Provability
Pangolin’s audit trail does not ask you to take “tamper-evident” on trust. The widget below is a
real verifier over a sealed change-order bundle — the hashing is genuine SHA-256 run in your
browser, and the verdict is the production VerificationReport.
What you’ll see
A sealed plan of five dispatches flows top to bottom — it forks where two steps run in parallel and merges again. Above it sits the live verdict, split into two independent axes:
- Tamper axis — tamper-detecting vs tamper-evident, decided by the anchor.
- Time axis — asserted vs tsa-attested, decided by whether an RFC-3161 timestamp is attached.
A checklist mirrors what the real pangolin verify CLI prints: chain · root · signature · anchor · time.
What to try
- Pick a domain — the Domain row reskins the sealed plan into a denied-claim appeal, an immigration filing, a reconciliation exception, a vendor-bid evaluation, or a loan-servicing action. The data changes; the mechanism — and everything below — does not.
- Tamper a sealed field — hit a preset (e.g. Alter the agreed price), or select a card and edit its payload. That step’s hash diverges and the break ripples downstream.
- Flip the anchor tier — on LocalAnchor the strongest honest claim is tamper-detecting; on S3 Object Lock it becomes tamper-evident. The claim moves the instant you switch — nothing else changes.
- Re-seal as the attacker — after tampering, try to re-seal the bundle. On the local tier the attacker rewrites the root and gets away with it; on WORM the frozen anchored root no longer matches, and it fails.
Why it behaves that way
- The tier decides the ceiling. On LocalAnchor the root lives in the same store as the log, so it can only ever claim tamper-detecting. On S3 Object Lock the root is external and immutable, earning tamper-evident — see Audit & guarantee tiers.
- Re-sealing is the proof. The local tier rewrites its own root, so a determined attacker wins; the WORM tier cannot, so verification fails with root-mismatch. That gap is the difference between the two claims.
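A simplified model of the re-seal behaviour described above, added here as an example and not Pangolin's code or bundle format. It assumes a linear chain (no fork and merge) and omits the signature and time checks; the function names and the chain-break label are hypothetical, and only root-mismatch is taken from this page.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed chain start value

def step_hash(prev: str, payload: dict) -> str:
    """Bind one dispatch to everything before it."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()

def seal(payloads: list) -> dict:
    """Chain the payloads; the root is the last hash in the chain."""
    prev, entries = GENESIS, []
    for payload in payloads:
        prev = step_hash(prev, payload)
        entries.append({"payload": payload, "hash": prev})
    return {"entries": entries, "root": prev}

def verify(bundle: dict, anchored_root: str) -> str:
    """Recompute the chain, then compare the root with the anchored copy."""
    prev = GENESIS
    for entry in bundle["entries"]:
        prev = step_hash(prev, entry["payload"])
        if prev != entry["hash"]:
            return "chain-break"  # hypothetical label for a diverged step
    if prev != bundle["root"] or prev != anchored_root:
        return "root-mismatch"
    return "ok"

def demo() -> dict:
    # Constructed five-dispatch plan; field names are illustrative.
    sealed = seal([{"step": n, "price": 100} for n in range(1, 6)])
    worm_root = sealed["root"]  # copy frozen externally at seal time
    out = {"clean": verify(sealed, worm_root)}

    edited = copy.deepcopy(sealed)
    edited["entries"][1]["payload"]["price"] = 90  # alter a sealed field
    out["edited"] = verify(edited, worm_root)

    # Re-seal: recompute every hash and the root over the edited payloads.
    resealed = seal([e["payload"] for e in edited["entries"]])
    # Local tier: the anchor sits in the same store, so it was rewritten too.
    out["resealed_local"] = verify(resealed, resealed["root"])
    # WORM tier: the anchored root is still the one frozen at seal time.
    out["resealed_worm"] = verify(resealed, worm_root)
    return out

if __name__ == "__main__":
    print(demo())
```

The only difference between the last two results is where the anchored root is read from, which is the gap between tamper-detecting and tamper-evident.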
To verify a real exported bundle, see Export & verify an audit bundle.