Replay an Incident

When something goes wrong — an agent made a call it shouldn't have, or was blocked unexpectedly — ShadowAudit lets you replay the exact decision to understand what happened and why.

Finding the relevant entry

# Search by agent ID
shadowaudit logs --agent finance-agent --json

# Review recent events
shadowaudit logs --audit-log audit.db --limit 100

Note the entry_hash or payload_hash from the JSON output.

Viewing a trace

shadowaudit trace a1b2c3d4

Output:

Trace ID:     a1b2c3d4
Timestamp:    2024-01-15 10:23:01 UTC
Agent ID:     finance-agent
Capability:   payments.transfer
Payload hash: sha256:e3b0c4...

Risk evaluation:
  Score: 82 / 100
  Keywords matched: ["transfer", "external_account"]
  Threshold: 70

Policy rules evaluated:
  Rule 1 (deny, amount_gt=50000): not matched (amount=2500)
  Rule 2 (require_approval, amount_gt=1000): MATCHED (amount=2500)

Decision:     require_approval
Reason:       threshold_exceeded
Policy file:  policies/payments_agent.yaml (sha256:c8d1f2...)

Replaying against a different policy

If you've updated your policy and want to see how the incident would have been handled:

# Replay the captured trace
shadowaudit replay incident.jsonl

This replays the captured payloads and prints deterministic replay output.

Replaying a batch of entries

Replay an entire time window against a policy:

shadowaudit simulate --trace-file daily.jsonl --taxonomy policies/new_policy.yaml --compare

This is useful for validating a policy change before deploying it.

Verifying log integrity before replay

Always verify the audit chain before relying on replay results:

shadowaudit verify --audit-log ./audit.db
✓ Audit chain intact. 1,284 entries verified.

If the chain is broken, the replay cannot be trusted.

Related concepts

• Replayability
• Audit chain
• FlowTracer API