Bluefield
Tamper-evident web data
Bluefield makes scraped data tamper-evident: every result is signed (Ed25519) over a SHA-256 content hash, so any later modification breaks verification. Run `npx bluefields verify` and a single changed byte fails the check — you always know whether the data is exactly what was fetched.
What is tamper-evident web data?
Tamper-evident web data carries a cryptographic seal that breaks if the content is altered after capture. It does not prevent edits — it makes any edit detectable, so you can trust that verified data is unchanged since it was fetched.
- Tamper-evidence
- A property where any modification after capture is detectable via a broken signature.
- Content hash (SHA-256)
- A fingerprint of the content; the signature is computed over it.
- Ed25519 signature
- The public-key signature over the manifest, made with a key in AWS KMS.
Bluefield capabilities
| Capability | Detail |
|---|---|
| Signed content hash | SHA-256 of the content, sealed by an Ed25519 signature |
| Offline verification | `npx bluefields verify` checks integrity with the published key |
| Change detection | Watch mode flags meaningful changes to a monitored page |
| Per-result coverage | Every live scrape result is signed |
| Self-host | Same tamper-evidence in your own deployment |
Frequently asked questions
- How does it detect tampering?
- The signature is computed over a SHA-256 hash of the content. If even one byte changes afterward, the recomputed hash no longer matches the signed one and verification fails.
- What is covered by the hash?
- The extracted content plus the canonical manifest fields (URL, fetch time, status, headers hash). Verification confirms both the content and that metadata are unaltered.
- Is the signing key public?
- The public key is published so anyone can verify offline. The private key is held in AWS KMS and never leaves it.