AttestLayer

Program lane

HUMAN-01 — Human approval and change evidence

HUMAN-01 packets record human approvals around changes, releases, exceptions, freezes, and break-glass actions. The lane is for change-management and platform-operations teams that want a reviewer-friendly record of who approved what and when.

Evidence profile · Record-only · Verifier-friendly · Not a certification

A program lane is a packet structure and an evidence-expectation profile. It is not a certification, audit opinion, or legal/regulatory approval.

Where HUMAN-01 fits

Change management

Production changes, releases, or freezes that need an approval record.

Break-glass actions

Emergency or exception actions that need a verified record.

Platform operations

Platform teams documenting human approvals across multiple environments.

Reviewer requests

Auditors or buyers asking for change/approval evidence in a standard format.

What the HUMAN-01 packet records

Approver record

Who approved the change or action, and their authority reference.

Action context

What changed, in what environment, and the affected scope.

Time and signal

When the approval was given and through what signal.

Verification path

Binder, manifest, signed receipt, hash trail, offline verifier.

What HUMAN-01 does not do

  • does not certify the underlying compliance, security, or legal state
  • does not promise buyer, regulator, insurer, PSP, or auditor acceptance
  • does not opine on the truthfulness of submitted records
  • does not replace audit, regulatory, legal, or insurance review


The AttestLayer trust model

AttestLayer’s trust model is intentionally narrow. It records what was submitted, what was accepted into scope, what was issued, and how the issued kit can be checked.

The model uses

  • SHA-256 artifact hashing
  • manifest-based evidence inventory
  • canonical receipt hashing
  • Ed25519 receipt signatures
  • JWKS public-key discovery
  • offline verification
  • fail-closed verification behavior

What it proves

  • files match the manifest
  • manifest matches the receipt
  • receipt key ID matches a public key
  • receipt signature verifies
  • the kit has not been modified since issuance
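The checks in the list above, written out as an added Go example (not AttestLayer's code) that returns an error on the first failed check. The manifest layout (path to hex SHA-256), the `Receipt` fields, the signature covering the raw receipt bytes, and all names are assumptions, since the page does not publish its formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Hypothetical shapes: the page does not publish the manifest, receipt or key formats.
type Receipt struct{ Kid, ManifestSHA256 string }
type JWK struct{ Kty, Crv, Kid, X string } // RFC 8037 OKP public key fields
func sha(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Verify returns nil only when every check passes (fail closed). Assumes sig covers the raw receipt bytes.
func Verify(files map[string][]byte, manifest, receipt, sig []byte, jwks []JWK) error {
	var m map[string]string // manifest: path -> hex SHA-256
	var r Receipt
	if json.Unmarshal(manifest, &m) != nil || json.Unmarshal(receipt, &r) != nil || len(m) == 0 {
		return fmt.Errorf("unparseable or empty manifest/receipt")
	}
	if len(files) != len(m) || sha(manifest) != r.ManifestSHA256 {
		return fmt.Errorf("manifest does not match file set or receipt")
	}
	for path, want := range m {
		if data, ok := files[path]; !ok || sha(data) != want {
			return fmt.Errorf("file %q missing or modified", path)
		}
	}
	for _, k := range jwks {
		if k.Kid == r.Kid && k.Kty == "OKP" && k.Crv == "Ed25519" {
			pub, err := base64.RawURLEncoding.DecodeString(k.X)
			if err != nil || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, receipt, sig) {
				return fmt.Errorf("receipt signature does not verify")
			}
			return nil
		}
	}
	return fmt.Errorf("receipt key ID not found in JWKS")
}

func main() { // constructed one-file kit signed with a throwaway key
	pub, priv, _ := ed25519.GenerateKey(nil)
	files := map[string][]byte{"approval.json": []byte(`{"approver":"alice"}`)}
	man, _ := json.Marshal(map[string]string{"approval.json": sha(files["approval.json"])})
	rec, _ := json.Marshal(Receipt{"k1", sha(man)})
	keys := []JWK{{"OKP", "Ed25519", "k1", base64.RawURLEncoding.EncodeToString(pub)}}
	fmt.Println(Verify(files, man, rec, ed25519.Sign(priv, rec), keys)) // <nil>
}
```

A nil result here says only that the kit is intact and was signed by the listed key, which is the same boundary the page draws between what the model proves and what it does not.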

What it does not prove

  • company compliance status
  • company security status
  • controls are operating effectively
  • a buyer, auditor, insurer, bank, regulator, or PSP has accepted the packet
  • the evidence content is legally sufficient

Integrity and issuance evidence only. Not audit, certification, or compliance guarantee.