Current proof

Abizor installed from the public wheel and verified a proof bundle.

This proof shows the public install path working outside the Abizor source checkout. A fresh virtual environment installed the public wheel, ran abizor ci-proof against a fixture repository, generated Change Record artifacts, and verified the bundle with abizor verify-proof. The refreshed proof bundle records evaluator identity and content-addressed evidence refs.

Date2026-06-10

Installpublic wheel

Verifierverify-proof

Canonical truthevent log

What was verified

Clean install, CI proof, Change Record, and local verification.

A fresh Python virtual environment was created outside the Abizor source checkout.

The public wheel artifact was copied to a runner-temp style path, installed from that local file, and recorded through ABIZOR_PUBLIC_WHEEL_PATH plus ABIZOR_PUBLIC_WHEEL_URL.

The installed package imported from the virtual environment, exposed ci-proof and verify-proof, and ran the proof loop on a temporary Git repository fixture.

The generated manifest recorded evaluator abizor-ci-proof, evaluator schema 1, Abizor package 0.1.0, and the current public wheel hash.

Public install boundary

The install path no longer needs source repository access.

The public wheel URL is https://abizor.dev/downloads/abizor-0.1.0-py3-none-any.whl.

The proof test uses the committed wheel artifact for deterministic CI. Deployment smoke separately verifies that the same wheel is served from abizor.dev/downloads/.

Generated artifacts

The installed CLI produced the proof bundle.

Event logabizor-events.json

Manifestabizor-artifacts.json

Change Record JSONabizor-change-record.json

Change Record Markdownabizor-change-record.md

Public wheel URLhttps://abizor.dev/downloads/abizor-0.1.0-py3-none-any.whl

Public wheel SHA-256aa08b7f8850bdf140b142824d62ee9a2211c0d0ffe1eb2f3ba5a9b511c059622

Evidence refs

The proof bundle records stable content-addressed refs.

Event log: sha256:7aab0a6518eddf8e4152375e4e3f4afac43300c175c550ff8b5977d97e608c3c

Manifest: sha256:06324de0f44f4d753e1b66c1513b42c47cb271737efc4b4a63d180c20b81898d

Change Record JSON: sha256:bd34647db655569e0941204b58447aded5588055fb23e4f14f0f2ecc568506ce

Change Record Markdown: sha256:dd209e6b93c185991665f4fb0c4bc5ba6823b83d13390b21e307372b92b794fc

These refs are simple local SHA-256 refs, not signatures, SLSA, in-toto, a transparency log, or hosted attestation.

Output

The installed verifier accepted the generated bundle.

verified: event log, manifest, and Change Record artifacts match

Boundary

What this proof does not claim.

This proof did not create, merge, or deploy code.

It did not use live GitHub API behavior, a hosted app, hosted API, dashboard, billing flow, or GitHub App.

It does not claim PyPI distribution, hosted customer access, compliance, security-audit, regulated-enterprise, or production-deployment coverage.

Canonical truth remains the generated Abizor event log. The Change Record, manifest, proof report, and this public page are projections or evidence over that event log.