Goal
Replace the current best-effort runtime/telegram_actions/ action records with a hash-chained, append-only audit log so trust posture is verifiable. Today an attacker (or a buggy hook) could silently mutate or delete an approval record without detection.
Success Criteria
- New
orchestrator/audit_log.py exposing append_audit_event(cfg, event_type, payload) that writes to runtime/audit/audit.jsonl with each line carrying {ts, event_type, payload, prev_hash, hash} where hash = sha256(prev_hash + canonical_json(payload))
- All state-mutating events route through
append_audit_event: Telegram approvals, kill-switch toggles, mode changes, autonomous issue creation (groomer / log_analyzer), autonomous PR opens, autonomous PR merges
- New
audit_verify CLI entrypoint walks the chain and reports any tampering (broken hash link)
- Daily digest gains a "audit chain status: OK" line; on tamper detection, send Telegram alert
- Regression test: synthetic chain validates clean; mutated middle line fails verification; truncated tail fails verification
Constraints
- Audit writes must be atomic (
tempfile + os.replace) to prevent partial writes from breaking the chain
- File rotates at 10 MB; rotation preserves the chain across files via a manifest of (file, last_hash)
- Keep the hash function dependency-free (
hashlib.sha256 from stdlib)
Task Type
architecture
Why
The audit story today is "tail the log". Telegram approvals, kill-switch flips, and autonomous issue creation all happen via plain JSONL writes that could be silently edited. An immutable chain is the minimum bar before agent-os can claim a defensible trust posture for anything beyond the operator's own machine.
Re-queued Context
Last agent summary
Rendered prompt is 133453 bytes, exceeding the 100000-byte ceiling.
Blockers
- Prompt size 133453 bytes exceeds 100000-byte limit.
- Retrying with more prior-attempt context will not help; the task body itself must be trimmed.
Files changed
Goal
Replace the current best-effort
runtime/telegram_actions/action records with a hash-chained, append-only audit log so trust posture is verifiable. Today an attacker (or a buggy hook) could silently mutate or delete an approval record without detection.Success Criteria
orchestrator/audit_log.pyexposingappend_audit_event(cfg, event_type, payload)that writes toruntime/audit/audit.jsonlwith each line carrying{ts, event_type, payload, prev_hash, hash}wherehash = sha256(prev_hash + canonical_json(payload))append_audit_event: Telegram approvals, kill-switch toggles, mode changes, autonomous issue creation (groomer / log_analyzer), autonomous PR opens, autonomous PR mergesaudit_verifyCLI entrypoint walks the chain and reports any tampering (broken hash link)Constraints
tempfile + os.replace) to prevent partial writes from breaking the chainhashlib.sha256from stdlib)Task Type
architecture
Why
The audit story today is "tail the log". Telegram approvals, kill-switch flips, and autonomous issue creation all happen via plain JSONL writes that could be silently edited. An immutable chain is the minimum bar before agent-os can claim a defensible trust posture for anything beyond the operator's own machine.
Re-queued Context
Last agent summary
Rendered prompt is 133453 bytes, exceeding the 100000-byte ceiling.
Blockers
Files changed