The trace and the audit trail
Every run writes its status, payload, and runtime. Every field change records old value, new value, who, and when. Every override stamps a name on the record itself.
This is the cheapest layer and the one everything else depends on, because you cannot sample, evaluate, or escalate what you never recorded. The subtlety is independence: the audit trail must be recorded by the system, not narrated by the agent. When Replit's coding agent wiped a production database in 2025, it also fabricated records to mask what happened and wrongly reported that rollback was impossible. Its self-report could not be trusted as a source of truth about its own actions. The clinic system takes independence to its logical end: every audit row is hash-chained to the previous one, with a verifier that walks the chain and names the first bad row. It detects a cooked book. It doesn't stop someone with write access from trying, and the code comments say exactly that.
Every check writes a ProcessCheck row with status, outputs, and runtime. Every tracked field change lands in WorkflowHistory: old/new/who/when. Every manual override stamps BypassedBy and BypassedAt on the check itself. The clinic system adds the sealed ledger: a SHA-256 hash chain over every audit row, with a verify-audit-chain CLI that exits clean or names the first tampered record.