evidence, status, and gaps

Trust what you can inspect. Record what is still missing.

This page is the current trust inventory for Certiv Core 1.1. It distinguishes published evidence from internal testing, operator responsibilities, and work that has not been independently assessed.

current evidence register

Published

Exact release artifacts

Wheel, exact Git source archive, normalized source distribution, dependency lock, checksums, SBOM, build receipt, and release index.

Inspect release set

Published

Executable self-receipt

Author-local checks for core invariants, with pinned source inputs, exact expectations, duplicate runs, and explicit limits.

Inspect self-receipt

Published

Security model

Local execution warning, fail-closed verifier floor, readiness contract, threat model, and vulnerability reporting channel.

Review security

Tested, not certified

Accessibility status

Semantic and keyboard foundations plus automated release gates; no independent audit, WCAG conformance claim, VPAT, or ACR.

Review accessibility

Not published

Independent security assessment

No third-party penetration-test or independent code-audit report is represented by the current release.

Read the threat model

Not claimed

Compliance attestations

No SOC 2, ISO 27001, FedRAMP, HIPAA, or other organizational compliance certification is claimed.

Read procurement facts

public-site boundary

Certiv.org is not the control plane.

The public deployment serves static pages, schemas, examples, and release files. It does not offer product accounts, uploads, receipt custody, managed execution, billing, or an application database.

If an organization deploys the API or worker, that operator owns authentication, authorization, isolation, keys, logging, privacy, retention, availability, backups, and incident response.

Institutional adoption still requires local diligence.

Review the exact release, threat-model your deployment, validate accessibility with your users, settle governance and legal duties, and commission independent assessment when your risk or procurement process requires it.