Service 08

Audit + Compliance Trail

Every bypass is an event. With an actor. With a reason. With a TTL. SOC2 evidence by construction — your override log isn't a story you tell, it's a file you export.


The problem

--no-verify is silent. SOC2 audits aren't.

The default "bypass the gate" path on most teams is git's --no-verify, which skips the pre-commit, commit-msg and pre-push hooks outright. It produces no record. Nobody knows it happened. Compliance can't audit what wasn't recorded. SOC2 auditors ask "show me your override log" and the answer is "we don't have one; we trust engineers to commit responsibly."

That answer doesn't pass an audit. It also doesn't pass a post-incident review when a bypass turns out to have been the proximate cause.


How it works

Append-only NDJSON with structured reason taxonomy.

The trail is an append-only NDJSON file at .git/agent-reviews/_runs.ndjson. Every gate run writes one line. Every bypass writes a line with a structured reason from the policy taxonomy — actor, timestamp, gate, reason ID, TTL, optional evidence link (an issue, an incident, a cycle doc section).

The bypass actor allowlist is enforced at runtime: only allowlisted actors can record a structured bypass; everyone else gets a hard refusal. The reason taxonomy is loaded from darkfactory.yaml, and free-text reasons are rejected, so every bypass is queryable by reason ID rather than by prose. Exporting a SOC2-mapped compliance bundle is a single command because the trail is already structured for it. One caveat worth stating plainly: a file under .git is writable by whoever runs the hook, so "append-only" there is a property of the writer, not of the filesystem, and a local hook can still be skipped with --no-verify. Point auditors at the entries written by the server-side gates (the github-actions actor in the sample below) and at the hosted aggregation, not at a developer's working copy.

  • .git/agent-reviews/_runs.ndjson — one line per gate decision, append-only
  • Bypass entries carry: actor, ts, gate, reason (from taxonomy), ttl (written as ttl_expires_at), evidence_link
  • Pre-defined reason taxonomy — no free-text overrides
  • Bypass actor allowlist enforced at runtime — only authorized actors can override
  • Exportable as compliance bundle: gate decisions, bypass events, drift incidents, all SOC2-mapped
.git/agent-reviews/_runs.ndjson (sample)
{"ts":"2026-05-17T18:42:11Z","sha":"5d8e1a3","gate":"critic-orchestrator","verdict":"CHANGES_REQUESTED","actor":"dev-alex","action":"halt"}
{"ts":"2026-05-17T18:46:02Z","sha":"5d8e1a3","gate":"critic-orchestrator","verdict":"CHANGES_REQUESTED","actor":"dev-alex","action":"bypass","reason":"pre-existing-main-blocker","evidence_link":"github://issues/482","ttl_expires_at":"2026-06-16T18:46:02Z"}
{"ts":"2026-05-17T18:46:08Z","sha":"5d8e1a3","gate":"branch-protection-audit","verdict":"PASS","actor":"github-actions"}
{"ts":"2026-05-17T18:46:11Z","sha":"5d8e1a3","gate":"cycle-doc-validation","verdict":"PASS","actor":"github-actions"}
{"ts":"2026-05-17T18:46:14Z","sha":"5d8e1a3","gate":"merge-queue-admission","verdict":"ADMITTED","actor":"github-actions","admission_reason":"all-required-green,thread-resolution-complete"}

# Bypass command (refused if actor not in allowlist or reason not in taxonomy):
$ DARKFACTORY_BYPASS="pre-existing-main-blocker:#482" git push origin feat/x

# Compliance export (Business tier):
$ darkfactory compliance export --from 2026-04-01 --to 2026-05-17 \
    --format soc2-cc --out audit-2026-Q2.json
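What an auditor (or a pre-push hook) actually has to do with that file is parse it, check every bypass against the allowlist and taxonomy, and separate live overrides from expired ones. The script below is an added example, not darkfactory's own code: it uses the field names shown in the sample trail above, but the POLICY dict is a stand-in for whatever darkfactory.yaml carries (its schema is not shown here), the violation labels are this example's own, and the sample trail is constructed, with the page's first three lines followed by two bad bypasses, one more clean bypass, and a torn final line of the kind a crash mid-write leaves behind.

```python
"""Audit a darkfactory-style gate trail (_runs.ndjson).

Added example, not darkfactory's own code. Field names follow the sample
trail on the page (ts, sha, gate, verdict, actor, action, reason,
evidence_link, ttl_expires_at). POLICY is an assumed stand-in for
darkfactory.yaml; the violation labels are this example's own.
"""
import json
from datetime import datetime, timezone

# Assumed policy: the real darkfactory.yaml schema is not shown on the page.
POLICY = {
    "bypass_allowlist": {"dev-alex", "lead-sam"},
    "reason_taxonomy": {"pre-existing-main-blocker", "incident-hotfix"},
}

# Constructed sample trail (see lead-in). Line 7 is deliberately truncated.
SAMPLE_TRAIL = """\
{"ts":"2026-05-17T18:42:11Z","sha":"5d8e1a3","gate":"critic-orchestrator","verdict":"CHANGES_REQUESTED","actor":"dev-alex","action":"halt"}
{"ts":"2026-05-17T18:46:02Z","sha":"5d8e1a3","gate":"critic-orchestrator","verdict":"CHANGES_REQUESTED","actor":"dev-alex","action":"bypass","reason":"pre-existing-main-blocker","evidence_link":"github://issues/482","ttl_expires_at":"2026-06-16T18:46:02Z"}
{"ts":"2026-05-17T18:46:08Z","sha":"5d8e1a3","gate":"branch-protection-audit","verdict":"PASS","actor":"github-actions"}
{"ts":"2026-05-18T09:01:00Z","sha":"9aa0c21","gate":"critic-orchestrator","verdict":"CHANGES_REQUESTED","actor":"contractor-bob","action":"bypass","reason":"pre-existing-main-blocker","evidence_link":"github://issues/490","ttl_expires_at":"2026-05-25T09:01:00Z"}
{"ts":"2026-05-18T09:05:00Z","sha":"9aa0c21","gate":"critic-orchestrator","verdict":"CHANGES_REQUESTED","actor":"dev-alex","action":"bypass","reason":"looks fine to me","ttl_expires_at":"2026-05-19T09:05:00Z"}
{"ts":"2026-06-18T14:00:00Z","sha":"b7d2e90","gate":"critic-orchestrator","verdict":"CHANGES_REQUESTED","actor":"lead-sam","action":"bypass","reason":"incident-hotfix","evidence_link":"github://issues/501","ttl_expires_at":"2026-07-01T00:00:00Z"}
{"ts":"2026-06-19T10:00:00Z","sha":"c0ffee1","gate":"critic-orch"""


def parse_ts(s):
    """Parse the trail's UTC 'Z' timestamps into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_bypass(entry, policy):
    """Return the list of policy violations for one bypass entry ([] means clean)."""
    problems = []
    if entry.get("actor") not in policy["bypass_allowlist"]:
        problems.append("actor-not-allowlisted")
    if entry.get("reason") not in policy["reason_taxonomy"]:
        problems.append("reason-not-in-taxonomy")      # rejects free text
    if not entry.get("evidence_link"):
        problems.append("missing-evidence-link")
    try:
        parse_ts(entry["ttl_expires_at"])
    except (KeyError, TypeError, ValueError):
        problems.append("bad-or-missing-ttl")
    return problems


def audit_trail(text, policy, now):
    """Walk the NDJSON trail; report (by 1-based line number) what an auditor asks for."""
    report = {"runs": 0, "unparseable": [], "bypasses": [],
              "violations": {}, "active": [], "expired": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            report["unparseable"].append(lineno)   # torn tail line: surface it, don't hide it
            continue
        report["runs"] += 1
        if entry.get("action") != "bypass":
            continue
        report["bypasses"].append(lineno)
        problems = check_bypass(entry, policy)
        if problems:
            report["violations"][lineno] = problems
            continue
        # Only a clean entry has a parseable TTL; classify it as live or lapsed.
        bucket = "active" if parse_ts(entry["ttl_expires_at"]) > now else "expired"
        report[bucket].append(lineno)
    return report


def format_bypass_line(entry, policy):
    """Runtime enforcement: refuse anything that fails policy, else return one NDJSON line."""
    problems = check_bypass(entry, policy)
    if problems:
        raise PermissionError("bypass refused: " + ", ".join(problems))
    return json.dumps({**entry, "action": "bypass"}, separators=(",", ":")) + "\n"


def append_bypass(path, entry, policy):
    """Append a validated bypass line; one write per line keeps a crash to at most one torn tail."""
    line = format_bypass_line(entry, policy)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line


if __name__ == "__main__":
    print(json.dumps(audit_trail(SAMPLE_TRAIL, POLICY, parse_ts("2026-06-20T00:00:00Z")), indent=2))
```

Run against the constructed trail as of 2026-06-20, the report flags line 4 (actor outside the allowlist) and line 5 (free-text reason, no evidence link), lists line 2 as an expired override and line 6 as a live one, and names line 7 as unparseable instead of silently dropping it. The same check_bypass function gates the write path, which is the point of "enforced at runtime": an entry that would fail the audit never reaches the file.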

Pricing relevance

Trail is a platform invariant — every tier writes it. The compliance bundle export (mapped to SOC2 CC controls) is a Business-tier feature; auditor-ready packets are Enterprise.

Open-source posture

NDJSON schema is OSS-published. The local trail is OSS. The hosted multi-repo aggregation + auditor packet generation stay closed.

Get Started

Compliance-as-code. Bypass events, not bypass stories.

Auditors get a file, not an email thread. Bypasses are structured, reasoned, allowlisted, TTL'd — the override log is forensic-grade by construction.