Convert files, keep the provenance
Commodity converters prove privacy: your file never leaves the browser. This suite goes one step further and proves provenance: every conversion is bound into a canonical receipt that anyone can independently re-verify, without trusting the tool that produced it.
Deterministic, in-repo converters
Both converters run entirely client-side and hash the input and output with WebCrypto, producing an input_sha256 and output_sha256 ready to feed a receipt.
Build and verify a conversion receipt
The builder binds the input digest, converter identity, parameters, and output digest into one canonical record. The verifier recomputes that binding independently and returns a valid, binding_mismatch, digest_mismatch, or malformed verdict. It does not trust the builder's output; it re-derives it.
Prove what was removed, record what was kept
The sanitization prover binds an original digest to the findings it removed, redacted, or retained, with a residual-risk breakdown by file type. The manifest builder records original and cleaned digests together in one hash-anchored manifest for the record.
Run the full pipeline
Each workflow chains two or three of the nodes above into one end-to-end pipeline, with a handoff note between every stage describing exactly what feeds the next one.
A receipt binds observed digests and converter identity. It is not a claim of bit-for-bit reproducibility across converter versions. Treat a receipt as evidence of what happened in this run, verifiable independently, not as a promise that a different engine version would produce an identical byte stream.