Proof & Trust
The Proof group lets you record where a model’s inputs come from, attest the formulas a reviewer has checked, and later prove the workbook hasn’t silently drifted — backed by an append-only, tamper-evident ledger.
What the Proof system does
As you build or review a model, ModelxcelPro can record two kinds of evidence: a binding that pins a hardcoded input to an external source (with a SHA-256 snapshot of that source), and a signature in which a reviewer attests a formula or a block of formulas. Both are written to an append-only proof ledger. On save, the ledger is persisted inside the workbook itself — in a hidden CustomXMLPart, so it travels with the file through rename or email — and mirrored to a .mxproof sidecar for fallback and command-line tooling. Because the ledger is a hash chain, any later edit, re-order, or tampering is detectable.
The end-to-end workflow
- Bind sources. Use Bind Source for a single input or Bind Vector for a contiguous row/column. A SHA-256 snapshot of the source is pinned so later drift is detectable.
- Sign reviewed formulas. Use Sign Cell for one cell or Sign Block for a contiguous run sharing one formula. The signature records the formula, who signed, and what they are attesting.
- Check a result. Why This Number shows the proof chain for the selected cell and a per-node trust verdict — without changing anything.
- Verify. Verify Workbook re-reads every bound vector and signed block and records counter-entries for anything that drifted; Verify Ledger recomputes the hash chain to confirm no record was altered or re-ordered.
- Measure coverage. Coverage reports how much of the workbook is bound and signed.
- Certify. Certificate exports a shareable verification artifact (JSON for auditors/tooling, or a branded Excel workbook).
Separately, Replay Proof replays the material changed drivers of an output through Excel and issues a signed certificate explaining the delta.
Where proof data is stored
- The proof ledger — an append-only, hash-chained record stored authoritatively inside the workbook (a hidden
CustomXMLPartthat survives rename and email), and mirrored to a.mxproofsidecar next to the workbook for fallback and CLI tooling. - Certificate exports — JSON or a branded Excel workbook (which you can save as PDF).
.mxreplay— the certificate produced by Replay Proof.
Which cryptography is used where
The proof ledger is a SHA-256 hash chain, and bindings pin a SHA-256 snapshot of the source. The Certificate command exports a SHA-256 self-hashed artifact; Replay Proof produces an Ed25519-signed certificate. License files are signed separately (ES256). “Signed” in the Proof group therefore means a reviewer attestation recorded in the ledger, not an Authenticode signature.
What proof proves — and what it doesn’t
Be precise with reviewers and auditors about what the Proof system establishes.
It proves:
- that a named reviewer attested to a cell or block at the time they signed it;
- that a signed block’s cells all shared one master formula when signed;
- that an input was bound to a specific source with a pinned SHA-256 snapshot;
- that the ledger has not been silently altered or re-ordered (a tamper-evident hash chain);
- that a specific output movement can be reconciled by replaying its changed drivers (Replay Proof).
It does not prove that formulas, assumptions, or outputs are correct; that source data is accurate; that a reviewer had authority or competence (a signature records a name, not a verified identity); or that the model is complete or well-designed. Signing also does not lock cells or prevent future edits — it makes later changes detectable, not impossible.
Feature pages
- Why This Number — read the proof chain and trust verdict for a cell.
- Bind sources — Bind Source and Bind Vector.
- Sign formulas — Sign Cell and Sign Block.
- Verify & coverage — Verify Workbook, Coverage, and Verify Ledger.
- Certificate — export a SHA-256 self-hashed snapshot of the ledger state.
- Replay Proof — an Ed25519-signed, externally verifiable explanation of an output movement.
- Proof settings — source kinds and proof-budget defaults.