SEIF
Concepts

Provenance and governance

Evidence URLs, the transparency log, and the classification gate that keeps secrets in.

Provenance answers "can I trust this artifact?". Governance answers "is it safe to share?". SEIF treats both as first-class.

Evidence and verification

Signing produces an Evidence URL. The record it points to carries:

FieldMeaning
SignatureEd25519 signature over the content hash
HashSHA-256 of the exact bytes signed
TimestampOpenTimestamps anchor (independently verifiable)
ClassPUBLIC, INTERNAL, or CONFIDENTIAL

Verification does not require SEIF's servers to be online — the cryptographic chain stands on its own.

seif verify <evidence-url>

The transparency log

Signed artifacts are appended to a transparency log compatible with Certificate-Transparency-style auditing. The log is append-only and supports inclusion proofs, so the history cannot be quietly rewritten.

The classification gate

Before any content leaves a workspace, it passes the classification gate.

PUBLIC

Open evidence, verifiable by anyone with the URL. Default for open work.

INTERNAL

Workspace-scoped. Evidence is visible only to authenticated members.

CONFIDENTIAL

Hash-anchor only in the public log; the full record needs authenticated retrieval.

Escalation is one-way

Classification only escalates, never silently downgrades. Markers such as password, token, api_key, secret, and CVE auto-escalate to CONFIDENTIAL. Promotion to PUBLIC requires explicit human confirmation.

On this page