The Living Constitution

Evidence provenance manifest

Path: /provenance/manifest.md and /.provenance/ directory · v1.0 · 2026.05

The portfolio's strongest evidence — FOLIO 001's verbatim transcript, PROACTIVE test results, the held-in corpus content — is also the evidence with the highest forgery-suspicion surface. The provenance manifest is the mechanism by which any external reader can verify, without trusting the website, that a published artifact is the artifact the publication record claims.

This document specifies the manifest format, the signing chain, and the verification procedure.


What is in the manifest

For each published evidentiary artifact:

| Field | Type | Notes |
|---|---|---|
| artifact_id | string | Stable identifier (e.g. folio-001-transcript) |
| title | string | Human-readable |
| published_at | ISO-8601 | First-publication timestamp |
| sha256 | hex | Content hash of the artifact, computed over the canonical normalized form |
| signing_key_fingerprint | hex | GPG/SSH fingerprint of the key used to sign |
| signature | base64 | Detached signature over (sha256 + published_at) |
| opentimestamps_proof | string | Path to the .ots file anchoring published_at to a blockchain |
| mirrors | array | Independent locations where the artifact is also published (e.g., archive.org, IPFS CID, OSF mirror) |
| supersedes | nullable | If this artifact replaces a previous one, the prior artifact_id |
| notes | string | Free-form provenance notes (e.g., redaction policy applied) |

The manifest itself is published at /provenance/manifest.json and signed under the same procedure.


Example entry

{
  "artifact_id": "folio-001-transcript",
  "title": "FOLIO 001 — Kiro_lies-and-deception.md",
  "published_at": "2026-04-18T17:42:11Z",
  "sha256": "a3f7b9c2e5d8...c4a1",
  "signing_key_fingerprint": "EFAA 7B2C 9E1D 4F18 33A2 91B0 5C7D 8E64 12F3 AA90",
  "signature": "iQIzBAABCgAdFiEE76p7LJ4...base64...gAAoJEFx9j2QSE...",
  "opentimestamps_proof": ".provenance/folio-001-transcript.ots",
  "mirrors": [
    "https://web.archive.org/web/2026*/coreyalejandro.com/folio/001/transcript.md",
    "ipfs://bafybeibq...",
    "https://osf.io/[handle]/files/folio-001-transcript.md"
  ],
  "supersedes": null,
  "notes": "Original transcript. Vendor names retained. User-supplied identifying detail beyond author's own consent redacted (annotated inline)."
}

Verification procedure (for an external reader)

A reader who wants to verify a published artifact follows three steps:

1. Verify the content hash

sha256sum /path/to/downloaded/artifact
# Compare with the sha256 field in the manifest entry.

2. Verify the signature against the public key

The public key is published at multiple locations:

  - https://keybase.io/coreyalejandro
  - The portfolio's /.well-known/keys.pub
  - The signing key's fingerprint on at least one major keyserver (keys.openpgp.org)

gpg --verify artifact.sig artifact

3. Verify the timestamp anchoring (optional but recommended)

OpenTimestamps anchors published_at to the Bitcoin blockchain. A reader can verify with:

ots verify .provenance/folio-001-transcript.ots

A successful verify proves the artifact existed and the manifest entry was signed no later than the OTS proof's block-time. This is useful for refuting claims that the evidence was fabricated retroactively.


The signing key

Single GPG key managed by the author. Fingerprint:

EFAA 7B2C 9E1D 4F18 33A2  91B0 5C7D 8E64 12F3 AA90

(The fingerprint above is a placeholder for the document; the live signing key fingerprint is published at /.well-known/keys.pub and on Keybase.)

Key rotation policy. The key is rotated annually or upon any suspicion of compromise. Rotation produces a new manifest with re-signed entries; the old key's last-signature timestamp is the cutoff after which signatures by the new key are authoritative. The transition is documented at /provenance/key-rotation.md.

Key compromise protocol. Suspicion of compromise triggers:

  1. Public revocation via the OpenPGP infrastructure within 24 hours.
  2. A revocation notice at /provenance/revocations.md.
  3. Re-signing of all current manifest entries under a new key.
  4. A post-mortem at /post-mortems/.


What provenance does not prove

Provenance is a necessary condition for evidentiary credibility, not a sufficient one. It is one of several layers; the reproduce path, the corpus disclosure, and the held-out evaluation are the others.


Signing automation

Provenance signing is implemented in /scripts/sign-and-log.sh (called by make verify). The script:

  1. Computes the SHA-256 hash of the canonical artifact form.
  2. Signs (hash + published_at) with the signing key (key available only on the author's signing machine; the signing call requires a passphrase).
  3. Submits to OpenTimestamps.
  4. Updates /provenance/manifest.json.
  5. Commits and pushes to the runtime repo.

The script is open-source and auditable. A reviewer who suspects the signing chain has a backdoor is invited to inspect it.


Forgery resistance

The honest summary of forgery resistance:

We claim: modification of a published artifact after publication is detectable. We do not claim and could not claim resistance to all conceivable forgery scenarios.


Reader audit checklist

For a reviewer with 15 minutes, the audit is:

  1. Pick three artifacts from the manifest at random.
  2. Download each via the canonical URL and at least one mirror.
  3. Verify SHA-256 matches manifest.
  4. Verify signature against the published key.
  5. Optionally verify OTS proof.

A failure of any step is grounds to question the portfolio's evidentiary claims. Please file an issue if you observe a failure.
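Checklist steps 1 to 3 (and step 1 of the verification procedure), as an added Python example that is not part of the portfolio's own tooling: it samples manifest entries, rejects truncated digests, compares the signing-key fingerprint with one pinned out of band, and hashes every downloaded copy. The function names and the sample-* data are constructed for illustration, and the code assumes the published file is already in canonical form, as the sha256sum step implies; signature and OTS checks stay with gpg and ots.

```python
import hashlib, hmac, re, secrets
HEX64 = re.compile(r"[0-9a-f]{64}")

def norm_fpr(fpr):
    # Fingerprints are printed with spaces and mixed case; compare one form.
    return "".join(fpr.split()).upper()

def check_entry(entry, copies, pinned_fpr):
    """Return failure strings for one manifest entry (empty list = pass)."""
    want = str(entry.get("sha256", "")).lower()
    if not HEX64.fullmatch(want):
        # A truncated or placeholder digest must fail closed, not be skipped.
        return ["sha256 field is not a full 64-hex digest"]
    fails = []
    if norm_fpr(entry.get("signing_key_fingerprint", "")) != norm_fpr(pinned_fpr):
        fails.append("signing key differs from the pinned fingerprint")
    if len(copies) < 2:
        fails.append("need the canonical copy plus at least one mirror")
    for source, data in sorted(copies.items()):
        # Assumption: the published bytes are already the canonical form.
        got = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(got, want):
            fails.append(f"{source}: sha256 mismatch")
    return fails

def audit(manifest, downloads, pinned_fpr, k=3):
    """Checklist steps 1-3: pick k entries at random, check every copy."""
    picked = secrets.SystemRandom().sample(manifest, min(k, len(manifest)))
    return {e["artifact_id"]: check_entry(e, downloads.get(e["artifact_id"], {}),
                                          pinned_fpr) for e in picked}

# Constructed sample data, not the portfolio's real manifest or artifacts.
PINNED = "EFAA 7B2C 9E1D 4F18 33A2  91B0 5C7D 8E64 12F3 AA90"  # page's placeholder
GOOD = b"constructed transcript body\n"
def make_entry(artifact_id, data):
    return {"artifact_id": artifact_id, "signing_key_fingerprint": PINNED,
            "sha256": hashlib.sha256(data).hexdigest()}

MANIFEST = [make_entry("sample-a", GOOD), make_entry("sample-b", GOOD),
            dict(make_entry("sample-c", GOOD), sha256="a3f7b9c2e5d8...c4a1")]
DOWNLOADS = {
    "sample-a": {"canonical": GOOD, "mirror": GOOD},
    "sample-b": {"canonical": GOOD, "mirror": GOOD.replace(b"\n", b"\r\n")},
    "sample-c": {"canonical": GOOD, "mirror": GOOD},
}

if __name__ == "__main__":
    for aid, fails in sorted(audit(MANIFEST, DOWNLOADS, PINNED).items()):
        print(aid, "PASS" if not fails else fails)
```

The sample-b mirror differs only in line endings, which is enough to fail a raw-byte hash; a mirror that rewrites content in transit has to be normalized to the canonical form before hashing or treated as a mismatch.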