[Future] Immutable audit logs with hash chain #141

@Raulgooo

Future

Objective

Append-only audit logs with cryptographic integrity.

Problem

  • audit_logs is mutable
  • DeleteAuditLogsBefore() allows hard deletion
  • No hash chain

Fix

  1. previous_hash column
  2. SHA-256 hash per row
  3. DB trigger blocks DELETE
  4. immutable=true config

Files

  • internal/storage/sqlite.go
  • internal/audit/

Acceptance Criteria

  • Hash chain
  • DELETE blocked
  • Separate retention policies
  • Compliance ready
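
A sketch of the hash chain proposed under Fix, added here as an illustration and not taken from the project's code. Only `previous_hash` is named in the issue; the `Entry` fields, the `rowHash` encoding, and the empty hash for the first row are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry mirrors one audit_logs row (field names are assumptions, see lead-in).
type Entry struct {
	ID                 int64
	Event              string
	PreviousHash, Hash string
}

// rowHash binds a row to its predecessor; length prefixes keep field boundaries unambiguous.
func rowHash(prev string, id int64, event string) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s|%d|%d:%s", len(prev), prev, id, len(event), event)
	return hex.EncodeToString(h.Sum(nil))
}

// Append links a new entry to the current tail of the chain.
func Append(chain []Entry, event string) []Entry {
	prev := "" // the first row has an empty previous_hash (assumed convention)
	if len(chain) > 0 {
		prev = chain[len(chain)-1].Hash
	}
	id := int64(len(chain) + 1)
	return append(chain, Entry{id, event, prev, rowHash(prev, id, event)})
}

// Verify returns the index of the first row that breaks the chain, or -1.
func Verify(chain []Entry) int {
	prev := ""
	for i, e := range chain {
		if e.PreviousHash != prev || e.Hash != rowHash(prev, e.ID, e.Event) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	rows := Append(Append(Append(nil, "login alice"), "policy change"), "logout alice") // constructed events
	rows[1].Event = "nothing happened" // simulated in-place edit of a stored row
	fmt.Println("first broken row index:", Verify(rows))
}
```

Removing rows from the tail leaves a shorter chain that still verifies, so the chain alone does not replace the DELETE trigger. Detecting truncation needs the latest hash recorded somewhere the database writer cannot change.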

Labels: P3, low risk, track-security (Track label for Agentic Era)