Domain profile · Government

KNOBE Government Profile v1 Non-normative

Based on KNOBE Protocol v1.0 2026-07-01 Guidance, not protocol

This page is non-normative guidance for using KNOBE in public-sector records work. Nothing here changes the protocol. If this document conflicts with the normative specification, the specification governs.

Who this is for.
  • Records managers
  • Archivists
  • FOIA officers
  • Preservation staff
  • 508 compliance officers
  • Agency counsel
  • Data stewards
For records, releases, and adaptations that carry their own provenance, handling terms, and interpretive limits as they move between systems and across administrations. Companion profiles cover education and enterprise use. KNOBE is an independent open protocol; it is not an official standard, product, or endorsed service of any government agency or of UC Davis.
Scope caveat: unclassified systems only. KNOBE is plain-text tooling for unclassified information. Do not use it to mark, carry, or move classified national-security information; that is governed by separate systems and authorities. The privacy_level field declares handling intent; it is not a classification authority and does not substitute for CUI marking, agency policy, or statute.

The record loop this profile documents: a record is sealed at creation; a redaction is sealed as a transform of it; the public release verifies against that lineage.

  1. Recordsealed at creation
  2. Redactionsealed as a transform of it
  3. Releaseverifies against its lineage

Each link is a payload hash: the release names exactly which record and which redaction it came from.

Try it now
Seal a record

Assemble the fields, seal, and download one plain-text file that verifies anywhere. Runs in the browser; nothing is uploaded.

Open Studio Create →

§1Why KNOBE in government

Public-sector records outlive the systems that hold them. A record created in one case-management platform is migrated to another, exported for litigation, released under FOIA, adapted for accessibility, summarized for a briefing, and increasingly ingested by AI tools that compress and recombine it. At each step, the conditions that made the record interpretable travel less reliably than the content: who issued it and under what authority, what it can and cannot be trusted to represent, what was withheld and on what legal basis, and whether it is the version of record or a downstream derivative.

KNOBE addresses this at the artifact layer, without requiring an agency to adopt a new system of record. A .knobe.md file is readable in any text editor, verifiable with a small Python script, and self-describing: it carries attribution, source relations, transformation history, fidelity limits, handling terms, and a hash-sealed integrity check. It is a system of context that rides alongside whatever systems an agency already runs.

Three government problems map directly onto the protocol's fields. Chain of custody and provenance: attribution, parents, and transformation_history record where a record came from and what has been done to it. Release integrity: a redacted FOIA production can reference the unaltered source by hash, a precise, tamper-evident identification of the exact record it declares as its source, checkable whenever that record is produced. Accessibility as legal obligation: Section 508 and WCAG adaptations (alt text, plain-language versions, captions, translations) can be recorded with the adapter's labor visible and the source preserved, rather than circulating as detached copies. KNOBE records who produced an adaptation and how it relates to its source; it does not itself certify that an adaptation meets Section 508 or WCAG, which remains the agency's determination.

§2Recommended field defaults for government use

Recommended field defaults for government use
FieldRecommended defaultNotes
quarantine_status"quarantine"Default for incoming and working material. A records officer or governed system marks trusted after review.
privacy_level"internal"For most working records. See §3 for the full handling map.
identity_status"declared"Correct for v1. Attribution is self-reported; signatures arrive in a later revision.
licenseSee belowU.S. federal works are generally public domain; state, local, and contractor works vary.
content_typeSee belowMatch to the artifact's role in the records lifecycle.
License note. Works of the U.S. federal government are generally not subject to copyright and can be marked "Public domain (U.S. Government work)". State, local, tribal, territorial, and contractor-produced works are governed by their own rules; do not assume public domain. When in doubt, consult the agency's records or legal office.

Recommended content_type values for government artifacts

Recommended content_type values for government artifacts
Artifactcontent_type
Published notice, report, memo, or record of authorityoriginal
Redacted release of an underlying recordadaptation
Summary or briefing derived from recordscompression
Analytic product synthesizing multiple recordssynthesis
FOIA production or release package (multiple items)collection
Annotated exhibit or marked-up primary sourceannotation
Official translation of a public noticetranslation
Accessibility adaptation (alt text, plain-language, captions)adaptation

§3Sensitivity and handling guidance

The protocol's open vocabulary for privacy_level is: public, internal, sensitive, restricted. In government contexts these declare handling intent and travel with the artifact; they do not replace an agency's marking systems or governing authorities.

Sensitivity and handling guidance
ValueHandling meaningExamples
publicReleasable to the public, or already published.Published notice, cleared FOIA release, open dataset, public report.
internalAgency-internal working material; not yet cleared for release.Draft memo, working file, pre-decisional analysis.
sensitiveControlled Unclassified Information (CUI), PII, or law-enforcement sensitive. Handle per governing policy.Record with personal data, investigative material, security-relevant operational detail.
restrictedStatutorily protected, under legal hold, or otherwise not releasable in its current form.Record under litigation hold, sealed material, statutorily exempt content.
CUI note. Controlled Unclassified Information has its own marking framework (32 CFR Part 2002). Setting privacy_level: "sensitive" declares handling intent inside the artifact; it does not apply or replace a CUI marking. Where CUI applies, mark per the framework and reference the governing category in use_conditions.
Classified information. Do not place classified national-security information in a KNOBE. The format is designed for unclassified systems and plain-text portability. Classified material is governed by separate marking, handling, and transmission systems that KNOBE neither implements nor satisfies.

§4Custody and attribution roles

The protocol requires an attribution.sources array with at least one entry. Each source should include author and contribution. Adding a role to each entry makes custody records interoperable across tools. The following roles are recommended for government workflows.

Custody and attribution roles
Role valueMeaning
record_originatorThe office or official that created and originated the record.
records_officerThe records manager who reviewed, certified, or scheduled the record. Typically the party that sets quarantine_status: trusted.
releasing_officialThe official who authorized public release of a record or production.
redacting_officialThe person who applied redactions and identified the governing exemption or authority.
authorizing_authorityThe statute, order, or delegation under which an action was taken. Name it explicitly.
accessibility_adapterA person who produced a Section 508 / WCAG adaptation (alt text, plain-language, captions, translation).
accessibility_reviewerA person who reviewed or approved an adaptation for accuracy and conformance.
ai_assistantAn AI model that contributed to a briefing, summary, or draft. Always "rights_bearing": false. Contribution should state specifically what the model did.
source_recordAn upstream record a derivative draws on. Use parents to link by hash when the source is itself a KNOBE.

§5Fidelity limit templates

The fidelity_limits field tells a recipient what an artifact is fit for and what must not be inferred from it. In records work it makes the difference visible between a redacted release and a complete record, between a briefing and its underlying evidence, and between an AI-assisted summary and verified content.

Template: redacted public release
{
  "fidelity_limits": {
    "represents": "the redacted public version of [record] as released under [authority]",
    "trust_as": "an accurate reproduction of the source record with [category] withheld",
    "do_not_infer": [
      "that redacted passages are absent from the source, they are withheld, not deleted",
      "that this release reflects events after the source record's date",
      "that withheld content implies any particular fact about its subject"
    ]
  }
}
Template: record of authority (published notice, report)
{
  "fidelity_limits": {
    "represents": "the authoritative published version of [notice/report] as issued",
    "trust_as": "the official statement of record as of the created_date",
    "do_not_infer": [
      "that real-time conditions or later corrections are reflected here",
      "that this remains current after a later record supersedes it"
    ]
  }
}
Template: AI-assisted briefing or summary
{
  "fidelity_limits": {
    "represents": "a summary of [records] assisted by AI as described in attribution",
    "trust_as": "a starting point for review, not a substitute for the underlying records",
    "do_not_infer": [
      "that AI-generated statements have been independently verified",
      "that every source record was consulted in full",
      "that the summary captures all legally material detail"
    ]
  }
}

§6Use condition and release templates

The use_conditions field carries the originator's declared terms for how the next person may use the artifact, terms that otherwise get separated from the record as it moves.

Template: public-domain release (U.S. federal work)
{
  "use_conditions": {
    "license": "Public domain (U.S. Government work)",
    "permitted": [
      "republish, quote, and redistribute freely",
      "incorporate into downstream products and tools"
    ],
    "requested_preservations": [
      "preserve the issuing authority and record identifier when republishing",
      "preserve fidelity limits so recipients read the record correctly"
    ]
  }
}
Template: restricted / controlled handling
{
  "use_conditions": {
    "license": "Not for public release",
    "permitted": [
      "internal review and records retention"
    ],
    "requested_preservations": [
      "do not release externally without records-office review and required redaction",
      "preserve the governing authority reference"
    ],
    "consent_note": "Controlled handling. Contains material subject to [CUI category / statute / legal hold]."
  }
}

§7UI label translations

Protocol field names are precise but not always the right language for a records-facing interface. The following translations are recommended for government tools. The protocol field names remain unchanged in the payload; these labels apply only at the display layer.

UI label translations
Protocol fieldRecords-facing labelNotes
quarantine_status: quarantinePending records reviewNeutral workflow language for material not yet certified.
quarantine_status: trustedCertified recordSet by a records officer or governed system after review.
fidelity_limitsWhat this record is and is notOr: "Read-before-relying notes."
use_conditionsHandling and release termsOr: "Release and reuse terms."
transformation_historyCustody and change logOr: "Chain of custody."
parentsSource recordsOr: "Derived from."
privacy_level: sensitiveControlled: handle per policyCUI / PII / law-enforcement sensitive.
privacy_level: restrictedRestricted: not for releaseUnder hold, sealed, or statutorily exempt.
payload_hash: verifiedRecord integrity intactFollow with "Integrity is not the same as accuracy or authority."
payload_hash: failedRecord may have changed, inspectAvoid "tampered"; changes may be legitimate. Prompt review.

§8Worked example: a record and its release

Note. Each example is a separate .knobe.md file. The hashes shown are payload hashes; they prove the structured record is intact, not proof of identity, authority, or approval. Integrity is not truth.

The two examples below form a verifiable release lineage. An internal inspection memo is the record of origin; a FOIA release is a redacted public version that references the source memo by hash. Download both and verify with lens.py. The release declares its source by payload hash. A recipient cannot see the restricted memo, but the reference is precise and tamper-evident: if the source record is ever produced (in litigation, audit, or a later release), anyone can confirm it is the exact record the release named at sealing. The derivation itself is declared by the issuing office, not proven by the hash.

Example 1: Internal record of origin
An internal facility-inspection memo. Carries privacy_level: restricted, quarantine_status: trusted (certified by the originating office), and the hash that the redacted release references as a parent. Contains a personnel section that is withheld downstream.
payload_hash: 472b7c28584bbc178c30fe7c942a6891e8babb5d3f8d32872e1940f3341037bc
Download
Example 2: Redacted FOIA release
A redacted public release of the memo, prepared in response to a FOIA request. Personnel details are withheld under Exemption 6. Carries a redaction record naming the authority and scope, a parents entry referencing the source by hash, and fidelity limits stating that withheld passages are withheld, not deleted.
payload_hash: 1c503fa97dbdaacca370aba6b967d993a061bf3a0f92e01aa007a41947402d64
Download

What the lineage demonstrates

Opening the release's parents array reveals one entry with a payload hash. Verify that hash against the source record above and it matches: the release names that exact record as its source, and no other. The hash proves the identity of the referenced record precisely; the derivation and the faithfulness of reproduced text remain declarations by the issuing office: sealed, attributable, and tamper-evident, but not independently proven. The redaction field records the governing exemption and the scope of what was withheld, so the basis for withholding travels with the release rather than living only in a separate log. The chain (originating office certifies the record, FOIA office redacts and releases) is sealed and checkable without any case-management system, portal, or database. The artifacts carry their own custody.