# Production Readiness Report v1.0 (Final)

**Subject:** First anchored V101 Content Bundle for `princ_customer_9`
**Date:** 2026-06-02
**Determination:** PROVEN IN OPERATION (scope: one customer, one bundle)
**Version:** 1.0 — Final (frozen)

---

## Strict wording

The H33-CANONICAL-AUTH-v1 chain is **proven in operation for one customer, one bundle.** It is **not** "shipped," **not** "production-ready at scale," **not** "deployed for all customers." The first operational proof exists. Every next customer and every next surface re-earns the same yardstick.

---

## Three claims (the 10-second read)

1. **Identity can be mapped to authority.**
2. **Authority can be replayed from canonical history.**
3. **Evidence can be independently reconstructed.**

---

## Evidence appendix

| Field | Value |
|---|---|
| **Bundle ID** | `d9adcfb0-e0bc-426b-8725-fc12d555692b` |
| **Creator UUID** | `44962d9b-25f5-5622-bd9a-98d5580bb8a2` |
| **Authority ID** | `auth_44962d9b-25f5-5622-bd9a-98d5580bb8a2_v101_export` |
| **Policy ID** | `pol_v101_exporter_v1` |
| **Commitment (SHA3-256, 64 hex)** | `ff770fc838fde707d91f35248946d6928b0a3a999dbd28a2906ce4f0274745e7` |
| **tx_reference (148 hex)** | `ff770fc838fde707d91f35248946d6928b0a3a999dbd28a2906ce4f0274745e7016fb294cb7ddf8073700a2cd13531a352da28068b4921c05839b82b8633547fdd0000019e85bb875107` |
| **Anchor chain** | `h33-substrate-v1` |
| **Authority principal** | `princ_customer_9` |
| **Audience** | `substrate-receipts` |
| **Source JWT jti** | `jti-1780359511-cf79e5f189cb41fd` |
| **Issued at (ms)** | `1780359626000` |
| **Submitted at (ms)** | `1780360120145` |
| **Receipt status** | `anchored` |
| **Bundle retrievable at** | `GET https://app.v101.ai/v101/bundle/d9adcfb0-e0bc-426b-8725-fc12d555692b` |

---

## Deployment commit SHAs

### Auth1 (auth.h33.ai)

| Component | SHA | Subject |
|---|---|---|
| Auth1 deployed | **`2f49d0a`** | Merge MR !3: Auth1 Phase 2 — `POST /api/auth/canonical/token` issuance endpoint |
| Auth1 prior | `489e8a8` | Merge MR !2: Auth1 Phase 1 — asymmetric (EdDSA) signing + JWKS endpoint |

Deployed via systemd `cachee-auth` on `i-0f64d17ee49b88a6f`. Binary built 2026-06-01 02:21 UTC, active since 2026-06-01 20:11 UTC. JWKS live at `https://auth.h33.ai/.well-known/jwks.json` with active kid `kid-eddsa-prod-active-2026-06-01-d31134fbc177`.

### H33 (api.h33.ai, scif-backend)

| Component | SHA | Subject |
|---|---|---|
| H33 deployed | **`99756176c`** | fix(canonical-auth): background JWKS refresh in build_production_validator |
| | `ea0f4e9dc` | fix(canonical-auth): block_in_place in PostgresEventLogSource::events_for |
| | `403f511c5` | chore(canonical-auth): log message backend-agnostic |
| | `1334525d3` | refactor(canonical-auth): H33SubstrateAnchorSink — SK accessors removed, env vars renamed |
| | `16f050f42` | feat(canonical-auth): H33SubstrateAnchorSink — chain-agnostic first-proof anchor |
| | `5ef818235` | feat(canonical-auth): wire production V101BundleIssueState in server.rs |
| | `fa90a9271` | feat(canonical-auth): `h33-sign-canonical-event` CLI + signing module |
| | `76d9fc554` | Merge MR !25 — Postgres canonical_auth_events + EventLogSource + seed CLI |
| | `1f5c27469` | Merge MR !24 — canonical-auth route mount + auth-before-body |
| | `a5d61a696` | Merge MR !22 — canonical-auth public-path exemption |
| | `f5f824484` | Merge MR !21 — production wiring (BearerValidator + PolygonZkEvmAnchorSink) |
| | `8280f2e8a` | Merge MR !20 — V101 Content Bundle export endpoint |
| | `ac8273918` | Merge MR !19 — `issue_and_anchor_receipt` wrapper + AnchorSink trait |
| | `e767d0c9e` | Merge MR !18 — JWKS validator + Postgres ApiKeyStore |
| | `59e55cdfd` | Merge MR !17 — `issue_receipt` entry point + API-key exchange |
| | `6b40719f8` | Merge MR !16 — Bearer middleware + principal mapping + replay enforcement |

Deployed image: `h33-rust:canonical-auth-99756176` on `i-099b8356ab956a480`, behind nginx, port 8080. Anchor backend: `h33-substrate-v1`. All six `H33_SUBSTRATE_*_B64` env vars populated from AWS Secrets Manager `h33/production/canonical-event-signer`.

### V101 (app.v101.ai)

| Component | SHA | Subject |
|---|---|---|
| V101 deployed | **`68034b1`** | V101 Content Bundle endpoint with `CANONICAL_AUTH_REQUIRED=true`, `ANCHOR_HOST=https://api.h33.ai` |

---

## Known limitations (final, v1.0)

These are the constraints under which v1.0 was earned. They are not flaws — they are the explicit boundary of what this proof claims.

1. **Single customer.** Only `princ_customer_9` (eb@h33.ai, customer_id=9) was used. The chain is not yet proven for any other principal.
2. **Single bundle.** Bundle `d9adcfb0-e0bc-426b-8725-fc12d555692b` is the only artifact produced through the full chain. Volume behavior is not yet observed.
3. **No scale validation.** No load testing, no concurrency testing, no throughput claims. Single-request demonstration.
4. **No failover validation.** No disaster recovery drill. No cross-region failover. No database-failover test. No JWKS-source-unreachable test. Recovery characteristics are not yet measured.
5. **`source_jti` replay behavior observed.** The same Bearer (jti `jti-1780359511-cf79e5f189cb41fd`) produced two receipts in this proof cycle — once from the H33-side smoke test, once from the V101-side bundle issuance. The receipts have distinct `commitment_hex`, distinct `submitted_at_ms`, distinct `tx_reference` values, but the same `source_jti`. **Pending policy decision:** declare idempotent OR enforce single-use at the receipt-issuance layer. Surfaced visibly in `receipt.source_jti` so any consumer can detect it.

---

## Execution path (every arrow real, no synthetic step)

```
Real customer (eb@h33.ai, customer_id=9)
  → Auth1 OTP login → legacy HS256 session
  → POST /api/auth/canonical/token → real EdDSA Bearer
     kid=kid-eddsa-prod-active-2026-06-01-d31134fbc177
     sub=princ_customer_9
     iss=https://auth.h33.ai
     aud=substrate-receipts
  → V101 POST /v101/bundle (Authorization: Bearer)
  → V101 → POST https://api.h33.ai/api/v1/h33-auth/v101-bundle-issue
  → JwksValidator verifies signature against deployed JWKS
  → map_subject extracts princ_customer_9
  → require_capability runs replay_until(now) against canonical_auth_events
  → Active grant resolved: auth_44962d9b-…_v101_export
  → pctl_* lookup: pol_v101_exporter_v1 grants export_content_bundle
  → issue_receipt builds IssuedReceipt
  → H33SubstrateAnchorSink.submit → 74-byte H33-74 receipt over commitment
       chain = "h33-substrate-v1"
       tx_reference = 148-hex (commitment ‖ CompactReceipt)
  → AnchoredReceipt returned to V101
  → V101 embeds in manifest.h33_74_receipt → persists to Netlify Blobs
  → V101 returns bundle d9adcfb0-e0bc-426b-8725-fc12d555692b
```

---

## Independent reconstruction inputs

A third party with only the following can verify the proof without H33's help:

- **JWKS:** `https://auth.h33.ai/.well-known/jwks.json` — verifies the Bearer that triggered the chain.
- **Standards reference:** `https://h33.ai/standards/` — defines the H33-CANONICAL-AUTH-v1 chain, the H33-74 receipt format, the substrate signing algorithms.
- **Bundle:** `GET https://app.v101.ai/v101/bundle/d9adcfb0-e0bc-426b-8725-fc12d555692b` — returns the AnchoredReceipt with the same fields shown here.
- **Substrate public keys:** the three PQ public keys (ML-DSA-65, FALCON-512, SLH-DSA-SHA2-128f) are published in the operator's secret store (`h33/production/canonical-event-signer`, fields `dilithium_pk_b64`, `falcon_pk_b64`, `sphincs_pk_b64`). Independent verifiers receive these via the H33 verifier release.
- **This report:** [REPORT.md](REPORT.md) — Markdown source. [report.pdf](report.pdf) — frozen PDF artifact.
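
A consumer-side consistency check over the receipt fields, added here as an example and not H33's verifier: it checks the hex lengths from the evidence appendix, that `tx_reference` begins with the commitment (the `commitment ‖ CompactReceipt` layout in the execution path), and flags any `source_jti` that backs more than one commitment (limitation 5). The dict layout and function names are assumptions, the second receipt is constructed because the report does not list the smoke-test receipt's values, and no signature is verified.

```python
import re
from collections import defaultdict

HEX = re.compile(r"[0-9a-f]+")  # lowercase, as rendered in this report (assumption)

def check_receipt(r):
    """Return structural problems for one receipt; an empty list means consistent."""
    problems = []
    c, tx = r["commitment_hex"], r["tx_reference"]
    if len(c) != 64 or not HEX.fullmatch(c):
        problems.append("commitment_hex is not 64 lowercase hex characters")
    if len(tx) != 148 or not HEX.fullmatch(tx):
        problems.append("tx_reference is not 148 lowercase hex characters")
    elif not tx.startswith(c):
        problems.append("tx_reference does not start with commitment_hex")
    if r["chain"] != "h33-substrate-v1":
        problems.append("unexpected anchor chain")
    return problems

def reused_jtis(receipts):
    """Map each source_jti that backs more than one commitment to those commitments."""
    seen = defaultdict(set)
    for r in receipts:
        seen[r["source_jti"]].add(r["commitment_hex"])
    return {jti: sorted(cs) for jti, cs in seen.items() if len(cs) > 1}

# Values copied from the evidence appendix of this report.
REPORTED = {
    "commitment_hex":
        "ff770fc838fde707d91f35248946d6928b0a3a999dbd28a2906ce4f0274745e7",
    "tx_reference": (
        "ff770fc838fde707d91f35248946d6928b0a3a999dbd28a2906ce4f0274745e7"
        "016fb294cb7ddf8073700a2cd13531a352da28068b4921c05839b82b8633547f"
        "dd0000019e85bb875107"),
    "chain": "h33-substrate-v1",
    "source_jti": "jti-1780359511-cf79e5f189cb41fd",
    "submitted_at_ms": 1780360120145,
}
# Constructed stand-in for the smoke-test receipt; only source_jti is from the report.
SMOKE = dict(REPORTED, commitment_hex="ab" * 32,
             tx_reference="ab" * 32 + "00" * 42, submitted_at_ms=1780359700000)

if __name__ == "__main__":
    for name, r in (("reported", REPORTED), ("constructed", SMOKE)):
        print(name, check_receipt(r) or "consistent")
    print("reused source_jti:", reused_jtis([REPORTED, SMOKE]))
```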

---

## Readiness determination

> **H33-CANONICAL-AUTH-v1: PROVEN IN OPERATION for one customer, one bundle.**

What this proof unlocks: distribution. Conversations with prospects, auditors, insurers, and regulators can now move from "we are building this" to "we ran this; here is the artifact." The framework is reusable: every next customer milestone follows the same nine-section proof format at `/proofs/<proof-id>/`.

What this proof does NOT unlock: any claim of scale, of multi-tenant production readiness, of disaster-recovery readiness, or of any non-V101 surface being operational. Each requires its own proof, earned by the same yardstick.

---

## Version

| Field | Value |
|---|---|
| Report version | **v1.0 (Final)** |
| Frozen | 2026-06-02 |
| Supersedes | None |
| Superseded by | None |

Future operational proofs are published at `/proofs/<proof-id>/` using the structure defined in [`/proofs/proof-template/`](/proofs/proof-template/). This v1.0 is the reference implementation of that structure.

---

*Issued by H33, Inc. — Eric Beans, CEO. Independently reconstructable from the public artifacts listed above.*
