Trust Properties
What AIIR proves, what it doesn't, and how to verify everything yourself.
What AIIR proves
| Property | Mechanism | Strength |
|---|---|---|
| Integrity | Content-addressed SHA-256 hash over canonical JSON | Deterministic — same input always produces same hash |
| Tamper evidence | Receipt ID derived from content hash | Any modification breaks verification |
| Declared AI involvement | Heuristic scan of commit metadata (trailers, author, message) | Records what is declared — 48 AI signals, 7 bot patterns |
| Non-repudiation (signed) | Sigstore keyless signing (Fulcio + Rekor transparency log) | OIDC identity binding — proves who signed |
| Build provenance | SLSA provenance + PEP 740 attestations on every PyPI release | Verifiable binding between release artifact and CI build |
What AIIR does not prove
| Gap | Why |
|---|---|
| Undeclared AI use | Copilot inline completions, ChatGPT copy-paste, and agentic sessions leave no commit metadata. AIIR records signals; it doesn't detect hidden use. |
| Code correctness | Receipts record authorship signals, not whether the code is correct or safe. |
| Human review | A receipt shows who committed code, not who reviewed it. |
| Absence of AI | is_ai_authored: false means no signals were detected — not that AI was not involved. |
| Source provenance (unsigned) | Without Sigstore signing, anyone running aiir on the same commit produces a valid receipt. Unsigned receipts prove integrity, not provenance. |
Trust tiers
| Tier | What you get | Use when |
|---|---|---|
| Unsigned | Hash integrity — detects modification | Local dev, smoke testing, internal audit |
| Signed | + OIDC identity binding via Sigstore transparency log | CI/CD compliance, SOC 2 evidence, regulatory audit |
| Enveloped | + in-toto Statement v1 wrapper (SLSA-compatible) | SLSA provenance, cross-system verification, EU AI Act |
Verify independently
You don't need to trust AIIR to verify its claims. Every verification step uses public artifacts and standard tools.
Verify a receipt's integrity (offline, no AIIR needed)
- Parse the JSON receipt
- Extract core fields: {type, schema, version, commit, ai_attestation, provenance}
- Serialize as canonical JSON (sorted keys, no whitespace)
- SHA-256 hash the resulting bytes
- Compare against content_hash
The algorithm is defined in SPEC.md §8 with 25 conformance test vectors.
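The steps above using only the Python standard library, as an added example that is not AIIR's own code. The UTF-8 encoding, the json.dumps escaping, the optional "sha256:" prefix on content_hash, the duplicate-key rejection and the sample receipt values are assumptions; SPEC.md §8 is authoritative for the exact canonical form.

```python
import hashlib
import hmac
import json

CORE_FIELDS = ("type", "schema", "version", "commit", "ai_attestation", "provenance")

def _no_duplicate_keys(pairs):
    """Reject duplicate keys so two parsers cannot disagree on the content."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key in receipt: {key!r}")
        obj[key] = value
    return obj

def compute_content_hash(receipt: dict) -> str:
    """SHA-256 (hex) over the canonical JSON of the core fields only."""
    missing = [f for f in CORE_FIELDS if f not in receipt]
    if missing:
        raise ValueError(f"receipt is missing core fields: {missing}")
    core = {f: receipt[f] for f in CORE_FIELDS}
    # Sorted keys, no whitespace. Assumption: UTF-8 bytes and json.dumps'
    # default escaping; SPEC.md §8 defines the exact rules.
    canonical = json.dumps(core, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def verify_receipt(raw: str) -> bool:
    """Return True only if the stored content_hash matches the recomputed one."""
    try:
        receipt = json.loads(raw, object_pairs_hook=_no_duplicate_keys)
        if not isinstance(receipt, dict):
            return False
        expected = compute_content_hash(receipt)
    except ValueError:  # malformed JSON, duplicate key, or missing core field
        return False
    stored = str(receipt.get("content_hash", ""))
    # Assumption: the stored value is bare hex or carries a "sha256:" prefix.
    stored = stored.removeprefix("sha256:").lower()
    return hmac.compare_digest(stored.encode(), expected.encode())

# Constructed sample receipt with placeholder values (not real AIIR output).
SAMPLE = {
    "type": "example.receipt", "schema": "example/v0", "version": "0.0.0",
    "commit": {"sha": "0" * 40},
    "ai_attestation": {"is_ai_authored": False},
    "provenance": {"tool": "example"},
}
SAMPLE["content_hash"] = "sha256:" + compute_content_hash(SAMPLE)
```

Because only the core fields are hashed, a field added outside that set does not change the result of this check.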
Verify a Sigstore signature
cosign verify-blob receipt.json \
--bundle receipt.json.sigstore \
--certificate-identity "https://github.com/OWNER/REPO/.github/workflows/aiir.yml@refs/heads/main" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
Verify PyPI release provenance
gh attestation verify aiir-*.whl --repo invariant-systems-ai/aiir
Every release has PEP 740 attestations via Trusted Publishing (OIDC, no static tokens).
Verify in the browser
Paste any receipt JSON into the browser verifier — client-side only, no upload, no server.
Detection scope
AIIR detects what is declared in git commit metadata:
- 48 AI-tool signals — Copilot, ChatGPT, Claude, Cursor, Amazon Q, Devin, Gemini, GitLab Duo, Tabnine, Aider, and others
- 7 bot patterns — Dependabot, Renovate, Snyk, CodeRabbit, github-actions, gitlab-bot, DeepSource
- Unicode evasion — TR39 confusable resolution (669 mappings, 69 scripts) + NFKC normalization
Not detected: Copilot inline completions (no trailer), ChatGPT copy-paste, agentic sessions (Copilot Chat, Claude Code, Cursor Agent), squash-merged trailers, amended commits.
Full analysis: THREAT_MODEL.md (STRIDE/DREAD).
Proof points
| Claim | Verify |
|---|---|
| 2,016 tests, 100% coverage | CI runs — Python 3.9–3.13 × Ubuntu/macOS/Windows |
| Zero runtime dependencies | pip install aiir && pip show aiir |
| 25 conformance test vectors | schemas/test_vectors.json |
| SLSA provenance on every release | gh attestation verify aiir-*.whl --repo invariant-systems-ai/aiir |
| OpenSSF Scorecard | scorecard.dev |
| CycloneDX SBOM on every release | Latest release → aiir-sbom.cdx.json |
| Self-receipting (dogfood) | for f in .receipts/*.json; do aiir --verify "$f"; done |
| Public threat model | THREAT_MODEL.md — full STRIDE/DREAD analysis |
Supply chain controls
| Control | Mechanism |
|---|---|
| Zero runtime dependencies | Python stdlib only — nothing to compromise |
| Trusted Publishing (OIDC) | Short-lived tokens, no static PyPI API keys |
| SLSA provenance | Build attestation on every wheel and sdist |
| PEP 740 digital attestations | Retrievable via PyPI Integrity API |
| SHA-pinned CI dependencies | Every uses: reference is pinned to a full 40-char commit SHA |
| CycloneDX SBOM | Machine-readable BOM on every GitHub Release |
| Automated scanning | Gitleaks, Bandit, Semgrep, CodeQL, pip-audit |