REQ-NFR-074
Cost ledger entries are append-only and tamper-evident via audit log
What
cost_ledger entries SHALL be insert-only at the DB role level (no UPDATE, no DELETE). Corrections SHALL be represented as new offsetting rows with reverses_ledger_id pointing at the corrected row. Every insert SHALL produce an audit row in the existing audit_log per REQ-FUN-070, participating in the same hash chain (REQ-FUN-072).
Why
Cost ledger is financial truth. Retroactive edits would invalidate every downstream EVM / AC / variance computation and erase the audit story.
How
Postgres GRANT INSERT only on cost_ledger to app role; offsetting-row pattern documented in cost management plan; audit-row check in CI confirms every cost_ledger insert produces exactly one audit row.
Done when
UPDATE / DELETE on cost_ledger via app role fails; corrections via offsetting row pattern round-trip and show in reports; audit hash chain verifies after a sequence of ledger inserts.
Out of scope
Per-row digital signatures.
established project management guidelines Mapping
Integrity NFR for the cost ledger - same enforcement model as audit log.