Verification Guide

How to Independently Verify AOS Evidence

This guide explains how researchers, developers, auditors, and the public can independently verify all claims made in this repository.

2-Minute Verification

Verify core evidence in ~2 minutes:

# 1. Clone the repository
git clone https://github.com/genesalvatore/aos-evidence.com.git
cd aos-evidence.com

# 2. Fetch all tags
git fetch --tags --force

# 3. Check the canonical tag for Feb 6 evidence release
git show --no-patch evidence-2026-02-06

# 4. Verify signed tag (if available)
git verify-tag evidence-2026-02-06  # Optional: only if tag is GPG-signed

# 5. Check the  primary commit for Feb 5 audit
git show d534af9

# 6. Verify repository integrity
git fsck --full --strict

# 7. Hash key evidence documents
# Record these hashes from THIS tag/commit and compare across mirrors/archives

# macOS/Linux:
shasum -a 256 chatgpt_security_audit_feb_5_2026/CHATGPT_AUDIT_REPORT.md
shasum -a 256 chatgpt_security_audit_feb_5_2026/WHAT_WE_BUILT_FEB_5_2026.md
shasum -a 256 chatgpt_security_audit_feb_5_2026/THREAT_MODEL_V1.md

# Windows (PowerShell):
# Get-FileHash chatgpt_security_audit_feb_5_2026/CHATGPT_AUDIT_REPORT.md -Algorithm SHA256
# Get-FileHash chatgpt_security_audit_feb_5_2026/WHAT_WE_BUILT_FEB_5_2026.md -Algorithm SHA256
# Get-FileHash chatgpt_security_audit_feb_5_2026/THREAT_MODEL_V1.md -Algorithm SHA256

Reproducibility (when bypass tests are published, target: Feb 15):

# Run bypass test suite at this exact tag
git checkout evidence-2026-02-06
npm install
npm run test:bypass

# Hash the test output for verification (most mechanically verifiable)
npm run test:bypass 2>&1 | tee BYPASS_RUN_OUTPUT.txt | shasum -a 256

# Optional 4th document: when available, also hash bypass test results
# shasum -a 256 BYPASS_TEST_RESULTS_evidence-2026-02-06.txt

Deep verification (1-2 hours):

What Git Proves (and what it doesn't)

✅ Verifiable via Git

  1. Integrity - Git stores content by hash; change the content → hash changes
  2. History - Commits form a parent-linked chain (tampering becomes detectable)
  3. Reproducibility - Anyone can clone and re-run tests against the same commit
  4. Authenticity (when signed) - GPG/S/MIME signatures prove who signed a tag/commit
  5. Hosting metadata - Git hosting platforms like GitHub record push/hosting timestamps alongside Git's author/committer dates

⚠️ Git Limitations

  1. Availability - Repos can be deleted if nobody mirrors them (we encourage mirrors/archives)
  2. Claims outside the repo - Anything not anchored to a commit/tag is not evidence
  3. Author/committer dates - Both are stored inside the commit object and can be set by the author/committer. Use signed tags/commits and independent mirrors/archives, plus hosting "pushed/observed" timestamps, for stronger timeline confidence

❌ Non-Verifiable (Trust Required)

  1. Internal conversations - Private discussions before documentation
  2. Development timeline - Work not committed to public repos
  3. Patent full details - Confidential until USPTO publication
  4. Private audit discussions - Conversations with ChatGPT

We document what CAN be verified. We're transparent about what CANNOT.

Verification Steps

1. Timeline Verification

Verify key dates are consistent across all documents:

# Check when each document mentions key dates
grep -r "January 10, 2026" .
grep -r "January 21, 2026" .
grep -r "February 5, 2026" .

# Verify Git commits match claimed dates
git log --all --since="2026-02-01" --until="2026-02-10" --format='%ai %h %s'

Expected results:

Red flags:

2. Cross-Reference External Sources

Verify industry timeline:

Jan 21, 2026 announcements - Check:

How to verify:

# Use web archives for permanent records
# Wayback Machine: https://web.archive.org/

# Search for industry announcements
# Check: anthropic.com/news, openai.com/blog, deepmind.google/blog

If industry announced BEFORE Jan 21:

If industry announced AFTER Jan 21:

3. Technical Claim Verification

Verify vulnerability catalog accuracy:

  1. Review THREAT_MODEL_V1.md

    • Check 36 vulnerabilities are listed
    • Verify each has: description, severity, fix, verification

  2. Cross-reference CHATGPT_AUDIT_REPORT.md

    • Same 36 vulnerabilities mentioned?
    • Consistent severity assessments?
    • Consistent fix descriptions?

  3. When reference code published (Feb 15):

    • Run bypass tests
    • Verify fixes actually work
    • Confirm security guarantees
# When tests published:
npm run test:bypass

# Expected: 15/15 tests pass
# If tests fail: our security claims are questionable

4. Git History Audit

Check for suspicious activity:

# View complete commit history
git log --all --graph --decorate --oneline

# Check for amended commits (potential backdating)
git log --walk-reflogs

# Verify author consistency
git log --format='%ai %ae %s'

# Check for force pushes (compare against archived/mirrored refs)
git ls-remote --heads origin main
# Compare with prior archived references (Wayback, signed tags, mirrors)

Note: Git alone can't prove a remote was never force-pushed unless you have independent references (signed tags, mirrors, archived hashes).

Red flags:

Green flags:

5. Document Consistency Check

Verify all documents tell the same story:

Key claims to verify across docs:

Claim WHAT_WE_BUILT CHATGPT_AUDIT THREAT_MODEL
Patent filed Jan 10 ✅ Check ✅ Check ✅ Check
Industry convergence Jan 21 ✅ Check ✅ Check ✅ Check
36 vulnerabilities found ✅ Check ✅ Check ✅ Check
5 audit passes ✅ Check ✅ Check ✅ Check
Production approved ✅ Check ✅ Check ✅ Check

How to check:

# Search for specific claims across all documents
find . -name "*.md" -exec grep -l "36 vulnerabilities" {} \;
find . -name "*.md" -exec grep -l "January 10, 2026" {} \;
find . -name "*.md" -exec grep -l "production" {} \;

If inconsistencies found:

6. External Validator Verification

Verify ChatGPT's involvement:

What we claim:

How to verify:

If OpenAI/validators respond:

7. Patent Priority Verification

After USPTO publication (18 months from Jan 10, 2026):

Check patent office records:

# USPTO PAIR (Public Patent Application Information Retrieval)
# https://portal.uspto.gov/pair/PublicPair

# Search for:
Inventor: Eugene Christopher Salvatore
Filing Date: January 10, 2026

Verify:

If patents NOT filed by Jan 10:

Falsifiability Tests

Test 1: Backdating Check

Hypothesis: Git commits were backdated to create false timeline

How to test:

# View author and committer timestamps
git log --format='%ai %ci' 

# %ai = author date (set by author/committer)
# %ci = committer date (set by author/committer)

Note: %ai and %ci come from the commit object. For platform-recorded timing, compare with GitHub's "pushed/observed" timestamps (visible in GitHub UI) and third-party archives.

Pass: Realistic timestamp progression
Fail: Suspicious patterns or backdating detected

Test 2: Industry Timeline Check

Hypothesis: Industry announced constitutional AI before AOS filing

How to test:

  1. Check Anthropic announcements before Jan 21, 2026
  2. Check OpenAI announcements before Jan 21, 2026
  3. Check Google announcements before Jan 21, 2026
  4. Use web archives for permanent record

Pass: No major announcements before Jan 21
Fail: Industry announced before our claimed priority

Test 3: Technical Reproducibility

Hypothesis: Security guarantees are not actually achievable

How to test (when code published):

# Run bypass test suite
npm run test:bypass

# Try to bypass constitutional gate
# - Path traversal attacks
# - Symlink escapes
# - Network bypasses
# - TOCTOU attacks

Pass: All bypass tests fail (system is secure)
Fail: Bypass tests succeed (security claims false)

Test 4: Cross-Reference Consistency

Hypothesis: Documents contradict each other on key facts

How to test:

# Extract all dates mentioned
grep -roh "[A-Z][a-z]* [0-9][0-9]*, [0-9][0-9][0-9][0-9]" . | sort | uniq

# Extract all vulnerability counts
grep -ro "[0-9]+ vulnerabilities" .

# Extract all participant names
grep -ro "ChatGPT\|OpenAI\|Anthropic\|Claude\|Silas" . | sort | uniq -c

Pass: Consistent facts across all documents
Fail: Major contradictions found

Common Questions

"How do I know Git timestamps are real?"

Answer: Git commits include author and committer dates (set by author/committer)

Git hosting platforms also record push/hosting metadata. For strongest verification:

"How do I know ChatGPT actually approved this?"

Answer: You can't know for certain, but:

  1. We published full audit transcript
  2. OpenAI (or anyone) could publicly dispute these claims. We can't compel confirmation; that's why we publish reproducible artifacts and make claims falsifiable
  3. Technical content is sophisticated (hard to fake)
  4. Claims are specific and falsifiable

Trust requires some faith, but we minimize it.

"How do I know the patent was actually filed?"

Answer: USPTO public records (after 18 months)

This is why we set a falsifiable claim.

"What if you delete the repo later?"

Answer: Once cloned/mirrored/archived, history is hard to erase and silent changes become detectable

That's why we're careful about what we publish.

Tools and Resources

Git Verification Tools

# View full commit details
git log --format=fuller

# Check commit integrity
git fsck --full

# Verify cryptographic signatures (if GPG signed)
git verify-commit <hash>
git verify-tag <tag>

External Resources

Web Archives:

Patent Databases:

Industry Announcements:

Reporting Issues

Found an Error?

If you find inconsistencies, please report:

Email: [Available Feb 12, 2026]
GitHub Issues: [This repo]
Public disclosure: Encouraged

We commit to:

  1. Acknowledge all valid critiques
  2. Correct errors publicly
  3. Update documents with corrections noted
  4. Never delete evidence (only append corrections)

Verification Checklist

Complete verification includes:

Time required: 1-2 hours for thorough verification

Remember: We designed this repository to BE verifiable. If you can't verify our claims, we failed our mission.

Questions? Found issues? Contact us or open a GitHub issue.

Last updated: February 6, 2026
Part of: aos-evidence.com
License: CC BY 4.0

💙⚖️🛡️