Provenance & Standards
How the archive earns its credibility
How a US campus alert gets from a 911 dispatcher’s console into this archive, and the rules that govern every step.
Pipeline
How a case enters the archive
- DiscoveryA new incident is identified via official alert archives, branded X/Twitter handles, student newspapers, local TV coverage, Clery Annual Security Reports, or after-action reviews. Both fresh and historical cases are eligible.
- VerificationDate, institution, location, casualty counts, and timeline are cross-checked against at least two independent sources before any JSON is written. Building names, street names, and timezones are confirmed against the institution's own materials.
- AuthorshipThe case file is composed: alert text reproduced verbatim from the strongest available source, every claim in the context and summary fields paired with an inline source link, every alert tagged with its channel, type, and an honest isVerbatimConfirmed flag.
- ValidationEvery file passes through scripts/validate-cases.mjs, which enforces schema integrity, character-count parity, chronological ordering, slug uniqueness, and ISO date formatting. Cases failing any required rule are rejected before merge.
- PublicationOn merge to main, the static site rebuilds and the case is live at a permanent URL. The full JSON remains in the open repository so any reader can audit the underlying data.
Editorial standards
Non-negotiable rules
Five rules govern every case in this archive. They are reproduced verbatim from the project's editorial guide and any case that violates one is corrected or removed.
- 01Preserve all typos.“shots fire” stays as “shots fire.” Typos are authenticity markers.
- 02Every annotation must be specific to that message.Never generic observations.
- 03Confidence ratings must be honest.HIGH = verbatim from official source. MEDIUM = from reliable secondary. LOW = partial/reconstructed.
- 04Prefer SMS versions over email versions when both exist.SMS reflects the constraint environment.
- 05Alert timestamps must be chronologically ordered.Sequence 1 before sequence 2 before sequence 3. An alert cannot precede the incident it describes. The validator enforces this.
Data collection
Every case in this archive originates from publicly available sources. No case is fabricated, extrapolated, or composited from multiple incidents. Each case documents a single incident at a single institution with one or more alert messages reproduced verbatim from their original source.
Sources include official university alert archives, institutional social media accounts (primarily Twitter/X), student newspaper reporting, local media coverage, Clery Act Annual Security Reports, and after-action reviews. Source attribution is recorded at the alert level and the case level.
Verbatim fidelity
Our goal is to capture every alert in its exact, original wording. When that wording is confirmed from a primary source, it is reproduced exactly as sent: typos, grammatical errors, inconsistent capitalization, and formatting oddities are all preserved because they constitute evidence. When UNLV sent “shots fire” instead of “shots fired” during the December 2023 shooting, that typo was not an error to correct. It was an authenticity marker documenting the extreme urgency of composition under crisis conditions.
Cleaning up alert text would destroy the evidence of how humans actually communicate when lives are at stake.
Not every case has reached that bar yet. Where the exact transmitted text has not been recovered, the alert is reconstructed from reporting and clearly labeled as such, with an honest confidence rating, and tracking down and verifying the true verbatim wording is continuous, ongoing work.
Confidence ratings
Every case is assigned a confidence rating reflecting the reliability of its source material:
isVerbatimConfirmed flag is set to false for these alerts and they render in italics with a dashed left border.The Clery Act framework
The Clery Act (20 U.S.C. § 1092(f)) and its implementing regulations (34 CFR § 668.46) require all Title IV institutions to issue two distinct types of alerts:
Emergency Notifications (§ 668.46(g))
Required for any significant emergency or dangerous situation involving an immediate threat to health or safety on campus. Can be targeted to specific segments of the campus community. Must be issued “without delay” unless doing so would compromise efforts to contain the emergency.
Timely Warnings (§ 668.46(e))
Required for Clery Act crimes that pose a continuing threat to students and employees. Must reach the entire campus community. Crimes covered include murder, sexual assault, robbery, aggravated assault, burglary, motor vehicle theft, and arson.
Each case is classified under one of these categories, plus “advisory” for non-Clery discretionary notifications, “missing-student” for HEOA 2008 cases, and “test” for drills. Classification is based on incident type and apparent institutional intent, not on whether the institution correctly identified the legal obligation.
The distinction matters when reading across cases: the two categories carry different legal expectations. An emergency notification must go out “without delay” once an immediate threat is confirmed, while a timely warning follows a crime report on a slower, report-driven clock. Message timing, audience, and content therefore should not be pooled across categories as if they answered the same obligation; every case page and the search filters carry the category label so readers can keep them apart.
Annotations
Every alert message includes analytical annotations: observations about language choices, timing, channel selection, compliance implications, or comparison to other cases. Annotations must be specific to the individual message, not generic observations about the incident. An annotation like “Uses Run-Hide-Fight protocol language” is acceptable only if accompanied by specifics: which formulation, how it compares to the standard, what it reveals about the institution's approach.
Validation
All cases are validated before publication against a strict rule set:
- Valid JSON structure with all required fields present
- No duplicate case IDs or URL slugs
- At least one alert message per case
- At least one source per case
- Sequential alert numbering, chronologically consistent
- Character counts match verbatim text length
- Valid ISO 8601 timestamps with timezone offsets
- Two-letter state codes
- Slug format compliance (lowercase alphanumeric with hyphens)
Cases that fail validation on any required field are rejected. Cases with warnings (short headlines, missing annotations, character-count mismatches within tolerance) are flagged for review but not blocked.
Message Anatomy analysis
Beyond the verbatim record, every confirmed first-burst alert is coded for the six evidence-based elements of an effective warning message: the source (who is sending it), the hazard (what the threat is), the location (where it is), the guidance (the protective action to take), the time (when the message applies), and the impact (what the hazard could do). The core five come from public-warning science, including the work of Mileti and Sorensen, the CDC Crisis and Emergency Risk Communication framework, and FEMA IPAWS and WEA content guidance; the sixth, impact, was added on the recommendation of Dr. Jeannette Sutton, one of the field's foremost warning researchers, whose work on the content of Wireless Emergency Alerts informs the Impact definition used here (her research program and practitioner resources are introduced on the Message Anatomy page).
The coding is not keyword matching. Each alert is read in full and judged, element by element, by 25 independent Claude Opus 4.8 passes, each recording a verdict and a written justification. The headline result for an element is the majority vote across those 25 passes. A further arbitrator pass then reviews all 25 reads and writes a final one-to-two sentence synthesis for each element.
This is exploratory research. The codings are AI-generated and are not human-reviewed, so they should be read as systematic AI judgments with visible reasoning rather than validated ground truth. The analysis is shown interactively on the Message Anatomy page and is included in the data exports: the consensus and arbitrator assessment are folded into the “Everything” export on each coded case's first alert row, and the full element-coded dataset (consensus, per-element vote counts, and all 25 per-pass reads) is downloadable on its own.
Growing the archive: who adds new cases and policies
As of July 2026, growing the archive (researching and writing new cases, researching and writing new campus alert-and-warning policies, upgrading reconstructed alerts to verbatim, and fact-checking what is already published) is owned by Claude Sonnet 5. Sonnet 5 works the same pipeline described above (Discovery → Verification → Authorship → Validation → Publication), typically running several parallel research agents per session, each gated by scripts/validate-cases.mjs and scripts/validate-policies.mjs before anything is committed.
OpenAI Codex, a separate non-Claude agent, contributes to this same effort in small bounded batches under CODEX.md and docs/codex-work-packets/. Codex proposes its batches as pull requests; Claude Sonnet 5 reviews and merges them, holding Codex’s work to the identical validator-enforced quality bar as its own.
The analytics layer: Findings
The cross-corpus analysis published on the Findings page is owned by Claude Fable 5, a newer Anthropic model than the ones that compile the corpus. The division of labor is deliberate and disclosed: content growth (researching and writing new cases and policies) is led by Claude Sonnet 5, who also reviews and merges the batches OpenAI Codex contributes; Claude Opus 4.8 produced the per-alert message-element coding; Fable 5 designed and maintains the computation layer that reads across all of it, and authored the interpretation.
The discipline that makes this checkable: every statistic on those pages (the claims, the stat blocks, the charts) is computed at build time from the live case files by a single engine (lib/analytics.ts, in the public repository), and each finding publishes four things beside its headline claim: the plain-English inclusion rule and n; the computation steps; the honest limits, including how the corpus’s selection bias affects that specific number; and the evidence: case links chosen by stated deterministic rules, never hand-picked, with the complete slug list in findings.json. Statistical conventions: median is the middle value of the sorted list (mean of the two middle values for even counts); quartiles are Tukey hinges, the medians of the sorted list’s lower and upper halves; minute values round half-up before formatting; free-text resolution values are normalized by published pattern rules (any resolution containing “hoax” or “swat” groups as confirmed-hoax, and so on) before resolution-based statistics are computed. These conventions were themselves pinned by independent replication: before publishing, separate auditor runs re-derived every figure from the raw data using only the published method text.
The same standard applies as everywhere else on this site: the analysis is AI-generated and not human-reviewed. It is presented so that a skeptical reader never has to take a conclusion on faith: recompute any figure from the raw data export and it should match; if it does not, the finding is wrong and the maintainer wants to know.
Institutional diversity
The archive aims for coverage across every institution type and region, and all cases are treated and weighted equally. Some institution types (community colleges, HBCUs, tribal colleges, institutions in US territories, small liberal arts colleges) are systematically underrepresented in public archives due to archival practices, not crime rates. Gaps in coverage are tracked and reported. If an institution type or geographic region is missing from this archive, that is a gap in the public record, not an indicator of safety.
Data schema
The complete data schema is defined in TypeScript and enforced at build time. Key structures:
CaseStudy {
id: string // YYYY-MM-DD-institution-slug
slug: string // URL-safe routing slug
institution: Institution // name, state, type, alertSystem
incident: Incident // date, type, cleryCategory, headline, summary
alerts: Alert[] // verbatim messages with annotations
sources: Source[] // attributed provenance
confidence: high | medium | low
tags: string[]
}Export field reference
The downloadable exports flatten the case files into tables. The default research export is at the alert grain: one row per alert message, with case-level fields repeated on every row.
Alert grain (one row per alert message)
- caseId
- Stable case identifier (YYYY-MM-DD-institution-slug).
- date
- Incident date, YYYY-MM-DD.
- institution
- Full official institution name.
- shortName
- Common abbreviation, e.g. UNLV.
- state
- Two-letter state or territory code.
- institutionType
- Institution category (public-r1, hbcu, community-college, …).
- incidentType
- Incident classification (active-shooter, bomb-threat, …).
- cleryCategory
- Clery classification: emergency-notification, timely-warning, or advisory.
- resolution
- How the incident resolved, where recorded.
- headline
- The case's editorial headline.
- alertSequence
- 1-based order of this message within the case.
- alertType
- initial, update, all-clear, follow-up, or correction.
- channel
- Delivery channel (sms, email, twitter-x, sirens, …).
- timestamp
- ISO 8601 carrying the campus UTC offset; the local fields are the campus wall-clock reading.
- timestampApprox
- Honest prose fallback when no exact send time is known.
- verbatimText
- The exact alert text, typos preserved.
- isVerbatimConfirmed
- TRUE = confirmed exact wording from the cited source; FALSE = reconstruction from coverage.
- characterCount
- Exact length of verbatimText.
- alertSourceDescription
- Short label for where this alert's text came from.
- alertSourceUrl
- Direct URL to the source of this alert's text.
- caseConfidence
- Case-level confidence rating: high, medium, or low.
- caseUrl
- Permanent URL of the case page in this archive.
“Everything” adds
- alertAnnotations
- The archive's editorial annotations for that message, joined with " | " in flat formats; JSON exports carry the full array.
- incidentSummary
- The case's 2-4 sentence summary.
- incidentOutcome
- Outcome of the incident, where recorded.
- responseTimeMinutes
- Minutes from incident start to first alert.
- context
- The case's narrative context.
- keyFindings
- The case's key analytical findings.
- tags
- Freeform case tags.
- alertSystemName
- The institution's branded alert system, e.g. RebelSAFE.
- alertPlatform
- Underlying vendor platform, where known.
- enrollment
- Approximate enrollment, where recorded.
- allSources
- Every case-level source with title and URL.
- dateAdded
- Date the case entered the archive.
- lastUpdated
- Date the case was last revised.
Dataset wrapper & integrity notes
The full-dataset download at /data/cases.json wraps the case records in a small envelope: generatedAt (ISO build timestamp), version (the dataset version, e.g. 2026.07), source (the site URL), count (number of cases), license (reuse terms), and cases[] (the full canonical case objects). Per-case canonical records (byte-for-byte copies of the repository files) live at /data/case/<slug>.json. A machine-readable codebook documenting every export column lives at /codebook.json.
Confidence semantics, in one line each: high = verbatim from an official source; medium = reliable secondary sourcing; low = substantially reconstructed.
CSV only: cells beginning with =, +, @, or a tab are prefixed with a single quote (') to prevent spreadsheet formula injection. JSON artifacts are never altered.
Flat formats (CSV, Excel, HTML, PDF) pipe-join multi-value fields such as annotations; JSON exports preserve the underlying arrays.
How to cite
Every case page carries a “Cite this case” card with a plain citation, a copyable BibTeX entry, and a download of the case's canonical JSON record. To cite the whole archive, use the versioned citation on the Dataset page, which also carries every download and the license. Note that the alert text itself remains the work of the issuing institution; this archive is a secondary source, so where the original wording matters, cite the institutional source recorded on the alert as well.
For mission and funding context, see the about page.