Audit-ready by construction, not by clean-up

Ask most infrastructure software what happened to a work order last March and it will run a query against the current state of a row and infer the past. If that row was edited, the inference is wrong, and there is no way to tell. For a private company that is an inconvenience. For a government agency facing a public-records request, a dispute, or a federal audit, it is a liability.

Ithil is built the other way around. The record of what happened is the source of truth, and the current state is derived from it, not the reverse.

The event store is the system of record

Work orders and inspections are event-sourced. Every state change, created, assigned, transitioned, completed, approved, is appended to an immutable event store as a new fact. The row you see in a list is a projection rebuilt from those events. The history is not a log written alongside the data; it is the data.

That single decision changes what the platform can promise. You can reconstruct the exact state of any inspection at any point in time. You can answer “who changed this, when, and from what” without trusting that someone remembered to log it.

Tamper-evidence beyond access control

Access control keeps the wrong people out. It does nothing to prove the right people didn’t quietly change a record after the fact. So every aggregate’s events are linked in a SHA-256 hash chain: each event carries the hash of the one before it. Altering a historical event breaks every hash downstream of it, and the break is detectable by construction.

A background worker replays every chain across every tenant on a daily schedule and pages a human on any mismatch. Tampering is caught because the math stops adding up, not because an auditor happened to spot-check the right row.

Evidence the other side can verify without trusting us

The hard part of an audit trail is not generating it. It is convincing a skeptical third party, opposing counsel, a public-records officer, a 3PAO, that it is genuine. If verification requires trusting the vendor that produced it, it isn’t evidence.

Ithil exports audit evidence as cryptographically signed packets. A recipient verifies a packet offline, using an open-source command-line tool and their own copy of the trust anchor. They confirm the chain is intact and the signature is valid without trusting Ithil and without Ithil holding the key. The audit trail becomes verifiable by the party that actually needs to rely on it.

Why this matters for the daily workflow

None of this asks the field crew to do anything differently. An inspector records a finding; a supervisor approves a work order. The tamper-evident history accrues as a side effect of normal work. The difference shows up later, when a record is challenged and the answer is a verifiable fact instead of a best guess.

Compliance auditability isn’t a module you turn on. It’s a property of how the system stores what happened. Build it in at the substrate and every workflow above it inherits it.