Product · Proof Ledger

Every verdict is written down. On purpose.

The proof ledger is an append-only, hash-chained record of every evaluation this workspace has ever produced — tenant-scoped, tamper-evident, and replayable end-to-end.

What gets recorded

  • Canonical input hash — the exact normalized proposal + policy + evidence packet the pipeline evaluated.
  • Ordered gate sequence — every gate that ran, in order, with status, reason code, and timing.
  • Judgment transcript — for evaluations that invoked judgment review, the full analyst / challenger / classifier exchange plus model identity and fallback state.
  • Final verdict — proceed / defer / block, harm band, reason family, and the surface the caller acted on.

Append-only, hash-chained

Every ledger entry references the hash of the entry before it. Tampering with any historical record breaks the chain and is detectable by any subsequent read. Deletion is not a supported operation — corrections are appended, not overwritten.

Tenant isolation is not a feature flag

Every read is gated by row-level security scoped to the calling tenant. Cross-tenant access is not a permission — it is a schema impossibility. Enterprise deployments can pin the ledger to a dedicated database silo.

Built for the auditor in the room

Compliance teams, internal auditors, regulators, insurers, and your own engineering team all need the same thing when an AI action goes sideways: exactly what was proposed, exactly what was decided, and exactly why. The ledger is the answer to all three at once.