Proof & Audit

Audit & SIEM

Every decision becomes a verifiable event. Append-only hash chain per provider, Postgres-backed segments, four canonical SIEM presets, and a bounded retention worker.

Append-only audit chain

20-kind canonical audit vocabulary shipped
Hash chain per provider shipped
Postgres-backed audit segments shipped
Audit segment rotation runner shipped
Audit retention worker shipped

Audit export

Sealed audit segments can be exported to durable storage via the export-job runner. Exports are checksummed and signed.

Export job runner shipped
GCS production export adapter operator-gated
S3 export adapter bounded

SIEM delivery

Four canonical mapping presets ship today. The mapper runs over already-redacted events; raw payloads are never serialized to a SIEM sink.

Splunk CIM mapper shipped
Elastic ECS mapper shipped
Signed webhook (canonical NDJSON) shipped
Datadog canonical mapper bounded

Dead-letter queue

Network sinks have a local-file dead-letter queue (chmod 0600, bounded total bytes, rotating NDJSON). An outage never silently drops events. Operator drains the DLQ via pnpm siem:replay.

Retention

Audit segments enter retention once sealed. The retention worker is two-phase (eligible → deleted) and gated by the explicit DELETE_ENABLED flag. Row-count mismatch in the sequence-range delete refuses to proceed.

Retention worker RETENTION_WORKER_ENABLED + DELETE_ENABLED two-flag gate shipped
Bounded sequence-range deleter with row-count mismatch refusal shipped
Long-window burn-rate alerts on retention metrics shipped

Boundaries

Live GCS bucket export is operator-gated (service-account key required).
Live Alertmanager tenant integration is operator-gated.
External signed-webhook receivers are operator-gated.