Audit Orchestrator (MCP)

One audit run.
Every engine.
Tamper-evident proof.

The Master Control Plane coordinates static scanning, runtime testing, compliance wizards, and regulatory checks into a single provenance-tracked audit run. SHA-256 hash-chained event logs prove exactly what was tested, when, and by whom.

148 Automated Tests: 95 integration + 53 adversarial
7 Attack Scenarios Survived: concurrent races, tamper, session expiry
SHA-256 Hash-Chained Event Log: every transition is tamper-evident
0 Silent Failures: fail-closed architecture throughout

Deterministic State Machine

Every audit run follows a strict, auditable state machine. Engines execute in sequence. Each transition is hash-chained. No shortcuts, no silent skips.

Created -> Inventory -> Static Scan -> Runtime Test -> Wizard -> Regulatory -> Completed

Engines can be skipped (static_skipped, runtime_skipped, etc.). Terminal states: completed, failed, cancelled, integrity_compromised.

For CISOs & Security Leaders

Built for Zero-Trust Audit Environments

Every security claim below is verified by automated tests. No marketing. No aspirational features. Only what the code does today.

Tamper-Evident Audit Trail

Every state transition is SHA-256 hash-chained. Modifying any event breaks the chain. The system detects tampering and marks the run as integrity_compromised — no silent pass.

Atomic State Transitions

cancelRun, failRun, and createRun use Prisma $transaction with ReadCommitted and Serializable isolation levels. No race conditions, no partial state corruption.

Zero-Trust Webhook Auth

CI webhooks use SHA-256 full-token hash comparison (not prefix-only), 5-minute replay protection window, and per-org rate limiting at 10 requests/minute.

Tenant Isolation Enforced

Every API route checks session + userId ownership. Cross-org access returns 403. Unauthenticated requests return 401. No exceptions.

Provenance Chain

Config snapshot frozen at run start. Engine versions captured at start and end. Version drift detected automatically. Run fingerprint = SHA-256(configHash + engine hashes + event log hash).

Adversarial-Hardened

Tested against 7 adversarial scenarios: concurrent startRun races, cancel-during-completion, cross-org webhook abuse, commitSha mismatch, event row tampering, 5MB payloads, and session expiry.

For Compliance Managers

One Dashboard. Every Engine. Complete Visibility.

Stop juggling separate scan results. The Audit Orchestrator gives you a single run with a unified score, downloadable audit pack, and real-time progress tracking.

One Run, Every Engine

Configure which engines to run (static, runtime, wizard, regulatory), set jurisdiction, and launch. The orchestrator sequences everything automatically.

Unified Risk Score

Weighted composite score across all engines. See exactly where your AI system stands — not scattered across 4 different dashboards.

Real-Time Progress

Poll-driven state machine shows exactly which engine is running, which completed, and which were skipped. Heartbeat monitoring detects stale runs.

Downloadable Audit Pack

JSON or HTML report containing all engine results, provenance hashes, config snapshot, and event log summary. One artifact for your auditor.

CI/CD Integration

Attach CI scan results to audit runs via webhook. 6-point validator checks existence, ownership, freshness, commitSha match, contract compatibility, and no double-attach.
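A fail-closed version of the six-point validator described above, added here as an example and not the project's own code. The run and scan record shapes, the 24-hour freshness limit and the contract-compatibility rule (same major version, minor at or above a minimum) are assumptions; the six check names follow the page.

```javascript
// Added example, not the project's own validator. Record shapes, the freshness
// limit and the contract rule are assumptions; the six checks are from the page.
const FRESHNESS_MS = 24 * 60 * 60 * 1000;             // assumed: scans older than a day are stale
const SUPPORTED_CONTRACT = { major: 1, minMinor: 2 };  // assumed: same major, minor >= 2

// Evaluate the checks in order and stop at the first failure. A check that
// throws (for example because a field is missing) counts as a failure, never a pass.
function validateCiAttach({ run, scan, orgId, now }) {
  const checks = [
    ["existence", () => Boolean(run) && Boolean(scan)],
    ["ownership", () => run.orgId === orgId && scan.orgId === orgId],
    ["freshness", () => now - Date.parse(scan.completedAt) <= FRESHNESS_MS],
    ["commitSha", () => /^[0-9a-f]{7,40}$/i.test(scan.commitSha)
      && run.commitSha.toLowerCase() === scan.commitSha.toLowerCase()],
    ["contract", () => scan.contract.major === SUPPORTED_CONTRACT.major
      && scan.contract.minor >= SUPPORTED_CONTRACT.minMinor],
    ["doubleAttach", () => run.attachedScanId == null],
  ];
  let passed = 0;
  for (const [name, check] of checks) {
    let ok = false;
    try { ok = check() === true; } catch (e) { ok = false; }
    if (!ok) return { valid: false, failedCheck: name, checksPassed: passed };
    passed += 1;
  }
  return { valid: true, checksPassed: passed };
}

// Constructed sample records (not real data).
const SAMPLE_RUN = { runId: "run_1", orgId: "org_a", commitSha: "abc123def456", attachedScanId: null };
const SAMPLE_SCAN = {
  scanId: "ci-scan-001", orgId: "org_a", commitSha: "abc123def456",
  completedAt: "2026-02-13T09:00:00Z", contract: { major: 1, minor: 3 }, status: "completed",
};
const SAMPLE_NOW = Date.parse("2026-02-13T10:00:00Z");
```

Returning the name of the failed check lets the webhook respond with a specific rejection while the attach itself stays all-or-nothing: a scan is only attached when all six checks pass, and the ownership check runs before any data from the scan is trusted.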

Version Drift Detection

Engine versions captured at run start and end. If any engine was updated mid-run, drift is flagged in the audit pack.

For Developers

RESTful API. Webhook Integration. Full Control.

8 API endpoints. Session-based auth. JSON responses. Integrate audit runs into your CI/CD pipeline or trigger them from your own dashboard.

Create a Run

POST /api/audit-orchestrator
{
  "aiSystemId": "sys_abc123",
  "engines": {
    "static": { "enabled": true, "executionMode": "ui" },
    "runtime": { "enabled": true },
    "wizard": { "enabled": true, "framework": "soc2" }
  },
  "jurisdiction": "nyc_ll144"
}

Poll Status

GET /api/audit-orchestrator/{runId}

// Response
{
  "status": "static_running",
  "currentEngine": "static",
  "overallScore": null,
  "lastHeartbeatAt": "2026-02-13T..."
}

Verify Chain Integrity

GET /api/audit-orchestrator/{runId}/verify-chain

// Response
{
  "chainValid": true,
  "eventsVerified": 13,
  "finalEventHash": "a3f8c2..."
}

CI Webhook

POST /api/audit-orchestrator/webhook/ci-complete
Authorization: Bearer <API_KEY>
{
  "scanId": "ci-scan-001",
  "repositoryUrl": "https://github.com/org/repo",
  "commitSha": "abc123def456",
  "status": "completed",
  "correlationId": "unique-id"
}

Full API documentation in SYSTEM-OF-RECORD.md, Section 2.6

Adversarial-Hardened. 148 Tests. Zero Failures.

We don't just test happy paths. We attack our own system with the same scenarios a malicious actor would use.

Two concurrent startRun calls: exactly 1 succeeds. Unique constraint prevents duplicates.
cancelRun during recordEngineCompletion: all 5 rounds end in a valid state. Atomic transactions enforced.
Webhook with valid key but wrong org: 403 Forbidden. Ownership check rejects cross-org scans.
CI scan with wrong commitSha: 6-point validator rejects. commitSha mismatch detected.
Tamper with event row in database: chain breaks at the tampered seq. Cascade effect on subsequent events.
5MB dummy findings payload: server handles without crash. DB stores successfully.
Session expiry mid-run: all 4 endpoints reject with 401. Stale detection catches the abandoned run.

Ready to run your first unified audit?

One click. Every engine. Tamper-evident proof. Download your audit pack and hand it to your auditor.