Are you storing AI agent action logs in the same DB as your application? Because that's not an audit log.

Reddit r/AI_Agents News

Summary

Discusses the importance of proper audit logging for AI agents, emphasizing the need for append-only, hash-chained logs that prevent tampering, rather than storing logs in the same writable application database.

Been building agent infrastructure for a while now and I keep seeing the same pattern: teams point to their MongoDB collection or Postgres table and call it their "audit log."

The problem is that if your agent has write access to your application database — which most do, because that's where they do useful work — it has write access to its own event history. A misbehaving agent, a compromised session, or even just a botched migration can quietly alter or remove entries with no visible trace that anything changed.

A real audit log needs one specific property: you cannot modify or delete an entry without the tampering being mathematically detectable. SHA-256 hash-chaining does this — each entry includes the hash of the previous one, so breaking the chain anywhere is immediately visible on validation.

This matters for forensics. When the GitGuardian 2025 report found that 64% of API keys leaked in 2022 were still valid in early 2026, that's partially a detection problem. You need to be able to reconstruct exactly what an agent did, in sequence, with confidence that the record wasn't altered after the fact.

Separate write path. Append-only storage. Hash-chained entries. Exportable. That's the baseline.

Curious whether anyone here has actually implemented this properly in production — and if so, what stack you used for the log storage layer specifically.
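The hash-chaining described in the post, as an added example that is not part of the original post: a minimal SHA-256 chain with a validator that reports where an edited, removed or truncated entry breaks it. The function names, the entry layout and the in-memory list standing in for the log store are assumptions, and the sample events are constructed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first entry


def entry_hash(seq, prev, event):
    """SHA-256 over a canonical JSON encoding of one entry's fields."""
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append(log, event):
    """Append an event linked to the previous entry; return the new head hash."""
    seq, prev = len(log), (log[-1]["hash"] if log else GENESIS)
    log.append({"seq": seq, "prev": prev, "event": event,
                "hash": entry_hash(seq, prev, event)})
    return log[-1]["hash"]


def verify(log, trusted_head=None):
    """Return (ok, index of the first entry that fails, or None)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if (e["seq"] != i or e["prev"] != prev
                or e["hash"] != entry_hash(e["seq"], e["prev"], e["event"])):
            return False, i
        prev = e["hash"]
    # An internally consistent chain can still have been truncated or rebuilt
    # end to end; only a head hash stored elsewhere detects that.
    if trusted_head is not None and prev != trusted_head:
        return False, len(log)
    return True, None


def demo():
    log, head = [], GENESIS
    for action in ("read orders/17", "update orders/17", "delete orders/18"):
        head = append(log, {"agent": "a1", "action": action})  # constructed events
    edited = copy.deepcopy(log)
    edited[1]["event"]["action"] = "read orders/17"  # rewrite history in place
    removed = log[:1] + log[2:]                       # drop the middle entry
    truncated = log[:2]                               # drop the tail
    return {"clean": verify(log, head), "edited": verify(edited, head),
            "removed": verify(removed, head),
            "truncated_no_head": verify(truncated),
            "truncated_with_head": verify(truncated, head)}
```

The chain on its own does not catch a dropped tail or a log rebuilt from the first entry, which is why `verify` accepts a head hash. That head hash has to be kept somewhere the agent's credentials cannot write.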