Verification
The bytes in your browser come from this commit.
Current build
Every page on tracemute.com renders the short commit SHA in its footer. The source repository is private, so this is your reference handle for the exact build running in your browser — not a clickable link.
What you can verify without source access: that no file leaves your browser and that the bundle on disk matches what we publish. Open DevTools → Network tab on this site, drop a 100 MB photo into /clean, watch nothing upload. Then compare the SHA-256 of every bundle file against the manifest above.
The plan for v1 is bit-identical reproducible builds:
two clean builds at the same commit on the same Node version produce byte-equal
dist/ output. The manifest will be signed so its
integrity can be checked independent of the host.
Status today
- ✓ Footer SHA renders on every page. Same SHA across all routes confirms a single canonical build.
- ✓ Bit-identical reproducible build verified locally: two consecutive
pnpm buildpasses produce a byte-equal manifest. - ⏳ SHA-256 manifest of every bundle published with each release. Generated locally; needs the prod deploy hook.
- ⏳ Signed manifest so the published hashes can be verified independent of tracemute.com.
- ⏳ Independent third-party audit. Source-under-NDA access available for reviewers; report will be published verbatim.
Verify the manifest today
# In your browser DevTools → Network tab, pick any JS bundle:
# Response → copy the bytes → sha256sum
# Compare against the matching entry in /SHA256SUMS.txt
curl -s https://tracemute.com/SHA256SUMS.txt | grep
Hash mismatch between what your browser loaded and what the manifest says? Email
security@tracemute.com — we treat build divergence
as a security incident.