The Sectum AI evidence chain

Every Sectum AI run produces an evidence pack an auditor or DPO accepts. The pack is tamper-evident: anyone with the OSS sectum-ai verify can independently confirm that the pack was produced at a stated time, against stated test conditions, and has not been altered since.

Goals

Every run produces an EvidencePack with a stable schema, versioned for forward compatibility.
The pack is tamper-evident: mutating any field breaks verification with a specific [FAIL] reason.
Verification is independent of Sectum AI — the verifier and its supporting code are Apache 2.0; no Sectum AI installation is required to check a pack the customer received.
Findings carry control mappings (SOC 2 CC6.x, ISO 27001 A.8.x, GDPR Art. 17/32, EU AI Act Art. 15, NIST AI RMF MEASURE 2.7, OWASP LLM08:2025) so auditor walkthroughs map directly.

Construction

The pack is built deterministically. The steps:

Canonicalize the run. The run record — run_id, started_at, finished_at, scenario_hash, manifest_hash, adapter_versions, probe_versions, the list of findings — is serialized as canonical JSON: sorted keys, fixed numeric precision, no floats where avoidable.
Hash the canonical run. SHA-256 over the canonical JSON yields the run_digest. This is the single value the rest of the chain anchors to.
Timestamp the digest. The run_digest is submitted to an RFC 3161 Time-Stamp Authority. The returned TSA token binds the digest to a public time. Development uses a free TSA; production deploys configure a pinned TSA (or the customer's preferred TSA, where the auditor wants control).
Record in a transparency log. The digest plus signature is recorded as a Sigstore Rekor transparency-log entry; the inclusion proof is stored in the pack. Keyless signing via OIDC is the default where available; the operator can also configure a private Rekor or a self-managed key.
Wrap as in-toto attestation. The canonical run goes into an in-toto Statement envelope (subject = run_digest, predicate = the run + control mappings) so the artifact slots into existing supply-chain attestation tooling.
Render the audit PDF. A human-readable PDF covers the executive summary, scope, methodology, per-finding detail with mapped controls, and instructions for the recipient to verify the pack independently.

What ships in a pack

File	Purpose
`evidence.json`	Machine-readable, schema-versioned evidence record. Loaded by `sectum-ai verify` to validate the chain.
`audit-pack.pdf`	Human-readable: executive summary, scope, methodology, per-finding evidence, control mappings, verification instructions.
`attestation.intoto.json`	The in-toto Statement envelope binding the run digest to the predicate.
TSA token (in-band)	RFC 3161 timestamp token over the run digest.
Rekor inclusion proof (in-band)	Log index, inclusion proof, signed entry timestamp. Optional — on by default for Sectum Cloud, opt-in for OSS local runs.

Independent verification

The verifier ships in the Apache 2.0 OSS. Anyone can run it:

pip install sectum-ai
sectum-ai verify evidence.json \
  --tsa-cert tsa-cert.pem \
  --tsa-root tsa-root.pem \
  [--rekor-key rekor.pem]

Exit codes follow the rest of the CLI: 0 verified, 4 verification failed. A failure prints a [FAIL] line that explains exactly which check broke (e.g., run_digest mismatch, TSA signature invalid, Rekor inclusion proof does not match).

Tamper-evidence in practice

The properties an auditor cares about:

Mutating any field in evidence.json changes the run_digest; the TSA-signed digest no longer matches; sectum-ai verify exits with [FAIL] run_digest mismatch.
Re-signing the digest with a different TSA breaks the TSA-certificate-chain check; sectum-ai verify exits with [FAIL] tsa signature invalid or [FAIL] tsa certificate chain.
Forging a Rekor inclusion proof requires control of a Rekor key pinned in the verify call. Public Rekor proofs are validated against the publicly-published Sigstore root.
The manifest hash in the evidence pack binds the test conditions to the run. Editing the manifest after the fact changes its hash; the pack's stored value no longer matches; verification fails.

The non-goal

Sectum AI verifies and attests. It does not remediate. Findings include remediation pointers — specific surface, specific marker count — but the change to the customer's stack belongs to the platform team. The evidence chain proves what was tested, what was found, and when. Fixing the findings is a separate motion.

Sample artifacts

Real sample evidence packs ship in the OSS repo: docs/samples/. Includes a sample evidence.json, audit-pack.pdf, and attestation.intoto.json the buyer's auditor can inspect before signing an engagement.