@atlasent/verify
v0.1.0
Published
Offline verifier for AtlaSent Proof bundles. Recomputes the audit chain, re-checks Ed25519 signatures, and re-hashes payloads against bound proofs — without touching the API.
Maintainers
Readme
@atlasent/verify
Offline verifier for AtlaSent Proof bundles. It recomputes every audit hash, re-walks the hash-linked chain, and re-checks every Ed25519 signature — with zero network calls and zero database access. A passing verification here is identical to the check the API runs, so it's suitable as a third-party / auditor-side integrity gate.
Install
npm i -g @atlasent/verify # or: npx @atlasent/verify ...CLI
# Verify a bundle exported from GET /v1/proofs/export.
# Signatures are checked against the bundle's embedded key registry.
atlasent-verify bundle.json
# Pin trust to a key you obtained out-of-band (e.g. the AtlaSent trust
# center). The bundle's own key claim is then ignored — this is the
# assurance that matters for an audit.
atlasent-verify bundle.json --pubkey @atlasent-audit-key.pemExit code is 0 when every proof verifies, 1 otherwise — and 2 for
usage/IO errors. The summary line reports the key source
(out-of-band pinned key vs bundle-embedded registry).
--pubkey formats
The flag (or the ATLASENT_PUBLIC_KEY_PEM / ATLASENT_AUDIT_PUBLIC_KEY
env var) accepts the key as:
- PEM (
-----BEGIN PUBLIC KEY-----, SPKI), - base64 / base64url of the SPKI DER, or
- base64 / base64url of the raw 32-byte Ed25519 key.
Prefix the value with @ to read it from a file. Passing --pubkey
without a value is an error — the verifier fails closed rather than
silently falling back to the bundle's key.
Library
import { verifyBundle, importPublicKey } from "@atlasent/verify";
const pinnedKey = await importPublicKey(pem); // or raw/SPKI base64
const result = await verifyBundle(bundle, { pinnedKey });
result.status; // "valid" | "invalid"
result.key_source; // "pinned" | "bundle"
result.results; // per-proof checks + failure_reasonsLicense
Apache-2.0
