Audit, Verification, And Retention

The backend records administrative and other sensitive actions in the audit log and public verification attempts in verification_log. The maintenance worker handles retention, anonymization of verification metadata, and tamper-evident chain checks.

Audit Routes

| Route | Role | Scope |
| --- | --- | --- |
| GET /admin/api/v1/audit | PLATFORM_ADMIN, BILLING_OPERATOR | Recent audit rows across the instance. |
| GET /api/v1/audit | CLIENT_ADMIN, AUDITOR | Tenant-scoped audit rows. |

Audit entries are append-oriented and include hash-chain fields. The maintenance worker verifies audit-chain continuity and records metrics/alerts on breaks.

Verification Routes

| Route | Role | Purpose |
| --- | --- | --- |
| GET /admin/api/v1/verification-log | PLATFORM_ADMIN, BILLING_OPERATOR | Inspect public verification attempts and statuses. |
| GET /admin/api/v1/verification-log/export | PLATFORM_ADMIN, BILLING_OPERATOR | Export verification logs for SIEM or incident review. |
| GET / POST /verify | Public | Verify by public code, certificate ID, canonical hash, or tx hash. |
| GET / POST /api/v1/public/verify | Public | Versioned public verification alias. |

Public verification attempts store hashed requester IP/user-agent metadata. Metadata is anonymized according to RETENTION_VERIFICATION_METADATA_TTL.

Verification Statuses

| Status | Meaning |
| --- | --- |
| VALID | Certificate, canonical content, HMAC/PAdES, and anchor checks pass. |
| VALID_NO_ANCHOR | Certificate is valid but not anchored. |
| REVOKED | Certificate was revoked. |
| UNKNOWN_CERTIFICATE | No certificate matched the supplied public identifiers. |
| IDENTIFIER_MISMATCH | Multiple identifiers were supplied but did not point to the same certificate. |
| INVALID_SIGNATURE | PAdES verification failed. |
| INVALID_HMAC | Defensive HMAC verification failed. |
| TAMPERED | Canonical data mismatch or integrity failure. |
| NOT_ANCHORED | Expected anchor data is missing. |
| BLOCKCHAIN_UNAVAILABLE | Chain lookup failed. |
| UNAUTHORIZED_ANCHOR_SENDER | Anchor sender is not authorized for the certificate timestamp. |
| INVALID_REQUEST | Request did not contain a valid verification lookup. |
| RATE_LIMITED | Public verification rate limit rejected the request. |

Retention Settings

| Variable | Default intent |
| --- | --- |
| RETENTION_AUDIT_LOG_TTL | Keep audit logs for 5 years. |
| RETENTION_VERIFICATION_LOG_TTL | Keep public verification logs for 5 years. |
| RETENTION_VERIFICATION_METADATA_TTL | Clear requester IP/user-agent hashes after 90 days. |
| RETENTION_CLEANUP_INTERVAL | Maintenance worker cadence. |
| RETENTION_BATCH_SIZE | Maximum rows touched per pass. |

WORM/Object Lock is deferred by product direction in this repository. Do not represent it as active until the product decision changes and storage policy is implemented.

Maintenance Worker

The command is:

  /app/worker maintenance

If WORKER_POLL_INTERVAL is unset, the worker uses the configured retention cleanup interval. It also verifies audit and receipt chains when the chain verification interval is configured.

Operator Checks

| Check | SQL or route |
| --- | --- |
| Recent audit entries | GET /admin/api/v1/audit |
| Public verification anomalies | GET /admin/api/v1/verification-log |
| SIEM export | GET /admin/api/v1/verification-log/export |
| Retention progress | Maintenance worker logs and row counts. |
| Audit chain breaks | Grafana integrity metrics and maintenance worker logs. |

When retention prunes the oldest audit rows, the first remaining row becomes the trusted start for later chain verification. Preserve external backups before any retention policy change.
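The following is an added illustration of the hash-chain continuity check described above (the append-only chain, the trusted-start rule after retention pruning, and break detection). It is not the maintenance worker's own code; the row layout, field names, hash construction and the sample rows are all assumptions made for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the very first row ever written

def row_hash(prev_hash: str, fields: dict) -> str:
    # Digest covers the previous row's hash plus a canonical JSON encoding of
    # this row's fields, so any edit or key reordering changes the hash.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def append_row(chain: list, fields: dict) -> dict:
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    row = {"prev_hash": prev_hash, **fields, "hash": row_hash(prev_hash, fields)}
    chain.append(row)
    return row

def verify_chain(chain: list) -> tuple:
    """Return (ok, index_of_first_break); (True, -1) when the chain is intact.
    The first row is the trusted start: its hash is recomputed, but its
    prev_hash is not resolved, because after retention pruning the row it
    points to no longer exists."""
    for i, row in enumerate(chain):
        fields = {k: v for k, v in row.items() if k not in ("prev_hash", "hash")}
        if row_hash(row["prev_hash"], fields) != row["hash"]:
            return False, i  # row body edited after it was written
        if i > 0 and row["prev_hash"] != chain[i - 1]["hash"]:
            return False, i  # link to predecessor broken (splice or deletion)
    return True, -1

def retention_prune(chain: list, keep: int) -> list:
    # Drops the oldest rows; the first surviving row becomes the new trusted start.
    return chain[-keep:]

def build_sample_chain() -> list:
    # Constructed sample rows for the example; not taken from any real audit log.
    chain = []
    actions = ["certificate.issue", "certificate.revoke", "user.role.change", "export.run"]
    for n, action in enumerate(actions, start=1):
        append_row(chain, {"id": n, "actor": "admin@example.test", "action": action})
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    print("full chain:", verify_chain(chain))                            # (True, -1)
    print("after retention:", verify_chain(retention_prune(chain, 2)))  # (True, -1)
    chain[1]["action"] = "certificate.issue"  # edit a stored row in place
    print("after tamper:", verify_chain(chain))                          # (False, 1)
```

Because the trusted start is whatever row survives pruning, a break before it can no longer be detected from the database alone, which is why the page says to preserve external backups before changing a retention policy.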