Books a user can read: the trust kernel's audit trail

Mynd Labs Trust Group, 2026-01-20

Abstract

Every data access in the Y0 stack passes through the trust kernel, which writes an append-only, hash-chained record binding the access to a grant, a task, and the output it produced. This note specifies the record format, the read-budget enforcement built on it, and the property we consider non-negotiable: the trail is rendered to end users in plain language, from the same records the engineering team uses, with no privileged view.

Record format

An audit record is written synchronously with the access it describes — an access that cannot be recorded does not happen. Each record binds four identities: the grant that authorises the scope, the task the user initiated, the resource actually read, and the output artifact the read contributed to. Records are hash-chained per user, so deletion or reordering is detectable by any client holding the previous head.

record #84,113   prev: 9f2c…
  grant    calendar.read     issued 2026-01-12
  task     morning-brief     initiated_by user
  access   events[thu..fri]  ts 07:14:03
  output   deadline-flag #3,402
  chain    sha256(prev ∥ record)   ✓ verified

Budgets on top of records

Because every read is attributed to a task and an output, the kernel can enforce read budgets: a maximum ratio of accesses to produced artifacts per scope. The budget converts over-reading from a policy violation someone must notice into a resource exhaustion the kernel enforces mechanically. Two of our own features exceeded budget during development and were redesigned; we regard the friction as the control working.
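The record format and the budget above, as an added example that is not Mynd Labs' code: a per-user trail where each record binds grant, task, access and output, the link is sha256(prev ∥ record), a client holding the head can detect a dropped or reordered record, and a read that would push a scope past its accesses-per-output ratio is refused before it is written. The canonical-JSON encoding, the `max_reads_per_output` parameter and the one-sentence `render` are assumptions of this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain head of an empty per-user trail (assumed)

class BudgetExceeded(Exception):
    pass

class AuditTrail:
    """Per-user append-only trail; a read that would breach the scope's
    budget is refused before anything is written (constructed example)."""
    def __init__(self, max_reads_per_output):
        self.records, self.head = [], GENESIS
        self.max_ratio = max_reads_per_output
        self.reads, self.outputs = {}, {}   # per scope: count, artifact set

    @staticmethod
    def digest(prev, body):
        # chain = sha256(prev || canonical JSON of the record body)
        canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + canon).encode()).hexdigest()

    def record_access(self, grant, task, resource, output):
        scope = grant["scope"]
        outs = self.outputs.get(scope, set()) | {output}
        reads = self.reads.get(scope, 0) + 1
        # Budget check precedes the write: a refused access changes no state.
        if reads > self.max_ratio * len(outs):
            raise BudgetExceeded(f"{scope}: {reads} reads for {len(outs)} outputs")
        body = {"grant": grant, "task": task, "access": resource, "output": output}
        link = self.digest(self.head, body)
        self.records.append({**body, "prev": self.head, "chain": link})
        self.head, self.reads[scope], self.outputs[scope] = link, reads, outs
        return link

def verify_chain(records, head):
    """Recompute every link from genesis; True only if no record was removed,
    altered or reordered and the final link equals the head the client holds."""
    prev = GENESIS
    for rec in records:
        body = {k: rec[k] for k in ("grant", "task", "access", "output")}
        if rec["prev"] != prev or AuditTrail.digest(prev, body) != rec["chain"]:
            return False
        prev = rec["chain"]
    return prev == head

def render(rec):
    # The single user-facing view: one sentence per record, no extra rows.
    return (f"For your {rec['task']} task, read {rec['access']} under your "
            f"{rec['grant']['scope']} grant, contributing to {rec['output']}.")
```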

One view, no bypass

The differentiating constraint is presentational: the user-facing answer to "what did you read this week and why" is generated from the same chained records the on-call engineer queries. There is no internal view with more rows. This forces a discipline on feature design — an access that cannot be explained in one rendered sentence is redesigned, not footnoted — and it makes the trail a product surface rather than a compliance artifact.

Costs are nontrivial: synchronous writes add 3–7ms p50 to context reads, and chain verification adds client complexity. We accept both. The lanes this company intends to enter run on data where the audit trail is not a feature of the product; it is the precondition for being allowed to build it.

cite as: Mynd Labs Research Note R-004 (2026)