Skip to content

Audit Log

The audit log is an append-only JSONL file that records every governance decision. Each line is a self-contained JSON event.

Location

Default: .kcp-harness/audit.jsonl (configurable in harness.yaml).

Event Schema

All events share these fields:

json
{
  "seq": 1,
  "ts": "2025-07-07T10:30:00.000Z",
  "type": "tool_call",
  "session": "abc123"
}
FieldTypeDescription
seqnumberMonotonically increasing sequence number
tsstringISO 8601 timestamp
typestringEvent type (see below)
sessionstringSession identifier

Event Types

tool_call

Logged for every tool call that passes through the harness.

json
{
  "seq": 1,
  "ts": "2025-07-07T10:30:00.000Z",
  "type": "tool_call",
  "tool": "Read",
  "governed": true,
  "targets": ["docs/api.md"],
  "decision": {
    "approved": true,
    "mode": "plan-first",
    "plan": { "units": 3, "eligible": 2 }
  },
  "session": "abc123"
}

session_start / session_end

Session lifecycle events.

json
{
  "seq": 0,
  "ts": "2025-07-07T10:00:00.000Z",
  "type": "session_start",
  "session": "abc123",
  "config": {
    "domains": 1,
    "policy": { "fail_closed": true }
  }
}

budget_spend

Logged when knowledge loading incurs a cost.

json
{
  "seq": 5,
  "ts": "2025-07-07T10:31:00.000Z",
  "type": "budget_spend",
  "source": "plan",
  "cost": { "amount": 0.25, "currency": "USDC" },
  "runningTotal": { "USDC": 0.25 },
  "ceiling": { "amount": 1.00, "currency": "USDC" },
  "session": "abc123"
}

budget_exceeded

Logged when a request is rejected because it would exceed the budget ceiling.

json
{
  "seq": 10,
  "ts": "2025-07-07T10:45:00.000Z",
  "type": "budget_exceeded",
  "requested": { "amount": 0.50, "currency": "USDC" },
  "current": { "USDC": 0.80 },
  "ceiling": { "amount": 1.00, "currency": "USDC" },
  "session": "abc123"
}

temporal_drift

Logged when a watched plan's temporal validity changes.

json
{
  "seq": 15,
  "ts": "2025-07-07T11:00:00.000Z",
  "type": "temporal_drift",
  "manifest": "./knowledge.yaml",
  "summary": "1 unit expired: 'api-v1-docs'",
  "session": "abc123"
}

plan_invalidated

Logged when a plan is removed from the session due to drift.

Security

The audit log redacts sensitive content:

  • Write tool content is replaced with [REDACTED: <length> chars]
  • Bash commands containing common secret patterns are redacted
  • Decision trace details (which may contain unit content) are stripped from audit events

Querying

The JSONL format is designed for streaming processing:

bash
# All governed tool calls
cat .kcp-harness/audit.jsonl | jq 'select(.governed == true)'

# Budget events
cat .kcp-harness/audit.jsonl | jq 'select(.type | startswith("budget"))'

# Temporal drift events
cat .kcp-harness/audit.jsonl | jq 'select(.type == "temporal_drift")'

# Session summary
cat .kcp-harness/audit.jsonl | jq 'select(.type == "session_end")'

Released under the Apache 2.0 License.