diff --git a/.github/actions/setup-python-pip/action.yml b/.github/actions/setup-python-pip/action.yml
index 9224a87..2f8f833 100644
--- a/.github/actions/setup-python-pip/action.yml
+++ b/.github/actions/setup-python-pip/action.yml
@@ -14,7 +14,7 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: actions/setup-python@v6
+    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # was `@v6`
       with:
         python-version: ${{ inputs.python-version }}
         check-latest: ${{ inputs.check-latest == 'true' }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ad09edf..468ffda 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
 
       - name: Resolve pinned intentproof-spec revision
         id: spec_pin
@@ -36,7 +36,7 @@ jobs:
               f.write(f"sha={c}\n")
           PY
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
         with:
           repository: IntentProof/intentproof-spec
           ref: ${{ steps.spec_pin.outputs.sha }}
@@ -52,7 +52,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
 
       - name: Resolve pinned intentproof-spec revision
         id: spec_pin
@@ -67,14 +67,14 @@ jobs:
               f.write(f"sha={c}\n")
           PY
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
         with:
           repository: IntentProof/intentproof-spec
           ref: ${{ steps.spec_pin.outputs.sha }}
           fetch-depth: 0
           path: intentproof-spec
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # was `@v6`
         with:
           node-version-file: intentproof-spec/.nvmrc
           cache: npm
@@ -87,7 +87,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
 
       - name: Resolve pinned intentproof-spec revision
         id: spec_pin
@@ -102,7 +102,7 @@ jobs:
               f.write(f"sha={c}\n")
           PY
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
         with:
           repository: IntentProof/intentproof-spec
           ref: ${{ steps.spec_pin.outputs.sha }}
@@ -125,7 +125,7 @@ jobs:
   audit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
 
       - uses: ./.github/actions/setup-python-pip
         with:
@@ -163,7 +163,7 @@ jobs:
             python-version: "3.14"
             check-latest: false
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
 
       - name: Resolve pinned intentproof-spec revision
         id: spec_pin
@@ -178,7 +178,7 @@ jobs:
               f.write(f"sha={c}\n")
           PY
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
         with:
           repository: IntentProof/intentproof-spec
           ref: ${{ steps.spec_pin.outputs.sha }}
diff --git a/.github/workflows/conformance-attestation.yml b/.github/workflows/conformance-attestation.yml
index dfca944..683ba64 100644
--- a/.github/workflows/conformance-attestation.yml
+++ b/.github/workflows/conformance-attestation.yml
@@ -27,7 +27,7 @@ jobs:
       PUBLISH_CONFORMANCE_ROOT: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'master') && github.actor != 'github-actions[bot]' && github.actor != 'intentproof-cert-bot[bot]' }}
     steps:
       - name: Checkout SDK repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
         with:
           persist-credentials: false
 
@@ -45,7 +45,7 @@ jobs:
           PY
 
       - name: Checkout intentproof-spec
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
         with:
           repository: IntentProof/intentproof-spec
           ref: ${{ steps.spec_pin.outputs.sha }}
@@ -82,7 +82,7 @@ jobs:
         run: tox run -e static,cov
 
       - name: Set up Node.js for spec oracle
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # was `@v6`
         with:
           node-version-file: intentproof-spec/.nvmrc
           cache: npm
@@ -109,7 +109,7 @@ jobs:
         run: npm run validate:conformance-certificate
 
       - name: Upload conformance report and certificate
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # was `@v7`
         with:
           name: conformance-artifacts
           path: |
@@ -120,7 +120,7 @@ jobs:
       - name: Mint cert-bot installation token
         id: cert_bot_token
         if: ${{ env.PUBLISH_CONFORMANCE_ROOT == 'true' }}
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547  # was `@v1`
         with:
           app-id: ${{ vars.INTENTPROOF_CERT_BOT_ID }}
           private-key: ${{ secrets.INTENTPROOF_CERT_BOT_PRIVATE_KEY }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 015a4e6..3d397ab 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Verify required CI checks passed on release SHA
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # was `@v8`
         with:
           script: |
             const requiredExact = ["no-handwritten-model-types", "hardening", "intentproof-spec", "spec-golden-parity"];
@@ -70,7 +70,7 @@ jobs:
       id-token: write
       contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
 
       - name: Resolve pinned intentproof-spec revision
         id: spec_pin
@@ -85,7 +85,7 @@ jobs:
               f.write(f"sha={c}\n")
           PY
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
         with:
           repository: IntentProof/intentproof-spec
           ref: ${{ steps.spec_pin.outputs.sha }}
@@ -129,6 +129,6 @@ jobs:
         run: python -m build
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # was `release/v1`
         with:
           packages-dir: dist/
diff --git a/.github/workflows/spec-conformance.yml b/.github/workflows/spec-conformance.yml
index 637fa8f..0975de0 100644
--- a/.github/workflows/spec-conformance.yml
+++ b/.github/workflows/spec-conformance.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout SDK repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
 
       - name: Resolve pinned intentproof-spec revision
         id: spec_pin
@@ -41,7 +41,7 @@ jobs:
           PY
 
       - name: Checkout intentproof-spec
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
         with:
           repository: IntentProof/intentproof-spec
           ref: ${{ steps.spec_pin.outputs.sha }}
@@ -62,7 +62,7 @@ jobs:
         run: tox run -e static,cov
 
       - name: Set up Node.js for spec oracle
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # was `@v6`
         with:
           node-version-file: intentproof-spec/.nvmrc
           cache: npm
@@ -81,7 +81,7 @@ jobs:
           cp intentproof-spec/conformance-report.json conformance-report.json
 
       - name: Upload conformance report artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # was `@v7`
         with:
           name: conformance-report-python
           path: conformance-report.json
diff --git a/.github/workflows/typos.yml b/.github/workflows/typos.yml
new file mode 100644
index 0000000..db9e03a
--- /dev/null
+++ b/.github/workflows/typos.yml
@@ -0,0 +1,25 @@
+name: Typos
+
+on:
+  pull_request:
+  push:
+    branches: [main, master]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: typos-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  typos:
+    name: Spell check
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # was `@v6`
+
+      - name: Run typos
+        uses: crate-ci/typos@5374cbf686e897b15713110e233094e2874de7ef  # was `@v1`
diff --git a/.typos.toml b/.typos.toml
new file mode 100644
index 0000000..d171e11
--- /dev/null
+++ b/.typos.toml
@@ -0,0 +1,9 @@
+# Typos — https://github.com/crate-ci/typos
+# CI: .github/workflows/typos.yml
+
+[files]
+extend-exclude = ["package-lock.json"]
+
+[default.extend-words]
+# Placeholder Stripe-style IDs; tokenizer can flag “SAMPL” inside “…SAMPLE…”.
+SAMPL = "SAMPL"