and easier reporting. Avoid gaps—log both read and write events, store them securely, and automate review.
The payoff is confidence. Every access event documented. Every change accounted for.
Want to see a full “who accessed what and when” audit trail without patchwork scripts? Try hoop.dev. Import your Mercurial project and watch real‑time access tracking go live in minutes.