# Audit Logging
## Design
Audit logs are append-only JSON lines with hash chaining:
- `prev_hash`: previous entry hash.
- `entry_hash`: hash of current entry payload + previous hash.
This makes tampering detectable.
## Event Types
- `tool_invocation`
- `access_denied`
- `security_event`
Each event includes timestamps and correlation context.
## Integrity Validation
Use:
```bash
python3 scripts/validate_audit_log.py --path /var/log/aegis-mcp/audit.log
```
Exit code `0` indicates a valid chain; a non-zero exit code indicates tampering or corruption.
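The following sketch shows how a `prev_hash` / `entry_hash` chain can be built and checked. It is an added example, not the project's `scripts/validate_audit_log.py`. SHA-256, the canonical JSON serialization, the all-zero genesis value, and the `event`, `ts` and `correlation_id` field names are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first entry


def entry_digest(payload: dict, prev_hash: str) -> str:
    """Hash the canonical JSON payload together with the previous hash (assumed scheme)."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_entry(lines: list, payload: dict) -> None:
    """Append one chained JSON line to an in-memory log."""
    prev = json.loads(lines[-1])["entry_hash"] if lines else GENESIS
    record = dict(payload, prev_hash=prev, entry_hash=entry_digest(payload, prev))
    lines.append(json.dumps(record, sort_keys=True))


def verify_chain(lines: list):
    """Return (True, None) for an intact chain, else (False, 1-based line number)."""
    expected_prev = GENESIS
    for lineno, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
            claimed = record.pop("entry_hash")
            prev = record.pop("prev_hash")
        except (ValueError, KeyError, AttributeError, TypeError):
            return False, lineno  # corrupt, truncated, or malformed line
        if prev != expected_prev or entry_digest(record, prev) != claimed:
            return False, lineno  # broken link or modified payload
        expected_prev = claimed
    return True, None


def build_sample_log() -> list:
    """Constructed sample entries using the page's three event types."""
    log = []
    for i, event in enumerate(("tool_invocation", "access_denied", "security_event")):
        append_entry(log, {"event": event, "ts": f"2024-01-01T00:00:0{i}Z", "correlation_id": f"c-{i}"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_chain(log))
    log[1] = log[1].replace("access_denied", "tool_invocation")  # simulate an edit
    print(verify_chain(log))
```

Chaining alone does not reveal removal of trailing entries, because a shortened log is still a valid chain. Recording the latest `entry_hash` somewhere the log writer cannot modify closes that gap.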
## Operational Expectations
- Persist audit logs to durable storage.
- Protect write permissions (service account only).
- Validate integrity during incident response and release checks.