A CI verdict can be correct and still leave behind a broken audit trail. For example: the workflow_run.json captured as evidence has a head_sha that does not match the commit the build actually ran on. Tests passed, the merge button unlocked, the deployment shipped. The verdict was right; the bundle is fabricable. A reviewer who needs the lineage from the deployed binary back to the source SHA cannot get it. Most CI tooling does not check for this. The verdict is the contract; the audit trail is whatever happened to land alongside it. evidence-gate is a small Python library that names this surface. It reads files your pipeline already captured, then asks a different question: is the trail behind this verdict complete enough to trust? It does not run CI jobs, fetch from GitHub, validate claim semantics, or decide whether the build itself was right. Its only job is the meta-verdict. ## The strongest pattern is timestamp recomputation Evidence has a time boundary.…