The trust corpus
Every Delimit governance verdict is signed via Sigstore keyless and recorded in the public Rekor transparency log. This is the corpus — every entry verifiable without trusting Delimit, GitHub, or the runner that produced it.
5 attestations so far. The list grows with every PR run of the GitHub Action against an enrolled repo.
326f8ebf518592bd·2026-04-25T16:05ZMarketing showcase PR — 23 breaking changes across all 27 detection types, fully tabled, fully signed
0848cba509bffb35·2026-04-25T12:55Z@v1 floating-tag verification — first attestation produced by a consumer pinned to plain @v1 (now resolves to v1.11.3)
c99a3231dee4eaef·2026-04-25T06:14Zv1.11.2 dogfood — workflow binding card + run-URL surface
c9a8a56ab9f0788b·2026-04-25T05:56Zv1.11.1 dogfood — Breaking Changes table now shows ALL breaking changes
10d658b04e8e3bd2·2026-04-25T05:41Zv1.11.0 dogfood — first signed Delimit attestation on a real PR
Verify any entry yourself
Click any attestation above to land on its /att/<id> page. From there you can copy the cosign verify-blob command, download the signed bundle from the workflow run, and run the verification locally — no Delimit account, no API key, no web call to delimit.ai.
The Rekor transparency log is the durable proof. Even if delimit.ai disappears tomorrow, every entry in this corpus remains independently verifiable through Sigstore.