Provenance Docs
A commit-integrated documentation framework for AI-piloted software development. The federal government has no standard for documenting who did what when AI assists the build. We built one.
| Repositories using this framework | 13 |
| Commits documented with human/AI attribution | 500+ |
| External tooling required | git (already everywhere) |
| Framework overhead per repo | 2 markdown files |
The Problem
AI broke the attribution chain
The USPTO requires human inventors on patents. DFARS 252.227-7014 requires identification of privately-developed vs government-funded software. NIST SP 800-218 requires provenance tracking for software components. EO 14028 mandates supply chain transparency.
None of these frameworks address AI-generated code. When a developer accepts AI output into a codebase, the IP boundary, the security audit trail, and the inventorship record all break.
Every federal contractor using AI is creating undocumented supply chain inputs right now.
The Solution: Two Documents
Timeline of Invention (TOI)
A dated, commit-linked record with a mandatory "AI Role" field on every entry. Documents what the human directed versus what the AI generated — at commit time, not months later.
Date — when the work shipped
What — concrete deliverable
Why — business or technical driver
Commit — git hash for traceability
AI Role — what AI generated vs what human directed and verified
Proof — link to artifact or test output
The "AI Role" field is the critical innovation. It forces the developer to articulate the human/AI boundary on every entry.
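A TOI entry can be checked mechanically before it is accepted into the repository. The following is an added example, not code from the framework or its repositories: it assumes entries are blank-line-separated blocks of `Field: value` lines (the page names the six fields but not the file layout), and `parse_entries`, `lint_toi` and the sample entries are constructed for illustration.

```python
import re

# Field names are from the page; the "Field: value" layout is an assumption.
REQUIRED = ("Date", "What", "Why", "Commit", "AI Role", "Proof")
HASH_RE = re.compile(r"[0-9a-f]{7,40}")  # assumed: abbreviated or full SHA-1
PLACEHOLDERS = {"", "n/a", "tbd", "todo", "-"}  # values that state no boundary

# Constructed sample: entry 0 passes; entry 1 has placeholders and no Proof.
SAMPLE = """\
Date: 2026-01-05
What: Rate limiter for the proxy
Why: Abuse reports
Commit: 3f2a9c1
AI Role: AI drafted the token bucket; human set limits and reviewed tests
Proof: PROOF_OF_ARTIFACTS.md

Date: 2026-01-06
What: Config loader refactor
Why: Startup failures
Commit: pending
AI Role: TBD
"""

def parse_entries(text):
    """Split TOI text into a list of {field: value} dicts, one per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip() in REQUIRED:
                fields[key.strip()] = value.strip()
        if fields:
            entries.append(fields)
    return entries

def lint_toi(text):
    """Return {entry index: [problems]} for entries that fail the checks."""
    report = {}
    for i, f in enumerate(parse_entries(text)):
        problems = [f"missing {n}" for n in REQUIRED if n not in f]
        if f.get("AI Role", "x").lower() in PLACEHOLDERS:
            problems.append("AI Role is a placeholder")
        if "Commit" in f and not HASH_RE.fullmatch(f["Commit"]):
            problems.append("Commit is not a git hash")
        if problems:
            report[i] = problems
    return report
```

Run from a pre-commit hook or CI job, a non-empty report would block the commit until every entry states its human/AI boundary and points at a real hash.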
Proof of Artifacts (POA)
Architecture diagrams, build metrics, screenshots, and exact verification commands proving the software is real, runs, and does what the TOI claims.
Any reviewer can clone the repo, run the commands, and confirm. This is not documentation — it is a reproducibility contract.
No Word documents. No slide decks. Verifiable evidence in the repository alongside the code.
Live Proof
13 repositories, all public, all using this framework
cochranblock — production site, 18MB binary
provenance-docs — this framework's whitepaper and spec
ghost-fabric — edge intelligence over LoRa mesh
kova — AI augment engine
pixel-forge — on-device diffusion models
pocket-server — phone-as-web-server
approuter — reverse proxy
oakilydokily — client site
illbethejudgeofthat — pro se case builder
whyyoulying — DoD fraud detection
exopack — test framework
rogue-repo — app store + payment engine
wowasticker — behavioral scoring app
Every repo contains TIMELINE_OF_INVENTION.md and PROOF_OF_ARTIFACTS.md. Click any link and verify.
Federal Acquisition Mapping
CDRL integration
DI-IPSC-81435 (Software Design Description) → POA Architecture section
DI-IPSC-81438 (Software Product Specification) → POA Build Output section
DI-MGMT-81466 (Engineering Change Proposal) → TOI entries
DI-IPSC-81441 (Software Test Report) → POA How to Verify section
TOI and POA replace or augment existing CDRLs — no new paperwork categories needed.
Compliance coverage
DFARS 252.227-7014 — "AI Role" field documents the private/government development boundary
EO 14028 — treats AI output as a supply chain input requiring provenance
NIST SP 800-218 (SSDF) — extends provenance tracking to AI-generated components
SBOM (NTIA) — POA serves as an AI-aware extension to the Software Bill of Materials
One framework, four compliance requirements addressed.
Who Built This
The Cochran Block, LLC
Michael Cochran — Army veteran (17C Cyber Operations, 35Q start at JCAC 2013). 13 years defense and enterprise. USCYBERCOM J38 dev lead for a Congressional NDAA-directed offensive cyber operations study.
SDVOSB pending. SAM.gov registered. Maryland eMMA vendor.
This framework was not designed in a lab. It was built by a developer who needed to prove that his AI-assisted code was human-directed — and discovered that no standard existed to do so.