The missing provenance layer for AI-assisted code · Open source · Apache 2.0

AIIR — AI Integrity Receipts

Name: AIIR
Author: Invariant Systems

Your team uses AI to write code. In six months, an auditor, a customer, or a regulator will ask: which commits involved AI, and can you prove the disclosure wasn't changed after the fact? AIIR generates tamper-evident receipts for every AI-assisted commit — deterministic, locally verifiable, no account required.

Install AIIR → Open Demo →

pip install aiir
aiir --pretty
aiir --verify .aiir/receipts.jsonl

Latest: v1.3.0 · Python 3.9+ ·

Receipts are deterministic: the same commit metadata produces the same receipt.

Verification does not require trusting AIIR or a hosted service. Receipts are plain JSON you can check locally, in CI, or offline.

AIIR does not attempt to prove hidden AI usage. It makes declared AI involvement verifiable and tamper-evident, and can optionally enrich that record with signals.

Dogfooded in public: this repo receipts itself on every push to main. Follow ongoing work in the release log or changelog.

Generate → Verify anywhere → Add CI when needed

1 Generate a deterministic receipt

$ aiir --pretty
┌─ Receipt: g1-a3f8b2c1d4e5...
│  Commit:  c4dec85630
│  AI:      YES (copilot)
│  Hash:    sha256:7f3a8b...
└──────────────────────────────

2 Verify independently

$ aiir --verify .aiir/receipts.jsonl
✅ Receipt g1-a3f8b2c1... VALID
   Hash matches. 0 tampering detected.
   Receipt core is intact.

3 Add CI signing when you need it

# .github/workflows/aiir.yml
- uses: invariant-systems-ai/aiir@a54fe440a2be18fe51ad30149f1bbab944d578e5 # v1
  with:
    output-dir: .receipts/
# → signed receipts uploaded as artifacts

Try the browser verifier → — paste any JSON receipt, verification runs client-side. No upload. No account.

What AIIR Does and Does Not Do

What it does

AIIR records declared AI involvement in a commit and produces a deterministic receipt that can be verified locally, in CI, in the browser, or offline.

What it does not do

AIIR does not attempt to prove hidden AI usage. Detection signals are optional enrichment, not the authoritative source of truth.

How it works

Declare AI involvement

Use commit trailers, bot metadata, or editor and assistant workflows that carry AI context into commit metadata.

AIIR generates a deterministic receipt

AIIR records the declared AI context and creates a content-addressed receipt for the commit with stable hashes and receipt IDs.

Verify anywhere

Verify locally in the CLI, in the browser, or later in CI. Change any core field and the receipt breaks. No central service is required to check it.

Why not just commit trailers or git notes?

You could record AI involvement with Co-authored-by trailers, git notes, or ADRs — and AIIR is compatible with that mindset. The difference:

Structured, machine-verifiable — receipts have a deterministic content hash. Change one byte and verification fails.
Consistent across surfaces — the same format works in CLI, editor, CI, and AI assistants instead of ad-hoc free text.
Optional signing — add Sigstore signatures in CI for cryptographic non-repudiation when you need stronger evidence.

Trailers and notes are the baseline. AIIR makes that baseline verifiable.

A real receipt

This is a sample receipt. Real receipts are deterministic for the same commit metadata; the page rotates demo values for presentation only.

┌─ Receipt: g1-a3f8b2c1d4e5f6a7...
│  Commit:  c4dec8563023
│  Subject: feat: add auth middleware
│  Author:  Jane Dev <jane@example.com>
│  Files:   4 changed
│  AI:      YES (message_match:co-authored-by: copilot)
│  Hash:    sha256:7f3a8b...
│  Time:    2026-03-07T09:48:59Z
│  Signed:  optional (CI / release)
└──────────────────────────────────────────

Who it's for

💻

Developers

pip install aiir — generate and verify declared AI provenance per commit in one repository. Takes 30 seconds. Works offline. No account required.

Quick start →

🔒

Security & Release Owners

Tamper-evident commit proof with SHA-256 hashing, optional Sigstore signing, and structured JSONL output for release checks, incident review, and durable audit trails.

Security posture →

🏢

Teams & CI

GitHub Action and GitLab CI for automated receipts on every push. Keep receipts in your repo or artifact store, export JSONL for your own tooling, and add policy gates without sending code to a third-party service.

See integrations →

One Kernel, Multiple Trust Layers

Everything in AIIR hangs off one core: receipts plus verification. Assurance features and integrations sit around the same receipt format instead of redefining the product.

Kernel

Receipts + verification

The product identity: deterministic proof for declared AI involvement

Deterministic receipt generation
Canonical JSON + SHA-256 hashing
Stable receipt IDs
Independent local and offline verification
Append-only JSONL ledger
Deterministic CBOR envelope (RFC 8949)

Install AIIR →

Assurance

Trust amplifiers

Optional when you need stronger release or policy evidence

Sigstore keyless signing in CI
Policy presets for stricter gates
Release verification + VSA emission
Published release-evidence verification
GitHub Action + GitLab CI templates

See assurance →

Adapters

Surfaces around the kernel

Multiple ways to emit and verify the same receipt format

CLI + VS Code extension
GitHub Action + GitLab CI
MCP server + local automation
Browser verifier for shareable proof checks
Optional signal enrichment

See integrations →

Detection is enrichment, not proof of hidden AI usage. The kernel remains the same: declared AI involvement, recorded as a deterministic receipt and verified independently.

Fits Into the Supply-Chain Tools You Already Use

AIIR is not pitched as a replacement for your attestation, provenance, or policy stack. The practical move is narrower: emit an AIIR receipt at the source boundary, then carry it into the systems you already trust to orchestrate, query, and enforce evidence.

Witness-style attestors

Emit an AIIR receipt as one more verifiable artifact in an existing attestation pipeline.

Witness attestor note →

GUAC-style provenance graphs

Make AIIR receipts queryable as source provenance metadata without redefining the graph model.

GUAC ingestor note →

Policy engines and protected paths

Require a valid AIIR receipt only where repository policy says declared AI involvement needs proof.

In-toto policy input note →

Start with the full adapter lane at /ecosystem. It links the implementation notes, the public spec, the predicate reference, and the verifier into one public story.

Built for trust

Numbers you can verify. Every stat maps to a public CI run or an open-source file you can audit.

Dependencies

2214

Tests passing

100%

Coverage (stmt + branch)

Public checks on main push

Last reviewed: 2026-03-31 · Release Health → · Live dashboard →

Zero runtime dependencies — no supply chain to compromise. The entire codebase is open and auditable — roughly 9,200 lines of core logic.

Public threat model — full STRIDE/DREAD analysis with concrete mitigations. Read it →

Adversarial testing — every release goes through structured attack rounds: fuzzing, path traversal, homoglyph evasion, TOCTOU races.

41 public checks, 3 required gates — Python 3.9–3.13 on Ubuntu, Windows, macOS. The latest main push fans out across CI, Quality, Security, CodeQL, ClusterFuzzLite, Sync, Scorecard, and receipt automation. Branch protection requires ci-ok, quality-ok, and security-ok before merge.

Reference deployment

AIIR proves AIIR on every push

The main branch is the reference deployment. Every push runs AIIR against AIIR, verifies the archive, backfills deterministic CBOR sidecars when the archive is incomplete, and publishes JSON, CBOR, and Sigstore evidence to the receipts branch.

Self-receipting

If AIIR cannot generate a valid receipt for AIIR, the workflow fails before that claim can ship.

Dual-encoding archive

The public archive keeps JSON and canonical CBOR side by side so downstream verifiers can test both wire formats against the same content hash.

Public evidence

Receipts are pushed to a dedicated branch instead of staying hidden in ephemeral CI artifacts, so anyone can inspect the proof trail.

Dogfood workflow → Receipts branch →

Multiple operator surfaces, one receipt format

Start with the CLI, then add the surface that matches how your team works. Every path emits the same content-addressed receipt.

💻 CLI

pip install aiir — the zero-dependency CLI path. Receipt commits, verify locally, and keep the first workflow simple.

🧩 VS Code Extension

The local-first operator surface for one repo. Record the current commit, inspect receipts, and carry AI tool context directly from the editor. Install from Marketplace →

⚙️ CI/CD

GitHub Action, GitLab component, and templates for the rest. Add repeatable pipeline receipts and optional Sigstore signing when you need stronger release evidence.

🤖 AI assistants via MCP

Let Copilot, Claude, Cursor, Continue, Cline, Windsurf, or another MCP client call the same local AIIR install. Assistant workflow, same receipt format.

See all integrations → including Azure Pipelines, Bitbucket, CircleCI, Jenkins, and policy engines.

Quick start

# CLI — receipt your last commit
pip install aiir
aiir --pretty

# Receipt a whole PR branch
aiir --range origin/main..HEAD --pretty

# Sign receipts with Sigstore
aiir --sign --output .receipts/

# GitHub Action (CI gate — signing on by default)
uses: invariant-systems-ai/aiir@a54fe440a2be18fe51ad30149f1bbab944d578e5 # v1

# GitLab CI/CD component
include:
  - component: gitlab.com/invariant-systems/aiir/receipt@1

Full documentation →

Evidence levels, from declared signals to signed release proof

AIIR is easiest to adopt when teams are explicit about what each workflow proves. Not every repository needs the strongest evidence on day one, but every level should be named honestly.

Declared commit evidence

AIIR normalizes commit trailers, bot authors, and message patterns to record declared AI involvement from existing history.

Active editor context

The VS Code extension records which AI tools were running when a receipt was generated, adding direct editor-side context instead of relying only on commit metadata.

Deterministic editor provenance

When AIIR directly observes edits in the editor, it can attach deterministic file-level provenance instead of a heuristic-only summary.

Sigstore-signed CI evidence

CI receipts can be signed and published with workflow identity plus transparency-log evidence for stronger release and audit workflows.

See Docs → for the full evidence model and Verify → for the separate verification tiers.

Why this matters

AI tools are now part of ordinary development. Copilot, ChatGPT, Claude, Cursor, and others all feed into git commit, but the durable record is still usually thin: a trailer, a bot author, or nothing.

Teams usually start here for practical reasons first: better local provenance, clearer release history, and a repeatable way to verify what was declared. Customer review, internal policy, and regulation including the EU AI Act are part of the backdrop, but they are not the only reason to adopt AIIR.

Sooner or later someone asks: "Which commits involved AI tools, and what can you actually prove from the record?"

AIIR answers that question for every commit with declared AI markers. One command. Zero runtime dependencies. Apache 2.0.

See how AIIR compares to other provenance formats in the landscape overview, or review the conformance guide to build your own verifier.

What AIIR records — and what remains outside scope:

Records: Commits with declared AI markers — Co-authored-by: Copilot, Generated-by: trailers, bot authors like dependabot, and 40+ known AI-tool signals in git metadata.
Does not prove: Silent copy-paste from ChatGPT, Copilot inline completions with no trailer, squash merges that strip markers, or amended commits that remove signals.

Signal enrichment is heuristic. Receipts prove what was declared, not what was silently used. See the threat model.

Standards-readiness

AIIR is a vendor-led open specification on a transparent standards track. We score ourselves weekly across five categories and publish the result here. The goal: a receipt format rigorous enough for IETF, CNCF, or NIST adoption.

Last reviewed: 2026-03-31 · Summary refreshed for v1.3.0 public surfaces

72.2

/ 100 composite score

3 / 5

Green categories

Open P0s

✅ Reliability — 4.5 / 5
2214 tests, 100% coverage, adversarial corpus, and post-release smoke tests. Gap: independent external implementation.

🟡 Interoperability — 3.8 / 5
Machine-readable conformance manifest published; conformance profiles + test vectors live, with JS and Rust verifier coverage. Gap: external verifier. Implementers registry →

✅ Consistency — 4.0 / 5
Canonical metric sources, encoder interop vectors, and "Last verified" dates are published. SPEC_GOVERNANCE.md published — change control, compat policy, extension registry.

🔴 Governance — 2.2 / 5
Apache 2.0 + public governance doc + contributor ladder. Gap: neutral IP home (CNCF Sandbox or IETF contribution); multi-org steering.

🔴 Adoption — 1.7 / 5
AIIR uses AIIR (dogfooding). Seeking external pilots. Add your org to the registry →

Full scorecard + 90-day gap roadmap → · Release Health → · Spec Governance →

AIIR is complementary to SLSA, in-toto, SPDX, and CycloneDX — not a replacement. Goal: de facto adoption now, formal standards-track readiness over time.

Stay in the loop

Need help or want to engage?

Bug reports

File reproducible product bugs in the public tracker so fixes, regressions, and workarounds stay visible.

Open a GitHub issue →

Questions and ideas

Use discussions for implementation questions, rollout feedback, and community conversation around AIIR.

Join the discussion →

Security reports

Do not post vulnerabilities publicly. Use the coordinated disclosure path with our published policy and response target.

View security reporting options →

Company

Invariant Systems, Inc. is a Delaware C-Corp building verifiable computing infrastructure for AI systems.

noah@invariantsystems.io