stratt.run · evaluation slice · stamped 2026-05-08 14:52:28 UTC build@214422e

Real audit slice

The page below describes its own deploy. Every claim it makes is demonstrated inline.

Surface stratt.run · version 0.2.0

Build fingerprint

blake3:e80d3a888711b57699d10710b4263944945eeaf7b0675fe9033d8fb734a974e9

The value above is the canonical Blake3 hash of the build descriptor (surface, version, git sha, built-at). The same algorithm is pinned by 14 canonical-serialisation test vectors (TV-01 through TV-14) in packages/fingerprint/tests/vectors.ts.

Slice summary

What is this: Prompt engineering infrastructure for teams whose AI-mediated decisions need to be auditable the way their code is.

Who deployed it: CI build at commit 214422e, signed by an ephemeral Ed25519 keypair. The public key is embedded in the token; the audit-viewer verifies against it directly.

When: 2026-05-08 14:52:28 UTC

Verifiable: Yes. The same canonical pipeline ships in @stratt/cli (14 test vectors, blake3-wasm pinned at 2.1.5).

Chronological events of this deploy (5)

Time Actor Kind Description Hash

2026-05-08 14:52:28 UTC ci Build

Astro static bundle for stratt.run@0.2.0.

blake3:e80d3a8…a974e9

2026-05-08 14:52:28 UTC vercel Deploy

Commit 214422e pushed to main.

blake3:84cd868…37ca58

2026-05-08 14:52:28 UTC you Demo

Edit the slug below. The canonical Blake3 recomputes in your browser, deterministically.

{
  "council": "pathfinder",
  "kind": "task",
  "scope": "stratt.run",
  "slug": "verify-deploy-provenance",
  "version": "0.1.0"
}

With JS off, run bun stratt fingerprint <path> on a unit with the same fields; the value below matches.

Default slug blake3:6836695dd710d292567c9bb3ac3a36262cca7b76ffc3b54b31e3bf7270c792b5

Computed blake3:6836695dd710d292567c9bb3ac3a36262cca7b76ffc3b54b31e3bf7270c792b5

blake3:6836695…c792b5

2026-05-08 14:52:28 UTC stratt.run Audit

Open the signed token. The audit-viewer verifies Ed25519 against the embedded public key.

Open /inspect/eyJwYXlsb2FkIjp7In…jBaIn0 expires 2026-11-04 14:52:28 UTC

blake3:828a5a9…871405

2026-05-08 14:52:28 UTC you Install

Add the CLI and run it on any unit. Same canonical pipeline as the demo above.

bun add @stratt/cli

Then bun stratt fingerprint <path> on any unit. Sample output for the demo unit above: blake3:6836695dd710d292567c9bb3ac3a36262cca7b76ffc3b54b31e3bf7270c792b5.

Cryptographic detail

Canonical pipeline

Parse → strip the fingerprint field, remove nulls recursively → NFC-normalise every string → sort keys in UTF-16 code unit order → compact JSON → UTF-8 → Blake3. The build hash blake3:e80d3a888711b57699d10710b4263944945eeaf7b0675fe9033d8fb734a974e9 is one example; the demo unit produces blake3:6836695dd710d292567c9bb3ac3a36262cca7b76ffc3b54b31e3bf7270c792b5 by the same steps. 14 canonical-serialisation test vectors (TV-01 through TV-14) pin the algorithm.
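The steps above, up to the UTF-8 bytes, as an added JavaScript example; it is not Stratt's implementation and has not been checked against TV-01 to TV-14. The function names and every choice marked ASSUMPTION are illustrative, and Blake3 is left to a library (the page names @noble/hashes/blake3), so no hash value is claimed here.

```javascript
// Added example, not Stratt's code. Serialises by hand: JSON.stringify on a
// rebuilt object would emit integer-like keys ("9", "10") in numeric order,
// not in UTF-16 code unit order.
function canonicalJson(value, top = true) {
  if (typeof value === "string") return JSON.stringify(value.normalize("NFC"));
  if (Array.isArray(value)) {
    // ASSUMPTION: null array elements are removed, like null object members.
    const items = value.filter((x) => x !== null);
    return "[" + items.map((x) => canonicalJson(x, false)).join(",") + "]";
  }
  if (value === null || typeof value !== "object") return JSON.stringify(value);
  const members = Object.entries(value)
    // ASSUMPTION: only the top-level "fingerprint" member is stripped.
    .filter(([k, v]) => v !== null && !(top && k === "fingerprint"))
    // ASSUMPTION: keys are NFC-normalised too, before sorting.
    .map(([k, v]) => [k.normalize("NFC"), v])
    // Comparing JS strings with < goes by UTF-16 code unit.
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
  const body = members.map(([k, v]) => JSON.stringify(k) + ":" + canonicalJson(v, false));
  return "{" + body.join(",") + "}";
}

// The bytes that would be fed to Blake3.
function canonicalBytes(value) {
  return new TextEncoder().encode(canonicalJson(value));
}

// The page's demo unit, and a constructed copy with reordered keys, a null
// member and a placeholder fingerprint; both must canonicalise identically.
const demoUnit = { council: "pathfinder", kind: "task", scope: "stratt.run",
  slug: "verify-deploy-provenance", version: "0.1.0" };
const noisyUnit = { version: "0.1.0", slug: "verify-deploy-provenance", note: null,
  fingerprint: "blake3:placeholder", scope: "stratt.run", kind: "task",
  council: "pathfinder" };
// Constructed edge cases: decomposed "é", an astral key (surrogates D83D DE00
// sort before U+FF61 by code unit, after it by code point), integer-like keys.
const edgeCases = { "\uFF61": 1, "\u{1F600}": 2, "10": 3, "9": 4, name: "e\u0301" };

console.log(canonicalJson(noisyUnit) === canonicalJson(demoUnit));
console.log(canonicalJson(edgeCases));
```

Two implementations that disagree on any ASSUMPTION line produce different bytes and therefore different fingerprints, which is what the test vectors exist to rule out.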

Implementation pins

blake3-wasm is fixed at 2.1.5; the v3.0.0 release shipped an async API break. The browser path uses @noble/hashes/blake3 over the same canonical bytes. Ed25519 is provided by @noble/curves and SHA-512 by @noble/hashes/sha2. The page ships ≤ 25 KiB of client JS (the bundle at /landing.js) plus Vercel Analytics; no other third-party code.

Audit token

eyJwYXlsb2FkIjp7InNlc3Npb25JZCI6ImRlbW8tcHJvY3VyZW1lbnQtZXZhbHVhdGlvbiIsImlzc3VlZEF0IjoiMjAyNi0wNS0wOFQxNDo1MjoyOC4zNDhaIiwiZXZlbnRzIjpbeyJzZXNzaW9uSWQiOiJkZW1vLXByb2N1cmVtZW50LWV2YWx1YXRpb24iLCJldmVudElkIjoiZXZ0LTAxIiwic3RyYXQiOiJzdHJhdHQ6Ly9kZXYvdGFzay9yZXZpZXctcHVsbC1yZXF1ZXN0QDEuMC4wIiwiYmxha2UzIjoiYmxha2UzOjA0NmZkMjA1NWQxNGU3ZTM0OThkMDBmYzMyNDgyYzJiNmJlOTlkMzk0MzgwM2E2Zjc2NDkwNmI0YTczZTQzMzQiLCJhY3RvciI6IldBVE5FWS0wMiIsImtpbmQiOiJwdWJsaXNoIiwidHMiOiIyMDI2LTA1LTA4VDE0OjUyOjI4LjM0OFoifSx7InNlc3Npb25JZCI6ImRlbW8tcHJvY3VyZW1lbnQtZXZhbHVhdGlvbiIsImV2ZW50SWQiOiJldnQtMDIiLCJzdHJhdCI6InN0cmF0dDovL2Rldi9jaGFpbi9zb2wtMS1ib290QDEuMC4wIiwiYmxha2UzIjoiYmxha2UzOjc0MmRmN2VjZjhhM2ZlODg2NGJkMjM3OTVkMjQ4ZmY4Mzk4NjU2N2FiMzM2Y2VjOGMwMGQ3NzM3MTM4YWQ0MTQiLCJhY3RvciI6IldBVE5FWS0wMSIsImtpbmQiOiJnYXRlIiwidHMiOiIyMDI2LTA1LTA4VDE0OjUyOjI4LjM0OFoifV19LCJzaWciOiJmS1pLMmNpR0ItYzB2LVl4OVg0RkUyUEtNWFRoWWtVTEJlZFFRRE0wOG41ZExFNmwwRGhPeExHNXZtb2VtQWltdTVaMFhwVlJoNjN5TG84LVU5RVlCUSIsInB1YmxpY0tleSI6Ik5rSGVTX2tEMC1qdk53aXZPblVWMHAyN2xQU3NDUEs2ZFdHYjhKNE5Gc3MiLCJraWQiOiJzdHJhdHQucnVuL2RlbW8tZXBoZW1lcmFsIiwiZXhwIjoiMjAyNi0xMS0wNFQxNDo1MjoyOC4zNjBaIn0

Verify locally

Decode the token (base64url JSON envelope, embedding the public key). Re-canonicalise the payload by the steps above. Check the Ed25519 signature. Reference implementation: @stratt/signature.verifyToken. The audit-viewer at /inspect/<token> runs exactly this check in the browser, no orchestrator round-trip.