@veritasacta/verify
Unified offline verifier for signed machine-decision artifacts. Network-effect mechanics built in.
Apache-2.0 · Ed25519 + VOPRF · Offline · Sigil-verified canonical release · Auto-onboarding · MCP proxy · Sidecar daemon
Receipt format: ScopeBlind emits Veritas Acta receipts. Legacy ScopeBlind receipts remain verifiable, but Acta v0.1 is the canonical format going forward. Spec:
@veritasacta/protocol· IETF: draft-farley-acta-signed-receipts.
# Install
npm install -g @veritasacta/verify
# Or
brew install veritasacta/verify/veritasacta-verify
# Prove canonical release
npx @veritasacta/verify --self-check
# Zero-config onboarding (auto-detects framework)
npx @veritasacta/verify init
# Verify any receipt format
npx @veritasacta/verify receipt.json --key <pubkey>Part of the Veritas Acta protocol for machine-decision evidence.
What it verifies
| Mode | Input | Conformance tier |
|---|---|---|
| Ed25519 receipt | Signed decision receipts (v1, v2, Passport envelope) | T1 |
| Ed25519 + AIP-0002 | Selective-disclosure receipts with _commitments |
T2 |
| Ed25519 + attestation | Receipts with attestation_mode or anchor_uri |
T3 |
| VOPRF token | Anonymous credential tokens (RFC 9497, BRASS wire format). Full Schnorr DLEQ verification for both πI (issuer) and πC (client). | T4 |
| Knowledge Unit | Multi-model deliberation bundles (draft-farley-acta-knowledge-units-00) | varies |
| Audit bundle | Multiple receipts with embedded signing keys | varies |
| Gate receipt / bundle | ScopeBlind Gate receipt tuples (scopeblind.gate.*) and signed-manifest scopeblind.gate.evidence-bundle/2 exports with semantic and exact chain checks |
T1 |
| Legate governed receipt | Desktop runtime receipts (scopeblind.legate.governed.*) with determining-rule attribution and mandate-digest binding |
T1 |
| Legate proof pack | Position-blind adherence records (scopeblind.legate.proof-pack.v1): held/blocked by rule, order-path shadow evidence, bound to mandate digest + signed-book provenance + receipt Merkle root. Ed25519 + optional hybrid ML-DSA-65 |
T1 |
Subcommands
The CLI is a dispatcher: one binary, eight modes.
verify # verify a single file (default)
verify init # zero-config onboarding, auto-detects framework
verify proxy --target "..." # transparent MCP proxy, signs every tool call
verify daemon # unix-socket sidecar, language-agnostic signing API
verify prompt <file> # verify provenance of a CLAUDE.md / SKILL.md / system prompt
verify chain explore <r.json> # walk a receipt chain to its root, validate every hash link
verify --replay-chain ... # bulk verification with chain-linkage check
verify --self-check # prove this binary is the canonical release
verify --attest # emit a shareable canonical attestationPrompt provenance
Closes the supply-chain vector where an attacker modifies CLAUDE.md, SKILLS.md, or a system prompt between authoring time and agent runtime.
# Against a Veritas Acta receipt asserting the prompt hash
verify prompt SKILL.md --prompt-receipt prompt-receipt.json
# Against a Sigstore bundle (DSSE + in-toto statement)
verify prompt CLAUDE.md --sigstore-bundle bundle.json
# Fast path: caller knows the expected hash
verify prompt SKILL.md --expected-hash <sha256-hex>Chain exploration
Walks the previousReceiptHash chain from a chain tip back to its root, validating every link's SHA-256.
verify chain explore ./receipts/tip.json
# → ASCII tree, depth, links_broken, warnings
verify chain explore ./receipts/tip.json --search-dir ./audit/ --max-depth 200 --jsonScopeBlind Gate receipts
Verifies the receipt tuples emitted by the ScopeBlind Gate (the pre-trade mandate gate): single decisions, batch decisions and their exact signed legs, PM co-sign approvals, execution fills, held-remainder states, and issuer-signed mandate delegations. Version 2 evidence bundles add a gate-signed completeness manifest that enumerates every exported digest. Tuples sign the SHA-256 of the deep-key-sorted payload; the Ed25519 signature covers the digest bytes and verifies against the verification_key carried in the tuple.
verify gate-receipt.json # auto-detected tuple
verify gate-bundle.json # schemas, exact links, and signed manifest checked
verify gate-receipt.json --key <gate-pubkey> # pin the expected signer
verify gate-bundle.json --key <gate-pubkey> # pin the bundle trust anchor
verify samples/sample-gate-bundle.json # try it (deterministic demo keys)A VALID result proves cryptographic authenticity, payload integrity, recognized-schema validity, exact parent-child consistency, fail-closed partial-fill handling, and that the signed manifest exactly covers the records in the export. It does NOT prove the risk inputs were correct, that a demo fill came from an independent production custodian, or that records outside the manifest's declared history scope do not exist. Verification keys travel inside the records, so pin the expected gate signer with --key for identity assurance. Crypto and chain failures are reported separately ([crypto] vs [chain]): a record can be individually authentic while its semantic or cross-record relationship is invalid.
Legacy scopeblind.gate.evidence-bundle/1 files are detected but fail closed because they do not contain a signed completeness manifest. Re-export them as /2.
Pre-built sandbox profiles
ecosystem/profiles/ ships sandboxing profiles (Cedar policy + nono capabilities + README) for common agent runtimes — Claude Code, Cursor, Codex, Gemini CLI, OpenClaw. Compose with sb-runtime --ring 3 --policy ./policy.cedar + nono run --caps ./nono-capabilities.yaml.
Verification properties
- Offline. No network contacted unless
--jwks <url>is explicitly passed. - Tamper-evident. Exit 1 is proven tampering; exit 2 is undecidable (malformed, missing key, unsupported algorithm).
- No vendor trust. Only Ed25519 (RFC 8032) and JCS (RFC 8785) in the verification path.
- Self-verifying.
--self-checkcryptographically proves the installed verifier (24 source files) matches the canonical release. - Algorithm-agile. Hybrid PQ (
ed25519+ml-dsa-65) recognized and verified (v0.9+). - Zero telemetry. The verifier never phones home.
Quick start: frictionless onboarding
$ cd my-agent-project
$ npx @veritasacta/verify init
[Sigil ASCII art]
sigil: 956f2e88
✓ Veritas Acta initialized
Directory: ./.veritasacta
Kid: project:956f2e8895fd
Framework: crewai (python)
Next steps:
Install: pip install veritasacta-crewai
Wrap your agent with the adapter as shown in the adapter README.
Verify:
npx @veritasacta/verify .veritasacta/receipts/*.json --key 956f2e88...Init auto-detects your framework from package.json / pyproject.toml / requirements.txt across 13 supported frameworks (Claude Code, Claude Agent SDK, Google ADK, CrewAI, Pydantic AI, AutoGen, Smolagents, LangChain JS/Python, LangGraph JS/Python, OpenAI Agents SDK, Vercel AI SDK).
Universal MCP proxy — zero code changes
$ verify proxy --target "node my-mcp-server.js"
[veritasacta proxy] rcpt_1 signed (web_search) kid=project:956f2e8895fd
[veritasacta proxy] rcpt_2 signed (read_file) kid=project:956f2e8895fd
...Wraps any MCP server with signing. No changes in the server. No changes in the agent. Every tools/call gets a chain-linked Ed25519 receipt.
Sidecar daemon — language-agnostic signing
Run once; any process in the same user context signs receipts by POST.
$ verify daemon &
# Any language, any process:
$ curl --unix-socket /tmp/veritasacta-$UID.sock -X POST http://_/sign \
-d '{"tool":"web_search","args":{"q":"..."},"decision":"allow"}'
{ "payload": {...}, "signature": {"alg":"EdDSA","kid":"...","sig":"..."} }One daemon, N agents, zero SDK embedding.
Canonical attestation — network-effect mechanics
Every user who runs --self-check can emit a canonical attestation — a signed JSON artifact proving they ran the canonical unmodified verifier. Publish wherever (GitHub README, status page, SBOM, Rekor).
$ verify --attest --attest-org "Acme Corp" --output attestation.jsonOutput:
{
"payload": {
"type": "veritasacta:verifier-attestation",
"sigil_fingerprint": "6391ae72",
"sigil_name": "Quiet Orchard",
"canonical": true,
"attester_org": "Acme Corp",
"issued_at": "2026-04-19T...",
"expires_at": "2026-04-26T...",
"attester_kid": "attester:..."
},
"signature": { "alg": "EdDSA", ... },
"verification": { "attester_pubkey": "..." }
}Offline. User-signed. Counterfeit forks produce attestations marked canonical: false — detectable across the network.
Verification receipts
$ verify receipt.json --key <pubkey> --emit-verification-receiptProduces a signed "the canonical verifier checked this receipt and it was valid" artifact. Anchor in Sigstore Rekor, publish in SBOMs, attach to compliance reports.
Enterprise features
| Flag | Purpose |
|---|---|
--pin-sigil <hex> |
Require the installed Sigil fingerprint to match (supply-chain enforcement) |
--audit-log <file> |
Append every verification event to a chain-hashed JSONL log |
--audit-report |
Render an HTML audit report (self-contained, auditor-ready) |
--fips |
Enforce FIPS-approved algorithms only |
--strict |
Disable all deprecated fallbacks |
--tier N |
Require minimum conformance tier (1-5) |
--replay-chain <file> |
Bulk-verify a JSONL chain with parallel workers |
--diff <other> |
Structural diff between two receipts |
Live-context verification (Sigil claim 2)
$ verify receipt.json \
--require-context clock:±5s \
--require-context sensor:temp<18Gates verification on live context (NTP, sensors, feeds). Predicate fails → verification fails. Operationalizes patent #5 claim 2.
Algorithms supported
Ed25519/EdDSA(RFC 8032)voprf-p256-sha256(RFC 9497, structural; full DLEQ extraction in progress)- Hybrid PQ recognized:
ed25519+ml-dsa-65,ed25519+dilithium3(v0.6+)
Conformance tiers
| Tier | Requirements |
|---|---|
| T1 Basic | Ed25519 + JCS + chain linkage |
| T2 Disclosure | T1 + AIP-0002 selective disclosure |
| T3 Attestation | T2 + attestation_mode + anchor_uri |
| T4 Privacy | T3 + VOPRF + holder_binding |
| T5 Full | T4 + ZK compliance proofs (v1.0+) |
Each verification surfaces the tier achieved. Implementations earn tier badges for their READMEs.
Framework adapters
| Framework | Package | Language |
|---|---|---|
| Claude Code (MCP hooks) | protect-mcp |
JS |
| Google ADK | protect-mcp-adk |
Python |
| LangChain | @veritasacta/langchain / veritasacta-langchain |
JS / Python |
| LangGraph | @veritasacta/langgraph / veritasacta-langgraph |
JS / Python |
| CrewAI | veritasacta-crewai |
Python |
| Pydantic AI | veritasacta-pydantic-ai |
Python |
| AutoGen | veritasacta-autogen |
Python |
| Smolagents | veritasacta-smolagents |
Python |
| OpenAI Agents SDK | @veritasacta/openai-agents |
JS / Python |
| Vercel AI SDK | @veritasacta/vercel-ai |
JS |
| Any MCP server | verify proxy --target "<cmd>" |
language-agnostic |
| Anything else | verify daemon + HTTP POST |
language-agnostic |
SDK
Tiny language-agnostic signing helpers for custom integrations:
npm install @veritasacta/sdk
pip install veritasacta-sdkimport { Signer } from '@veritasacta/sdk';
const signer = Signer.fromKeyFile('.veritasacta/attester.json');
const receipt = signer.signDecision({ tool: 'x', args: {}, decision: 'allow' });Release names (Sigil brand convention)
Every release gets a unique deterministic name from its cryptographic fingerprint. Current release: Quiet Orchard (6391ae72). Full registry at veritasacta.com/sigils. See ecosystem/RELEASE-NAMING.md for the derivation.
Ecosystem artifacts
The ecosystem/ directory ships:
- GitHub Action (
ecosystem/github-action/) — drop-in CI step - Claude Code plugin (
ecosystem/claude-code-plugin/) — one-click Claude Code install - Homebrew tap (
ecosystem/homebrew-tap/) —brew install veritasacta-verify - Registry worker (
ecosystem/registry-worker/) — public implementations registry (registry.veritasacta.com) - Badge worker (
ecosystem/badge-worker/) — shields.io-compatible badges (verify.veritasacta.com/badge/*) - Interop leaderboard (
ecosystem/interop-leaderboard/) — weekly cross-implementation CI - Language SDKs (
ecosystem/sdk-js/,ecosystem/sdk-py/) — tiny signing helpers - Framework adapters (
ecosystem/adapters/*) — LangChain, CrewAI, OpenAI Agents, Vercel AI, Smolagents, Pydantic AI, AutoGen, LangGraph - Design docs (
ecosystem/rollback/,ecosystem/supervisor/,ecosystem/reputation/,ecosystem/dashboard/,ecosystem/browser-extension/,ecosystem/ebpf-observer/,ecosystem/cosign-compat/,ecosystem/CONFORMANCE-CERTIFICATION.md)
See ecosystem/README.md for the full map.
Relationship to the Veritas Acta stack
- Protocol: veritasacta.com — open IETF drafts, AIP specs, Apache-2.0.
- Verifier: this package. Open, offline, fully user-controlled.
- Managed issuance (commercial): scopeblind.com — managed receipt infrastructure + VOPRF issuance API.
Open verifier + closed issuer. The verifier is always free. The commercial product is the managed service.
Supply chain
v0.5.0 is published with:
npm publish --provenance— Sigstore-attested supply chain- Sigil commitment covering 24 source files
- Minimum dependency tree: only
@veritasacta/artifacts(+ transitively@noble/curves,@noble/hashes)
Verify your installation:
npm audit signatures # Sigstore attestation
verify --self-check # matches canonical Sigil
verify --pin-sigil <fingerprint> # enforce a specific releaseSpecifications
- draft-farley-acta-signed-receipts-03
- draft-farley-acta-knowledge-units-00
- AIP-0001 (receipt format + ASCII-only JCS)
- AIP-0002 (selective disclosure)
- AIP-0003 (holder binding)
- RFC 8032, 8785, 9497, 9380, 7517, 7638
Documentation
- CHANGELOG.md — release history
- THREAT-MODEL.md — what the verifier protects against and what it doesn't
- SECURITY.md — disclosure policy + supported versions
- ERRORS.md — complete error-code registry
- ecosystem/RELEASE-NAMING.md — Sigil naming convention
License
Apache-2.0.
Patent-adjacent; covered by the Apache-2.0 patent grant (§3). See PATENTS.md.