Hello, verified world

If you're reading this, you just received an HTML page that traveled through a verified TLS 1.3 stack from Amazon DynamoDB to a 130 KB static ARM64 binary, and back to your browser. The same binary runs on AWS Lambda and AWS App Runner with identical bytes — verified caps don't care which host wakes them up.

The bytes you're reading right now were stored in DynamoDB as the html attribute of the row with partition key slug = "hello-world". To deliver them to you the binary:

1. Opened a TCP socket to dynamodb.us-east-1.amazonaws.com:443
2. Performed a TLS 1.3 handshake using verified caps: X25519 key exchange, HKDF key derivation, AES-128-GCM record encryption.
3. Built a SigV4-signed GetItem request via the aws_dynamodb_getitem_request verified cap.
4. Sealed the request as a TLS application_data record using tls13_record_seal.
5. Read the encrypted reply from the socket, decrypted it with tls13_record_open, used the http_response_complete framer to know when the response was fully received, parsed the JSON via json_extract_dynamodb_string_attr, returned the html bytes — which is what you're reading.

No BearSSL, no OpenSSL, no boto3 anywhere in the binary. Every byte over the wire produced by a cap that ships with a published-vector test oracle and went through six install gates. The patent claim made of bytes.