Activity log

LIVE

The activity log is L7 from the operator’s seat. Every payment, every policy evaluation, every key mutation, every KYA promotion lands in oris_audit_log with a hash chain link plus an hourly Merkle root anchored on chain.

What gets logged

Event class	Examples
Transactions	payment.completed, payment.blocked, payment.escalated, payment.refunded
Policy evaluations	policy.evaluated, policy.denied, policy.escalated
Key mutations	key.registered, key.rotated, key.deleted
Agent state	kya.promoted, kya.demoted, agent.suspended, agent.reactivated
Compliance	sanctions.matched, revocation.added, sar.flagged

Every row is RLS-scoped to the tenant and ships with a hash_chain_curr = sha256(hash_chain_prev || row_canonical_bytes) link.

Hash chain integrity

Tampering with any row breaks the next row’s link. The verify endpoint walks the chain and confirms against the on-chain anchor.

Python

status = client.audit.verify(developer_id="dev_...")
assert status.valid is True
assert status.anchor_matches is True
print(status.chain_length)            # 4821
print(status.last_anchor_block)

TypeScript

const status = await client.audit.verify({ developerId: 'dev_...' });
if (!status.valid || !status.anchorMatches) {
  throw new Error('audit chain compromised');
}
console.log(status.chainLength);
console.log(status.lastAnchorBlock);

Query the trail

Filter by agent, action, date range. Returns paginated rows with inclusion proofs.

Python

rows = client.audit.list(
    agent_id=agent.id,
    action="payment.completed",
    start_date="2026-05-01",
    end_date="2026-05-31",
    limit=100,
)

for r in rows:
    print(r.id, r.created_at, r.verdict, r.amount, r.sar_flagged)

TypeScript

const rows = await client.audit.list({
  agentId: agent.id,
  action: 'payment.completed',
  startDate: '2026-05-01',
  endDate: '2026-05-31',
  limit: 100,
});

for (const r of rows) {
  console.log(r.id, r.createdAt, r.verdict, r.amount, r.sarFlagged);
}

On-chain anchor

Every hour a Merkle root over the new entries commits to OrisAuditLogRegistry on Base Sepolia (0xAde6DC06178904194FaE72CC83C6d2ec65Ed34c8). The contract is pausable and append-only. Even an operator with full database access cannot rewrite history; the next anchor would catch them.

Retention

Seven years from created_at. After the window, a daily sweeper deletes the row and its sealed envelope. The on-chain anchor remains (Merkle root only, no PII).

SAR auto-flag

Rows are flagged automatically when:

• risk_tier = High or Blocked
• sanctions_clean = false
• amount_usd_e6 >= 10_000_000_000 (ten thousand USD)
• Tier 1 revocation event for the agent within 24 hours

Flagged rows roll up to the regulator review queue. See audit trail compliance for the SAR escalation flow.

Where to go next

• L7 Audit for the cryptographic ground truth behind the log.
• Audit API for the full endpoint reference.
• Audit compliance guide for fetching trails and validating inclusion proofs.
• Regulator portal for the disclosure path.