TAMPER-EVIDENT AUDIT TRAILS FOR AI AGENTS
Your AI agent logs
are not evidence.
Sasana makes them defensible.
A SHA-256 hash-chained audit trail where any modification — to any byte, in any historical event — is detectable. Raw content never leaves your machine: only hashes are stored.
A log that can’t prove its own integrity is just a claim in a database.
Every major observability tool — LangSmith, Arize, Langfuse — stores logs in mutable, operator-controlled storage. An administrator with file-system or database access can modify or delete a record with no detectable trace.
Those logs satisfy a reporting requirement. They do not prove what happened. When a credit-scoring model is challenged or a medical AI diagnostic is investigated, “we have logs but cannot prove they weren’t modified” is a gap in your risk management system.
Sasana is not observability. It is evidence production. They are complementary.
- [1/5]Structural validity... ⧗... PASSevery event carries the full 7-field envelope
- [2/5]Sequence integrity... ⧗... PASSseq increases monotonically — no reorder, no gaps
- [3/5]Hash chain integrity... ⧗... PASSeach event_hash recomputed and matched against prev_hash
- [4/5]Session completeness... ⧗... PASSSESSION_START and SESSION_END both present and linked
- [5/5]Seal signature... ⧗... PASSEd25519 seal verified against the pinned Archeion key
Not all evidence is equal.
The verifier doesn’t just say “valid.” It tells you how strong the guarantee is— measured by what an adversary would need in order to forge the log you’re holding.
The boundary between the top rung and everything below it is architectural: an independent sealing authority (Archeion) that the agent process structurally cannot impersonate.
./architecture — how the boundary is enforced →An independent sealing authority verified this log. The agent could not have forged this.
Ed25519 signatures present. Operator-attested — the operator says this happened.
Hash chain intact. Proves no post-hoc modification — not who wrote it, or when.
Every event is hashed over RFC 8785 canonical JSON. Any mutation — one byte, one field, one timestamp — changes the hash.
Each event commits to all prior events. Changing history breaks every subsequent link. The chain is the tamper alarm.
SESSION_START is anchored to an independent timestamp authority. Backdating the log means forging the TSA's signature.
A Rust binary (sasana-rs) verifies sessions with no Python dependency — for forensic environments where Python is not present or trusted.
Built for teams whose logs get subpoenaed.
implementing EU AI Act Article 12 — tamper-evident logging for high-risk AI systems in fintech, healthtech, HR tech.
./compliance →who need a cryptographically verifiable audit trail for incident response — one that survives an admin with database access.
./architecture →who need to prove a session log has not been touched since it ended — in CI, with an exit code.
./playground →| regulation | requirement addressed |
|---|---|
| EU AI Act Article 12 | Tamper-evident automatic recording for high-risk AI systems |
| SOC 2 CC7.2 | System monitoring with cryptographically verifiable audit trail |
| HIPAA §164.312(b) | Audit control for healthcare AI; raw PHI never recorded |
Start producing evidence.
MIT licensed. Self-hosted only — there is no cloud offering, on purpose. Zero code changes required with the passive observer.
every OpenClaw session automatically produces ~/.openclaw/sasana/<session_id>.jsonl — no configuration required