Owner: Robert Taylor (Eng) · Department: Engineering · Status: Live · Version: 1.0
Effective Date: 2026-06-13 · Last Reviewed: 2026-06-13 · Next Review Date: 2026-09-13
Source of Truth: code (FastAPI backend) · Maturity: 4 (Operational)
ComplianceAuditLog is the canonical, append-only compliance event table.
```mermaid
flowchart LR
    SVCS[verify/COA/license/pos/audit-pack/product-scan] --> CAL[(compliance_audit_log<br/>append-only trigger)]
    CAL --> EXP[Audit pack export<br/>signed + checksummed]
```
- Append-only enforced by a DB `BEFORE UPDATE OR DELETE` trigger.
- Per-row: entity_type/id, actor, timestamp, evidence_snapshot, rule_version_id, supersedes_id.
- Corrections = append a new row with `supersedes_id`.
- Tenant-scoped by vendor_id.
- No per-row hash / no hash chain — a regulator cannot recompute a tamper-evident chain (§11.11-12,19).
- Seal issuance/scan/revocation do NOT write here (§11.24).
- Not all decisions populate rule_version_id (§9.5).
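
A minimal sketch of the append-only trigger and `supersedes_id` correction pattern listed above, added here as an illustration and not taken from the FastAPI backend. It uses in-memory SQLite as a stand-in for the production database, which the page does not name; the column types, the trigger names and the helpers `open_log`, `append_event`, `current_rows` and `try_mutation` are assumptions.

```python
import sqlite3

# Column names follow the page; types and trigger names are assumptions.
SCHEMA = """
CREATE TABLE compliance_audit_log (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    vendor_id TEXT NOT NULL,
    entity_type TEXT NOT NULL, entity_id TEXT NOT NULL,
    actor TEXT NOT NULL, timestamp TEXT DEFAULT CURRENT_TIMESTAMP,
    evidence_snapshot TEXT NOT NULL, rule_version_id TEXT,
    supersedes_id INTEGER REFERENCES compliance_audit_log(id));
CREATE TRIGGER cal_no_update BEFORE UPDATE ON compliance_audit_log
BEGIN SELECT RAISE(ABORT, 'compliance_audit_log is append-only'); END;
CREATE TRIGGER cal_no_delete BEFORE DELETE ON compliance_audit_log
BEGIN SELECT RAISE(ABORT, 'compliance_audit_log is append-only'); END;
"""

def open_log():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def append_event(db, vendor_id, entity_type, entity_id, actor, evidence,
                 rule_version_id=None, supersedes_id=None):
    cur = db.execute(
        "INSERT INTO compliance_audit_log (vendor_id, entity_type, entity_id,"
        " actor, evidence_snapshot, rule_version_id, supersedes_id)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        (vendor_id, entity_type, entity_id, actor, evidence,
         rule_version_id, supersedes_id))
    db.commit()
    return cur.lastrowid

def current_rows(db, vendor_id):
    """Rows for one tenant that no later row supersedes."""
    return db.execute(
        "SELECT id, evidence_snapshot FROM compliance_audit_log c"
        " WHERE c.vendor_id = ? AND NOT EXISTS ("
        "   SELECT 1 FROM compliance_audit_log s"
        "   WHERE s.supersedes_id = c.id AND s.vendor_id = c.vendor_id)"
        " ORDER BY c.id", (vendor_id,)).fetchall()

def try_mutation(db, sql):
    """Return the trigger's error text if the statement is rejected."""
    try:
        db.execute(sql)
        return None
    except sqlite3.DatabaseError as exc:
        db.rollback()
        return str(exc)
```

Passing an `UPDATE` or `DELETE` to `try_mutation` returns the trigger's message and leaves the row count unchanged, while a correction appended with `supersedes_id` replaces the earlier row in `current_rows` for that `vendor_id` only.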
Distilled from docs/audits/backend-truth-audit-2026-06-13.md and portal-maturity-audit-2026-06-13.md.