ProofTrail distinguishes between repository-generated summaries and strong release-grade proof.
The repository may generate:
These outputs help humans inspect release state, but they must not be marketed as cryptographically strong proof unless a verifiable signing workflow exists.
Public release notes and docs must say one of these two things:
Never blur the line between the two.