Cryptographic receipts for CMMC compliance evidence
1•kevinkibeom•1h ago
The problem I kept seeing: defense contractors would spend months preparing for a CMMC assessment — policies, screenshots, control mappings, the whole thing — and then the C3PAO would ask who last modified a document and when. No audit trail. Assessment over.
About 15–30% of first-time CMMC assessments fail. I'd guess a big chunk of those aren't failing because the security controls aren't in place. They're failing because there's no way to prove the evidence is authentic.
So I built Solymus. Every artifact you upload gets SHA-256 hashed, signed with KMS (ECDSA_SHA_256 — signing the digest, not the payload, because of the 4KB limit), and sealed into a daily Merkle chain. Each artifact gets a public /verify/{id} endpoint — no auth required — so the assessor can check it themselves.
One thing worth knowing: right after upload, merkle_status shows "pending". It upgrades to "linked" after midnight UTC when the attestation job runs. The KMS signature is valid immediately — Merkle is the additional daily seal. Took me a while to realize I needed to document that clearly or people assumed it was broken.
Free tier at prolixotech.com. Happy to go into the crypto implementation if anyone's curious.
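A worked, offline version of the pipeline the post describes (SHA-256 digest, ECDSA P-256 signature over the digest only, a nightly Merkle seal with per-artifact inclusion proofs, and a verify check that reports the signature as valid while merkle_status is still "pending"), added here as an illustration; it is not Solymus code. Assumptions not stated in the post: a locally generated P-256 key stands in for the KMS key (KMS ECDSA_SHA_256 returns the same DER-encoded signature that ecdsa.SignASN1 produces), leaf and node hashing use RFC 6962-style 0x00/0x01 prefixes, odd-width levels duplicate the last node, and the chain head is H(prevHead || dayRoot).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Artifact is one uploaded evidence file after intake: its SHA-256 digest, a
// DER-encoded ECDSA signature over that digest, and its daily-seal state.
type Artifact struct {
	ID           string
	Digest       [32]byte
	Sig          []byte
	MerkleStatus string     // "pending" until the nightly seal runs, then "linked"
	Proof        [][32]byte // sibling hashes, leaf to root (assumed layout)
	SibRight     []bool     // true when the sibling sits to the right
	Root         [32]byte   // the day's Merkle root this artifact is linked to
}

// NewSigningKey stands in for the KMS key (assumption: a local P-256 key).
func NewSigningKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Domain-separated hashing (RFC 6962 style, assumed here) keeps a leaf digest
// from being replayed as an interior node.
func leafHash(d [32]byte) [32]byte { return sha256.Sum256(append([]byte{0x00}, d[:]...)) }
func nodeHash(l, r [32]byte) [32]byte {
	return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...))
}

// Intake hashes the payload and signs only the 32-byte digest (what KMS Sign
// with MessageType=DIGEST does), so payload size never reaches the signer.
func Intake(id string, payload []byte, key *ecdsa.PrivateKey) (*Artifact, error) {
	d := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, d[:])
	if err != nil {
		return nil, err
	}
	return &Artifact{ID: id, Digest: d, Sig: sig, MerkleStatus: "pending"}, nil
}

// SealDay is the nightly attestation job: build a Merkle tree over the day's
// artifacts, store an inclusion proof on each, flip them to "linked", and
// return the new chain head H(prevHead || root) so each day commits to the last.
func SealDay(arts []*Artifact, prevHead [32]byte) [32]byte {
	if len(arts) == 0 {
		return prevHead
	}
	level := make([][32]byte, len(arts))
	idx := make([]int, len(arts)) // each artifact's position at the current level
	for i, a := range arts {
		level[i], idx[i] = leafHash(a.Digest), i
		a.Proof, a.SibRight = nil, nil
	}
	for len(level) > 1 {
		if len(level)%2 == 1 { // odd width: duplicate the last node
			level = append(level, level[len(level)-1])
		}
		for i, a := range arts {
			sib := idx[i] ^ 1
			a.Proof = append(a.Proof, level[sib])
			a.SibRight = append(a.SibRight, sib > idx[i])
			idx[i] /= 2
		}
		next := make([][32]byte, len(level)/2)
		for i := range next {
			next[i] = nodeHash(level[2*i], level[2*i+1])
		}
		level = next
	}
	for _, a := range arts {
		a.Root, a.MerkleStatus = level[0], "linked"
	}
	return sha256.Sum256(append(prevHead[:], level[0][:]...))
}

// Verify is the check a public /verify endpoint would run: the signature over
// the digest stands on its own immediately; the Merkle proof counts only once
// the artifact is "linked".
func Verify(a *Artifact, pub *ecdsa.PublicKey, payload []byte) (sigOK, merkleOK bool) {
	d := sha256.Sum256(payload)
	sigOK = d == a.Digest && ecdsa.VerifyASN1(pub, d[:], a.Sig)
	if a.MerkleStatus != "linked" {
		return sigOK, false
	}
	h := leafHash(d)
	for i, sib := range a.Proof {
		if a.SibRight[i] {
			h = nodeHash(h, sib)
		} else {
			h = nodeHash(sib, h)
		}
	}
	return sigOK, h == a.Root
}

func main() {
	key := NewSigningKey()
	var arts []*Artifact
	for i, name := range []string{"access-policy.pdf", "mfa-screenshot.png", "ac-2-mapping.xlsx"} {
		a, _ := Intake(fmt.Sprintf("art-%d", i), []byte("constructed contents of "+name), key)
		arts = append(arts, a)
	}
	payload := []byte("constructed contents of mfa-screenshot.png")
	s, m := Verify(arts[1], &key.PublicKey, payload)
	fmt.Println("before seal:", arts[1].MerkleStatus, s, m)
	head := SealDay(arts, [32]byte{})
	s, m = Verify(arts[1], &key.PublicKey, payload)
	fmt.Printf("after seal: %s %v %v head=%x\n", arts[1].MerkleStatus, s, m, head[:8])
	_, m = Verify(arts[1], &key.PublicKey, []byte("tampered"))
	fmt.Println("tampered payload, merkle ok:", m)
}
```

Before SealDay runs, Verify returns (true, false): the signature checks out and the Merkle check is simply not yet applicable, which is the "pending" state the post warns people misread as broken. One design point for any deployment of this shape: an assessor who fetches the public key, the signature, the proof and the root all from the same server is trusting that server for everything, so the daily chain head is worth publishing somewhere the operator cannot quietly rewrite.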