feat(security): add tamper-evident audit chain logger

[gemini2026]

Closes #891

What this does

Adds a tamper-evident audit logger under nemoclaw/src/security/. It writes JSONL entries where each entry includes a SHA-256 hash of the previous one — modifying or deleting any entry breaks the chain downstream.

Comes with verifyChain() to validate an entire log file, plus exportEntries() and tailEntries() for querying.

Three new files, no changes to existing NemoClaw code.

How the chain works

Each entry has: seq (monotonic), chain_id (random hex per instance), prev_hash, entry_hash, type, time, data. The logger resumes from an existing file by reading the last entry for continuation state.

verifyChain catches: modified data, broken hash links, sequence gaps (block deletion), and chain_id mismatches (splice attacks).

Test plan

• 38 tests passing (npx vitest run src/security/audit-chain.test.ts)
• tsc --noEmit clean
• All pre-commit hooks pass
• Tamper scenarios: modified data, broken prev_hash, deleted entries, chain splicing
• Edge cases: malformed JSONL lines, empty files, single-entry chains, 100-entry stress test

Signed-off-by: Charan Jagwani cjagwani@nvidia.com

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a tamper‑evident append‑only JSONL audit chain: new AuditLogger that resumes state, SHA‑256 chained entries, verification and query helpers (verifyChain, exportEntries, tailEntries), plus tests and reference documentation.

Changes

Cohort / File(s)	Summary
Implementation nemoclaw/src/security/audit-chain.ts	New module implementing append‑only JSONL audit chain, SHA‑256 entry hashing (entry_hash), chain_id generation, resume semantics, AuditLogger, verifyChain, exportEntries, and tailEntries.
Tests nemoclaw/src/security/audit-chain.test.ts	Comprehensive Vitest suite covering initialization, chaining, resume behavior, tamper scenarios (modified data, broken prev_hash, sequence gaps, malformed lines, splices), API validation errors, export/tail semantics, and high‑volume writes.
Documentation docs/reference/audit-chain.md	New reference doc describing entry format, chain rules, API surface, TypeScript interfaces, examples, and operational notes.

sequenceDiagram
    autonumber
    participant Client as Client
    participant Logger as AuditLogger
    participant FS as FileSystem
    participant Verifier as verifyChain
    Client->>Logger: log(type, data)
    Logger->>FS: append JSONL entry (seq, chain_id, prev_hash, entry_hash, ...)
    FS-->>Logger: write ack
    Client->>Verifier: verifyChain(path)
    Verifier->>FS: read JSONL lines
    FS-->>Verifier: return lines
    Verifier->>Verifier: parse lines, validate seq, chain_id, prev_hash, recompute entry_hash
    Verifier-->>Client: VerifyResult (valid / error, entries)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hop through lines of JSON bright,
I bind each hop with SHA‑256 light,
A tiny chain that never lies,
I guard the tale with watchful eyes,
Append, resume—truth held tight.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat(security): add tamper-evident audit chain logger' directly and clearly describes the primary change—a new security module for audit logging with tamper detection.
Linked Issues check	✅ Passed	The pull request fully implements all coding requirements from issue #891: hash-chained JSONL audit logger with AuditLogger class, verifyChain/exportEntries/tailEntries functions, proper entry structure, append-only persistence, resume on startup, comprehensive Vitest tests, and documentation.
Out of Scope Changes check	✅ Passed	All changes are scoped to the three new files specified in issue #891 (audit-chain.ts, audit-chain.test.ts, audit-chain.md); no modifications to existing NemoClaw code or unrelated areas.
Docstring Coverage	✅ Passed	Docstring coverage is 83.33% which is sufficient. The required threshold is 80.00%.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (7)

docs/reference/audit-chain.md (3)

39-40: One sentence per line.

Lines 39–40 contain two sentences on the same line.
Split them for cleaner diffs.

The `chain_id` is a random 24-character hex string generated when the logger creates a new file.
It remains constant across all entries in a single chain and persists when the logger resumes from an existing file.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/reference/audit-chain.md` around lines 39 - 40, The line describing
`chain_id` currently contains two sentences on the same line—split it into two
separate lines so each sentence is its own line: one line stating "The
`chain_id` is a random 24-character hex string generated when the logger creates
a new file." and the next line stating "It remains constant across all entries
in a single chain and persists when the logger resumes from an existing file."
so diffs are clean.

---

85-86: One sentence per line.

Multiple sentences appear on a single line here.
Split each sentence onto its own line for readable diffs.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/reference/audit-chain.md` around lines 85 - 86, The documentation line
describing the constructor currently contains multiple sentences on one line;
split each sentence into its own line so diffs are readable—e.g., separate "The
constructor creates parent directories if they do not exist." and "If the file
already contains entries, the logger resumes the chain from the last entry."
into two lines under the constructor documentation.

---

113-114: One sentence per line.

Lines 113–114 and 119–120 each have two sentences on the same line.
Split them for cleaner diffs.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/reference/audit-chain.md` around lines 113 - 114, Split the two
combined-sentence lines so each sentence is on its own line: change the line
that currently contains "When `limit` is omitted or zero, all matching entries
are returned. Malformed lines are silently skipped." into two lines ("When
`limit` is omitted or zero, all matching entries are returned." and "Malformed
lines are silently skipped.") and do the same for the other occurrence around
lines 119–120; ensure each sentence is a separate line to keep diffs clean.

nemoclaw/src/security/audit-chain.test.ts (1)

558-578: Test name "concurrent writes" is misleading.

This test performs rapid sequential writes from a single thread, not concurrent writes from multiple threads.
Since appendFileSync is synchronous, the writes are serialized.
Consider renaming to "rapid sequential writes" or similar to accurately reflect what's being tested.

True concurrency testing would require multiple worker threads writing simultaneously.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@nemoclaw/src/security/audit-chain.test.ts` around lines 558 - 578, The test
title "concurrent writes" is misleading because it performs serialized writes
using AuditLogger (which uses appendFileSync); rename the describe or it block
to accurately reflect the behavior (e.g., change describe("concurrent writes")
or it("handles rapid sequential writes without data loss") to "rapid sequential
writes" or similar) so the test name matches the implementation, referencing the
AuditLogger, appendFileSync, readEntries, and verifyChain symbols to locate the
test to update.

nemoclaw/src/security/audit-chain.ts (2)

346-350: Consider a structured logging approach instead of console.error.

Using console.error during readTailState can produce unexpected output in production or library consumers.
Options:

1. Return a diagnostic in the TailState result for the caller to handle.
2. Accept an optional logger callback.
3. Silently skip (current behavior minus the log).

Given this is a security module where malformed lines could indicate tampering, silent skipping may be appropriate since verifyChain handles detection separately.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@nemoclaw/src/security/audit-chain.ts` around lines 346 - 350, The
console.error in readTailState should be removed and replaced with a structured
diagnostic approach: update the readTailState signature to either accept an
optional logger callback (e.g., logger?: (level: string, msg: string, meta?:
any) => void) or add a diagnostic field on the returned TailState (e.g.,
diagnostics: Array<{line: string, error: string}>), then use that mechanism
instead of console.error when skipping a malformed line; ensure callers (or
verifyChain) can inspect diagnostics if needed and that default behavior remains
silent if no logger is provided.

---

110-113: No file locking for multi-process writes.

appendFileSync provides atomicity at the OS level for small writes, but concurrent appends from multiple processes can interleave or corrupt entries on some platforms.

If multi-process logging is a future requirement, consider:

• Advisory file locking (flock equivalent)
• A separate log aggregator process
• A database-backed alternative

For single-process use as currently tested, this is fine.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@nemoclaw/src/security/audit-chain.ts` around lines 110 - 113, The current
append in AuditChain.write (appendFileSync(this.path, ...)) can interleave or
corrupt when multiple processes write; replace the direct append with a
multi-process-safe approach such as acquiring an advisory lock before writing
(e.g., flock via a native binding or fs-ext's flockSync), or implement a
dedicated log-writer/aggregator process or DB-backed store; ensure the code
acquires the lock on this.path (or on a separate .lock file), performs the
append of JSON.stringify(entry)+"\n", updates this.seq and this.prevHash only
after a successful write, and always releases the lock even on error.

docs/reference/injection-scanner.md (1)

23-25: One sentence per line.

Lines 23-24 contain multiple sentences on single lines. Per coding guidelines, each sentence should be on its own line to make diffs readable.

 The injection scanner detects prompt injection patterns in agent tool inputs and outputs.
-It applies text normalization and pattern matching to identify attempts to override system prompts, inject instructions, manipulate tools, or exfiltrate data.
+It applies text normalization and pattern matching to identify attempts to override system prompts, inject instructions, manipulate tools, or exfiltrate data.

(The second sentence is already on its own line, but verify the source has one sentence per line throughout.)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/reference/injection-scanner.md` around lines 23 - 25, The two sentences
in the README paragraph should be split so each sentence is on its own line:
replace the single line containing "The injection scanner detects prompt
injection patterns in agent tool inputs and outputs. It applies text
normalization and pattern matching to identify attempts to override system
prompts, inject instructions, manipulate tools, or exfiltrate data." with two
lines — one containing "The injection scanner detects prompt injection patterns
in agent tool inputs and outputs." and a second containing "It applies text
normalization and pattern matching to identify attempts to override system
prompts, inject instructions, manipulate tools, or exfiltrate data."; also scan
the rest of the document to ensure every sentence follows the
one-sentence-per-line guideline.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/reference/injection-scanner.md`:
- Around line 113-115: The documentation for maxSeverity incorrectly states its
return type as `Severity | ""`; update the doc to match the implementation and
tests by changing the return type to `Severity | null` and the description to
say it returns null for an empty findings array; reference the maxSeverity
function and the existing test that asserts null to ensure consistency.

---

Nitpick comments:
In `@docs/reference/audit-chain.md`:
- Around line 39-40: The line describing `chain_id` currently contains two
sentences on the same line—split it into two separate lines so each sentence is
its own line: one line stating "The `chain_id` is a random 24-character hex
string generated when the logger creates a new file." and the next line stating
"It remains constant across all entries in a single chain and persists when the
logger resumes from an existing file." so diffs are clean.
- Around line 85-86: The documentation line describing the constructor currently
contains multiple sentences on one line; split each sentence into its own line
so diffs are readable—e.g., separate "The constructor creates parent directories
if they do not exist." and "If the file already contains entries, the logger
resumes the chain from the last entry." into two lines under the constructor
documentation.
- Around line 113-114: Split the two combined-sentence lines so each sentence is
on its own line: change the line that currently contains "When `limit` is
omitted or zero, all matching entries are returned. Malformed lines are silently
skipped." into two lines ("When `limit` is omitted or zero, all matching entries
are returned." and "Malformed lines are silently skipped.") and do the same for
the other occurrence around lines 119–120; ensure each sentence is a separate
line to keep diffs clean.

In `@docs/reference/injection-scanner.md`:
- Around line 23-25: The two sentences in the README paragraph should be split
so each sentence is on its own line: replace the single line containing "The
injection scanner detects prompt injection patterns in agent tool inputs and
outputs. It applies text normalization and pattern matching to identify attempts
to override system prompts, inject instructions, manipulate tools, or exfiltrate
data." with two lines — one containing "The injection scanner detects prompt
injection patterns in agent tool inputs and outputs." and a second containing
"It applies text normalization and pattern matching to identify attempts to
override system prompts, inject instructions, manipulate tools, or exfiltrate
data."; also scan the rest of the document to ensure every sentence follows the
one-sentence-per-line guideline.

In `@nemoclaw/src/security/audit-chain.test.ts`:
- Around line 558-578: The test title "concurrent writes" is misleading because
it performs serialized writes using AuditLogger (which uses appendFileSync);
rename the describe or it block to accurately reflect the behavior (e.g., change
describe("concurrent writes") or it("handles rapid sequential writes without
data loss") to "rapid sequential writes" or similar) so the test name matches
the implementation, referencing the AuditLogger, appendFileSync, readEntries,
and verifyChain symbols to locate the test to update.

In `@nemoclaw/src/security/audit-chain.ts`:
- Around line 346-350: The console.error in readTailState should be removed and
replaced with a structured diagnostic approach: update the readTailState
signature to either accept an optional logger callback (e.g., logger?: (level:
string, msg: string, meta?: any) => void) or add a diagnostic field on the
returned TailState (e.g., diagnostics: Array<{line: string, error: string}>),
then use that mechanism instead of console.error when skipping a malformed line;
ensure callers (or verifyChain) can inspect diagnostics if needed and that
default behavior remains silent if no logger is provided.
- Around line 110-113: The current append in AuditChain.write
(appendFileSync(this.path, ...)) can interleave or corrupt when multiple
processes write; replace the direct append with a multi-process-safe approach
such as acquiring an advisory lock before writing (e.g., flock via a native
binding or fs-ext's flockSync), or implement a dedicated log-writer/aggregator
process or DB-backed store; ensure the code acquires the lock on this.path (or
on a separate .lock file), performs the append of JSON.stringify(entry)+"\n",
updates this.seq and this.prevHash only after a successful write, and always
releases the lock even on error.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a1657469-f7fc-48b6-b329-fb8a4cbfad82

📥 Commits

Reviewing files that changed from the base of the PR and between b2164e7 and d20cb17.

⛔ Files ignored due to path filters (2)

• nemoclaw/package-lock.json is excluded by !**/package-lock.json
• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (10)

• .github/PULL_REQUEST_TEMPLATE.md
• .github/workflows/pr.yaml
• Dockerfile
• docs/reference/audit-chain.md
• docs/reference/injection-scanner.md
• install.sh
• nemoclaw/src/security/audit-chain.test.ts
• nemoclaw/src/security/audit-chain.ts
• nemoclaw/src/security/injection-scanner.test.ts
• nemoclaw/src/security/injection-scanner.ts

💤 Files with no reviewable changes (1)

• .github/workflows/pr.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Documentation-code mismatch: maxSeverity returns null, not "".

The documented return type Severity | "" does not match the implementation, which returns Severity | null. The test at injection-scanner.test.ts:623-625 confirms maxSeverity([]) returns null via .toBeNull(). Callers following this documentation would incorrectly check for an empty string instead of null.

📝 Proposed fix

-### `maxSeverity(findings: Finding[]): Severity | ""`
+### `maxSeverity(findings: Finding[]): Severity | null`

-The highest severity level present in the findings array, or an empty string if the array is empty.
+The highest severity level present in the findings array, or `null` if the array is empty.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	### `maxSeverity(findings: Finding[]): Severity | ""`
	The highest severity level present in the findings array, or an empty string if the array is empty.
	### `maxSeverity(findings: Finding[]): Severity | null`
	The highest severity level present in the findings array, or `null` if the array is empty.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/reference/injection-scanner.md` around lines 113 - 115, The
documentation for maxSeverity incorrectly states its return type as `Severity |
""`; update the doc to match the implementation and tests by changing the return
type to `Severity | null` and the description to say it returns null for an
empty findings array; reference the maxSeverity function and the existing test
that asserts null to ensure consistency.

[wscurran]

✨ Thanks for submitting this PR with a detailed summary, it proposes a new security feature to improve audit logging and prevent tampering.

[gemini2026]

This pairs with the injection scanner (#870) and session tracker (#965) — together they add application-layer security on top of the container isolation.

Also fixed the H1 to match the NemoClaw naming convention.

[miyoungc]

Docs review

The doc content is accurate — every API surface, interface, default, and behavioral claim matches the implementation in audit-chain.ts. Nice work on the thoroughness.

A few style guide items to fix before merge:

1. Frontmatter description needs main/agent structure

The current frontmatter uses a flat description: string, but all existing reference pages and the contributing guide template use the nested format with main and agent fields. The agent field with "Use when..." triggers is what the docs-to-skills pipeline relies on for routing.

Current:

description: "Reference for the tamper-evident audit chain module..."

Should be:

description:
  main: "Reference for the tamper-evident audit chain module that writes SHA-256 hash-chained JSONL entries and provides verify, export, and tail utilities."
  agent: "References for the tamper-evident audit chain module that writes SHA-256 hash-chained JSONL entries and provides verify, export, and tail utilities. Use when looking up audit chain entry format, hash chaining behavior, or the verify/export/tail API."

2. Em dash in title

The style guide says "Do not use em dashes." The title currently has one:

NemoClaw Audit Chain — Tamper-Evident Hash-Chained Audit Log

The existing reference pages use colons (e.g., NemoClaw Architecture: Plugin, Blueprint, and Sandbox Structure). To stay consistent with those:

NemoClaw Audit Chain: Tamper-Evident Hash-Chained Audit Log

Update both title.page and the H1 heading to match.

3. Passive voice (2 occurrences)

The style guide requires active voice. Two lines under exportEntries and tailEntries say:

Malformed lines are silently skipped.

Change to:

The function silently skips malformed lines.

or simply:

Skips malformed lines.

4. MyST cross-reference in generated skill file

.agents/skills/nemoclaw-user-reference/references/audit-chain.md line 159 has:

- See {doc}`/reference/architecture` for how security modules integrate into the NemoClaw plugin.

The {doc} directive is Sphinx syntax that does not render in plain markdown (which is how agents read skill files). The docs-to-skills script should rewrite these as skill-to-skill pointers. If this file was generated by the pre-commit hook and the cross-ref was not converted, that is a script issue. If the file was created manually, it should not have been — the contributing guide says to never edit generated files under .agents/skills/nemoclaw-user-*/.

Either way, the Next Steps line in docs/reference/audit-chain.md is the source. After fixing it there, re-run the skill generation to pick up the corrected output:

python scripts/docs-to-skills.py docs/ .agents/skills/ --prefix nemoclaw-user

[gemini2026]

All four fixed in 0db9334:

1. Frontmatter — split into main/agent fields
2. Em dash → colon in title.page and H1
3. Passive voice → active ("Skips malformed lines")
4. Cross-ref — {doc} → relative link in docs source; re-ran docs-to-skills.py which converted it to a skill pointer in the generated file

Let me know if anything else needs a pass.

[gemini2026]

All currently raised feedback on this branch should be addressed now.

Latest maintainer review is approved and checks are green on the current head.

@brandonpelfrey when you have a moment, could you please take a final pass?

[wscurran]

Thanks for the audit chain logger work. The codebase has changed significantly since March 25 — including a full TypeScript migration — so this will need a rebase on origin/main before we can review it. You also have a related PR in #870 (prompt injection scanner) — coordinating the rebase across both would be helpful. Note that #916 covers similar audit logging ground from a different contributor, so we'll need to reconcile the two approaches once both are rebased. Please rebase and resolve any conflicts, and we'll take a look.

Really appreciate the dedication and support for NemoClaw!

[github-actions]

❌ Brev E2E (full): FAILED on branch feat/audit-chain — See logs