Verify the audit trail
OpenTRMS exposes both the business-facing deal history and the lower-level audit surface for aggregate events and hash-chain verification. This guide shows how to use both.
In local, you can run these calls without a token. In auth-on or server,
the caller needs audit:read and audit:verify.
1. Choose a deal or other aggregate ID
If you have not captured a deal yet, follow Book a trade
first and keep the returned DEAL_ID.
2. Read the deal's lifecycle history
The deal endpoint gives the event stream in deal terms:
curl -sS "http://localhost:8080/api/v1/deals/${DEAL_ID}/history" | jq .
Use this when you want the lifecycle as the deal API sees it.
3. Read the raw aggregate events
The audit endpoint exposes the lower-level aggregate event history:
curl -sS "http://localhost:8080/api/v1/audit/events/${DEAL_ID}" | jq .
This is the better surface when you are validating append-only event integrity rather than just reviewing a deal workflow.
4. Verify the hash chain
Run the integrity check over the aggregate:
curl -sS -X POST \
"http://localhost:8080/api/v1/audit/verify-chain/${DEAL_ID}" | jq .
Expected success shape:
{
"aggregateId": "...",
"eventCount": 2,
"valid": true
}
If the chain is broken, the response also reports:
brokenAtVersionexpectedHashactualHash
5. Optional: verify directly in PostgreSQL
For a database-level check, query the append-only event store table:
SELECT aggregate_id, version, event_type, hash, prev_hash, recorded_at
FROM event_store.events
WHERE aggregate_id = '<deal-uuid>'
ORDER BY version;
That query should line up with what GET /api/v1/audit/events/{aggregateId}
returns.
6. Trace valuation lineage when needed
For valuation investigations, use the lineage endpoint:
curl -sS "http://localhost:8080/api/v1/audit/lineage/${VALUATION_ID}" | jq .
That returns the recorded lineage from valuation to upstream sources such as deals, curves, and fixings.