The latest articles on DEV Community by David Okeke (@thekingishere92). https://dev.to/thekingishere92 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3846176%2F61ca05da-e0eb-4bcd-b9c8-161994bb04ae.png https://dev.to/thekingishere92 en David Okeke Fri, 27 Mar 2026 14:17:05 +0000 https://dev.to/thekingishere92/how-i-built-cryptographic-audit-trails-for-ai-agents-and-why-it-matters-4b0a https://dev.to/thekingishere92/how-i-built-cryptographic-audit-trails-for-ai-agents-and-why-it-matters-4b0a <h2> <strong>Every company is deploying AI agents. Nobody knows what those agents are actually doing.</strong> </h2> <p>An autonomous agent can read your emails, call your Stripe API, export your database, and send messages — all without a human in the loop. When something goes wrong, there's no proof of what happened, no way to prove authorization, and no compliance trail.<br> I built MandateZ to solve this. Here's how it works technically.<br> The core problem<br> Traditional software has clear audit trails. An AI agent doesn't. When a LangChain agent calls send_email(), nothing records: who authorized it, which policy allowed it, what the payload was, or whether a human approved it. That's fine for demos. It's a blocker for any enterprise deployment.<br> The architecture<br> Everything flows from one data structure — the AgentEvent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">AgentEvent</span> <span class="p">{</span> <span class="nl">event_id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// uuid v4</span> <span class="nl">agent_id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// ag_ prefix + nanoid</span> <span class="nl">owner_id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">timestamp</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// ISO 8601</span> <span class="nl">action_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">read</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">write</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">export</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">delete</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">call</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">payment</span><span class="dl">'</span><span class="p">;</span> <span class="nl">resource</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// e.g. "emails", "api/stripe"</span> <span class="nl">outcome</span><span class="p">:</span> <span class="dl">'</span><span class="s1">allowed</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">blocked</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">flagged</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">pending_approval</span><span class="dl">'</span><span class="p">;</span> <span class="nl">policy_id</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span><span class="p">;</span> <span class="nl">metadata</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">;</span> <span class="nl">signature</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// Ed25519 signature</span> <span class="nl">public_key</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// agent's public key</span> <span class="p">}</span> </code></pre> </div> <p>Every agent action produces one of these. Every event is Ed25519 signed — cryptographically proving which agent produced it and that it hasn't been tampered with.<br> Agent identity<br> Each agent gets a unique Ed25519 keypair on registration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">generateAgentIdentity</span><span class="p">,</span> <span class="nx">MandateZClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@mandatez/sdk</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">agent</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateAgentIdentity</span><span class="p">();</span> <span class="c1">// { agent_id: 'ag_abc123', public_key: '...', private_key: '...' }</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">MandateZClient</span><span class="p">({</span> <span class="na">agentId</span><span class="p">:</span> <span class="nx">agent</span><span class="p">.</span><span class="nx">agent_id</span><span class="p">,</span> <span class="na">ownerId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">your_owner_id</span><span class="dl">'</span><span class="p">,</span> <span class="na">privateKey</span><span class="p">:</span> <span class="nx">agent</span><span class="p">.</span><span class="nx">private_key</span><span class="p">,</span> <span class="na">supabaseUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_URL</span><span class="p">,</span> <span class="na">supabaseAnonKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_ANON_KEY</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Tracking events<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">track</span><span class="p">({</span> <span class="na">action_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">call</span><span class="dl">'</span><span class="p">,</span> <span class="na">resource</span><span class="p">:</span> <span class="dl">'</span><span class="s1">api/stripe</span><span class="dl">'</span><span class="p">,</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">9900</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">usd</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Under the hood this: generates an event ID, timestamps it, canonicalizes the payload (keys sorted alphabetically), signs it with the agent's private key using Ed25519, and inserts it into Supabase. The whole thing takes ~5ms.<br> Policy enforcement<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">track</span><span class="p">({</span> <span class="na">action_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">export</span><span class="dl">'</span><span class="p">,</span> <span class="na">resource</span><span class="p">:</span> <span class="dl">'</span><span class="s1">database/users</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// outcome: 'blocked' — policy rule matched, action never executed</span> </code></pre> </div> <p>Policies are JSON rules stored per owner. The engine evaluates them before the action executes. Blocked actions are logged with the matched rule ID.<br> Human oversight gate<br> For high-risk actions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">oversight</span> <span class="o">=</span> <span class="p">{</span> <span class="na">require_human_approval</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">export</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">delete</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">payment</span><span class="dl">'</span><span class="p">],</span> <span class="na">alert_channel</span><span class="p">:</span> <span class="dl">'</span><span class="s1">slack</span><span class="dl">'</span><span class="p">,</span> <span class="na">timeout_seconds</span><span class="p">:</span> <span class="mi">300</span><span class="p">,</span> <span class="na">timeout_action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">block</span><span class="dl">'</span> <span class="p">}</span> </code></pre> </div> <p>The agent pauses execution, fires a Slack alert, and waits for human approval. If no response in 5 minutes — auto-blocked and logged.<br> Why Ed25519 specifically<br> RSA and ECDSA are too slow for high-frequency agent event signing. Ed25519 signatures are 64 bytes, verification is ~0.05ms, and the keys are small enough to store as base64 strings without bloating your database. libsodium-wrappers handles all of this with a clean API.<br> The neutrality moat<br> MandateZ works with LangChain, n8n, AutoGen, CrewAI, and every other framework simultaneously. OpenAI, Anthropic, and Nvidia all have security layers — but only for their own agents. MandateZ is the only layer that works across all vendors without a conflict of interest.<br> <strong>Try it</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @mandatez/sdk </code></pre> </div> <p>Docs: <a href="https://dev.tourl">mandatez.mintlify.app</a><br> GitHub: <a href="https://dev.tourl">github.com/mandatez/core</a></p> ai security typescript agents