Exact release artifacts
Wheel, exact Git source archive, normalized source distribution, dependency lock, checksums, SBOM, build receipt, and release index.
evidence, status, and gaps
This page is the current trust inventory for Certiv Core 1.1. It distinguishes published evidence from internal testing, operator responsibilities, and work that has not been independently assessed.
current evidence register
Wheel, exact Git source archive, normalized source distribution, dependency lock, checksums, SBOM, build receipt, and release index.
Author-local checks for core invariants, with pinned source inputs, exact expectations, duplicate runs, and explicit limits.
Local execution warning, fail-closed verifier floor, readiness contract, threat model, and vulnerability reporting channel.
Semantic and keyboard foundations plus automated release gates; no independent audit, WCAG conformance claim, VPAT, or ACR.
No third-party penetration-test or independent code-audit report is represented by the current release.
No SOC 2, ISO 27001, FedRAMP, HIPAA, or other organizational compliance certification is claimed.
public-site boundary
The public deployment serves static pages, schemas, examples, and release files. It does not offer product accounts, uploads, receipt custody, managed execution, billing, or an application database.
If an organization deploys the API or worker, that operator owns authentication, authorization, isolation, keys, logging, privacy, retention, availability, backups, and incident response.
Review the exact release, threat-model your deployment, validate accessibility with your users, settle governance and legal duties, and commission independent assessment when your risk or procurement process requires it.