Purpose

The Helper API is the application-facing surface for participating in the SADAR audit fabric. Application code — agents, tools, and orchestrator-adjacent components — calls Helper API methods at appropriate points during invocation processing; the Helper API translates those calls into validated, phase-aware writes to thein-flight Telemetry Record.

This document covers the six methods exposed to application code, the boundary between SAI-internal and application-facing fields, how phase-immutability is enforced through the API and the structural guarantees that result. The exact method signatures,request/response envelopes, and authorization requirements live in the 7. searchAndInvoke companion document, Helper API surface section. This page is the orientation and the architectural framing.

Audience: implementers writing application code that participates in SADAR-conformant invocation flows; architects scoping integration patterns for SADAR adoption; and audit-tooling teams reasoning about what guarantees the resulting Telemetry Records carry.

What the Helper API Is

The Helper API is a structured interface between application code and the SADAR audit infrastructure. It is provided by searchAndInvoke (SAI), the invocation orchestrator that drives the four-phase Telemetry Record lifecycle. Each invocation receives a Helper API handle (or context); calls on that handle target the corresponding in-flight Telemetry Record.

The API exists as an intermediation layer rather than a direct field-write surface for several reasons:

• Schema enforcement. Writes are validated against the Telemetry Record schema; malformed writes are rejected at the API boundary, not at audit-time during a forensic investigation.

• Phase enforcement. Writes against sealed sections are rejected. Phase ordering is enforced. The application cannot accidentally (or intentionally) violate phase-immutability.

• Authorization. Only entitled application code may call specific methods. Authorization is checked centrally at the API boundary.

• Schema evolution. The application-facing API can remain stable while the underlying record schema evolves; SAI mediates between them.

• Cryptographic centralization. Signing, parity computation, attribution, and integrity operations stay in SAI. Application code does not implement these and cannot subvert them.

The result is a clean separation: application code writes its domain content through a small set of well-defined methods; SAI handles everything else. The boundary is the subject of the next section.

The Six Application-Facing Methods

The Helper API exposes exactlysix methods to application code: five writes (one per phase or any-phase) and one read. The method set is deliberately small. Anything more would risk exposing structural fields that SAI must own; anything less would not give application code enough to contribute its domain knowledge to the audit trail.

Method	Side / Phase	What it does
`set_criteria_extension`	Write — Search phase (before the resolver executes)	Augments the bilateral matching criteria with application-specific extensions before SAI queries the registry. Used when the application has matching needs that go beyond the standard NFR set.
`set_input_summary`	Write — Invocation phase	Records a compact summary of the input being sent to the invoked target. The actual input may be large or contain confidential payloads; this method captures a structured summary suitable for audit without reproducing the full content.
`set_output_summary`	Write — Outcome phase	Records a compact summary of the response received from the invoked target. Symmetric to `set_input_summary`; same rationale for compactness and confidentiality handling.
`add_audit_metadata`	Write — any active phase	Attaches domain-specific metadata to the audit trail: tags, correlation identifiers, business context, anything the application has and SAI does not. Multiple calls accumulate; each call attaches to the section sealed by the current phase.
`add_risk_adjustment`	Write — any active phase	Contributes a domain-specific risk signal to the Risk Score state. SAI's canonical Risk Score computation has standard inputs; this method lets the application inject events the canonical inputs do not capture (a declined confirmation, a detected anomaly, an elevated-trust step) into the running score.
`get_invocation_context`	Read — any phase	Returns the current invocation context: business process identifier, transaction instance ID, current phase, current Risk Score, the inbound SCT chain link reference, and other read-only state that application logic may need to reason about. Read-only; no side effects on the record.

All writes go through schema validation and phase-validity checking before taking effect on the in-flight record. Calls against sealed phases or with non-conforming payloads fail with a structured error in the urn:sadar:error:v1 namespace. Successful calls produce no return value beyond an acknowledgment; the modification is reflected in the in-flight record and will be visible to subsequent get_invocation_context calls and in the finalized record.

The SAI-Internal vs Application-Facing Field Boundary

Telemetry Record fields fall into two categories. The boundary between them is the most important architectural property of the Helper API design — it is what allows the resulting records to carry strong audit guarantees.

Application-facing fields

These are the fields the Helper API exposes for write access. They capture what the application knows that SAI does not: domain-specific extensions to matching criteria, summaries of opaque payloads, business-context tags, and risk signals from application-level monitoring.

Field area	Helper API access
Criteria extensions	`set_criteria_extension` — domain-specific bilateral matching extensions
Input summaries	`set_input_summary` — compact representation of inbound payload content
Output summaries	`set_output_summary` — compact representation of outbound payload content
Audit metadata	`add_audit_metadata` — application-domain tags, correlation IDs, business context
Risk adjustments	`add_risk_adjustment` — application-detected risk signals contributing to the Risk Score

SAI-internal fields

These are the fields SAI populates from its own knowledge — the structural, attributional, cryptographic, and lifecycle content that makes the record a coherent and trustworthy audit artifact. The Helper API does not expose write access to these. Application code cannot modify them.

Field area	Content
Identifiers and correlation	Trace IDs, span IDs, parent-span linkage, business process identifier, transaction instance ID, SCT chain root `jti`.
Provenance attribution	`telemetry.origin.environment` on spans; issuer attribution on Telemetry Records and SCT chain links.
Cryptographic operations	Signatures over records, parity values across layers, MAC computation, signing-key references.
Phase lifecycle	Phase ordering, section sealing at phase boundaries, finalization at end of Outcome phase.
Structural section content	Resolver results in the search section, selection logic in the selection section, the invoked operation and SCT chain link in the invocation section, status fields in the outcome section.
Risk Score computation	The canonical Risk Score algorithm and its standard inputs. (The application contributes `risk_adjustments` as inputs; the score itself is SAI's computation.)

The boundary is not a contingent design choice; it is the source of the record's audit value. Fields the application could subvert would be useless as audit evidence — an auditor could not rely on values an arbitrary application might have written. By keeping the structural fields SAI-internal and the domain fields application-facing, the Helper API produces records whose structural content is trustworthy and whose domain content is rich.

Phase-Immutability Enforcement

Phase-immutability is a property of the Telemetry Record (covered in Telemetry Record, sibling page) —once a phase ends, its sealed sections become permanently immutable. The Helper API is the mechanism that enforces this property mechanically, in the active path.

Enforcement works at the API boundary. Each write method has a defined set of phases in which it is valid. A call outside those phases is rejected with a structured error before any modification reaches the in-flight record.

• set_criteria_extension is valid during the Search phase only, and only before the resolver executes. After the resolver runs, or once Search seals, the call fails.

• set_input_summary is valid during the Invocation phase. Calls during Search, Selection, or Outcome fail.

• set_output_summary is valid during the Outcome phase. Calls during earlier phases fail.

• add_audit_metadata and add_risk_adjustment are valid during any active phase, with each call attaching to whichever phase is currently active. Calls after finalize fail.

• get_invocation_context is read-only and valid at any time during the in-flight lifecycle.

The application does not need to track phase transitions explicitly to use the API correctly: the lifecycle is driven by SAI, and the API simply rejects calls that arrive at the wrong time. Out-of-phase errors surface immediately in development; production code that is structured correctly never sees them.

The deeper property: phase-immutability does not depend on application-developer discipline. A SADAR-conformant implementation enforces the invariant whether the application author intended to respect it or not. This is the difference between a guideline (which any team can violate by accident or design) and a structural property (which the implementation produces by construction).

Structural Guarantees

The result of the field boundary plus phase-immutability enforcement is a set of structural guarantees that the Helper API produces about every Telemetry Record it builds. These are the properties that make the resulting records usable as audit evidence — not because the auditor trusts the application, but because the auditor can rely on what the implementation enforces.

Guarantee	What it means	Why it makes the record audit-grade
Schema conformance	All writes are validated against the canonical Telemetry Record schema; non-conforming attempts are rejected.	Auditors and downstream consumers can rely on records having the expected shape, every time.
Phase ordering	Phase transitions happen in the canonical Search → Selection → Invocation → Outcome order; out-of-order transitions are rejected.	Records have predictable lifecycle progression; reconstruction does not have to handle malformed phase sequences.
Section sealing	Once a phase ends, the sections it sealed cannot be rewritten through the Helper API.	Audit history is not retroactively editable; sealed-at-Search content is the content observed at Search.
Cryptographic parity	SAI maintains the parity-bearing values consistently across span attributes, SCT chain link claims, and Telemetry Record fields.	Cross-artifact reconstruction is verifiable; inconsistencies become structural errors rather than unresolvable ambiguities.
Signature integrity	The complete record is signed at finalize; the signature covers all section content.	Post-finalize tampering is cryptographically detectable; trustworthiness travels with the record.
Provenance integrity	Application code cannot write provenance attribution fields; SAI populates them from its own knowledge of the operating environment.	The record's emitter is reliably identified; applications cannot spoof identity.
Correlation integrity	Application code cannot write trace IDs, span IDs, or business process identifiers; these are SAI-managed.	Records cannot be forged into other flows; trace and chain identifiers reliably identify the flow a record belongs to.

In a typical audit context, trustworthiness depends on every participating application following audit discipline correctly. If any application skips audit, fabricates entries, or rewrites history, the audit story breaks. The Helper API inverts this: trustworthiness is a property of the implementation. Applications that use the Helper API correctly produce trustworthy records by construction; applications that try to subvert the audit story cannot, because the Helper API does not expose the means to do so. This inversion is what allows the resulting records to carry weight in cross-organizational audit scenarios where auditors do not know— and cannot reasonably verify — the discipline of every application that participated in a flow.

Boundaries — What's Not Here

This page covers the Helper API as an architectural surface. Several adjacent topics are intentionally out of scope here and live in dedicated documents:

Topic	Where it lives
Helper API wire format	The exact method signatures, request/response envelopes, error conditions, idempotency semantics, and authorization requirements. See 7. searchAndInvoke (Helper API surface section).
Telemetry Record schema	The full field-level structure of the artifact the Helper API writes to. See Telemetry Record (sibling page) and 6. Telemetry Record and Repatriation.
Authentication scopes for Helper API operations	The specific scopes within `urn:sadar:scope:v1` that authorize each Helper API method. See Authentication Scopes.
Risk Score canonical computation	How SAI computes the Risk Score from canonical inputs and `risk_adjustments`. See 8. Risk Score Specification.
searchAndInvoke as orchestrator	The orchestrator that provides the Helper API and drives the four-phase invocation lifecycle. See 7. searchAndInvoke.

Where to Learn More

• Telemetry Record — the per-invocation audit artifact the Helper API writes to; covers six sections, four phases, phase-immutability as a structural property.

• Observability Overview — the cross-cutting summary of SADAR observability; how the Telemetry Record (and therefore the Helper API) composes with OTel baggage, Repatriation, and Risk Score.

• Repatriation — the mechanism by which Telemetry Records produced through the Helper API cross trust boundaries to authorized recipients.

• Provenance Attribution — the span-level attribution mechanism whose values are SAI-internal and not Helper-API-writable.

• Authentication Scopes — the urn:sadar:scope:v1 namespace that authorizes Helper API method calls.

• 2. Scope §5.1.14 — Observability umbrella; the normative source for Telemetry Record requirements at the spec level.

• 4. SCT Operations — full SCT cryptographic semantics; SCT chain link references in the invocation section are managed by SAI per these operations.

• 6. Telemetry Record and Repatriation — the full normative content for the Telemetry Record schema, including which fields are SAI-internal versus Helper-API-writable.

• 7. searchAndInvoke — the orchestrator that provides the Helper API; full method signatures, request/response envelopes, error conditions, and invocation lifecycle.

• 8. Risk Score Specification — how SAI's canonical Risk Score computation incorporates risk_adjustments contributed via add_risk_adjustment.

‍