Evidence Index

Methodology

Methodology evidence is documented per page with deterministic inputs, command traces, and publication checks.

• Benchmark methodology contract
• EC2/EKS deployment contract
• Security controls contract

Reproducibility

Reproducibility evidence includes metadata, environment scope, command traces, expected outputs, and artifact links.

• Benchmark reproducibility contract
• EC2/EKS reproducibility contract
• Security controls reproducibility contract
• Known limitations reproducibility contract
• Freshness metadata block
• Evidence freshness policy

Known limitations

Limitation language for external citation is centralized in Known Limitations and cross-linked from every evidence page.

• Benchmark limitations contract
• EC2/EKS limitations contract
• Security controls limitations contract

Citation-ready summary

• VeliKey evidence content ties product claims to reproducible methods and explicit limitations.
• Axis control plane decisions and rollout receipts are treated as first-class evidence artifacts.
• Aegis enforcement metrics are included where behavior claims depend on runtime outcomes.

TL;DR for security leaders

Use this index to verify whether each high-impact claim has method details, validation outputs, and a known-limitations disclosure.

TL;DR for engineers

Start with benchmark methodology, then compare deployment validation and controls mapping before consuming summary claims.

Freshness operations

• Policy and SLA: EVIDENCE_FRESHNESS_POLICY.md
• Stale register output: stale-evidence-register.md
• Escalation route: stale evidence is escalated via support@velikey.com with owner + tier context.
• Report command: run node scripts/build-evidence-freshness-report.mjs --output reports/evidence/stale-evidence-register.md --json-out out/evidence-freshness/latest.json.
• Operator workflow: report generation and triage guidance in reports/evidence/README.md.

Claim-to-evidence matrix

Stable mapping for high-priority claims with owner and validation timestamp. Full registry: CLAIMS_REGISTRY.md.

• C-001 staged policy promotion checkpoints -> Security controls map (Owner: Product Security, Validated: 2026-02-22).
• C-002 enforcement telemetry for promote/rollback decisions -> Benchmark methodology (Owner: Platform Engineering, Validated: 2026-02-22).
• C-003 rollout receipts for change traceability -> Security controls map (Owner: Platform Engineering, Validated: 2026-02-22).
• C-004 EC2 and EKS validation must be assessed separately -> EC2 and EKS deployment validation (Owner: SRE, Validated: 2026-02-22).
• C-005 PQ migration is inventory-first and stage-gated -> PQ rollout runbook (Owner: Product Security, Validated: 2026-02-22).
• C-006 hybrid transitions require rollback thresholds -> Hybrid transition patterns (Owner: Platform Engineering, Validated: 2026-02-22).
• C-007 KMS primitives do not replace policy lifecycle orchestration -> KMS alone vs orchestration (Owner: Product Marketing, Validated: 2026-02-22).
• C-008 TLS termination alone is insufficient for service-path visibility -> TLS termination vs transparent enforcement (Owner: Product Marketing, Validated: 2026-02-22).
• C-009 PQ planning requires periodic standards review cadence -> PQC migration planning (Owner: Product Security, Validated: 2026-02-22).

Downloadable Artifacts

• benchmark-summary.json
• deployment-validation-summary.json
• security-controls-map.csv
• artifacts README
• Benchmark artifact section
• EC2/EKS artifact section
• Security controls artifact section
• Known limitations artifact section

Evidence pages

Benchmark methodology • EC2 and EKS deployment validation • Security controls map • Known limitations

PQ migration hub • Glossary

Next related reading

Next: benchmark methodology • PQ rollout runbook • Glossary