SafeClaw Audit Trail FAQ

What is the audit trail?

SafeClaw's audit trail is a complete, tamper-proof log of every action an AI agent attempted and the policy decision that was made (allow, deny, or audit). Every entry records the action type, target, timestamp, the rule that matched, and the resulting effect. The audit trail is secured with a SHA-256 hash chain that makes retroactive alteration detectable. See also: What Is SafeClaw? FAQ.

How does the hash chain work?

Each audit trail entry includes a SHA-256 hash that incorporates the entry's data and the hash of the previous entry. This creates a cryptographic chain where altering any single entry invalidates the hash of every subsequent entry. Verifying the chain is a simple forward pass: recompute each hash and confirm it matches the stored value. Any mismatch reveals tampering and identifies the exact point of alteration.

What algorithm does SafeClaw use?

SafeClaw uses SHA-256 (Secure Hash Algorithm 256-bit) for its audit trail hash chain. SHA-256 is a widely trusted cryptographic hash function used in TLS certificates, blockchain systems, and digital signatures. It produces a 256-bit (32-byte) hash that is computationally infeasible to reverse or forge. No third-party cryptographic libraries are required — SafeClaw has zero third-party dependencies.

Can the audit trail be tampered with?

The hash chain makes tampering detectable. If any entry is modified, deleted, or inserted, the SHA-256 hashes of all subsequent entries will no longer match. Verification is automatic and can be performed at any time. While no system can make data physically impossible to alter, SafeClaw's hash chain ensures that any alteration is immediately and provably detectable. See also: Enterprise and Compliance FAQ.

What information is logged?

Each audit trail entry contains: the action type (file_write, shell_exec, or network), the target (file path, command, or URL), the timestamp, the policy rule that matched, the effect applied (allow, deny, or audit), the agent identifier, and the SHA-256 hash linking it to the previous entry. The Authensor control plane receives only action metadata — never API keys, file contents, or sensitive data. See also: Privacy and Trust FAQ.

Can I export audit logs?

Yes. SafeClaw audit logs can be exported from the browser dashboard for external analysis, compliance reporting, or archival. Exported logs include the full hash chain, enabling independent verification of integrity. Logs can be integrated with existing SIEM, logging, or compliance platforms. See also: Enterprise and Compliance FAQ.

How does it help with compliance?

The tamper-proof audit trail provides a verifiable record of every action an AI agent took, which is essential for regulatory compliance frameworks that require evidence of access control and activity logging. Auditors can independently verify the hash chain to confirm that logs have not been altered. This supports requirements in SOC 2, PCI-DSS, GDPR, and other frameworks that mandate auditable access records. See also: Enterprise and Compliance FAQ.

What happens if an entry is altered?

If any entry in the audit trail is altered, the SHA-256 hash chain breaks. The hash of the altered entry will no longer match the hash stored in the next entry. A verification pass will identify the exact point of alteration and flag all subsequent entries as untrustworthy. This provides both detection (something was changed) and localization (which entry was changed).

Where is the audit trail stored?

The audit trail is stored locally alongside the SafeClaw client. Action metadata is also sent to the Authensor control plane for dashboard access and remote review. The control plane only receives action metadata (action type, target, timestamp, decision) — it never receives API keys, file contents, or sensitive data. Users can also export logs for external storage. See also: Privacy and Trust FAQ.

Can other tools read the audit log?

Yes. SafeClaw audit logs use a structured format that can be parsed by standard log analysis tools, SIEM platforms, and custom scripts. The SHA-256 hash chain can be independently verified by any tool that implements SHA-256 hashing. The export format is designed for interoperability with existing security and compliance infrastructure.