strikaris-chain: Tamper-Evident Audit Records
For financial regulators and auditors
The Problem
Most audit logs can be silently altered after the fact. A record can be deleted, a timestamp changed, or an entry backdated; nothing in the system proves it happened. The institution controls the log, and the regulator reads whatever the institution presents.
This is not a novel risk. It is structural.
What strikaris-chain Does
Every record written to the chain includes the cryptographic hash of the record before it. Change any record (even a single character) and every record after it produces the wrong hash. The break is detectable by anyone with the chain and a calculator.
This is the same principle used in systems like Git and Bitcoin, stripped down to four Python files and a SQLite database. No blockchain runtime. No external dependencies. Verification requires only Python’s standard library.
An independent auditor process runs on a fixed schedule, recomputes hashes across each new window of records, flags any integrity gaps, and writes a timestamped anchor to a separate log. The anchor itself is a rolling hash of everything seen so far: a compact, durable proof of what the chain contained at that moment.
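The chaining and rolling anchor described above, as an added example that is not strikaris-chain's own code. The six field names and the sorted-key JSON/SHA-256 serialization are taken from this page's verification command; the `prev_hash` field, the all-zero genesis value and the anchor construction are assumptions made for illustration.

```python
import copy
import hashlib
import json

FIELDS = ["id", "timestamp", "agent", "status", "action", "details"]  # from the page
GENESIS = "0" * 64  # assumption: predecessor value for the first record

def block_hash(block, prev_hash):
    """SHA-256 of the page's six fields plus the predecessor's hash (assumed layout)."""
    entry = {k: block[k] for k in FIELDS}
    entry["prev_hash"] = prev_hash
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def seal(chain, start=0):
    """(Re)compute prev_hash and hash for every record from index `start` on."""
    prev = chain[start - 1]["hash"] if start else GENESIS
    for block in chain[start:]:
        block["prev_hash"] = prev
        prev = block["hash"] = block_hash(block, prev)
    return chain

def audit(chain):
    """Recompute the chain from genesis; return (ids with wrong hashes, anchor)."""
    bad, running, anchor = [], GENESIS, GENESIS
    for block in chain:
        running = block_hash(block, running)
        if running != block["hash"]:
            bad.append(block["id"])
        # Rolling anchor over the stored hashes seen so far (assumed construction).
        anchor = hashlib.sha256((anchor + block["hash"]).encode()).hexdigest()
    return bad, anchor

# Constructed sample records, not taken from a real chain.
original = seal([
    {"id": i, "timestamp": f"2024-01-01T00:0{i}:00Z", "agent": "teller-7",
     "status": "ok", "action": "transfer", "details": f"amount={100 * (i + 1)}"}
    for i in range(4)
])
recorded_anchor = audit(original)[1]  # what the auditor wrote to its separate log

edited = copy.deepcopy(original)
edited[1]["details"] = "amount=20"  # one record changed, stored hashes untouched
# A copy whose later hashes were all recomputed is internally consistent;
# only the separately logged anchor shows that it differs.
resealed = seal(copy.deepcopy(edited), start=1)

if __name__ == "__main__":
    print("edited copy, failing ids:", audit(edited)[0])
    print("resealed copy:", audit(resealed)[0], audit(resealed)[1] == recorded_anchor)
```

The edited copy fails at the changed record and at every record after it, while the resealed copy passes the hash walk and is caught only by comparing its anchor with the one recorded earlier.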
What a Regulator Gets
A regulator can run their own independent chain node. The institution’s system relays writs to that node over an authenticated connection. The regulator’s node interleaves those relayed records with local heartbeat ticks: liveness proofs that establish a continuous timeline.
The result: the regulator holds an independent copy of the record, hash-chained from the same genesis. They do not need to trust the institution’s copy. They can verify any block themselves:
curl https://their-chain-node/chain/block/42 > block.json
python3 -c "
import json, hashlib
b = json.load(open('block.json'))
entry = {k: b[k] for k in ['id','timestamp','agent','status','action','details']}
print(hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest())
"
# Must match block.json's 'hash' field.
That is the entire verification procedure. No proprietary tools. No vendor access.
What It Is Not
- Not a database replacement. It sits alongside existing systems as a tamper-evident layer.
- Not a compliance platform. It does not interpret regulations or generate reports.
- Not a hosted SaaS product. You run it. The code is public.
- Not a blockchain. There are no tokens, no consensus network, no runtime beyond Python and SQLite.
Deployment
Two machines: the institution’s system (author node) and an independently operated chain node (regulator’s mirror or a neutral third party). The author relays writs over SSH. The chain node extends the ledger, runs the heartbeat, and runs the auditor.
Systemd service files are included. The recommended layout is a single directory under /opt/chain/. A production instance is running at verify.strikaris.com with the chain status and block lookup endpoints publicly accessible.
License and Source
Apache 2.0. Source: github.com/Strikaris-Tech/strikaris-chain
Four files. Auditable in an afternoon.