TAMPER-EVIDENT AUDIT TRAILS FOR AI AGENTS

Your AI agent logs
are not evidence.
Sasana makes them defensible.

A SHA-256 hash-chained audit trail where any modification — to any byte, in any historical event — is detectable. Raw content never leaves your machine: only hashes are stored.

try to tamper with a log
sasana — verifier
seq=1PROBLEM_STATEMENT

A log that can’t prove its own integrity is just a claim in a database.

Every major observability tool — LangSmith, Arize, Langfuse — stores logs in mutable, operator-controlled storage. An administrator with file-system or database access can modify or delete a record with no detectable trace.

Those logs satisfy a reporting requirement. They do not prove what happened. When a credit-scoring model is challenged or a medical AI diagnostic is investigated, “we have logs but cannot prove they weren’t modified” is a gap in your risk management system.

Sasana is not observability. It is evidence production. They are complementary.

seq=2VERIFIER_CHECKS
what `sasana verify` actually checks
  • [1/5]Structural validity... ⧗... PASSevery event carries the full 7-field envelope
  • [2/5]Sequence integrity... ⧗... PASSseq increases monotonically — no reorder, no gaps
  • [3/5]Hash chain integrity... ⧗... PASSeach event_hash recomputed and matched against prev_hash
  • [4/5]Session completeness... ⧗... PASSSESSION_START and SESSION_END both present and linked
  • [5/5]Seal signature... ⧗... PASSEd25519 seal verified against the pinned Archeion key
exit 0 INTACTexit 1 COMPROMISEDexit 2 PARTIALexit 3 ERROR— suitable for CI pipeline integration
seq=3EVIDENCE_CLASS

Not all evidence is equal.

The verifier doesn’t just say “valid.” It tells you how strong the guarantee is— measured by what an adversary would need in order to forge the log you’re holding.

The boundary between the top rung and everything below it is architectural: an independent sealing authority (Archeion) that the agent process structurally cannot impersonate.

./architecture — how the boundary is enforced
AUTHORITATIVE_EVIDENCE

An independent sealing authority verified this log. The agent could not have forged this.

to forge, an adversary needs:the TSA's private key, Archeion's signing key, or a SHA-256 collision
─── ARCHEION AUTHORITY BOUNDARY ───
▲ SEALING SIDE — security team’s perimeter. SDK is type-blocked from emitting CHAIN_SEAL.
SIGNED_NON_AUTHORITATIVE

Ed25519 signatures present. Operator-attested — the operator says this happened.

to forge, an adversary needs:the Ed25519 private key
NON_AUTHORITATIVE_EVIDENCE

Hash chain intact. Proves no post-hoc modification — not who wrote it, or when.

to forge, an adversary needs:nothing — rewrite the whole chain and it verifies clean
seq=4MECHANISM
SHA-256 over canonical JSON

Every event is hashed over RFC 8785 canonical JSON. Any mutation — one byte, one field, one timestamp — changes the hash.

prev_hash chains everything

Each event commits to all prior events. Changing history breaks every subsequent link. The chain is the tamper alarm.

RFC 3161 anchors time

SESSION_START is anchored to an independent timestamp authority. Backdating the log means forging the TSA's signature.

A Rust binary (sasana-rs) verifies sessions with no Python dependency — for forensic environments where Python is not present or trusted.

seq=5AUDIENCE

Built for teams whose logs get subpoenaed.

Compliance engineers

implementing EU AI Act Article 12 — tamper-evident logging for high-risk AI systems in fintech, healthtech, HR tech.

./compliance
Security teams

who need a cryptographically verifiable audit trail for incident response — one that survives an admin with database access.

./architecture
DevSecOps engineers

who need to prove a session log has not been touched since it ended — in CI, with an exit code.

./playground
regulationrequirement addressed
EU AI Act Article 12Tamper-evident automatic recording for high-risk AI systems
SOC 2 CC7.2System monitoring with cryptographically verifiable audit trail
HIPAA §164.312(b)Audit control for healthcare AI; raw PHI never recorded
seq=6SESSION_END

Start producing evidence.

MIT licensed. Self-hosted only — there is no cloud offering, on purpose. Zero code changes required with the passive observer.

every OpenClaw session automatically produces ~/.openclaw/sasana/<session_id>.jsonl — no configuration required