REQ-NFR-074

Cost ledger entries are append-only and tamper-evident via audit log

ID
REQ-NFR-074
Category
Non-Functional Requirements
Status
approved
Priority
P1
Created
2026-05-11T18:34:00.000Z
Approved
2026-05-11T18:37:00.000Z
Updated
2026-05-11T18:37:00.000Z

What

cost_ledger entries SHALL be insert-only at the DB role level (no UPDATE, no DELETE). Corrections SHALL be represented as new offsetting rows with reverses_ledger_id pointing at the corrected row. Every insert SHALL produce an audit row in the existing audit_log per REQ-FUN-070, participating in the same hash chain (REQ-FUN-072).

Why

Cost ledger is financial truth. Retroactive edits would invalidate every downstream EVM / AC / variance computation and erase the audit story.

How

Postgres GRANT INSERT only on cost_ledger to app role; offsetting-row pattern documented in cost management plan; audit-row check in CI confirms every cost_ledger insert produces exactly one audit row.

Done when

UPDATE / DELETE on cost_ledger via app role fails; corrections via offsetting row pattern round-trip and show in reports; audit hash chain verifies after a sequence of ledger inserts.

Out of scope

Per-row digital signatures.

established project management guidelines Mapping

Primary Knowledge Area
Cost Management
Secondary KAs
Integration Management
Primary Process Group
Executing
established project management guidelines Deliverable
Cost Baseline, Audit Log

Integrity NFR for the cost ledger - same enforcement model as audit log.