DEV Community: AiGovernor The latest articles on DEV Community by AiGovernor (@aigovernorapp). https://dev.to/aigovernorapp https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3974865%2F5bc9e0b0-47f9-4069-84b8-3339c09c0058.png DEV Community: AiGovernor https://dev.to/aigovernorapp en # How we built a tamper-evident WORM audit log for AI agents using SHA-256 hash chains and PostgreSQL AiGovernor Mon, 08 Jun 2026 21:39:12 +0000 https://dev.to/aigovernorapp/-how-we-built-a-tamper-evident-worm-audit-log-for-ai-agents-using-sha-256-hash-chains-and-g6a https://dev.to/aigovernorapp/-how-we-built-a-tamper-evident-worm-audit-log-for-ai-agents-using-sha-256-hash-chains-and-g6a <h1> How we built a tamper-evident WORM audit log for AI agents using SHA-256 hash chains and PostgreSQL </h1> <p><em>Published on dev.to | Tags: ai, security, postgres, node</em></p> <p>When your AI agents are making real decisions — sending emails, approving contracts, deleting records — "we have logs" is not the same as "we can prove what happened." This is the story of how we built a cryptographically tamper-evident audit log for <a href="https://aigovernor.app" rel="noopener noreferrer">AI Governor</a>, and why the implementation details matter more than people think.</p> <h2> The problem with normal audit logs </h2> <p>Most audit logs have a critical flaw: they can be altered after the fact. If someone with database access modifies a row, deletes it, or even changes the timestamp, there's no automatic way to detect it. For enterprise AI agents executing high-stakes actions, this is a compliance nightmare.</p> <p>We needed something stronger: a <strong>WORM</strong> (Write Once Read Many) log where any tampering — however subtle — is immediately detectable.</p> <h2> SHA-256 hash chaining: the core idea </h2> <p>The approach is borrowed from blockchain design, but stripped of all the unnecessary complexity.</p> <p>Every audit row stores two hash fields:</p> <ul> <li> <code>prev_hash</code> — the SHA-256 hash of the previous row</li> <li> <code>row_hash</code> — the SHA-256 hash of the current row's canonical fields + prev_hash </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">audit_log</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">org_id</span> <span class="n">UUID</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="n">NOW</span><span class="p">(),</span> <span class="n">agent_id</span> <span class="n">UUID</span><span class="p">,</span> <span class="n">verdict</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">model</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">cost_usd</span> <span class="nb">NUMERIC</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span><span class="mi">6</span><span class="p">),</span> <span class="n">task</span> <span class="n">JSONB</span><span class="p">,</span> <span class="n">stages</span> <span class="n">JSONB</span><span class="p">,</span> <span class="c1">-- WORM chain</span> <span class="n">prev_hash</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="s1">''</span><span class="p">,</span> <span class="n">row_hash</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="p">);</span> </code></pre> </div> <p>The <code>row_hash</code> is computed as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">row_hash</span> <span class="o">=</span> <span class="no">SHA256</span><span class="p">(</span><span class="nb">id</span> <span class="o">+</span> <span class="n">org_id</span> <span class="o">+</span> <span class="n">created_at</span> <span class="o">+</span> <span class="n">verdict</span> <span class="o">+</span> <span class="n">model</span> <span class="o">+</span> <span class="n">cost_usd</span> <span class="o">+</span> <span class="o">...</span> <span class="o">+</span> <span class="n">prev_hash</span><span class="p">)</span> </code></pre> </div> <p>If anyone edits any field in any row — or deletes a row and renumbers them — the chain breaks. Every subsequent row's <code>prev_hash</code> will no longer match the <code>row_hash</code> of its predecessor.</p> <h2> Why a database function, not application code </h2> <p>Here's where most implementations go wrong: they compute the hash in application code, then insert. This creates a race condition — two concurrent requests can both read the same "last row" and write the same <code>prev_hash</code>.</p> <p>We solved this with a PostgreSQL stored function that holds a per-org advisory lock:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">insert_audit_row</span><span class="p">(</span> <span class="n">p_org_id</span> <span class="n">UUID</span><span class="p">,</span> <span class="n">p_agent_id</span> <span class="n">UUID</span><span class="p">,</span> <span class="n">p_verdict</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="c1">-- ... other params</span> <span class="p">)</span> <span class="k">RETURNS</span> <span class="n">audit_log</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">DECLARE</span> <span class="n">v_prev_hash</span> <span class="nb">TEXT</span><span class="p">;</span> <span class="n">v_row_hash</span> <span class="nb">TEXT</span><span class="p">;</span> <span class="n">v_new_row</span> <span class="n">audit_log</span><span class="p">;</span> <span class="n">v_lock_id</span> <span class="nb">BIGINT</span><span class="p">;</span> <span class="k">BEGIN</span> <span class="c1">-- Per-org advisory lock: prevents concurrent inserts from racing on the hash chain</span> <span class="n">v_lock_id</span> <span class="p">:</span><span class="o">=</span> <span class="n">hashtext</span><span class="p">(</span><span class="n">p_org_id</span><span class="p">::</span><span class="nb">text</span><span class="p">);</span> <span class="n">PERFORM</span> <span class="n">pg_advisory_xact_lock</span><span class="p">(</span><span class="n">v_lock_id</span><span class="p">);</span> <span class="c1">-- Get the hash of the last row for this org</span> <span class="k">SELECT</span> <span class="n">row_hash</span> <span class="k">INTO</span> <span class="n">v_prev_hash</span> <span class="k">FROM</span> <span class="n">audit_log</span> <span class="k">WHERE</span> <span class="n">org_id</span> <span class="o">=</span> <span class="n">p_org_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">created_at</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">1</span><span class="p">;</span> <span class="n">v_prev_hash</span> <span class="p">:</span><span class="o">=</span> <span class="n">COALESCE</span><span class="p">(</span><span class="n">v_prev_hash</span><span class="p">,</span> <span class="s1">''</span><span class="p">);</span> <span class="c1">-- Compute the new row_hash</span> <span class="n">v_row_hash</span> <span class="p">:</span><span class="o">=</span> <span class="n">encode</span><span class="p">(</span> <span class="n">digest</span><span class="p">(</span> <span class="n">p_org_id</span><span class="p">::</span><span class="nb">text</span> <span class="o">||</span> <span class="n">COALESCE</span><span class="p">(</span><span class="n">p_agent_id</span><span class="p">::</span><span class="nb">text</span><span class="p">,</span> <span class="s1">''</span><span class="p">)</span> <span class="o">||</span> <span class="n">p_verdict</span> <span class="o">||</span> <span class="n">COALESCE</span><span class="p">(</span><span class="n">p_model</span><span class="p">,</span> <span class="s1">''</span><span class="p">)</span> <span class="o">||</span> <span class="n">v_prev_hash</span><span class="p">,</span> <span class="s1">'sha256'</span> <span class="p">),</span> <span class="s1">'hex'</span> <span class="p">);</span> <span class="c1">-- Insert and return the new row</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">audit_log</span> <span class="p">(</span><span class="n">org_id</span><span class="p">,</span> <span class="n">agent_id</span><span class="p">,</span> <span class="n">verdict</span><span class="p">,</span> <span class="n">prev_hash</span><span class="p">,</span> <span class="n">row_hash</span><span class="p">,</span> <span class="p">...)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="n">p_org_id</span><span class="p">,</span> <span class="n">p_agent_id</span><span class="p">,</span> <span class="n">p_verdict</span><span class="p">,</span> <span class="n">v_prev_hash</span><span class="p">,</span> <span class="n">v_row_hash</span><span class="p">,</span> <span class="p">...)</span> <span class="n">RETURNING</span> <span class="o">*</span> <span class="k">INTO</span> <span class="n">v_new_row</span><span class="p">;</span> <span class="k">RETURN</span> <span class="n">v_new_row</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">SECURITY</span> <span class="k">DEFINER</span><span class="p">;</span> </code></pre> </div> <p><code>pg_advisory_xact_lock</code> gives us per-org serialisation without locking the whole table. Two requests from the same org queue at the lock; requests from different orgs run fully parallel.</p> <h2> Verifying the chain </h2> <p>Chain verification walks every row for an org in order and checks:</p> <ol> <li>The current <code>prev_hash</code> matches the previous row's <code>row_hash</code> </li> <li>The current <code>row_hash</code> matches a fresh computation of the canonical fields </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Gateway verification endpoint: GET /audit/verify</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">verifyChain</span><span class="p">(</span><span class="nx">orgId</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">rows</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">audit_log</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">id, created_at, org_id, agent_id, verdict, model, cost_usd, prev_hash, row_hash</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">org_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">orgId</span><span class="p">)</span> <span class="p">.</span><span class="nf">order</span><span class="p">(</span><span class="dl">'</span><span class="s1">created_at</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">ascending</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="kd">let</span> <span class="nx">prevHash</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">row</span> <span class="k">of</span> <span class="nx">rows</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Check linkage</span> <span class="k">if </span><span class="p">(</span><span class="nx">row</span><span class="p">.</span><span class="nx">prev_hash</span> <span class="o">!==</span> <span class="nx">prevHash</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">first_broken_id</span><span class="p">:</span> <span class="nx">row</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">detail</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Chain linkage broken</span><span class="dl">'</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// Recompute and check hash</span> <span class="kd">const</span> <span class="nx">expected</span> <span class="o">=</span> <span class="nf">computeRowHash</span><span class="p">(</span><span class="nx">row</span><span class="p">,</span> <span class="nx">prevHash</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">expected</span> <span class="o">!==</span> <span class="nx">row</span><span class="p">.</span><span class="nx">row_hash</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">first_broken_id</span><span class="p">:</span> <span class="nx">row</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">detail</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Row hash mismatch — row was modified</span><span class="dl">'</span> <span class="p">};</span> <span class="p">}</span> <span class="nx">prevHash</span> <span class="o">=</span> <span class="nx">row</span><span class="p">.</span><span class="nx">row_hash</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">rows_checked</span><span class="p">:</span> <span class="nx">rows</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="na">detail</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Chain intact</span><span class="dl">'</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h2> Making it public and auth-free </h2> <p>The most useful property: the chain can be verified by <strong>anyone without an account</strong>. We expose a public endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET https://api.aigovernor.app/v1/audit/public-verify?org_id=&lt;uuid&gt; </span></code></pre> </div> <p>No authentication required. A regulator, auditor, or third-party compliance tool can verify an organisation's full chain independently, without trusting us. This is the governance proof layer — not just "we recorded it," but "anyone can verify we didn't alter it."</p> <h2> What this means in practice </h2> <p>Before we built this, enterprise customers asking about AI Act compliance had to trust our word that logs weren't altered. Now they can hand a verification URL to their auditor. The auditor runs it. The hash checks out. Done.</p> <p>The audit log is available on every plan including free — because governance evidence isn't a premium feature, it's a basic requirement.</p> <p>If you're building AI agents in production and need this kind of governance infrastructure without building it yourself, we've packaged all of this into <a href="https://aigovernor.app" rel="noopener noreferrer">AI Governor</a>. One line of code to integrate — swap <code>base_url</code> and <code>api_key</code>. The full pipeline activates from your first call.</p> <p><strong>Links:</strong></p> <ul> <li> <a href="https://aigovernor.app" rel="noopener noreferrer">AI Governor</a> — try the free tier (500k tokens/month)</li> <li> <a href="https://aigovernor.app/security" rel="noopener noreferrer">Security page</a> — architecture details</li> <li> <a href="https://aigovernor.app/pricing" rel="noopener noreferrer">Pricing</a> — all plans</li> </ul> <p><em>Tags to use when posting: #ai #security #typescript #devops #compliance #devtools #openai</em></p> devtools ai security openai