Skip to main content
Every policy decision emits an on-chain event from altheia::audit. Each event carries the policy version at decision time, for incident replay. Allowed actions and lifecycle changes index straight from chain. Denials never land on-chain, so the agent records them itself.
Chronicle: every action allowed or denied, settled on-chain

On-chain events

EventEmitted when
AllowedActionAn action passed policy. Carries agent_id, policy_version, amount, target_package, timestamp_ms.
PolicyRevokedThe owner revoked the agent.
PolicyUpdatedCaps, scope, actions, or pause state changed. Carries version before and after.
WithdrawalAttestedA withdrawal closed its receipt. Carries amount_in, amount_out, recipient.
Read them with readAuditLog(client, corePkg, limit), which queries the audit module’s events in descending order and returns the event type, transaction digest, timestamp, and parsed payload.

Denials are recorded off-chain

A denied action aborts inside check_and_consume and emits nothing, so no chain query can find it. To make denials visible, the agent dry-runs the transaction first; if the policy aborts, it posts a denied row with the decoded reason and skips submitting. This is what guardedSubmit does, and it is how a denial reaches the dashboard Chronicle even though it never lands on-chain.
const r = await guardedSubmit(client, exec, agentAddr, buildSwap(refs, amount), {
  baseUrl, token, agent_id, action_type: "deepbook_swap", amount: 0.05, asset: "SUI",
});
// r.ok === false, r.reason_code === "over_per_tx_cap"  — logged, never submitted

How to read the trail

SurfaceWhat you seeAuth
Dashboard ChronicleEvery action, allowed or denied, with reason and digest.Operator wallet.
readAuditLogThe raw on-chain events from corePkg.None. Public chain data.
A Sui explorerThe same events under the package, plus the transaction digests.None. Public chain data.
The on-chain events are the source of truth for allowed actions and lifecycle changes. An auditor can read them directly without trusting the backend.

Provision an agent

From the dashboard form to a funded, signable agent key.