Loading...
Loading...
DRD records every agent action as an immutable, hash-chained event. This creates a tamper-evident audit trail that serves as the single source of truth for compliance, forensic investigation, and dispute resolution.
Every action an agent takes is recorded as a domain event in the DRD event store. Events are append-only and cannot be modified or deleted once written. Each event captures the full context of what happened, who did it, and when, providing a complete history of the system state over time.
{
"id": "019event-a1b2-c3d4-e5f6-789012345678",
"aggregateId": "01956abc-def0-7890-abcd-1234567890ab",
"eventType": "agent.action",
"version": 42,
"timestamp": "2026-02-13T12:00:00.000Z",
"payload": {
"action": "send_email",
"target": "user@example.com",
"policyResult": "allowed"
},
"metadata": {
"workspaceId": "ws-019...",
"agentId": "01956abc-...",
"correlationId": "corr-019...",
"causationId": "cause-019..."
},
"chainHash": "sha256:a1b2c3d4e5f6a7b8c9d0e1f2...",
"previousHash": "sha256:f0e9d8c7b6a5049382716050..."
}Events can never be modified or deleted. Every state change is recorded as a new event.
Each event includes a SHA-256 hash linking it to the previous event, forming a verifiable chain.
Server-assigned timestamps with microsecond precision ensure accurate temporal ordering.
DRD defines a set of core event types that capture all significant actions within the platform. Custom event types can also be ingested via the SDK.
| Event Type | Description | Level |
|---|---|---|
agent.action | Any action performed by an agent (API call, data access, content generation) | info |
policy.evaluated | A governance policy was evaluated against an agent action | info |
content.scanned | Content was scanned for infringement or safety violations | info |
enforcement.created | An enforcement action was issued against an agent | warning |
trust.updated | An agent's trust score was recalculated based on new evidence | info |
Every event in the DRD audit trail is cryptographically linked to the previous event using SHA-256 hash chains. This ensures that any tampering with historical events would break the chain and be immediately detectable.
previousHash + eventType + timestamp + payload.chainHash for this event and the previousHash for the next.Each event's hash incorporates the previous hash, forming an unbreakable chain.
For batch integrity proofs, DRD groups events into Merkle trees. This allows efficient verification of any single event within a batch without replaying the entire chain, and enables compact proofs suitable for third-party auditors.
Events are grouped into batches (default: 1,000 events). Each batch produces a Merkle root that summarizes all contained events.
Auditors can verify any single event belongs to a batch using an O(log n) Merkle inclusion proof without accessing other events.
Merkle roots can be anchored to external timestamping services or blockchains for independent verification.
A proof for one event in a 1,000-event batch requires only ~10 hashes (log2 1000), making proofs lightweight and portable.
{
"batchId": "batch-019-a1b2c3...",
"merkleRoot": "sha256:root-hash-a1b2c3d4e5f6...",
"eventCount": 1000,
"firstEventId": "019event-0001-...",
"lastEventId": "019event-1000-...",
"startTime": "2026-02-13T10:00:00.000Z",
"endTime": "2026-02-13T10:15:32.000Z",
"anchoredAt": "2026-02-13T10:16:00.000Z",
"anchorRef": "https://timestamp.drd.io/batch-019-a1b2c3"
}To maintain storage efficiency without sacrificing auditability, DRD supports batch compaction. Older events are compressed and archived while preserving their hash chain integrity and Merkle proofs.
Because the event log is the source of truth, you can replay events to reconstruct state at any point in time. Projections transform raw events into queryable read models optimized for specific use cases.
DRD uses Command Query Responsibility Segregation (CQRS) to separate write operations (event ingestion) from read operations (queries). Events flow into optimized read models that serve the dashboard, API, and alerting systems.
| Read Model | Source Events | Purpose |
|---|---|---|
| Agent Activity Feed | agent.action, policy.evaluated | Dashboard timeline of agent actions |
| Trust Score History | trust.updated | Time-series trust score graph and trends |
| Enforcement Log | enforcement.created | Compliance dashboard and alerting |
| Audit Report | All events | Exportable compliance reports for regulators |
| Anomaly Detection | agent.action | Real-time anomaly scoring for swarm monitoring |
Use the DRD TypeScript SDK to ingest events into the hash-chained audit trail. Events are automatically batched and chained by the platform.
import { DRDClient } from "@drd.io/sdk";
const drd = new DRDClient({
apiKey: process.env.DRD_API_KEY!,
workspaceId: "ws-019...",
});
// Ingest a batch of events
const result = await drd.events.ingest({
events: [
{
type: "agent.action",
agentId: "01956abc-def0-7890-abcd-1234567890ab",
timestamp: new Date().toISOString(),
data: {
action: "send_email",
target: "user@example.com",
subject: "Order Confirmation",
policyResult: "allowed",
},
},
{
type: "content.scanned",
agentId: "01956abc-def0-7890-abcd-1234567890ab",
timestamp: new Date().toISOString(),
data: {
contentId: "019content-abcd-...",
scanType: "fingerprint",
matchCount: 0,
},
},
],
});
console.log(`Ingested ${result.ingested} events`);
console.log(`Chain hash: ${result.events[0].chainHash}`);
// => "Ingested 2 events"
// => "Chain hash: sha256:a1b2c3d4e5f6..."Verify the integrity of the audit trail by replaying events and checking the hash chain. This can be done programmatically or via the DRD dashboard.
import { createHash } from "crypto";
import { DRDClient } from "@drd.io/sdk";
const drd = new DRDClient({
apiKey: process.env.DRD_API_KEY!,
workspaceId: "ws-019...",
});
// Replay events for an aggregate
const { events } = await drd.events.replay({
aggregateId: "01956abc-def0-7890-abcd-1234567890ab",
fromVersion: 1,
});
// Verify the hash chain
let previousHash = "genesis";
let valid = true;
for (const event of events) {
const input = previousHash
+ event.eventType
+ event.timestamp
+ JSON.stringify(event.payload);
const expectedHash = "sha256:" + createHash("sha256")
.update(input)
.digest("hex");
if (event.chainHash !== expectedHash) {
console.error(`Chain broken at event ${event.id}`);
console.error(` Expected: ${expectedHash}`);
console.error(` Actual: ${event.chainHash}`);
valid = false;
break;
}
previousHash = event.chainHash;
}
console.log(valid
? "Hash chain verified successfully"
: "Hash chain verification FAILED"
);
// => "Hash chain verified successfully"Export the full event history for a time period to satisfy regulatory requirements (EU AI Act, GDPR Article 30). Generate audit reports with cryptographic proof of completeness.
When an incident occurs, replay the event stream to reconstruct exactly what happened. Time-travel to any point and inspect the full agent state and decision context.
Provide tamper-evident evidence in disputes. Hash chain verification and Merkle inclusion proofs demonstrate that the audit trail has not been altered since the events occurred.