Initial metadata
Browser, crawler, and search discovery.
<meta> · <link>
A practical system for making generated HTML artifacts discoverable, shareable, attributable, reviewable, and—when needed—cryptographically verifiable.
Tag accumulation is not a trust strategy. Each layer serves a different audience and survives a different sharing context.
Browser, crawler, and search discovery.
<meta> · <link>
Rich cards in messaging and social platforms.
Open Graph
Machine-readable identity and relationships.
Schema.org JSON-LD
Human-readable source, date, review, and status evidence.
UI + source ledger
Signed assertions and tamper detection.
C2PA + PROV-O
This profile covers discovery, social previews, publication lifecycle, rights, visual integration, and an optional C2PA association.
<meta charset="utf-8">
<meta
name="viewport"
content="width=device-width, initial-scale=1, viewport-fit=cover"
>
<title>Modern HTML Provenance for Shared SPAs · Example Research</title>
<meta name="description"
content="A practical architecture for metadata, source attribution,
AI disclosure, versioning, and verifiable provenance.">
<!-- Responsibility and production -->
<meta name="author" content="Example Organization">
<meta name="generator" content="Artifact Generator 3.2.0">
<!-- Stable identity and rights -->
<link rel="canonical"
href="https://example.com/research/html-provenance">
<link rel="license"
href="https://example.com/licenses/content-license">
<!-- Open Graph -->
<meta property="og:title"
content="Modern HTML Provenance for Shared SPAs">
<meta property="og:type" content="article">
<meta property="og:url"
content="https://example.com/research/html-provenance">
<meta property="og:image"
content="https://example.com/assets/share.png">
<meta property="og:image:width" content="1200">
<meta property="og:image:height" content="630">
<meta property="og:image:alt"
content="Layered provenance architecture for shared SPAs.">
<!-- Optional signed provenance -->
<link rel="c2pa-manifest"
href="/provenance/artifact.c2pa"
type="application/c2pa">
The author should be the responsible person or organization. The generating system belongs in generator metadata.
Do not update dateModified on every deployment. Only change it when the content materially changes.
Serve the image over HTTPS without authentication, cookies, or client-side generation.
Model the publisher, webpage, article, and primary media as distinct nodes. Keep detailed event lineage in a sidecar instead of overloading search-oriented JSON-LD.
{
"@context": "https://schema.org",
"@graph": [
{
"@type": "Organization",
"@id": "https://example.com/#publisher",
"name": "Example Organization"
},
{
"@type": "WebPage",
"@id": "https://example.com/report",
"mainEntity": {
"@id": "https://example.com/report#article"
}
},
{
"@type": "TechArticle",
"@id": "https://example.com/report#article",
"headline": "Modern HTML Provenance",
"datePublished": "2026-07-18T17:00:00-04:00",
"dateModified": "2026-07-18T18:30:00-04:00",
"version": "2026.07.18.1",
"creativeWorkStatus": "Published",
"author": { "@id": "https://example.com/#publisher" },
"publisher": { "@id": "https://example.com/#publisher" },
"isBasedOn": [{ "@type": "CreativeWork", "url": "https://spec.c2pa.org/" }],
"citation": [{ "@type": "CreativeWork", "url": "https://ogp.me/" }],
"sdPublisher": { "@id": "https://example.com/#publisher" },
"sdDatePublished": "2026-07-18"
}
]
}
isBasedOn for derivationcitation for referencessdPublisher for the structured representationW3C PROV-O is the better fit when the artifact must explain retrieval, transformation, review, revision, and responsibility across a generation workflow.
A report, source, prompt package, dataset, intermediate result, or immutable revision.
Retrieval, synthesis, transformation, human review, approval, signing, or publication.
A person, organization, model service, build pipeline, or software agent.
| Relationship | Use it for | Example |
|---|---|---|
wasGeneratedBy |
Connect an artifact to the generation activity. | Report revision → synthesis run. |
used |
Record an input consumed by an activity. | Research run → standards documents. |
wasAttributedTo |
Assign responsibility. | Published artifact → accountable organization. |
wasRevisionOf |
Connect immutable versions. | v1.1 → v1.0. |
hadPrimarySource |
Identify authoritative evidence. | Implementation guidance → governing specification. |
wasQuotedFrom |
Track exact quotations. | Claim block → quoted section. |
HTML metadata is editable. C2PA binds a signed manifest to the final artifact bytes so consumers can detect post-signing changes.
Use rel="c2pa-manifest" to reference a signed manifest.
External association avoids embedding a large Base64 payload in the document.
Produce the page, source ledger, JSON-LD, and visible provenance UI.
Run minification, bundling, edge injection, and production hardening first.
Create the C2PA manifest against the exact final document bytes.
Fetch the public response and verify the signed assertion after delivery.
Capture model type, model identifier, generation method, and degree of human oversight.
Do not expose system prompts, private source contents, internal endpoints, or authentication material.
Generated diagrams and share cards should carry their own provenance, not only inherit the page record.
A mutable canonical entry point is useful for sharing. An immutable revision is essential for auditability and exact citation.
Human-friendly sharing, search indexing, and the current publication state.
Historical verification, exact citations, reproducibility, and stable signed bytes.
Publish a new version and connect it with wasRevisionOf.
Make status visible to people and machine-readable in structured metadata.
The evidence for a prior revision must remain inspectable after the latest pointer moves.
Most generated research SPAs should start at Level 2. High-impact architecture, compliance, policy, and executive artifacts should move toward Levels 3 or 4.
Unique title, description, canonical URL, Open Graph, share image, language, dates, and basic JSON-LD.
Visible provenance, version, status, AI disclosure, source ledger, human review, claim anchors, and license.
Normalized provenance object, build identity, source digests, reviewer roles, PROV-O, and automated validation.
C2PA signing, trusted signer identity, deployed-byte verification, timestamping, and immutable storage.
Dates, source counts, version identifiers, review status, and attribution should not be independently hard-coded across the page.
interface ArtifactProvenance {
schemaVersion: "1.0";
artifact: {
id: string;
canonicalUrl: string;
revisionUrl?: string;
title: string;
description: string;
language: string;
contentType: "text/html";
version: string;
status: "draft" | "reviewed" | "published" | "superseded";
};
responsibility: {
creator: ProvenanceParty;
publisher: ProvenanceParty;
reviewers: ProvenanceParty[];
};
generation: {
generatedAt: string;
generatorName: string;
generatorVersion?: string;
method: "human" | "human-assisted" | "ai-assisted" | "ai-generated";
modelProvider?: string;
modelName?: string;
modelVersion?: string;
humanOversight: "none" | "sampled" | "reviewed" | "approved";
policyVersion?: string;
};
lifecycle: {
createdAt: string;
publishedAt?: string;
modifiedAt: string;
supersedes?: string;
supersededBy?: string;
};
sources: ProvenanceSource[];
claims?: Array<{
id: string;
selector: string;
sourceIds: string[];
confidence?: "high" | "medium" | "low";
notes?: string;
}>;
rights: {
licenseUrl?: string;
copyrightHolder?: string;
copyrightYear?: number;
usageInfoUrl?: string;
};
integrity: {
contentDigest?: string;
digestAlgorithm?: "sha-256" | "sha-384" | "sha-512";
c2paManifestUrl?: string;
signer?: string;
signedAt?: string;
verificationUrl?: string;
};
build: {
buildId: string;
sourceCommit?: string;
environment?: "development" | "preview" | "production";
};
}
Title, description, canonical, dates, and rights.
Share title, preview image, URL, locale, and article lifecycle.
Entities, relationships, sources, publisher, and publication status.
Generated time, review status, version, sources, license, and verification.
A trustworthy report is more than index.html.
Preserve the metadata, evidence, source ledger, and verification material that explain the document.
artifact/
├── index.html
├── assets/
│ └── share-card.2026.07.18.1.png
├── metadata/
│ ├── artifact.json
│ ├── schema.jsonld
│ └── provenance.jsonld
├── sources/
│ └── source-ledger.json
├── provenance/
│ └── artifact.2026.07.18.1.c2pa
└── verification/
└── checksums.txt
Most breakdowns happen when identity, freshness, responsibility, and evidence are treated as decorative metadata rather than release criteria.
| Anti-pattern | Failure | Remediation |
|---|---|---|
| One title and share image for the SPA | Every route looks identical when shared. | Generate route-specific initial metadata. |
| AI model listed as author | Accountability becomes ambiguous. | Use the responsible person or organization as author; record the model separately. |
| Generated date without modified date | Consumers cannot judge freshness. | Track created, published, modified, and review dates independently. |
| Modified date changes on every deploy | Creates false freshness. | Update only for meaningful content changes. |
| Raw private prompts in public metadata | Leaks internal instructions or sensitive context. | Store digests or redacted summaries. |
| Source list without claim mapping | Evidence is hard to audit. | Attach major claims to source IDs and selectors. |
| Signing before transformation | The deployed HTML fails verification. | Sign the final production bytes and verify after delivery. |
| Unsigned “verified” badge | Trust signal is self-asserted. | Link the badge to a real verification record. |
Metadata disappears in screenshots and is invisible to most readers. Significant artifacts should include a human-readable trust panel.
Generated as a single-file research handbook. Machine-readable metadata and human-readable provenance are embedded in the same artifact.
These are the governing or broadly adopted specifications behind the recommendations in this handbook.