JGoyd/SYSTEM-STATUS.md

# JGoyd Evidence System — Status Snapshot

*Auto-generated; refresh on every drop batch.*

## What "bulletproof" means in this system

A case is **bulletproof** when every claim in its README is grounded in **at least one externally-controlled signature** that cannot be forged short of compromising third-party infrastructure. The hierarchy is:

1. **Tier 1 (strongest):** DKIM signature from a known agency/vendor mail domain (e.g., `sec.gov`, `cert.org`, `apple.com`), CVE record at NVD, CISA KEV listing, court PACER entry, atomic NVD ADP write.
2. **Tier 2:** Server-issued case reference whose pattern only the agency's intake system produces (FCA `00Db*`, SEC Submission Number, CPIB Response ID, VINCE VU number).
3. **Tier 3:** OpenTimestamps anchor + maintainer PGP detached signature on the source file.
4. **Tier 4 (supporting only):** Self-attestations, screenshots, print-to-PDF renderings. Never the sole anchor for a claim.

## Case status (as of drop batch 2026-05-18, batch 12)

### Track B — Cybersecurity

| Case folder | Tier 1 anchors | Tier 2 anchors | Tier 3 (.ots/.asc) | Bulletproof? |
|---|---|---|---|---|
| `TRACK-B-CVE-2025-31200-31201` | DKIM `cert.org` ×2, DKIM `amazonses.com` ×2, DKIM `yahoo.com`, NVD CVE-History ADP write, CISA KEV (+1d), CVSS 9.8 ×2 | CERT/CC case `gen-41698`, vulnrichment #200 | PENDING (anchor script ready) | **Strong** — DKIM + NVD + KEV all third-party-verifiable |
| `TRACK-B-CVE-2025-24085-24201-43300` (Glass Cage) | DKIM `cert.org`, DKIM `amazonses.com`, NVD CVSS 10.0 ×3, NVD Primary 10.0 ×2, CISA KEV (+0–2d) on all 5 chain CVEs | VINCE VU#395558 (case 2162), vulnrichment #194 + #201 | PENDING (anchor script ready) | **Strong** — 3× CVSS 10.0 is structurally rare; KEV-same-day on 43300 |

### Track A — Regulatory / whistleblower

| Case folder | Tier 1 anchors | Tier 2 anchors | Tier 3 (.ots/.asc) | Bulletproof? |
|---|---|---|---|---|
| `TRACK-A-SEC-TCR-17780-976-067-126` | **DKIM `sec.gov` (2048-bit, selector `secomms`)** | SEC TCR Submission `17780-976-067-126`, SEC Ombuds Matter ID `20260513-00019687` | PENDING (anchor script ready) | **Strong** — sec.gov DKIM is the first federal-agency cryptographic anchor in the system |
| `TRACK-A-FCA-BoC-StanChart` | **DKIM `fca.org.uk` (2048-bit, selector `intactfcaorguk2`) on FOUR inbounds**: 2026-05-08 named-officer substantive reply (Supervision Hub, BoC UK + StanChart subjects), 2026-05-11 boilerplate ack, 2026-05-13 named-officer **supervisory-referral attestation** (*"referred to the supervisory appropriate team for further investigation"*) | FCA reference `00Db0000000K8yP.500Sk000019RuGn` (confirmed Salesforce Org-Link + Entity-ID via `X-Sfdc-Lk` / `X-Sfdc-Entityid`) | PENDING (batch 4 + batch 11 anchor scripts ready) | **Strong-with-substantive-attestation** — first UK fed-agency cryptographic anchor; two named-officer substantive inbounds on the same matter; supervisory-referral language is intake-routing only, NOT an adjudicative finding (Track A standing disclaimer applies) |
| `TRACK-A-CPIB-69f824dfe5ef7daf3b78ccee` | **DOUBLE DKIM: `form.gov.sg` (2048-bit, selector `y7posmki4a5gkzqgrtnwseuajsr5wg4m`) + `amazonses.com` (1024-bit, selector `pd64dbxfdcqqbvadj6zks7h7qe3c33ao`) inbound 2026-05-04** | CPIB Response ID `69f824dfe5ef7daf3b78ccee` | PENDING (batch 4 anchor script ready) | **Strong** — first Singapore-Gov cryptographic anchor; SES counter-signature provides defense-in-depth |
| `TRACK-A-LT-CASE-01-1-03450-26` | Letter from Prosecutor Aurelijus Navickas, Panevėžys Organised Crime & Corruption Investigation Div., 2026-04-30 (info attached to criminal case materials) | Case ref `01-1-03450-26` | PENDING (batch 3 anchor script ready) | **Strong** — confirmed prosecutor letter on file |
| `TRACK-A-SK-260428070422263` | **DKIM `genpro.gov.sk` (2048-bit, selector `genprogovsk`) 2026-04-28** + **potvrdenka PDF enumerating 14 submitted docs w/ per-file SHA-256** | Slovak General Prosecutor ref `260428070422263` | PENDING (batch 2 + batch 4 anchor scripts ready) | **Strong** — first Slovak federal-agency cryptographic anchor; potvrdenka PDF document-corroborates the DKIM-signed inbound |
| `TRACK-A-TW-NCC-11500091980` | **DKIM `ncc.gov.tw` (2048-bit, selector `google`) 2026-03-25 kick-off** + **Official NCC formal letter (函) ROC 115/3/24 = 2026-03-24, named officer 周金賢 `jschou@ncc.gov.tw`** | NCC case `NCC-1156500716`, filing ref `通傳基礎決字第11500091980號` | PENDING (batch 3 + batch 4 anchor scripts ready) | **Strong** — DKIM anchor + document-level letterhead corroboration; carrier rebuttal preserved as carrier-position evidence only |
| `TRACK-A-Japan-ISA-ICRRA70-1` | (pending — no MOJ/ISA inbound `.eml` yet) | MOJ kōeki-tsūhō mailbox referral, 2026-05-13 | PENDING (batch 3 anchor script ready) | **Provisional** — outbound-only; needs inbound `.eml` from `*.moj.go.jp` to become Tier 1 |
| `TRACK-A-OLAF-Mandelson-Carbyne` | **DKIM `ec.europa.eu` (2048-bit, selector `s2601`) inbound 2026-05-04** | OLAF subject "Tip submission: Mandelson / Carbyne"; Msg-Id `<bc0371e438c145b7af6986637b8f4778@ec.europa.eu>` | PENDING (batch 5 anchor script ready) | **Strong** — **first EU-institutional cryptographic anchor in the system.** PGP reconciliation issue still open: outbound ships secondary `6DCB` key, not canonical `4A04`. |
| `TRACK-A-DOE-NE-2026-05-02` | (pending — no inbound from DOE-NE / CFIUS / FinCEN yet) | Three-agency single-outbound 2026-05-02 21:41 UTC | PENDING (batch 4 anchor script ready) | **Provisional** — **STRICT DOMAIN SEPARATION per user**: DOE-NE / CFIUS / FinCEN are three distinct anchors that do NOT mix unless each has its own inbound. Capture each agency's reply individually. |
| `TRACK-A-DOJ-FARA-Public` | **DKIM `usdoj.gov` (2048-bit, selector `doj`) reply 2026-05-05** | DOJ FARA reply re: Karim Wade / Macky Sall public-registration matter | PENDING (batch 5 anchor script ready) | **Strong** — **first US-DOJ executive-branch cryptographic anchor in the system.** OFNAC (Senegal) was cc'd but has not responded; per user, no separate OFNAC folder until/unless they reply. |
| `TRACK-A-FR-TJ-Paris-Parquet-Financier` | **DKIM `justice.fr` (2048-bit, selector `pfai20240130`) inbound 2026-05-18** | PNF substantive reply requesting source document (NOT boilerplate) | PENDING (batch 5 anchor script ready) | **Strong** — **first French Ministry-of-Justice cryptographic anchor.** Outbound is also PGP-signed with the canonical `4A04` key (rare — most user outbounds use secondary `6DCB`). |
| `TRACK-A-Ossoff-Senate-DOJ-Redactions` | **DKIM `senate.gov` (2048-bit, selector `senate-pp2408`) inbound 2026-04-29** | Sen. Ossoff (GA) staff reply from named **David Jones, Senior Constituent Services Representative**; in-person meeting attestation; explicit forward to DC office | PENDING (batch 5 anchor script ready) | **Strong** — **first US-Senate cryptographic anchor.** Substantively stronger than boilerplate per user. |
| `TRACK-A-IRS-FORM-211` | (pending — no `*.irs.gov` inbound yet; paper claim letter from Ogden, UT expected next) | 13-page Form 211 Bates evidence packet (compiled 2026-05-06) submitted via IRS Whistleblower Office; on-screen confirmation noted at intake by filer; statutory basis IRC § 7623(b); filer-asserted recoverable estimate $75M–$110M (above $2M mandatory-award threshold) | PENDING (batch 7 anchor script ready) | **Provisional** — filer-prepared with on-screen submission confirmation only. Subject taxpayers: Southern Trust Company Inc., Financial Trust Company Inc., Estate of Jeffrey E. Epstein. Upgrades to Strong on receipt of IRS WBO paper claim-number letter or any `*.irs.gov` DKIM-signed inbound. |
| `TRACK-A-MA-AGO-MIT-MediaLab` | **DKIM `onbaseonline.com` (2048-bit, selector `2k20x`) inbound 2026-05-05** | MA AGO OnBase intake acknowledgement; routing-to-NPC attestation in body | PENDING (batch 5 anchor script ready) | **Strong** — first state-AG enterprise-intake cryptographic anchor (Hyland OnBase platform contracted by MA AGO). |
| `TRACK-A-Colombia-Consulate-Atlanta` | (pending — no agency reply yet) | Hand-delivered referral packet `COLOMBIA-EPSTEIN-01` (2026-05-14) to Embassy of Colombia / Atlanta consulate, 1117 Perimeter Center West, N401; signed on-face with canonical `4A04` PGP | PENDING (batch 6 anchor script ready) | **Provisional** — hand-delivered 2026-05-18; upgrades to Strong on any written acknowledgement from `*.gov.co` (Cancillería, Fiscalía General, Superfinanciera, or the Embassy's own institutional domain) or a stamped consulate paper receipt. |
| `TRACK-A-USN-InsiderThreat-AirCenter-Tinney` | (pending — no `*.navy.mil` / `*.mail.mil` / NCIS / DCSA inbound yet) | Outbound 2026-04-27 16:04:06 UTC to `USN-InsiderThreat@us.navy.mil`; primary subject **Air Center Helicopters / Rod Tinney** (cleared MSC contractor, ~$77.3M VERTREP contract through 2030-01-30); adjacent matter Lt. Col. **William R. Bohlke Jr.** (PRANG legislative liaison / CEO Bohlke International Aviation); adjacent matter #2 held pending Hub request; primary anchors `EFTA01966277` (Visoski 2013 fleet summary), `EFTA02173130` (Bohlke USAF-credential commercial signature) | PENDING (batch 7 anchor script ready) | **Provisional** — outbound-only insider-threat referral; filer invokes NISPOM 32 CFR Part 117, DITMAC #4 + #12, SEAD 4 E/J/F, SEAD 3 App-A; folder takes no position on those framings. Filer's own attestation: *"This submission presents adverse information; it makes no finding of fact."* |
| `TRACK-A-CISA-INC0625285-iOS-Bypass` | **DKIM `associates.cisa.dhs.gov` (2048-bit, selector `select1`) inbound 2026-02-26** + DMARC=pass (p=reject on parent `dhs.gov`) + ARC-sealed by `microsoft.com` (CISA M365 tenant `69c613d2-b051-4234-8ed1-fd530b70d5d3`) | CISA ServiceNow ticket **INC0625285** "iOS Security Bypass"; named contractor **Umar Farouq (CTR)** at `umar.farouq@associates.cisa.dhs.gov`; 5 CISA To-line recipients (Central, TOC, SIM, vulnerability, filer) + 2 Cc (OCIO.TOC.FEDs, Troy Delucia); 5-deep Message-Id chain through Exchange Online nodes `CO6PR09MB7319 → PH7PR09MB11913 → DS0PR09MB11798`; Proofpoint transit `mx0e-00376703.gpphosted.com` `67.231.155.98` | PENDING (batch 8 anchor script ready) | **Strong** — **first US DHS/CISA cryptographic anchor in the system.** Contractor-tenancy subdomain (`associates.*.dhs.gov`), not agency proper; cryptographic anchor still attaches to DHS/CISA infrastructure. Body PGP-encrypted to filer's key; envelope/headers preserved. |
| `TRACK-B-CNVD-2025-06744` | 1 (cert PDF) | **Sovereign-CERT certificate** + CNVD ID `CNVD-2025-06744` + cert no. `CNVD-YCGO-202503023656` | 2025-03-18 | **Provisional** (batch 11) |
| `TRACK-B-CNVD-2025-07885` | 1 (cert PDF) | **Sovereign-CERT certificate** + CNVD ID `CNVD-2025-07885` + cert no. `CNVD-YCGO-202504012519` | 2025-04-22 | **Provisional** (batch 11) |
| `TRACK-B-DOE-417` | **DOUBLE DKIM: `doe.gov` (2048-bit, selector `q2-2024-pp`) + `hq.doe.gov` (2048-bit, selector `selector1`) inbound 2025-12-25** | DOE-417 Submission ID `5941450-1585693`, filed 2025-12-25 16:50:15 UTC, Schedule-1 boxes #2 + #14, Emergency Alert; DOE Emergency Operations Center (NA-40 / Team 3) acknowledgement *"Watch Office acknowledges your message."* | PENDING (batch 5 anchor script ready) | **Strong on the agency-receipt anchor** (Tier-1 double-DKIM from DOE EOC). 🟡 **Filer-claim only on the substantive technical narrative** — the DOE EOC acknowledgement confirms receipt and routing, NOT endorsement. Narrative claims (Broadcom BCM4388 silicon backdoor `Poppy_CLPC_OS`, 113GB+ exfiltration, Cisco/Google/Samsung coordinated disclosure) remain filer-statements only — no CVE, no vendor advisory, no third-party reproduction. Org name *Intergalactic Auditing Systems* is a **working pseudonym, not a registered legal entity** (per user). |
| `TRACK-B-IC3-067b3177c3524c80bce02cca08064d11` | **Server-issued FBI IC3 Submission ID `067b3177c3524c80bce02cca08064d11`** (Tier-2 sole-namespace pattern) + **public-internet long-lived corroboration**: the same ID is in the public-repo description field of `github.com/JGoyd/iDrive-Exfil` (created 2026-01-08T23:17:45Z, tree `810ab171…`, last push 2026-04-07T15:35:51Z, 1 star) and has been indexable by archive services since (Tier-1.5 third-party-verifiable) | IC3 Submission ID + 3-file paired technical bundle (filer's published case README, JFIF carrier image 3024×4032 subject "filer's son in filer's backyard", filer's personal note to son) | PENDING (batch 9 anchor script ready) | **Provisional → Anchor-Class candidate on the IC3-ID + public-repo-description combination.** Upgrades to Strong on (a) `*.ic3.gov` or `*.fbi.gov` DKIM-signed inbound `.eml`, (b) paper IC3 acknowledgement letter, or (c) opened FBI field-office investigative file referencing this submission ID. Filer-attested technical surface (polyglot HEIF carrier, `mdat` entropy 7.9478, three Shadow UUIDs, `passd` Wallet bridging to iCloud Drive) preserved without endorsement. **Personal-significance posture preserved**: carrier subject is the filer's son in his backyard. |
| `TRACK-B-MSRC-112639` | **DKIM `vanderbilt.edu` (2048-bit, selector `selector1`) on VUIT precursor `.eml` 2026-04-01** + ARC-sealed by Microsoft `arcselector10001` | VUIT TeamDynamix incident **#86705** (precursor), MSRC **Case 112639** (vendor case-ID, opened 2026-04-08), public GitHub repo `JGoyd/m365-mime-type-confusion` (Tier-1.5 third-party-verifiable; head `c4bca665…`, stego-withdrawal commit `a75ce46a…`) | PENDING (batch 6 anchor script ready) | **Strong** — **first US higher-education cryptographic anchor in the system (`vanderbilt.edu`).** Two-stage disclosure path (VU → MSRC) anchored on the precursor. No standalone MSRC-side `.eml` yet (open follow-up). No exploit code shipped; prior stego claim withdrawn in commit `a75ce46a…` as a discipline marker. |
| `TRACK-B-NASA-JPL-TLS` | (pending — no NASA SOC inbound `.eml` yet) | Outbound to `soc@nasa.gov` 2025-04-22 | PENDING (batch 3 anchor script ready) | **Provisional** — outbound-only chain-misconfig report; forensic-observer role; needs SOC reply to become Tier 1 |
| `TRACK-B-Broadcom-BCM4387-BroadScope` | **DKIM `broadcom.com` (1024-bit, selector `google`) inbound 2026-03-10** + DLP-relay path through `*.dlp.protect.broadcom.com` (Symantec/Broadcom DLP, `144.49.247.117 (smtp-us-east1-p01-i01-si01.dlp.protect.broadcom.com)`) | Broadcom PSIRT reply from named engineer **Daniel Edelson** (`daniel.edelson@broadcom.com`); Cc **Ken Williams** (`ken.williams@broadcom.com`) + `psirt@broadcom.com`; outbound Message-Id locks threading via inbound `References:` header; **Tier-1.5 public repo** `github.com/JGoyd/BroadScope` (head commit `ba55b3f3c86b60ed63890a8c0f0f650c926f3baa`, tree `bffbc5e4…`, created 2026-04-03, last push 2026-04-07, public, 2 stars; contents: README.md, VULNERABILITY_REPORT.md 8228 B, THREAT_MODEL.md 12027 B, evidence/) | PENDING (batch 8 anchor script ready) | **Provisional** — **first US private-sector hardware-vendor PSIRT cryptographic anchor.** Vendor stance per filer (verbatim, preserved without endorsement): *"them claiming diamin awareness, not tehncialy discsyting or anything at all.. comelte bs"* — Broadcom's surface reply (domain-awareness acknowledgement) AND filer's characterization (substantive rejection) are both recorded. Reply body PGP-encrypted to filer's key. No exploit code shipped; repo + folder follow no-payload rule. Upgrades toward Strong on CVE assignment or vendor public advisory referencing BCM4387 coexistence SRAM. |
| `TRACK-B-Apple-CVE-2023-41064-Patch-Bypass-iOS-26-2-1` | (pending — no `*.apple.com` or VulnCheck-broker inbound `.eml` yet staged) | Filer outbound disclosure 2026-02-09 to Apple PSIRT via VulnCheck (BLASTPASS V2 markdown, 4710 B) + filer rebuttal 2026-02-13 20:47 EST (5340 B) + **paired binary `tracev3` artifacts with internal cryptographic-consistency anchor** (Build 23C71 trace SHA-256 `905b5cc8…` is cited inside the disclosure markdown; Build 23D127 trace SHA-256 `161df0cb…` is cited inside the rebuttal markdown — both match staged-file hashes byte-for-byte); 350-byte audit-tool stub `check_offsets.py`; filer maps five Apple iOS 26.3 CVE remediations (CVE-2026-20675 ImageIO, CVE-2026-20677 Messages-sandbox, CVE-2026-20678 Wallet/PassKit, CVE-2026-20634 ImageIO memory-handling, CVE-2026-20667 libxpc) onto the four subsystems named in the 2026-02-09 disclosure, with the iOS 26.3 release (2026-02-11) landing 2 days **before** Apple's 2026-02-13 written rejection | PENDING (batch 9 anchor script ready) | **Provisional** — closed-loop self-hash anchor between filer outbound documents and binary artifacts. Vendor stance preserved verbatim (Apple PSIRT 2026-02-13 17:14 EST: *"standard system behavior"* / *"no technical validity"*). The temporal-convergence claim (Apple iOS 26.3 release 2026-02-11 lands between filer's 2026-02-09 disclosure and Apple's 2026-02-13 rejection) is independently verifiable from Apple's own published security-update release dates. Per filer instruction, the paired private GitHub repository is **NOT referenced** in this folder, the ledger entry, or the anchor script. Upgrades to Strong on (a) `*.apple.com` DKIM-signed inbound, (b) Apple security-advisory cross-reference, or (c) third-party reproduction of the offset-displacement claim. No exploit code shipped. |

## What "bulletproof" requires going forward (per case)

For every case folder still labeled **Stub** or **Provisional**, the upgrade path is:

1. Drop the agency's **inbound acknowledgement `.eml`** (NOT the outbound copy — outbound has no signature you control). One per case.
2. Drop the **portal confirmation PDF** if the agency issued one.
3. If the agency uses a portal-only system (no email), drop a screenshot of the case page AND the case-page URL pattern that only the agency's server produces.
4. Run `ANCHOR-COMMANDS-*.sh` locally to attach `.ots` + `.asc` to every artifact.

Each inbound `.eml` you drop converts one Provisional case into Strong. The system is designed to absorb dozens of these without restructuring — just drop them, the intake workflow catalogs them.

## Reconciliation issues still open

1. **PGP key reconciliation:** canonical `4A04…2D11` vs. secondary `6DCB…DAF6`. Both the 2026-05-11 FCA supplement AND the 2026-04-27 OLAF reply ship the secondary fingerprint. Cross-attest both keys (sign each with the other) or formally retire one. See `canonical/index.md`.
2. **Running-Ledger `.asc` is 0 bytes** — needs re-signing.
3. ~~**Lithuania row hash mismatch** in ledger vs anchor2.txt.~~ **RESOLVED (this audit pass)**: ledger row #20 prefix `603409f4b01b` matches actual SHA `603409f4b01bfed46d22d7129ec22a1969f1a32921654b3559febbd4e62bc17d` byte-for-byte.
4. ~~**`TRACK-A-OLAF-Ref-00Db00K8yP` vs `TRACK-A-FCA-BoC-StanChart`** — reconciliation needed.~~ **RESOLVED (batch 4)**: FCA inbound `.eml` exposes `X-Sfdc-Lk: 00Db0000000K8yP` + `X-Sfdc-Entityid: 500Sk000019RuGn` — these are FCA Salesforce-internal Org-Link + Entity-ID, NOT an OLAF case number. The mislabeled `TRACK-A-OLAF-Ref-00Db00K8yP` folder has been **deleted** and replaced with `TRACK-A-OLAF-Mandelson-Carbyne` (the actual OLAF case is keyed by subject + Message-Id, not the `00Db*` prefix).

## Anchor scripts ready to run locally

- `evidence/ANCHOR-COMMANDS-2025-05-18.sh` — Track B batch (7 unique files across two cases)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch2.sh` — Track A batch (7 files across three cases: SEC TCR, FCA BoC, CPIB)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch3.sh` — mixed batch (7 files across three cases: NASA JPL TLS Track B, Japan ISA Track A, Taiwan NCC Track A)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch4.sh` — batch 4 (9 unique-content files across seven cases: FCA, CPIB, OLAF-Mandelson, DOE-NE, TW-NCC Fa-Wen, SK-GenPro potvrdenka, DOE-417)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch5.sh` — batch 5+6 (11 unique-content files across eight cases: SK-PP, MA-AGO ack + report, OLAF-inbound, DOJ-FARA, DOE-EOC, Paris PNF outbound+inbound, Ossoff Senate outbound+inbound, LT-PAIS transmittal)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch6.sh` — batch 7 (5 unique-content files across two cases: TRACK-B-MSRC-112639 VUIT precursor + MSRC Update-1 zip + bin-payload zip + GitHub repo snapshot, and TRACK-A-Colombia-Consulate-Atlanta hand-delivered referral PDF)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch7.sh` — batch 8 (2 net-new unique-content files across two cases: TRACK-A-USN-InsiderThreat-AirCenter-Tinney outbound and TRACK-A-IRS-FORM-211 Form-211 packet PDF)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch8.sh` — batch 9 (5 net-new unique-content files across two cases: TRACK-B-Broadcom-BCM4387-BroadScope outbound headers + inbound .eml + inbound headers, and TRACK-A-CISA-INC0625285-iOS-Bypass inbound .eml + inbound headers)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch9.sh` — batch 10 (9 net-new unique-content files across two cases: TRACK-B-Apple-CVE-2023-41064-Patch-Bypass-iOS-26-2-1 with 6 staged artifacts including 2 binary `tracev3` captures, and TRACK-B-IC3-067b3177c3524c80bce02cca08064d11 Stub-to-Provisional upgrade with 3 staged iDrive-Exfil bundle artifacts)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch10.sh` — batch 11 (2 net-new unique-content files across two cases: TRACK-B-CNVD-2025-06744 and TRACK-B-CNVD-2025-07885 sovereign-CERT certificate PDFs)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch11.sh` — **NEW** — batch 12 (2 net-new unique-content files in one case: TRACK-A-FCA-BoC-StanChart 2026-05-08 named-officer substantive inbound + 2026-05-13 named-officer supervisory-referral attestation inbound, both DKIM-signed by `fca.org.uk` selector `intactfcaorguk2`)

After running all eleven, **65 source files** will carry `.ots` + `.asc`. Run `ots upgrade *.ots` ~1h later (then again ~24h later if not yet confirmed) to attach the Bitcoin block-header attestation to each.

## Cumulative Tier-1 DKIM-signature domains (18 total, as of batch 10 — no new DKIM domains this batch; two new non-DKIM anchor classes recorded below)

| Domain | Selector(s) | Bits | Jurisdiction | First batch |
|---|---|---|---|---|
| `cert.org` | (CERT/CC) | — | US (CMU SEI) | batch 1 (Track B) |
| `amazonses.com` | ×3 selectors (CERT/CC + CPIB) | 1024 | (transport SES) | batches 1, 4 |
| `yahoo.com` | (CERT/CC counter-sig) | — | US | batch 1 (Track B) |
| `sec.gov` | `secomms` | 2048 | US SEC | batch 2 |
| `genpro.gov.sk` | `genprogovsk` | 2048 | Slovak Republic GP | batch 2 |
| `ncc.gov.tw` | `google` | 2048 | Taiwan NCC | batch 3 |
| `fca.org.uk` | `intactfcaorguk2` | 2048 | UK FCA | batch 4 |
| `form.gov.sg` | (long) | 2048 | Singapore CPIB | batch 4 |
| `ec.europa.eu` | `s2601` | 2048 | **EU (OLAF)** | batch 5 |
| `usdoj.gov` | `doj` | 2048 | **US DOJ (FARA)** | batch 5 |
| `doe.gov` | `q2-2024-pp` | 2048 | US DOE (EOC NA-40) | batch 5 |
| `hq.doe.gov` | `selector1` | 2048 | US DOE HQ | batch 5 |
| `onbaseonline.com` | `2k20x` | 2048 | MA AGO (Hyland OnBase) | batch 5 |
| `justice.fr` | `pfai20240130` | 2048 | **French Ministry of Justice (PNF)** | batch 5+6 |
| `senate.gov` | `senate-pp2408` | 2048 | **US Senate (Ossoff office)** | batch 5+6 |
| `vanderbilt.edu` | `selector1` | 2048 | **US higher-education (Vanderbilt University IT / VUIT TeamDynamix)** | batch 7 |
| `broadcom.com` | `google` | 1024 | **US private-sector hardware-vendor PSIRT (Broadcom Inc.)** | batch 9 |
| `associates.cisa.dhs.gov` | `select1` | 2048 | **US DHS/CISA (contractor tenancy within agency M365 tenant)** | batch 9 |

**Tier 1.5 (agency SPF-pass without DKIM):** `prokuraturos.lt` (LT prosecutor; signed-PDF carries the cryptographic load).
**Tier 1.5 (third-party-verifiable public repo):** `github.com/JGoyd/m365-mime-type-confusion` — public coordinated-disclosure repo paired with `TRACK-B-MSRC-112639`; head commit `c4bca665…`, stego-withdrawal commit `a75ce46a…`. **Also**: `github.com/JGoyd/BroadScope` — public coordinated-disclosure repo paired with `TRACK-B-Broadcom-BCM4387-BroadScope`; head commit `ba55b3f3c86b60ed63890a8c0f0f650c926f3baa`, tree `bffbc5e4c458fdcd057db0f2c694c38f5bfabfb5`, created 2026-04-03T18:57:56Z, last push 2026-04-07T15:50:18Z, public, 2 stars. **Also**: `github.com/JGoyd/iDrive-Exfil` — public repository paired with `TRACK-B-IC3-067b3177c3524c80bce02cca08064d11`; **its public description field literally contains the IC3 Submission ID `067b3177c3524c80bce02cca08064d11`**, providing public-internet long-lived corroboration of the server-issued FBI submission token (visible since 2026-01-08T23:17:45Z, tree `810ab171bcefaff7942ebea0388fbec17214355a`, last push 2026-04-07T15:35:51Z, 1 star). This is the **first Tier-1.5 anchor in the system that uses a public-repo metadata field (not content) to corroborate a server-issued agency ID** — a distinct anchor class from the content-snapshot pattern used by MSRC and BroadScope.

## New non-DKIM anchor class added in batch 11

| Class | Tier slot | First case | Why it's a separate class |
|---|---|---|---|
| **Sovereign-CERT original-vulnerability certificate** | Tier 1 (substantive issuing-body finding) | `TRACK-B-CNVD-2025-06744` and `TRACK-B-CNVD-2025-07885` | The artifact is the issuing body's formal certificate naming the contributor under a sole-namespace server-issued certificate number. Distinct from DKIM-attested email (which proves message emission) and from public-repo content/metadata anchors (which prove third-party platform visibility) — the certificate document itself records a finding by CNCERT/CNVD that the named contributor's submission was recorded as an original-vulnerability contribution. Does NOT adjudicate vendor liability, patch mapping, or exploit reachability; Track B standing disclaimer applies. |

### Credit-asymmetry observation (filer-attested cross-reference, recorded as context not finding)

The Glass Cage flagship folder `TRACK-B-CVE-2025-24085-24201-43300` documents that Apple's public security advisories credit other reporters for the underlying CVE-2025-24085 / CVE-2025-24201 / CVE-2025-43300 patches, and CISA has not formally acknowledged the filer's contribution either. Within the same 2025 timeframe, CNCERT/CNVD issued two formal original-vulnerability certificates to the filer (this batch). The filer attests the CNVD entries cover the same underlying material as the Glass Cage CVE cluster. This is preserved as **filer-attested context** and is NOT an adjudicated CVE↔CNVD mapping; the CNVD certificates themselves do not assert any CVE-ID cross-reference.

## New non-DKIM anchor classes added in batch 10

| Class | Tier slot | First case | Why it's a separate class |
|---|---|---|---|
| **Closed-loop self-hash anchor** | Tier 2.5 (between server-pattern IDs and OTS+PGP) | `TRACK-B-Apple-CVE-2023-41064-Patch-Bypass-iOS-26-2-1` | Filer outbound disclosure documents cite SHA-256 hashes of binary artifacts inside their own body text. Any reader can recompute the hashes on the staged binaries and verify byte-for-byte. Defends against post-hoc artifact substitution at the cost of being one-party-generated. |
| **Public-repo-description corroboration of server-issued agency ID** | Tier 1.5 (distinct from content snapshot) | `TRACK-B-IC3-067b3177c3524c80bce02cca08064d11` | The agency-issued ID is embedded in a public-repo metadata field (description, not content), making it indexable by general internet archive services without requiring repo cloning. Survives even total content-bundle loss as long as one archive snapshot of the repo's metadata page exists. |

## Deferred items

**None.** The three Microsoft files deferred from batch 4 (*"focus on all of the file except for the last 3 microsoft ones..we can take that nice and slow"*) are fully processed in batch 7 (MSRC + Colombia). The pairing stub `TRACK-B-MSRC-112639` has been upgraded to Strong on the Vanderbilt `vanderbilt.edu` DKIM precursor anchor.

## Re-export collisions and byte-identical duplicates tracked

| Ledger # | Type | Canonical staged path | Notes |
|---|---|---|---|
| #63 (batch 8) | Re-export collision | `TRACK-A-DOE-NE-2026-05-02/evidence/DOE-NE-CFIUS-FINCEN-referral-2026-05-02.eml` | Second Proton export of the same nuclear-referral outbound; identical Message-Id and headers; only MIME boundary differs. Same send. Not re-staged. |
| #64 (batch 8) | Byte-identical duplicate | `TRACK-B-DOE-417/evidence/DOE-EOC-NA40-acknowledgement-2025-12-25.eml` | Re-affirmation of the canonical DOE EOC NA-40 Christmas inbound (SHA `5a8ff29de877…`). Not re-staged. |