A rejection is data. Until last week we were throwing it away.

If an attacker submitted a forged signature against the public verify endpoint, we returned 404 signature_not_found and that was the entire footprint. Same for a cross-org access attempt on the replay endpoint, an agent that got suspended mid-run trying to sign once more, or a probe walking through random sig_* ids.

An older trust-data-infrastructure project we read during a cold audit is explicit about this: log every invocation including the invalid ones, "para auditoria futura" ("for future audit"). It is the right call. We borrowed it.

What landed

One new table, rejected_attempts. Indexed on (organization_id, created_at) and (agent_id, created_at) for fast org-scoped time-window scans.

One helper, log_rejected_attempt(db, request, endpoint, failure_reason, ...). Captures IP, User-Agent, X-Request-ID. Truncates user-supplied bytes. Commits its own row. Swallows persistence failures so logging cannot become a 5xx.…
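
A sketch of the table and helper described above, added here as an example and not the project's own code. It assumes SQLite through Python's sqlite3 and a dict-shaped request; the column names, the 256-character truncation limit, the True/False return value and the "/verify" path are hypothetical.

```python
import sqlite3
from datetime import datetime, timezone

MAX_FIELD = 256  # assumed cap on any stored user-supplied text

SCHEMA = """
CREATE TABLE IF NOT EXISTS rejected_attempts (
    id INTEGER PRIMARY KEY,
    organization_id TEXT, agent_id TEXT,
    endpoint TEXT NOT NULL, failure_reason TEXT NOT NULL,
    ip TEXT, user_agent TEXT, request_id TEXT, submitted_id TEXT,
    created_at TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS ix_rej_org_time ON rejected_attempts (organization_id, created_at);
CREATE INDEX IF NOT EXISTS ix_rej_agent_time ON rejected_attempts (agent_id, created_at);
"""

def clip_text(value):
    """Truncate caller-controlled text so one request cannot bloat a row."""
    return None if value is None else str(value)[:MAX_FIELD]

def log_rejected_attempt(db, request, endpoint, failure_reason,
                         organization_id=None, agent_id=None, submitted_id=None):
    """Record one rejection in its own commit; never raise to the caller."""
    try:
        headers = request.get("headers", {})
        db.execute(
            "INSERT INTO rejected_attempts (organization_id, agent_id, endpoint,"
            " failure_reason, ip, user_agent, request_id, submitted_id, created_at)"
            " VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
            (organization_id, agent_id, endpoint, failure_reason,
             clip_text(request.get("ip")), clip_text(headers.get("User-Agent")),
             clip_text(headers.get("X-Request-ID")), clip_text(submitted_id),
             datetime.now(timezone.utc).isoformat()),
        )
        db.commit()
        return True
    except Exception:
        # Swallow persistence failures: the endpoint still returns its 404.
        try:
            db.rollback()
        except Exception:
            pass
        return False

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample request: documentation-range IP, oversized User-Agent.
    req = {"ip": "203.0.113.7", "headers": {"User-Agent": "x" * 4000, "X-Request-ID": "req-demo"}}
    log_rejected_attempt(db, req, "/verify", "signature_not_found", submitted_id="sig_demo")
    print(db.execute("SELECT failure_reason, length(user_agent) FROM rejected_attempts").fetchall())
```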