Every .kolm output ships with an HMAC-SHA256 receipt chained to the artifact’s manifest hash and your tenant key. Anchor that receipt to Sigstore, Rekor, Arweave, or Bitcoin OP_RETURN and any third party (an auditor, a counter-party, a judge) can verify offline that this exact model produced this exact output.
A .kolm receipt isn’t a single hash. It’s a chain that ties together the artifact, the call, and the registry, so you can verify provenance end-to-end without trusting our infrastructure.
Ring 1 (artifact): signs the manifest, base model GGUF, LoRA, recipes, and recall index. Tampering breaks the chain. Verify with kolm verify <artifact>.
Ring 2 (call): signs the input, output, K-score, timestamp, and recall sources. Bound to your tenant key. Cannot be forged without it.
Ring 3 (anchor): optional. Anchor the chain head to Sigstore Rekor (default), Arweave (permanent), or Bitcoin OP_RETURN (timestamped). Public, tamper-evident, decade-durable.
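An added sketch, not kolm's own code or receipt format, of how the first two rings can bind a call to an artifact: the call fields are MACed together with the manifest hash, so changing the output or re-pointing the receipt at another artifact fails verification. The field names, the JSON canonicalisation, and the sample key, manifest and call are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

def manifest_hash(manifest_bytes):
    """Ring 1: content hash of the artifact manifest."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()

def _mac(tenant_key, m_hash, call):
    # Canonical JSON so signer and verifier MAC byte-identical input.
    body = json.dumps({"manifest": m_hash, "call": call},
                      sort_keys=True, separators=(",", ":"))
    return hmac.new(tenant_key, body.encode("utf-8"), hashlib.sha256).hexdigest()

def sign_call(tenant_key, m_hash, call):
    """Ring 2: HMAC-SHA256 over the call fields and the manifest hash."""
    return {"manifest": m_hash, "call": call, "hmac": _mac(tenant_key, m_hash, call)}

def verify_receipt(tenant_key, manifest_bytes, receipt):
    """Return the failed checks; an empty list means the receipt verifies."""
    failures = []
    actual = manifest_hash(manifest_bytes)
    if not hmac.compare_digest(actual.encode(), receipt["manifest"].encode()):
        failures.append("ring 1: manifest hash mismatch")
    # HMAC is symmetric: the verifier needs the same tenant key the signer used.
    expected = _mac(tenant_key, receipt["manifest"], receipt["call"])
    if not hmac.compare_digest(expected.encode(), receipt["hmac"].encode()):
        failures.append("ring 2: hmac invalid")
    return failures

# Constructed sample data (hypothetical values, not real kolm artifacts or keys).
TENANT_KEY = b"constructed-tenant-key-for-demo"
MANIFEST = b'{"base_model":"example-base","lora":"example-lora"}'
OTHER_MANIFEST = b'{"base_model":"example-base","lora":"different-lora"}'
CALL = {"input": "Is clause 4 an indemnity?", "output": "yes", "k_score": 91.4,
        "timestamp": "2026-05-08T14:21:09Z", "recall_sources": ["chunk-1", "chunk-2"]}
RECEIPT = sign_call(TENANT_KEY, manifest_hash(MANIFEST), CALL)

if __name__ == "__main__":
    print("intact:", verify_receipt(TENANT_KEY, MANIFEST, RECEIPT))
    edited = dict(RECEIPT, call=dict(CALL, output="no"))
    print("edited output:", verify_receipt(TENANT_KEY, MANIFEST, edited))
    rebound = dict(RECEIPT, manifest=manifest_hash(OTHER_MANIFEST))
    print("re-pointed:", verify_receipt(TENANT_KEY, OTHER_MANIFEST, rebound))
```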
The receipt format is anchor-agnostic. We default to Sigstore Rekor because it’s free, audited, and operated by the Linux Foundation. But the artifact verifies the same against any of these.
Sigstore Rekor: anchored automatically when you run kolm sign --anchor=rekor. Public transparency log; merklized; LF-AI-aligned.
Arweave: permanent storage with a one-time fee. Useful for receipts that must outlive the company. 200-year storage commitment from the protocol.
Bitcoin OP_RETURN: commits the 32-byte chain head into the most-attacked timestamp service in the world. Pure existence proof. Useful when your audit story needs the strongest available timestamp anchor.
Don’t want a public anchor? Run a self-hosted Trillian log on your infra. Same Merkle proofs, private trust domain. Ships in Enterprise tier.
The verification ritual works offline, against any artifact, any time. No call to our servers; we don’t see the verification request and don’t need to.
# given: a .kolm artifact and a receipt claim
$ kolm verify \
    --artifact ./contract-clauses-1.2.kolm \
    --receipt ./output-2026-05-08.receipt \
    --anchor rekor

✓ ring 1 (artifact): manifest hash matches    sha256:7f3a…
✓ ring 2 (call): hmac-sha256 valid            tenant: org_4xK
✓ ring 3 (anchor): rekor entry 19,283,471     tlog timestamp: 2026-05-08T14:21:09Z
✓ base model: qwen-2.5-3b-instruct            sha256:9d1e…
✓ recall sources: 4 chunks, all present       index: contracts-prod-v3
✓ K-score on holdout: 91.4 (gate: ≥85)
✓ evaluator: clause-classifier-eval-v2        sha256:3a72…

VERIFIED · this output was produced by this exact artifact at the time anchored to Rekor.
Receipts aren’t for show. The buyers below are the ones we hear from first when the conversation turns to provenance.
Healthcare model risk reviewers, banking SR 11-7 model committees, FDA-path SaMD vendors. Receipts replace screenshots as the audit substrate. The chain is the evidence.
Verifiable inference rollups, data DAOs, prediction markets that pay model authors per call. The receipt is the on-chain bill. Anyone can verify it before paying.
Contract review, due-diligence reports, journalism. The receipt is the chain of custody. A court can verify the artifact-output binding without us being in the loop.
Verification has limits. We list them.
A receipt proves the artifact ran and what it produced. Not that the output is correct; that’s what the K-score and the verifier are for.
We don’t generate a zero-knowledge proof of the inference itself. That’s a separate research direction we’re tracking; today the chain is HMAC-anchored.
Verification needs the .kolm file (or its components). Receipts alone don’t reproduce the output; they prove provenance against the file.
If your AI has to answer to an auditor, a regulator, or a chain, the answer is a receipt. kolm produces one for every call, free, by default.