Blog
Development notes and technical writeups
-
2026-05-30
A Year of Hardening
A birthday note looking back at a full security round on Oversight: a 32-bit parser overflow reachable from a malicious bundle on mobile, the Rust registry learning to fail closed on partial writes and mismatched transparency-log leaves, recovery that verifies the log against itself, a non-root container, mobile privacy guards enforced in CI, build provenance manifests, and signing material that no longer lingers on the runners.
-
2026-05-25
A Week of Boring Hardening
Eight days after the last development note, Oversight main has a tighter Rust registry burn-in path: event rows must match their transparency-log leaves, local tlog recovery rejects corrupted records, writes fail closed when the log cannot append, Rust format parity moved forward, and the mobile verifier now has CI privacy guards.
-
2026-05-17
Back at the Desk: Rust Registry Migration Work
After a few sick days, the useful work was not a flashy protocol change. It was the operator path: Compose/Caddy live registry deployment, shared write-side token enforcement, and a Python-to-Rust SQLite migration command that lets the Axum registry inherit real attribution data instead of starting empty.
-
2026-05-11
Shipping From the Road: The Boring Work That Makes Oversight Real
A short development note on pushing mobile release and live registry configuration work while traveling, why I remoted into the desktop that holds the relevant local context, and how boring release discipline keeps a cryptographic protocol honest.
-
2026-05-07
v0.4.10: A Trait for Hardware Keys, and Why P-256
Oversight v0.4.10 lands the seam that hardware-backed keys plug into: a small
KeyProvidertrait abstracting the recipient-side ECDH, theOSGT-HW-P256-v1suite implemented end-to-end in software, and a polymorphic open path that dispatches by container suite id. Why P-256 instead of X25519 (PIV compatibility, not cryptographic preference), why the curve plumbing landed before the PKCS#11 binding, and what is and is not in this release. -
2026-05-04
Development Log: Rust Registry v1, Hybrid Viewer Samples, and Watermark Round Trips
Three stacked Oversight changes move the Rust path forward: the Axum registry now passes the v1 conformance harness, the browser inspector has public hybrid decrypt sample tooling, and Rust format watermark round trips are green after fixes to text layer ordering and image LSB scheduling. What changed, why it matters, and what still is not a v1.0 declaration.
-
2026-04-29
One Verification Core: How the Desktop and Mobile Share Rust
Two paired pushes today. Oversight v0.4.8's new
docs/EMBEDDING.mddocuments the integration contract for downstream consumers: seven verifier-safe crates, four crates intentionally out of scope, the git-plus-tag pin pattern, and the minimum versions per target. Oversight-mobile v0.1.12 switches the Flutter app's Rust deps from sibling-directory path deps to a tag pin against v0.4.8, so a fresh clone of either repo now builds without sibling-checkout choreography. Why path deps were the right call for development and the wrong call for shipping, and what this unblocks for reproducible mobile builds. -
2026-04-26
Mobile beta is live — and the Apple-side gotcha that nearly hid it
The Oversight mobile verifier is on TestFlight as of today, sharing the same Rust verification core as the desktop CLI. Why a provenance protocol needs a phone-shaped surface, how the Flutter + Rust architecture stays bit-identical with the desktop, the iOS-without-a-Mac CI pipeline, and the Info.plist key that quietly hides every build from internal testers if you skip it.
-
2026-04-22
v0.4.7: Registry Federation Conformance Is a Test, Not a Document
Federation is the part of an open protocol that has to be earned. v0.4.7 hardens the registry v1 interop spec against the reference implementation, deletes a phantom endpoint that was never served, pins JSON canonicalization, ships a uniform error envelope, and lands a 32-check conformance harness that runs in-process for CI or against any live operator URL. Why this is the v1.0 acceptance gate, what the harness proves, and what it deliberately does not.
-
2026-04-22
v0.4.6: SIEM Export for Splunk, Sentinel, and Elastic
Registry beacon events now ship in three SIEM-native formats. Splunk HEC envelopes, Elastic Common Schema 8.x documents, and Microsoft Sentinel Log Analytics custom-log rows. Pure formatters, file and stdout sinks, a read-only SQLite iterator, and an HMAC signing helper for the Sentinel Data Collector API. The operator guide is honest about what beacon absence does and does not prove.
-
2026-04-20
v0.4.5: L3 Semantic Watermark Safety and GUI Starter
Semantic watermarks are powerful because they survive reformatting and retyping, and dangerous because they change the recipient's copy. v0.4.5 defaults L3 off for legal, regulatory, technical-spec, source-code, SQL, log, and structured data; requires explicit acknowledgement when enabled; records a canonical_content_hash for dispute resolution; and ships a Tkinter GUI starter on the path to a non-technical user experience.
-
2026-04-20
v0.4.4: Nine Security Findings and the Discipline of Failing Closed
Codex (GPT-5.4) audited the Oversight codebase and found 9 security issues: a TOCTOU race in max_opens, POSIX-only file locking on Windows, silent registry fallbacks, unverified Rekor digests, unsigned registry sidecars, a broken multi-recipient seal, and more. Every fix follows one principle: security mechanisms must fail closed.
-
2026-04-19
Defending Against Watermark Stripping: Content Fingerprints and Error Correction
How Oversight v0.4.3 defends against the VM-strip-export attack with ECC-protected synonym bits (R=7 repetition codes), winnowing content fingerprints, a 5-phase attribution pipeline, and an honest account of the information-theoretic limits from 19 surveyed papers.
-
2026-04-19
Wiring L3 Semantic Watermarks into the Pipeline: From Stub to Production
The L3 semantic watermark existed in semantic.py but was never wired into the main pipeline or CLI. v0.4.2 fixes the stub problem, adds multi-layer Bayesian fusion, partial L2 recovery, 55 expanded format-agnostic mark channels, and per-phase diagnostic output.
-
2026-04-19
Replacing the Custom Merkle Log with Sigstore Rekor v2
Why Oversight v0.5 is migrating from a self-hosted Merkle tree to Sigstore Rekor v2, the DSSE envelope design, the privacy decision to hash recipient keys before logging, and what this means for auditors who want to verify bundles without Oversight code.
-
2026-04-17
Preparing for Post-Quantum: ML-KEM-768 and Hybrid Key Establishment
Oversight's hybrid cipher suite combines X25519 with ML-KEM-768 and Ed25519 with ML-DSA-65 to defend against harvest-now-decrypt-later attacks on sealed documents with long-term sensitivity.
-
2026-04-10
Porting Oversight to Rust: Cross-Language Cryptographic Conformance
Seven Rust crates, 2,934 lines of code, and the pursuit of bit-identical output between Python and Rust implementations. Includes the RFC 6962 Merkle tree conformance bug and a mutex deadlock that Python's GIL had been hiding.
-
2026-03-28
Three Layers of Invisible Watermarking: Surviving Copy-Paste, Reformatting, and the Airgap
A technical walkthrough of Oversight's three watermark layers: zero-width Unicode encoding, trailing whitespace patterns, and a 151-class semantic synonym rotation that survives screenshots and retyping.
-
2026-03-15
Building Oversight: Why I Wrote an Open Protocol for Data Provenance
The motivation for building an open data provenance protocol: why existing solutions (DRM, C2PA, metadata tagging) fall short, and the design principles behind Oversight's sealed container format.