---
name: regulatory-logging
description: >
  Audit-logging rules for regulated flows. Use whenever code creates, modifies, or
  deletes a financial transaction, or touches the audit_events table.
---

# Regulatory Logging

Every state change to a transaction MUST emit an audit event.

## Required fields
- actor_id, actor_type (human|service|agent)
- before_state, after_state (redacted per the `pii-handling` skill)
- correlation_id, timestamp (UTC RFC3339)

## How
- Call `audit.Emit(ctx, event)` — never write `audit_events` directly.
- Retention: 7 years. Never write code that deletes from `audit_events`.

## Validate
- Confirm every transaction mutation has a matching emit before marking done.

Keep bulky field tables / validators in references/ and scripts/ (tier-3).