records
Configure the behavioral ledger for a machine. The records section controls what execution data is captured, how it is protected, how long it is kept, and what fields are redacted for privacy. Every machine execution produces behavioral ledger entries by default (ExecStart, StepRecords, PolicyDecisions, ExecEnd); this section lets you customize the scope and policy of that recording.
When to use
Use records when you need to:
- Enable or disable specific event categories
- Configure hash chain integrity for tamper-evident traces
- Set data retention policies (how long traces are kept)
- Redact sensitive fields from ledger entries (PII, secrets, credentials)
Most machines can omit records and rely on the default configuration (all events enabled, standard integrity, no redaction). Use it when you have specific compliance, privacy, or storage requirements.
Syntax
```
records
  events
    <category>: <enabled|disabled>
  integrity
    <setting>: <value>
  retention
    <setting>: <value>
  redaction
    <field_path>: <strategy>
```
Subsections
events
Control which categories of behavioral ledger events are recorded.
```
events
  behavioral: enabled
  governance: enabled
  performance: enabled
  debug: disabled
```
| Category | Default | Description |
|---|---|---|
| behavioral | enabled | Step execution records (inputs, outputs, timing) |
| governance | enabled | PolicyDecision events (allow, deny, redact, warn) |
| performance | enabled | Timing, token usage, cost metrics |
| debug | disabled | Verbose debug-level trace data |
integrity
Configure tamper-evident hash chaining for the behavioral ledger. Each step event contains (event_hash, prev_hash, index) forming an append-only chain (Inv 6: Trace Integrity).
```
integrity
  hash_algorithm: "sha256"
  chain: enabled
```
| Setting | Default | Description |
|---|---|---|
| hash_algorithm | "sha256" | Hash function for event hashes |
| chain | enabled | Whether to chain event hashes (disable only for ephemeral machines) |
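What an auditor's check of such a chain can look like, as an added example that is not the project's own code. The hash construction (SHA-256 over canonical JSON of `index`, `prev_hash` and a `payload` field), the all-zero genesis value, and the externally stored head hash are assumptions; only the field names `event_hash`, `prev_hash` and `index` come from this page.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first event (index 0)

def event_hash(index, prev_hash, payload):
    """Assumed construction: SHA-256 over canonical JSON of the three fields."""
    body = json.dumps({"index": index, "prev_hash": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append(ledger, payload):
    """Append-only write: each new event commits to the hash of the previous one."""
    prev = ledger[-1]["event_hash"] if ledger else GENESIS
    index = len(ledger)
    ledger.append({"index": index, "prev_hash": prev, "payload": payload,
                   "event_hash": event_hash(index, prev, payload)})

def verify_chain(ledger, expected_head=None):
    """Return (ok, reason). expected_head is a head hash kept outside the ledger."""
    prev = GENESIS
    for pos, ev in enumerate(ledger):
        if ev["index"] != pos:
            return False, f"index gap or reorder at position {pos}"
        if ev["prev_hash"] != prev:
            return False, f"broken link at index {pos}"
        if ev["event_hash"] != event_hash(ev["index"], ev["prev_hash"], ev["payload"]):
            return False, f"content mismatch at index {pos}"
        prev = ev["event_hash"]
    # A tail truncation or a full recomputation is internally consistent;
    # only a head hash anchored elsewhere exposes it.
    if expected_head is not None and prev != expected_head:
        return False, "head hash differs from anchored value"
    return True, "ok"

def build_sample():
    """Constructed sample ledger using the event names listed on this page."""
    ledger = []
    for payload in ({"type": "ExecStart"},
                    {"type": "StepRecord", "step": "lookup"},
                    {"type": "PolicyDecision", "decision": "allow"},
                    {"type": "ExecEnd"}):
        append(ledger, payload)
    return ledger
```

Editing or deleting an event in the middle fails verification on its own; dropping events from the end passes unless the verifier also compares against a head hash stored outside the ledger.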
retention
Set how long behavioral ledger data is kept before automatic cleanup.
```
retention
  duration: "90d"
  archive: enabled
```
| Setting | Default | Description |
|---|---|---|
| duration | "90d" | Retention period. Supported units: d (days), h (hours), w (weeks) |
| archive | disabled | Whether to archive (compress) data before deletion |
redaction
Declare fields that should be redacted from ledger entries. This is essential for machines that handle PII, credentials, or other sensitive data. Redaction happens at write time; once redacted, the original values are not recoverable from the ledger.
```
redaction
  input.password: "mask"
  input.ssn: "hash"
  steps.fetch_user.email: "mask"
```
| Strategy | Description |
|---|---|
| "mask" | Replace with ***REDACTED*** |
| "hash" | Replace with a one-way hash (preserves equality comparison without revealing value) |
| "drop" | Remove the field entirely from the ledger entry |
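How the three strategies behave when applied to an entry before it is written, as an added example that is not the project's own code. The nested-dict entry layout, the `redact` function, and the use of a keyed HMAC-SHA256 for "hash" are assumptions; the field paths and strategy names are taken from the examples on this page.

```python
import copy
import hashlib
import hmac

MASK = "***REDACTED***"  # replacement text from the strategy table
STRATEGIES = {"mask", "hash", "drop"}

def redact(entry, rules, key):
    """Return a redacted copy of entry; rules maps dotted field paths to strategies."""
    unknown = set(rules.values()) - STRATEGIES
    if unknown:
        # Fail closed: a misspelled strategy must not let the raw value through.
        raise ValueError(f"unknown redaction strategy: {sorted(unknown)}")
    out = copy.deepcopy(entry)  # the caller's original is never modified
    for path, strategy in rules.items():
        *parents, leaf = path.split(".")
        node = out
        for part in parents:
            node = node.get(part) if isinstance(node, dict) else None
            if node is None:
                break
        if not isinstance(node, dict) or leaf not in node:
            continue  # field absent from this entry: nothing to redact
        if strategy == "mask":
            node[leaf] = MASK
        elif strategy == "drop":
            del node[leaf]
        else:
            # Assumption: keyed HMAC. An unkeyed hash of a small-domain value
            # such as an SSN can be matched by enumerating candidates; whether
            # the runtime keys its hash is not stated on this page.
            node[leaf] = hmac.new(key, str(node[leaf]).encode("utf-8"),
                                  hashlib.sha256).hexdigest()
    return out

# Rules combined from the redaction examples on this page.
RULES = {"input.password": "mask", "input.ssn": "hash",
         "input.phone": "drop", "steps.fetch_user.email": "mask"}

# Constructed sample entry; all values are fake.
SAMPLE_ENTRY = {
    "input": {"password": "hunter2", "ssn": "000-00-0000", "phone": "555-0100"},
    "steps": {"fetch_user": {"email": "user@example.test", "status": 200}},
}
```

Two entries carrying the same `input.ssn` produce the same digest under the same key, which is the equality comparison the "hash" strategy preserves; fields not named in the rules, such as `status` here, are written unchanged.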
Examples
Compliance-oriented configuration
```
machine financial_processor
  records
    events
      behavioral: enabled
      governance: enabled
      performance: enabled
    integrity
      hash_algorithm: "sha256"
      chain: enabled
    retention
      duration: "7y"
      archive: enabled
    redaction
      input.account_number: "mask"
      input.ssn: "hash"
      steps.lookup.balance: "mask"
```
Minimal configuration (disable debug noise)
```
machine utility_worker
  records
    events
      debug: disabled
    retention
      duration: "7d"
```
Privacy-first with aggressive redaction
```
machine user_profiler
  records
    redaction
      input.email: "hash"
      input.name: "mask"
      input.phone: "drop"
      steps.enrich.address: "mask"
```
Canonical ordering
records appears after optimizes and before verifies:
```
machine name
  ...
  ensures ...
  optimizes ...
  records ...      <-- here (section 9)
  verifies ...
```
Governance
The records section is itself part of the governance story. The behavioral ledger is the foundation for several runtime invariants:
- Inv 0 (Execution Contract): Every execution has ExecStart/ExecEnd events with hashes
- Inv 4 (Decision Completeness): Every governance decision is recorded append-only
- Inv 6 (Trace Integrity): Hash chains make the ledger tamper-evident
- Inv 7 (Measurement First-Class): Every run produces measures (cost, latency, success/failure)
Disabling events or integrity via records does not exempt a machine from governance mediation. Steps are still governed; the difference is whether the trace is captured. In production, disabling behavioral or governance events is strongly discouraged because it breaks auditability.
Translations
| Language | Keyword |
|---|---|
| English | records |
| Spanish | registra |
| French | enregistre |
| German | protokolliert |
| Japanese | 記録 |
| Chinese | 记录 |
| Korean | 기록 |
Sub-keywords
| English | Spanish | French | German | Japanese | Chinese | Korean |
|---|---|---|---|---|---|---|
| events | eventos | evenements | Ereignisse | イベント | 事件 | 이벤트 |
| integrity | integridad | integrite | Integritat | 整合性 | 完整性 | 무결성 |
| retention | retencion | retention | Aufbewahrung | 保持 | 保留 | 보존 |
| redaction | redaccion | expurgation | Schwarzung | 墨消し | 编辑 | 편집 |
See also
- ensures - Governance rules that produce PolicyDecision events
- optimizes - Metrics derived from the data records captures
- implements - Steps that produce StepRecord events