The predicate-authorityd sidecar generates a cryptographic proof event for every authorization mandate it issues or denies. How you handle these events depends on your environment.
By default, the sidecar writes verification events and mandate receipts to a local queue file. This mode is designed for local development, single-agent testing, and CI/CD pipeline debugging.
```bash
predicate-authorityd \
  --local-identity-enabled \
  --local-identity-registry-file ./.predicate-authorityd/local-identities.json
```

Local queue endpoints:
- `GET /ledger/flush-queue` - List pending audit events
- `GET /ledger/dead-letter` - List quarantined events
- `POST /ledger/flush-now` - Trigger immediate flush
- `POST /ledger/requeue` - Retry a quarantined event

Local sidecar logs are deliberately ephemeral:
- principal_id, action, resource) are redacted in API responses

```bash
# Configure TTL (default: 86400 seconds / 24 hours)
--queue-item-ttl-seconds 86400
```

This design reflects the operational reality of distributed systems, not an artificial limitation.
Relying on isolated sidecar logs in a production, multi-agent fleet introduces strict operational constraints:
| Constraint | Impact |
|---|---|
| Ephemeral data loss | If a container crashes or scales down, local logs are destroyed. You lose the cryptographic proof of what the agent did. |
| Lack of immutability | Local log files are mutable. A compromised host can alter or delete logs to erase an agent's tracks. |
| Fleet blindness | No native way to query a single intent_hash or principal_id across 50+ distributed sidecars. |
| Compliance gaps | SOC2, ISO 27001, and similar frameworks require Write-Once-Read-Many (WORM) retention and strict access controls. |
Building a compliant audit pipeline from ephemeral sidecar logs requires:
- principal_id, intent_hash, mandate_id queries

For production workloads, connect sidecars to the Predicate Control Plane. Instead of writing to local disk, the sidecar streams signed proof events directly into the Audit Vault.
```bash
predicate-authorityd \
  --mode cloud_connected \
  --control-plane-enabled \
  --control-plane-tenant-id "your-tenant" \
  --control-plane-project-id "your-project"
```

| Capability | Description |
|---|---|
| Immutable retention | Append-only event storage with configurable retention periods |
| Global search | Query across your entire fleet by principal_id, intent_hash, or mandate_id |
| Integrity proofs | Merkle tree inclusion proofs for any audit event |
| SIEM streaming | Webhook delivery to Datadog, Splunk, or any HTTP endpoint |
| Legal hold | Preserve audit exports beyond normal retention for investigations |
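The capability table lists Merkle inclusion proofs, and the `/audit/integrity/root` and `/audit/integrity/proof/<event_id>` calls later on this page fetch a root and a proof for one event. What a verifier does with those two values is the part worth seeing in code: recompute the leaf hash of the event, fold in each sibling hash along the path, and accept only an exact match with the published root. The Python below is an added example, not code from Predicate Systems or the predicate-authorityd project. It goes slightly beyond the page by also building a small tree from constructed sample events so the check runs offline, and by showing that an altered record fails against the same proof. The hashing details (SHA-256, 0x00/0x01 leaf and node domain prefixes, canonical JSON leaves, a proof encoded as `(sibling_hex, side)` pairs) are assumptions for illustration; the control plane's real proof format may differ, and only the verification loop carries over.

```python
"""Verify a Merkle inclusion proof for an audit event (added example).

Not the predicate-authorityd project's code. The hashing scheme (SHA-256,
0x00 leaf / 0x01 node domain prefixes, canonical JSON leaves, proof as a
list of (sibling_hex, side) pairs) is an assumption so the example runs
offline; adapt it to the control plane's actual proof encoding.
"""
import hashlib
import json

LEAF_PREFIX = b"\x00"  # domain separation: a node hash can never be
NODE_PREFIX = b"\x01"  # passed off as a leaf hash, or vice versa


def leaf_hash(event: dict) -> bytes:
    # Canonical JSON so prover and verifier hash byte-identical input.
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(LEAF_PREFIX + canonical).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _padded(level: list) -> list:
    # An odd-sized level duplicates its last node so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else level


def build_tree(leaves: list) -> list:
    """Return tree levels: levels[0] = leaf hashes, levels[-1] = [root]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = _padded(levels[-1])
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def inclusion_proof(levels: list, index: int) -> list:
    """Sibling path from leaf `index` up to the root: [(sibling_hex, side), ...]."""
    proof = []
    for level in levels[:-1]:
        level = _padded(level)
        side = "right" if index % 2 == 0 else "left"  # where the sibling sits
        proof.append((level[index ^ 1].hex(), side))
        index //= 2
    return proof


def verify_inclusion(event: dict, proof: list, root_hex: str) -> bool:
    """Recompute the root from the event and its proof; True only on exact match."""
    h = leaf_hash(event)
    for sibling_hex, side in proof:
        sib = bytes.fromhex(sibling_hex)
        h = node_hash(h, sib) if side == "right" else node_hash(sib, h)
    return h.hex() == root_hex


# Constructed sample events, not real audit data. Field names follow the ones
# this page uses; the `decision` field is an assumption.
SAMPLE_EVENTS = [
    {"event_id": "evt-1", "principal_id": "agent-a", "action": "read",
     "resource": "db://orders", "intent_hash": "ih-111", "mandate_id": "m-1", "decision": "issued"},
    {"event_id": "evt-2", "principal_id": "agent-b", "action": "write",
     "resource": "db://orders", "intent_hash": "ih-222", "mandate_id": "m-2", "decision": "denied"},
    {"event_id": "evt-3", "principal_id": "agent-a", "action": "read",
     "resource": "s3://bucket/report.csv", "intent_hash": "ih-333", "mandate_id": "m-3", "decision": "issued"},
    {"event_id": "evt-4", "principal_id": "agent-c", "action": "delete",
     "resource": "s3://bucket/report.csv", "intent_hash": "ih-444", "mandate_id": "m-4", "decision": "denied"},
    {"event_id": "evt-5", "principal_id": "agent-a", "action": "read",
     "resource": "db://orders", "intent_hash": "ih-111", "mandate_id": "m-5", "decision": "issued"},
]


def demo() -> dict:
    """Five leaves (odd count, exercising the padding rule); verify evt-3."""
    levels = build_tree([leaf_hash(e) for e in SAMPLE_EVENTS])
    root_hex = levels[-1][0].hex()          # what /audit/integrity/root would return
    event, proof = SAMPLE_EVENTS[2], inclusion_proof(levels, 2)  # what .../proof/<event_id> would return
    tampered = dict(event, action="delete")  # an altered record must not verify
    return {
        "root": root_hex,
        "genuine_verifies": verify_inclusion(event, proof, root_hex),
        "tampered_verifies": verify_inclusion(tampered, proof, root_hex),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as strong as the root you compare against: fetch the root independently of the proof (and ideally pin or log it out-of-band) rather than trusting a root that arrives in the same response as the proof.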
Verify any audit event is included in the tenant's tamper-evident log:
```bash
# Get current Merkle root
curl -s "https://api.predicatesystems.dev/v1/audit/integrity/root?tenant_id=your-tenant" \
  -H "Authorization: Bearer $TOKEN" | jq

# Get inclusion proof for specific event
curl -s "https://api.predicatesystems.dev/v1/audit/integrity/proof/<event_id>?tenant_id=your-tenant" \
  -H "Authorization: Bearer $TOKEN" | jq
```

Export audit events for compliance reporting or external analysis:
```bash
# Create export job
curl -s -X POST "https://api.predicatesystems.dev/v1/audit/exports" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "tenant_id": "your-tenant",
    "start_time": "2024-01-01T00:00:00Z",
    "end_time": "2024-01-31T23:59:59Z",
    "format": "jsonl"
  }' | jq

# Download completed export
curl -s "https://api.predicatesystems.dev/v1/audit/exports/<export_id>/download" \
  -H "Authorization: Bearer $TOKEN" -o audit-export.jsonl.gz
```

| Environment | Recommended Approach |
|---|---|
| Local development | Local sidecar logging (default) |
| CI/CD pipelines | Local sidecar logging with test assertions |
| Staging / Pre-prod | Control-plane connected for integration testing |
| Production | Control-plane connected with SIEM streaming |
| Regulated industries | Control-plane with legal hold and retention attestation |
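The `jsonl` export downloaded above is what you hand to auditors or load into a SIEM; it is also the simplest offline way to answer the fleet-wide questions the constraints table raises (which principal did what, and where a given intent_hash or mandate_id turned up) without a live control-plane query. The script below is an added example, not part of the product: it reads a gzipped JSONL export, refuses to load a file containing a malformed or incomplete record rather than silently skipping it, and indexes events by the three identifiers this page names. The sample export is constructed in memory; the page does not document the export record schema, so the `decision` field with `issued`/`denied` values is an assumption for illustration.

```python
"""Query a downloaded audit export offline (added example, not product code).

The record schema is an assumption: the page names principal_id, action,
resource, intent_hash and mandate_id; the `decision` field and its
issued/denied values are invented here for illustration.
"""
import gzip
import io
import json
from collections import Counter, defaultdict

REQUIRED = ("event_id", "principal_id", "action", "resource",
            "intent_hash", "mandate_id", "decision")

# Constructed sample records, not real audit data.
SAMPLE_RECORDS = [
    {"event_id": "evt-1", "principal_id": "agent-a", "action": "read",
     "resource": "db://orders", "intent_hash": "ih-111", "mandate_id": "m-1", "decision": "issued"},
    {"event_id": "evt-2", "principal_id": "agent-b", "action": "write",
     "resource": "db://orders", "intent_hash": "ih-222", "mandate_id": "m-2", "decision": "denied"},
    {"event_id": "evt-3", "principal_id": "agent-a", "action": "delete",
     "resource": "s3://bucket/x", "intent_hash": "ih-333", "mandate_id": "m-3", "decision": "denied"},
    {"event_id": "evt-4", "principal_id": "agent-c", "action": "read",
     "resource": "db://orders", "intent_hash": "ih-111", "mandate_id": "m-4", "decision": "issued"},
]


def build_export(records: list) -> bytes:
    """Gzip one JSON object per line, the layout of audit-export.jsonl.gz."""
    buf = io.BytesIO()
    with gzip.open(buf, "wt", encoding="utf-8") as f:
        for rec in records:
            f.write(json.dumps(rec) + "\n")
    return buf.getvalue()


def load_export(data: bytes) -> list:
    """Parse a gzipped JSONL export.

    A malformed or incomplete line raises instead of being skipped: an audit
    export that silently drops records is worse than a failed load.
    """
    records = []
    with gzip.open(io.BytesIO(data), "rt", encoding="utf-8") as f:
        for lineno, line in enumerate(f, 1):
            line = line.strip()
            if not line:
                continue
            try:
                rec = json.loads(line)
            except json.JSONDecodeError as exc:
                raise ValueError(f"line {lineno}: malformed JSON") from exc
            missing = [k for k in REQUIRED if k not in rec]
            if missing:
                raise ValueError(f"line {lineno}: missing fields {missing}")
            records.append(rec)
    return records


class AuditIndex:
    """In-memory index over exported events keyed by the page's identifiers."""

    KEYS = ("principal_id", "intent_hash", "mandate_id")

    def __init__(self, records: list):
        self.records = records
        self._by = {k: defaultdict(list) for k in self.KEYS}
        for rec in records:
            for key in self.KEYS:
                self._by[key][rec[key]].append(rec)

    def find(self, **where) -> list:
        """find(principal_id=...), find(intent_hash=...) or find(mandate_id=...)."""
        (key, value), = where.items()
        return list(self._by[key].get(value, []))

    def decisions_by_principal(self) -> dict:
        """{principal_id: {decision: count}}: a quick denial review per agent."""
        out = defaultdict(Counter)
        for rec in self.records:
            out[rec["principal_id"]][rec["decision"]] += 1
        return {p: dict(c) for p, c in out.items()}


def demo() -> dict:
    index = AuditIndex(load_export(build_export(SAMPLE_RECORDS)))
    try:  # an export containing an incomplete record must not load
        load_export(build_export([{"event_id": "evt-x"}]))
        rejected_incomplete = False
    except ValueError:
        rejected_incomplete = True
    return {
        "agent_a_events": [r["event_id"] for r in index.find(principal_id="agent-a")],
        "ih_111_principals": sorted(r["principal_id"] for r in index.find(intent_hash="ih-111")),
        "m_2_decision": index.find(mandate_id="m-2")[0]["decision"],
        "decisions": index.decisions_by_principal(),
        "rejected_incomplete": rejected_incomplete,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For a real export, replace `build_export(SAMPLE_RECORDS)` with the bytes of `audit-export.jsonl.gz`; the index is in-memory, so for month-scale exports from a large fleet you would stream the records into a database or SIEM instead.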