Append-Only Audit Log
An append-only audit log is a record of events that can only be added to, never edited or deleted — enforced at the database or storage layer — so the history of what happened is provable rather than just claimed.
A conventional audit log is a table like any other: rows can, in principle, be updated or deleted by anyone with sufficient database access, including an insider or an attacker who has compromised admin credentials. That means the log's trustworthiness ultimately rests on nobody misusing that access — a claim that's hard to verify after the fact and easy to violate quietly.
An append-only log removes the "update" and "delete" operations from the equation entirely, usually by enforcing INSERT-only access at the database-role level rather than trusting application code to behave. Once a record is written, no credential the application holds can alter or remove it — only a genuinely separate, more privileged operation (if one exists at all) could, and that operation itself would be logged.
Hash-chaining strengthens the guarantee further: each new entry includes a hash of the previous entry, so the entries form a chain where altering any historical record — even via a privileged bypass — would break the chain and be detectable. Together, append-only enforcement and hash-chaining turn "we have an audit log" into a claim you can actually verify rather than one you have to take on trust.
Append-Only Audit Log, in the product
Aanty's kernel is event-sourced, and its audit trail is DB-role-enforced INSERT-only and hash-chained — history is provable, not editable, even by someone with elevated database access. Dangerous actions additionally route through tiered confirmation (MFA recheck, dual approval for the most consequential) before they're even recorded.
Related terms and pages
See Append-Only Audit Log in a real workspace
Bring a channel from wherever your team works today. In fifteen minutes we'll show what append-only audit log looks like on a real conversation, not a slide.