{
"id": "app.matakite.audit",
"defs": {
"main": {
"key": "any",
"type": "record",
"record": {
"type": "object",
"required": [
"epoch",
"sequence",
"subjectUri",
"operation",
"observedAt",
"source",
"sourceRev",
"sourceTimeUs"
],
"properties": {
"epoch": {
"type": "string",
"format": "record-key",
"maxLength": 64,
"description": "Auditor-defined chronology epoch. Reference validators prohibit colon because it separates epoch from sequence in the record key. Sequence values are unique and monotonic within one auditor DID and epoch."
},
"record": {
"type": "unknown",
"description": "Exact public app.matakite.* source-record snapshot for create/update, including its $type. Omitted for delete/void. Reference validators require the $type to match the subject URI collection and its canonical DAG-CBOR CID to equal subjectCid. Unknown is used because common Lexicon validators do not currently validate record definitions nested through unions."
},
"source": {
"type": "string",
"maxLength": 640,
"description": "Observation transport. Provenance only; clients select trust by auditor DID and policy.",
"knownValues": [
"jetstream-legacy"
],
"maxGraphemes": 64
},
"sequence": {
"type": "integer",
"minimum": 1,
"description": "Auditor-issued total order within the epoch. This breaks observedAt ties and is the authoritative lifecycle order."
},
"voidNote": {
"type": "string",
"maxLength": 3000,
"description": "Optional public explanation for an operator-authorized void. Must not contain private source material.",
"maxGraphemes": 300
},
"operation": {
"type": "string",
"description": "Audit lifecycle entry. Create/update/delete mirror the source operation; void intentionally consumes an unrepresentable sequence. Reference validators reject unknown values until their lifecycle semantics are specified.",
"knownValues": [
"create",
"update",
"delete",
"void"
]
},
"sourceRev": {
"type": "string",
"format": "tid",
"description": "Source repository revision reported by the observation transport. It is repository-scoped provenance, not a global ordering key."
},
"observedAt": {
"type": "string",
"format": "datetime",
"description": "UTC time at which the auditor's durable intake first accepted the source event. Trusted scoring uses this time, not publication time."
},
"subjectCid": {
"type": "string",
"format": "cid",
"description": "CID observed for a create or update. Reference validators require the canonical DAG-CBOR CID of a create/update record snapshot to equal this value. For a delete or void, the last CID observed for the URI when known."
},
"subjectUri": {
"type": "string",
"format": "at-uri",
"description": "URI of the app.matakite.* source record observed by the auditor."
},
"voidReason": {
"type": "string",
"maxLength": 640,
"description": "Terminal exclusion reason. Required only for an explicitly operator-authorized void.",
"knownValues": [
"invalidSourceRecord",
"unsupportedSourceRecord",
"recordTooLarge",
"unrecoverable"
],
"maxGraphemes": 64
},
"previousCid": {
"type": "string",
"format": "cid",
"description": "CID previously observed at subjectUri when known. Meaningful only for update."
},
"sourceTimeUs": {
"type": "integer",
"minimum": 0,
"description": "Source event time_us in Unix microseconds. Retained for provenance and replay analysis; not used as trusted scoring chronology."
},
"sourceOperation": {
"type": "string",
"description": "Original repository operation. Required only when operation is void.",
"knownValues": [
"create",
"update",
"delete"
]
}
}
},
"description": "An append-only attestation that a policy-selected auditor observed an app.matakite.* record create, update, or delete, or intentionally voided an unrepresentable event. The auditor repository establishes observation chronology for clients that trust its DID; source-record createdAt and Jetstream time_us remain provenance rather than trusted time."
}
},
"$type": "com.atproto.lexicon.schema",
"lexicon": 1
}