This page can prove itself.
Every deploy of this site publishes receipt.json: a
manifest of every file, hashed with SHA-256, signed with Ed25519. Your
browser can check the signature and the files. No server trust required.
Spot-check a file
Pick any file from the manifest. Your browser fetches it from this origin, hashes it with SHA-256 and compares the result against the signed manifest.
Method
How verification works.
- The build walks the output directory and records the path, size and SHA-256 hash of every file into a manifest.
- The manifest is serialised canonically (recursively sorted keys, no whitespace) and signed with an Ed25519 private key that exists only as a deployment secret.
- The receipt — manifest, public key, signature — is published next to the site as receipt.json.
- You verify: the signature against the canonical manifest bytes, and any file by re-hashing what this origin actually serves. Edit a file and its hash no longer matches. Without the key, nobody can re-sign the altered manifest.
Scope, stated honestly: this proves the files you receive are exactly what the key holder built and signed. Binding that key to a person is a separate problem — that is what pinning the key in the site source and publishing it out-of-band are for.
```sh
# verify from your own machine, against production
git clone https://github.com/chrisconen/dev && cd dev
npm install
npm run verify -- https://chrisconen.dev --deep
```
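The four steps above as an added Node.js example; it is not the site's own build or verify code. The receipt field names (`files`, `path`, `size`, `sha256`, `publicKey`, `signature`), the sample files and the throwaway key pair are assumptions constructed for the demo.

```javascript
// Added example: field names (files, path, size, sha256) are assumptions, not the site's schema.
const { createHash, generateKeyPairSync, sign, verify } = require("node:crypto");

// Canonical form as the page describes it: recursively sorted keys, no whitespace.
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

const sha256Hex = (bytes) => createHash("sha256").update(bytes).digest("hex");

// Build step: record path, size and SHA-256 of every file, then sign the canonical bytes.
function buildReceipt(files, privateKey, publicKey) {
  const manifest = {
    files: Object.keys(files).sort().map((path) => ({
      path, size: files[path].length, sha256: sha256Hex(files[path]),
    })),
  };
  const signature = sign(null, Buffer.from(canonicalize(manifest)), privateKey);
  return {
    manifest,
    publicKey: publicKey.export({ type: "spki", format: "pem" }),
    signature: signature.toString("base64"),
  };
}

// Verifier step 1: signature over the canonical manifest bytes, checked against a pinned key.
function verifySignature(receipt, pinnedPublicKeyPem) {
  return verify(null, Buffer.from(canonicalize(receipt.manifest)),
    pinnedPublicKeyPem, Buffer.from(receipt.signature, "base64"));
}

// Verifier step 2: re-hash the bytes actually served and compare to the signed entry.
function verifyFile(receipt, path, servedBytes) {
  const entry = receipt.manifest.files.find((f) => f.path === path);
  return Boolean(entry) && entry.size === servedBytes.length
    && entry.sha256 === sha256Hex(servedBytes);
}

// Constructed sample site and a throwaway key pair generated for this demo only.
const { publicKey, privateKey } = generateKeyPairSync("ed25519");
const site = { "index.html": Buffer.from("<h1>hello</h1>"), "app.js": Buffer.from("console.log(1)") };
const receipt = buildReceipt(site, privateKey, publicKey);
const pinnedKey = receipt.publicKey; // in practice pinned out-of-band, not read from the receipt
```

Checking the signature against the key embedded in the receipt only shows the receipt is self-consistent, which is why `verifySignature` takes the pinned key as a separate argument.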
Context
The same primitive, pointed at agents.
A build pipeline is just a very boring agent: it acts, it produces artefacts, and you want a record that holds up. AXR applies this exact receipt — canonical record, SHA-256, Ed25519 — to AI agent actions, where the stakes and the regulatory pressure are considerably higher.