The Rōvn hash-chained audit log, made visible. Every action that touches a worker's record writes a Receipt. Every Receipt links to the prior Receipt via hash_prev. The chain signs into S3 Object Lock with a 7-year retention shelf. This is the spine procurement-safe credentialing rests on.
What each receipt carries
actor | which AI agent or human caused the event |
worker_id | pseudonymous worker key |
action | e.g. license.verify, npdb.query, oig.sweep, doc.extract, committee.approve |
source | upstream authority name + URL |
source_ts | timestamp returned by the source |
depth_label | ATTESTED · PROCESSED · VERIFIED · APPROVED |
artifact_hash | SHA-256 of the raw source response |
hash_prev | SHA-256 of the previous receipt, what makes the chain a chain |
signer | signing block id (signed every N receipts) |
Why a hash chain instead of "just an audit table"
A flat audit table can be silently rewritten. A hash chain cannot, flipping any field anywhere in history breaks every downstream hash_prev and fails verification on replay. This is the receipt model Joint Commission / CMS surveyor and CMS auditors find defensible because tampering is detectable, not just discouraged.
See the production schema and the receipt-bound trust gates: 06.7 Compliance Binder · 04.4 AI Doctrine · 07.7 Source Authority Rail.