← Back to proof
Portfolio case study
ProofVault Trust Case v1.0.1
A reproducible trust case for an offline-first encrypted evidence app, with a bounded guarantee surface, pinned specimen, drift enforcement, and a public release tied to an exact hosted-green commit.
A deliberately bounded trust case that reduces unearned claim surface through a pinned specimen, drift enforcement, and hosted-CI provenance.
Trust caseRelease integrityCIReproducibility
Summary
ProofVault now carries part of its own proof burden in the repository.
I built a trust dossier, a pinned specimen, automated regeneration and drift detection, and a hosted-CI-enforced release path that narrows the public claim to what the evidence can actually support.
The guarantee boundary was narrowed until the remaining claims could survive skeptical review.
Bounded claim
Hosted-green release binding
What I built
- •Bounded trust case and threat model.
- •Reduced claim surface so the public guarantee matches what the evidence can actually support.
- •Pinned demo specimen with observed outputs.
- •Verifier path showing valid and tampered behavior.
- •Local and hosted-CI specimen regeneration.
- •Drift detection that fails on trust-critical output changes.
- •Public release tags preserving provenance across v1.0 and v1.0.1.
What made this hard
Local success was not enough.
GitHub's hosted runner exposed cross-environment drift that did not appear on the initial local path.
The specimen had to be stabilized without weakening the invariant.
What I fixed
Timestamps
Normalized host-local timestamp rendering so observed output stopped drifting between environments.
Archive metadata
Eliminated archive metadata instability that only became visible on the hosted runner.
Node stamping
Stopped the pinned specimen metadata from incorrectly inheriting the live Node patch version.
Outcome
- •Claim surface is deliberately narrowed: the public guarantee is limited to what the specimen, verifier path, and hosted release can prove.
- •Pinned specimen is reproducible across local and hosted CI execution paths.
- •Verifier path demonstrates both valid and tampered behavior against the same specimen.
- •Hosted CI now validates the final non-debug release tree instead of a debug-adjacent surrogate.
- •proofvault-trust-case-v1.0 remains immutable while proofvault-trust-case-v1.0.1 publishes the hosted-stable corrective release.
Trust claims narrowed, legible, reproducible, and release-bound.
How to inspect it
Release provenance
Immutable baseline
proofvault-trust-case-v1.0 remains intact as the original public record.
Corrective cut
proofvault-trust-case-v1.0.1 publishes the hosted-stable release tied to the exact final non-debug commit.
Why it matters
- •Trust claims are narrowed and inspectable instead of rhetorical.
- •Release integrity depends on hosted evidence, not a private local path.
- •Drift becomes a visible failure condition instead of hidden uncertainty.