Manifest receipt

Locked & verifiable.

A pre-registered claim, anchored to a SHA-256 hash before the run. Anyone can re-derive it from the canonical bytes below.

SHA-2566d85e0c3d3af446733f8777449f3ff617889dba99a04f7f27c73be763dedf98c
Registered2026-05-15T19:07:35.159Z
Independent timestampRFC 3161 · 2026-07-11T22:19:21Z · timestamp.sigstore.dev (anchored after commit; earlier existence rests on the registry signature alone) · token
Transparency lognot yet in a public log (record predates full-manifest storage; RFC 3161 token only)
Kindcommitted before 2026-07-11 — not validated at commit time; re-verify offline with a reference implementation
Submitted by@falsify.dev
Manifest preview
version: "prml/0.1"
claim_id: "01971234-0000-7200-8002-000000000002"
created_at: "2026-05-15T18:55:00Z"
metric: "external_contributor_count"
metric_args:
  resolve_at: "2026-05-22T23:59:00Z"
  source: "github.com/studio-11-co/falsify issues+PRs with label rfc-v0.2, excluding author sk8ordie84 and studio-11-co members"
comparator: ">="
threshold: 3
dataset:
  id: "prml-v0.2-rfc-text"
  hash: "60b15080d0cc5882ca33047fa1374426e9bd11bb4b63adb606d4d60f9b0a3dff"
  uri: "https://github.com/studio-11-co…
Note (2026-07-11): records committed before this date stored only a 500-byte preview, so this page cannot prove the full manifest. Re-verify offline against the original file.
README badge
PRML locked[![PRML locked](https://registry.falsify.dev/badge/6d85e0c3d3af446733f8777449f3ff617889dba99a04f7f27c73be763dedf98c.svg)](https://registry.falsify.dev/6d85e0c3d3af446733f8777449f3ff617889dba99a04f7f27c73be763dedf98c)
Verify in CI
- uses: studio-11-co/prml-verify-action@v2 with: mode: verdict expected-hash: 6d85e0c3d3af446733f8777449f3ff617889dba99a04f7f27c73be763dedf98cgithub.com/studio-11-co/prml-verify-action →

share on x →

Verify this hash yourself

Paste your manifest YAML. The canonical hash must match 6d85e0c3d3af…. This runs the registry's own canonicalization module (canonical.js) in your browser; for verification that does not trust this registry at all, use any of the four reference implementations offline.

Verify the independent timestamp (RFC 3161, offline)

The token countersigns this manifest hash with the timestamp authority's key, so the time claim no longer rests on this registry. Verify with OpenSSL 3 (LibreSSL, the macOS default, cannot check the ESS extension):

curl -sO https://registry.falsify.dev/6d85e0c3d3af446733f8777449f3ff617889dba99a04f7f27c73be763dedf98c.tsr
curl -s https://timestamp.sigstore.dev/api/v1/timestamp/certchain -o chain.pem
awk 'split_after==1{n++;split_after=0} /END CERTIFICATE/{split_after=1} {print > ("tsa-" n ".pem")}' n=0 chain.pem
openssl ts -verify -digest 6d85e0c3d3af446733f8777449f3ff617889dba99a04f7f27c73be763dedf98c \
  -in 6d85e0c3d3af.tsr -CAfile tsa-1.pem -untrusted tsa-0.pem

Expected output: Verification: OK.

What this receipt proves — and what it does not

PRML v0.2 is a frozen RFC (comment window closed 2026-05-22) — spec.falsify.dev/v0.2-rfc. Editor: spec.falsify.dev/editor.