Audit chain

An append-only, hash-chained record of every tool call and money movement — exactly-once, tamper-evident, and exportable for compliance.

Why it exists

Agents move money. The audit chain is the CFO-grade record of everything they did — every tool call, every payment, every KYC check — written append-only and hash-chained so it can be proven untampered after the fact.

Every governed action in CodeSpar appends an event to a per-tenant audit chain:

  • Append-only. Events are never updated or deleted — corrections are new events that reference the original.
  • Hash-chained. Each event carries a hash over its contents plus the previous event, so any retroactive edit breaks the chain and is detectable.
  • Exactly-once. An action is attested once and only once, whether it was dispatched through session.execute(), the chat-loop session.send(), or a raw proxy_execute. Client-SDK tool calls are attested with attested_by: client_sdk; server-side dispatch with the server attestor.
  • Self-auditing exports. Even reading the chain out is itself an audited event.

What gets recorded

Meta-tool calls, raw provider calls, money movement (charge / pay / payout settlement), KYC dispositions, mandate spends, and policy decisions — each with its tool_call_id, resolved rail, idempotency key, and outcome.

API

Endpoint | Purpose
GET /v1/audit/events | Browse-only, paginated listing of chain events for the project
GET /v1/orgs/:orgId/audit/… (export) | Stream a slice of the chain (Postgres cursor) for SIEM / archival. Over the row limit returns 413; the export itself appends an audit_export event
POST /v1/audit/anchors/verify | Verify chain integrity against the published anchors — confirms no event was altered or removed
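
The append-only, hash-chained and exactly-once properties described above, together with the kind of check an anchor verification performs, as an added example; this is not CodeSpar's implementation. SHA-256 over canonical JSON, the all-zero genesis value, the class and function names, and every field name except tool_call_id and attested_by are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash sentinel for the first event

def event_hash(body, prev_hash):
    # Canonical JSON so the same event always produces the same bytes.
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + blob).hexdigest()

class AuditChain:
    """Toy per-tenant chain: append-only, hash-chained, exactly-once."""
    def __init__(self):
        self.events = []  # each: {"body", "prev_hash", "hash"}
        self._seen = {}   # idempotency_key -> index of the attested event

    def head(self):
        return self.events[-1]["hash"] if self.events else GENESIS

    def append(self, body):
        key = body["idempotency_key"]
        if key in self._seen:  # retry or second dispatch path: no new event
            return self.events[self._seen[key]]
        prev = self.head()
        event = {"body": dict(body), "prev_hash": prev, "hash": event_hash(body, prev)}
        self._seen[key] = len(self.events)
        self.events.append(event)
        return event

def verify(events, anchor_hash=None):
    """Return (ok, reason); anchor_hash is a head hash recorded outside the store."""
    prev, seen = GENESIS, {GENESIS}
    for i, ev in enumerate(events):
        if ev["prev_hash"] != prev or ev["hash"] != event_hash(ev["body"], prev):
            return False, f"chain broken at event {i}"
        prev = ev["hash"]
        seen.add(prev)
    if anchor_hash is not None and anchor_hash not in seen:
        return False, "anchored head not in chain: events removed or rewritten"
    return True, "ok"

def sample_chain():
    # Constructed events; the correction is a new event that references the original.
    chain = AuditChain()
    chain.append({"tool_call_id": "tc_1", "kind": "charge", "amount": 1000,
                  "attested_by": "client_sdk", "idempotency_key": "idem-1"})
    chain.append({"tool_call_id": "tc_2", "kind": "correction", "corrects": "tc_1",
                  "amount": 900, "attested_by": "client_sdk", "idempotency_key": "idem-2"})
    return chain
```

Recomputing the links alone still passes when trailing events are dropped or when the whole chain is rewritten with fresh hashes; comparing against a head hash kept outside the log is what catches those cases.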

Audit events also drive the incident lifecycle — anomalous or policy-flagged events can be opened, triaged, and resolved as incidents.

See also

  • Guardrails — the policy decisions that the chain records
  • Wallets — programmable spend, every movement attested
  • Async settlement — settlement events land on the chain