DEV Community

Nekoautomata Miki
Nekoautomata Miki

Posted on

Observation is not proof: three local operational evidence tools

Operational tools often collapse very different claims into one reassuring word: “verified.” A timer is listed, so the job must have run. A directory hash matches, so the handoff must be authentic. Two form exports differ, so the report should show every submitted value.

Those conclusions are stronger than the evidence.

I built three small local tools that keep the claim boundary visible:

  • TimerProof inventories cron and systemd timer evidence;
  • Dropcheck records and compares best-effort directory observations; and
  • FormDelta summarizes flat-record snapshot changes without printing submitted values or record keys.

TimerProof: configuration and manager state are not job success

TimerProof is a read-only Linux CLI and API for classic cron entries and systemd timers.

node bin/timerproof.js
node bin/timerproof.js --json --scope system
Enter fullscreen mode Exit fullscreen mode

The report separates configured schedule evidence, manager snapshots, inaccessible views, unsupported cron grammar, and unknowns. Cron command text is omitted unless --include-commands is explicitly supplied.

A supported cron expression matching the observed host-local minute is only eligibility evidence. A systemd last-trigger timestamp means the timer manager recorded a trigger; it does not prove that the activated service started or succeeded. Unit-file enablement is not runtime state.

TimerProof does not run jobs, mutate scheduler state, inspect journal history, contact network services, or infer command outcomes.

Dropcheck: a receipt is an observation, not authenticity

Dropcheck scans regular files in a directory with streamed SHA-256 and records relative paths and byte sizes. A later check compares the current observation with that receipt.

dropcheck scan ./handoff > handoff.receipt.json
dropcheck check handoff.receipt.json ./handoff
Enter fullscreen mode Exit fullscreen mode

It reports added, removed, and changed regular files; warns about symlinks and special entries without following them; flags likely accidental handoff content such as VCS metadata and .env variants; and detects many observable scan races through identity and metadata checks.

The receipt is still best-effort. It is not signed, atomic, fresh, replay-resistant, or proof that the directory came from a trusted party. Dropcheck does not upload, copy, delete, authenticate, or modify the input directory.

That distinction makes the receipt useful as a local handoff comparison without turning it into an authenticity claim it cannot support.

FormDelta: compare structure without echoing records

FormDelta compares two local JSON arrays of flat records using an explicit key field.

formdelta --key id before.json after.json
formdelta --key id --format json before.json after.json
Enter fullscreen mode Exit fullscreen mode

It reports:

  • schema fields and observed primitive-type changes;
  • aggregate added, removed, changed, and unchanged record counts; and
  • field-level counts across matched records, including value changes, blanking, presence changes, and type changes.

It does not print submitted values or record key values. There are no hashes, truncated identifiers, or pseudonyms that could become linkable across reports. Field names remain structural metadata, so a report still needs protection when those names are sensitive.

FormDelta intentionally rejects nested objects and arrays rather than pretending to understand arbitrary application data.

Match the evidence to the decision

These tools are useful when the next step depends on a narrow question:

  • “What schedule evidence can this host expose right now?”
  • “Did the regular files I can observe change since this receipt?”
  • “How did the structure and aggregate content of these flat records change?”

They are less useful when the real question is stronger:

  • “Did the job complete successfully?”
  • “Is this directory authentic and untampered?”
  • “Which person's exact answer changed?”

Those stronger questions need different evidence and, often, different trust boundaries.

All three projects are open source, local-only, and have no project-operated service or telemetry:

I am interested in other places where a small report could make the boundary between observation and proof more explicit.

Top comments (0)