
Attestations

Every delimit wrap invocation and every Delimit GitHub Action run emits a signed, replayable record of what changed. This is the productized output — the thing you hand to an auditor.


New: per-PR Sigstore attestations from the GitHub Action

Every PR run of delimit-ai/delimit-action now emits a Sigstore keyless-signed attestation, recorded in the public Rekor transparency log. The PR comment links directly to a verifiable delimit.ai/att/<id> permalink that any reviewer can inspect without trusting the runner. Add id-token: write to your workflow permissions; the rest is automatic.

What is an attestation?

An attestation is a structured JSON bundle with a cryptographic signature, emitted once per wrapped AI-assisted command. It captures the wrapped command, the git state before and after, the files that changed, the governance gates that ran, any policy violations, and a signature over the whole thing. The schema is delimit.attestation.v1.

Attestations are HMAC-SHA256 signed locally with a per-install key at ~/.delimit/wrap-hmac.key. Each attestation gets an ID of the form att_xxx (first 16 chars of the SHA-256 of the canonical bundle) and is persisted to ~/.delimit/attestations/<id>.json.

Anatomy of an attestation

{
  "id": "att_7d556843c84fb881",
  "bundle": {
    "schema": "delimit.attestation.v1",
    "kind": "merge_attestation",
    "wrapped_command": "claude -p \"add a nullability check to User.email\"",
    "before_head": "52ff636f5e84eb70e30be20deb72b69a4118daf7",
    "after_head":  "a7bf9e12c4fa5e2b18d3c7f0b9e4a2d5f8c1e6a3",
    "started_at":  "2026-04-23T02:08:39.417Z",
    "completed_at":"2026-04-23T02:08:39.442Z",
    "wrapped_exit": 0,
    "changed_files": ["app/models/user.ts"],
    "governance": {
      "gates": [
        { "name": "diff", "files": 1 },
        { "name": "test_smoke", "runner": "npm test", "exit": 0 }
      ],
      "violations": [],
      "advisory": true
    },
    "delimit_wrap_version": "1.1.0"
  },
  "signature": "e98a9304ba184ade0ecea67bd73961c4d507fe89db3ce70470774ca3a45ce8ee",
  "signature_alg": "HMAC-SHA256"
}

Notice what is NOT here: the prompt text, the model's raw response, the source code. The attestation captures the fact of what happened (plus the git diff pointer and governance results), not the content. This is the same posture as a Sigstore signature on a build artifact.

Attestation kinds

merge_attestation (default)

Successful wrap. Wrapped command exited on its own (exit code preserved). Lint, diff, and test gates ran. Governance violations, if any, are listed in bundle.governance.violations. Exit code matches the wrapped command unless --enforce was set and a gate failed (in which case wrap exits 2).

liability_incident (kill switch fired)

The wrapped command exceeded --max-time and was SIGKILL'd. The attestation includes a kill_switch object with the elapsed time, the signal, and a cross-model handoff suggestion — a ready-to-run command that re-wraps the same prompt against an alternate producer.

{
  "id": "att_2d25f919221a3b05",
  "bundle": {
    "schema": "delimit.attestation.v1",
    "kind": "liability_incident",
    "wrapped_command": "claude -p \"refactor the auth middleware\"",
    "wrapped_exit": 137,
    "kill_switch": {
      "kind": "timeout",
      "max_time_seconds": 60,
      "signal": "SIGKILL",
      "handoff_suggestion": {
        "kill_source": "claude",
        "handoff_target": "codex",
        "suggested_command": "delimit wrap -- codex -p \"refactor the auth middleware\"",
        "alternates": ["codex", "gemini", "cursor"]
      }
    }
  },
  "signature": "..."
}
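The two kinds above differ only in whether the --max-time limit fired and in how the wrap exit code is derived. The following is an added example, not Delimit's own code: a minimal wrapper that runs a command under a time limit, SIGKILLs it on expiry, and classifies the result into merge_attestation or liability_incident with the kill_switch and handoff_suggestion objects shaped like the sample. It assumes the shell convention of 128+signal for the exit code of a killed process (the page shows 137), that the handoff target is the first alternate that is not the killed producer, and that the producer is named by the command's basename; the ALTERNATES list and the demo commands are constructed.

```python
"""Added example (not Delimit's code): timeout-aware wrapper that classifies a run."""
import os
import shlex
import subprocess
import sys
import time

ALTERNATES = ["codex", "gemini", "cursor"]   # constructed, mirrors the sample above


def handoff_suggestion(argv):
    """Build a ready-to-run re-wrap against the first alternate producer (assumed rule)."""
    source = os.path.basename(argv[0])
    target = next(a for a in ALTERNATES if a != source)
    return {
        "kill_source": source,
        "handoff_target": target,
        "suggested_command": "delimit wrap -- " + shlex.join([target, *argv[1:]]),
        "alternates": ALTERNATES,
    }


def run_wrapped(argv, max_time):
    """Run argv; return (wrapped_exit, kill_switch). kill_switch is None unless the limit fired."""
    started = time.monotonic()
    proc = subprocess.Popen(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        return proc.wait(timeout=max_time), None
    except subprocess.TimeoutExpired:
        proc.kill()                      # SIGKILL on POSIX: the child cannot trap or delay it
        rc = proc.wait()                 # negative return code = terminated by that signal
        wrapped_exit = 128 - rc if rc < 0 else rc   # shell convention 128+signal (9 -> 137)
        return wrapped_exit, {
            "kind": "timeout",
            "max_time_seconds": max_time,
            "elapsed_seconds": round(time.monotonic() - started, 3),
            "signal": "SIGKILL",
            "handoff_suggestion": handoff_suggestion(argv),
        }


def wrap_exit_code(wrapped_exit, gates, enforce):
    """Exit code of `delimit wrap` itself: 2 when --enforce is set and any gate failed,
    otherwise the wrapped command's own exit code is preserved."""
    if enforce and any(g.get("exit", 0) != 0 for g in gates):
        return 2
    return wrapped_exit


def build_bundle(argv, wrapped_exit, kill_switch, gates):
    """Assemble the bundle; the kind follows from whether the kill switch fired."""
    bundle = {
        "schema": "delimit.attestation.v1",
        "kind": "liability_incident" if kill_switch else "merge_attestation",
        "wrapped_command": shlex.join(argv),
        "wrapped_exit": wrapped_exit,
        "governance": {"gates": gates, "violations": [], "advisory": True},
    }
    if kill_switch:
        bundle["kill_switch"] = kill_switch
    return bundle


def demo_success():
    """Constructed stand-in for a producer that finishes on its own with exit 3."""
    argv = [sys.executable, "-c", "import sys; sys.exit(3)"]
    rc, ks = run_wrapped(argv, max_time=30)
    return build_bundle(argv, rc, ks, gates=[{"name": "diff", "files": 1}])


def demo_timeout():
    """Constructed stand-in for a producer that hangs past the limit."""
    argv = [sys.executable, "-c", "import time; time.sleep(60)"]
    rc, ks = run_wrapped(argv, max_time=0.5)
    return build_bundle(argv, rc, ks, gates=[])


if __name__ == "__main__":
    import json
    print(json.dumps(demo_timeout(), indent=2))
```

The handoff command is quoted with shlex.join, so a prompt containing spaces or quotes survives the re-wrap intact; the elapsed time is measured with a monotonic clock so a wall-clock adjustment during the run cannot skew the incident record.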

Verifying a signature

Each attestation is self-verifying with the per-install HMAC key. The signature covers the canonical JSON-serialized bundle object (keys sorted). To verify:

python3 -c "
import hmac, hashlib, json, os
# Load the persisted attestation and the per-install key (~ expanded by Python, not the shell)
att = json.load(open(os.path.expanduser('~/.delimit/attestations/att_xxx.json')))
key = open(os.path.expanduser('~/.delimit/wrap-hmac.key'), 'rb').read()
# Canonical form: the bundle object serialized with keys sorted, as at signing time
canon = json.dumps(att['bundle'], sort_keys=True)
expected = hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()
# compare_digest is constant-time, so the check does not leak how much of the MAC matched
print('verified' if hmac.compare_digest(expected, att['signature']) else 'TAMPERED')
"

For team-scale deployments (coming in Pro), the HMAC key rotates to a managed secret so team members verify against a shared key. Sigstore keyless signing now ships for PR attestations from the GitHub Action — see the callout at the top of this page. Local delimit wrap attestations remain HMAC-signed for offline use.
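The ID derivation described under "What is an attestation?" and the verification procedure above fit together as one small routine. The following is an added example, not Delimit's own code: it derives the att_ ID, signs a constructed bundle with HMAC-SHA256, and verifies both the signature and the content-addressed ID, including a tamper check. It assumes that the canonical form used for the ID is the same json.dumps(bundle, sort_keys=True) serialization the page states for the signature, and that the key file holds raw bytes; DEMO_KEY and SAMPLE_BUNDLE are constructed, and verify_file's default key path is the one named on this page.

```python
"""Added example (not Delimit's code): derive an att_ ID, sign, and verify a bundle."""
import hashlib
import hmac
import json
import os

# Constructed demo key; a real install reads ~/.delimit/wrap-hmac.key instead.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# Constructed bundle shaped like the merge_attestation sample on this page.
SAMPLE_BUNDLE = {
    "schema": "delimit.attestation.v1",
    "kind": "merge_attestation",
    "wrapped_command": "claude -p \"add a nullability check to User.email\"",
    "before_head": "52ff636f5e84eb70e30be20deb72b69a4118daf7",
    "after_head": "a7bf9e12c4fa5e2b18d3c7f0b9e4a2d5f8c1e6a3",
    "wrapped_exit": 0,
    "changed_files": ["app/models/user.ts"],
    "governance": {"gates": [{"name": "diff", "files": 1}], "violations": [], "advisory": True},
}


def canonical(bundle):
    """Canonical serialization: keys sorted, default separators (assumed to match the signer)."""
    return json.dumps(bundle, sort_keys=True).encode()


def attestation_id(bundle):
    """att_ plus the first 16 hex chars of SHA-256 over the canonical bundle (assumed canonical form)."""
    return "att_" + hashlib.sha256(canonical(bundle)).hexdigest()[:16]


def sign_bundle(bundle, key):
    """Produce the outer attestation object around a bundle."""
    return {
        "id": attestation_id(bundle),
        "bundle": bundle,
        "signature": hmac.new(key, canonical(bundle), hashlib.sha256).hexdigest(),
        "signature_alg": "HMAC-SHA256",
    }


def verify_attestation(att, key):
    """Return (signature_ok, id_ok), both recomputed from the bundle.

    A wrong key or any edited bundle field fails the signature; an edited bundle
    also breaks the ID, which is content-addressed. compare_digest keeps the
    comparison constant-time."""
    if att.get("signature_alg") != "HMAC-SHA256":
        return False, False
    expected = hmac.new(key, canonical(att["bundle"]), hashlib.sha256).hexdigest()
    sig_ok = hmac.compare_digest(expected, str(att.get("signature", "")))
    id_ok = attestation_id(att["bundle"]) == att.get("id")
    return sig_ok, id_ok


def verify_file(att_path, key_path="~/.delimit/wrap-hmac.key"):
    """Verify a persisted attestation against the per-install key on disk."""
    with open(os.path.expanduser(att_path)) as f:
        att = json.load(f)
    with open(os.path.expanduser(key_path), "rb") as f:
        key = f.read()
    return verify_attestation(att, key)


def tamper_demo(key=DEMO_KEY):
    """Sign the sample, then add a file to changed_files on a copy and re-verify both."""
    att = sign_bundle(SAMPLE_BUNDLE, key)
    forged = json.loads(json.dumps(att))            # deep copy via round-trip
    forged["bundle"]["changed_files"].append("app/auth/session.ts")
    return verify_attestation(att, key), verify_attestation(forged, key)


if __name__ == "__main__":
    genuine, forged = tamper_demo()
    print("genuine:", genuine, "forged:", forged)   # genuine: (True, True) forged: (False, False)
```

Note that a wrong key fails only the signature while the ID still matches, because the ID is a plain hash of the bundle with no secret in it; the ID proves the record is the one being referred to, the HMAC proves it was produced by a holder of the install key.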

Replay URLs

Every attestation gets a canonical replay URL: https://delimit.ai/att/<att_id>. In free mode the URL is a reference — attestations remain local. Pro users opt into cloud upload, which publishes the trust page and JSON feed at the URL so teammates and procurement buyers can inspect the record.

Use delimit trust-page -o ./trust to render an offline-viewable static HTML page + JSON Feed 1.1 from a directory of attestations — deploy wherever you want (GitHub Pages, S3, Vercel, your own infra).

AI-SBOM: attestations as a bill of materials

delimit ai-sbom aggregates a directory of attestations into a CycloneDX 1.6 bill of materials with AI-specific fields. Detected model vendors become components; tool-call surface, policy gate counts, and violation counts become metadata properties. The result is the SBOM format enterprise procurement already accepts, extended with the AI surface it now asks about.

delimit ai-sbom -o ./ai-sbom.json
#   attestations scanned: 47
#   models detected:      4 (anthropic/claude, openai/gpt, google/gemini, cursor/cursor-agent)
#   total gates run:      187
#   total violations:     3
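The aggregation step is straightforward to sketch. The following is an added example, not Delimit's own code: it folds a list of attestation bundles into a CycloneDX 1.6 document with machine-learning-model components and AI-specific metadata properties, in the spirit of the delimit ai-sbom output above. It assumes the model vendor is inferred from the first token of wrapped_command through a constructed lookup table (VENDOR_BY_PRODUCER), and the delimit:* property names are illustrative rather than Delimit's actual schema; SAMPLE_BUNDLES are constructed.

```python
"""Added example (not Delimit's code): attestations -> CycloneDX 1.6 AI-SBOM."""
import json
import os
import shlex

# Constructed mapping from producer command to vendor/model, matching the names in the output above.
VENDOR_BY_PRODUCER = {
    "claude": "anthropic/claude",
    "codex": "openai/gpt",
    "gemini": "google/gemini",
    "cursor": "cursor/cursor-agent",
}

# Constructed bundles; only the fields the aggregation reads are populated.
SAMPLE_BUNDLES = [
    {"kind": "merge_attestation", "wrapped_command": "claude -p \"add a nullability check\"",
     "governance": {"gates": [{"name": "diff", "files": 1}, {"name": "test_smoke", "runner": "npm test", "exit": 0}], "violations": []}},
    {"kind": "merge_attestation", "wrapped_command": "codex -p \"tidy imports\"",
     "governance": {"gates": [{"name": "lint", "exit": 1}], "violations": [{"gate": "lint", "rule": "constructed-rule"}]}},
    {"kind": "liability_incident", "wrapped_command": "gemini -p \"refactor auth\"",
     "governance": {"gates": [{"name": "diff", "files": 0}, {"name": "lint", "exit": 0}], "violations": []}},
    {"kind": "merge_attestation", "wrapped_command": "/usr/local/bin/claude -p \"fix typo\"",
     "governance": {"gates": [{"name": "diff", "files": 1}], "violations": []}},
    {"kind": "merge_attestation", "wrapped_command": "mytool --run",
     "governance": {"gates": [], "violations": []}},
]


def detect_vendor(bundle):
    """Map the producer (basename of the first wrapped_command token) to a vendor, or None."""
    try:
        producer = shlex.split(bundle.get("wrapped_command", ""))[0]
    except (ValueError, IndexError):
        return None
    return VENDOR_BY_PRODUCER.get(os.path.basename(producer))


def build_ai_sbom(bundles):
    """Aggregate bundles into a CycloneDX 1.6 document.

    Vendors become machine-learning-model components (deduplicated); gate,
    violation and incident counts become string-valued metadata properties."""
    vendors = sorted({v for v in map(detect_vendor, bundles) if v})
    gates = sum(len(b.get("governance", {}).get("gates", [])) for b in bundles)
    violations = sum(len(b.get("governance", {}).get("violations", [])) for b in bundles)
    incidents = sum(1 for b in bundles if b.get("kind") == "liability_incident")
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "metadata": {"properties": [
            {"name": "delimit:attestations-scanned", "value": str(len(bundles))},
            {"name": "delimit:total-gates-run", "value": str(gates)},
            {"name": "delimit:total-violations", "value": str(violations)},
            {"name": "delimit:liability-incidents", "value": str(incidents)},
        ]},
        "components": [
            {"type": "machine-learning-model", "group": v.split("/")[0],
             "name": v.split("/")[1], "bom-ref": v}
            for v in vendors
        ],
    }


def summary_lines(sbom):
    """Human-readable summary in the style of the CLI output above."""
    props = {p["name"]: p["value"] for p in sbom["metadata"]["properties"]}
    models = ", ".join(c["bom-ref"] for c in sbom["components"])
    return [
        f"attestations scanned: {props['delimit:attestations-scanned']}",
        f"models detected:      {len(sbom['components'])} ({models})",
        f"total gates run:      {props['delimit:total-gates-run']}",
        f"total violations:     {props['delimit:total-violations']}",
    ]


if __name__ == "__main__":
    sbom = build_ai_sbom(SAMPLE_BUNDLES)
    print("\n".join(summary_lines(sbom)))
    print(json.dumps(sbom, indent=2))
```

Unknown producers (the constructed mytool entry) contribute their gate counts but no component, so the SBOM never claims a vendor it could not identify; a reviewer comparing the attestations-scanned count with the component list can see that gap rather than have it silently filled.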

Telemetry & privacy

Attestations stay local by default. Nothing leaves your machine unless you supply your own Supabase credentials (see the Telemetry section of the README). Data scope when cloud sync is enabled is metadata only: tool name, timestamp, status, model ID, session ID, trace IDs. No source code, no prompts, no model responses.

Kill switch: DELIMIT_DISABLE_CLOUD_SYNC=1 forces all sync operations to no-op even if credentials are configured.