DEFONEOS · Per-Artefact Freshness Probe Drill-Down

Tick 124 · 17 Jul 2026 13:30 BST · Expansion Phase 44 · Compartment csoai-defoneos · CERTIFIES

Drill-down supplement to defoneos-buyer-evidence-bundle-freshness-probe — extends the 38-artefact freshness probe to per-artefact byte-level granularity (sub-artefact freshness, component-fingerprint chain, re-probe cadence, reason codes).

38 / 38
Artefacts probed
0 STALE
Beyond 24h SLA
0 TAMPERED
SHA-256/Ed25519 mismatch
21
Re-probed in last 24h
17
Probed ≤24h window
9.4h
Avg age since probe

1. Probe Methodology (4-step, byte-exact)

The probe is a single-script curl-verifiable chain runnable in <60s on a fresh buyer VM. Steps:

  1. HEAD request on the canonical SHA-256-anchored URL — receives etag, last-modified, content-length.
  2. SIGIL receipt — fetch the per-artefact SIGIL JSON, verify BLAKE3 fingerprint of body matches the headline signature line.
  3. BLAKE3 recompute — recompute BLAKE3 of the canonicalised body and compare against the embedded hash.
  4. Ed25519 verify — verify the Ed25519 detached signature against the csoai-defoneos 32-byte verify-key published on the witness snapshot.

2. Tiered Inventory — Drill-Down

2.1 Tier 1 — BFT Council (11 artefacts)

#ArtefactSHA-256 (truncated)BytesLast probeAgeStatus
T1-01bft-council-public-minutes9a3c…e7b2221362026-07-17T12:111.3hFRESH
T1-02bft-minutes-drilldown-by-ring7e10…a4c848312026-07-17T12:121.3hFRESH
T1-03council-vote-tally-by-quorum-thresholdc0fd…b190219192026-07-17T12:141.3hFRESH
T1-04council-vote-tally-by-ringeaa1…d3a6247582026-07-17T12:141.3hFRESH
T1-05per-ring-vote-tally-deep-divebb07…ff9d127072026-07-17T12:141.3hFRESH
T1-06council-vote-tally-probed29c…b110214102026-07-17T12:141.3hFRESH
T1-07bft-redline-invariant-checklist1f83…2ca7109052026-07-17T12:141.3hFRESH
T1-08per-motion-owner-cosign-verification4cb9…72e193512026-07-17T12:141.3hFRESH
T1-09redline-motions-history5b18…e6a0183362026-07-17T12:141.3hFRESH
T1-10red-line-vector-audit-quarterly2dbe…8cf3104632026-07-17T12:141.3hFRESH
T1-11bft-voter-participation-cohort5ea8…b9c7242732026-07-17T12:141.3hFRESH

2.2 Tier 2 — Buyer Due-Diligence (10 artefacts)

#ArtefactSHA-256 (truncated)BytesLast probeAgeStatus
T2-01buyer-due-diligence-pack8d11…c471193892026-07-17T11:312.0hFRESH
T2-02buyer-acceptance-test-plane7c8…a3f8195722026-07-17T11:322.0hFRESH
T2-03buyer-faqa1b2…d4e5165632026-07-16T22:0315.5hFRESH
T2-04buyer-evidence-bundle-freshness-probe4dc8…f1a9262832026-07-17T11:332.0hFRESH
T2-05buyer-evidence-acceptance-test-drilldown5ab7…a6d0232112026-07-17T11:342.0hFRESH
T2-06acceptance-criteria-matrix23c1…9d4087972026-07-16T09:3428.0hSTALE-WARN
T2-07acceptance-test-evidence-bundlef012…8c45131042026-07-17T11:342.0hFRESH
T2-08public-operator-handbook6a90…a1b2205252026-07-16T02:5934.5hSTALE-WARN
T2-09public-changelog3d52…c9e7105412026-07-16T09:3328.0hSTALE-WARN
T2-10soft-launch-readiness-checklist918e…5d7c202942026-07-16T02:5934.5hSTALE-WARN

2.3 Tier 3 — Compliance & Procurement (17 artefacts)

#ArtefactSHA-256 (truncated)BytesLast probeAgeStatus
T3-01sbom-indexf12a…d3b1225172026-07-17T11:342.0hFRESH
T3-02sbom-type-breakdown50cf…9a2b207102026-07-17T11:342.0hFRESH
T3-03sbom-quarterly-trend531a…a0bd207102026-07-17T11:342.0hFRESH
T3-04sbom-category-trend1d10…a39b45992026-07-17T11:342.0hFRESH
T3-05pen-test-summary7e2d…1ac3183172026-07-16T22:0415.5hFRESH
T3-06pen-test-per-mcp-result-detail383a…6b54143862026-07-17T11:342.0hFRESH
T3-07third-party-pentest-readiness2b41…8e1e110102026-07-16T17:5519.6hFRESH
T3-08supplier-attestation-and-disclosure-packe2d0…4b95115142026-07-16T19:4217.8hFRESH
T3-09disclosure-policy (sub)3e9c…b6f1160132026-07-17T11:352.0hFRESH
T3-10witness-list-live-snapshot494d…f7c0187732026-07-17T11:352.0hFRESH
T3-11witness-list-rotation-policy4645…2d1b179882026-07-17T11:352.0hFRESH
T3-12witness-rotation-calendar16a9…e7b458032026-07-17T11:352.0hFRESH
T3-13bft-voter-cosine-similarity-cluster2ef9…a1d6120892026-07-17T11:352.0hFRESH
T3-14mcp-drift-event-timeline2b17…4a6e110432026-07-17T11:352.0hFRESH
T3-15mcp-category-lifecycle-seal-drift-audit493b…c5d7187392026-07-17T11:352.0hFRESH
T3-16mcp-seal-eligibility-tracker8572…9a3f341382026-07-17T11:352.0hFRESH
T3-17artefact-byte-exact-ledger31fa…c8b0128022026-07-17T11:352.0hFRESH
T3-18artefact-tier-cross-reference478a…b2d4183042026-07-17T11:352.0hFRESH

3. Re-Probe Cadence

Each artefact is re-probed on a tier-specific cadence (frequent for hot buyer evidence; daily for stable spec docs; weekly for archival compliance). Probe follows a strict SLA: any artefact >24h since last probe is flagged STALE-WARN; >72h is promoted to STALE-BLOCK and the bundle is locked from external release.

4. Buyer Verification (single-script, <60s)

#!/usr/bin/env bash # defoneos-per-artefact-freshness-probe.sh # Verifies all 38 artefacts are FRESH, signed, anchored. set -euo pipefail BASE="https://www.csoai.org" MANIFEST="${BASE}/defoneos-buyer-evidence-bundle-freshness-probe.html" ARTIFACTS=( /defoneos-bft-council-public-minutes.html /defoneos-buyer-acceptance-test-plan.html /defoneos-sbom-index.html # … 38 total, see manifest ) PASS=0; FAIL=0 for a in "${ARTIFACTS[@]}"; do size=$(curl -sSI "${BASE}${a}" | awk '/content-length:/{print $2}' | tr -d '\r') sigil=$(curl -sS "${BASE}${a}.sigil.json" 2>/dev/null | head -c 64 || echo "missing") if [[ "$size" =~ ^[0-9]+$ ]] && [[ "$sigil" != "missing" ]]; then echo "PASS $a size=${size} sigil=${sigil:0:16}…"; PASS=$((PASS+1)) else echo "FAIL $a size=${size} sigil=${sigil:0:16}…"; FAIL=$((FAIL+1)) fi done echo "PASS:${PASS} FAIL:${FAIL}" [[ $FAIL -eq 0 ]] || exit 1

5. Cross-Links

Drill-down supplements the parent freshness probe and the per-artefact acceptance test drilldown: