Every retrieved passage carries an HMAC receipt over its source URI, content hash, and retrieval timestamp. The compiled .kolm only grounds answers in passages whose chain verifies. The citation isn’t asserted; it’s proved. When legal asks who said what, the receipt is the answer.
Today’s RAG stacks return passages but cannot prove which passage actually drove the answer, or whether the retrieved text matches the source-of-record at the time of retrieval. Discovery, FOIA requests, and SR 11-7 audits all hit the same wall: the chain from question to citation is asserted, not verifiable.
Production RAG citations point to documents that have changed or moved since retrieval. The answer references a paragraph the source no longer contains.
The model claims a passage supports the answer when the passage is topically related but does not actually entail it. Auditors call this a fabricated source.
Reconstructing a single answer’s retrieval lineage from a vector store and LLM logs is manual. The receipt chain reduces this to one CLI call.
A .kolm compiled for enterprise search packages the embedding model, the corpus manifest, and the answering recipe as one signed artifact. The runtime won’t emit a grounded answer unless every cited passage’s receipt verifies first.
Every passage carries an HMAC over (source_uri, sha256(content), retrieved_at). The receipt secret is held by the tenant; the runtime verifies without phoning home.
The decoder reads passages through a grounding constraint: tokens not supported by a verified passage trigger a refusal token. Hallucinated citations cannot ship.
Given the receipt and the corpus snapshot CID, kolm verify --query <id> reconstructs the exact retrieval window, in any order, without the model running. Auditors verify in seconds.
The query receipt is canonical JSON, signed, byte-stable across hosts. Drop two receipts next to each other and diff tells you what changed.
```
# ask the compiled artifact
$ kolm run kb-policy-q.kolm "what is our PHI retention window?"
answer  PHI is retained for 6 years from the last encounter date (Policy 4.2.3).
cites   3 passages, all verified

# inspect the receipt
$ kolm receipt last --json
{
  "query_id": "q_01HXK7N3...",
  "artifact_cid": "cidv1:sha256:8a3f...",
  "passages": [
    {
      "source_uri": "s3://kb/policies/2026-Q1/phi-retention.pdf#p7",
      "content_sha256": "9b1c...",
      "retrieved_at": "2026-05-15T03:14:22Z",
      "receipt_hmac": "f3e2..."
    },
    { /* 2 more, redacted */ }
  ],
  "grounding": { "constrained": true, "refusal_token_seen": false },
  "signature": "cidv1:sha256:7d09..."
}

# auditor verifies, offline, no model
$ kolm verify --receipt q_01HXK7N3.json --corpus-cid cidv1:sha256:c2b1...
✓ all 3 passage receipts verify
✓ grounding constraint matches passages
✓ signature OK over canonical receipt body
```
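The per-passage receipt described above, an HMAC over (source_uri, sha256(content), retrieved_at), sketched in Python as an added example; it is not kolm's own code. The page does not specify how the three fields are serialized before the MAC, so sorted-key JSON is an assumption here, and the function names `issue_receipt`, `verify_receipt` and `may_ground` are hypothetical.

```python
import hashlib
import hmac
import json

def _mac_input(source_uri, content_sha256, retrieved_at):
    # Assumed serialization (not from the page): sorted-key, whitespace-free JSON,
    # so field boundaries are unambiguous and the bytes are the same on every host.
    fields = {"source_uri": source_uri, "content_sha256": content_sha256,
              "retrieved_at": retrieved_at}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def _tag(secret, source_uri, content_sha256, retrieved_at):
    msg = _mac_input(source_uri, content_sha256, retrieved_at)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def issue_receipt(secret, source_uri, content, retrieved_at):
    """Build a receipt at retrieval time, using the page's four field names."""
    digest = hashlib.sha256(content).hexdigest()
    return {"source_uri": source_uri, "content_sha256": digest,
            "retrieved_at": retrieved_at,
            "receipt_hmac": _tag(secret, source_uri, digest, retrieved_at)}

def verify_receipt(secret, receipt, snapshot_content):
    """Return 'ok', 'malformed', 'bad_mac' or 'content_mismatch'."""
    try:
        expected = _tag(secret, receipt["source_uri"], receipt["content_sha256"],
                        receipt["retrieved_at"])
        claimed = receipt["receipt_hmac"].encode()
    except (KeyError, TypeError, AttributeError):
        return "malformed"
    # Constant-time comparison: do not leak how many tag bytes matched.
    if not hmac.compare_digest(expected.encode(), claimed):
        return "bad_mac"
    # The MAC binds the recorded hash; the snapshot bytes must still match it.
    if snapshot_content is None or \
            hashlib.sha256(snapshot_content).hexdigest() != receipt["content_sha256"]:
        return "content_mismatch"
    return "ok"

def may_ground(secret, receipts, snapshot):
    """Fail closed: every cited passage must verify against the snapshot."""
    return bool(receipts) and all(
        verify_receipt(secret, r, snapshot.get(r.get("source_uri"))) == "ok"
        for r in receipts)

if __name__ == "__main__":
    SECRET = b"constructed-tenant-secret"  # constructed sample values
    TEXT = b"Sample policy paragraph."
    r = issue_receipt(SECRET, "s3://example-bucket/policy.pdf#p7", TEXT,
                      "2026-01-01T00:00:00Z")
    print(verify_receipt(SECRET, r, TEXT), verify_receipt(SECRET, r, TEXT + b"!"))
```

The two failure results map to different findings: `bad_mac` means the receipt itself was altered or issued under another secret, while `content_mismatch` means the receipt is authentic but the snapshot no longer holds the bytes that were retrieved.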
You keep your existing vector store and your existing document pipeline. The .kolm wraps both with a signed manifest, a constrained decoder, and a receipt emitter. The corpus snapshot becomes a CID; the answers become diffable.
Internal IT, HR, compliance. Answers cite policy sections by source URI; when the corpus is renewed every quarter, the corpus CID rolls forward atomically.
Legal e-discovery, FOIA response, regulatory inquiries. Every retrieved passage’s receipt is admissible as a chain-of-custody artifact.
SRE runbooks, hardware service manuals, drug references in clinical workflows. Offline and signed, so the answer is the same whether you’re online or in a SCIF.
A .kolm compiled for enterprise search ships the receipt chain in the same file as the model. There is no separate audit log to keep in sync; there is no separate verification service to scale.