4QAttest
The cryptographic system of record. Tamper-evident, PQC-signed, regulator-shareable.
A SHA-256 hash chain with RFC 6962 inclusion + consistency proofs, every entry signed with ML-DSA-87, optionally anchored to dual RFC 3161 TSAs. The only artifact that defends a director in deposition.
PQC-signed Merkle ledger
ML-DSA-87 (FIPS 204) on every leaf. SHA-256 + RFC 6962 hash chain. Inclusion + consistency proofs queryable from the public verifier.
Forward-secure epoch keys
Per-epoch signing keys with NIST SP 800-57 lifecycle: expires_utc, rotated_from_key_id, full provenance trail.
Dual-TSA anchoring
Optional RFC 3161 anchoring against two independent TSAs (e.g. freetsa.org + DigiCert) for non-repudiation evidence external to your tenant.
Auditor-shareable bundles
Signed JSON or PDF/A-3b evidence packs with embedded ledger segment, Merkle inclusion proofs, and TSA tokens. Open in any verifier.
SDK + CLI
Python (sync + async), TypeScript, and Go bindings. `4q attest verify packet.json` ✅ in 2s offline.
WORM by contract
Ledger entries are never deleted. Retention applies only to scanning findings (configurable RETENTION_DAYS). Meets SEC 17a-4(f), SOX §802, FINRA 4511.