I built Merkle-chain evidence verification for CMMC compliance — here's why and how

prolixo — Mon, 02 Mar 2026 19:13:45 +0000

This started with a frustrating conversation. A defense contractor friend failed their CMMC Level 2 assessment. Not because they hadn't done the security work — but because when the assessor asked "who last updated this document and when," the answer was effectively "we don't know."
Their evidence was a folder of Word docs labeled things like final_v3_REALLYFINAL.docx. Technically fine content. No way to prove authenticity.
That's what I ended up building Solymus around. Here's the core pattern:

Artifact gets uploaded
SHA-256 hash computed server-side
Hash digest signed with KMS — ECDSA_SHA_256, MessageType=DIGEST (important: if you sign the full payload you'll hit the 4KB limit fast)
Record stored in DynamoDB with the digest and signature
Every night at midnight UTC, an attestation job seals that day's events into a Merkle root
Each artifact gets a public /verify/{id} endpoint — no auth — that returns the hash, signature, and Merkle linkage

One thing that bit me: right after upload, merkle_status is "pending" because the attestation job hasn't run yet. I had to add a callout in the docs explaining this or every user thought something was broken. The KMS signature is valid immediately — Merkle is just the additional daily seal.
Also: watch your DynamoDB Decimals. If you serialize them directly to JSON you'll get type errors in your canonicalization. Convert to int or string first.
Product is live at prolixotech.com if you want to see it running. Happy to dig into any of the implementation.

DEV Community: prolixo

I built Merkle-chain evidence verification for CMMC compliance — here's why and how