Immutable Session Logs

Cryptographic Audit Trail

Every filesystem operation, network connection, and command execution is recorded in a Merkle tree. Cryptographically verify session integrity after the fact.

Tamper-evident by construction

Every operation an AI agent performs inside nono is recorded as a leaf in a Merkle tree built from SHA-256 hashes. Each leaf contains the operation type, target, timestamp, and disposition (allowed/denied). The Merkle root is committed at session end, creating a cryptographic commitment over the entire session history.

This means you can verify after the fact that the audit log has not been tampered with. If any operation is modified, added, or removed, the Merkle root changes and verification fails. This is the same construction used by Git, certificate transparency logs, and blockchain systems.

What Gets Recorded

  • File reads, writes, creates, and deletes
  • Network connection attempts (allowed and denied)
  • Command executions (allowed and denied)
  • Supervisor approval prompts and responses
  • Sandbox policy violations

Filtering and Export

Filter audit logs by date range, operation type, or disposition. Export to JSON for integration with SIEM systems, compliance tools, or custom dashboards. The structured format makes it easy to build automated alerting on violation patterns.

terminal

$ nono audit show 20260228-143201-48291
Session: 20260228-143201-48291
Command: claude
Started: 2026-02-28 14:32:01
[000] Baseline at 2026-02-28 14:32:01 (24 files, root: 7d8f3e2a1b4c5d6e)
[001] Snapshot at 2026-02-28 14:32:15 (root: 9a3b7c1d4e5f6082)
~ src/auth/middleware.ts
~ package.json
+ package-lock.json
Merkle root: 9a3b7c1d4e5f60823a7b...
Files changed: 3

JSON export

$ nono audit show 20260228-143201-48291 --json | jq '.snapshots[1]'
{
  "index": 1,
  "timestamp": "2026-02-28T14:32:15Z",
  "merkle_root": "9a3b7c1d4e5f6082...",
  "changes": [
    { "path": "src/auth/middleware.ts", "type": "modified" },
    { "path": "package.json", "type": "modified" },
    { "path": "package-lock.json", "type": "created" }
  ]
}

Verification guarantees

The Merkle root is computed from the ordered sequence of all operation hashes. Verification recomputes the root from the raw log and compares against the committed root. Any modification — even changing a single byte of a single operation — produces a different root and fails verification. The audit trail is append-only during a session and sealed with the Merkle commitment at session end.
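
The recompute-and-compare check described above, as an added example that is not nono's code. The page does not specify nono's on-disk format, so the leaf encoding (canonical JSON), the field names, and the tree shape with 0x00/0x01 domain tags (borrowed from RFC 6962) are assumptions, and the sample log is constructed.

```python
import hashlib
import hmac
import json

def leaf_hash(op):
    # Canonical JSON (sorted keys, no whitespace) so a record has one byte encoding.
    data = json.dumps(op, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + data).digest()  # 0x00 tags a leaf

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 tags an interior node

def merkle_root(ops):
    """Hex root over the ordered operation list (RFC 6962 split rule)."""
    def subtree(hashes):
        if len(hashes) == 1:
            return hashes[0]
        k = 1
        while k * 2 < len(hashes):  # largest power of two strictly below len
            k *= 2
        return node_hash(subtree(hashes[:k]), subtree(hashes[k:]))
    if not ops:
        return hashlib.sha256(b"").hexdigest()  # empty log
    return subtree([leaf_hash(op) for op in ops]).hex()

def verify(ops, committed_root):
    return hmac.compare_digest(merkle_root(ops), committed_root)

def rec(op, target, ts, disposition):
    return {"op": op, "target": target, "ts": ts, "disposition": disposition}

# Constructed sample log; field names and values are assumptions, not nono output.
SESSION = [
    rec("file_read", "src/auth/middleware.ts", "2026-02-28T14:32:03Z", "allowed"),
    rec("net_connect", "203.0.113.7:443", "2026-02-28T14:32:05Z", "denied"),
    rec("exec", "npm install", "2026-02-28T14:32:08Z", "allowed"),
    rec("file_write", "package.json", "2026-02-28T14:32:12Z", "allowed"),
]
COMMITTED_ROOT = merkle_root(SESSION)  # the value sealed at session end

def tampered_logs(ops):
    # Edited copies of the log; each one must fail verification.
    flipped = [dict(o) for o in ops]
    flipped[1]["disposition"] = "allowed"  # rewrite the denied connection
    return {
        "modified": flipped,
        "removed": ops[:1] + ops[2:],
        "reordered": [ops[1], ops[0]] + ops[2:],
        "added": ops + [rec("file_read", "README.md", "2026-02-28T14:32:20Z", "allowed")],
    }
```

`verify(SESSION, COMMITTED_ROOT)` returns `True` and every log from `tampered_logs(SESSION)` returns `False`. The check is only as strong as the storage of the committed root: anyone able to rewrite both the log and the root can produce a matching pair, so keep the root somewhere the audited process cannot write.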

Get started with nono

Runtime safety infrastructure that works on macOS, Linux, and in CI.