Mary · Proof

Mary's audit trail is hash-chained, not trust-based.

Mary anchors a hash-chained reconciliation receipt to the Bonis Knox chain for each successful per-vendor sweep, each vendor review decision, and each nightly run summary. Each receipt carries a sequence number, a SHA-256 hash chained to the prior receipt, and a timestamp. The verification primitive is chain-index lookup. The math doesn't depend on trusting TerraVault.

Hash-chain model is live. Public chain-index read endpoint and OTS-Bitcoin checkpoint activate when activation conditions clear; they are not claimed as live on this page.

What the proof model is

  • Hash-chained reconciliation receipts: every sweep, every review, every nightly run
  • SHA-256 hash chain: each event references the previous
  • Chain-index lookup: the verification primitive
  • Hash-chain math, not trust: the math doesn't depend on TerraVault

TL;DR

Every successful daily sweep, every vendor review decision, and every nightly run summary is appended to a SHA-256 hash chain. Each event embeds the hash of the prior event, so any tamper with any prior event breaks every downstream hash. The verification primitive is lookup by chain-index — given a sequence number, any reader who can run SHA-256 can recompute the event hash and walk the chain. The math is operator-portable; it does not depend on trusting TerraVault. A public read endpoint activates when activation conditions clear; today, chain-index lookup is operator-mediated.

What gets anchored

Three kinds of receipt.

The reconciliation surface anchors three receipt kinds end to end — sweep, review, nightly run summary. No silent receipts, no off-chain reconciliation decisions.

Per-vendor sweep receipt
One receipt per vendor per successful daily sweep.
Anchored when Mary's read-only pull against the vendor's state track-and-trace account completes and the reconciliation report is produced. The payload carries the canonical sweep record.
Per-vendor review receipt
One receipt per vendor review submission.
Anchored when the vendor submits a review decision against the sweep's reconciliation report. The payload carries the decision state and free-text capture of the corrective action taken in the state system and in TerraVault.
Nightly run receipt
One receipt per nightly scheduled run.
Anchored at the end of each nightly run that fans out across all credentialed vendors. The payload carries the per-vendor success and failure summary for the run.

What each event carries

Seven fields per event.

Every Knox event is the same shape regardless of type. The fields are the inputs the verification math requires.

sequence
Monotonic integer. Position of this event in the chain. The verification primitive is lookup by sequence.
type
Identifies which kind of receipt this is — sweep, review, or nightly run summary.
id
Per-event identifier. 8 bytes of randomness rendered as 16 hex characters. Used for stable cross-reference inside a single chain.
previousHash
SHA-256 hex of the prior event. Null for the genesis event of a chain instance. Any tamper with any prior event breaks every downstream hash.
hash
SHA-256 hex over the canonical concatenation: sequence | timestamp | type | previousHash | JSON of the payload. Deterministic given the inputs; reproducible by any reader.
timestamp
ISO-8601 UTC. The wall-clock at which the event was anchored. Treated as evidence of order alongside sequence — sequence is the load-bearing ordering.
payload
The structured record being anchored. Sweep records, vendor review records, and nightly run summaries each follow a closed schema. Vendor-identifying fields are scoped to the anchoring tenant.

Hash input — canonical concatenation
SHA-256( sequence | timestamp | type | previousHash | JSON(payload) )

Pipe characters are literal separators. The previousHash slot holds the literal string "ZERO" on the genesis event of a chain instance. JSON serialization is the form the payload was serialized to at anchor time, reproducible by re-serializing with the same JSON serializer (Node.js JSON.stringify).

How to verify

Three checks. SHA-256 and a chain walk.

  1. Recompute the hash

    Concatenate sequence | timestamp | type | previousHash | JSON of the payload in canonical order. SHA-256 the concatenation. If the result equals the stored hash field, the event is internally consistent — its payload has not been silently amended.

  2. Walk the chain

    For each event in sequence, verify that previousHash equals the hash of the prior event. A single tampered event breaks the chain from that point forward. The verification cost is linear in chain depth.

  3. Look up by chain index

    Given a sequence number, retrieve the event and run the two checks above. Mary's daily-sweep workflow surfaces the sequence for each anchored event back to the operator. The verification math does not require trusting TerraVault — it requires the same SHA-256 function the operator can run anywhere.
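
The three checks above as an added Node.js example; this is not TerraVault's or Knox's own code. It assumes the fields are joined by a bare "|" with no surrounding spaces and that the chain passed in starts at its genesis event; the sample events, type names, ids and payload fields are constructed.

```javascript
const { createHash } = require("crypto");

// Assumption: fields are joined by a bare "|" with no surrounding spaces,
// and a null previousHash (genesis) is hashed as the literal string "ZERO".
function eventHash(ev) {
  const prev = ev.previousHash === null ? "ZERO" : ev.previousHash;
  const input = [ev.sequence, ev.timestamp, ev.type, prev,
                 JSON.stringify(ev.payload)].join("|");
  return createHash("sha256").update(input, "utf8").digest("hex");
}

// Checks 1 and 2 over a chain that starts at its genesis event.
// Returns the first failure, or ok: true when every event verifies.
function verifyChain(events) {
  let prior = null;
  for (const ev of events) {
    if (eventHash(ev) !== ev.hash)
      return { ok: false, sequence: ev.sequence, reason: "hash mismatch" };
    if (ev.previousHash !== (prior ? prior.hash : null))
      return { ok: false, sequence: ev.sequence, reason: "broken link" };
    if (prior && ev.sequence <= prior.sequence)
      return { ok: false, sequence: ev.sequence, reason: "sequence not increasing" };
    prior = ev;
  }
  return { ok: true, sequence: null, reason: null };
}

// Check 3: look up one event by chain index and verify the chain up to it.
function verifyAt(events, sequence) {
  const idx = events.findIndex((ev) => ev.sequence === sequence);
  if (idx < 0) return { ok: false, sequence, reason: "not found" };
  return verifyChain(events.slice(0, idx + 1));
}

// Constructed sample chain; type names, ids and payload fields are placeholders.
function sampleChain() {
  const rows = [
    ["sweep", "2026-05-27T06:00:00.000Z", { vendor: "vendor-a", discrepancies: 2 }],
    ["review", "2026-05-27T15:30:00.000Z", { vendor: "vendor-a", decision: "corrected" }],
    ["nightly", "2026-05-28T02:00:00.000Z", { succeeded: 1, failed: 0 }],
  ];
  const chain = [];
  rows.forEach(([type, timestamp, payload], i) => {
    const ev = { sequence: i + 1, type, id: String(i + 1).padStart(16, "0"),
                 timestamp, payload, previousHash: i ? chain[i - 1].hash : null };
    ev.hash = eventHash(ev);
    chain.push(ev);
  });
  return chain;
}
```

JSON.stringify emits properties in insertion order, so a payload re-serialized with its keys in a different order will not reproduce the stored hash even when the values are identical.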

Activation gate

What activates next.

Each item below is planned and is not claimed as live on this page. The hash-chain math is already live; the access surface around it activates as activation conditions clear.

Public read endpoint
A third-party-accessible read endpoint that maps chain-index to event payload activates when activation conditions clear. The hash-chain math itself is live; chain-index lookup is operator-mediated today.
OTS-Bitcoin checkpoint
Chain-tip checkpoints into the OpenTimestamps proof model — and from there into the Bitcoin blockchain — are planned. The proof model is independent of any single operator once the checkpoint is taken. Not live today.
Per-event proof bundle
A downloadable per-event proof bundle that packages payload, recomputable hash inputs, and chain-position context for offline verification is part of the public read-endpoint capability when it activates.

What this proof is not

  • This proof model is not a regulator's signature. The state track-and-trace system remains the system of record; Knox anchoring is a tamper-evident receipt layer over the vendor's own data, not an attestation by the state.
  • This proof model does not substitute for the operator's state license, the operator's compliance officer, or the operator's auditor. Mary anchors what happened; vendor and counsel decide what it means.
  • Anchoring is not authorization. A review-decision receipt proves the vendor recorded a decision; it does not prove the decision was correct under the vendor's policies or under state law.
  • The hash chain proves event integrity. It does not prove the underlying state-system data was complete or accurate at sweep time. That is the state system's responsibility; Mary reads what is there.
  • Knox events do not contain raw state-system credentials, full state-system payloads outside the sweep record, or any data classified by the vendor as confidential outside the sweep scope.

Hash-chain math, not trust.

Mary's daily reconciliation is the operational layer. The Knox-anchored hash chain is the evidence layer. The vendor stays in control of every action; the math stays in the open.

Published 2026-05-28 · Mary's receipts are Knox-anchored · Hash-chain math, not trust