PENROSE
Penrose/Documentation
Back to site

Receipts, provenance, and audit

Penrose records enough context to explain what was tested and to detect later drift.

Source archive

Each submitted source is stored under a content-addressed archive with metadata and a SHA-256 identity. Structured and inline claims should retain both the exact submitted payload and the normalized claims accepted by the engine.

Reconstruction receipt

A receipt binds together:

  • claim statement and source span;
  • runnable specification;
  • search cohort and denominator;
  • cost assumptions;
  • data footprint and series Merkle roots;
  • pre-holdout and final verdict context;
  • engine/configuration fingerprint;
  • audit-chain head.

Receipts support integrity and reproduction. They do not prove that a data vendor's underlying values were genuine.

Audit log

Every run emits a hash-chained event stream containing its reproduction envelope, stage transitions, gate outputs, timing, and error context. Audit emission is observability: it must not alter a verdict.

What may be public

A public record may expose normalized claims, verdicts, kill reasons, safe metrics, lineage, hashes, and redistributable source material. It must not expose private papers, licensed data, API keys, holdout values, proprietary code, or sensitive paths.

See Security and privacy before publishing a corpus.

Penrose is a falsification referee for quantitative trading claims. A verdict is evidence about survival under the referee, never a trading instruction.