DES Audit Trail Guide
Overview
The Deterministic Execution System (DES) maintains an immutable audit trail of all nWave workflow executions. This provides complete traceability and enables compliance validation.
Audit Trail Structure
Location
.nwave/des/logs/audit-YYYY-MM-DD.log (project-local) or ~/.claude/des/logs/audit-YYYY-MM-DD.log (global fallback)
Format
JSONL (JSON Lines) - one JSON object per line, newline-delimited.
{"timestamp": "2026-02-01T10:30:45.123Z", "event": "TASK_INVOCATION_STARTED", "step_id": "01-01", "project_id": "plugin-arch", "agent": "software-crafter"}
{"timestamp": "2026-02-01T10:30:45.456Z", "event": "PHASE_STARTED", "step_id": "01-01", "phase_name": "RED_UNIT"}
{"timestamp": "2026-02-01T10:35:22.789Z", "event": "PHASE_COMPLETED", "step_id": "01-01", "phase_name": "RED_UNIT", "outcome": "PASS"}
File Rotation
- Daily logs with date rotation
- File format:
audit-YYYY-MM-DD.log - New file created at midnight UTC
- Previous day's file remains (append-only)
Events Logged
| Event | Description | Fields |
|---|---|---|
TASK_INVOCATION_STARTED |
Agent execution begins | step_id, project_id, agent |
TASK_INVOCATION_VALIDATED |
Pre-invocation hooks passed | step_id, validations_passed |
PHASE_STARTED |
TDD phase begins | step_id, phase_name |
PHASE_COMPLETED |
TDD phase finishes | step_id, phase_name, outcome, duration_seconds |
SCOPE_VIOLATION |
File modified outside declared scope | file_path, scope_declaration |
TIMEOUT_WARNING |
Phase execution exceeding threshold | step_id, phase_name, threshold_seconds, actual_seconds |
COMMIT_CREATED |
Git commit created | step_id, commit_hash, message |
Query Examples
Find all scope violations
grep '"event":"SCOPE_VIOLATION"' .nwave/des/logs/audit-*.log | jq .
Count violations by file
jq -r 'select(.event=="SCOPE_VIOLATION") | .file_path' .nwave/des/logs/audit-*.log | sort | uniq -c | sort -rn
View phase execution timeline
jq -r 'select(.event | startswith("PHASE_")) | "\(.timestamp) \(.step_id) \(.phase_name) \(.outcome)"' .nwave/des/logs/audit-*.log
Find slow phases
jq -r 'select(.event=="PHASE_COMPLETED") | select(.duration_seconds > 600) | "\(.step_id) \(.phase_name) \(.duration_seconds)s"' .nwave/des/logs/audit-*.log
Export audit trail as CSV
jq -r '[.timestamp, .event, .step_id, .phase_name] | @csv' .nwave/des/logs/audit-*.log > audit.csv
Retention Policy
| Time Period | Action |
|---|---|
| Days 0-90 | Live logs in .nwave/des/logs/ |
| Day 91+ | Archive to docs/evolution/audit-archive/ |
| Manual cleanup | No automatic deletion |
Immutability & Integrity
Each log entry includes:
- ISO 8601 timestamp (UTC)
- SHA256 content hash (for integrity verification)
- Sequence number (for ordering guarantees)
To verify integrity:
jq -r '.content_hash' .nwave/des/logs/audit-2026-02-01.log | \
while read hash; do
echo -n "$hash " && echo "$hash" | sha256sum | cut -d' ' -f1
done
Hashes should match (one per line).
Compliance Use Cases
Audit Trail Query for Compliance Report
# Generate compliance report for project X, dates Y-Z
jq -r 'select(.project_id=="plugin-arch") | select(.timestamp >= "2026-02-01" and .timestamp <= "2026-02-28") | "\(.timestamp) \(.step_id) \(.event) \(.outcome)"' \
.nwave/des/logs/audit-*.log > plugin-arch-audit-2026-02.txt
Verify Complete Execution
# Ensure all steps were executed for project X
project="plugin-arch"
steps=$(jq -r "select(.project_id==\"$project\") | select(.event==\"PHASE_COMPLETED\") | .step_id" .nwave/des/logs/audit-*.log | sort -u)
echo "Executed steps: $steps"
Check for Scope Compliance
# Verify no scope violations in project X
violations=$(jq -r "select(.project_id==\"$project\") | select(.event==\"SCOPE_VIOLATION\")" .nwave/des/logs/audit-*.log | wc -l)
if [ "$violations" -eq 0 ]; then
echo "✅ No scope violations"
else
echo "❌ Found $violations scope violations"
fi