# SPARTAN Review Pack v0.1 — Demo Packet

**Demo artifact only.** This packet was generated on 2026-05-18 from SPARTAN's
tracked synthetic sample capsule and a `pack_mode: demo` engagement input. It
contains no real secrets, no customer data, and no proprietary source. Do not
treat it as customer evidence.

## What this packet is

A SPARTAN Review Pack v0.1 — a recipient-attachable closeout bundle. The two
files that matter to a recipient are:

- `review-pack.zip` — the deterministic wrapper archive.
- `review-pack.zip.sha256` — its mandatory external SHA-256 sidecar.

The other files in this folder are the build outputs (`ENGAGEMENT.json`,
`PACK_MANIFEST.json`, `review-pack.md`, `review-pack.html`, `report.html`,
`findings.sarif`, `findings-summary.csv`, `evidence.tar.gz`, `verify-output.txt`,
`README_VERIFY_THIS_PACK.md`) plus this README and `VERIFY_TRANSCRIPT.txt`.

## How to verify it

Place `review-pack.zip` and `review-pack.zip.sha256` in the same directory and
run either of:

```
spartan review-pack verify review-pack.zip --sha256 review-pack.zip.sha256
```
```
spartan-verify review-pack.zip --sha256 review-pack.zip.sha256
```

Exit `0` is `VERIFY_PASS`, `1` is `VERIFY_FAIL`, `2` is a usage or IO error.
The structured JSON result (`spartan.review_pack_verify_output.v0.1`) is
printed to stdout.

Verification is **offline-capable** and **fail-closed**. It makes **no Higgs AI
server call at verify time**, needs no account, and needs no hosted dashboard.
All three verifiers used for this packet — the in-repo verifier, the standalone
`@higgs-ai/spartan-verify` CLI, and the Offline Verification Kit — returned
`VERIFY_PASS`; see `VERIFY_TRANSCRIPT.txt`.

## What VERIFY_PASS means

`VERIFY_PASS` means all of the following held for the local files checked: the
`.sha256` sidecar matched the `review-pack.zip` bytes; the ZIP passed safety
checks before extraction; `PACK_MANIFEST.json` schema and entry hashes matched;
`ENGAGEMENT.json` validated; the embedded Capsule v0.1 verified; and the
generated assets re-derived byte-identically.
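
The fail-closed ordering described above, as an added illustration that is not SPARTAN's verifier: it checks the sidecar against the ZIP bytes first, refuses unsafe ZIP members before anything is read, then checks manifest entry hashes, and returns on the first failure. The sidecar format (`hex  filename`) and the manifest shape (`{"entries": [{"path", "sha256"}]}`) are assumptions, since the page does not specify them; `build_demo` constructs a toy pack so the script runs offline.

```python
import hashlib, json, tempfile, zipfile
from pathlib import Path
def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def zip_is_safe(zf: zipfile.ZipFile, max_total: int = 64 << 20):
    """Pre-extraction checks: no path escape, no symlinks, bounded total size."""
    total = 0
    for info in zf.infolist():
        parts = info.filename.replace("\\", "/").split("/")
        if info.filename.startswith("/") or ".." in parts or ":" in parts[0]:
            return False, f"unsafe path: {info.filename}"
        if (info.external_attr >> 16) & 0o170000 == 0o120000:  # Unix symlink bits
            return False, f"symlink member: {info.filename}"
        total += info.file_size
        if total > max_total:
            return False, "uncompressed size exceeds limit"
    return True, "ok"

def verify_pack(zip_path, sidecar_path) -> dict:
    """Fail-closed: the first failed check decides, and nothing is extracted."""
    expected = Path(sidecar_path).read_text().split()[0].lower()  # assumed 'hex  name'
    if sha256_bytes(Path(zip_path).read_bytes()) != expected:
        return {"result": "VERIFY_FAIL", "reason": "sidecar mismatch"}
    with zipfile.ZipFile(zip_path) as zf:
        ok, why = zip_is_safe(zf)
        if not ok:
            return {"result": "VERIFY_FAIL", "reason": why}
        names = set(zf.namelist())
        if "PACK_MANIFEST.json" not in names:
            return {"result": "VERIFY_FAIL", "reason": "manifest missing"}
        manifest = json.loads(zf.read("PACK_MANIFEST.json"))
        for entry in manifest["entries"]:  # assumed shape: [{"path", "sha256"}]
            p = entry["path"]
            if p not in names or sha256_bytes(zf.read(p)) != entry["sha256"]:
                return {"result": "VERIFY_FAIL", "reason": f"entry check failed: {p}"}
    return {"result": "VERIFY_PASS", "reason": "all checks held"}

def build_demo(tamper: bool = False) -> dict:
    """Constructed toy pack: one entry plus manifest, then the external sidecar."""
    d = Path(tempfile.mkdtemp())
    payload = b'{"findings": []}\n'
    manifest = {"entries": [{"path": "findings.sarif", "sha256": sha256_bytes(payload)}]}
    zp = d / "review-pack.zip"
    with zipfile.ZipFile(zp, "w") as zf:
        zf.writestr("findings.sarif", payload + (b"x" if tamper else b""))
        zf.writestr("PACK_MANIFEST.json", json.dumps(manifest))
    sp = d / "review-pack.zip.sha256"
    sp.write_text(f"{sha256_bytes(zp.read_bytes())}  review-pack.zip\n")
    return verify_pack(zp, sp)
```

Note that `build_demo` computes the sidecar itself over whatever ZIP it just wrote, which is exactly why a matching pair establishes integrity of the local files and nothing about who produced them.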

## What VERIFY_PASS does NOT mean

- It is **not a signature.** The `.sha256` sidecar and the manifest hashes are
  integrity checks, not signatures. An attacker who can replace both
  `review-pack.zip` and `review-pack.zip.sha256` can create a matching pair.
- It is **not origin proof.** It does not prove who created the pack, or that
  it came from any specific operator or organization.
- It is **not a certification**, not compliance approval, and not deploy
  approval.
- It does **not** prove the target code is safe and does **not** prove all
  vulnerabilities were found.
- It is not replay-bearing and is not evidence of hermetic execution.

## Status

This is a **demo artifact** built from synthetic sample inputs for internal and
design-partner review. Review Pack v0.1 is intentionally unsigned. Signing and
origin proof are a separate, future, explicit decision and are not part of this
packet.
