What it is
Every node mutation in the graph carries a _prev_hash property: the SHA-256 of the previous version's serialized form. The new version's _hash is SHA-256(prev_hash + this_version_payload), so each version commits to its predecessor. The chain is verifiable end-to-end.
What this gets you
Tamper-evidence
Anyone with read access can verify the chain. CALL db.verifyAuditChain(siteId) walks every node's history and reports broken links. A successful walk is cryptographic proof that nothing was retroactively edited.
Compliance-grade exports
The export bundle includes the full chain. An auditor can verify offline without trusting our infrastructure.
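An offline check of the kind an auditor could run over one node's exported history, using the _hash = SHA-256(prev_hash + payload) construction from "What it is". This is an added example, not the product's own code: the bundle layout, the canonical JSON serialization, the empty-string genesis value, and the helper names (`link_hash`, `append_version`, `verify_chain`) are assumptions.

```python
import hashlib
import json

GENESIS_PREV = ""  # assumption: the first version chains from an empty string


def canonical(payload: dict) -> bytes:
    # Assumption: payloads are serialized as sorted-key, compact JSON.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash: str, payload: dict) -> str:
    # _hash = SHA-256(prev_hash + this_version_payload)
    return hashlib.sha256(prev_hash.encode() + canonical(payload)).hexdigest()


def append_version(chain: list, payload: dict) -> None:
    # Builds sample data; assumes _prev_hash is the previous version's _hash.
    prev = chain[-1]["_hash"] if chain else GENESIS_PREV
    chain.append({"_prev_hash": prev, "payload": payload,
                  "_hash": link_hash(prev, payload)})


def verify_chain(chain: list) -> list:
    """Return (index, reason) for every broken link; an empty list means intact."""
    broken = []
    expected_prev = GENESIS_PREV
    for i, version in enumerate(chain):
        if version["_prev_hash"] != expected_prev:
            broken.append((i, "prev_hash does not match previous version"))
        if link_hash(version["_prev_hash"], version["payload"]) != version["_hash"]:
            broken.append((i, "hash does not match payload"))
        expected_prev = version["_hash"]
    return broken


def demo():
    # Constructed sample history for one node (not real export data).
    chain = []
    for title in ("Draft", "Reviewed", "Published"):
        append_version(chain, {"title": title, "actor": "user-y"})
    intact = verify_chain(chain)
    # A stored payload that no longer matches its recorded hash is reported.
    chain[1]["payload"]["title"] = "Rewritten"
    return intact, verify_chain(chain)


if __name__ == "__main__":
    print(demo())
```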
Forensic queries
"Show me every change made to type X between time T1 and T2, by user Y" → db.changes(t1, t2, label) filtered by actor.
Late corrections without rewriting history
A retroactive edit is a separate operation that preserves the original. db.correctValidFrom(nodeId, newValidFrom) creates a new version that supersedes; the original stays in the chain. Auditors see both.
Combined with WORM mode
WORM (write-once-read-many) mode marks specific content types as immutable once published. Combined with the audit chain: published content cannot be edited (WORM) AND cannot be tampered with (chain). Two independent mechanisms; defense in depth.
What it doesn't do
- It's not a blockchain. There's no distributed consensus; the chain is a Merkle-link, not a ledger.
- It's not a substitute for backups. Use the per-graph S3 backups + DLM EBS snapshots.
- It's not the whole compliance story — you also need the access log, WORM, and exportable bundles. We ship all four.