feat(partner-built): add certnode-provenance — compliance layer for finance agents (FRE 902(13)/(14), EU AI Act Article 50)

[srbryant86]

What this adds

A new partner-built plugin at plugins/partner-built/certnode-provenance/ that wraps any of the 10 named finance
agents with cryptographic provenance signing. Every output — pitch deck, IC memo, earnings note, KYC screening
decision, valuation report — carries a public verify URL + three-layer timestamp chain designed for FRE
902(13)/(14) self-authenticating digital evidence and EU AI Act Article 50 disclosure.

Why it matters

The 10 named agents produce regulator-, LP-, and client-facing output:

Agent	Output	Regulatory exposure
Pitch builder	Branded decks to clients	SEC/FINRA on advertised claims
Earnings reviewer	Published analyst notes	FINRA Rule 2241 recordkeeping
Statement auditor	LP statement reviews	Auditor + LP discovery
KYC screener	Document parsing + flagging	BSA/AML FinCEN audit
IC memo (PE)	Investment committee memos	Discoverable in fund litigation
Model builder	DCF / LBO / 3-statement	"Did the AI build this, when, with what inputs?"
Valuation reviewer	GP package valuations	LP advisory committee audit

Internal logging doesn't satisfy these. Receipts do.

What's in the plugin

plugins/partner-built/certnode-provenance/
├── .claude-plugin/plugin.json # manifest
├── .mcp.json # MCP server config
├── README.md # install + framing + privacy patterns
├── skills/
│ └── sign-output/
│ └── SKILL.md # the wrapper skill spec
└── commands/
└── sign-with-provenance.md # /sign-with-provenance slash command

Auto-configures @certnode/mcp-server (already published, v1.2.2+) so the integration works out of the box once
CERTNODE_API_KEY is set.

How a customer uses it

After install:

// Wrap any finance-agent deliver step
import { CertNode } from '@certnode/sdk'

const cert = new CertNode({ apiKey: process.env.CERTNODE_API_KEY! })
const signed = await cert.signAIOutput({
  output: pitchDeckContent,
  model: 'claude-opus-4-7',
  provider: 'anthropic',
})

// signed.receiptId — store with the deliverable in CRM / DMS
// signed.verifyUrl — give to client / LP / regulator

Free tier: 100 signings/month, no card required. Metered pricing above ($0.01 → $0.002 on volume tiers).

Three-layer timestamp chain

Receipt carries three independent timestamps so the proof survives if any single party (CertNode, the RFC 3161 TSA,
 OpenTimestamps) goes away:

1. ES256 JWS signature over content hash + metadata
2. RFC 3161 timestamp from an independent Time Stamp Authority
3. Bitcoin OpenTimestamps anchor committing to a Bitcoin block (confirms within 1–2 hours)

All standards-based and verifiable by an opposing expert without trusting CertNode.

Compliance framing

The plugin documentation uses "designed for FRE 902(13)/(14)" framing throughout — no unqualified
"court-admissible" claims. No court has ruled on a CertNode receipt specifically; the underlying primitives (RFC
3161, ES256, JWS, OpenTimestamps) are well-precedented. The defensive argument is independent verifiability of open
 standards.

For HIPAA / privileged / sensitive workflows: privacy-preserving pattern is documented — hash content client-side
before signing so CertNode never sees raw PHI / PII / privileged content. Receipt becomes a binding ledger entry;
raw content stays in the customer's infrastructure under their controls.

Relationship to existing partner plugins

Sibling to lseg (market data) and spglobal (research data) under partner-built/:

- LSEG / S&P Global: data into finance agents
- CertNode: provenance on the output of finance agents

Non-overlapping. The full "in → process → out" loop is now covered by partners.

License

Apache 2.0 (matches the repo).

Affiliation note

CertNode is not affiliated with or endorsed by Anthropic. This is a community-proposed partner integration. The
README + plugin metadata are explicit on this.

Validation

scripts/check.py passes locally (81 files validated, 0 issues). Plugin manifest validates per the partner-built
schema. Tested locally; signing call hits production certnode.io/api/v1/provenance/sign and returns valid receipts.
 Public verify endpoint confirms three-layer chain. SDK @certnode/sdk@2.1.0 and verify-only @certnode/verify@2.0.0
both published on npm registry.

About CertNode

CertNode is a cryptographic-provenance API for AI outputs + chargeback evidence + refund-abuse detection.
https://certnode.io. Three-layer timestamp chain (ES256 + RFC 3161 + Bitcoin OpenTimestamps). Built for FRE
902(13)/(14) self-authenticating digital evidence + EU AI Act Article 50 disclosure.

For procurement / enterprise terms / SOC 2 evidence (in-flight): contact@certnode.io.

---
Happy to revise framing, scope, or naming if any of this is off-key for the partner-built directory's curation
standards. Open to feedback.