Trustless Submission Status · Phase C

✓ Package Integrity

✓ Independent Replay

• Signature Verification Not Applicable for this case (pre-L9.1)

✓ Evidence Package Included

✓ Responsibility Chain Present

✓ Lineage Present

✓ Vendor Independence

VerdictReviewable

A regulator should never need to understand H33 to verify H33 evidence. The verdict above answers one question: can I trust this package? Drill into findings + raw evidence below — see [ Findings ] · [ Verifier runbook ].

Regulator workflow · the four steps

1Open submissionsubmission.tar.gz · 8 files including the embedded evidence package
2Verify packageRun h33-independent-canonical-replay — confirm state_id byte-identical
3Review findingsfinding_report.json — the assertion the regulator is investigating, with evidence_refs
4Drill into evidenceWalk decision/asset/loss/claim lineage from the canonical event log

Evidence Binder · Reality Gap Case File · auto-generated

What changed without authorization?

Reality Gap Investigation #001 — Authority Drift

Investigation typeReality Gap Investigation·Primary buyerAuditor · CISO · Internal Audit

Case ID

reality-gap-001

Investigation type

Reality Gap Investigation

Total gaps detected

Shadow Authority

Undocumented Delegation

Policy Bypass

Responsibility Drift

Principals in graph

Policy states at T

Decisions at T

Tenant

tenant_reality_gap_demo_44962d9b-25f5-5622-bd9a-98d5580bb8a2

Tenant root

princ_root_reality_gap_demo_44962d9b-25f5-5622-bd9a-98d5580bb8a2

Replay state_id

be6074479ff9c19cf646fd4791af77fd6286fc424c70858df1189a061a2376b7

Replay T (ms)

1790000000000

Binder Tabs · click to drill in

Show decision lineage

What happened, in causal order

Tab 3

Show responsibility chain

Responsibility ≠ Liability

Tab 4

Show asset lineage

Asset ≠ Responsibility

Tab 5

Show model influence

Influence ≠ Causation

Tab 6

Reproduce decision

Reproducibility ≠ Justification

Export evidence package

Institutional Memory ≠ Legal Truth

Tab 9 · Phase C

Review findings

What the evidence demonstrates

Tab 10 · Phase C

If H33 disappears mid-review

Package still verifies. Without us.

Tab 11 · Showcase

Ask The Evidence

Natural-language queries over signed evidence

Three Confidence Scores · honest, not aspirational

Reconstruction Confidence

65 / 100

Verification Confidence

Pre-L9.1 EvidenceNot Applicable for this case

Reproducibility Confidence

0 / 100

About this case

This investigation reconstructs four classes of reality gap on the gap-demo tenant — divergences between the policy chain and recorded reality. Authority graph + policy chain at replay T disagree across Shadow Authority, Undocumented Delegation, Policy Bypass, and Responsibility Drift. The case asks one question: what changed without authorization? It does not assert intent. It does not assert liability. It surfaces structural disagreements that an auditor or CISO would want to investigate next, with the canonical events that demonstrate each one.

Tab 1 · Verify evidence

Verify the evidence — independently, without H33

Replay at target T produces state_id be6074479ff9c19cf646fd4791af77fd6286fc424c70858df1189a061a2376b7 byte-identically. Confirm by running the verifier binary against the exported package (see Tab 8).

state_id at T	be6074479ff9c19cf646fd4791af77fd6286fc424c70858df1189a061a2376b7
Replay verdict	Valid
Replay confidence	65 / 100
Verification confidence	Pre-L9.1 Evidence · Not Applicable for this case

Verified ≠ True.Verification proves integrity. Not correctness.

Tab 2 · Show decision lineage

Decision lineage — what happened, in causal order

       1780000000400  decision_bypass_001
      actor:      princ_alice_treasury
      capability: approve_transfer
      outcome:    approved
      policy:     pol_NONEXISTENT_alpha:1
      model:      model_demo_v1:1
      parents:    []

       1780000000410  decision_bypass_002
      actor:      princ_bob_underwriter
      capability: approve_credit
      outcome:    approved
      policy:     pol_NONEXISTENT_beta:1
      model:      model_demo_v1:1
      parents:    []

       1780000000500  decision_drift_001
      actor:      princ_alice_treasury
      capability: approve_transfer
      outcome:    approved
      policy:     pol_demo_treasury:1
      model:      model_demo_v1:1
      parents:    []

       1780000000510  decision_drift_002
      actor:      princ_bob_underwriter
      capability: approve_credit
      outcome:    approved
      policy:     pol_demo_underwriting:1
      model:      model_demo_v1:1
      parents:    []

       1780000000520  decision_drift_003
      actor:      princ_alice_treasury
      capability: approve_transfer
      outcome:    approved
      policy:     pol_demo_treasury:1
      model:      model_demo_v1:1
      parents:    []

Lineage shows what happened, not whether it was right.

Tab 3 · Show responsibility chain

Responsibility chain — bound at decision time

Chain on the primary decision (—):

primary_decision_id not specified in the descriptor.

Responsibility ≠ Liability.Naming a principal in the chain establishes a structural role at decision time; liability is a court / regulator determination.

Tab 4 · Show asset lineage

Asset lineage — Asset → Decisions → Loss → Claim

asset_id not specified in this case descriptor.

Asset ≠ Responsibility.The walk shows what touched the asset. Ownership is a legal status; responsibility is structural fact.

Tab 5 · Show model influence

Model influence — why the model produced the score it produced

primary_decision_id not specified.

Influence ≠ Causation.The chain establishes that the model's score depended on these features; it does NOT establish that those were the right features or that the threshold was fair.

Tab 6 · Reproduce decision

Reproduce decision — measured confidence, not aspirational

Reproducibility confidence: 0 / 100. Five components × 20 points each. See #167 Decision Reproducibility for the rubric.

Reproducibility ≠ Justification.The chain runs again the same way. That's not the same as saying it should have.

Tab 7 · Show reality gaps

Reality gaps — what changed without authorization?

12 gaps detected

3 Shadow Authority
4 Undocumented Delegation
2 Policy Bypass
3 Responsibility Drift

Policy ≠ Reality.The report names structural disagreements between policy and recorded reality. It does NOT name fault, intent, or correctness.

Tab 8 · Export evidence package

Export the evidence package — and verify it without H33

The evidence package bundles the canonical event log, the case summary, and a verification runbook. No H33 access required at any step.

events.json	The signed canonical AuthEvent log for this tenant
manifest.json	tenant_id · tenant_root · target T · expected state_id · expected verdict
public_keys.json	Per-principal PQ public-key bundles (L9.1; empty for pre-L9.1 cases)
signatures.json	Per-event full PQ signature archive (L9.1; empty for pre-L9.1 cases)
case_summary.json	Three-confidence scores at export time + case metadata
verifier_runbook.md	Step-by-step runbook for independent verification

How to verify independently (regulator runbook)

Download the evidence package (button below).
Build the verifier: cargo build --release --bin h33-independent-canonical-replay from the open-source scif-backend repo.

Extract the tarball, then run:

h33-independent-canonical-replay \
    --events-file events.json \
    --manifest-file manifest.json \
    --verbose

Confirm the binary's reported state_id matches be6074479ff9c19cf646fd4791af77fd6286fc424c70858df1189a061a2376b7.
For cases under L9.1, add --public-keys-file public_keys.json --signatures-file signatures.json --verify-signatures. Pre-L9.1 cases (verification = Not Applicable) skip this step.

⬇ Download submission.tar.gz (8.2 KB) · the canonical Phase C artifact · 8 entries including the embedded evidence_package.tar.gz

⬇ Or download evidence-package.tar.gz alone (4.2 KB) — the component, not the full submission

Phase C submission carries 8 entries: case_summary · verification_report · reconstruction_report · lineage_report · responsibility_report · finding_report · evidence_package.tar.gz · verifier_runbook. The submission is what a regulator opens; the evidence package is the substrate it cites.

Institutional Memory ≠ Legal Truth.The package preserves structural memory. Legal truth — verdicts, judgments, damages — remains the courts' determination.

Findings · what the evidence demonstrates

Findings — not raw evidence, the assertions the evidence supports

Regulators investigate FINDINGS — not raw evidence. Each finding below carries a claim, the evidence that supports it, the responsibility chain it implicates, the lineage it walks, and a status (open / investigating / substantiated / dismissed).

finding_reality-gap-001_shadow_authority_detected_3highopen

Shadow Authority Detected detected on tenant tenant_reality_gap_demo_44962d9b-25f5-5622-bd9a-98d5580bb8a2. 3 unauthorized path(s) reconstructed from canonical events at replay T. Authority graph diverges from the policy chain — the activity exists structurally, but no legitimate grant authorizes it.

Evidencereality_gap_report:shadow_authority_detected
unauthorized authority paths = 3

ResponsibilitySupervisor chain missing

LineageAuthority delegation policy violated
authority_graph

finding_reality-gap-001_undocumented_delegation_4highopen

Undocumented Delegation detected on tenant tenant_reality_gap_demo_44962d9b-25f5-5622-bd9a-98d5580bb8a2. 4 unauthorized path(s) reconstructed from canonical events at replay T. Authority graph diverges from the policy chain — the activity exists structurally, but no legitimate grant authorizes it.

Evidencereality_gap_report:undocumented_delegation
undocumented delegation edges = 4

ResponsibilityDelegator authority unestablished

LineageDelegation chain attenuation broken
delegation_graph

finding_reality-gap-001_policy_bypass_2highopen

Policy Bypass detected on tenant tenant_reality_gap_demo_44962d9b-25f5-5622-bd9a-98d5580bb8a2. 2 unauthorized path(s) reconstructed from canonical events at replay T. Authority graph diverges from the policy chain — the activity exists structurally, but no legitimate grant authorizes it.

Evidencereality_gap_report:policy_bypass
decisions taken outside policy = 2

ResponsibilityActor capability not in active_grants at T

LineageCapability outside policy scope
policy_chain

finding_reality-gap-001_responsibility_drift_3highopen

Responsibility Drift detected on tenant tenant_reality_gap_demo_44962d9b-25f5-5622-bd9a-98d5580bb8a2. 3 unauthorized path(s) reconstructed from canonical events at replay T. Authority graph diverges from the policy chain — the activity exists structurally, but no legitimate grant authorizes it.

Evidencereality_gap_report:responsibility_drift
responsibility chains naming unknown principals = 3

ResponsibilityPrincipal in chain not present in tenant graph

LineageResponsibility timestamp predates principal grant
responsibility_chain

Asset ≠ Responsibility. Responsibility ≠ Liability. A finding's status is structural — what the evidence demonstrates — not a legal verdict. Liability is determined by courts and regulators.

Killer demo · the package was already in your possession

What happens if H33 disappears before you finish reviewing?

Imagine: this submission was delivered to your office. You begin review. Mid-review, H33 disappears — vendor failure, dissolution, sanctions, supply-chain compromise, whatever. The reviewing regulator has no live H33 channel, no support phone, no auth endpoint. The package on disk is all that remains.

✓
Package still verifies.
h33-independent-canonical-replay is a standalone binary built from the open-source scif-backend repo. No DB. No SCIF. No network. The reported state_id matches be6074479ff9c19cf646fd4791af77fd6286fc424c70858df1189a061a2376b7 byte-identically.
✓
Responsibility still reconstructs.
responsibility_report.json was derived from canonical events and ships inside submission.tar.gz. The chain at decision time is permanently recoverable.
✓
Lineage still reconstructs.
lineage_report.json walks Decision → Asset → Loss → Claim directly on the events. Reproducible without any vendor surface.
✓
Verdict still reproducible.
finding_report.json carries the claim + evidence_refs + responsibility_refs + lineage_refs. Every reference walks back to a signed canonical event in the embedded package.

Distinct from #12 (vendor dies) and #184 (customer dies) — here the package was already in the regulator's possession when H33 disappeared, and the entire review still completes. The category claim Phase C earns: a regulator can consume H33 evidence without H33.

Tab 11 · Ask The Evidence · showcase

Ask The Evidence — natural-language queries over signed evidence

The search architecture that ties the corpus together: Ask The Evidence → Search Twin → Replay Engine.

ask> Who approved this?

→ Look in responsibility_chain.approving_authority on the primary decision.

ask> Who could have approved this?

→ Filter active_grants at decision T by the required capability.

ask> What policy governed this?

→ Decision.policy_version_ref. Amendments after-the-fact don't apply.

ask> What changed after approval?

→ Walk the event timeline post-decision: PolicyAmend, ModelRegister, Loss, Claim, Consequence, Dissolution.

ask> Who retained responsibility?

→ Decision.responsibility_chain — recorded at decision time, permanently recoverable.

ask> Were there reality gaps?

→ show_reality_gap_report(tenant) returns the four-class breakdown (Shadow Authority / Undocumented Delegation / Policy Bypass / Responsibility Drift).

ask> What evidence survives?

→ The canonical event log. Replayable byte-identically without H33 and without the dissolved firm.

Ask The Evidence is a translator. The verifier is the truth.The LLM never decides authority / responsibility / verification — those come from replay and signed indexes.

Page generated by h33-evidence-case-generator from case_descriptor.json. Reproducible: same descriptor + same database state = same case file.