Chandra is an open protocol for append-only, hash-chained, attributed audit records. This page explains what Chandra is, how it works, and why it produces compliance-grade audit trails that competing approaches cannot.
Every act — every human decision, every automated action, every agent operation — produces an audit record at the moment it occurs. That record is immutable. It is linked to its predecessor by a cryptographic hash. It is attributed to the human or agent responsible. It cannot be edited, deleted, or backdated.
The audit record is not produced after the fact. It is the simultaneous product of the work itself. There is no gap between act and record because the record is the act. This is the Auditable by Construction principle.
The atomic unit of Chandra. Immutable once written. Contains a structured header (attribution, timestamp, chain link, event type) and a variable artifact (the payload). Every write to any governed subject produces exactly one CU atomically with the mutation. There is no write without a record.
An ordered, append-only sequence of CUs for a given subject. Each CU references its predecessor by id and by cryptographic hash. The chain is sealed: any tampering is immediately detectable because it breaks the hash link. A broken chain halts all new appends — the chain cannot grow from a compromised state.
Embedded in every CU header. Who acted — human, agent, or system. What model was used if AI-produced. What session. What source address. Attribution is required at the protocol level. Anonymous CUs are rejected. There is no opt-out.
A complete, self-contained, AI-readable representation of a CU and its full lineage chain. The unit of distribution. An agent or human can reconstruct the full context of any subject from its snapshot without access to the live repository.
A forward-scheduled CU with a trigger time and a target. Fires once at the declared trigger time. The federation primitive — two Chandra instances can notify each other via ticklers. Cancellation is a superseding append, not a deletion. Immutability is preserved.
Chandra organizes audit records into a hierarchy that maps naturally to organizational and regulatory structures.
This hierarchy is not configured manually. It derives automatically from three values that every database-backed application already has: the database name, the table name, and the record primary key. No schema redesign. No topology declarations. No audit middleware.
Git is human-speed code memory. It allows history rewrite. Organizational memory that can be rewritten is not organizational memory — it is a shared draft. Git was not built for operational audit trails and has no attribution model for agent actions.
Blockchain serializes everything through a single global chain. Chandra runs millions of independent chains in parallel, because unrelated governed records should never contend. Blockchain is trustless consensus for strangers. Chandra is governed memory for organizations with identified principals.
Database audit logs are controlled by the database administrator. They can be disabled, truncated, or altered by anyone with sufficient access. Chandra chains are append-only by protocol. No administrator access enables deletion or modification of existing records.