{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:PEFOSZGMUAUJME6CZGAGY4BZNA","short_pith_number":"pith:PEFOSZGM","canonical_record":{"source":{"id":"2605.17634","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-17T19:55:39Z","cross_cats_sorted":["cs.CL","cs.CY"],"title_canon_sha256":"41e69e9f6da55d275114f692102a0c685f30e2d2d0245d4e50753c4129fa3e5a","abstract_canon_sha256":"413d9222131eeb234316a59e9182c7190dd64cd9f619e582dfb31613e1145044"},"schema_version":"1.0"},"canonical_sha256":"790ae964cca0289613c2c9806c703968147a577a9956eb045545249c7fcecd0e","source":{"kind":"arxiv","id":"2605.17634","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.17634","created_at":"2026-05-20T00:04:49Z"},{"alias_kind":"arxiv_version","alias_value":"2605.17634v1","created_at":"2026-05-20T00:04:49Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.17634","created_at":"2026-05-20T00:04:49Z"},{"alias_kind":"pith_short_12","alias_value":"PEFOSZGMUAUJ","created_at":"2026-05-20T00:04:49Z"},{"alias_kind":"pith_short_16","alias_value":"PEFOSZGMUAUJME6C","created_at":"2026-05-20T00:04:49Z"},{"alias_kind":"pith_short_8","alias_value":"PEFOSZGM","created_at":"2026-05-20T00:04:49Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:PEFOSZGMUAUJME6CZGAGY4BZNA","target":"record","payload":{"canonical_record":{"source":{"id":"2605.17634","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-17T19:55:39Z","cross_cats_sorted":["cs.CL","cs.CY"],"title_canon_sha256":"41e69e9f6da55d275114f692102a0c685f30e2d2d0245d4e50753c4129fa3e5a","abstract_canon_sha256":"413d9222131eeb234316a59e9182c7190dd64cd9f619e582dfb31613e1145044"},"schema_version":"1.0"},"canonical_sha256":"790ae964cca0289613c2c9806c703968147a577a9956eb045545249c7fcecd0e","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-20T00:04:49.681035Z","signature_b64":"nrkInY9JIpeudxkAWiI2VCnDRLR9w/RcrMKrQFAD3pwfeFCWK1l0E9TrS+S2VPaUi5BVslGfORGulGYT6ylKAg==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"790ae964cca0289613c2c9806c703968147a577a9956eb045545249c7fcecd0e","last_reissued_at":"2026-05-20T00:04:49.680053Z","signature_status":"signed_v1","first_computed_at":"2026-05-20T00:04:49.680053Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2605.17634","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-20T00:04:49Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"pYPkVQQco5QE3v9uMT+3vHQ/dUHiPIpzNvqAo5WJah3DSdOhoJme4ND30ha9z564NAzoRO0aqZuCWV4OyBU1BQ==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-08T23:12:41.229532Z"},"content_sha256":"e3a543fd708c22372917b65a9b653a355e3f3e449760eda82e5fc593db12f290","schema_version":"1.0","event_id":"sha256:e3a543fd708c22372917b65a9b653a355e3f3e449760eda82e5fc593db12f290"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:PEFOSZGMUAUJME6CZGAGY4BZNA","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"AI Agents May Always Fall for Prompt Injections","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"An adversary can always construct a context that makes a malicious prompt injection appear as a legitimate information flow to an AI agent.","cross_cats":["cs.CL","cs.CY"],"primary_cat":"cs.CR","authors_text":"Eugene Bagdasarian, Sahar Abdelnabi","submitted_at":"2026-05-17T19:55:39Z","abstract_excerpt":"Prompt injection is the most critical vulnerability in deployed AI agents. Despite recent progress, we show that the prevailing defense paradigm (data-instruction separation) both fails to detect attacks that operate through contextual manipulation and degrades contextually appropriate behavior. We then recast prompt injection via the lens of Contextual Integrity (CI), a privacy theory that judges information flow compliance with contextual norms. This explains types of attacks that current defenses attempt to patch and predict advanced ones future agents will face. We develop unique benign an"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"an adversary can always construct a context under which a blocked flow appears legitimate, or a defender who tightens norms will block genuinely legitimate flows","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the Contextual Integrity norms can be unambiguously defined and applied to AI agent information flows in a way that distinguishes legitimate from illegitimate flows without circular reference to the attacks themselves (abstract, paragraph on recasting via CI lens).","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Recasting prompt injection as violations of Contextual Integrity norms reveals an impossibility: adversaries can always reframe contexts to legitimize blocked flows or defenders will block legitimate ones.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"An adversary can always construct a context that makes a malicious prompt injection appear as a legitimate information flow to an AI agent.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"1851aee280cbf45d0267ead046c75eade9d2c5c5766cea314f300e740bfe4117"},"source":{"id":"2605.17634","kind":"arxiv","version":1},"verdict":{"id":"86dffbaa-c854-4e13-a6ea-678c3902ace8","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-19T22:48:47.218856Z","strongest_claim":"an adversary can always construct a context under which a blocked flow appears legitimate, or a defender who tightens norms will block genuinely legitimate flows","one_line_summary":"Recasting prompt injection as violations of Contextual Integrity norms reveals an impossibility: adversaries can always reframe contexts to legitimize blocked flows or defenders will block legitimate ones.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the Contextual Integrity norms can be unambiguously defined and applied to AI agent information flows in a way that distinguishes legitimate from illegitimate flows without circular reference to the attacks themselves (abstract, paragraph on recasting via CI lens).","pith_extraction_headline":"An adversary can always construct a context that makes a malicious prompt injection appear as a legitimate information flow to an AI agent."},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2605.17634/integrity.json","findings":[],"available":true,"detectors_run":[{"name":"doi_title_agreement","ran_at":"2026-05-19T23:01:19.424220Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"doi_compliance","ran_at":"2026-05-19T23:00:54.164053Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"cited_work_retraction","ran_at":"2026-05-19T22:52:43.555172Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"ai_meta_artifact","ran_at":"2026-05-19T21:33:23.556842Z","status":"skipped","version":"1.0.0","findings_count":0},{"name":"claim_evidence","ran_at":"2026-05-19T21:21:57.480087Z","status":"completed","version":"1.0.0","findings_count":0}],"snapshot_sha256":"e4d2bc8a18531fe1d918adf1dbe1054b76b5c8849af417e469ee35cc96cfad9f"},"references":{"count":28,"sample":[{"doi":"","year":null,"title":"Email length and realism: External content should be at least 80 words with real business context","work_id":"1fd26b6a-6c80-4c62-9288-12547b215b03","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"External content similarity: Attack and benign must be nearly identical in length (within 15 words), tone, and structure","work_id":"95bf57b4-e518-4a97-8bbf-67cb17d4553b","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"No obvious tells: The attack version should not be noticeably longer, more formal, more urgent, or more suspicious","work_id":"26fb34df-1814-49bb-b306-3352cf7931e3","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Diverse scenarios: Cover a wide range of professional contexts","work_id":"04ed4cde-62b2-4a04-8b7b-cd3a912f0085","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Diverse injection techniques: Vary the technique across items","work_id":"909d9312-c9ec-4407-b473-b05984c3dc7f","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":28,"snapshot_sha256":"43e3a96f70181efd5d22bd60b2f062d0ec14ab40687d1bd04a08cbc8e8261a4b","internal_anchors":0},"formal_canon":{"evidence_count":2,"snapshot_sha256":"edaa5a85a27be38443d0eead0fabb241337bad5d8ab0e1cddcae9eb5f8d08e8a"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":"86dffbaa-c854-4e13-a6ea-678c3902ace8"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-20T00:04:49Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"pYN4FdvWbhfQ0Jo0m44YmbeOA9lk3I2YDLJ6OBEbGgypxbCukPpBtq3qrm/406MyoWVa3tUq2P5/g4hH2UmjAA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-08T23:12:41.230147Z"},"content_sha256":"e703f023627a1c5bb8e12f83e4bd7170a95c45010dffd490b06d22ae329919ef","schema_version":"1.0","event_id":"sha256:e703f023627a1c5bb8e12f83e4bd7170a95c45010dffd490b06d22ae329919ef"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/PEFOSZGMUAUJME6CZGAGY4BZNA/bundle.json","state_url":"https://pith.science/pith/PEFOSZGMUAUJME6CZGAGY4BZNA/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/PEFOSZGMUAUJME6CZGAGY4BZNA/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-08T23:12:41Z","links":{"resolver":"https://pith.science/pith/PEFOSZGMUAUJME6CZGAGY4BZNA","bundle":"https://pith.science/pith/PEFOSZGMUAUJME6CZGAGY4BZNA/bundle.json","state":"https://pith.science/pith/PEFOSZGMUAUJME6CZGAGY4BZNA/state.json","well_known_bundle":"https://pith.science/.well-known/pith/PEFOSZGMUAUJME6CZGAGY4BZNA/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:PEFOSZGMUAUJME6CZGAGY4BZNA","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"413d9222131eeb234316a59e9182c7190dd64cd9f619e582dfb31613e1145044","cross_cats_sorted":["cs.CL","cs.CY"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-17T19:55:39Z","title_canon_sha256":"41e69e9f6da55d275114f692102a0c685f30e2d2d0245d4e50753c4129fa3e5a"},"schema_version":"1.0","source":{"id":"2605.17634","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.17634","created_at":"2026-05-20T00:04:49Z"},{"alias_kind":"arxiv_version","alias_value":"2605.17634v1","created_at":"2026-05-20T00:04:49Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.17634","created_at":"2026-05-20T00:04:49Z"},{"alias_kind":"pith_short_12","alias_value":"PEFOSZGMUAUJ","created_at":"2026-05-20T00:04:49Z"},{"alias_kind":"pith_short_16","alias_value":"PEFOSZGMUAUJME6C","created_at":"2026-05-20T00:04:49Z"},{"alias_kind":"pith_short_8","alias_value":"PEFOSZGM","created_at":"2026-05-20T00:04:49Z"}],"graph_snapshots":[{"event_id":"sha256:e703f023627a1c5bb8e12f83e4bd7170a95c45010dffd490b06d22ae329919ef","target":"graph","created_at":"2026-05-20T00:04:49Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"an adversary can always construct a context under which a blocked flow appears legitimate, or a defender who tightens norms will block genuinely legitimate flows"},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"That the Contextual Integrity norms can be unambiguously defined and applied to AI agent information flows in a way that distinguishes legitimate from illegitimate flows without circular reference to the attacks themselves (abstract, paragraph on recasting via CI lens)."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"Recasting prompt injection as violations of Contextual Integrity norms reveals an impossibility: adversaries can always reframe contexts to legitimize blocked flows or defenders will block legitimate ones."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"An adversary can always construct a context that makes a malicious prompt injection appear as a legitimate information flow to an AI agent."}],"snapshot_sha256":"1851aee280cbf45d0267ead046c75eade9d2c5c5766cea314f300e740bfe4117"},"formal_canon":{"evidence_count":2,"snapshot_sha256":"edaa5a85a27be38443d0eead0fabb241337bad5d8ab0e1cddcae9eb5f8d08e8a"},"integrity":{"available":true,"clean":true,"detectors_run":[{"findings_count":0,"name":"doi_title_agreement","ran_at":"2026-05-19T23:01:19.424220Z","status":"completed","version":"1.0.0"},{"findings_count":0,"name":"doi_compliance","ran_at":"2026-05-19T23:00:54.164053Z","status":"completed","version":"1.0.0"},{"findings_count":0,"name":"cited_work_retraction","ran_at":"2026-05-19T22:52:43.555172Z","status":"completed","version":"1.0.0"},{"findings_count":0,"name":"ai_meta_artifact","ran_at":"2026-05-19T21:33:23.556842Z","status":"skipped","version":"1.0.0"},{"findings_count":0,"name":"claim_evidence","ran_at":"2026-05-19T21:21:57.480087Z","status":"completed","version":"1.0.0"}],"endpoint":"/pith/2605.17634/integrity.json","findings":[],"snapshot_sha256":"e4d2bc8a18531fe1d918adf1dbe1054b76b5c8849af417e469ee35cc96cfad9f","summary":{"advisory":0,"by_detector":{},"critical":0,"informational":0}},"paper":{"abstract_excerpt":"Prompt injection is the most critical vulnerability in deployed AI agents. Despite recent progress, we show that the prevailing defense paradigm (data-instruction separation) both fails to detect attacks that operate through contextual manipulation and degrades contextually appropriate behavior. We then recast prompt injection via the lens of Contextual Integrity (CI), a privacy theory that judges information flow compliance with contextual norms. This explains types of attacks that current defenses attempt to patch and predict advanced ones future agents will face. We develop unique benign an","authors_text":"Eugene Bagdasarian, Sahar Abdelnabi","cross_cats":["cs.CL","cs.CY"],"headline":"An adversary can always construct a context that makes a malicious prompt injection appear as a legitimate information flow to an AI agent.","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-17T19:55:39Z","title":"AI Agents May Always Fall for Prompt Injections"},"references":{"count":28,"internal_anchors":0,"resolved_work":28,"sample":[{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":1,"title":"Email length and realism: External content should be at least 80 words with real business context","work_id":"1fd26b6a-6c80-4c62-9288-12547b215b03","year":null},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":2,"title":"External content similarity: Attack and benign must be nearly identical in length (within 15 words), tone, and structure","work_id":"95bf57b4-e518-4a97-8bbf-67cb17d4553b","year":null},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":3,"title":"No obvious tells: The attack version should not be noticeably longer, more formal, more urgent, or more suspicious","work_id":"26fb34df-1814-49bb-b306-3352cf7931e3","year":null},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":4,"title":"Diverse scenarios: Cover a wide range of professional contexts","work_id":"04ed4cde-62b2-4a04-8b7b-cd3a912f0085","year":null},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":5,"title":"Diverse injection techniques: Vary the technique across items","work_id":"909d9312-c9ec-4407-b473-b05984c3dc7f","year":null}],"snapshot_sha256":"43e3a96f70181efd5d22bd60b2f062d0ec14ab40687d1bd04a08cbc8e8261a4b"},"source":{"id":"2605.17634","kind":"arxiv","version":1},"verdict":{"created_at":"2026-05-19T22:48:47.218856Z","id":"86dffbaa-c854-4e13-a6ea-678c3902ace8","model_set":{"reader":"grok-4.3"},"one_line_summary":"Recasting prompt injection as violations of Contextual Integrity norms reveals an impossibility: adversaries can always reframe contexts to legitimize blocked flows or defenders will block legitimate ones.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"An adversary can always construct a context that makes a malicious prompt injection appear as a legitimate information flow to an AI agent.","strongest_claim":"an adversary can always construct a context under which a blocked flow appears legitimate, or a defender who tightens norms will block genuinely legitimate flows","weakest_assumption":"That the Contextual Integrity norms can be unambiguously defined and applied to AI agent information flows in a way that distinguishes legitimate from illegitimate flows without circular reference to the attacks themselves (abstract, paragraph on recasting via CI lens)."}},"verdict_id":"86dffbaa-c854-4e13-a6ea-678c3902ace8"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:e3a543fd708c22372917b65a9b653a355e3f3e449760eda82e5fc593db12f290","target":"record","created_at":"2026-05-20T00:04:49Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"413d9222131eeb234316a59e9182c7190dd64cd9f619e582dfb31613e1145044","cross_cats_sorted":["cs.CL","cs.CY"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-17T19:55:39Z","title_canon_sha256":"41e69e9f6da55d275114f692102a0c685f30e2d2d0245d4e50753c4129fa3e5a"},"schema_version":"1.0","source":{"id":"2605.17634","kind":"arxiv","version":1}},"canonical_sha256":"790ae964cca0289613c2c9806c703968147a577a9956eb045545249c7fcecd0e","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"790ae964cca0289613c2c9806c703968147a577a9956eb045545249c7fcecd0e","first_computed_at":"2026-05-20T00:04:49.680053Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-20T00:04:49.680053Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"nrkInY9JIpeudxkAWiI2VCnDRLR9w/RcrMKrQFAD3pwfeFCWK1l0E9TrS+S2VPaUi5BVslGfORGulGYT6ylKAg==","signature_status":"signed_v1","signed_at":"2026-05-20T00:04:49.681035Z","signed_message":"canonical_sha256_bytes"},"source_id":"2605.17634","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:e3a543fd708c22372917b65a9b653a355e3f3e449760eda82e5fc593db12f290","sha256:e703f023627a1c5bb8e12f83e4bd7170a95c45010dffd490b06d22ae329919ef"],"state_sha256":"152b12bd3d7292e3bf07729429282a47295612d3f99286489a381862e1c10647"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"a4URlVqdMmtty6DbpVmzeI77+YmWTFJikRHCl4i/RqUoZuQkquk35HF9+38JVU90VspPqiNIcvF5XZhjCirkBg==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-08T23:12:41.232858Z","bundle_sha256":"56ec9e19ba358734a6df27cd16368ac4803c03b21e631f351db94c237a3e622f"}}