> ## Documentation Index
> Fetch the complete documentation index at: https://docs.eventdbx.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Auditability

> Trace every decision across time with append-only histories and proofs.

EventDBX bakes auditability into the storage model. Every event carries human-readable metadata, snapshots supply quick checkpoints, and Merkle proofs give you cryptographic evidence when regulators ask “how do you know?”.

## Build complete timelines

Use metadata to capture actor, channel, and reason for each event (metadata keys must start with `@` and stay within the size limit):

```bash theme={null}
dbx aggregate apply person p-110 person_address_changed \
  --payload '{"city":"New York","country":"US"}' \
  --metadata '{
    "@actor":"csr-22",
    "@ticket":"INC-4922",
    "@source":"support-portal"
  }'
```

Later, fetch the state and events together:

```bash theme={null}
dbx aggregate get person p-110 --include-events
```

Include snapshots when sharing with audit teams so they can see derived state without replaying the entire list:

```bash theme={null}
dbx aggregate snapshot person p-110 --comment "quarterly review"
```

## Verify integrity

Recompute the Merkle root and share it with auditors alongside the snapshot:

```bash theme={null}
dbx aggregate verify person p-110 --json > verify.json
```

`verify.json` contains the aggregate type/id and Merkle root. Pair it with the exported snapshot so auditors can detect tampering. Per-event proof paths are not emitted; use the Merkle root as the checksum.

## Schema change audit log

Schema versions carry an audit trail of who published or activated them and why:

```bash theme={null}
dbx tenant schema history payments --audit
```

The audit log entries capture the actor (overridable via `--actor`) and optional reason (`--reason`) supplied to `dbx schema publish` / `dbx schema activate`.

## Tamper-evident exports

When exporting data for regulators or partners:

1. Generate a domain backup: `dbx backup --output /backups/eventdbx.tar.gz`.
2. Sign the archive (e.g., `gpg --detach-sign /backups/eventdbx.tar.gz`).
3. Provide the signature plus aggregate Merkle roots in the transfer manifest.

Anyone can verify the signature plus the Merkle proof to ensure nothing changed in transit.

## Operational playbook

* **Incident review**: pull the relevant aggregates, replay commands, and attach proofs to the RCA.
* **Access review**: compare aggregate histories and schema audit logs with token issuance records to confirm only authorized actors touched sensitive data.
* **Policy enforcement**: reject events that violate schema (set `--restrict strict`) and require metadata keys so context is always captured.

Because EventDBX never mutates prior events, you always have the source data needed to answer “what happened, when, and who did it?”.
