Trust Ledger: Merkle append-only event log on Cloudflare Workers

If a marketplace claims its contractor verifications, payouts, dispute resolutions, and re-bid decisions are honest, it has to be auditable. We have made the claim on /commitments and /transparency since the apex launch; Wave 292D is the substrate that lets a third party verify the claim retroactively.

The Trust Ledger is an append-only event log. Every event has a subject (pros:netanel-presman, projects:abc123, agents:legal-compliance), a type, a timestamp, a payload, and a chain hash. Each event's chain hash is SHA-256 of (previous chain hash || canonical-JSON of this event). Per-subject chains are computed independently so a single subject's history can be verified without replaying the whole ledger.

Hourly, a batcher reads all subject heads and computes a Merkle tree over them. The Merkle root is published to a public endpoint at /commitments/ledger-root and to a Cloudflare KV with TTL=48h for fast verifier reads. The published root commits the entire ledger state at that hour boundary. Anyone can take a single event from any subject, walk the per-subject chain back to the head at the publish boundary, and verify the head against the Merkle root.

The implementation uses Web Crypto only because we run on Cloudflare Pages Functions where Node crypto is not available. lib/trust-ledger/hash.ts is the canonical-JSON sort-keys implementation plus the SHA-256 wrapper. lib/trust-ledger/writer.ts appends an event and re-computes the head. lib/trust-ledger/batcher.ts is the hourly Merkle root computer. lib/trust-ledger/verifier.ts is the public verification function.

The first events on the ledger are the public ones: every commit SHA on the engineering changelog, every contractor license verification (Wave 181), every re-bid decision (Wave 292D /partners/rebid-2026), every Lane-Classifier classification (Wave 292C). Private events — escrow movements, dispute resolutions — go through the same chain but the payload is hashed not stored, so the ledger commits to the existence and ordering without exposing the content.

Wave 294A filed the patent provisional for this design (dossier 03 at /docs/patents/). Wave 28.4 of the master plan calls for /research/trust-ledger-spec to publish the third-party verification protocol. We are not the first marketplace to claim a transparent ledger, but we are the first one I can name where the cryptographic substrate is on disk and verifiable against the Merkle root we publish hourly. Houzz, Buildertrend, Hipages, Angi, Thumbtack, HomeAdvisor — none of them publish a hash chain.

Capacity: at 100 marketplace events per minute, 1 KB average payload, the per-subject chain costs are bounded by the subject count, not the event volume. Cloudflare KV writes for hourly root publication are cheap. The bottleneck will be Merkle tree size at very large subject counts; the master plan calls for ~100M events by Phase 30, which corresponds to ~1M unique subjects, which is well within Web Crypto's per-request budget for the hourly batcher.