signed at the source.
verify any bundle is really ours.

1. verify a bundle

2. what this proves (and what it doesn't)

• authenticity — a bundle that hashes into the signed registry was published by FatCousin Labs Inc.. a modified or rehosted copy will not match.
• integrity — the registry binds the build commit, timestamp, and a hash of every bundle into one ed25519 signature. change one byte and verification fails.
• ownership — the signed, timestamped registry is evidence the code originated here. it is the basis for a takedown or legal claim if someone rehosts the bundles as their own.
• no tracking — this is signing, not surveillance. it does not phone home, fingerprint you, or report who runs a copy. enforcement is legal, never telemetric — consistent with the manifesto.

3. how to check independently

you do not have to trust this page. the public key is committed in the open-source trust anchor, and the signed registry is a static file:

• registry — /tool-bundles/provenance.json
• scheme — sign fc-provenance|v1|ed25519|sha256|<build>|<builtAt>|<count>|<registrySha256> where registrySha256 is the sha-256 of the sorted [slug, jsSha256, cssSha256] table.
• any ed25519 verifier (openssl, libsodium, WebCrypto) will validate the signature against the published public key.

this content is proprietary and not licensed for reuse — see /aup. the signature exists so that fact is provable, not decorative.

4. related

• /formats — native .fc-* files + the .fc-key signing format for your own exports
• /forensics/verify — verify a signed .fc-case investigation record
• /manifesto — the local-first, no-upload contract