Audit Logging
HMAC-chain tamper-evident audit logging with SIEM integration for compliance.
Baker Street's enterprise audit system produces a tamper-evident log of every significant action. Events are signed with an HMAC chain, making it cryptographically detectable if any entry is modified, deleted, or reordered after the fact.
How It Works
Every auditable event produces a structured log entry with these fields:
```json
{
  "timestamp": "2025-03-15T10:30:00.000Z",
  "eventType": "tool_call",
  "service": "brain",
  "userId": "user_abc123",
  "conversationId": "conv_def456",
  "toolName": "command_execute",
  "toolInput": {"command": "kubectl get pods -n baker-street"},
  "guardrailResult": "approved",
  "traceId": "trace_789...",
  "sequence": 10847,
  "hmac": "sha256:abcdef123456..."
}
```
Each entry's hmac field is computed over the entry content plus the previous entry's HMAC, forming a chain. If any entry in the chain is tampered with, all subsequent HMACs become invalid.
Write-Only Architecture
The audit system is write-only from the application's perspective. The Brain and Workers can append events but cannot read or modify the audit trail. This is enforced at the infrastructure level:
- Audit events are shipped to an external sink (Loki, Splunk, Datadog, or a file-based collector)
- The application has no credentials to query or delete from the audit sink
- Retention and access policies are managed by the SIEM, not by Baker Street
Event Types
The audit system captures these event categories:
| Event Type | Description |
|---|---|
| conversation_start | New conversation initiated |
| tool_call | Any tool invocation (with input and output) |
| guardrail_check | Guardrail evaluation result (approve/reject) |
| approval_request | Human-in-the-loop approval requested |
| approval_response | Human approved or denied an operation |
| memory_write | New memory stored or existing memory updated |
| memory_delete | Memory entry deleted |
| extension_connect | MCP extension connected |
| extension_disconnect | MCP extension disconnected |
| task_pod_launch | Ephemeral task pod created |
| auth_event | Login, logout, token refresh |
| config_change | Configuration or personality file change |
SIEM Integration
Configure the audit sink via environment variables on the Brain:
```yaml
# Loki (push API)
AUDIT_SINK: "loki"
AUDIT_LOKI_URL: "http://loki.observability:3100"
AUDIT_LOKI_LABELS: "app=baker-street,env=production"

# Splunk (HEC)
AUDIT_SINK: "splunk"
AUDIT_SPLUNK_URL: "https://splunk.example.com:8088"
AUDIT_SPLUNK_TOKEN: "splunk-hec-token"

# Datadog
AUDIT_SINK: "datadog"
AUDIT_DATADOG_API_KEY: "dd-api-key"
AUDIT_DATADOG_SITE: "datadoghq.com"

# File (for development/testing)
AUDIT_SINK: "file"
AUDIT_FILE_PATH: "/var/log/baker-street/audit.jsonl"
```
Verification
The HMAC chain can be verified offline with the included verification tool:
```bash
# Verify chain integrity from exported audit log
baker-audit verify --input audit-export.jsonl --key "$AUDIT_HMAC_KEY"
Verified 10,847 events. Chain integrity: VALID
No gaps, modifications, or reordering detected.
```
This verification can run as a scheduled job, a CI pipeline step, or a manual compliance check. Any broken link in the chain indicates tampering.
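
The chaining described under How It Works and the offline check described here can be sketched as follows. This is an added example, not Baker Street's code or the `baker-audit` implementation: the canonical JSON encoding, the empty genesis value, the test key and the names `entry_mac`, `append`, `verify` and `sample_log` are all assumptions.

```python
import hashlib
import hmac
import json

GENESIS = ""  # assumption: value chained into the very first entry


def entry_mac(key: bytes, entry: dict, prev_mac: str) -> str:
    """HMAC-SHA256 over the canonical entry body plus the previous entry's MAC."""
    body = {k: v for k, v in entry.items() if k != "hmac"}
    # Assumption: canonical form is compact JSON with sorted keys.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    digest = hmac.new(key, (canonical + prev_mac).encode(), hashlib.sha256)
    return "sha256:" + digest.hexdigest()


def append(key: bytes, log: list, event: dict) -> None:
    """Writer side: assign the next sequence number and chain to the last MAC."""
    prev = log[-1]["hmac"] if log else GENESIS
    entry = dict(event, sequence=len(log) + 1)
    entry["hmac"] = entry_mac(key, entry, prev)
    log.append(entry)


def verify(key: bytes, log: list, expected_count=None) -> list:
    """Return (position, reason) findings; an empty list means the chain is intact."""
    findings, prev = [], GENESIS
    for pos, entry in enumerate(log):
        if entry.get("sequence") != pos + 1:
            findings.append((pos, "sequence gap or reorder"))
        expected = entry_mac(key, entry, prev)
        if not hmac.compare_digest(expected, str(entry.get("hmac", ""))):
            findings.append((pos, "hmac mismatch"))
        prev = str(entry.get("hmac", ""))  # chain on the stored value to localise the break
    if expected_count is not None and len(log) != expected_count:
        findings.append((len(log), "truncated tail"))
    return findings


def sample_log(key: bytes) -> list:
    """Constructed sample events (not real Baker Street data)."""
    log = []
    for kind in ("conversation_start", "tool_call", "guardrail_check", "approval_request"):
        append(key, log, {"eventType": kind, "service": "brain", "userId": "user_abc123"})
    return log
```

Because `verify` continues from each stored `hmac`, a single edited entry is reported at its own position. Removing entries from the end leaves a shorter chain that still verifies, so the expected count (or the last known `hmac`) has to come from outside the log.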
Retention
Audit retention is configured at the SIEM level, not within Baker Street. Typical configurations:
- SOC 2 -- minimum 1 year retention
- ISO 27001 -- per organizational policy, typically 1-3 years
- Internal -- 90 days for development, 1 year for production