Second slice of the Welcome surface. Operator-facing
documentation now lives inside Studio as bundled assets and
renders inline via a modal sheet — no browser, no external
link, air-gap-tauglich.
- Four operator-readable explainers under `assets/docs/`,
each with an EN + DE pair:
architecture[_de].md — Hub / Module / Flow + how they fit
security[_de].md — sandbox model, declared perms,
operator ceiling
audit[_de].md — hash-chained log, WORM-1 mechanics,
`fai admin verify-events`
flows[_de].md — flow YAML, templating reference,
extract→summarize example
These are short (≈ 300-500 words each), operator-shaped
prose. Not copies of the architecture docs in
fai_platform/docs/architecture/ — those are
contributor-dense.
- pubspec.yaml declares `assets/docs/` so the markdown ships
inside the Studio binary. Air-gap deployments read them
with no network access.
- New `_DocReaderSheet` modal: 85 %-of-viewport bottom sheet,
drag handle + title bar with the doc icon and close button,
scrollable Markdown body styled to match Studio chrome.
Loads `assets/docs/<slug>_<locale>.md` first, falls back to
the EN file. Locale comes from
`Localizations.localeOf(context)`.
- `_DocsRow` on the Welcome page sits below the trust-posture
deck. Two-column grid on ≥ 640 dp, single column below.
Each card is icon + title + one-line blurb + chevron;
click opens the reader sheet for that slug.
- 12 new ARB keys for the docs section (header, blurb, four
card titles + blurbs, close button, error message).
- 4 new icons reused: `account_tree_outlined` (architecture),
`shield_outlined` (security), `verified_outlined` (audit),
`alt_route_outlined` (flows).
Implements Phase B of `docs/landing-page-design.md`. Phase C
(live getting-started checklist with persistent state) is the
last remaining slice.
Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
2.3 KiB
Tamper-evident audit log
Every action the hub takes goes into one append-only event log. Module installs, flow runs, approval decisions, channel switches, daemon restarts — all recorded with the same shape.
What an event looks like
timestamp: 2026-05-08T14:32:11Z
event_id: ev_01H...
event_type: flow.completed
flow_name: extract-summarize
flow_execution: fe_01H...
duration_ms: 1240
module_name: text.summarize
module_version: 0.1.0
detail: { engine: "ollama", model_name: "gemma3:4b",
model_digest: "sha256:..." }
prev_event_sha256: 6f4e...8b5f
The prev_event_sha256 field is the key. Every new event
hashes its content together with the previous event's hash. To
falsify event N, an attacker would need to rewrite every event
from N+1 onwards — and the chain head would no longer match
what the operator's last verification recorded.
What "WORM-1" means
WORM-1 is our first WORM (write-once-read-many) tier:
- Append-only: the hub never deletes individual events.
The CLI / RPC has a single batch operation,
clear_event_log, which wipes the channel and seeds achain.resetmarker carrying reviewer + reason. Refused on beta / production channels. - Tamper-evident: the chain reveals any retroactive edit.
Verification runs end-to-end on every Doctor-page load and
via
fai admin verify-events. - Self-contained: SQLite + chain hash is enough; no external WORM sink needed.
WORM-2 (Linux append-only file attribute) and WORM-3 (external WORM sink) are roadmap items, not yet shipped.
What you'll see in this app
- Doctor → Event log: live "chain intact" / "tamper detected" indicator with verified-event count. Click "Verify now" for an explicit re-check.
- Audit page: live stream of recent events with filter chips (flow / step / module). Click any row to see the full event JSON.
- Doctor → Daemon files → Audit-DB: reveals the SQLite file in your file manager.
Reading the chain by hand
If you want to verify outside Studio:
fai admin verify-events
# Prints "Hash chain intact: N events verified" or names the
# first event whose hash mismatches.
The chain is the source of truth — every other audit-related piece of UI in Studio reads from it.