Agent Operations Platform

Audit

Every governed action — tool call, model call, lifecycle change, policy decision — emits an immutable event with the full context that produced it. The vocabulary is uniform across the three control points, which means a single query can reconstruct an incident regardless of where it happened.

Dome Control Plane

LIVE

TimeAgentCallTokensResult

Workflow

Capture an action.Stream it everywhere.

The same loop applies to every event the platform produces. Captured at the source, enriched with context, streamed in real time, and exported to wherever your operators, SOC, or compliance team already lives.

01
Audit
Every governed action emits an immutable event at the source — Registry, Gateway, or Broker.
02
Observe
Query, tail, and filter from the UI, CLI, or API. Full caller chain on every event.
03
Stream
Subscribe to the live event stream for real-time monitoring, alerts, and downstream automation.
04
Export
Project events to your SIEM, lakehouse, or compliance evidence store. Dome remains the system of record.

Consistent operations

One vocabulary, three control points

A unified event model is what turns three independent enforcement points into a single accountable system. The Registry, Gateway, and Broker each emit their own event classes, but the shape is the same — same caller chain, same decision trace, same export targets.

Capture

Each control point emits a typed event at the moment of decision or transition.

Enrich

Caller chain, scope, policy version, and request digest attached automatically.

Stream

Live tail, query, and subscription APIs serve the events in real time.

Export

Projected to SIEM, lakehouse, or compliance evidence store — Dome stays the system of record.

Unified vocabulary

agent.* events from the Registry, tool.* from the Gateway, llm.* from the Broker, policy.* across all three. One schema. One query language. One audit story per incident.

Caller chain

Every event records the agent, the end-user act-as claim, the parent agent if chained, and the rule version that produced the decision. Reconstruct any path through the system.

Multiple sinks

Query from the UI or CLI, subscribe via the API for real-time downstream automation, or export to Splunk, Snowflake, S3, or any sink your operations team already runs.

Options

What audit lets you do

Beyond capturing events, the audit layer surfaces operational controls — what you can configure via the CLI, API, or Terraform to shape how events flow and persist.

Real-time subscriptions

Stream events as they happen via gRPC or webhook. SOC platforms and SOAR playbooks can trigger off Dome events without polling.

Query-time filtering

Filter by agent, workspace, decision, time window, or full-text. Save common queries; subscribe to filtered streams.

Multi-sink export

Mirror events to Splunk, Microsoft Sentinel, Datadog, Snowflake, BigQuery, or S3. Configure transformation and retention per sink.

Retention policies

Hot for query, warm for compliance, cold for archive. Per-tenant retention windows with automatic tiering and lifecycle.

Compliance evidence packs

Generate signed evidence bundles for any time window — useful for SOC 2, ISO 27001, and customer audit responses.

SDK-emitted events

Agents can emit custom events from inside the process via the SDK. These flow through the same pipeline as platform-emitted events, with the same caller chain attached.

In practice

From query to export

Audit is queryable from the UI, the CLI, and the API. The same events can be exported to SIEM, lakehouse, or compliance evidence stores.

Query and tailbash

# What did this agent do recently?
dome audit query --agent support-triage --since 1h

# Live tail
dome audit stream --agent support-triage

# Filter by decision
dome audit query \
  --workspace support \
  --decision deny \
  --since 24h

Export to your stackbash

# Export to Splunk
dome audit export splunk \
  --hec https://splunk.example.com/services/collector \
  --token $SPLUNK_HEC_TOKEN

# Stream to Snowflake or S3
dome audit export s3 \
  --bucket dome-audit-prod \
  --prefix workspace=support/

Caller chain

Full context on every event

An audit event records the full caller chain: this agent, on behalf of this user, calling this tool, with these arguments, against this rule version, with this outcome. That is the level of detail compliance and incident response need.

Example: a single tool.call eventjson

{
  "event": "tool.call",
  "ts": "2026-06-02T14:03:22.418Z",
  "agent": {
    "id": "agt_3mw7kp",
    "name": "support-triage",
    "workspace": "support"
  },
  "actas": {
    "subject": "jane.smith@example.com",
    "verified_by": "oidc"
  },
  "tool": "zendesk/update_ticket",
  "arguments_digest": "sha256:9b...",
  "decision": "allow",
  "policy": {
    "version": "v23",
    "rule": "workspace/support/zendesk.cedar#L12"
  }
}

Architecture

Where audit fits

Audit is part of the control plane beneath the three control points. Every governed action flows through the same event vocabulary, which is what makes the platform legible end-to-end.

User

Dome

Environment

Experience

Capabilities

Integrations

User

UX Surface

CodeToolModel

Runtime

Dome

SDK API CLI MCP

Registry Gateway Broker

Authorization Audit

Management

IdP APM SIEM Secrets SOAR

Environment

Self-managedHosted

Audit

Capture an action.Stream it everywhere.

Audit

Observe

Stream

Export

One vocabulary, three control points

Unified vocabulary

Caller chain

Multiple sinks

What audit lets you do

Real-time subscriptions

Query-time filtering

Multi-sink export

Retention policies

Compliance evidence packs

SDK-emitted events

From query to export

Full context on every event

Where audit fits