Skip to main content
Every MCP tool call that completes — whether allowed, denied, or escalated — writes exactly one AgentActivityEvent row to activity_log (via the agent-platform columns added by migration 0042) via a Postgres trigger (the F4 IRON RULE: no direct INSERT path exists outside the trigger). Operators cannot delete or update rows; the table is append-only by design. The Trust Console tails this table in real time; the audit:stream MCP scope surfaces a read-only window of these events — the agent-event projection — to authorized agent runtimes.

Canonical URL

https://glide.co/schemas/agent-banking/v1/agent-activity-event.json

Required fields

FieldTypeNotes
eventTypestring (1–64 chars)Free-text event-kind label retained for backward compat with the original /draft/ placeholder shape. New producers SHOULD also set eventKind. If both are present they MUST match.
timestampisoDateTimeUtcWhen the event occurred (UTC, Z suffix required). Server-stamped at the producer — the trigger never trusts a clock value supplied by an agent runtime.
agentIdstring (1–128 chars)agent_principal_id of the acting agent. UUIDv4 in production; the looser string type keeps backward compat with placeholder draft data and operator-emitted events.

Optional fields

FieldTypeNotes
schemaVersion'v1'Locks the event to the v1 schema. Absence is treated as v1 by consumers; a non-'v1' value MUST be refused at ingest.
eventKindagentActivityEventKindClosed enum (see below). Preferred over eventType for new producers. Unknown values drop the event at ingest — don’t emit values outside the enum.
eventIduuidV4Unique identifier for this event row. Consumers de-duplicate on this. Older streams used the DB row id; new producers SHOULD always set it.
principalIduuidV4 | nullHuman principal whose vault is being acted on. Null for system-emitted events (kill-switch, scheduled jobs).
vaultIduuidV4 | nullVault the action targets. Together with principalId forms the RFC 8707 audience binding. Null for system events not tied to a specific vault.
grantIduuidV4 | nullJTI of the grant that authorized this action. Null for events not tied to a grant (e.g. operator-initiated kill-switch).
toolCallIduuidV4 | nullID of the MCP tool call this event describes. Null for non-tool-call events (e.g. consent_granted).
summarystring (1–280 chars)Human-readable one-line summary for the Trust Console list row. Plain text, no markdown, no PII unless the principal already has access to it.
extraobjectOpen-ended bag for kind-specific fields (risk verdict reason text, anomaly score, etc.). Producers MUST keep this under 4 kB. Consumers MUST treat unknown keys as opaque. Allows event-shape evolution without bumping schemaVersion.

eventKind vocabulary

ValueWhen emitted
tool_callAny MCP tool completes (allowed or denied).
reasoning_stepAgent runtime emits a reasoning trace to the Trust Console (opt-in).
risk_verdictPolicy engine produces a verdict (allow / allow_with_step_up / deny).
anomaly_detected@glideco/anomaly heuristics fire on a tool call.
consent_promptStep-up auth prompt sent to the principal.
consent_grantedPrincipal completed the step-up.
consent_deniedPrincipal declined or the prompt timed out.
step_up_requiredPolicy engine flipped verdict to allow_with_step_up.
step_up_completedStep-up sigil consumed; execution proceeds.
policy_violationTool call exceeded a hard cap or counterparty allowlist gate.
grant_issuedOAuth AS issued a new grant.
grant_revokedA grant was revoked (operator or principal action).
kill_switch_triggeredForensic kill-switch fired for an agent or vault.

Lifecycle

AgentActivityEvent rows are written by a Postgres trigger on the activity_log table — not by application code. This is the F4 IRON RULE: no direct INSERT path exists, and there is no UPDATE or DELETE path for any consumer. When emitted: on every MCP tool call commit (including denied calls — the row captures the denial). Non-tool-call events (consent_granted, kill_switch_triggered, etc.) are emitted by the corresponding server-side handlers via the same trigger path. Who consumes:
  • Trust Console UI — tails the table via a tRPC subscription with per-principal row-level security.
  • audit:stream MCP scope — exposes a read-only window to authorized agent runtimes. Scoped to the calling grant’s vaultId; cross-vault reads are refused.
  • Ops dashboards — query activity_log directly (read-only DB role), filtering on agent_principal_id IS NOT NULL.
Retention: the activity_log table is append-only with no TTL at v1. Row-level security ensures each principal can only read their own events. Future versions may introduce archival tiers (see @glideco/compliance-export).

Example

import { z } from 'zod';

// AgentActivityEvent is the JSON Schema shape; in TypeScript use the
// @glideco/schemas package for runtime validation.
const AgentActivityEvent = z.object({
  schemaVersion: z.literal('v1').optional(),
  eventType: z.string().min(1).max(64),
  eventKind: z.enum([
    'tool_call', 'reasoning_step', 'risk_verdict', 'anomaly_detected',
    'consent_prompt', 'consent_granted', 'consent_denied',
    'step_up_required', 'step_up_completed', 'policy_violation',
    'grant_issued', 'grant_revoked', 'kill_switch_triggered',
  ]).optional(),
  eventId: z.string().uuid().optional(),
  timestamp: z.string().datetime(),
  agentId: z.string().min(1).max(128),
  principalId: z.string().uuid().nullable().optional(),
  vaultId: z.string().uuid().nullable().optional(),
  grantId: z.string().uuid().nullable().optional(),
  toolCallId: z.string().uuid().nullable().optional(),
  summary: z.string().min(1).max(280).optional(),
  extra: z.record(z.unknown()).default({}),
});

const event = AgentActivityEvent.parse({
  schemaVersion: 'v1',
  eventType: 'tool_call',
  eventKind: 'tool_call',
  eventId: '11111111-1111-4111-8111-111111111111',
  timestamp: '2026-05-04T12:00:00.000Z',
  agentId: '22222222-2222-4222-8222-222222222222',
  principalId: '33333333-3333-4333-8333-333333333333',
  vaultId: '44444444-4444-4444-8444-444444444444',
  grantId: '55555555-5555-4555-8555-555555555555',
  toolCallId: '66666666-6666-4666-8666-666666666666',
  summary: 'Initiated $250.00 USDC payment via payments.initiate',
  extra: { risk_verdict: 'allow', rail: 'usdc-base' },
});

Validation

The event is validated three ways:
  1. At write time by the Postgres trigger — the trigger schema-checks required fields before inserting. Events that fail the check are rejected; the calling transaction rolls back.
  2. At build time via scripts/validate-manifests.mjs: 
    pnpm --filter '@glideco/schemas' validate-events
  3. Against the published JSON Schema for consumer-side validation: 
    npx ajv-cli validate \
  -s https://glide.co/schemas/agent-banking/v1/agent-activity-event.json \
  -d ./my-event.json

Common pitfalls

  • Setting eventKind but not eventType. The schema marks eventType as required for backward compat. Both fields must be set and must match.
  • Omitting eventId on new producers. Consumers de-duplicate on eventId. Without it, retried deliveries create duplicate Trust Console rows.
  • Passing a non-UTC timestamp. The isoDateTimeUtc type requires the Z suffix. +00:00 offset strings fail schema validation and are rejected at ingest.
  • Emitting an eventKind value outside the closed enum. Unknown values are dropped at ingest without error. The enum is CODEOWNERS-protected — new values require a schema migration.
  • Storing PII in summary. The summary field renders in the Trust Console list row, which may be visible to support staff. Keep it to action + amount + rail — no email addresses, phone numbers, or wallet addresses.

Reading list