Two Precision Levels of Verification
Every H33 replay artifact carries a verdict. Two verdict classes are normative: STRUCTURALLY_VALID and FULLY_REPLAYABLE. Each answers a different question, requires a different artifact set, and serves a different audience. Pay for the verification depth your audit actually needs.
Did this replay bundle hold its structural invariants?
The verdict ceiling for a replay bundle alone. Proves the governance graph holds its structural invariants: transcript-version consistency, no orphan parent references, no cycles, no cross-tenant contamination within a lineage, required lineage for state-transition nodes, deterministic graph root, deterministic Merkle root over stored canonical_hash values.
Were the receipts that produced this graph cryptographically authentic?
The verdict ceiling for a replay bundle paired with its receipts archive. Adds two foundational cryptographic checks on top of Level 1: every receipt's canonical_hash recomputes from its canonical fields, and every receipt's three-family post-quantum signature verifies against the public key resolved from its signer_key_id.
When to use which level
| Use case | Required level |
|---|---|
| Continuous CI of replay state | STRUCTURALLY_VALID |
| Internal compliance dashboards | STRUCTURALLY_VALID |
| Regulator first-look or quarterly review | STRUCTURALLY_VALID |
| Public verifier playground (default) | STRUCTURALLY_VALID |
| Regulator full audit | FULLY_REPLAYABLE |
| Post-incident forensics | FULLY_REPLAYABLE |
| Legal discovery | FULLY_REPLAYABLE |
| Public verifier playground (archive attached) | FULLY_REPLAYABLE |
The NOT_PERFORMED contract
A v0.2 bundle without a receipts archive cannot reach FULLY_REPLAYABLE. The verifier surfaces the checks it could not perform with stable reason codes — never silently treats them as passed. Operators read the JSON output and never mistake "absent from violations" for "passed."
What this looks like in the CLI
The verifier's JSON output groups checks into three explicit arrays: checks_passed, checks_failed, and checks_not_performed. An auditor reading the JSON never confuses "absent from violations" for "passed."
"VALID"
{
  "code": "HATS-V-CHECK-001",
  "reason": "REQUIRES_RECEIPT_PAYLOAD",
  "detail": "Bundle format v0.2 stores canonical_hash but not the receipt-level canonical fields required to recompute it. Awaiting paired receipts archive."
}
{
  "code": "HATS-V-CHECK-007",
  "reason": "REQUIRES_RECEIPT_PAYLOAD",
  "detail": "Bundle format v0.2 stores signer_key_id but not the signature bytes; verify_signature() cannot be called. Awaiting paired receipts archive."
}
The same bundle paired with its receipts archive elevates the verdict ceiling and clears those two skipped checks.
"FULLY_REPLAYABLE"
Backward compatibility
Existing h33-replay-bundle-v0.2 bundles remain fully usable for Level 1 verification. No producer needs to upgrade. Customers that want Level 2 verdicts attach a paired h33-receipts-archive-v0.1 file alongside the existing bundle. The bundle format itself does not change.
Verifiers MUST refuse to elevate a v0.2 bundle to FULLY_REPLAYABLE in the absence of a paired archive, regardless of caller intent. The verdict ceiling is governed by the artifacts presented, not by the requester.
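A consumer-side gate for the NOT_PERFORMED contract and the verdict-ceiling rule above, as an added example that is not H33's own code: it fails closed when any of the three arrays is missing and refuses a Level 2 result while the receipt checks are unperformed. The `verdict` key, the shape of `checks_passed` entries, and the `EXAMPLE-STRUCTURAL-CHECK` code are assumptions, and the sample report is constructed.

```python
import json

LEVELS = {"STRUCTURALLY_VALID": 1, "FULLY_REPLAYABLE": 2}
# The two checks the page says can only run with the receipts archive.
RECEIPT_CHECKS = {"HATS-V-CHECK-001", "HATS-V-CHECK-007"}
ARRAYS = ("checks_passed", "checks_failed", "checks_not_performed")


def codes(entries):
    """Collect check codes from {"code": ...} objects or bare strings (assumed shapes)."""
    return {str(e.get("code", "?")) if isinstance(e, dict) else str(e) for e in entries}


def gate(report, required):
    """Return (ok, problems) for a verifier report against a required verdict class."""
    problems = [f"missing array: {n}" for n in ARRAYS if not isinstance(report.get(n), list)]
    if problems:
        return False, problems  # fail closed: never infer a pass from absence
    passed, failed, skipped = (codes(report[n]) for n in ARRAYS)
    if failed:
        problems.append(f"failed: {sorted(failed)}")
    verdict = report.get("verdict")  # assumed key name for the verdict class
    claimed = LEVELS.get(verdict, 0) if isinstance(verdict, str) else 0
    if claimed < LEVELS[required]:
        problems.append(f"verdict {verdict!r} is below {required}")
    # A claimed Level 2 verdict is held to Level 2 evidence even if Level 1 was asked for.
    if required == "FULLY_REPLAYABLE" or claimed == 2:
        if skipped:
            problems.append(f"not performed: {sorted(skipped)}")
        missing = RECEIPT_CHECKS - passed
        if missing:
            problems.append(f"not in checks_passed: {sorted(missing)}")
    return not problems, problems


# Constructed report for a v0.2 bundle presented without its receipts archive.
BUNDLE_ONLY = json.loads("""{
  "verdict": "STRUCTURALLY_VALID",
  "checks_passed": [{"code": "EXAMPLE-STRUCTURAL-CHECK"}],
  "checks_failed": [],
  "checks_not_performed": [
    {"code": "HATS-V-CHECK-001", "reason": "REQUIRES_RECEIPT_PAYLOAD"},
    {"code": "HATS-V-CHECK-007", "reason": "REQUIRES_RECEIPT_PAYLOAD"}
  ]
}""")

if __name__ == "__main__":
    for level in LEVELS:
        print(level, gate(BUNDLE_ONLY, level))
```

The gate passes the bundle-only report at STRUCTURALLY_VALID and rejects it at FULLY_REPLAYABLE with one problem per unmet condition, so a CI job or audit pipeline can pin the level it requires.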
Closing
Two verdict classes. One open-source verifier. The precision matches the audit.