{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:LCHNSRQU5TKTEV3OKB5FGMZGTU","short_pith_number":"pith:LCHNSRQU","canonical_record":{"source":{"id":"2605.13138","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2026-05-13T08:05:14Z","cross_cats_sorted":["cs.CR","cs.LG"],"title_canon_sha256":"125a2503ddd8afa917efefeac7f6305df6d59d240ac648052088ac83ef698c0e","abstract_canon_sha256":"83003c56734c5fd8487d9151a3f7d87b5801d0694f464d65ac7a554701021518"},"schema_version":"1.0"},"canonical_sha256":"588ed94614ecd532576e507a5333269d1dbdd6fd8903af21838f7df46ed65458","source":{"kind":"arxiv","id":"2605.13138","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.13138","created_at":"2026-05-18T03:08:57Z"},{"alias_kind":"arxiv_version","alias_value":"2605.13138v1","created_at":"2026-05-18T03:08:57Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.13138","created_at":"2026-05-18T03:08:57Z"},{"alias_kind":"pith_short_12","alias_value":"LCHNSRQU5TKT","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"LCHNSRQU5TKTEV3O","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"LCHNSRQU","created_at":"2026-05-18T12:33:37Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:LCHNSRQU5TKTEV3OKB5FGMZGTU","target":"record","payload":{"canonical_record":{"source":{"id":"2605.13138","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2026-05-13T08:05:14Z","cross_cats_sorted":["cs.CR","cs.LG"],"title_canon_sha256":"125a2503ddd8afa917efefeac7f6305df6d59d240ac648052088ac83ef698c0e","abstract_canon_sha256":"83003c56734c5fd8487d9151a3f7d87b5801d0694f464d65ac7a554701021518"},"schema_version":"1.0"},"canonical_sha256":"588ed94614ecd532576e507a5333269d1dbdd6fd8903af21838f7df46ed65458","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-18T03:08:57.533054Z","signature_b64":"L2XgU9UghwPeL5923Zg/OTQITejnBn2MPJExapfnZ+XZ1qFTIWaftHrknFM0XB4f0nP+ZotJr1GHCLkBX+VPDQ==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"588ed94614ecd532576e507a5333269d1dbdd6fd8903af21838f7df46ed65458","last_reissued_at":"2026-05-18T03:08:57.532235Z","signature_status":"signed_v1","first_computed_at":"2026-05-18T03:08:57.532235Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2605.13138","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T03:08:57Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"jtJ2hISLElTC24dNqVPrrbN5sC6uVvdG4P7BWXqnH+pEqgeBTQOvd5FPGJiZZXc5751XTBxuhc5P6OY+NFpkAg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-23T17:53:03.543097Z"},"content_sha256":"fc7e57b2401258185089336ce719b842f9fefd0c34c2bbdd479a804927dafb35","schema_version":"1.0","event_id":"sha256:fc7e57b2401258185089336ce719b842f9fefd0c34c2bbdd479a804927dafb35"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:LCHNSRQU5TKTEV3OKB5FGMZGTU","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Code-Centric Detection of Vulnerability-Fixing Commits: A Unified Benchmark and Empirical Study","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"Code language models acquire no transferable security understanding from vulnerability-fixing code changes alone.","cross_cats":["cs.CR","cs.LG"],"primary_cat":"cs.SE","authors_text":"Felix M\\\"achtle, Joseph Bienh\\\"uls, Kristoffer Hempel, Nils Loose, Thomas Eisenbarth","submitted_at":"2026-05-13T08:05:14Z","abstract_excerpt":"Automated detection of vulnerability-fixing commits (VFCs) is critical for timely security patch deployment, as advisory databases lag patch releases by a median of 25 days and many fixes never receive advisories. We present a comprehensive evaluation of code language model based VFC detection through a unified framework consolidating over 20 fragmented datasets spanning more than 180000 commits. Across over 180 experiments with fine-tuned models from 125 M to 14 B parameters, we find no evidence that models acquire transferable security-relevant code understanding from code changes alone. Whe"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"We find no evidence that models acquire transferable security-relevant code understanding from code changes alone. When commit messages are available, they dominate model attention, and when removed, an attribution analysis shows that enriching diffs with additional intra-procedural semantic context does not shift model attention toward the code changes.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The consolidated datasets from prior sources contain accurate, unbiased labels for vulnerability-fixing commits and that the chosen evaluation splits (random, group-stratified, temporal) reflect realistic deployment conditions without unmeasured distributional shifts.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Code language models show no transferable security understanding from code diffs alone, rely on commit messages, miss over 93% of fixes at 0.5% false positive rate, and suffer large drops under group or temporal splits.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Code language models acquire no transferable security understanding from vulnerability-fixing code changes alone.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"25a1be96350817c713baecf030316abf00b64d86c8d8547d77c3207058b2a9b0"},"source":{"id":"2605.13138","kind":"arxiv","version":1},"verdict":{"id":"2516d9de-f028-4b7e-ab9a-2d88ca47ed50","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-14T18:35:52.994809Z","strongest_claim":"We find no evidence that models acquire transferable security-relevant code understanding from code changes alone. When commit messages are available, they dominate model attention, and when removed, an attribution analysis shows that enriching diffs with additional intra-procedural semantic context does not shift model attention toward the code changes.","one_line_summary":"Code language models show no transferable security understanding from code diffs alone, rely on commit messages, miss over 93% of fixes at 0.5% false positive rate, and suffer large drops under group or temporal splits.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The consolidated datasets from prior sources contain accurate, unbiased labels for vulnerability-fixing commits and that the chosen evaluation splits (random, group-stratified, temporal) reflect realistic deployment conditions without unmeasured distributional shifts.","pith_extraction_headline":"Code language models acquire no transferable security understanding from vulnerability-fixing code changes alone."},"references":{"count":69,"sample":[{"doi":"10.1145/3663533.3664036","year":2024,"title":"Jafar Akhoundali, Sajad Rahim Nouri, Kristian F. D. Rietveld, and Olga Gady- atskaya. 2024. MoreFixes: A Large-Scale Dataset of CVE Fix Commits Mined through Enhanced Repository Discovery. InProceedin","work_id":"d795933f-251b-448c-b3cd-51621a1f7c8a","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2022,"title":"Dos and Don’ts of Machine Learning in Computer Security","work_id":"03ad60b9-20e3-4f7e-8d3f-e984a2958cba","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"10.1145/3475960","year":2021,"title":"Guru Prasad Bhandari, Amara Naseer, and Leon Moonen. 2021. CVEfixes: automated collection of vulnerabilities and their fixes from open-source software. InPROMISE ’21: 17th International Conference on ","work_id":"ed6551bc-10bb-4663-9e7a-65eb97dc084f","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Max Brunsfeld. [n.d.]. Tree-sitter. https://github.com/tree-sitter/tree-sitter","work_id":"e32d1502-15d0-4f40-af79-04cac2c105d7","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"Tianyu Chen, Lin Li, Taotao Qian, Jingyi Liu, Wei Yang, Ding Li, Guangtai Liang, Qianxiang Wang, and Tao Xie. 2024. CompVPD: Iteratively Identifying Vulnerability Patches Based on Human Validation Res","work_id":"d04f0819-a582-4763-907e-aff185777919","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":69,"snapshot_sha256":"ba7a3ee75425b8a23c392ca1b79f358ea73f07777683b77ea192f59b8b0d5c53","internal_anchors":3},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":"2516d9de-f028-4b7e-ab9a-2d88ca47ed50"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T03:08:57Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"39UDnrRrB4iL2hO23P+MMAz0bs8ufF7bKjCVKET7d6vfBe5aSJ0PCscpsRYgdPyiDqjA/JvNtNm4F3z5PRnTBw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-23T17:53:03.543758Z"},"content_sha256":"b77331973dc4ab6cdd0a48df836210f4e800620e6dfc0ed28ecab099223d3467","schema_version":"1.0","event_id":"sha256:b77331973dc4ab6cdd0a48df836210f4e800620e6dfc0ed28ecab099223d3467"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/LCHNSRQU5TKTEV3OKB5FGMZGTU/bundle.json","state_url":"https://pith.science/pith/LCHNSRQU5TKTEV3OKB5FGMZGTU/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/LCHNSRQU5TKTEV3OKB5FGMZGTU/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-23T17:53:03Z","links":{"resolver":"https://pith.science/pith/LCHNSRQU5TKTEV3OKB5FGMZGTU","bundle":"https://pith.science/pith/LCHNSRQU5TKTEV3OKB5FGMZGTU/bundle.json","state":"https://pith.science/pith/LCHNSRQU5TKTEV3OKB5FGMZGTU/state.json","well_known_bundle":"https://pith.science/.well-known/pith/LCHNSRQU5TKTEV3OKB5FGMZGTU/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:LCHNSRQU5TKTEV3OKB5FGMZGTU","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"83003c56734c5fd8487d9151a3f7d87b5801d0694f464d65ac7a554701021518","cross_cats_sorted":["cs.CR","cs.LG"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2026-05-13T08:05:14Z","title_canon_sha256":"125a2503ddd8afa917efefeac7f6305df6d59d240ac648052088ac83ef698c0e"},"schema_version":"1.0","source":{"id":"2605.13138","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.13138","created_at":"2026-05-18T03:08:57Z"},{"alias_kind":"arxiv_version","alias_value":"2605.13138v1","created_at":"2026-05-18T03:08:57Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.13138","created_at":"2026-05-18T03:08:57Z"},{"alias_kind":"pith_short_12","alias_value":"LCHNSRQU5TKT","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"LCHNSRQU5TKTEV3O","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"LCHNSRQU","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:b77331973dc4ab6cdd0a48df836210f4e800620e6dfc0ed28ecab099223d3467","target":"graph","created_at":"2026-05-18T03:08:57Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"We find no evidence that models acquire transferable security-relevant code understanding from code changes alone. When commit messages are available, they dominate model attention, and when removed, an attribution analysis shows that enriching diffs with additional intra-procedural semantic context does not shift model attention toward the code changes."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"The consolidated datasets from prior sources contain accurate, unbiased labels for vulnerability-fixing commits and that the chosen evaluation splits (random, group-stratified, temporal) reflect realistic deployment conditions without unmeasured distributional shifts."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"Code language models show no transferable security understanding from code diffs alone, rely on commit messages, miss over 93% of fixes at 0.5% false positive rate, and suffer large drops under group or temporal splits."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"Code language models acquire no transferable security understanding from vulnerability-fixing code changes alone."}],"snapshot_sha256":"25a1be96350817c713baecf030316abf00b64d86c8d8547d77c3207058b2a9b0"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"Automated detection of vulnerability-fixing commits (VFCs) is critical for timely security patch deployment, as advisory databases lag patch releases by a median of 25 days and many fixes never receive advisories. We present a comprehensive evaluation of code language model based VFC detection through a unified framework consolidating over 20 fragmented datasets spanning more than 180000 commits. Across over 180 experiments with fine-tuned models from 125 M to 14 B parameters, we find no evidence that models acquire transferable security-relevant code understanding from code changes alone. Whe","authors_text":"Felix M\\\"achtle, Joseph Bienh\\\"uls, Kristoffer Hempel, Nils Loose, Thomas Eisenbarth","cross_cats":["cs.CR","cs.LG"],"headline":"Code language models acquire no transferable security understanding from vulnerability-fixing code changes alone.","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2026-05-13T08:05:14Z","title":"Code-Centric Detection of Vulnerability-Fixing Commits: A Unified Benchmark and Empirical Study"},"references":{"count":69,"internal_anchors":3,"resolved_work":69,"sample":[{"cited_arxiv_id":"","doi":"10.1145/3663533.3664036","is_internal_anchor":false,"ref_index":1,"title":"Jafar Akhoundali, Sajad Rahim Nouri, Kristian F. D. Rietveld, and Olga Gady- atskaya. 2024. MoreFixes: A Large-Scale Dataset of CVE Fix Commits Mined through Enhanced Repository Discovery. InProceedin","work_id":"d795933f-251b-448c-b3cd-51621a1f7c8a","year":2024},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":2,"title":"Dos and Don’ts of Machine Learning in Computer Security","work_id":"03ad60b9-20e3-4f7e-8d3f-e984a2958cba","year":2022},{"cited_arxiv_id":"","doi":"10.1145/3475960","is_internal_anchor":false,"ref_index":3,"title":"Guru Prasad Bhandari, Amara Naseer, and Leon Moonen. 2021. CVEfixes: automated collection of vulnerabilities and their fixes from open-source software. InPROMISE ’21: 17th International Conference on ","work_id":"ed6551bc-10bb-4663-9e7a-65eb97dc084f","year":2021},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":4,"title":"Max Brunsfeld. [n.d.]. Tree-sitter. https://github.com/tree-sitter/tree-sitter","work_id":"e32d1502-15d0-4f40-af79-04cac2c105d7","year":null},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":5,"title":"Tianyu Chen, Lin Li, Taotao Qian, Jingyi Liu, Wei Yang, Ding Li, Guangtai Liang, Qianxiang Wang, and Tao Xie. 2024. CompVPD: Iteratively Identifying Vulnerability Patches Based on Human Validation Res","work_id":"d04f0819-a582-4763-907e-aff185777919","year":2024}],"snapshot_sha256":"ba7a3ee75425b8a23c392ca1b79f358ea73f07777683b77ea192f59b8b0d5c53"},"source":{"id":"2605.13138","kind":"arxiv","version":1},"verdict":{"created_at":"2026-05-14T18:35:52.994809Z","id":"2516d9de-f028-4b7e-ab9a-2d88ca47ed50","model_set":{"reader":"grok-4.3"},"one_line_summary":"Code language models show no transferable security understanding from code diffs alone, rely on commit messages, miss over 93% of fixes at 0.5% false positive rate, and suffer large drops under group or temporal splits.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"Code language models acquire no transferable security understanding from vulnerability-fixing code changes alone.","strongest_claim":"We find no evidence that models acquire transferable security-relevant code understanding from code changes alone. When commit messages are available, they dominate model attention, and when removed, an attribution analysis shows that enriching diffs with additional intra-procedural semantic context does not shift model attention toward the code changes.","weakest_assumption":"The consolidated datasets from prior sources contain accurate, unbiased labels for vulnerability-fixing commits and that the chosen evaluation splits (random, group-stratified, temporal) reflect realistic deployment conditions without unmeasured distributional shifts."}},"verdict_id":"2516d9de-f028-4b7e-ab9a-2d88ca47ed50"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:fc7e57b2401258185089336ce719b842f9fefd0c34c2bbdd479a804927dafb35","target":"record","created_at":"2026-05-18T03:08:57Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"83003c56734c5fd8487d9151a3f7d87b5801d0694f464d65ac7a554701021518","cross_cats_sorted":["cs.CR","cs.LG"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2026-05-13T08:05:14Z","title_canon_sha256":"125a2503ddd8afa917efefeac7f6305df6d59d240ac648052088ac83ef698c0e"},"schema_version":"1.0","source":{"id":"2605.13138","kind":"arxiv","version":1}},"canonical_sha256":"588ed94614ecd532576e507a5333269d1dbdd6fd8903af21838f7df46ed65458","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"588ed94614ecd532576e507a5333269d1dbdd6fd8903af21838f7df46ed65458","first_computed_at":"2026-05-18T03:08:57.532235Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-18T03:08:57.532235Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"L2XgU9UghwPeL5923Zg/OTQITejnBn2MPJExapfnZ+XZ1qFTIWaftHrknFM0XB4f0nP+ZotJr1GHCLkBX+VPDQ==","signature_status":"signed_v1","signed_at":"2026-05-18T03:08:57.533054Z","signed_message":"canonical_sha256_bytes"},"source_id":"2605.13138","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:fc7e57b2401258185089336ce719b842f9fefd0c34c2bbdd479a804927dafb35","sha256:b77331973dc4ab6cdd0a48df836210f4e800620e6dfc0ed28ecab099223d3467"],"state_sha256":"0f06fd121c53cf96947be449ad6afd160c125a9b433c47d78dc8348147156158"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"S77Cispv/qSAFYsq8p8U8FCh84tMVsKLfH4VaDa9QQqFkMwcr2m5OW0uyQyEhzJYPm5Oyhl3zDH/o7fwvLFMCw==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-23T17:53:03.546426Z","bundle_sha256":"86429a1ab3aca7780be3a8148c45fe1e0328bae757e03ffcd3c830803411e796"}}