CarveTrace

Documentation

The whole product, written down

Every guide CarveTrace ships, organized by what you're trying to do. The canonical source is the GitHub repository ; this page is the index. Specs and references are versioned with the code — open the GitHub link to see the exact text against a tagged release.

See the demo Talk to us

Get oriented

Start here if you have ten minutes and want to understand what CarveTrace is.

What CarveTrace proves

The properties our evidence guarantees, in plain language.

github.com →

Architecture

How the pieces fit together : SDK, chain, TSA, verifier.

github.com →

Threat model

What we defend against and what we explicitly don't.

github.com →

Capabilities inventory

A flat list of what the product does today, per module.

github.com →

AI Act mapping

How CarveTrace evidence maps to specific EU AI Act articles and ISO 42001 controls.

AI Act events overview

The events CarveTrace ships and which AI Act obligation each addresses.

github.com →

Article 12 mapping (record-keeping)

Article 12 subsections → CarveTrace events → verifier checks.

github.com →

Article 12.2(a) — operator identification

How operator-session integrity is established and proved.

github.com →

Article 12.2(c) + 12.4 — biometric matching

Biometric input data + match-traceability evidence.

github.com →

Article 12.3 — retention

Retention policy declaration, enforcement, and proof.

github.com →

Annex IV supplement

The signed, schema-versioned reporting-period summary package.

github.com →

ISO 42001 mapping

CarveTrace evidence → ISO/IEC 42001:2023 controls.

github.com →

Build with CarveTrace

For engineers integrating the SDK or operating the platform.

AI evidence guide

End-to-end walkthrough : instrument, sign, verify.

github.com →

CLI reference

Every carvetrace subcommand with flags and examples.

github.com →

Protocol reference

The wire formats, schema hashes, and canonical encodings.

github.com →

SDK feature matrix

What every SDK + adapter combination supports.

github.com →

Cloud deployment guide

AWS / GCP / Azure / OVHcloud deployment patterns.

github.com →

Auth deployment guide

OIDC / SAML SSO setup, reverse-proxy auth, RBAC.

github.com →

Operate and verify

For SREs, compliance officers, and auditors using the product day-to-day.

Evidence report guide

Generate, customize, and interpret the coverage report.

github.com →

Verifier guide

How to verify a bundle locally, in browser, or via CLI.

github.com →

Cross-implementation harness

How Java ↔ WASM ↔ Python verdict parity is proven in CI.

github.com →

Tamper report guide

What a failed verification looks like and how to read it.

github.com →

Integrity checking

Continuous chain-integrity validation in production.

github.com →

TSA anchoring guide

How RFC 3161 anchoring works and which TSAs to use.

github.com →

TSA cadence configuration

Tuning anchor frequency to your retention + cost profile.

github.com →

QTSP selection

Picking an eIDAS-qualified Trusted Service Provider.

github.com →

Anchor publisher guide

Publishing chain anchors via OpenTimestamps and Bitcoin.

github.com →

Compliance officer workflow

Day-in-the-life walkthrough for a CCO using CarveTrace.

github.com →

Multiparty verification guide

Independent verification by auditor + regulator + customer.

github.com →

Security + posture

For security review and procurement due diligence.

Security overview

Crypto choices, supply chain, ops posture.

github.com →

Security known limitations

Honest accounting of what is and isn't mitigated today.

github.com →

Timestamping model

The trust + threat model behind RFC 3161 + OpenTimestamps.

github.com →

Threat model

Adversaries we defend against ; what we explicitly don't.

github.com →

Security page on this site

Public-facing security posture summary.

on this site →

Don't see what you need?

Drop us a line at contact@carvetrace.com with what you're trying to evaluate. If the answer is in our docs and just isn't surfaced here, we'll add it. If it isn't, we'll write the doc and ship it.