Vapora/migrations/013_audit_merkle.surql

-- Merkle audit trail: tamper-evident append-only log with SHA256 block chaining.
-- Each entry stores prev_hash (previous block's hash) and block_hash
-- (SHA256 of canonical entry data including prev_hash), forming a chain
-- where tampering any entry invalidates all subsequent hashes.

DEFINE TABLE audit_entries SCHEMAFULL;

DEFINE FIELD seq          ON TABLE audit_entries TYPE int;
DEFINE FIELD entry_id     ON TABLE audit_entries TYPE string;
DEFINE FIELD timestamp    ON TABLE audit_entries TYPE datetime;
DEFINE FIELD workflow_id  ON TABLE audit_entries TYPE string;
DEFINE FIELD event_type   ON TABLE audit_entries TYPE string;
DEFINE FIELD actor        ON TABLE audit_entries TYPE string;
DEFINE FIELD details      ON TABLE audit_entries FLEXIBLE TYPE object;
DEFINE FIELD prev_hash    ON TABLE audit_entries TYPE string;
DEFINE FIELD block_hash   ON TABLE audit_entries TYPE string;

-- seq UNIQUE enforces monotonic ordering and prevents duplicate sequence numbers
DEFINE INDEX audit_seq_idx        ON TABLE audit_entries COLUMNS seq UNIQUE;
-- entry_id UNIQUE for idempotent inserts
DEFINE INDEX audit_entry_id_idx   ON TABLE audit_entries COLUMNS entry_id UNIQUE;
-- block_hash UNIQUE enforces Merkle chain integrity at the DB level
DEFINE INDEX audit_block_hash_idx ON TABLE audit_entries COLUMNS block_hash UNIQUE;
DEFINE INDEX audit_workflow_idx   ON TABLE audit_entries COLUMNS workflow_id;
DEFINE INDEX audit_event_type_idx ON TABLE audit_entries COLUMNS event_type;
DEFINE INDEX audit_actor_idx      ON TABLE audit_entries COLUMNS actor;
fix: eliminate stub implementations across 6 integration points - WorkflowOrchestrator and WorkflowService wired in main.rs (non-fatal) - try_fallback_with_budget actually calls fallback providers - vapora-tracking persistence: real TrackingEntry + NatsPublisher - vapora-doc-lifecycle: workspace + classify/consolidate/rag/NATS stubs - Merkle hash chain audit trail (tamper-evident, verify_integrity) - /api/v1/workflows/* routes operational; get_workflow_audit Result fix - ADR-0039, CHANGELOG, workflow-orchestrator docs updated 2026-02-27 00:00:02 +00:00			`-- Merkle audit trail: tamper-evident append-only log with SHA256 block chaining.`
			`-- Each entry stores prev_hash (previous block's hash) and block_hash`
			`-- (SHA256 of canonical entry data including prev_hash), forming a chain`
			`-- where tampering any entry invalidates all subsequent hashes.`

			`DEFINE TABLE audit_entries SCHEMAFULL;`

			`DEFINE FIELD seq ON TABLE audit_entries TYPE int;`
			`DEFINE FIELD entry_id ON TABLE audit_entries TYPE string;`
			`DEFINE FIELD timestamp ON TABLE audit_entries TYPE datetime;`
			`DEFINE FIELD workflow_id ON TABLE audit_entries TYPE string;`
			`DEFINE FIELD event_type ON TABLE audit_entries TYPE string;`
			`DEFINE FIELD actor ON TABLE audit_entries TYPE string;`
			`DEFINE FIELD details ON TABLE audit_entries FLEXIBLE TYPE object;`
			`DEFINE FIELD prev_hash ON TABLE audit_entries TYPE string;`
			`DEFINE FIELD block_hash ON TABLE audit_entries TYPE string;`

			`-- seq UNIQUE enforces monotonic ordering and prevents duplicate sequence numbers`
			`DEFINE INDEX audit_seq_idx ON TABLE audit_entries COLUMNS seq UNIQUE;`
			`-- entry_id UNIQUE for idempotent inserts`
			`DEFINE INDEX audit_entry_id_idx ON TABLE audit_entries COLUMNS entry_id UNIQUE;`
			`-- block_hash UNIQUE enforces Merkle chain integrity at the DB level`
			`DEFINE INDEX audit_block_hash_idx ON TABLE audit_entries COLUMNS block_hash UNIQUE;`
			`DEFINE INDEX audit_workflow_idx ON TABLE audit_entries COLUMNS workflow_id;`
			`DEFINE INDEX audit_event_type_idx ON TABLE audit_entries COLUMNS event_type;`
			`DEFINE INDEX audit_actor_idx ON TABLE audit_entries COLUMNS actor;`