visiq() call.
Envelopes are persisted server-side, off the request path, and then cryptographically attested: each one receives an asynchronous Ed25519 receipt, is committed to a Merkle batch whose root is signed by an HSM-backed key and countersigned by an independent RFC 3161 timestamp authority, and takes its place in a hash-chained transparency log. Decision Receipts covers the cryptography in depth.
What gets recorded
Each decision produces one envelope. An action-governance denial looks like this:source tells you which subsystem produced the decision, and each source carries its own decision vocabulary:
The
event field holds what happened — the payload the cryptographic receipt later signs — and attestation holds the decision metadata, both shaped per source:
action—event: { target_app, action, context },attestation: { reason, rule_id, mode }.moderecords the agent’s mode at decision time —enforce,monitor, oroff(anoff-mode call is permitted without evaluation but still recorded).retrieval—event: { operation, resource_type, resource_metadata },attestation: { reason_code, reason, rule_id }.hitl—event: { hitl_item_id, category, target_app, action, context, allow_decision_id },attestation: { responded_by, responded_at, ai_recommended_rule }.
Human adjudications are first-class evidence. When a responder approves or rejects a held action, a separate
hitl envelope records who responded and when, linked back to the originating decision via decision_id — and it receives its own cryptographic receipt like any other decision.event in a generated column the application cannot write. Verification later recomputes it, proving the record was not edited even in the window between ingest and signing.
How records become tamper-evident
Persisting the envelope is step one. An asynchronous pipeline — entirely off the decision hot path, adding zero latency to your agents — turns each envelope into independently verifiable evidence:- Ed25519 leaf receipt — the envelope’s
eventis canonicalized, hashed, and signed. The receipt (signature, public key, payload hash) is stored separately from the envelope it attests. - Merkle batching — a background worker gathers unbatched receipts and commits their leaf hashes to a single Merkle root.
- HSM root signature — the root is signed once with an HSM-backed key in AWS KMS. The private key never leaves the HSM.
- RFC 3161 timestamp — DigiCert’s timestamp authority countersigns the root: an independent third party attests when the batch existed.
- Hash-chained checkpoints — each signed batch commits to the previous batch’s root, forming an append-only transparency log whose checkpoints are published to write-once (WORM) object storage as an external witness. Deleting, reordering, or backdating any batch breaks the chain detectably — even for VisIQ.
Verify a record in one call
You don’t hand-roll any cryptography. One request re-derives and re-checks the full attestation chain:verified is true only when every applicable check passes. A freshly emitted record reports attestationStatus: "timestamp_pending" until the next batch sweep commits it — typically within a minute or two.
The dashboard runs this same verification for you: every governed event row (Harness → Runtime Enforcement) carries a record pill, and clicking through opens the record’s verification page with the full per-check breakdown.
What the audit trail proves
Consuming the trail
- Dashboard — Harness → Runtime Enforcement streams every governed event with its record attached; agent pages and the Escalations queue link to the same records.
- Query APIs —
GET /v1/allow/audit-logandGET /v1/recall/audit-logreturn the paginated decision logs, filterable by agent, decision, and date range. - Log streaming — stream decision envelopes and audit events to your SIEM. Datadog and Elasticsearch destinations are configured under Settings → Log Streaming (organization scope) or from the Integration → Connectors Log Streaming cards. Delivery is cursor-tracked: a failed batch is retried, never dropped.
- Evidence packs — export a signed, per-agent evidence bundle over a date range from the agent’s dashboard page, sized for handing to an auditor.
Cryptographic receipt issuance is plan-dependent. On every plan, all decisions are still recorded in the queryable audit logs above.
Next steps
Decision Receipts
The exact cryptography — canonicalization, signatures, Merkle proofs, timestamps — and how to verify offline.
Action Governance
How tool-call authorization decisions are made.
Retrieval Governance
How retrieval verdicts govern what context your agents see.
Platform Automation
Authenticating scripts and CI against the management API.