Guardian Audit

SKILL.md

---
name: guardian-audit
version: 1.1
description: Tamper-evident audit logger that pairs with Guardian safety skill. Captures safety decisions (halts, approvals, escalations) in an append-only, hash-chained log. Use when Guardian makes a safety decision. Use for compliance audit trails. Does NOT activate on general logging requests like 'log this' or routine queries. Requires explicit safety context or compliance intent to trigger.
Support: support@ikkf.info
---

# Guardian Audit — Tamper-Evident Audit Logger (v1.1)

> *"Trust, but log."*

A companion skill to **Guardian** (or any safety gatekeeper) that captures every decision, action, and escalation in an **append-only, hash-chained audit trail**.

**Why this exists:** Guardian stops bad things. Guardian Audit proves it stopped them — or proves the agent did them anyway.

## Privacy & Data Warning

**Before using Guardian Audit, understand what it captures:**

This skill logs detailed operational data including: file paths, agent reasoning, human escalation responses, system commands, and safety decisions. These logs may contain:
- Internal system paths and configurations
- Sensitive operational details
- Personal or business data processed by agents
- Security decisions and approval context

**Best practices:**
- Review and redact logs before sharing or archiving
- Configure log retention policies appropriate to your compliance requirements
- Restrict log file access to authorized personnel only
- Do not log secrets, passwords, or API keys in agent reasoning fields
- Consider encryption for logs stored on shared or cloud-backed systems

## What It Logs

Every entry includes:

| Field | Purpose |
|-------|---------|
| `timestamp` | ISO-8601 with millisecond precision |
| `sequence` | Monotonic integer, no gaps allowed |
| `previous_hash` | SHA-256 of previous entry (chain integrity) |
| `event_type` | `GUARDIAN_CHECK`, `GUARDIAN_HALT`, `GUARDIAN_APPROVE`, `EXECUTED`, `ESCALATION_RESOLVED` |
| `agent_id` | Anonymous identifier (no platform specifics) |
| `operation` | What the agent tried to do |
| `target` | File / path / database / endpoint |
| `category` | CRITICAL / HIGH / MEDIUM / NON-DESTRUCTIVE |
| `backup_verdict` | VERIFIED / UNVERIFIED / STALE / PARTIAL |
| `backup_checks` | JSON array of which indicators matched |
| `decision` | PROCEED / HALT / AWAITING_HUMAN / DENIED |
| `approver` | `guardian-auto` / `human:anonymous` / `agent:rejected` |
| `agent_reasoning` | The agent's stated justification (quoted) |
| `guardian_notes` | Why Guardian made this decision |
| `outcome` | SUCCESS / FAILURE / TIMEOUT / CANCELLED |
| `entry_hash` | SHA-256 of this entry's content |

## The Hash Chain

```
Entry[N].previous_hash = SHA256(Entry[N-1].content)
Entry[N].entry_hash = SHA256(Entry[N].content)
```

If any entry is modified, every subsequent entry's `previous_hash` fails verification. The chain is self-validating.

## Log Format

Append-only line-delimited JSON (NDJSON), one entry per line:

```json
{"timestamp":"2026-05-19T13:58:45.112Z","sequence":42,"previous_hash":"a3f7...","event_type":"GUARDIAN_CHECK","agent_id":"agent-7f3a","operation":"rm -rf /tmp/old-builds","target":"/tmp/old-builds","category":"MEDIUM","backup_verdict":"VERIFIED","backup_checks":["git-clean"],"decision":"PROCEED","approver":"guardian-auto","agent_reasoning":"Cleaning up old build artifacts","guardian_notes":"CARS Medium risk auto-approved via git-clean verification","outcome":"SUCCESS","entry_hash":"9e2b..."}
```

## Where Logs Live

| Platform | Default Path |
|----------|-------------|
| Windows | `%LOCALAPPDATA%\guardian-audit\audit.log` |
| macOS | `~/.local/share/guardian-audit\audit.log` |
| Linux | `~/.local/share/guardian-audit\audit.log` |

**Immutable by convention:** The log file has append-only permissions. The executing agent cannot delete or modify entries. Only a human with elevated privileges can rotate logs.

## Verification Script

```bash
# Verify chain integrity
./scripts/verify-chain.py audit.log
# Output: "Chain valid: 1,247 entries, 0 breaks"
# Or: "CHAIN BROKEN at entry 843: hash mismatch"
```

## Integration with Guardian

Guardian calls Guardian Audit automatically after every decision:

```
Guardian Decision → Guardian Audit LOG → Continue / Halt
```

No additional agent action required. Guardian Audit is a **passive listener** that records what happened.

## Standalone Use

Sidenote: v1.1 now supports **JIT-GRANTED** tags in the audit log, marking operations performed during a human-authorized destructive window.

```python
# From any agent or tool
from guardian_audit import log_event

log_event(
    event_type="MANUAL_APPROVE",
    operation="deploy-production",
    target="api.production.internal",
    decision="PROCEED",
    approver="human:anonymous",
    agent_reasoning="Emergency fix for auth bug"
)
```

## Why This Matters

**Compliance frameworks requiring audit trails:**
- **EU AI Act** (Article 52): High-risk AI systems must maintain logs
- **SOC 2 Type II**: Change management and access control evidence
- **HIPAA §164.312(b)**: Mechanisms to record and examine activity
- **GDPR Article 5(1)(d)**: Accuracy and accountability

**Forensics:** When something goes wrong, you need to know:
- What did the agent try to do?
- Did Guardian stop it?
- Did a human approve it anyway?
- What was the agent's reasoning at the time?

## Mandatory Rules

1. **Append-Only:** Entries are never deleted. Log rotation creates new files, never modifies existing ones.
2. **Hash Chain:** Every entry references the previous. Tampering is detectable.
3. **No Agent Modification:** The executing agent cannot modify its own audit trail. Ever.
4. **Minimal Overhead:** Logging adds <5ms per decision. No perceptible latency.
5. **Human Readable:** NDJSON format means `tail -f audit.log` is meaningful without tooling.

## Scope

**Vanilla:** Not specific to Guardian. Works with any safety gatekeeper, human approval workflow, or agent runtime.

**Passive:** Does not block or delay operations. Logs after the fact.

**Mandatory:** Once enabled, all safety decisions are logged. No opt-out per-session.

## References

- `references/LOG-SCHEMA.md` — Complete field definitions and validation rules
- `references/COMPLIANCE-MAPPING.md` — Framework requirements (EU AI Act, SOC 2, HIPAA, GDPR)
- `references/REPLAY.md` — How to replay, search, and analyze audit trails
- `scripts/log-event.py` — Python event logger (cross-platform)
- `scripts/verify-chain.py` — Chain integrity verification
- `scripts/export-report.py` — Generate compliance-ready reports

## Based On

- IETF draft-sharif-agent-audit-trail-00 (Mar 2026): Standardized AI agent audit trail format
- AgentReceipt (2026): Immutable audit trails for AI agents
- OWASP Agentic AI Top 10: Logging and monitoring requirements
- GDPR Article 5 + EU AI Act Article 52: Regulatory audit trail mandates

## License

MIT — Audit trails should be a public la MIT — Audit trails should be a public good.