Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Auditing

Akshi produces cryptographically signed audit receipts for agent actions.

What is audited

Every capability invocation generates a receipt:

  • Inference calls (model, prompt hash, response hash, cost)
  • HTTP fetch requests (URL, status code)
  • Journal writes (entry key, content hash)
  • A2A messages (sender, receiver, task ID)
  • Approval decisions (approval ID, decision, operator)
  • Spend transactions (amount, budget remaining)

Export receipts

# Export all receipts as JSON
akshi audit export --format json > receipts.json

# Export for a specific agent
akshi audit export --agent researcher --format json

# Export a time range
akshi audit export --since 2026-03-01 --until 2026-03-17

Verify receipts

Verify the integrity of exported receipts:

akshi audit verify receipts.json

This checks:

  1. Each receipt’s Ed25519 signature against the agent’s DID.
  2. Sequence continuity (no gaps or duplicates).
  3. Hash chain integrity (each receipt references the previous).

Audit bundles

Create a self-contained audit bundle for compliance:

akshi audit bundle --output audit-2026-03.tar.gz

The bundle includes receipts, the DID document, and verification metadata. Share the bundle with auditors; they can verify it with:

akshi audit verify-bundle audit-2026-03.tar.gz

Storage

Receipts are stored in data_dir/audit/:

akshi-data/
  audit/
    receipts.db       # SQLite database of all receipts
    chain.log         # Hash chain log

Retention

Configure audit retention:

[identity]
audit_retention_days = 365

Receipts older than the retention period are pruned on startup.