Skip to content

Audit lineage

Miombo binds calculated outputs to canonical JSON manifests. Each manifest is hashed with SHA-256, signed using ECDSA P-256 and stored with a pointer to the preceding manifest when it supersedes an earlier result.

Manifest controls

  • Canonical serialization produces deterministic bytes for identical inputs.
  • The SHA-256 digest is the manifest's stable identifier.
  • The signature binds the canonical bytes to a published signing key.
  • The methodology name, version and methodology-pack reference are part of the signed body.
  • Restatements append a new manifest and retain the preceding reference; signed history is not rewritten.

Verification surface

The public API provides:

EndpointPurpose
GET https://api.miombolabs.com/audit/manifest/{hash}Retrieve the manifest, canonical bytes and signature.
GET https://api.miombolabs.com/audit/manifest/{hash}/verifyRun server-side signature and key-window verification.
GET https://api.miombolabs.com/audit/manifest/{hash}/chainWalk the append-only predecessor chain.
GET https://api.miombolabs.com/audit/keys.pemRetrieve active and retired public verification keys.
GET https://api.miombolabs.com/audit/methodology/{name}/{version}Retrieve the registered methodology record.

Assurance boundary

Cryptographic verification establishes that the canonical content has not changed and was signed by the identified key. It does not independently establish that an upstream observation was complete, correctly geolocated or fit for a particular decision. Those controls remain part of evidence review and assurance scope.

Versioned methodology documentation for Miombo Nature Risk Intelligence.