الانتقال إلى المحتوى الرئيسي

Universal Source-Audit

One sentence. Pipe events from any server, device, website, or hardware into the Zeq audit_log chain — same row shape regardless of source — and verify them anywhere with the public proof formula.

The problem

Every system that matters keeps an audit log. Most of them are bespoke per-source: a Mongo trigger here, a Postgres LISTEN there, a custom HTTP webhook receiver, an S3 notification consumer, an MQTT logger for IoT. Each one rolls its own schema, its own integrity story, its own retention model. Reconciling across them is a project.

Universal source-audit collapses that down to one chain, one row shape, one proof formula, one observer.

The shape

                            ┌──────────────────────────┐
   any source ──── adapter ─→  Stamper (KO42 + zeqond) ─→  audit_log chain
                            │  ZeqProof = sha256(…)     │   (Postgres,
   HTTP webhook              │                          │    SHA-256 prev_hash
   filesystem watch          │  ZID-XXXXXXXX agent     │    linkage)
   generic polling           │  per source              │
   MongoDB change stream     │                          │
   Postgres LISTEN/NOTIFY    └──────────┬───────────────┘
   S3 / SQS notifications               │
   MQTT (IoT)                  ┌────────┴────────┐
   Redis keyspace              │                 │
   Kafka consumer       Observer feed     LLM Narrator
                        (SOURCE-AUDIT     (BYOK forensic
                         filter pill)      prose)

Same audit_log table the framework already maintains for state-machine ticks. New rows have:

  • transition_type: "event"
  • operator_id: "SOURCE-AUDIT" (in the envelope)
  • proof_digest: 64-hex SHA-256
  • envelope contains source_type, source_id, source_namespace, event_type, document_hash, source_token

The proof formula

Verifiable offline. Anyone with the event payload + zeqond + phase + source_type + source_id can recompute the digest:

proof_digest = sha256(JSON.stringify({
  doc_hash:    sha256(canonical(event_payload)),
  zeqond:      Math.floor(unix_time / 0.777),
  phase:       (unix_time mod 0.777) / 0.777,
  operator:    "KO42",
  source_type: "<adapter type>",
  source_id:   "<stable id within source>"
}))

canonical(...) is RFC 8785 JSON Canonicalization Scheme (sorted keys, ISO Date strings). Same algorithm zeq-portable used; existing tooling re-verifies.

What "universal" means

Source axisConcretely
ServersAny HTTP server can POST to the webhook adapter. Postgres / MongoDB / Kafka / Redis hosts get their dedicated adapters.
DevicesThe standalone daemon runs on laptops, Raspberry Pi, embedded Linux, Docker, VPS, anywhere with Node 20+.
WebsitesStripe, GitHub, Shopify, Zapier, Discord — anything with a webhook config — becomes an audit source in two clicks.
HardwareMQTT brokers carry sensor payloads; the MQTT adapter stamps each reading. Filesystem-watch covers anything that writes to disk.

The entangled state doesn't know which adapter produced a row. It just knows it received an event, computed a proof, linked it to the previous row's hash, and committed.

Identity: ZIDs, not opaque UUIDs

Each source-audit agent is addressable as ZID-XXXXXXXX — same identity primitive used by human users and genetic agents. ZID-c74dd5a7 could be your "Production logs" filesystem watcher, talked to by name in a chat (/agent ZID-c74dd5a7) and clickable in the picker on every chat surface.

Owner relationships, role grants, and audit attribution all reuse the existing ZeqAuth-V3 stack — no new identity model.

Operational guarantees

  • Boot-restore. Every agent with status='running' on api-core start is automatically resumed from its last_checkpoint. Restarting the framework doesn't lose anything.
  • Idempotent sweep. POST /api/zeq/audit-source/:id/sweep re-reads from the checkpoint with documentHash dedupe upstream — safe to re-run.
  • Tamper detection. The narrator daemon's verifier walks the entangled state every 10 zeqonds, recomputes hashes, flags broken prev_hash linkage as tamper_events.
  • Per-agent rate limit. webhook intake is 600 req/min/agent; spawn / sweep / kill are auth-gated and rate-capped.

When to use it

Use it when you need durable, cross-source proof of what happened. Compliance audits, financial reconciliation, IoT sensor traces, file-integrity monitoring, reproducible bug reports, regulatory submissions. Anywhere your answer to "did event X actually happen at time T?" needs to be more than "I think so."

Don't use it as a metrics pipeline. It's append-only and per-event; high-cardinality counters belong in your existing telemetry stack. Ship the rolled-up summary as one source-audit event per period if you want a chained record.

Getting started

  • Browser-only path (no terminal): open /apps/zeq-audit-daemon/, pick a machine, spawn an http_webhook agent, point your upstream at /api/zeq/audit-source/:id/event.
  • Local-source path (filesystem, Mongo, Postgres, MQTT, Redis, Kafka): run the standalone daemon — see Operate → Audit Daemon.
  • API reference: API → Audit Source.

Reference

  • Live dashboard: /apps/zeq-audit-daemon/ on any zeq-dev origin.
  • Public API: /api/zeq/audit-source/*.
  • Standalone daemon: apps/zeq-audit-daemon/ in the framework repo.
  • Schema: app/lib/db/migrations/0003_universal_source_audit.sql.

KO42 is mandatory. Every event lands at 1.287 Hz, sealed by a recomputable digest. Awaiting next Zeqond.