@adriane-ai/verify
v1.14.0
Published
Offline, independent verifier for an Adriane Certificate of Execution — re-checks the Ed25519 signature, walks the attestation chain, AND re-derives the run from the capsule alone. `npx @adriane-ai/verify capsule.json`.
Downloads
912
Readme
@adriane-ai/verify
Offline, independent verifier for an Adriane Certificate of Execution — the signed audit-export
bundle (GET /runs/:id/audit-export). It re-checks everything from the capsule alone: no control
plane, no trust in the issuer.
npx @adriane-ai/verify capsule.json
# pin the signing key you obtained out-of-band (recommended):
npx @adriane-ai/verify capsule.json --key <base64-spki-public-key>Three independent checks:
- signature — Ed25519 over
sha256(bundle − signature)against the embedded key. - chain — the approval attestation chain is hash-linked and every signature is valid.
- replay — the run is re-derived on the OSS engine from the embedded
{ graph, entryState, journal }and must reach the same attested decisions. Don't trust us — re-run it yourself.
Exit code 0 when everything that applies passes, 1 otherwise.
Trust anchor. Without
--key, the signature is verified against the key inside the capsule — a forger could re-sign a doctored capsule with their own key. Pass--keywith a key you trust (published by the issuer) to pin it.
Library use:
import { verifyCapsule } from "@adriane-ai/verify";
const result = await verifyCapsule(capsule, { expectedPublicKey });
// → { signatureValid, keyPinned, chainValid, replayValid, reproducible, ok, notes }The replay leg needs the native engine (@adriane-ai/napi, pulled transitively) for your platform.
