Audit walkthrough
Walk an external auditor through inspecting a production agent run. The Fuze CLI (@fuze-ai/agent-cli) is the system of record; the dashboard exposes the same data.
Query by subject
Find every run that touched a given subject's data:
The output lists runId, agentPurpose, lawfulBasis, evidenceHashChainHead, and signedRunRoot. Subject lookup uses the indexed subjectRef field, which is recorded on every span whose tool classification is non-public.
Replay a run
Replay reconstructs the run deterministically from the evidence stream:
This rehydrates the spans, re-orders them by sequence, and writes a JSON trace. The replay does not re-execute the model; it shows the recorded inputs, outputs, decisions, and timings.
Verify the hash chain
This walks every record in the run, checks each record's prevHash against the canonical hash of the previous record (RFC 8785 JSON canonicalization, then SHA-256), and confirms the final hash matches evidenceHashChainHead. Exit code 0 if the chain is valid, 1 otherwise.
In code:
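The chain walk described above, as an added example that is not the Fuze CLI's own code: constructed records are linked by prevHash, then verified record by record and against the expected head. Assumptions: canonicalization uses json.dumps in a form that matches RFC 8785 only for records built from strings, integers, booleans, null, arrays and objects with ASCII keys (float formatting is not implemented); the first record's prevHash is an all-zero genesis value; each record is hashed whole, including its own prevHash and sequence fields.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prevHash of the first record in a run


def canonicalize(record: dict) -> bytes:
    # Sorted keys, no whitespace, UTF-8 output: equals RFC 8785 output for the
    # value types listed in the lead-in (assumption: no floats, ASCII keys).
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def record_hash(record: dict) -> str:
    # SHA-256 over the canonical bytes, hex-encoded like evidenceHashChainHead.
    return hashlib.sha256(canonicalize(record)).hexdigest()


def verify_chain(records, expected_head: str):
    """Walk the run in sequence order; return (ok, reason)."""
    ordered = sorted(records, key=lambda r: r["sequence"])
    prev = GENESIS
    for i, rec in enumerate(ordered):
        if rec.get("sequence") != i:
            return False, f"record {i}: sequence gap or duplicate"
        if rec.get("prevHash") != prev:
            return False, f"record {i}: prevHash does not match previous record"
        prev = record_hash(rec)
    if prev != expected_head:
        return False, "final hash does not match evidenceHashChainHead"
    return True, "ok"


def build_chain(payloads):
    """Constructed sample: link span payloads into a chain, return (records, head)."""
    records, prev = [], GENESIS
    for i, payload in enumerate(payloads):
        rec = dict(payload, sequence=i, prevHash=prev)
        records.append(rec)
        prev = record_hash(rec)
    return records, prev


if __name__ == "__main__":
    recs, head = build_chain([{"tool": "lookup", "subjectRef": "subj-1"},
                              {"tool": "reply", "output": "done"}])
    print(verify_chain(recs, head))
```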
Verify the signed run-root
The run-root is signed by @fuze-ai/agent-signing. Verify the signature against the agent's public key:
The signer is pluggable: LocalKeySigner for Dev/Cloud, and KMS-backed signers via @fuze-ai/agent-signing-kms for Sovereign.
Verify the transparency log proof
Each signed run-root is anchored to a transparency log (Sigstore-style). The CLI fetches the inclusion proof and confirms the run-root is in the log under the witnessed checkpoint.
Export the evidence bundle
The bundle contains: the canonical record stream, the run-root, the run-root signature, the transparency log proof, the agent definition snapshot, the policy bundle hash, and the model fingerprint. This is the deliverable for AI Act Art. 26 deployer obligations.
Dashboard equivalent
The dashboard exposes the same operations through a UI. Filtering, replay, and chain-verification status are first-class.