Trust & Governance

Trust Decision Log

Every trust-related decision on the DRD platform is recorded in an immutable, hash-chained decision log. Query decisions by type, outcome, agent, confidence score, and time range. The decision log is your single source of truth for governance auditing.

Decision Types

DRD classifies decisions into four categories. Each type has its own evaluation logic, approval flow, and audit requirements.

Policy Decisions

policy

Automated evaluations by the policy engine. These are the most common decision type and include allow/deny verdicts for agent actions based on configured policy rules.

Enforcement Decisions

enforcement

Actions taken against agents or content that violate policies. Includes DMCA takedowns, agent suspensions, trust score penalties, and content removal orders.

Approval Decisions

approval

Human-in-the-loop decisions where a workspace admin approves or rejects an agent's action. Triggered by policies with require_approval rules.

Trust Decisions

trust

Trust score adjustments, tier changes, and badge assignments. Includes both automated recalculations and manual overrides by administrators.

Decision Structure

Every decision includes full context, confidence scoring, decision trace, and audit chain hashes for tamper-evidence.

Decision Object

{
  "id": "dec_01abc...",
  "type": "policy",
  "timestamp": "2026-02-14T10:30:00Z",
  "agentId": "01956abc-def0...",
  "agentName": "Content Scanner v2",

  // What was decided
  "action": "send_email",
  "outcome": "denied",
  "reason": "Rate limit exceeded: 50 emails in 1 hour",

  // Confidence and scoring
  "confidence": 0.95,
  "riskScore": 72,

  // Decision trace
  "trace": {
    "policiesEvaluated": ["email-rate-limit", "pii-filter", "spam-detection"],
    "matchedPolicy": "email-rate-limit",
    "matchedRule": "context.emailCount > 50",
    "evaluationTimeMs": 12,
    "context": {
      "emailCount": 52,
      "target": "user@example.com"
    }
  },

  // Audit chain
  "chainHash": "sha256:a1b2c3d4...",
  "previousHash": "sha256:9f8e7d6c...",
  "sequenceNumber": 12847,

  // Review (for approval decisions)
  "review": {
    "reviewerId": "user_01xyz...",
    "reviewedAt": "2026-02-14T10:35:00Z",
    "reviewOutcome": "approved",
    "reviewNotes": "One-time exception for marketing campaign"
  }
}

Tamper-evidence: Every decision is hash-chained to the previous one. The chainHash is computed as SHA-256 of the decision payload concatenated with the previousHash. Any tampering breaks the chain and is detected automatically.

Outcome Tracking

After a decision is made, reviewers can mark the outcome to build a feedback loop for improving trust algorithms.

Allowed

Neutral to slightly positive trust impact

Denied

Negative (repeated denials lower score)

Escalated

Neutral until resolved by reviewer

Pending

No impact until resolved

Confidence Scores

Each decision includes a confidence score (0.0 to 1.0) indicating the system's certainty in its evaluation. Low-confidence decisions can be configured to automatically escalate for human review.

0.9-1.0High confidence -- auto-execute without review
0.7-0.9Medium confidence -- may require human review
0.0-0.7Low confidence -- auto-escalate to human reviewer

confidence-config.ts

// Configure confidence-based escalation
await drd.policies.update("policy_01abc...", {
  confidenceThresholds: {
    autoApprove: 0.95,       // >= 0.95: allow without review
    requireReview: 0.70,     // 0.70-0.95: queue for human review
    autoDeny: 0.0,           // < 0.70: deny and alert
  },
});

Query API

Query the decision log with filters for type, outcome, agent, confidence range, and time period.

GET /v1/decisions

curl "https://api.drd.io/v1/decisions?\
  type=policy&\
  outcome=denied&\
  agentId=01956abc-def0...&\
  from=2026-02-01T00:00:00Z&\
  to=2026-02-14T23:59:59Z&\
  minConfidence=0.8&\
  limit=25" \
  -H "Authorization: Bearer drd_ws_..."

// Response
{
  "data": [
    {
      "id": "dec_01abc...",
      "type": "policy",
      "outcome": "denied",
      "action": "send_email",
      "agentId": "01956abc-def0...",
      "confidence": 0.95,
      "reason": "Rate limit exceeded",
      "timestamp": "2026-02-14T10:30:00Z",
      "chainHash": "sha256:a1b2c3d4..."
    }
  ],
  "meta": {
    "total": 142,
    "cursor": "cursor_abc...",
    "hasMore": true
  }
}

SDK: Query Decisions

query-decisions.ts

import { DRDClient } from "@drd/sdk";

const drd = new DRDClient({ apiKey: process.env.DRD_API_KEY! });

// Query denied policy decisions
const { data: deniedDecisions, meta } = await drd.decisions.list({
  type: "policy",
  outcome: "denied",
  agentId: "01956abc-def0...",
  from: "2026-02-01T00:00:00Z",
  to: "2026-02-14T23:59:59Z",
  limit: 25,
});

for (const decision of deniedDecisions) {
  console.log(decision.id, decision.action, decision.reason);
  console.log("  Confidence:", decision.confidence);
  console.log("  Policy:", decision.trace.matchedPolicy);
}

// Get a specific decision with full trace
const decision = await drd.decisions.get("dec_01abc...");
console.log("Policies evaluated:", decision.trace.policiesEvaluated);
console.log("Evaluation time:", decision.trace.evaluationTimeMs, "ms");
console.log("Chain hash:", decision.chainHash);

// Get decision statistics
const stats = await drd.decisions.stats({
  agentId: "01956abc-def0...",
  period: "daily",
  from: "2026-02-01",
  to: "2026-02-14",
});

for (const day of stats.dataPoints) {
  console.log(day.date);
  console.log("  Total:", day.total);
  console.log("  Allowed:", day.allowed, "Denied:", day.denied);
  console.log("  Escalated:", day.escalated);
  console.log("  Avg confidence:", day.avgConfidence);
}

// Verify decision chain integrity
const integrity = await drd.decisions.verifyChain({
  from: "2026-02-01T00:00:00Z",
  to: "2026-02-14T23:59:59Z",
});

console.log("Chain valid:", integrity.valid);
console.log("Decisions verified:", integrity.count);
console.log("First sequence:", integrity.firstSequence);
console.log("Last sequence:", integrity.lastSequence);

Export for Compliance

Export decision logs for compliance audits, legal discovery, or external analysis. Exports are available in JSON, CSV, and NDJSON formats.

export.ts

// Create an export job
const exportJob = await drd.decisions.export({
  format: "csv",
  from: "2026-01-01T00:00:00Z",
  to: "2026-01-31T23:59:59Z",
  filters: {
    types: ["policy", "enforcement"],
    outcomes: ["denied", "escalated"],
  },
  includeTrace: true,
  includeChainHashes: true,
});

console.log("Export ID:", exportJob.id);
console.log("Status:", exportJob.status);

// Poll for completion or use webhook
const completed = await drd.decisions.exportStatus(exportJob.id);
if (completed.status === "ready") {
  console.log("Download URL:", completed.downloadUrl);
  console.log("Expires at:", completed.expiresAt);
  console.log("File size:", completed.fileSizeBytes);
}

Retention: Decision logs are retained for 7 years by default to meet regulatory requirements (SOC2, GDPR Art. 30, EU AI Act). Custom retention periods can be configured at the workspace level.

Next Steps

Trust Network

Manage trust contacts and CRM

Learn more →

DRD Score

Understand trust scoring

Learn more →

Agent Health

Monitor agent health

Learn more →

Policy Engine

Rule-based governance driving trust decisions

Learn more →

Trust & Governance

Trust Decision Log

Decision Types

DRD classifies decisions into four categories. Each type has its own evaluation logic, approval flow, and audit requirements.

Policy Decisions

policy

Automated evaluations by the policy engine. These are the most common decision type and include allow/deny verdicts for agent actions based on configured policy rules.

Enforcement Decisions

enforcement

Actions taken against agents or content that violate policies. Includes DMCA takedowns, agent suspensions, trust score penalties, and content removal orders.

Approval Decisions

approval

Human-in-the-loop decisions where a workspace admin approves or rejects an agent's action. Triggered by policies with require_approval rules.

Trust Decisions

trust

Trust score adjustments, tier changes, and badge assignments. Includes both automated recalculations and manual overrides by administrators.

Decision Structure

Every decision includes full context, confidence scoring, decision trace, and audit chain hashes for tamper-evidence.

Decision Object

{
  "id": "dec_01abc...",
  "type": "policy",
  "timestamp": "2026-02-14T10:30:00Z",
  "agentId": "01956abc-def0...",
  "agentName": "Content Scanner v2",

  // What was decided
  "action": "send_email",
  "outcome": "denied",
  "reason": "Rate limit exceeded: 50 emails in 1 hour",

  // Confidence and scoring
  "confidence": 0.95,
  "riskScore": 72,

  // Decision trace
  "trace": {
    "policiesEvaluated": ["email-rate-limit", "pii-filter", "spam-detection"],
    "matchedPolicy": "email-rate-limit",
    "matchedRule": "context.emailCount > 50",
    "evaluationTimeMs": 12,
    "context": {
      "emailCount": 52,
      "target": "user@example.com"
    }
  },

  // Audit chain
  "chainHash": "sha256:a1b2c3d4...",
  "previousHash": "sha256:9f8e7d6c...",
  "sequenceNumber": 12847,

  // Review (for approval decisions)
  "review": {
    "reviewerId": "user_01xyz...",
    "reviewedAt": "2026-02-14T10:35:00Z",
    "reviewOutcome": "approved",
    "reviewNotes": "One-time exception for marketing campaign"
  }
}

Outcome Tracking

After a decision is made, reviewers can mark the outcome to build a feedback loop for improving trust algorithms.

Allowed

Neutral to slightly positive trust impact

Denied

Negative (repeated denials lower score)

Escalated

Neutral until resolved by reviewer

Pending

No impact until resolved

Confidence Scores

Each decision includes a confidence score (0.0 to 1.0) indicating the system's certainty in its evaluation. Low-confidence decisions can be configured to automatically escalate for human review.

0.9-1.0High confidence -- auto-execute without review
0.7-0.9Medium confidence -- may require human review
0.0-0.7Low confidence -- auto-escalate to human reviewer

confidence-config.ts

// Configure confidence-based escalation
await drd.policies.update("policy_01abc...", {
  confidenceThresholds: {
    autoApprove: 0.95,       // >= 0.95: allow without review
    requireReview: 0.70,     // 0.70-0.95: queue for human review
    autoDeny: 0.0,           // < 0.70: deny and alert
  },
});

Query API

Query the decision log with filters for type, outcome, agent, confidence range, and time period.

GET /v1/decisions

curl "https://api.drd.io/v1/decisions?\
  type=policy&\
  outcome=denied&\
  agentId=01956abc-def0...&\
  from=2026-02-01T00:00:00Z&\
  to=2026-02-14T23:59:59Z&\
  minConfidence=0.8&\
  limit=25" \
  -H "Authorization: Bearer drd_ws_..."

// Response
{
  "data": [
    {
      "id": "dec_01abc...",
      "type": "policy",
      "outcome": "denied",
      "action": "send_email",
      "agentId": "01956abc-def0...",
      "confidence": 0.95,
      "reason": "Rate limit exceeded",
      "timestamp": "2026-02-14T10:30:00Z",
      "chainHash": "sha256:a1b2c3d4..."
    }
  ],
  "meta": {
    "total": 142,
    "cursor": "cursor_abc...",
    "hasMore": true
  }
}

SDK: Query Decisions

query-decisions.ts

import { DRDClient } from "@drd/sdk";

const drd = new DRDClient({ apiKey: process.env.DRD_API_KEY! });

// Query denied policy decisions
const { data: deniedDecisions, meta } = await drd.decisions.list({
  type: "policy",
  outcome: "denied",
  agentId: "01956abc-def0...",
  from: "2026-02-01T00:00:00Z",
  to: "2026-02-14T23:59:59Z",
  limit: 25,
});

for (const decision of deniedDecisions) {
  console.log(decision.id, decision.action, decision.reason);
  console.log("  Confidence:", decision.confidence);
  console.log("  Policy:", decision.trace.matchedPolicy);
}

// Get a specific decision with full trace
const decision = await drd.decisions.get("dec_01abc...");
console.log("Policies evaluated:", decision.trace.policiesEvaluated);
console.log("Evaluation time:", decision.trace.evaluationTimeMs, "ms");
console.log("Chain hash:", decision.chainHash);

// Get decision statistics
const stats = await drd.decisions.stats({
  agentId: "01956abc-def0...",
  period: "daily",
  from: "2026-02-01",
  to: "2026-02-14",
});

for (const day of stats.dataPoints) {
  console.log(day.date);
  console.log("  Total:", day.total);
  console.log("  Allowed:", day.allowed, "Denied:", day.denied);
  console.log("  Escalated:", day.escalated);
  console.log("  Avg confidence:", day.avgConfidence);
}

// Verify decision chain integrity
const integrity = await drd.decisions.verifyChain({
  from: "2026-02-01T00:00:00Z",
  to: "2026-02-14T23:59:59Z",
});

console.log("Chain valid:", integrity.valid);
console.log("Decisions verified:", integrity.count);
console.log("First sequence:", integrity.firstSequence);
console.log("Last sequence:", integrity.lastSequence);

Export for Compliance

Export decision logs for compliance audits, legal discovery, or external analysis. Exports are available in JSON, CSV, and NDJSON formats.

export.ts

// Create an export job
const exportJob = await drd.decisions.export({
  format: "csv",
  from: "2026-01-01T00:00:00Z",
  to: "2026-01-31T23:59:59Z",
  filters: {
    types: ["policy", "enforcement"],
    outcomes: ["denied", "escalated"],
  },
  includeTrace: true,
  includeChainHashes: true,
});

console.log("Export ID:", exportJob.id);
console.log("Status:", exportJob.status);

// Poll for completion or use webhook
const completed = await drd.decisions.exportStatus(exportJob.id);
if (completed.status === "ready") {
  console.log("Download URL:", completed.downloadUrl);
  console.log("Expires at:", completed.expiresAt);
  console.log("File size:", completed.fileSizeBytes);
}

Retention: Decision logs are retained for 7 years by default to meet regulatory requirements (SOC2, GDPR Art. 30, EU AI Act). Custom retention periods can be configured at the workspace level.

Next Steps

Trust Network

Manage trust contacts and CRM

Learn more →

DRD Score

Understand trust scoring

Learn more →

Agent Health

Monitor agent health

Learn more →

Policy Engine

Rule-based governance driving trust decisions

Learn more →