Signed Briefs

Provenance you can re-verify, not just trust.

Trust & E-E-A-T infrastructure for AI-assisted research.

Why this exists

AI-assisted research is only as trustworthy as the sources behind it. Every brief Kitalpha Finance publishes is accompanied by a Signed Brief receipt: a cryptographic record of what was written, which model wrote it, and exactly which sources it relied on — signed at the moment of generation and independently re-verifiable by anyone, forever.

This is experience, expertise, authoritativeness and trustworthiness (E-E-A-T) expressed as infrastructure rather than a marketing claim. You do not have to take our word for it — you can check the maths.

What a receipt attests

  • Content hash — a SHA-256 fingerprint of the brief text, so any later edit is detectable.
  • Model identity — the model id and version that generated the brief.
  • Sources — every cited URL, with the HTTP status and timestamp recorded at signing time.
  • Generation time — when the brief was produced.

These facts are serialized canonically and signed with an Ed25519 key. The public half is published at /.well-known/kitalpha-provenance.json; the private half exists only as a Worker secret and never touches the repository or the browser.

Two refusals that keep it honest

  1. Refuse to sign. If any cited source does not return HTTP 200 at generation time, the brief is not signed at all. A receipt can never vouch for a source that was already broken.
  2. Refuse to verify. Each ledger page re-fetches every cited source live on every view. If a source has since gone dark, the page will not display “Verified” — even though the signature itself remains cryptographically valid.

Verify one yourself

Open any /ledger/<id> page. It will re-check the signature against the published key and re-test every source link in real time. The published key:

49326fb2fc3e4361a67037bea7bc64aeb8819c38ea169c560089222e719a2c62

Content Credentials on charts

Chart images are additionally signed with C2PA Content Credentials (the Content Authenticity standard) so their origin travels with the file. At launch these use a local signing certificate; at scale this is swapped for a publicly trusted certificate (e.g. DigiCert) without changing the pipeline.

On the EU AI Act

This system is designed in the spirit of Article 50 of the EU AI Act — the transparency obligations for AI-generated content, which apply from 2 August 2026. We adopt verifiable, machine-readable provenance because it is good practice and good for readers.

This is trust infrastructure and general information only. It is not a legal-compliance claim, and we make no representation that it satisfies any specific obligation under the EU AI Act or any other law. It is not legal advice.