Skip to content

Replay Proof

Explain a specific output movement by replaying the changed drivers that produced it, and export a cryptographically signed, independently verifiable certificate of that explanation.

What it does

For a selected numeric output, Replay Proof traces the changed drivers that feed it, applies them to a temporary replay workbook, recalculates, and measures each driver’s contribution to the observed delta — then writes a certificate explaining the movement.

Steps

  1. Select the single numeric output cell whose movement you want to explain.
  2. ModelXcel Pro → Proof → Replay Proof.
  3. Review the explanation and ranked drivers, then export the certificate.

Proof status

The certificate reports how completely the movement was reconciled:

  • Exact — every reachable changed driver was replayed and the residual is within tolerance.
  • Exact with residual — all reachable drivers were replayed but a small residual remains (or the coverage-target rule was satisfied).
  • Approximate (fallback) — the proof budget did not cover all reachable drivers.
  • Timed out — replay hit the configured time limit.
  • No movement — the output did not move beyond numeric tolerance.

Driver budget and coverage thresholds come from Proof settings.

The signed certificate

Replay Proof writes a bare .mxreplay certificate (JSON) and an .mxreplay.signed envelope. The envelope is Ed25519-signed (BouncyCastle) over the canonical certificate JSON plus envelope metadata (version, key id, signing time, signer), and embeds the public key and signature. The signing keypair is created on first use in %AppData%\ModelxcelPro\keys\ and sealed with Windows DPAPI (current user).

Independently verifiable — offline, without the workbook

The .mxreplay.signed envelope can be verified by a third party using the standalone Node verify-replay tool (no npm dependencies — Node’s built-in crypto only) or the bundled C# verifier, without access to the original workbooks. The bare .mxreplay file is not Ed25519-signed (it carries only a SHA-256 self-hash) — the .mxreplay.signed envelope is the externally verifiable artifact.

What the verifier does — and doesn’t — establish

The verifier confirms the signed envelope’s bytes are intact and that the signature matches the public key embedded in the envelope. It does not establish that the embedded public key belongs to a trusted organization or person, does not prove the certificate’s claims correspond to a workbook on disk, and does not check revocation — those are organization-trust and revocation concerns outside the verifier’s scope.

Limitations

Every Replay Proof certificate carries this notice verbatim:

Replay Proof limitations notice

“Replay Proof reconciles the reported output movement by replaying identified changed drivers under the configured proof settings. It does not guarantee that the workbook, model design, formulas, assumptions, source data, or business conclusions are complete, appropriate, or accurate.”

In short: it proves that a specific output delta can be reconciled from its replayed drivers — not that the model is correct. Large models, volatile functions, and external links are flagged as warnings, and the proof status (Exact vs Approximate) tells you how complete the reconciliation was. See What proof proves — and what it doesn’t.