{ "schema_version": "1.0", "baseline": "A-runtime-admin-phase-2b", "phase": "Phase 2b seed", "updated_at": "2026-04-19", "owner": "session_a", "honest_note": "Five canonical audit event envelopes, each grounded in docs/runtime/admin-control-plane/audit_event_model.json#base_shape with a real event_type drawn from event_types[]. These are PREVIEW shapes — nothing in Phase 2b delivers them to Kafka or WORM. The POST /api/policy/audit/preview endpoint renders envelopes in this exact shape for any (actor, action, subject) tuple. event_id values are frozen for doc stability; at runtime they would be ULID or aud-YYMMDD-{random8}.", "time_base_iso": "2026-04-19T06:00:00+07:00", "events": [ { "event_id": "aud-260419-1a2b3c4d", "event_type": "access.grant", "event_category": "access", "timestamp": "2026-04-19T05:30:12+07:00", "actor": { "user_id": "U-TA-1", "role_key": "tenant_admin", "tier": "admin", "tenant_id": "pty-zeroth", "assist_ctx_id": null, "view_as_ctx_id": null, "ip_fingerprint": "ip-sha256:aa11bb22", "user_agent_hash": "ua-sha256:cc33dd44" }, "subject": { "type": "case", "id": "CASE-002", "tenant_id": "pty-zeroth", "field_category": null }, "action": "read", "approval_refs": [], "mask_level_at_event": "unmasked", "session_ref": "sess-2026-04-19-a7b8", "reasons": [{"id": "tenant_sovereignty", "rule_ref": "access_policy.precedence_rules.prec-4"}], "producer": "admin-control-plane-service/2b-py-additive-0.1", "sink_status": "deferred", "honest_note": "Preview only · would go to ptt.audit.trail in Phase 2c" }, { "event_id": "aud-260419-2b3c4d5e", "event_type": "approval.granted", "event_category": "approval", "timestamp": "2026-04-19T05:55:03+07:00", "actor": { "user_id": "U-PG-1", "role_key": "platform_governance", "tier": "admin", "tenant_id": null, "assist_ctx_id": null, "view_as_ctx_id": null, "ip_fingerprint": "ip-sha256:ee55ff66", "user_agent_hash": "ua-sha256:77aabbcc" }, "subject": { "type": "asset", "id": "GEN-ASSET-87", "tenant_id": "pty-zeroth", "matrix_row": "row-sensitive-override" }, "action": "sign", "approval_refs": ["APP-260419-V200"], "mask_level_at_event": "unmasked", "session_ref": "sess-2026-04-19-c9d0", "reasons": [{"id": "dual_signer_complete", "rule_ref": "approval_queue_model.queue_shape.required_signer_count"}], "producer": "admin-control-plane-service/2b-py-additive-0.1", "sink_status": "deferred", "honest_note": "Second signer of a sensitive-override dual approval · full sign-off reached" }, { "event_id": "aud-260419-4d5e6f70", "event_type": "unmask.expired", "event_category": "access", "timestamp": "2026-04-19T06:55:00+07:00", "actor": { "user_id": "U-TA-2", "role_key": "tenant_admin", "tier": "admin", "tenant_id": "pty-zeroth", "assist_ctx_id": null, "view_as_ctx_id": null, "ip_fingerprint": "ip-sha256:gg77hh88", "user_agent_hash": "ua-sha256:99001122" }, "subject": { "type": "user", "id": "U-99", "tenant_id": "pty-zeroth", "field_category": "health" }, "action": "unmask_expired_auto", "approval_refs": ["APP-260419-P300"], "mask_level_at_event": "masked", "session_ref": "sess-2026-04-19-e1f2", "reasons": [{"id": "approval_expired", "rule_ref": "approval_queue_model.expiration_rules[0]"}], "producer": "admin-control-plane-service/2b-py-additive-0.1", "sink_status": "deferred", "honest_note": "Auto-revert to masked when approval TTL passed · prec-8 fail-safe" }, { "event_id": "aud-260419-5e6f7081", "event_type": "assist.start", "event_category": "assist", "timestamp": "2026-04-19T05:30:00+07:00", "actor": { "user_id": "U-SP-1", "role_key": "support_success", "tier": "staff", "tenant_id": null, "assist_ctx_id": "CR-assist-123", "view_as_ctx_id": null, "ip_fingerprint": "ip-sha256:jj99kk00", "user_agent_hash": "ua-sha256:33445566" }, "subject": { "type": "tenant", "id": "pty-zeroth", "case_ref": "CASE-002" }, "action": "assist_session_open", "approval_refs": [], "mask_level_at_event": "masked", "session_ref": "sess-assist-2026-04-19-b3c4", "reasons": [{"id": "tenant_granted_consent", "rule_ref": "assist_model.modes.assist.consent_required"}], "producer": "admin-control-plane-service/2b-py-additive-0.1", "sink_status": "deferred", "honest_note": "Support success opened assist session · 60min default TTL · case_ref attached" }, { "event_id": "aud-260419-6f708192", "event_type": "rollout.transition", "event_category": "transition", "timestamp": "2026-04-19T05:45:20+07:00", "actor": { "user_id": "U-DEC-1", "role_key": "dec_board", "tier": "admin", "tenant_id": null, "assist_ctx_id": null, "view_as_ctx_id": null, "ip_fingerprint": "ip-sha256:nn33oo44", "user_agent_hash": "ua-sha256:77889900" }, "subject": { "type": "flag_transition", "id": "flag:admin.control_plane_v1:transition:draft-to-internal", "matrix_row": "row-platform-global-propose" }, "action": "sign", "approval_refs": ["APP-260419-S800"], "mask_level_at_event": "n/a", "session_ref": "sess-2026-04-19-dec-07", "reasons": [{"id": "dec_seal_granted", "rule_ref": "approval_queue_model.queue_shape.required_signer_count"}], "producer": "admin-control-plane-service/2b-py-additive-0.1", "sink_status": "deferred", "honest_note": "DEC seal on flag transition · second signer · full sign-off · Phase 2c would fire the actual rollout state machine next" } ], "observability_note": "Running the audit preview endpoint also writes each envelope as a single NDJSON line to stdout. Operators can tail the service log to see exactly what would be delivered without any Kafka/WORM involvement.", "sink_status_global": "deferred", "delivery_mode_global": "preview-only" }