Changelog

Auditors, prime contractors, and DND assessors can now drag and drop the original file onto verify.html to confirm its SHA-256 hash matches the cryptographic receipt — entirely in the browser, with no upload and no login.

• Zero-knowledge by design. Files are hashed client-side using the Web Crypto API and never leave the browser.
• Three-phase verification UX. Reading the file, computing SHA-256, and comparing hashes each display as discrete steps for assessor transparency.
• PDF certificate download. Match results can be exported as a Solymus-branded verification certificate for audit files.
• Raw file hash in the public verify API. Hashes of the original uploaded file are now returned alongside evidence-payload hashes for every receipt.

Solymus is now positioned as the verification layer for Canadian defence procurement. Verification — for auditors, primes, and assessors — is 100% free with no login required. Evidence creation remains the paid product for suppliers.

• Public verify page. The verify.html route is unauthenticated and indexable — every export contains a link back to it.
• Sidebar cleanup. Level 3 features are hidden (not locked) for Level 1 users, eliminating empty upgrade prompts.
• Dashboard spacing. Workspace and dashboard pages now use compact spacing for denser information display.

The Cryptographic Ontological Translation Engine (U.S. provisional patent, inventor Ki Beom Lee) is now wired into the signing pipeline end-to-end. Each artifact is sealed into exactly one ECDSA_SHA_256 hardware signing operation — regardless of how many compliance frameworks it attests to.

• XNOR binding coefficients. Multi-framework alignment is computed for CPCSC Level 1, ITSP.10.171 Level 2, and NIST 800-171 Rev 3 in a single canonicalization pass.
• Cross-platform byte-identity. An in-browser walkthrough at /demo produces canonical bytes byte-identical to the backend signing path.
• RFC 8785 canonicalization everywhere. All cryptographic signing operations use RFC 8785 JSON Canonicalization — no silent fallbacks.

Eight failure modes have been mitigated ahead of the Phase 2 CPCSC mandate, preparing the platform for simultaneous supplier onboarding at Canadian defence scale.

• Atomic workspace provisioning. Organizations, tenants, members, and user records are created in a single transaction — no orphan records.
• Distributed rate limiting. Per-tenant token buckets are now coordinated across every compute instance.
• Resilient billing state. Paid users are protected from transient API errors with session caching and exponential retry.
• Stripe webhook dead-letter queue. Failed webhook events route to an encrypted replay queue so no billing update is lost.
• Monthly quota auto-reset. Event counters automatically reset on the first of each month, in UTC.

The landing page now includes an interactive three-phase animation that walks visitors through the full Automated Cryptographic Reconstruction Trigger pipeline: SHA-256 hashing, ECDSA P-256 signature verification, and Merkle root reconstruction.

• Dual-audience navigation. "For Primes" and "For Suppliers" dropdowns tailor the journey to procurement leaders and defence suppliers respectively.
• Enterprise access request. Prime contractors can now request enterprise onboarding directly from the hero.
• Patent-pending messaging. Trust bar updated with FIPS 140-3 hardware-rooted and O(1) compression claims.

Solymus is now purpose-built for Canadian defence suppliers. Every control, export, and mapping is anchored to ITSP.10.171 — Canada's adaptation of NIST SP 800-171 Revision 3 — with cross-walks to CMMC and DFARS for multi-jurisdiction suppliers.

• 17 control families, 97 controls. Full ITSP.10.171 Level 2 coverage across AC, AT, AU, CA, CM, IA, IR, MA, MP, PE, PS, PL, RA, SA, SC, SI, and SR.
• CPCSC Level 1 self-assessment. 13 controls across 6 families, mapped one-to-one with Canadian defence requirements.
• Canadian conventions. App uses Canadian spelling ("defence", not "defense") throughout.
• CAD pricing. All plans priced in Canadian dollars, with early bird pricing locked until December 31, 2026.

Two new dashboard surfaces help suppliers see exactly where they stand and what to fix next.

• Evidence Coverage. Visualizes every CPCSC / ITSP.10.171 control against uploaded artifacts — green for covered, amber for partial, red for missing.
• Remediation Priorities. Surfaces the highest-impact gaps with quick wins, ordered by audit risk and effort.
• CPCSC Readiness Score. A single headline number suppliers can share with primes for pre-qualification.

The end-to-end evidence pipeline is live: upload to encrypted object storage, compute SHA-256 locally, sign with hardware-rooted ECDSA_SHA_256, chain into a sharded ledger, anchor into a daily Merkle root, and archive to long-term cold storage.

• Direct-to-storage uploads. Files up to 100 MB stream directly to encrypted object storage via presigned URLs for speed and cost.
• Per-artifact verify URLs. Every export includes a public verification link suppliers can hand directly to auditors.
• Cold storage tiering. Standard → Infrequent Access → Glacier → Deep Archive lifecycle ensures long-term retention at minimal cost.

Workspace owners can now invite team members, assign roles, and manage per-tenant API keys from the dashboard.

• Role-based access control. Owner, admin, and member roles with scoped permissions.
• API key rotation. Create, revoke, and audit API keys with "last used" timestamps.
• Seat limits by plan. CPCSC Level 1 includes 3 seats; Level 2 includes 10; Level 3 is unlimited.

Solymus goes live as the CPCSC Readiness Platform for Canadian defence suppliers, with patent-pending cryptographic evidence infrastructure built on FIPS 140-3 hardware-rooted signing.

• Public verification API. Anyone can verify any Solymus-signed receipt against a hardware-rooted public key.
• Free CPCSC Level 1 tier. 13-control self-assessment, 365-day evidence retention, and 1,000 events per month — free for a limited time. Credit card required to activate.
• Early bird pricing locked. Level 2 and Level 3 plans available at C$5,000/month through December 31, 2026.