Open governance, readable by outsiders
-- IF.TTT is a receipt‑first governance layer. It binds a source artifact to an output with a - trace page, stable no‑login links, and optional offline bundles anyone can verify. -
++ Open verification for governance: third parties can verify receipts without your credentials. + Artifacts > adjectives. +
+ +Black/white: what the receipt proves vs what it doesn’t.
+ +
shareId (trace, dossier, pack, source).- We don’t claim “compliance”. We support audits by producing verifiable receipts that third parties can check without your - credentials. + If it’s not verifiable, label it as a gap. Don’t endorse it. + This is how you keep governance legible to outsiders.
+- This is the sequence third‑party reviewers actually care about. Every step either produces a receipt, or it doesn’t ship. -
- -source_sha256.output_sha256 (what the reader sees).trace_id and publish a trace receipt that links hashes, time, and versioning.shareId (trace, dossier, pack, source).This is the “procurement/audit” checklist, stated plainly.
- -Use the same path your auditors and external reviewers will use.
- -
- Every published output gets a stable share surface keyed by a single shareId.
-
https://infrafabric.io/static/trace/<shareId>
-https://infrafabric.io/static/dossier/<shareId>
-https://infrafabric.io/static/dossier/<shareId>/download
-https://infrafabric.io/static/pack/<shareId>.md
-https://infrafabric.io/static/review/<shareId>.md
-https://infrafabric.io/static/marketing/<shareId>.md
-https://infrafabric.io/static/source/<source_sha256>.pdf
- HTML views exist for sandboxes that load text/html but reject downloads:
- /static/pack/<shareId>, /static/review/<shareId>, /static/marketing/<shareId>.
-
- Note: some constrained “web fetchers” reject downloadable binaries (e.g., .tar.gz) while still loading HTML. That’s why
- HTML views exist for packs and indexes.
-
Download a bundle from the selector, then:
-curl -fsSL -o iftrace.py 'https://infrafabric.io/static/hosted/iftrace.py'
-python3 iftrace.py verify trace_bundle_<id>_standard.tar.gz --expected-sha256 <sha256>- VERIFIED means the hashes match what the receipt declares. QUANTUM READY may be shown when a - post‑quantum signature receipt exists (PQ verification is additive; hash verification still stands). -
-Same mechanism, different third‑party pressure.
- -Third party
-Auditors + enterprise procurement
-They want
-Evidence that controls existed at the right time, in the right scope, with receipts.
-IF.TTT helps by
-Publishing no‑login receipts and offline bundles for disputes and audits.
- B2B SaaS → -Third party
-Regulators + model risk + internal audit
-They want
-Non‑repudiation, dispute workflows, and “show your work” provenance.
-IF.TTT helps by
-Binding outputs to sources and creating a defensible, replayable receipt trail.
- Finance → -Third party
-Compliance + vendors + incident reviewers
-They want
-Clear boundaries: what’s verified, what’s inferred, and what must be reviewed by humans.
-IF.TTT helps by
-Making evidence legible to outsiders while preserving strict, machine‑verifiable receipts.
- Healthcare → -Third party
-Assessors + customers + supply‑chain review
-They want
-Offline‑verifiable bundles and unambiguous chain‑of‑custody.
-IF.TTT helps by
-Providing triage bundles that can be verified without trusted network access.
- Government → -Third party
-Enterprise buyers + incident responders
-They want
-Provable provenance for outputs (“why did it say that?”) without internal access.
-IF.TTT helps by
-Making trace receipts shareable, replayable, and dispute‑friendly.
- AI products → -Third party
-Executives + auditors after an incident
-They want
-To verify AI summaries against raw evidence and keep chain‑of‑custody intact.
-IF.TTT helps by
-Binding “what the system said” to “what the system saw” via receipts and bundles.
- SecOps → -Third party
-Customers + auditors + insurers
-They want
-Proof of change control and traceability that survives contractor handoffs.
-IF.TTT helps by
-Standardizing receipts so handoffs remain verifiable across organizational boundaries.
- Supply chain → -- “VERIFIED” means the hashes on the trace page match the output/source that can be downloaded and hashed independently. It is an - integrity receipt: the bytes match what the trace declares. -
-- “QUANTUM READY” is shown when a post‑quantum signature receipt exists for the trace. It means PQ receipts are present now (for future - audit requirements). PQ verification is additive; the hash receipt remains valid either way. -
-- No. IF.TTT produces verifiable artifacts that can support audits and disputes. Compliance is a broader program: scope, policy, human - review, and governance decisions are still required. -
-
- shareId is the public handle used in URLs. trace_id is the chain‑of‑custody UUID recorded in receipts and
- bundles.
-