Verify the audit-chain integrity in one click

Owner / admin button on /audit that re-runs SHA-256 over every event in the tenant's chain and confirms each prev_hash matches its predecessor.

Updated 2026-04-26

On /audit, owners and admins see a "Tamper-evidence check" panel above the filter row with a "Verify chain integrity" button. Clicking it walks every event in your tenant's chain in createdAt order and recomputes SHA-256 over the canonical JSON of each row's predecessor — then checks each event's stored prev_hash against the recomputed value.

What "pass" looks like:

- Green chip: "✓ N events verified"
- Below: "Walked N events through 2026-04-26T18:14:02Z. Every prev_hash matches its predecessor's SHA-256."

That's the load-bearing claim Kodori makes about tamper-evidence — a single hash anywhere in the chain detects modification of any prior event. The verifier proves it on every run, not on faith.

What "fail" looks like:

A red diagnostic panel listing the earliest mismatch:

- The event id whose prev_hash didn't match
- The event type, stream, version, and timestamp
- The hash we recomputed (expected) vs what's stored on the row (actual)
- A pointer to security@kumokodo.ai for triage

The hash inputs the verifier uses are kept in lockstep with the appender at packages/events/src/store.ts. If we ever change which fields the chain hashes (we haven't, and would not casually), we change them in both places in the same commit and the next run breaks every prior chain — that's a deliberate stability vs. flexibility tradeoff. Hash inputs are a public commitment.
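The walk described above, as an added TypeScript sketch (not Kodori's code from packages/events/src/store.ts). The row shape, the sorted-key canonical JSON, hashing the whole row, and a null prev_hash on the first event are assumptions, since the page does not list the hash inputs.

```typescript
import { createHash } from "node:crypto";
// Assumed row shape; the page does not list the real hash inputs.
interface AuditEvent {
  id: string; type: string; stream: string; version: number;
  createdAt: string; payload: Record<string, unknown>;
  prev_hash: string | null; // null on the first event (assumption)
}
type Result =
  | { ok: true; verified: number; through: string | null }
  | { ok: false; eventId: string; expected: string | null; actual: string | null };
// Assumed canonical form: keys sorted recursively, no whitespace.
function canonicalJson(value: unknown): string {
  if (Array.isArray(value)) return `[${value.map((v) => canonicalJson(v)).join(",")}]`;
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const members = Object.keys(obj).sort()
      .map((k) => `${JSON.stringify(k)}:${canonicalJson(obj[k])}`);
    return `{${members.join(",")}}`;
  }
  return JSON.stringify(value);
}
// SHA-256 over the whole canonical row, prev_hash included (assumption).
function hashEvent(e: AuditEvent): string {
  return createHash("sha256").update(canonicalJson(e)).digest("hex");
}
// Walk in createdAt order and return the earliest prev_hash mismatch, if any.
function verifyChain(events: AuditEvent[]): Result {
  const chain = [...events].sort((a, b) =>
    a.createdAt < b.createdAt ? -1 : a.createdAt > b.createdAt ? 1 : 0);
  let expected: string | null = null;
  for (const e of chain) {
    if (e.prev_hash !== expected) return { ok: false, eventId: e.id, expected, actual: e.prev_hash };
    expected = hashEvent(e);
  }
  const last = chain[chain.length - 1];
  return { ok: true, verified: chain.length, through: last ? last.createdAt : null };
}

// Constructed sample chain of three events (not real tenant data).
function sampleChain(): AuditEvent[] {
  const chain: AuditEvent[] = [];
  ["doc.created", "doc.signed", "doc.exported"].forEach((type, i) => {
    const prev = chain[chain.length - 1];
    chain.push({ id: `evt_${i + 1}`, type, stream: "doc-1", version: i + 1,
      createdAt: `2026-04-26T18:1${i}:00Z`, payload: { actor: "alice" },
      prev_hash: prev ? hashEvent(prev) : null });
  });
  return chain;
}
```

In this sketch an edit to evt_1 is reported as a mismatch on evt_2, the row that stores evt_1's hash; the newest row has no successor covering it until the next event is appended.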

Caps: 50,000 events per synchronous call (within Vercel's 300-second function budget). Larger tenants get a "Capped at 50k events per call" notice; an async workflow run that pages through 50k chunks lands when the first customer asks. Until then, "verified through 2026-04-26T18:14:02Z" is the operator-visible artifact.

Use cases:

- **SOC 2 evidence handoff.** Run the verifier with your auditor in the room. The "verified through" timestamp is the artifact; the manifest in /api/tenant/export bundles the chain itself for offline re-verification.
- **21 CFR Part 11 audit trail.** Federal regulators auditing electronic-signature systems specifically want demonstrable tamper-evidence, not just a claim of it.
- **E-discovery defensibility.** Opposing counsel challenging the integrity of records you produced gets a one-click rebuttal.
- **Internal audits.** Run it monthly, save the timestamp, file in your compliance binder.