Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993), Prong 1 says expert methodology should be “testable, and ideally tested by someone other than the proponent.” For software-driven forensic schedule analysis, that is a real exposure. If the expert wrote the engine, and wrote the reference implementation, and wrote the test fixtures, the expert has tested their own work. Nobody else has.

It is not a fatal exposure. Software-based forensic methods clear Daubert every day. But when opposing counsel is competent, “who else has tested this?” is the first question. The answer cannot be “nobody yet.”

Critical Path Partners has shipped infrastructure that closes this gap in three layers. None of it is theoretical. All three are live, public, and verifiable today by anyone with a laptop. This post walks through what each layer does, what it proves, and what it still does not prove.

The principle

A forensic methodology is only as defensible as the audit a stranger can run against it without your help. Everything below is designed to be run by someone who has never spoken with us.

Layer 1 — Public Continuous Integration

The verification suite runs on every commit, on hardware we do not control

What it is
GitHub Actions runs the full verification suite on every push to the cpp-cpm-engine repository. The matrix covers nine OS × Node combinations: Ubuntu, macOS, and Windows runners; Node 18, 20, and 22. The suite includes 43 unit tests, 83 cross-validation cases, plus DCMA-14 and AACE 29R-03 compliance checks. The whole world can watch the runs at github.com/danafitkowski/cpp-cpm-engine/actions/workflows/verify.yml.
Why it answers Prong 1
The runners are owned and operated by GitHub. We do not select them, we do not provision them, we do not have shell access to them. When the suite passes on GitHub’s Ubuntu runner, that is an independent machine reaching the same numbers our local laptop reaches. The cross-environment agreement is the test.
Why it answers tampering concerns
The workflow file lives in the same repository. Every change to it is in the git log. A reviewer can read the workflow, read the test file, read the engine, and confirm that the suite is not weakening itself between commits. If a future commit relaxes a tolerance or removes a test, the diff is visible. There is no private branch where verification runs differently.
How an opposing expert verifies
Open the Actions tab. Click any run. Read the log. Compare the witness JSON to the one cited in the expert disclosure. If the run URL matches and the witness hashes match, the build that produced the disclosure is the same build the public can see.

Layer 2 — Sigstore Attestation on the Public Transparency Log

The witness file is cryptographically signed by the workflow itself, on a public log nobody can edit

What it is
When the verification workflow succeeds, it emits a witness JSON containing the engine SHA-256, the test counts, the timestamps, and the cross-validation outputs. The workflow then signs that witness using GitHub OIDC and Sigstore’s cosign tooling. The signature and certificate are recorded on Rekor, Sigstore’s public transparency log at rekor.sigstore.dev.
Why it answers Prong 1
The signer is the workflow, not a human. The signature certificate carries the workflow path, the repository name, the commit SHA, and the trigger event. Any third party can re-derive the signing identity from the certificate and confirm it matches the public workflow definition. The expert cannot sign in their own name to vouch for results; the build system signs, with its identity preserved.
Why Rekor matters
Rekor is append-only. Once a signature is recorded, it cannot be edited or removed without breaking the log’s Merkle-tree integrity, and that integrity is itself publicly verifiable. An expert who later wants to revise history cannot delete an attestation that does not match the revision. The log holds the record.
How an opposing expert verifies
Install cosign. Run cosign verify-blob --certificate-identity-regexp ... --certificate-oidc-issuer https://token.actions.githubusercontent.com witness.json. The command returns the workflow path, the commit SHA, the run ID, and a success status. If the witness has been tampered with after signing, verification fails. If the certificate identity does not match the published workflow, verification fails.

Layer 3 — One-Command Local Reproduction

Any third party can clone the repo and produce a bit-identical witness on their own hardware

What it is
Two commands: git clone https://github.com/danafitkowski/cpp-cpm-engine followed by npm run verify. The script runs the same suite the CI runs. It emits a local witness JSON. The third party can then diff their local witness against the CI witness file. Matching SHA-256s and matching test counts equal mechanical reproduction.
Why dependency posture matters
The engine has zero runtime npm dependencies. A dependency that is renamed, removed, or compromised cannot break reproduction six months from now. The verifier needs Node 18+ and Python 3.10+, both freely available, both long-lived. Reproduction is roughly 90 seconds end-to-end on a 2023-era laptop.
Why it answers Prong 1 differently than CI
CI tests the build on GitHub’s hardware. Local reproduction tests it on the third party’s own hardware. The two are different threat models. CI defeats “the expert is lying about their local results.” Local reproduction defeats “the expert is lying about the CI configuration.” Both checks together leave no room to fake the result.
How an opposing expert verifies
Clone, install Node 18+, run npm run verify, open the resulting witness JSON, and compare the engine SHA-256 plus per-test outputs against the CI witness. If they match, the build is reproducible on independent hardware. If they do not match, the discrepancy is the story.

Cross-Examination Walk-Through

Picture the exhibit on the screen: the engine version, the topology hash, the CI run URL. Opposing counsel rises.

Opposing counsel
“Mr. Expert, the engine that produced this analysis — you wrote it, correct?”
Expert
“The engine is open source under the MIT license. The development was led by Critical Path Partners. Yes.”
Opposing counsel
“And the tests that verify the engine — you wrote those too?”
Expert
“The unit tests were authored by CPP. The verification posture is separate. The verification posture is that anyone in the world can audit the engine, audit the tests, run the suite on their own machine, and confirm the numbers. The disclosure cites a GitHub Actions run that executed on hardware CPP does not own and cannot modify, with a Sigstore signature on a public transparency log that CPP cannot edit, and a one-command reproduction path your own technical witness can run in ninety seconds. The verification is not that CPP says the engine is correct. The verification is that the engine is open to inspection by anyone who wants to look.”
Opposing counsel
“Has anyone other than you actually run this verification?”
Expert
“The CI system runs it on every commit on three operating systems and three Node versions. The run linked in the disclosure is one of those public runs. The signing identity on Rekor is the GitHub workflow itself, not me. As to additional human verification — the engine is published precisely so opposing experts and independent peer reviewers can do exactly that, and the path is documented in DAUBERT.md §3.1 of the repository.”

The point of the layered posture is that the expert does not have to ask the court to take their word. The expert points to the public log and steps back.

What This Does Not Close

Mechanical reproduction is not peer review. Daubert Prong 2 wants “subjected to peer review and publication.” That is a different bar, and the three layers above do not meet it on their own.

What the layers establish:

What still requires work:

None of those are vapor. They are scheduled. The three layers shipped today are the floor, not the ceiling.

Honest scoping

Layer 1 plus Layer 2 plus Layer 3 satisfy Prong 1 (“testable, and ideally tested”). They do not satisfy Prong 2 (“peer-reviewed and published”) on their own. The expert who cites this posture should distinguish the two prongs explicitly in disclosure and on the stand.

Where to Read the Detail

The canonical write-up lives in the engine repository at DAUBERT.md §3.1. It records the round-7 hardening that produced the public CI, the Sigstore attestation, and the local-reproduction path. The engine itself is MIT-licensed and lives at github.com/danafitkowski/cpp-cpm-engine.

The bar should rise. Forensic-schedule software vendors who cannot say “here is the build the expert disclosed, here is the public log that signed it, here is the command your witness can run in ninety seconds” should be asked why not. The standard is reachable. We have shipped it. Others can adopt it.

Building this verification posture into your own claim?

If you are a forensic scheduler or a law firm interested in this verification posture — whether you want to use the open-source engine directly or have CPP run the analysis with the disclosure-ready audit trail attached — reach us at hello@criticalpathpartners.ca.

Talk to CPP →
Related: The Forensic Record Should Render the Same in 10 Years · Forensic Delay Analysis Explained · Why Static DCMA Reports Are Costing You Money