Satsignal conformance — overview
This is the public-facing entry point for the Satsignal conformance suite. It is the canonical "is X conformant?" reference for third-party verifiers, adapters, and standards-adjacency reviewers.
The vector set, offline-verifier asserted test, legacy-bundle backward-compat suite, and no-payload-upload invariant landed in Phase 5 of the 2026-05-20 hardening sprint and gate every PR via .github/workflows/conformance.yml. The per-adapter golden conformance job is seeded as of 2026-05-20 with the first adapter manifest — tests/vectors/adapters/satsignal-action/v01.json, the typed-authority shape emitted by Steleet/satsignal-action@v0.3.0's provenance: 'true' mode and first anchored on-chain at txid 915c86cbfcf9e0b9…. scripts/run_vectors.py walks the tests/vectors/adapters/ subtree and pins each golden's manifest_sha256; drift here means the adapter has changed its emit shape (or the schema has shifted in a way that breaks a previously- anchored manifest) — a deliberate-decision boundary, not a casual edit. Other adapters land here as they ship a typed-authority emit shape.
What conformance covers
A claim of conformance to satsignal.provenance.v1 means:
- The canonical manifest validates against the published JSON Schema at
docs/notary_spec/provenance-v1.schema.json. - The canonical bytes are produced by SCJ-v1 (Satsignal Canonical JSON v1 — NFC + code-point key sort; not RFC 8785, see
/spec-mbnt) of the manifest. - Unknown top-level fields are rejected. Vendor or custom payloads go inside an explicit top-level
extensionsobject, which the verifier MAY hash and preserve but MUST label "not interpreted by Satsignal." - The bundle (
.mbnt) carries the canonical manifest verbatim alongside the chain reference. - Backward-compatible: every
.mbntproduced under v1.0 continues to validate under every v1.x release.
Versioning policy
| Change kind | Allowed under | New schema: literal? |
|---|---|---|
| Add an optional field | v1.x minor | No |
| Rename / re-type / remove a field | v2.0 major | Yes (satsignal.provenance.v2) |
| Tighten an existing validator | v1.x minor | No |
| Loosen an existing validator | v2.0 major | Yes |
| Add a vendor / custom extension | v1.x minor (inside extensions) | No |
The full policy doc lives at docs/notary_spec/versioning.md. The rule above is the stable v1 contract.
Test vector layout
See tests/vectors/README.md for the directory tree and how to add a vector. Each canonical-manifest vector ships a sibling .expected.json recording the expected manifest_sha256 so vectors are byte-exact reproducible.
CI gating
.github/workflows/conformance.yml runs the stdlib schema, invariant, and vector tests on every PR + push to main.
Stdlib schema / validator / invariant tests:
scripts/test_provenance.py— canonical-manifest accept/reject rules.scripts/test_validators_contract.py— shared validator surface.scripts/test_proof_set_schema.py— standard-mode proof_set v2.scripts/test_proof_set_sealed_schema.py— sealed-mode proof_set v2.scripts/test_sealed_no_plaintext_session_id.py— sealed-mode plaintext session-label leak invariant.scripts/check_no_adhoc_validators.py— validator centralization.scripts/check_no_adhoc_alias.py— alias-table single-source.scripts/check_no_payload_upload.py— outbound boundary stays payload-free (no customer bytes leave the process).
Vector-driven provenance-v1 conformance:
scripts/run_vectors.py— walkstests/vectors/provenance-v1/{valid,invalid}/, asserts each input either canonicalizes to its frozenmanifest_sha256(valid) or raises an error containing the pinned needle (invalid).scripts/test_offline_verifier.py— re-validates every valid vector with sockets blocked, proving the validator path never touches the network.scripts/test_legacy_bundles.py— re-verifies frozen.mbntbundles fromtests/vectors/legacy-bundles/: the schema validator accepts the historical doc, the canonicalizer reproduces the original bytes, and the 40-hex truncation matches thedoc_hash_expectedthat rode in OP_RETURN.
Remaining (Phase-5 deferred):
- Per-adapter golden conformance — assert each adapter (langchain / mcp / otel / action / blob / webhook / langfuse) projects equivalent inputs to byte-identical
satsignal.provenance.v1packets. Pending typed-authority emit shapes in the adapter repos.
What conformance does not cover
A conformant proof shows what satsignal.provenance.v1 actually proves: integrity, timing, inclusion, and commitment. It does not prove truth, authorship by itself, legal compliance, or completeness — unless the relevant claim was precommitted in the manifest. See /what-it-proves.html (the public claims-and-limits page).
Cross-references
docs/notary_spec/provenance-v1.md— normative schema spec.docs/notary_spec/provenance-v1.schema.json— JSON Schema.tests/vectors/— vector tree..github/workflows/conformance.yml— CI runner.
Questions about this specification? Email hello@satsignal.cloud.