--- name: c2pa-metadata description: "Embed C2PA (Content Authenticity Initiative) provenance manifests in AI-generated marketing assets (image/video/audio/PDF). Use when: preparing AI-generated ad creative, social images, or video for EU markets to comply with EU AI Act Article 50 (applicable 2 Aug 2026); embedding visible AI-generation disclosure in assets; meeting brand-trust transparency requirements." --- # /digital-marketing-pro:c2pa-metadata — Embed Content Authenticity Provenance ## Purpose Wraps `scripts/embed-c2pa.py` to add a **C2PA (Coalition for Content Provenance and Authenticity) manifest** to any AI-generated marketing asset. The manifest carries a machine-readable provenance trail (who generated it, what generator was used, what prompt produced it, when it was reviewed) plus a visible AI-generation claim in the IPTC digital-source-type vocabulary. This is the technical mechanism brands use to comply with: - **EU AI Act Article 50** (applicable 2 August 2026) — generative-AI marketing content must be marked in a machine-readable format using open, interoperable standards. C2PA is the emerging backbone. Penalty for non-compliance: up to **€15 million or 3% global annual turnover**. - **NY synthetic-performer disclosure law** (effective June 2026) — $1K–$5K per violation, $10K repeat; applies to synthetic influencers and AI-generated endorsements. - **FTC May 2026 endorsement guidance** — covers AI testimonials and synthetic creator content. - **Australia Online Safety Act / UK Online Safety Act** — emerging deepfake disclosure requirements. The resulting asset can be inspected by any C2PA-aware viewer (Adobe Photoshop, Lightroom, Truepic, [contentcredentials.org/verify](https://contentcredentials.org/verify)). ## When to invoke - Right after any AI image / video / audio generation step in the engagement workflow (Part 11 — AI Creative Instructions output) - Before handing a generated asset to the design team for review - As a pre-publish gate in `/digital-marketing-pro:check` for EU-targeted assets - Bulk-applying to a backlog of AI-generated assets before EU AI Act enforcement on 2 Aug 2026 ## Quick examples ```bash # Single asset — image generated by Vertex AI / Nano Banana Pro /digital-marketing-pro:c2pa-metadata \ --input assets/q3-launch-hero.png \ --output assets/signed/q3-launch-hero.png \ --brand "Acme Corp" \ --generator "Vertex AI / Nano Banana Pro" \ --ai-claim ai-generated-content \ --prompt "minimalist product hero shot, soft natural lighting" # Video with human review tracked /digital-marketing-pro:c2pa-metadata \ --input campaigns/launch-video-v3.mp4 \ --output campaigns/signed/launch-video-v3.mp4 \ --brand "Acme Corp" \ --generator "Runway Gen-4" \ --ai-claim ai-generated-content \ --reviewer "Jane Smith" # Human-created image with AI-assisted edits /digital-marketing-pro:c2pa-metadata \ --input assets/founder-headshot-edited.jpg \ --output assets/signed/founder-headshot-edited.jpg \ --brand "Acme Corp" \ --generator "Adobe Generative Fill" \ --ai-claim ai-assisted-edits # Production sign with a real C2PA signing certificate /digital-marketing-pro:c2pa-metadata \ --input assets/q3-launch-hero.png \ --output assets/signed/q3-launch-hero.png \ --brand "Acme Corp" \ --generator "Vertex AI / Nano Banana Pro" \ --ai-claim ai-generated-content \ --signing-cert /secure/c2pa-prod-cert.pem \ --signing-key /secure/c2pa-prod-key.pem ``` ## AI claim values (IPTC digital source type) | Value | When to use | Maps to IPTC URI | |---|---|---| | `ai-generated-content` | Asset fully generated by AI | `algorithmicMedia` | | `ai-assisted-edits` | Human-created + AI-edited (e.g. Generative Fill) | `compositeWithTrainedAlgorithmicMedia` | | `ai-no-substantive-changes` | AI used (e.g. upscaling) but no semantic change | `minorHumanEdits` | The IPTC vocabulary is what EU AI Act regulators reference — using these values rather than ad-hoc strings makes the asset interoperable with the Article 50 enforcement tooling. ## Supported asset formats `.png` · `.jpg/.jpeg` · `.webp` · `.gif` · `.tiff` · `.mp4` · `.mov` · `.webm` · `.mp3` · `.wav` · `.pdf` ## Signing certificate Production C2PA signatures require a certificate from a CAI-recognized signing authority. The script will use one if you pass `--signing-cert` and `--signing-key`. If you omit them, the script generates a **self-signed 90-day dev certificate** for development testing only — a self-signed asset will verify as "signature present but signer not in trust list" at [contentcredentials.org/verify](https://contentcredentials.org/verify). For production deployment: 1. Obtain a C2PA-compatible signing certificate from a CAI-recognized authority (Adobe, Truepic, Numbers Protocol, Microsoft Azure Confidential Ledger). 2. Store the cert + key securely (do NOT commit to git; use an environment-variable path or secret store). 3. Pass `--signing-cert` and `--signing-key` on every production invocation. Reference: [opensource.contentauthenticity.org/docs/manifest/signing-manifests/](https://opensource.contentauthenticity.org/docs/manifest/signing-manifests/) ## Python dependencies - `c2pa-python>=0.5.0` — auto-installed on first run via `pip install` - `cryptography` — only needed for the dev self-signed cert path; auto-installed if missing Both are part of the plugin's **Full mode** (~50 MB) — see `pip install -r scripts/requirements.txt` in the README. ## Output The script prints a JSON status report to stdout: ```json { "status": "success", "input": "assets/q3-launch-hero.png", "output": "assets/signed/q3-launch-hero.png", "size_bytes": 482371, "brand": "Acme Corp", "generator": "Vertex AI / Nano Banana Pro", "ai_claim": "ai-generated-content", "created": "2026-05-16T10:30:00+00:00", "manifest_assertions": ["c2pa.actions", "stds.schema-org.CreativeWork"], "using_dev_cert": false, "verify_url": "https://contentcredentials.org/verify" } ``` ## Integration with the engagement workflow In a full 12-part engagement, this skill plugs in at **Part 11 — AI Creative Instructions output**. After a creative brief is rendered as an actual asset (in SocialForge or a manual creative process), the resulting file passes through `c2pa-metadata` before being checked in to `engagements//11-creative-briefs/signed/`. The `/digital-marketing-pro:check` pre-publish gate should also verify that all AI-generated assets in an EU-targeted campaign carry a C2PA manifest. v3.4 adds this verification to the EU jurisdiction rule pack in `skills/context-engine/compliance-rules.md`. ## Related - `/digital-marketing-pro:check` — pre-publish quality gate (now verifies C2PA manifest on AI assets for EU campaigns) - `skills/context-engine/compliance-rules.md` — EU AI Act Article 50 rule pack - `skills/influencer-creator/ftc-compliance.md` — FTC May 2026 endorsement guidance - [C2PA spec v1.3](https://c2pa.org/specifications/specifications/1.3/index.html) - [Content Authenticity Initiative](https://contentauthenticity.org/)