01 Purpose
The proofs at /proofs/ are H33's claims. This kit is the means by which a third party — an independent security team, an auditor, a researcher, a security tools vendor — can verify those claims and publish their own attestation. It is structured so the verifier can work entirely with public artifacts for most steps; H33 coordinates direct database access only for the determinism reproductions in Steps 6 and 7.
If the verifier finishes the guide and the values check, the H33 claims are confirmed. If a value fails to check, that is a finding — and we will publish it. Negative findings are part of the kit's purpose.
02 What's in the kit
03 The eight steps (at a glance)
1. Fetch the bundle. Public GET to app.v101.ai. Confirm bundle_id, schema, anchor chain, tx_reference length.
2. Verify the SHA3-256 commitment. Recompute SHA3-256 over the canonical JSON of the IssuedReceipt. Compare to commitment_hex from the bundle.
3. Verify Auth1 published the EdDSA public key. Fetch JWKS from auth.h33.ai/.well-known/jwks.json. Confirm the active kid is present and well-formed.
4. (Optional) Verify a fresh Bearer's signature. Obtain a Bearer via OTP login. Verify the EdDSA signature against the JWKS public key. Confirm claims shape.
5. Decompose the 74-byte H33-74 receipt. Decode 148-hex into 32-byte signing_message + 42-byte CompactReceipt. Confirm version, verified_at_ms, algorithm_flag.
6. Verify Regulator Replay determinism. Run the reconstruction harness against the canonical event log at T = 1780359626000. Expect state_id 96a29047…be4a.
7. Verify Multi-Tenant Isolation. Run the isolation harness. Expect distinct state_ids for tenants A and B, and ProvenanceBroken on the injection attack.
8. Publish your findings. Fill in the attestation template, sign it with your standard mechanism, send to H33, publish on your own surface.
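The offline structural checks behind Steps 2, 3 and 5, as an added example that is not part of H33's kit, guide or harness code. The function names, the canonical-JSON rule (sorted keys, no whitespace, UTF-8) and the signing_message-first byte order are assumptions taken from the step wording; the guide's definitions take precedence where they differ.

```python
import base64, hashlib, json

OKP_KEY_LEN = {"Ed25519": 32, "Ed448": 57}  # raw public-key sizes, RFC 8032

def commitment_matches(issued_receipt: dict, commitment_hex: str) -> bool:
    """Step 2. ASSUMPTION: canonical JSON means sorted keys, no insignificant
    whitespace, UTF-8. Use the guide's canonicalization if it differs."""
    canonical = json.dumps(issued_receipt, sort_keys=True,
                           separators=(",", ":"), ensure_ascii=False)
    digest = hashlib.sha3_256(canonical.encode("utf-8")).hexdigest()
    return digest == commitment_hex.strip().lower()

def find_eddsa_key(jwks: dict, kid: str) -> bytes:
    """Step 3. Return the raw public key for kid; raise ValueError if the
    entry is missing, ambiguous, or not a well-formed EdDSA JWK (RFC 8037)."""
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise ValueError(f"expected one key with kid={kid!r}, found {len(matches)}")
    jwk = matches[0]
    if jwk.get("kty") != "OKP" or jwk.get("crv") not in OKP_KEY_LEN:
        raise ValueError("key is not an OKP key on an EdDSA curve")
    if "d" in jwk:
        raise ValueError("published JWK contains private key material")
    if jwk.get("alg", "EdDSA") != "EdDSA" or jwk.get("use", "sig") != "sig":
        raise ValueError("key is not designated for EdDSA signatures")
    x = jwk.get("x", "")
    raw = base64.urlsafe_b64decode(x + "=" * (-len(x) % 4))
    if len(raw) != OKP_KEY_LEN[jwk["crv"]]:
        raise ValueError("public key length does not match the curve")
    return raw

def split_h33_74(receipt_hex: str) -> tuple[bytes, bytes]:
    """Step 5. Split 148 hex chars into (signing_message, compact_receipt)."""
    raw = bytes.fromhex(receipt_hex)  # ValueError on non-hex; skips whitespace
    if len(receipt_hex) != 148 or len(raw) != 74:
        raise ValueError("H33-74 receipt must be exactly 148 hex characters")
    return raw[:32], raw[32:]

if __name__ == "__main__":
    # Constructed sample values, not real H33 artifacts.
    sample = "11" * 32 + "22" * 42
    msg, compact = split_h33_74(sample)
    print(len(msg), len(compact))
```
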
04 Who this kit is for
Cryptography or security teams that validate vendor claims professionally. In order of fit for the first-proof's specific claims (post-quantum signing, deterministic replay, canonical event log):
- Entrust — PQ-cryptography product organization; will recognize the H33-74 receipt structure and the three-PQ algorithm choice immediately.
- Thales — HSM and key management organization; will recognize the operator hygiene around h33/production/canonical-event-signer.
- Accenture Security — security architecture practice with the bandwidth to do a thorough end-to-end verification within a normal engagement window.
- An independent researcher — a cryptography or distributed-systems researcher with publication standing and no vendor incentive. Particularly useful for verifying the determinism claim (Step 6) and the provenance invariant (Step 7).
- TRM Labs, Cohesity, Sigstore, KPMG Cayman, or others — fit depends on the engagement scope.
We will support any verifier; we will not solicit any specific one. The verifier's independence is the credibility of their attestation.
05 How H33 will support the verification
| Step | H33 provides | Verifier provides |
|---|---|---|
| 1, 2, 3, 5 | Public artifacts (all URLs in artifact-manifest.json) | Time + cryptographic tooling (standard libs) |
| 4 | Coordination of a fresh Bearer via the OTP login flow (or a structural test customer Bearer for full automation) | An email + ~2 min for OTP receipt |
| 6, 7 | Read-only access to canonical_auth_events for the relevant tenants via tunneled connection or one-time export | The scif-backend source at the named SHA + a postgres-capable environment |
| 8 | Publication of the verifier's signed attestation, with attribution, on this page | The signed attestation |
06 What this kit does NOT cover
- Scale validation. The kit verifies the single-decision chain. Scale belongs to Proof #5.
- Failover validation. The kit verifies normal operation. Failover belongs to Proof #6.
- Disaster recovery. The kit verifies live state. DR belongs to Proof #7.
- Source-code audit. The kit verifies that the runtime behavior matches published claims. A source-code audit is a separate engagement.
- Cryptographic strength of the underlying primitives. The kit assumes NIST-standardized algorithms (FIPS 203/204/205, RFC 8032 EdDSA, SHA3) are sound. That's a separate research question.
07 License and authorship
Kit content (this page, the guide, the manifest, the template) released under CC-BY 4.0. Attribution: "Verification kit by H33, Inc., 2026."
Verifier attestations remain the verifier's authorship. H33 will link to attestations with the verifier's identity and methodology. Negative findings are published unchanged. H33 will respond with the fix or the gap; we will not argue.
08 Published verifications
No external verifications have been published yet. When the first verifier completes the kit and publishes a signed attestation, it will be listed here.
Open the guide, work through the steps, sign the attestation, send it to the H33 contact in the manifest. We will respond. We will publish.
Issued by H33, Inc. · Eric Beans, CEO · 2026-06-02
This kit accompanies the published proofs at /proofs/. The proofs are the claim; this kit is the means by which any third party verifies the claim independently.