Scope

What Satsignal proves — and what it doesn’t.

A Satsignal proof establishes four things: integrity, timing, inclusion, and commitment. It does not establish truth, authorship by itself, legal compliance, or completeness — unless the relevant claim was precommitted in the manifest. This page is the canonical scope statement, written so a lawyer, auditor, regulator, or procurement reviewer can rely on it without holding an account. The verifier’s “what this verifies” panel and the terms state the same scope, on purpose.

01 What a proof establishes

Integrity. Timing. Inclusion. Commitment.

Each is a verifiable claim about the fingerprint that was anchored — not about you, the bytes, or the world.

Integrity
The bytes that produced the fingerprint match the bytes anyone re-hashes from the original later. If a single byte changed, the fingerprint changes and the proof fails.
Timing
Whoever submitted the anchor held this exact fingerprint by the timestamp of its on-chain transaction. Nobody, including Satsignal, can edit, delete, or backdate that on-chain entry afterwards.
Inclusion
For manifest, merkle-row, and sealed-row proofs, a revealed item was inside the anchored set. The bundle ships every leaf needed for a third party to derive the inclusion path independently.
Commitment
If the anchor was made before some claimed event, whoever submitted it had bound themselves to that fingerprint before the event resolved. That is the basis for sealed bids, pre-registered evaluations, and policy-snapshot proofs.
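
How a third party can derive an inclusion path from the shipped leaves and check a revealed item against the anchored root, as an added example that is not Satsignal's code. It assumes a generic binary SHA-256 Merkle tree with prefixed leaf and node hashes and an unpaired node promoted unchanged; the tree layout Satsignal actually uses is not given on this page, and all function names and sample rows are hypothetical.

```python
import hashlib

def leaf_hash(item: bytes) -> bytes:
    # 0x00 prefix keeps a leaf from being mistaken for an interior node
    return hashlib.sha256(b"\x00" + item).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def root_and_path(leaves, index):
    """Rebuild the tree from every shipped leaf; return (root, path).

    path is a list of (sibling_hash, sibling_is_left), leaf level first.
    """
    if not 0 <= index < len(leaves):
        raise IndexError("revealed item is not in the shipped leaf set")
    level = [leaf_hash(x) for x in leaves]
    path = []
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):  # an unpaired last node has no sibling
            path.append((level[sibling], sibling < index))
        nxt = []
        for i in range(0, len(level), 2):
            pair = level[i:i + 2]
            # an unpaired node is promoted unchanged, never duplicated
            nxt.append(node_hash(*pair) if len(pair) == 2 else pair[0])
        level, index = nxt, index // 2
    return level[0], path

def verify_inclusion(item, path, anchored_root):
    """Fold the revealed item up the path and compare with the anchored root."""
    acc = leaf_hash(item)
    for sibling, sibling_is_left in path:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc == anchored_root

# Constructed sample: five rows standing in for the leaves shipped in a bundle.
LEAVES = [b"row-0", b"row-1", b"row-2", b"row-3", b"row-4"]

if __name__ == "__main__":
    root, path = root_and_path(LEAVES, 2)
    print("root:", root.hex())
    print("row-2 included:", verify_inclusion(b"row-2", path, root))
    print("altered row included:", verify_inclusion(b"row-2x", path, root))
```
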

02 What a proof does not establish

Not truth. Not authorship. Not legal compliance.

A valid proof says someone held this fingerprint by this time. It does not, by itself, prove any of the following — and Satsignal will not claim otherwise on your behalf.

  • Not authorship. Whoever held the fingerprint at anchor time is not necessarily the author. A bad actor who obtains a payload can anchor it; the proof shows custody-at-anchor-time, not creation.
  • Not truth. The payload’s claims may be factually wrong, fabricated, or misleading. A proof binds the bytes; it does not certify what they mean.
  • Not pre-existence. A proof shows someone held the fingerprint by anchor time. It does not show the underlying content existed before that time.
  • Not byte-possession. A proof shows the anchorer knew the fingerprint by anchor time — a hash alone suffices to anchor, and the file’s bytes never reach Satsignal. It does not, on its own, prove the anchorer possessed those bytes; that follows only when they later produce bytes whose SHA-256 matches.
  • Not hash-secrecy — for a Standard proof. A Standard proof is publicly resolvable by the file’s SHA-256. Anyone who holds (or can reconstruct) the exact file bytes can compute that SHA-256 and ask the auth-free, CORS-open /lookup_hash endpoint — from any website, no account — whether Satsignal anchored it; a hit returns the proof’s existence, its anchor timestamp, and the on-chain txid. So a proof does not keep secret that a file was anchored once someone knows its hash. If the existence of the anchor is itself sensitive — a source document, a privileged draft, an unrevealed bid — choose Sealed mode: sealed anchors commit to a salted value and are excluded from /lookup_hash by design, so even confirm-by-hash stays private.
  • Not legal compliance. A proof is not, by itself, eIDAS-qualified evidence, an e-signature, FRE 901/902 self-authentication, EU AI Act compliance, FINRA recordkeeping, or any other regulatory determination. Whether a proof is sufficient evidence for any particular legal, regulatory, or commercial purpose is a judgement you and your advisers make — not a determination Satsignal makes for you.
  • Not completeness. A proof establishes the things that were anchored. It does not, by default, prove that everything that should have been anchored was. Completeness is only chain-backed when the run scope and capture policy were precommitted — see the next section.
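
Why confirm-by-hash works against a Standard proof but not against a salted commitment, as an added example that is not Satsignal's code or API. The in-memory `public_index` set stands in for a public hash lookup, and HMAC-SHA256 keyed with a random salt is an assumed stand-in for the sealed construction, whose real format this page does not specify; the bid text and all function names are constructed.

```python
import hashlib
import hmac
import secrets

def standard_fingerprint(data: bytes) -> str:
    """Unsalted SHA-256: anyone with the same bytes gets the same value."""
    return hashlib.sha256(data).hexdigest()

def sealed_commitment(data: bytes, salt: bytes) -> str:
    """Assumed sealed construction: HMAC-SHA256 keyed with a secret salt."""
    return hmac.new(salt, hashlib.sha256(data).digest(), hashlib.sha256).hexdigest()

def confirm_by_hash(public_index: set, candidate: bytes) -> bool:
    """What an outsider holding candidate bytes learns from a public index."""
    return standard_fingerprint(candidate) in public_index

def reconstructable(public_index: set, candidates) -> list:
    """Low-entropy files can be confirmed by hashing every plausible version."""
    return [c for c in candidates if confirm_by_hash(public_index, c)]

def open_sealed(anchored: str, data: bytes, salt: bytes) -> bool:
    """The holder reveals data and salt; any verifier can then recompute."""
    return hmac.compare_digest(anchored, sealed_commitment(data, salt))

# Constructed sample: a short bid whose wording is easy to reconstruct.
BID = b"BID lot-7 amount=104000"
PLAUSIBLE = [b"BID lot-7 amount=%d" % a for a in range(100000, 110001, 1000)]

def demo(salt: bytes = None) -> dict:
    salt = salt or secrets.token_bytes(32)
    standard_index = {standard_fingerprint(BID)}
    sealed_value = sealed_commitment(BID, salt)
    return {
        "standard_hit": confirm_by_hash(standard_index, BID),
        "standard_guessed": reconstructable(standard_index, PLAUSIBLE),
        # a sealed value never enters the public index, and the unsalted
        # hash of the file does not match it either
        "sealed_matches_plain_hash": standard_fingerprint(BID) == sealed_value,
        "sealed_opens_with_salt": open_sealed(sealed_value, BID, salt),
        "sealed_opens_with_wrong_salt": open_sealed(sealed_value, BID, b"\x00" * 32),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```
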

03 The “unless precommitted” line

You can prove more — if you precommit to it.

The shape of a Satsignal proof is wider than the four claims above when the manifest precommits the additional claim. The canonical schema (satsignal.provenance.v1) has typed slots for run_scope (the intended boundary of the run), capture_policy (what events must be captured and anchored), and policy_snapshot_digest (a hash of the active policy / config / model identifiers). When those land before the run begins, the resulting proof can establish that the declared capture policy was followed for that scope — not just that some events were anchored.

Without a precommitted scope and policy, no after-the-fact claim about completeness has chain backing. This is the load-bearing line for agent-run evidence: a useful proof of agent behavior requires the agent to bind its own scope before acting, not after the audit asks. See the canonical model § 02 for the typed slots (run_scope, capture_policy, policy_snapshot_digest) that carry these precommitments.

04 The line in practice

Three places the limits matter.

These are compressed restatements of the “honest limits” sections on the use-case pages; follow the links for the full version.

Pre-registered research — defeatable by spread

A single folder of pre-registered candidates is defeatable. A lab can pre-register a hundred designs across a hundred folder slugs and publish only the winner. The proof shows what was pre-registered in this folder; it does not show what else the same actor pre-registered elsewhere. See AI safety research § honest limits.

Litigation evidence — not self-authentication

A proof is not a substitute for the FRE 901 / 902 analysis any court will run on motion. It is corroborating evidence about timing and integrity of bytes; it does not, by itself, establish chain of custody, authorship, or admissibility. See Litigation evidence § honest limits.

Regulated evidence — not the whole compliance posture

Whether you are EU AI Act, FINRA, or OMB M-26-04 compliant depends on your full controls posture — risk assessment, governance, monitoring, response — not on whether you anchored individual artefacts. Anchoring is one durable piece of that posture, not the posture itself. See Regulated evidence § honest limits.

05 Where this is authoritative

The scope is restated, on purpose.

The verifier’s “what this verifies” panel and the terms § 02 are the canonical statements of scope. The lead paragraph above restates the same claims — in this page’s words — so this page cannot read as a stronger claim than the verifier itself makes. Verification is independent of us: the bundle’s integrity re-checks fully offline, and its on-chain anchor can be confirmed on any public Bitcoin SV block explorer or your own node, with or without Satsignal — see the trust page for what we keep, what we don’t, and how an outside auditor can satisfy themselves without holding an account.