Memory infrastructure for software.
Preserve verifiable, immutable evidence of what source code existed at a given point in time — and under whose authority.
The software ecosystem evolved faster than its ability to preserve evidence.
AI increases the speed of software production. Code can now be generated, modified, and assembled at machine speed.
But speed does not replace memory.
As software accelerates, the ecosystem’s ability to preserve durable evidence has not kept pace. Modern development relies on layers of tooling, automation, and platforms. Shipping is easier than ever — but answering simple questions later is harder.
When something goes wrong, the questions are always the same:
What source code actually existed at a given moment?
01Who was authorized to publish it?
02Which release was intended?
03What artifacts were claimed to originate from it?
04CodeQuill exists to preserve facts, not narratives.
Evidence preservation and auditability.
What CodeQuill does
- Preserves durable, inspectable records about source code
- Records authority and release intent
- Enables decisions to be reasoned about later
- Provides source-centric provenance references
What it does not
- Prove how software was built
- Guarantee build causality
- Assert correctness or safety of code
- Replace CI systems or artifact signing
- Provide end-to-end supply-chain security
Core primitives.
Seven building blocks that turn source code from an assumption into inspectable, durable evidence.
Claim
Authority becomes explicit
Links a repository to a workspace authority (wallet).
Snapshot
Source becomes a fact
A deterministic, local description of a repository's source state at a commit.
Publish
Evidence is anchored in time
Anchors snapshot identifiers and metadata as immutable records.
Project Release
Coordinated intent
Groups one or more source snapshots into a coherent release.
Attest
Artifact lineage claims
Records a statement that an artifact claims lineage from a published release.
Prove / Verify
Scoped disclosure
Cryptographic proofs that a specific file was included in a preserved source state.
Preserve
Without custody
Encrypted preservation of full source code corresponding to a published snapshot.
Source is evidence,
not intent.
Where evidence matters.
Not every system needs provenance. But when it matters, reconstruction is not enough.
Incident response & audits
When questions arise after an incident, CodeQuill provides durable evidence of what source code existed at specific moments — even if logs, CI systems, or organizations have changed.
DAO governance & releases
DAOs can reference explicit project releases as part of governance decisions, creating a stable, inspectable record of what code was approved or discussed.
Open-source stewardship
Maintainers can preserve authoritative source snapshots and release intent without relying on any single platform as the historical record.
Legal, compliance & preservation
CodeQuill supports preserving source evidence in a way that remains verifiable years later, independent of operational systems.
Research & ecosystem memory
Researchers and ecosystem participants can reference concrete source states instead of reconstructed narratives.
CLI-first, evidence-local.
npm install codequillEvidence is produced locally — on a developer's machine or inside CI runners. The CLI handles claims, snapshots, publishing, attestations, proofs, and preservation.
The web app configures trust and authority, surfaces evidence, and provides public views — but it does not generate evidence itself.
codequill claimcodequill snapshotcodequill publishcodequill attestcodequill provecodequill preserveDesigned to complement, not replace.
Provenance systems are not needed when everything works. They matter when assumptions fail — and CodeQuill is designed to preserve facts under those conditions.
CI systems can be compromised
Build pipelines are trusted by default. When that trust breaks, evidence must exist elsewhere.
01Logs and registries can be altered or lost
Platform logs are ephemeral. Registries can be modified. Provenance needs durable anchoring.
02Platforms and organizations can change over time
Teams restructure, services sunset, access revokes. Evidence should outlive the systems that produced it.
03CodeQuill is not a replacement for artifact signing or CI identity systems. It complements tools like Sigstore by providing a stable, source-centric reference that artifacts can point to.
Artifact Signing
"Who signed this artifact?"
Answers questions about the identity attached to a built artifact. Operates at the output layer of the supply chain.
CodeQuill
"What exact source state and release is this artifact claiming lineage from?"
Answers questions about the source code origin of an artifact. Operates at the input layer — before anything is built or signed.
On-chain infrastructure.
CodeQuill's core primitives are implemented as public, permissionless Ethereum smart contracts. They define how authority, source evidence, project releases, and attestations are recorded — independently of any application layer.
The contracts are intentionally minimal and designed for long-term inspectability.
Authority
On-chain claims that bind a repository to a wallet. Explicit, revocable, and auditable.
Source Evidence
Anchored snapshot identifiers and metadata. Immutable records of what existed and when.
Project Releases
Coordinated groupings of source snapshots into coherent, versioned release units.
Attestations
Recorded claims that artifacts originate from a specific published release.
Shared commitments.
Collaborating with projects that care about long-term integrity, governance, and cultural continuity.
Source is evidence, not intent.
Evidence should outlive systems.
Quiet infrastructure. Preserved facts.