Cryptographic Signatures

Source: docs/cryptographic-signatures.md

Commitment Radar uses hashes to make interpretations replayable and auditable. These hashes do not assert truth or correctness. They assert integrity and repeatability under a fixed lens and ruleset.

Artifact hash

  • artifact_hash = sha256(raw artifact_text bytes)
  • No normalization is applied.
  • Used to tie interpretation results to the exact text observed.

Signature hash

The runtime computes a signature hash over:

  • artifact_hash
  • artifact_type
  • lens_id + lens_version
  • ruleset_id + ruleset_version

Replay uses this signature to retrieve identical assumption records.

Producer hash

If producer metadata is provided, it is canonicalized and hashed to produce producer_hash. Producer metadata never influences interpretation.

Declared provenance (optional HMAC)

For enterprise integrations, declared producer metadata can be signed with HMAC:

  • Signature is computed over canonical JSON
  • Valid signatures upgrade trust_level to verified
  • Trust level never changes interpretation behavior
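
The four values described above (artifact hash, signature hash, producer hash, and the optional HMAC check) can be sketched as follows. This is an added example, not Commitment Radar's own code. It assumes SHA-256 for the signature and producer hashes, HMAC-SHA256, sorted-key compact JSON as the canonical form, and "declared" as the name of the unverified trust level; none of these are specified on this page.

```python
import hashlib
import hmac
import json


def canonical_json(obj) -> bytes:
    # Assumed canonical form: sorted keys, no insignificant whitespace, UTF-8.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def artifact_hash(artifact_text: bytes) -> str:
    # Raw bytes, no normalization: any byte-level change yields a new hash.
    return hashlib.sha256(artifact_text).hexdigest()


def signature_hash(art_hash, artifact_type, lens_id, lens_version,
                   ruleset_id, ruleset_version) -> str:
    # Hashing a keyed canonical object (not concatenated strings) keeps
    # field boundaries unambiguous: ("ab", "c") never collides with ("a", "bc").
    fields = {
        "artifact_hash": art_hash, "artifact_type": artifact_type,
        "lens_id": lens_id, "lens_version": lens_version,
        "ruleset_id": ruleset_id, "ruleset_version": ruleset_version,
    }
    return hashlib.sha256(canonical_json(fields)).hexdigest()


def producer_hash(producer: dict) -> str:
    # Canonicalize first so key order in the submitted metadata is irrelevant.
    return hashlib.sha256(canonical_json(producer)).hexdigest()


def trust_level(producer: dict, signature_hex, key: bytes) -> str:
    # "declared" is an assumed name for the unverified level.
    if signature_hex is None:
        return "declared"
    expected = hmac.new(key, canonical_json(producer), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    ok = hmac.compare_digest(expected.encode(), signature_hex.encode())
    return "verified" if ok else "declared"


# Constructed sample values, for illustration only.
KEY = b"constructed-demo-key"
PRODUCER = {"system": "crm-export", "tenant": "acme"}
GOOD_SIG = hmac.new(KEY, canonical_json(PRODUCER), hashlib.sha256).hexdigest()
```

The signature hash takes no producer or trust argument, which is what keeps replay lookups independent of provenance claims.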