Tampering Detection Matrix
This matrix groups every WALK_* tampering code emitted by the current standalone verifier source into audit categories. When the verifier prints one of these codes, treat the export as untrusted until the failure is explained.
The verifier also prints non-coded FAILED: messages for missing files, malformed manifests, public-key resolution failures, unsigned checkpoints, checkpoint digest mismatches, and TSA receipt failures. Those are verification failures too. They are not WALK_* tampering codes, but you should preserve the output and follow the same incident-response path.
Chain Integrity Failure
These failures mean the exported event chain no longer recomputes or orders correctly.
| Error code | Audit meaning | What you should do next |
|---|---|---|
WALK_RECORD_HASH_MISMATCH | An event’s hash no longer matches its content. Someone modified the audit log, or the export was corrupted after signing. | Preserve the original files and stderr. Re-run from a clean download. If it repeats, escalate as an audit-integrity incident and contact security@keelapi.com. |
WALK_PREV_HASH_DISCONTINUITY | The chain link between two events is broken. Someone deleted events, inserted events, reordered events, or supplied an incomplete chain segment inside the exported window. | Request a fresh export with include_chain_entries=true. If the same window fails again, escalate and request bracket checkpoints around the affected time range. |
WALK_SEQUENCE_INVERSION | Event ordering was tampered with, or a sequence field is malformed. The verifier cannot trust the event order in the bundle. | Treat the chain walk as failed. Request a fresh export. Escalate if the same sequence break appears in the fresh export. |
Signature Verification Failure
These failures mean a signed lifecycle artifact no longer verifies under the expected public material.
| Error code | Audit meaning | What you should do next |
|---|---|---|
WALK_CLOSURE_SIGNATURE_INVALID | The closure record’s cryptographic signature failed. Either the closure record was tampered with, required signed fields are missing, or the signing key is not the one in the public manifest. | Confirm you used the correct public key manifest for the environment. Re-run with --key-manifest-url https://api.keelapi.com/v1/compliance/keys or a pinned manifest. Escalate if it repeats. |
Lifecycle Consistency Failure
These failures mean the signed closure evidence disagrees with provider, client, or dispatch evidence in the lifecycle record.
| Error code | Audit meaning | What you should do next |
|---|---|---|
WALK_CLOSURE_DIGEST_MISMATCH | The closure record claims one provider/client response digest, but the actual chain entry shows a different digest. It can also mean a closure digest-semantics field is not the expected verifier value. The provider response, client delivery evidence, or signed closure metadata was modified. | Preserve the output and affected permit_id. Request a fresh export for that permit’s time window. Escalate as a permit-lifecycle evidence failure if the mismatch repeats. |
WALK_CLOSURE_DISPATCH_DIGEST_MISMATCH | The closure record’s dispatch digest does not match the Phase A binding. Someone modified the request body bytes evidence for the request sent to the provider, or the closure was signed over the wrong dispatch digest. | Preserve the affected permit_id and output. Request a fresh export and the permit binding record for the same execution. Escalate as a request-dispatch evidence failure if it repeats. |
Evidence Omission Detected
Auditors and insurers often treat missing evidence differently from contradictory evidence. This category calls out absence, omission, or suppression of required lifecycle evidence as its own review path.
| Error code | Audit meaning | What you should do next |
|---|---|---|
WALK_CLOSURE_DIGEST_MISSING | The closure claims the request completed normally but is missing required provider-response or client-delivery evidence. | Request a fresh export with chain entries. If the evidence is still absent, treat the permit closure as unverifiable and escalate to your Keel admin and Keel Security. |
Format / Schema Failure
These failures mean the verifier cannot safely interpret the chain or closure format.
| Error code | Audit meaning | What you should do next |
|---|---|---|
WALK_UNKNOWN_CHAIN_FORMAT | The export uses a chain format the verifier does not recognize. Either upgrade the verifier or treat the export as untrusted. | Confirm your verifier version. Re-run with the current verifier distribution. If it still fails, ask Keel for the export schema and do not rely on the bundle until the format is supported. |
WALK_UNKNOWN_CLOSURE_FORMAT | The closure record uses an unrecognized format version. The verifier cannot interpret its signed payload or digest references. | Upgrade the verifier first. If the current verifier still does not recognize the format, do not rely on closure verification for this export and contact security@keelapi.com. |
Escalation packet
When you contact Keel Security, include:
- the export ID and requested time window;
- the exact verifier command;
- the verifier version or commit;
- the public key manifest source;
- SHA-256 hashes of the bundle and manifests;
- stdout and stderr exactly as printed;
- the affected
event_idorpermit_id, if the verifier printed one.
Do not send PHI, PCI data, or customer confidential prompt/response content unless your incident-response process and contract explicitly allow it. The verifier output is usually enough for first triage.