reyes-source-protection — Signal + SIM-swap compromise of a leak channel

what this proves

• every primary engine produces deterministic, fixture-locked output — verified by npm run check:flagship (7/7).
• every output is generated 100% locally in your browser — no upload, no server-side processing of your evidence.
• the full case binder is built from these outputs without uploading a single byte — click below to generate it locally.

primary engines locked to this fixture

• ios-signal-artifact-forensic-extractor
• android-signal-database-forensic-extractor
• signal-desktop-artifact-forensic-extractor
• sim-swap-artifact-forensic-detector
• google-account-activity-export-forensic-deep-analyzer
• casb-oauth-token-abuse-detector
• google-takeout-forensic-parser

build the case binder

one click runs all primary engines on the synthetic evidence, assembles findings into a self-contained html binder, and opens it in a new tab. print to pdf from there — still zero upload.

download the synthetic evidence

MIT-licensed, fully synthetic, safe to attach to a PR or send to a reviewer. Compare your local runs against the published goldens.

built deterministically from scripts/fixtures/build-reyes-source-protection.mjs. seed: reyes-source-protection:v1.

methodology

source protection investigations work backward from the burn event. establish the SIM swap timestamp first — the Signal registration transfer artifact anchors the 4-hour window before the source was identified. Google account activity surfaces the foreign session during the swap; the CASB OAuth audit shows whether a rogue app grant pre-dated or post-dated the swap. reconstruct the full access chain before notifying anyone. read the full journalist source protection guide →

after the playbook

export findings from each primary engine, then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timeline across the SIM swap window, Signal re-registration, and OAuth grant events — still zero upload.