An Append-Only WORM Ledger You Can Verify Without Us
A hardware-anchored, write-once chain where every artifact carries its own proof — verifiable years later from its own bytes plus a published public key, even if the vendor is gone.
What
Hyfstele Ledger is an append-only chain of sealed records. Each block, and each periodic checkpoint over the chain, is signed by a hardware security module under Cloud KMS — the signing key never leaves the HSM. Records are write-once, read-many (WORM): once a block is sealed it cannot be edited, reordered, or silently dropped without breaking the chain.
The defining property is offline, vendor-independent verification. Every artifact is a self-contained bundle — the canonical record, its SHA-256 digest, the block linkage, and the HSM signature. An auditor checks it against a single published HSM public key. No call to a Hyfstele API. No live ledger lookup. No trust in Hibiscus being alive, online, or cooperative at audit time.
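As an added illustration (not Hyfstele's code or bundle format), this Go sketch shows an auditor checking hash linkage and per-block ECDSA P-256 signatures using only the blocks and a public key. The Block layout, the digest construction and the Seal helper are assumptions, and a throwaway software key stands in for the HSM key.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Block is a hypothetical bundle layout; the page does not publish the real one.
type Block struct {
	Record []byte   // canonical record bytes
	Prev   [32]byte // digest of the previous block, all zero for the first
	Sig    []byte   // ASN.1 DER ECDSA P-256 signature over Digest()
}
// Digest binds a record to its position: SHA-256(Prev || SHA-256(Record)).
func (b Block) Digest() [32]byte {
	rec := sha256.Sum256(b.Record)
	return sha256.Sum256(append(b.Prev[:], rec[:]...))
}

// VerifyChain returns the index of the first block failing linkage or signature, else -1.
func VerifyChain(pub *ecdsa.PublicKey, chain []Block) int {
	var prev [32]byte
	for i, b := range chain {
		d := b.Digest()
		if b.Prev != prev || !ecdsa.VerifyASN1(pub, d[:], b.Sig) {
			return i
		}
		prev = d
	}
	return -1
}

// Seal builds constructed sample data; a throwaway software key stands in for the HSM.
func Seal(records ...string) (pub *ecdsa.PublicKey, chain []Block) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	var prev [32]byte
	for _, r := range records {
		b := Block{Record: []byte(r), Prev: prev}
		prev = b.Digest()
		b.Sig, _ = ecdsa.SignASN1(rand.Reader, k, prev[:])
		chain = append(chain, b)
	}
	return &k.PublicKey, chain
}
func main() {
	pub, chain := Seal("batch-1", "batch-2", "batch-3")
	fmt.Println("first bad block:", VerifyChain(pub, append(chain[:1], chain[2:]...))) // batch-2 dropped -> 1
}
```

Removing blocks from the end of the chain is not caught by per-block checks; detecting that requires a signed commitment to the chain head, which this sketch does not model.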
Why this matters
Most audit logs answer "what does the database say now." Federal and regulated records have to answer a harder question: prove this record is exactly what was written then, and prove nothing has been changed since — on a 7-year retention floor, against an adversary who may control the system the log lives on.
- Survives the vendor going dark. Verification depends only on the artifact bytes and a public key, not on a running service. A record sealed today is checkable in 2033 whether or not Hyfstele still exists.
- Tamper-evident, not tamper-promised. Any edit, reordering, or deletion breaks the hash linkage or the HSM signature. Tampering is detected by math, not caught by policy.
- Hardware root of trust. Block and checkpoint signatures come from an HSM-held ECDSA P-256 key under Cloud KMS — the private key is non-exportable by construction.
- Runs anywhere. The verification protocol is deterministic and dependency-light — in the live Army ITV demo it runs entirely in the browser, with no server in the loop.
Where it ships
- AI decision provenance — every cair-v1 inference event is anchored into the ledger, giving each model decision a permanent, checkable home.
- Pharma MLR — each promotional-copy review exports a signed bundle whose audit chain verifies without contacting the vendor.
- Coalition logistics (Army ITV) — sealed custody batches publish to the ledger; tampered events fail a deterministic, browser-side verification protocol.
- CAPA / NCR — manufacturing deviation and non-conformance records sealed with the same WORM guarantees, ready for FDA / AS9100 inspection.
Status
Production reference implementation: hyfstele-ledger. Live today behind the Army ITV console and the Hyfstele MLR signed-bundle export. Canonical hashing, HSM-anchored block and checkpoint signing, and offline artifact verification are shipping; the same primitives back the CAIR inference protocol and the upcoming CAPA / NCR surfaces.