Every signed compliance report carries enough metadata to be reproduced and re-verified by an independent reviewer.
attestation.signature — HMAC-SHA256 over the canonical report body. Verify via GET https://api.bitpoort.com/v1/verify/<content_hash> (public, no auth).
attestation.reproducibility.git_commit — the exact code commit that generated the report.
attestation.reproducibility.alembic_head — the schema migration head at generation time.
attestation.reproducibility.eval_baseline — 97.5% tool selection accuracy across Haiku/4o-mini/Sonnet, 0 invariant violations, 188 regression tests passing.
data_provenance — sanctions / mixer / entity-registry row counts pinned at the moment of report generation, so re-running against a later DB snapshot is auditable.
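The following is an added example, not Bitpoort's code: it shows how an HMAC-SHA256 signature over a canonical report body binds the reproducibility and data_provenance fields, so that changing a pinned row count invalidates the signature. Assumptions: the canonical form is sorted-key compact JSON covering everything except the signature itself, and the key, row counts and placeholder commit values are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key; the real signing key is held by the report issuer.
DEMO_KEY = b"constructed-demo-key"


def canonical_body(report: dict) -> bytes:
    """Deterministic bytes for signing.

    Assumption: sorted keys, compact separators, UTF-8, signature field excluded.
    """
    body = json.loads(json.dumps(report))  # deep copy, leaves the input untouched
    body.get("attestation", {}).pop("signature", None)
    return json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign(report: dict, key: bytes) -> str:
    return hmac.new(key, canonical_body(report), hashlib.sha256).hexdigest()


def verify(report: dict, key: bytes) -> bool:
    claimed = report.get("attestation", {}).get("signature")
    if not isinstance(claimed, str):
        return False  # missing or malformed signature never verifies
    # Constant-time comparison avoids leaking how many hex digits matched.
    return hmac.compare_digest(sign(report, key).encode(), claimed.encode())


def sample_report() -> dict:
    """Constructed report using the field names listed above."""
    report = {
        "findings": [],
        "data_provenance": {"sanctions": 1200, "mixer": 85, "entity_registry": 4300},
        "attestation": {"reproducibility": {
            "git_commit": "PLACEHOLDER_COMMIT",
            "alembic_head": "PLACEHOLDER_HEAD",
        }},
    }
    report["attestation"]["signature"] = sign(report, DEMO_KEY)
    return report


if __name__ == "__main__":
    r = sample_report()
    print("intact:", verify(r, DEMO_KEY))
    r["data_provenance"]["sanctions"] += 1  # simulate a later DB snapshot
    print("after row-count change:", verify(r, DEMO_KEY))
```

Because HMAC is symmetric, only a holder of the signing key can run this check locally; a reviewer without the key relies on the public verify endpoint instead.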