{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2025:K5RN43FMGDESN5B5UASIRR6C3W","short_pith_number":"pith:K5RN43FM","canonical_record":{"source":{"id":"2510.09023","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.LG","submitted_at":"2025-10-10T05:51:04Z","cross_cats_sorted":["cs.CR"],"title_canon_sha256":"b174234e6403764ed3fc1a0c33e209a434fec54ea215d443cfe73f4c4e31d5f1","abstract_canon_sha256":"5489c59026daf924dd2a56d570d092f4274c87bdfd22204cabcaa3d10fac6a9b"},"schema_version":"1.0"},"canonical_sha256":"5762de6cac30c926f43da02488c7c2ddb885f3ec2002b4c0ef4b6e038b1bce74","source":{"kind":"arxiv","id":"2510.09023","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2510.09023","created_at":"2026-05-17T23:38:46Z"},{"alias_kind":"arxiv_version","alias_value":"2510.09023v1","created_at":"2026-05-17T23:38:46Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2510.09023","created_at":"2026-05-17T23:38:46Z"},{"alias_kind":"pith_short_12","alias_value":"K5RN43FMGDES","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"K5RN43FMGDESN5B5","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"K5RN43FM","created_at":"2026-05-18T12:33:37Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2025:K5RN43FMGDESN5B5UASIRR6C3W","target":"record","payload":{"canonical_record":{"source":{"id":"2510.09023","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.LG","submitted_at":"2025-10-10T05:51:04Z","cross_cats_sorted":["cs.CR"],"title_canon_sha256":"b174234e6403764ed3fc1a0c33e209a434fec54ea215d443cfe73f4c4e31d5f1","abstract_canon_sha256":"5489c59026daf924dd2a56d570d092f4274c87bdfd22204cabcaa3d10fac6a9b"},"schema_version":"1.0"},"canonical_sha256":"5762de6cac30c926f43da02488c7c2ddb885f3ec2002b4c0ef4b6e038b1bce74","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:38:46.921480Z","signature_b64":"tM0u33PEhJ01VxLFx6+5Rcq+PlipfVvkvHk0PN/fcQNnx1ka9foC/edbEylKbApYk8aM+VHpZZPBYb2vWXFuBQ==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"5762de6cac30c926f43da02488c7c2ddb885f3ec2002b4c0ef4b6e038b1bce74","last_reissued_at":"2026-05-17T23:38:46.920915Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:38:46.920915Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2510.09023","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:38:46Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"6GO4Jvz+xPOUndbMGGFKdL/IJ2PzgC1At1r7G+j8fSil2wxUGBtdOOa5XGvHNlBRHNAvltM5sASJHfpDOddhBw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-26T06:36:10.902070Z"},"content_sha256":"4723ddfc5e38d97b3fedbfc5fc36c73715ba4afdbc2a7ad237bef8457d1b7c4f","schema_version":"1.0","event_id":"sha256:4723ddfc5e38d97b3fedbfc5fc36c73715ba4afdbc2a7ad237bef8457d1b7c4f"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2025:K5RN43FMGDESN5B5UASIRR6C3W","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against Llm Jailbreaks and Prompt Injections","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Adaptive optimization methods bypass 12 recent defenses against LLM jailbreaks and prompt injections with over 90% success.","cross_cats":["cs.CR"],"primary_cat":"cs.LG","authors_text":"Abhradeep Thakurta, Andreas Terzis, Chawin Sitawarin, Florian Tram\\`er, Harsh Chaudhari, Ilia Shumailov, Jamie Hayes, Juliette Pluto, Kai Yuanqing Xiao, Michael Ilie, Milad Nasr, Nicholas Carlini, Sander V. Schulhoff, Shuang Song","submitted_at":"2025-10-10T05:51:04Z","abstract_excerpt":"How should we evaluate the robustness of language model defenses? Current defenses against jailbreaks and prompt injections (which aim to prevent an attacker from eliciting harmful knowledge or remotely triggering malicious actions, respectively) are typically evaluated either against a static set of harmful attack strings, or against computationally weak optimization methods that were not designed with the defense in mind. We argue that this evaluation process is flawed.\n  Instead, we should evaluate defenses against adaptive attackers who explicitly modify their attack strategy to counter a "},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"By systematically tuning and scaling general optimization techniques—gradient descent, reinforcement learning, random search, and human-guided exploration—we bypass 12 recent defenses with attack success rate above 90% for most; importantly, the majority of defenses originally reported near-zero attack success rates.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the adaptive optimization methods described fairly represent realistic attacker capabilities and were not over-optimized post-hoc against the specific defenses tested.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Adaptive attackers using optimization techniques bypass 12 recent LLM defenses with >90% success, showing that prior robustness claims relied on weak evaluations.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Adaptive optimization methods bypass 12 recent defenses against LLM jailbreaks and prompt injections with over 90% success.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"f4d55d408b9954bb878422ccc94f9b6e2d92e74c9b5e175eb9e741b59636a3df"},"source":{"id":"2510.09023","kind":"arxiv","version":1},"verdict":{"id":"f1650265-2183-46eb-a304-e05000de6ba4","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-16T18:50:13.936733Z","strongest_claim":"By systematically tuning and scaling general optimization techniques—gradient descent, reinforcement learning, random search, and human-guided exploration—we bypass 12 recent defenses with attack success rate above 90% for most; importantly, the majority of defenses originally reported near-zero attack success rates.","one_line_summary":"Adaptive attackers using optimization techniques bypass 12 recent LLM defenses with >90% success, showing that prior robustness claims relied on weak evaluations.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the adaptive optimization methods described fairly represent realistic attacker capabilities and were not over-optimized post-hoc against the specific defenses tested.","pith_extraction_headline":"Adaptive optimization methods bypass 12 recent defenses against LLM jailbreaks and prompt injections with over 90% success."},"references":{"count":12,"sample":[{"doi":"10.18653/v1/n19-1423","year":2025,"title":"AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents","work_id":"7b1b672f-e6b4-4df9-aa8b-3396a2eb8b16","ref_index":1,"cited_arxiv_id":"2406.13352","is_internal_anchor":true},{"doi":"10.1109/sp61157.2025.00250","year":2024,"title":"Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection","work_id":"7a8cfce1-ada7-4a7a-8516-6f16b1bd077b","ref_index":2,"cited_arxiv_id":"2302.12173","is_internal_anchor":true},{"doi":"10.18653/v1/2023.emnlp-main.302","year":2025,"title":"Ignore Previous Prompt: Attack Techniques For Language Models","work_id":"a7c5b6ec-3407-4330-96c8-3fc58e7d410b","ref_index":3,"cited_arxiv_id":"2211.09527","is_internal_anchor":true},{"doi":"","year":2024,"title":"Similarly to prior works, we use this benchmark to evaluate the jailbreak defenses","work_id":"459882c5-9f63-47ac-b062-ac78206a2cd6","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"We follow Chen et al","work_id":"d280f17e-a86a-4fe4-b595-85a965b6e448","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":12,"snapshot_sha256":"cf9b9dcc6a4624e279a063637d1a6395e5f212d40b023db1a25918951711192e","internal_anchors":3},"formal_canon":{"evidence_count":2,"snapshot_sha256":"341f2de6d9ceaa6ade6492896677f504454f37ea7d6c9b1f8ffc3d462bea0d6c"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":"f1650265-2183-46eb-a304-e05000de6ba4"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:38:46Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"/jKAq98Pe+Dc/dtH+76+W/Al+COqC8QOsBxJZXkhALCZlUROrdB9DosueYLuXVHsSVdZvxGW2DSJBCT3bzL8DQ==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-26T06:36:10.902773Z"},"content_sha256":"b19b65b14d90bc6186e060c1b61e3d164a77d1fe5599e7f061412379948d49d5","schema_version":"1.0","event_id":"sha256:b19b65b14d90bc6186e060c1b61e3d164a77d1fe5599e7f061412379948d49d5"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/K5RN43FMGDESN5B5UASIRR6C3W/bundle.json","state_url":"https://pith.science/pith/K5RN43FMGDESN5B5UASIRR6C3W/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/K5RN43FMGDESN5B5UASIRR6C3W/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-05-26T06:36:10Z","links":{"resolver":"https://pith.science/pith/K5RN43FMGDESN5B5UASIRR6C3W","bundle":"https://pith.science/pith/K5RN43FMGDESN5B5UASIRR6C3W/bundle.json","state":"https://pith.science/pith/K5RN43FMGDESN5B5UASIRR6C3W/state.json","well_known_bundle":"https://pith.science/.well-known/pith/K5RN43FMGDESN5B5UASIRR6C3W/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2025:K5RN43FMGDESN5B5UASIRR6C3W","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"5489c59026daf924dd2a56d570d092f4274c87bdfd22204cabcaa3d10fac6a9b","cross_cats_sorted":["cs.CR"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.LG","submitted_at":"2025-10-10T05:51:04Z","title_canon_sha256":"b174234e6403764ed3fc1a0c33e209a434fec54ea215d443cfe73f4c4e31d5f1"},"schema_version":"1.0","source":{"id":"2510.09023","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2510.09023","created_at":"2026-05-17T23:38:46Z"},{"alias_kind":"arxiv_version","alias_value":"2510.09023v1","created_at":"2026-05-17T23:38:46Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2510.09023","created_at":"2026-05-17T23:38:46Z"},{"alias_kind":"pith_short_12","alias_value":"K5RN43FMGDES","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"K5RN43FMGDESN5B5","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"K5RN43FM","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:b19b65b14d90bc6186e060c1b61e3d164a77d1fe5599e7f061412379948d49d5","target":"graph","created_at":"2026-05-17T23:38:46Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"By systematically tuning and scaling general optimization techniques—gradient descent, reinforcement learning, random search, and human-guided exploration—we bypass 12 recent defenses with attack success rate above 90% for most; importantly, the majority of defenses originally reported near-zero attack success rates."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"That the adaptive optimization methods described fairly represent realistic attacker capabilities and were not over-optimized post-hoc against the specific defenses tested."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"Adaptive attackers using optimization techniques bypass 12 recent LLM defenses with >90% success, showing that prior robustness claims relied on weak evaluations."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"Adaptive optimization methods bypass 12 recent defenses against LLM jailbreaks and prompt injections with over 90% success."}],"snapshot_sha256":"f4d55d408b9954bb878422ccc94f9b6e2d92e74c9b5e175eb9e741b59636a3df"},"formal_canon":{"evidence_count":2,"snapshot_sha256":"341f2de6d9ceaa6ade6492896677f504454f37ea7d6c9b1f8ffc3d462bea0d6c"},"paper":{"abstract_excerpt":"How should we evaluate the robustness of language model defenses? Current defenses against jailbreaks and prompt injections (which aim to prevent an attacker from eliciting harmful knowledge or remotely triggering malicious actions, respectively) are typically evaluated either against a static set of harmful attack strings, or against computationally weak optimization methods that were not designed with the defense in mind. We argue that this evaluation process is flawed.\n  Instead, we should evaluate defenses against adaptive attackers who explicitly modify their attack strategy to counter a ","authors_text":"Abhradeep Thakurta, Andreas Terzis, Chawin Sitawarin, Florian Tram\\`er, Harsh Chaudhari, Ilia Shumailov, Jamie Hayes, Juliette Pluto, Kai Yuanqing Xiao, Michael Ilie, Milad Nasr, Nicholas Carlini, Sander V. Schulhoff, Shuang Song","cross_cats":["cs.CR"],"headline":"Adaptive optimization methods bypass 12 recent defenses against LLM jailbreaks and prompt injections with over 90% success.","license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.LG","submitted_at":"2025-10-10T05:51:04Z","title":"The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against Llm Jailbreaks and Prompt Injections"},"references":{"count":12,"internal_anchors":3,"resolved_work":12,"sample":[{"cited_arxiv_id":"2406.13352","doi":"10.18653/v1/n19-1423","is_internal_anchor":true,"ref_index":1,"title":"AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents","work_id":"7b1b672f-e6b4-4df9-aa8b-3396a2eb8b16","year":2025},{"cited_arxiv_id":"2302.12173","doi":"10.1109/sp61157.2025.00250","is_internal_anchor":true,"ref_index":2,"title":"Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection","work_id":"7a8cfce1-ada7-4a7a-8516-6f16b1bd077b","year":2024},{"cited_arxiv_id":"2211.09527","doi":"10.18653/v1/2023.emnlp-main.302","is_internal_anchor":true,"ref_index":3,"title":"Ignore Previous Prompt: Attack Techniques For Language Models","work_id":"a7c5b6ec-3407-4330-96c8-3fc58e7d410b","year":2025},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":4,"title":"Similarly to prior works, we use this benchmark to evaluate the jailbreak defenses","work_id":"459882c5-9f63-47ac-b062-ac78206a2cd6","year":2024},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":5,"title":"We follow Chen et al","work_id":"d280f17e-a86a-4fe4-b595-85a965b6e448","year":2023}],"snapshot_sha256":"cf9b9dcc6a4624e279a063637d1a6395e5f212d40b023db1a25918951711192e"},"source":{"id":"2510.09023","kind":"arxiv","version":1},"verdict":{"created_at":"2026-05-16T18:50:13.936733Z","id":"f1650265-2183-46eb-a304-e05000de6ba4","model_set":{"reader":"grok-4.3"},"one_line_summary":"Adaptive attackers using optimization techniques bypass 12 recent LLM defenses with >90% success, showing that prior robustness claims relied on weak evaluations.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"Adaptive optimization methods bypass 12 recent defenses against LLM jailbreaks and prompt injections with over 90% success.","strongest_claim":"By systematically tuning and scaling general optimization techniques—gradient descent, reinforcement learning, random search, and human-guided exploration—we bypass 12 recent defenses with attack success rate above 90% for most; importantly, the majority of defenses originally reported near-zero attack success rates.","weakest_assumption":"That the adaptive optimization methods described fairly represent realistic attacker capabilities and were not over-optimized post-hoc against the specific defenses tested."}},"verdict_id":"f1650265-2183-46eb-a304-e05000de6ba4"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:4723ddfc5e38d97b3fedbfc5fc36c73715ba4afdbc2a7ad237bef8457d1b7c4f","target":"record","created_at":"2026-05-17T23:38:46Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"5489c59026daf924dd2a56d570d092f4274c87bdfd22204cabcaa3d10fac6a9b","cross_cats_sorted":["cs.CR"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.LG","submitted_at":"2025-10-10T05:51:04Z","title_canon_sha256":"b174234e6403764ed3fc1a0c33e209a434fec54ea215d443cfe73f4c4e31d5f1"},"schema_version":"1.0","source":{"id":"2510.09023","kind":"arxiv","version":1}},"canonical_sha256":"5762de6cac30c926f43da02488c7c2ddb885f3ec2002b4c0ef4b6e038b1bce74","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"5762de6cac30c926f43da02488c7c2ddb885f3ec2002b4c0ef4b6e038b1bce74","first_computed_at":"2026-05-17T23:38:46.920915Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-17T23:38:46.920915Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"tM0u33PEhJ01VxLFx6+5Rcq+PlipfVvkvHk0PN/fcQNnx1ka9foC/edbEylKbApYk8aM+VHpZZPBYb2vWXFuBQ==","signature_status":"signed_v1","signed_at":"2026-05-17T23:38:46.921480Z","signed_message":"canonical_sha256_bytes"},"source_id":"2510.09023","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:4723ddfc5e38d97b3fedbfc5fc36c73715ba4afdbc2a7ad237bef8457d1b7c4f","sha256:b19b65b14d90bc6186e060c1b61e3d164a77d1fe5599e7f061412379948d49d5"],"state_sha256":"2980a14ed02e95155771ac6679809cccdb510c5e42e6c3173e943c7775d7a6e8"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"fJu0T78mSz1cusyO8w1yoqOcUMGHiNxugdHhpeBMPcrwd4P8r5fWJB7l2j0FiK6GIcmAHtBomiyY+Hi1ZgIXCA==","signed_message":"bundle_sha256_bytes","signed_at":"2026-05-26T06:36:10.906198Z","bundle_sha256":"fbbb5c128ddb469171db8e5d88844c52c54cb5b7314cdecb6cf0f6ff2fc9453c"}}