Regulatory & compliance

Mandatory review is triggered automatically when confidence is below thresholds, evidence is missing, or fields are null.

Every event is written to audit.jsonl with timestamps, action type, and structured payload.

Screenshots and artifacts are retained alongside events for independent review.

Audit exports include SHA-256 hashes and Ed25519 signatures over the manifest.

Production signing uses customer-owned keys (AWS KMS default; Azure/GCP supported). Offline verification is supported.