01 · Receipts
Tamper-evident by construction.
sha256(previous hash + event) - append-only, verifiable on read
Every view, download, and share in a delivered gallery is written to an append-only audit chain. Each event's hash is the SHA-256 of the previous event's hash plus the event itself, so the log can't be quietly edited after the fact - alter or remove one row and the chain breaks at exactly that row. Verification re-walks the whole chain and re-computes every hash.
The same chain carries account-level security events - password changes, 2FA on or off, recovery-code rotation, new devices - so "tamper-evident receipts" covers the account, not just the gallery. Even platform-level trust and safety review of a studio's content is written to a chain; cross-tenant access is never silent.