Audit trail for plugin/function calls #13813
Description
Semantic Kernel has solid agent orchestration but no built-in way to produce tamper-evident records of what each agent called and what the result was.
For finance and healthcare deployments this is table stakes. An auditor needs to prove that agent X called function Y with argument Z at timestamp T - not just logs that could be altered.
One approach: a middleware hook in the kernel pipeline that fires pre/post function invocation. Signature over (agent_id, function_name, inputs, outputs, timestamp). If the log is tampered or entries removed, the hash chain breaks.
I've been running something like this in production with asqav-mcp (MCP server, so it works with any MCP-compatible kernel setup). The gap is the kernel side doesn't expose a clean hook that downstream tooling can attach to without monkey-patching.
Is this on the roadmap? A KernelPlugin lifecycle callback would make this tractable without any core changes.