Audit Source
Universal source-audit. Generalises the zeq-portable continuous-audit pattern into a framework primitive that audits any server, any device, any website, any hardware.
- Group root: /api/zeq/audit-source/*
- Storage: Postgres audit_log chain
- Identity: ZID-XXXXXXXX
What it is
A pluggable "source adapter" pattern. The adapter reads events from any upstream — an HTTP webhook, a local directory, a polled JSON endpoint, a Mongo change stream, a Postgres logical-decoding slot, an S3 bucket, an MQTT topic, a Redis keyspace notification, a Kafka consumer group — and pipes each event into the existing Zeq audit_log chain.
Each event becomes one chain row with:
- transition_type: "event"
- operator_id: "SOURCE-AUDIT"
- proof_digest = sha256({ doc_hash, zeqond, phase, operator: "KO42", source_type, source_id })
- envelope contains source type, source id, namespace, raw event verb, optional source token

Every running source-audit agent has its own ZID, the same identity primitive used by human users and genetic agents. Agents survive api-core restarts via bootRestoreSourceAudits(), which resumes from last_checkpoint.
Built-in adapters
| Type | What it audits | Config |
|---|---|---|
| http_webhook | Anything that can POST JSON | { secret?, defaultEventType?, defaultNamespace? } |
| filesystem_watch | Any directory on disk | { path, recursive?, debounceMs?, hashContents?, maxFileBytes? } |
| generic_polling | Any HTTP/JSON endpoint | { url, intervalZeqonds?, headers?, method?, body?, emitOn?, timeoutMs?, maxBytes? } |
| mongo_change_stream | MongoDB collection or whole cluster | { uri, db?, collections?, fullDocument? } |
| postgres_logical | Postgres LISTEN/NOTIFY channel | { uri, channel } |
| s3_notification | S3 bucket events via SQS | { region, queueUrl } |
| mqtt | IoT MQTT broker | { url, topics[], username?, password? } |
| redis_keyspace | Redis key changes | { url, patterns[] } |
| kafka_consumer | Kafka topic | { brokers[], groupId, topics[] } |
Native adapters use dynamic import() so api-core only loads the driver you actually configure. Install the matching npm package on the host running the daemon (mongodb, pg, @aws-sdk/client-sqs, mqtt, redis, kafkajs).
ZeqProof formula (verifiable offline)
    proof_digest = sha256(JSON.stringify({
      doc_hash: sha256(canonical(event_payload)),
      zeqond: Math.floor(unix_time / 0.777),
      phase: (unix_time mod 0.777) / 0.777,
      operator: "KO42",
      source_type: "<adapter type>",
      source_id: "<stable id within source>",
    }))
Anyone with the event payload + the entangled state row's zeqond, phase, source_type, source_id can recompute the digest and confirm the row was not retroactively rewritten.
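The offline check described above, as an added example (not the project's own code). It assumes `canonical()` means JSON with recursively sorted keys, that digests are lowercase hex, and that a row exposes `zeqond`, `phase`, `source_type`, `source_id` and `proof_digest` under those names; the sample row is constructed.

```javascript
// Added example: recompute proof_digest offline for one audit_log row.
const { createHash } = require("node:crypto");

const ZEQOND_SECONDS = 0.777; // period from the formula above
const sha256Hex = (s) => createHash("sha256").update(s, "utf8").digest("hex");

// ASSUMPTION: canonical() = JSON with object keys sorted recursively.
// The payload is expected to be plain JSON data (no undefined, no functions).
function canonical(value) {
  if (Array.isArray(value)) return `[${value.map(canonical).join(",")}]`;
  if (value !== null && typeof value === "object") {
    const members = Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonical(value[k])}`);
    return `{${members.join(",")}}`;
  }
  return JSON.stringify(value);
}

// zeqond and phase as the formula defines them, from Unix time in seconds.
function zeqTime(unixTime) {
  return {
    zeqond: Math.floor(unixTime / ZEQOND_SECONDS),
    phase: (unixTime % ZEQOND_SECONDS) / ZEQOND_SECONDS,
  };
}

// Field order follows the formula; JSON.stringify keeps insertion order.
function proofDigest(payload, { zeqond, phase, source_type, source_id }) {
  return sha256Hex(JSON.stringify({
    doc_hash: sha256Hex(canonical(payload)),
    zeqond, phase, operator: "KO42", source_type, source_id,
  }));
}

// True only when the stored digest equals the recomputed one.
function verifyRow(payload, row) {
  return proofDigest(payload, row) === row.proof_digest;
}

// Constructed sample row for the demonstration (not real data).
function sampleRow(payload) {
  const fields = { ...zeqTime(1700000000), source_type: "filesystem_watch",
                   source_id: "/var/data/report.csv" };
  return { ...fields, proof_digest: proofDigest(payload, fields) };
}
```

Because `phase` is a floating-point number, the verifier must feed in the row's stored value exactly as serialised rather than recomputing it from a rounded timestamp.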
Endpoints
- GET /audit-source/types — adapter registry
- POST /audit-source/spawn — register a new source-audit agent
- GET /audit-source/list — list agents for a machine
- GET /audit-source/:id/status — full status + metrics
- POST /audit-source/:id/event — webhook intake (used by http_webhook)
- POST /audit-source/:id/sweep — one-shot catch-up
- POST /audit-source/:id/kill
- GET /audit-source/:id/narrations — LLM forensic prose
Standalone daemon
For "any server, any device" deployment, the framework ships apps/zeq-audit-daemon/ — a single Node process that connects to your zeq-framework over HTTPS, registers source-audit agents from a config file, runs them locally, and pipes events back through the API. See Self-hosting → Audit Daemon.
Reference
- Source: shared/api-core/src/lib/dataSourceAudit/
- Routes: shared/api-core/src/routes/dataSourceAudit.ts
- Schema: app/lib/db/src/schema/{data-source-audits,source-audit-metrics,source-narrations}.ts
- Migration: app/lib/db/migrations/0003_universal_source_audit.sql
Universal across servers, devices, websites, and hardware. KO42 phase-locked at 1.287 Hz.