# pkcs11ex_audit v0.1.0 - Table of Contents

Append-only hash-chained audit log + RFC 3161 timestamp anchoring for pkcs11ex. Sister library; opt-in dep for deployments that need tamper-evident signature audit trails.

## Pages

- [pkcs11ex_audit](readme.md)
- [pkcs11ex_audit changelog](changelog.md)

## Modules

- [Pkcs11ex.Audit.CanonicalEncoding](Pkcs11ex.Audit.CanonicalEncoding.md): Stable canonical-bytes encoder for audit-chain hash inputs.

- Public API
  - [Pkcs11ex.Audit](Pkcs11ex.Audit.md): Append-only hash-chained audit log.
  - [Pkcs11ex.Audit.Entry](Pkcs11ex.Audit.Entry.md): A single entry in a hash-chained append-only audit log.

- Storage
  - [Pkcs11ex.Audit.Storage](Pkcs11ex.Audit.Storage.md): Pluggable storage backend for `Pkcs11ex.Audit`.
  - [Pkcs11ex.Audit.Storage.InMemory](Pkcs11ex.Audit.Storage.InMemory.md): In-memory audit log storage. Agent-backed; serializes appends through
the agent's mailbox.

- Anchoring
  - [Pkcs11ex.Audit.Anchor.RFC3161](Pkcs11ex.Audit.Anchor.RFC3161.md): RFC 3161 Time-Stamp Protocol — anchor an audit chain head against an
external Time-Stamping Authority (TSA).