Skip to content

Docs · Public ledger

Public ledger.

Available · Runs locally

Ledgerful publishes its own development change ledger as a redacted, signed, browser-verifiable bundle at /ledger.

What it is

Ledgerful's own development change ledger, published as a redacted, cryptographically verifiable static bundle at /ledger. Every entry carries a real Ed25519 signature from the engine's commit hook.

What it proves

Each entry's Ed25519 signature verifies against the entry's public key using WebCrypto in the browser — no backend call, no CLI install needed.

What it does not prove

The order or set of entries (chain continuity — future) or the identity behind the key (out-of-band fingerprint comparison required).

Honest ceiling:the public ledger proves each entry's signature. It does not prove the order or set of entries (chain continuity) or the identity behind the signing key. Out-of-band fingerprint comparison is required before treating a key as authentic.

The allowlist

Only these fields are published:

Author identity is a pseudonym. The author_pseudonym field is computed as HMAC-SHA256 over the author identity using a local secret key. The same author always produces the same pseudonym, so attribution patterns are correlatable, but the real identity is not recoverable from the bundle.

Redactions: file paths, entity names, author email, author name, commit messages beyond the published summary and reason, argv, environment variables, hostnames, machine identifiers, and internal ticket or PR numbers are removed. Email addresses and sign-off lines inside summary or reason are kept byte-exact in the bundle (editing them would break Ed25519 signatures) and masked at display time in the web UI. Entries with third-party PII in signed text are excluded from the bundle entirely.

How to verify

You can verify entries without installing Ledgerful.

  1. Open the on-site verifier at /ledger and click Verify all signatures.
  2. Open the offline verifier at /ledger/verifier.html (opens in new tab) — it works from file:// with no network.
  3. Or use the CLI fallback: run ledgerful verify --signatures against a local repo that has the ledger bundle.

No data is sent anywhere

The public ledger is generated locally by running ledgerful ledger export-provenance and committing the output. No data is sent to any server. The publishing helper is disabled by default and must be explicitly enabled.

Sample bundle: the files in public/ledger/ are produced by scripts/generate-public-ledger-sample.mjs, which runs the real engine export against the Ledgerful engine repo and then applies the allowlist and redactions.

Real publishing cron: once the engine-side ledger export-public command and bot signing key are in place, the production cron will run the same command in your own environment and commit the result.

Publishing cron

The publishing cron ships disabled. It is opt-in only, default off.

The web helper script scripts/publish-public-ledger.mjs ships disabled. Enable it with the environment variable LEDGERFUL_PUBLISH_LEDGER_ENABLED=1. It runs in your own environment, not a hosted service. The web sample remains unsigned at the manifest level; per-entry Ed25519 signatures are real and verifiable.

Trust model warning

Treat the public ledger as a signed sample, not a trust anchor.

manifest.pub originated from the same machine. The verifying key in this bundle came from the same environment that generated the ledger. A compromised machine could replace both the ledger data and the signing key, producing a convincing but fraudulent bundle.

Out-of-band verification required: to close that gap, the receiver must verify the public key against a trusted out-of-band copy of the Ed25519 fingerprint — for example, a key fingerprint shared over a separate secure channel, or a copy stored in a location independent of the machine that generated the bundle. Without this step, the signature proves internal consistency but not the authenticity of the signing key itself.