# Pattern: Central Audit Ledger Status: seed Readiness target: RL3 production Primary owners: NetKingdom, Railiance platform, State Hub ## Problem Security-relevant events lose accountability when identity, policy, OpenBao, Kubernetes, deployment, and workload logs remain disconnected. ## Context Use this pattern when platform actions, tenant actions, agent actions, policy decisions, secret access, deployments, and data access must be correlated for operations, incident response, and customer trust. ## Forces - Logs are high volume, but audit events must be durable and searchable. - Tenants may need partial visibility without seeing platform secrets. - Agents and humans need distinct attribution. - Correlation ids must cross system boundaries. ## Solution Define a central security event taxonomy and durable audit ledger for security-sensitive actions. Every protected system emits events with actor, tenant, resource, action, decision, correlation id, and source. ## Implementation Sketch 1. Define security event classes and required fields. 2. Emit events from key-cape, flex-auth, Topaz, OpenBao, Kubernetes, artifact-store, ops-bridge, and workloads. 3. Preserve correlation ids across request, decision, secret, and data paths. 4. Protect ledger retention, access, and integrity. 5. Add tenant-visible projections where appropriate. ## Failure Modes | Failure | Mitigation | | --- | --- | | Logs exist but cannot answer who did what | require actor/resource/action fields | | Tenant-visible logs expose platform internals | define projection and redaction rules | | Agent events hide behind human account | require explicit agent identity | | Audit sink outage loses privileged events | fail closed for privileged paths or buffer under policy | ## Related Capabilities - Observability, detection, and audit. - Incident response and recovery. - Authorization and access control. - Agent access control. ## Maturity Seed. The need is clear, but storage, retention, projection, and State Hub integration decisions remain open. ## Verification - Critical systems emit events with required fields. - A single correlation id links identity, policy, secret, and workload events. - Ledger access is protected and audited. - Tenant-visible views contain only tenant-appropriate records. ## Research Basis Seeded by security logging, central log collection, audit trail, tenant visible audit logs, and security event taxonomy. ## References - Initial exploration: Observability, detection, and audit. - Initial exploration: Detection and response patterns.