Hash-Chained Audit Pipeline (C-362)

IP claim: C-362 · Tier A candidate · Author trail: ARIA_ORACLE_AND_MICROSITE_v1.md §4 Comment 3

Thesis

Every decision your platform makes — every claim asserted, every lead routed, every email drafted, every Aria response — is appended to a Merkle-style hash-chain. The chain provides cryptographic continuity: you can later prove "the platform said X on date Y" with the same rigor a blockchain provides, without the substrate cost of a blockchain.

Salesforce field-history is mutable; admin override can re-write it. Our chain is not.

How It Works

  1. Every constitutional event (Aria response, lead routing, brand-voice rejection, claim-state-change) emits to glass_events with a payload.
  2. Nightly job (scripts/audit/append_chain.pyqueued) computes SHA256(prev_hash || payload_canon_json) and appends to audit_chain table.
  3. Verifier (scripts/audit/verify_chain.pylive) recomputes the chain from genesis; mismatched rows surface immediately.
  4. Customer can ask Aria "prove your chain" — Aria invokes the verifier (read-only, operator-permission) and returns exit_code + row_count + last_verified_at.

Live Verifier

EMBED PLACEHOLDER
Server-side embed: scripts/microsite/embed_chain_verifier.py (Phase D.3 — NOT YET WRITTEN).
When rendered, this card displays: last_verified_at · chain_length · genesis_hash · tip_hash.
Customer can re-run the verifier with operator-permission via the Aria widget.

Head-to-Head

CapabilityOrchestrAi (C-362)Salesforce field-history
Cryptographic continuityYes (SHA256 chain)No
Admin-override-proofYes (append-only)No (admin can purge)
Customer-runnable verifierYes (read-only)No
Multi-class scopeClaims + VPs + lessons + Aria responses + GTM eventsField changes only
SOX-defensibilityYes (C-366 pipeline)Partial
Honest-tense (Law #19): Verifier (scripts/audit/verify_chain.py) referenced is LIVE. The append job + embed are PROPOSED (D.3 deliverables). The chain has a genesis row but daily cadence not yet wired.
Ask Aria → Phase D.2