Receipt and execution integrity
Evidence. Strict v2 schemas, canonical digests, exact input and tree hashes, two isolated workspace copies, bounded output, and fail-closed comparisons are covered by adversarial tests.
Limit. A pass records observed execution. It cannot establish truth, provenance, method validity, novelty, safety, or interpretation.
Path and state safety
Evidence. Supported manifest, receipt, registry, evidence, backup, and release paths refuse traversal, links, special files, ambiguous names, unsafe growth, and overwrite races.
Limit. These controls do not sandbox arbitrary author commands or prove the host operating system trustworthy.
Ledger and signatures
Evidence. CAS objects, canonical serialized appends, hash links, atomic deduplication, and bounded self-hashed checkpoints are verified. The API signs its current head response.
Limit. The persisted checkpoint is not signed or immutable. Rewrite detection requires an independently retained head or checkpoint.
Verifier isolation floor
Evidence. The worker refuses execution without a preloaded digest-pinned image and an approved runtime; no host-process fallback exists.
Limit. The operator must prove the actual runtime and host controls. This is risk reduction, not a complete hostile-code security proof.
Recovery
Evidence. Backup and restore bind CAS, ledger, checkpoint, external head, and node identity while rebuilding disposable projections.
Limit. Encryption, key custody, retention, RPO, and RTO remain deployment-specific operator duties.
Brand and package identity
Evidence. Certiv is the owner-authorized project brand. Release metadata enforces the distribution name certiv-receipts.
Limit. The software makes no representation about trademark application, allowance, registration, clearance, or enforceability. The bare certiv PyPI namespace is separate.