Structured Audit Logging
The HTTP runner service (ainl-runner-service, scripts/runtimerunnerservice.py) emits structured JSON log events for /run and /enqueue execution paths: runstart, per-adaptercall, runcomplete / runfailed, and policyrejecte
Structured Audit Logging
The HTTP runner service (ainl-runner-service, scripts/runtime_runner_service.py) emits structured JSON log events for /run and /enqueue execution paths: run_start, per-adapter_call, run_complete / run_failed, and policy_rejected when policy rejects a request before execution.
Not the same surface: embedding RuntimeEngine directly (e.g. CLI ainl run, tests, scripts/run_intelligence.py, MCP ainl_run) does not emit this JSON audit stream by default. Those paths may expose traces, counters (e.g. adapter call limits), or host logs, but not the runner’s structured event schema unless you wrap execution in a layer that emits it. For CLI-side per-step JSONL beside the .ainl file, see ../trajectory.md (--log-trajectory / AINL_LOG_TRAJECTORY) — that file is not the runner audit schema below.
This doc describes runner HTTP API audit events only. Audit logging is part of the runtime/host layer for that deployment shape. AINL provides the events from the runner; the hosting environment decides how to collect, store, and act on them. AINL does not provide a log aggregation service or alerting system.
Event types
run_start
Emitted at the start of every /run or /enqueue execution.
| Field | Type | Description |
|---|---|---|
| event | "run_start" | Event type |
| ts | ISO 8601 | UTC timestamp |
| trace_id | UUID | Unique execution trace |
| replay_artifact_id | string | Caller-supplied artifact ID |
| label | string | Requested entry label |
| policy_present | bool | Whether policy rules are active |
| limits_summary | object | Effective runtime limits |
adapter_call
Emitted for every adapter invocation during execution.
| Field | Type | Description |
|---|---|---|
| event | "adapter_call" | Event type |
| ts | ISO 8601 | UTC timestamp |
| trace_id | UUID | Execution trace |
| replay_artifact_id | string | Caller-supplied artifact ID |
| adapter | string | Adapter name (e.g. core, http) |
| verb | string | Adapter verb (e.g. Get, ADD) |
| duration_ms | float | Call duration in milliseconds |
| status | "ok" or "error" | Whether the call succeeded |
| args | array | Redacted call arguments |
| result_hash | string or null | SHA-256 of the JSON-serialised result |
| error_summary | string | Redacted error message (only on failure) |
run_complete
Emitted after successful execution.
run_failed
Emitted after execution failure (runtime error, not policy rejection).
policy_rejected
Emitted when a request is rejected by policy validation before execution.
Includes replay_artifact_id for traceability.
Safety properties
- No raw results in logs: only
result_hash(SHA-256) is logged. - Args are redacted: sensitive tokens (authorization, password, etc.)
are replaced with
[REDACTED]. - Error messages are redacted and truncated to 200 characters.
- Timestamps are UTC ISO 8601 for consistent cross-system correlation.
Relation to trajectory sandbox fields
When using CLI/runtime trajectory JSONL (docs/trajectory.md) with the optional sandbox shim connected, per-step rows may include avm_event_hash, sandbox_session_id, sandbox_provider, and isolation_hash. Those fields are additive to trajectory logging and are separate from the runner's ainl.runner structured audit stream documented here.
Usage
Audit logs are emitted via Python's logging module under the
ainl.runner logger at INFO level. To capture them:
import logging
logging.getLogger("ainl.runner").setLevel(logging.INFO)
For production deployments, configure a structured log handler (e.g.
JSON file handler, log aggregation service) on the ainl.runner logger.