Append-Only Provenance
A record-keeping model in which context artifacts are written once and never modified, producing a verifiable chain of operational history.
Definition
Append-only provenance is a record-keeping model in which every context artifact is written once and never modified. When new information is added to the operational record, it is appended as a new artifact — the prior record is not overwritten.
This produces a verifiable, auditable chain of operational history. Every decision, capture, and checkpoint that ever occurred is preserved in its original form.
Why It Matters
Traditional version control and change-management systems allow records to be modified. This introduces a category of question that append-only provenance eliminates: has this record been changed since it was written?
In AI-assisted engineering, the cost of this ambiguity is high. If context records can be modified, the AI model cannot be certain whether the context it is consuming reflects the original governed decision or a subsequent edit. The governed baseline becomes uncertain.
With append-only provenance, the question is closed. A record’s content is fixed at the time of its creation. The only way to change operational context is to append a new artifact — which itself becomes part of the immutable record.
Operational Example
An engineer authors an architectural decision record (ADR) and captures it into the Yanzi corpus. That artifact is hashed and timestamped at creation. Later, the engineer changes their mind. The updated decision is captured as a new artifact. Both the original decision and the revision remain in the corpus — the model can observe that the decision was revisited, when, and by whom.
This is distinct from editing the original record. The full lineage of the decision is preserved.
Relationship to Determinism
Append-only provenance is a prerequisite for deterministic context composition. If records can be modified, the same corpus could produce different context at different points in time. With append-only provenance, the corpus state at any checkpoint is fixed and reproducible.
In Yanzi
Yanzi enforces append-only provenance by design. The SQLite corpus accepts new records but does not support in-place modification of existing artifacts. Every artifact carries a cryptographic hash that allows consumers to verify it has not been altered.