TrustSignal is evidence integrity infrastructure for signed verification receipts and later verification.
Short description: This index organizes the active TrustSignal documentation set for evaluators, developers, and partner reviewers, with links to lifecycle, API, security, benchmark, and claims-boundary materials.
Audience:
- evaluators
- developers
- partner reviewers
- Partner evaluation overview
- Verification lifecycle
- Security summary
- Security workflows
- GitHub settings checklist
- Benchmark summary
- Claims boundary
- Docs architecture
TrustSignal documentation is written for evaluators and implementers working in workflows where later auditability matters. The main attack surface is not only bad data at intake, but also tampered evidence, provenance loss, artifact substitution, and stale evidence that cannot be verified later.
The canonical lifecycle and trust-boundary diagrams are documented in verification-lifecycle.md.
TrustSignal is evidence integrity infrastructure. It acts as an integrity layer that returns signed verification receipts, verification signals, verifiable provenance metadata, and later verification capability for existing workflow integration.
The documentation set is organized around:
- overview and start-here materials
- core concepts and verification lifecycle
- API and example documents
- security and claims boundary materials
- benchmarks and partner evaluation materials
- reference and archive material
Start with the local developer trial if you want the fastest technical evaluation:
The demo shows artifact hashing, verification, signed verification receipt issuance, later verification, and tampered artifact mismatch detection without external services.
Start here if you want to evaluate the public verification lifecycle quickly:
- Partner evaluation overview
- Evaluator quickstart
- API playground
- OpenAPI contract
- Postman collection
- Postman local environment
Golden path:
- submit a verification request
- receive verification signals plus a signed verification receipt
- retrieve the stored receipt
- run later verification
The evaluator and demo paths are deliberate evaluator paths. They show the verification lifecycle safely before production integration and do not remove production security requirements.
Local development defaults are intentionally constrained and fail closed where production trust assumptions are not satisfied. Production deployment requires explicit authentication, signing configuration, and environment setup.
final/*is retained for historical synthesis, grant context, and reference only.- It should not be treated as the current public product story or API source of truth.
final/01_EXECUTIVE_SUMMARY.mdfinal/02_ARCHITECTURE_AND_BOUNDARIES.mdfinal/03_SECURITY_AND_COMPLIANCE_BASELINE.mdfinal/04_OPERATIONS_AND_SUPPORT.mdfinal/05_API_AND_INTEGRATION_GUIDE.mdfinal/06_PILOT_AND_MARKETPLACE_READINESS.mdfinal/07_SECRET_ROTATION_AND_HISTORY_REMEDIATION.mdfinal/08_STAGING_SECURITY_EVIDENCE_CHECKLIST.mdfinal/09_GITHUB_SUPPORT_PURGE_REQUEST_TEMPLATE.mdfinal/10_INCIDENT_ESCALATION_AND_SLO_BASELINE.mdfinal/11_NSF_GRANT_WHITEPAPER.mdfinal/12_R_AND_D_LOG.mdfinal/13_SOC2_READINESS_KICKOFF.mdfinal/14_VANTA_INTEGRATION_USE_CASE.md
PRODUCTION_GOVERNANCE_TRACKER.mdSECURITY.mdsecurity-summary.mdverification.mdops/monitoring/README.md../PROJECT_PLAN.md../SECURITY.md
legal/privacy-policy.mdlegal/terms-of-service.mdlegal/cookie-policy.mdlegal/pilot-agreement.md
Historical planning, synthesized source-of-truth drafts, and early notebook logs are retained under:
archive/legacy-2026-02-25/
Use archived files for context only, not as current implementation guidance.