Most code review processes produce one artifact: a merged PR. Someone approved it. The review presumably happened. But if an auditor asks you to prove that the AI-generated function in your auth service passed your risk policy — that the model was on your allowlist, that the risk score was below threshold, that a human actually approved it — what do you hand them?
A closed PR is not evidence of the above. It is evidence that someone clicked "Approve." The model identity, the risk state at merge time, whether the reviewer read the AI context or just the diff — none of that is in the PR.
This is the gap that machine-verifiable AI code certificates close.
The Problem Is Structural
When you merge AI-generated code today, you lose the generation context permanently. The commit records the diff. Git blame records the author. Nothing records which model generated it, what the prompt was, what the risk score was at insertion, or whether the human reviewer actually engaged with the full AI context.
Post-merge, you're reconstructing from memory and process documentation. That reconstruction will not survive a security audit. It certainly won't survive an EU AI Act compliance review, where Article 12 requires records of AI system outputs to be kept for a period appropriate to the purpose.
What an Indemnity Certificate Actually Contains
LineageLens's indemnity system issues certificates at three scopes: per-record, per-PR, and per-release. The evaluation runs against your workspace's active IndemnityPolicy.
A policy has five configurable rules:
class PolicyRules(BaseModel):
max_risk_score: int = Field(default=70, ge=0, le=100)
require_license_clean: bool = Field(default=False)
require_human_review: bool = Field(default=False)
allowed_models: list[str] = Field(default_factory=list)
unknown_review_pass: bool = Field(default=False)
cert_ttl_days: int = Field(default=90, ge=1, le=3650)
When you call POST /indemnity/certificate with scope=pr and scope_ref=PR-442, the service fetches every provenance record tagged pr:PR-442, evaluates each one against all five rules, and either issues a certificate or returns a structured list of reasons why eligibility failed.
The evaluation is explicit:
# Risk check
if record.risk_score is not None and record.risk_score > max_risk:
eligible = False
reasons.append(
f"Record {uid}: risk score {record.risk_score} exceeds policy maximum {max_risk}."
)
# Model allowlist check
if allowed_models and record.model_name:
if record.model_name not in allowed_models:
eligible = False
reasons.append(
f"Record {uid}: model '{record.model_name}' is not in the policy allowed-models list."
)
Notice what this requires: the model name must be captured at generation time. The risk score must have been computed at insertion. Human review status must exist in ReviewQueue. If any of these are missing, the certificate either fails or the unknown_review_pass escape hatch applies — your choice, policy-level.
The Cryptographic Layer
When eligibility passes, the system builds a canonical attestation statement and signs it with Ed25519:
def sign_attestation(statement: dict) -> SignedAttestation:
private_key = _load_private_key()
canonical = json.dumps(statement, sort_keys=True, default=str).encode()
sig_bytes = private_key.sign(canonical)
return SignedAttestation(
statement=statement,
signature=sig_bytes.hex(),
public_key_id=_get_public_key_id(private_key),
)
The sort_keys=True ensures canonical key ordering regardless of Python dict insertion order — without this, semantically identical statements could produce different byte sequences and fail verification. The corresponding public key is available unauthenticated at GET /attestations/{public_ref}/verify, so any third party can verify the certificate without workspace credentials.
The attestation also includes prev_hash — the record_hash of the most recent hash-chained provenance record in the workspace. This anchors the certificate to the workspace's provenance history at the moment of issuance. You cannot retroactively alter the provenance records that supported it without breaking the chain.
What Ineligibility Looks Like
An ineligible evaluation is equally useful. The system issues an unsigned certificate with a structured reasons list:
{
"eligibility": "ineligible",
"reasons": [
"Record abc-123: risk score 84 exceeds policy maximum 70.",
"Record def-456: model 'gpt-4o-mini' is not in the policy allowed-models list.",
"Record ghi-789: human-review status is 'pending' — policy requires 'approved'."
]
}
This is a machine-generated record of exactly which AI code insertions failed your policy and why — before the code shipped.
The Connection to Capture Quality
None of this works without the provenance capture layer. If a record has model_name = null because the insertion went through a path LineageLens couldn't proxy, the model allowlist check cannot run. If risk_score is null, the risk check cannot run. The certificate is only as strong as the capture underneath it.
This is the compounding argument for installing early: every day of uncaptured AI code is a day of records that cannot support a certificate.
LineageLens is open source and free to install. The indemnity endpoint is part of the Plus/Max tier backend. The deeper cryptographic design walkthrough covers why Ed25519 over HMAC, the key derivation fallback, and where the policy gate should actually live.
What does your team produce as evidence when AI-generated code goes to production? And would it survive a structured audit?
Top comments (0)