An append-only event store you can prove wasn't tampered with — in one file.
Audit logs, transaction ledgers, and compliance trails need three things at once: keep the whole history, prove it was never altered, and still query it cheaply. AT-1 Ledger does all three in a single compressed, byte-exact file — by chaining a hash across every append.
Append-only
Add a batch of events and the file grows by one chained frame — every earlier frame stays byte-for-byte identical. No rewrite, no re-compression of history.
Queryable & aggregatable in place
Filter, project, and SUM/MIN/MAX/COUNT across every append without decompressing — predicate pushdown reads the blocks a query touches; totals come straight from the footer.
Tamper-evident
Each append is hashed into the previous one. Change, insert, delete, or reorder any past event and `verify` fails at exactly that frame. Append-only, provably.
Portable & byte-exact
It's one ordinary file you own — not a managed service. It still reconstructs every original byte, and (where enabled) a subject can be erased for GDPR.
It grows in place — history never moves
The file is created on the first append and grown in place after that. Each batch becomes a new frame; every earlier frame is copied byte-for-byte, so the past is literally untouched.
```
# the file is CREATED on the first append, then grows in place
at1 ledger append audit.at1 monday.csv    # genesis — first batch of events
at1 ledger append audit.at1 tuesday.csv   # +1 chained frame; monday's bytes never change
```
The proof: one command says intact, or pinpoints the tampering
Each append's frame is hashed into the one before it (`link_i = sha256(link_(i-1) + sha256(frame_i))`). Altering, inserting, deleting, or reordering any past event breaks the chain at exactly that point — and `verify` names the frame.
```
at1 ledger verify audit.at1
# OK APPEND-ONLY INTACT — 5 events across 2 appends, chain head f17a09a2

# now someone quietly edits one old event and re-saves the file:
at1 ledger verify audit.at1
# !! BROKEN at frame 0 (inserted / deleted / reordered / altered)
```
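The chaining rule above, worked through as an added Python example (not AT-1 Ledger's code or file format). It assumes "+" means byte concatenation, an all-zero genesis link, and links stored beside the frames; `trusted_head` is a hypothetical chain head recorded outside the file, which is what catches a file whose links were all recomputed after an edit.

```python
import hashlib

GENESIS = b"\x00" * 32  # assumed start value; the page does not give one


def next_link(prev: bytes, frame: bytes) -> bytes:
    # link_i = sha256(link_(i-1) + sha256(frame_i)), reading "+" as concatenation
    return hashlib.sha256(prev + hashlib.sha256(frame).digest()).digest()


def build_chain(frames):
    """Links as they would be stored alongside the frames, in append order."""
    links, prev = [], GENESIS
    for frame in frames:
        prev = next_link(prev, frame)
        links.append(prev)
    return links


def verify(frames, links, trusted_head=None):
    """Return (ok, frame_index). frame_index is the first frame whose
    recomputed link disagrees with the stored one, or None."""
    prev = GENESIS
    for i in range(max(len(frames), len(links))):
        if i >= len(frames) or i >= len(links):
            return False, i          # a frame or a link is missing here
        prev = next_link(prev, frames[i])
        if prev != links[i]:
            return False, i          # altered, inserted, deleted or reordered
    # A chain can be internally consistent and still not be the one that was
    # written: compare against a head recorded outside the file.
    if trusted_head is not None and prev != trusted_head:
        return False, None
    return True, None


# Constructed sample batches, standing in for appended frames.
FRAMES = [b"mon: alice,1200", b"tue: bob,4000", b"wed: carol,90"]
LINKS = build_chain(FRAMES)
HEAD = LINKS[-1]                     # e.g. noted in a separate system

if __name__ == "__main__":
    edited = [FRAMES[0], b"tue: bob,40", FRAMES[2]]
    print(verify(FRAMES, LINKS, HEAD))                # (True, None)
    print(verify(edited, LINKS, HEAD))                # (False, 1)
    print(verify(edited, build_chain(edited)))        # (True, None): consistent, but not the recorded chain
    print(verify(edited, build_chain(edited), HEAD))  # (False, None)
```
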
Still a database, not a black box
Query and total across the whole history without decompressing it.
```
# search and total across every append, without decompressing
at1 ledger query audit.at1 --where amount:1000:5000 --select user,amount
at1 ledger agg audit.at1 amount --op sum
```
Forget a person — without breaking the proof
A tamper-evident log and a GDPR “right to be forgotten” usually fight: deleting a record changes the bytes, which breaks the very hash chain that proves nothing was altered. AT-1 Ledger resolves it with crypto-erasure. A subject's PII is encrypted under their own key; erasing them destroys the key, leaving the ciphertext bytes exactly where they were. The person is gone (unrecoverable), the analytic rows stay queryable — and because not a single byte moved, the chain still verifies. `verify` tells authorized erasure apart from tampering.
```
# encrypt a subject's PII per-person at append time
at1 ledger append audit.at1 events.csv --subject user --pii user

# later: forget one person — destroy their key
at1 ledger erase audit.at1 --subject alice@example.com
at1 ledger verify audit.at1
# OK APPEND-ONLY INTACT — chain unaffected; 1 subject AUTHORIZED-ERASED
# (key destroyed — the ledger bytes did not move)
```
It may be the only tamper-evident ledger that can also forget a person on demand — the proof and the erasure don't fight, because the bytes never move.
Why a file, not a service
| Approach | Compressed | Queryable | Tamper-evident | Portable file |
|---|---|---|---|---|
| Append-only DB log: queryable, but a live service — not a small, portable, sealed artifact | partial | | | |
| Blockchain / ledger DB: tamper-evident, but heavy infrastructure and not a compressed file you hold | partial | | | |
| gzip / zstd of a log: small and portable, but opaque — any query means a full restore, and no integrity | | | | |
| AT-1 Ledger: all four, in one file | | | | |
AT-1 Ledger uses the same well-known hash-chaining as Certificate Transparency, AWS QLDB, and blockchains — it is tamper-evident (it detects tampering), not magic. What's new is putting that guarantee inside a compressed, queryable, byte-exact, erasable file you hold, instead of a service you rent.
Built for
Audit logs · financial & transaction ledgers · regulatory event trails · IoT / device event histories · security & access logs — anywhere you must keep an event history, prove it wasn't tampered with, still query it cheaply, and (for PII) erase a subject.
Decoding and verifying a ledger is always free and needs no account; appending and querying are metered against a connected account.