Tamper-evident evidence bundles for AI outputs
AELITIUM
Provable AI outputs.
AELITIUM turns AI outputs into tamper-evident evidence bundles that can be verified anywhere, on any machine.
It allows engineers to prove what a model actually said — even long after the original system is gone.
Why this exists
AI outputs are usually stored in logs or databases.
Those records can be edited, overwritten, selectively deleted, or disputed later.
When AI outputs influence decisions — finance, healthcare, support automation, legal workflows — teams eventually face the question:
"Can you prove what the model actually said?"
AELITIUM provides a deterministic, cryptographic evidence bundle that allows anyone to verify the output independently.
How it works
AI output (JSON)
↓
aelitium-ai pack ← deterministic SHA-256 hash + manifest
↓
evidence bundle ← canonical JSON + ai_manifest.json
↓
aelitium-ai verify ← STATUS=VALID / STATUS=INVALID
The bundle contains a canonicalized payload, a deterministic SHA-256 hash, and a manifest with schema, timestamp, and canonicalization method. Anyone with the bundle can verify its integrity — no network required.
5-minute demo
Pack an AI output into an evidence bundle:
aelitium-ai pack --input examples/ai_output_min.json --out ./evidence
# STATUS=OK rc=0
# AI_HASH_SHA256=8b647717b14ad030fe8a641a9dcd63202e70aca170071d96040908e8354ef842
Verify the bundle:
aelitium-ai verify --out ./evidence
# STATUS=VALID rc=0
# AI_HASH_SHA256=8b647717b14ad030fe8a641a9dcd63202e70aca170071d96040908e8354ef842
Detect tampering:
# modify anything in ./evidence/ai_canonical.json or ai_manifest.json, then:
aelitium-ai verify --out ./evidence
# STATUS=INVALID rc=2 reason=HASH_MISMATCH
All commands accept --json for structured output.
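The pack/verify flow described above, as an added sketch that is not AELITIUM's own code. The canonicalization rules (sorted keys, compact separators, UTF-8), the manifest keys, and every reason code other than HASH_MISMATCH are assumptions; the optional pinned-hash check goes beyond what the page describes and compares the bundle with a hash kept outside it.

```python
import hashlib
import json
import tempfile
from pathlib import Path

HASH_KEY = "ai_hash_sha256"  # hypothetical manifest key, not the project's schema

def canonicalize(obj) -> bytes:
    # Assumed canonical form: sorted keys, compact separators, UTF-8, no NaN.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False, allow_nan=False).encode("utf-8")

def pack(output, out_dir: Path) -> str:
    """Write canonical payload + manifest; return the SHA-256 hex digest."""
    payload = canonicalize(output)
    digest = hashlib.sha256(payload).hexdigest()
    out_dir.mkdir(parents=True, exist_ok=True)
    (out_dir / "ai_canonical.json").write_bytes(payload)
    manifest = {"canonicalization": "sorted-keys-compact-utf8", HASH_KEY: digest}
    (out_dir / "ai_manifest.json").write_bytes(canonicalize(manifest))
    return digest

def verify(out_dir: Path, pinned_hash=None):
    """Return (rc, reason). Fail closed: every error path returns rc=2."""
    try:
        payload = (out_dir / "ai_canonical.json").read_bytes()
        manifest = json.loads((out_dir / "ai_manifest.json").read_bytes())
        recorded = manifest[HASH_KEY]
        if canonicalize(json.loads(payload)) != payload:
            return 2, "NOT_CANONICAL"  # hypothetical reason code
    except (OSError, ValueError, KeyError, TypeError):
        return 2, "UNREADABLE"  # hypothetical reason code
    actual = hashlib.sha256(payload).hexdigest()
    if actual != recorded:
        return 2, "HASH_MISMATCH"
    # Optional: compare with a hash stored outside the bundle at pack time.
    if pinned_hash is not None and actual != pinned_hash:
        return 2, "PIN_MISMATCH"  # hypothetical reason code
    return 0, "VALID"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "evidence"
        # Constructed sample output, not the project's examples/ai_output_min.json.
        pinned = pack({"model": "example-model", "output": "limit=500"}, bundle)
        print(verify(bundle, pinned))  # untouched bundle
        edited = b'{"model":"example-model","output":"limit=5000"}'
        (bundle / "ai_canonical.json").write_bytes(edited)
        print(verify(bundle, pinned))  # payload edited after packing
```

A bare hash stored next to the payload only shows that the two files still agree with each other, which is why the sketch also accepts a hash recorded elsewhere.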
Quick start
git clone https://github.com/aelitium-dev/aelitium-v3.git
cd aelitium-v3
python3 -m venv .venv && source .venv/bin/activate
pip install -e .
aelitium-ai pack --input examples/ai_output_min.json --out ./evidence
aelitium-ai verify --out ./evidence
Or run without installing (from project root):
python3 -m engine.ai_cli pack --input examples/ai_output_min.json --out ./evidence
python3 -m engine.ai_cli verify --out ./evidence
Reproducibility
AELITIUM is designed to be deterministic. The same AI output always produces the same hash, on any machine.
Run the full reproducibility check from a clean environment:
bash scripts/verify_repro.sh
This script creates a fresh virtual environment, installs the project, runs the test suite, packs the example twice, and confirms the resulting hashes match.
=== RESULT: PASS ===
AI_HASH_SHA256=8b647717...
All tests also pass on two independent machines (A + B) with identical hashes.
CLI reference
aelitium-ai (P2 — AI integrity)
| Command | Description |
|---|---|
| `validate --input <file>` | Validate against ai_output_v1 schema |
| `canonicalize --input <file>` | Print deterministic hash |
| `pack --input <file> --out <dir>` | Generate canonical JSON + manifest |
| `verify --out <dir>` | Verify integrity of a pack output dir |
| `verify-receipt --receipt <file> --pubkey <file>` | Verify Ed25519 authority receipt offline |
Exit codes: 0 = success, 2 = failure. Designed for CI/CD pipelines.
Documentation
- Why AELITIUM — problem statement, positioning, and what this is for
- Architecture — canonicalization pipeline, evidence bundle, module map
- Security model — threats addressed, guarantees, limitations
- Trust boundary — what AELITIUM proves and what it does not
- 5-minute demo — full walkthrough with expected output
- Python integration — drop-in helper + FastAPI example
- Engine contract — bundle schema and guarantees
Design principles
- Deterministic — same input always produces the same hash, on any machine
- Offline-first — verification never requires network access
- Fail-closed — any verification error returns rc=2; no silent failures
- Auditable — every pack includes a manifest with schema, timestamp, and hash
- Pipeline-friendly — all output parseable (STATUS=, AI_HASH_SHA256=, --json)
Trust boundary
AELITIUM provides tamper-evidence, not truth guarantees.
What AELITIUM proves:
- the bundle contents have not changed since packing
- the canonicalized payload matches the recorded hash
What AELITIUM does not prove:
- that the model output was correct or safe
- that the system that packed the bundle was trustworthy
- that the model actually produced the output
Stronger provenance — signing authorities, hardware-backed keys — is the direction of P3. See TRUST_BOUNDARY.md for the full analysis.
License
Apache-2.0. See LICENSE.
File details
Details for the file aelitium-0.2.0.tar.gz.
File metadata
- Download URL: aelitium-0.2.0.tar.gz
- Upload date:
- Size: 20.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1daea582a661052ebac181bd5115d39a9f86b881beab7f9f7fa4a944ee5e1cc0 |
| MD5 | 52f7ab666bfa9adc8b11a1476eaba69f |
| BLAKE2b-256 | d382aac4daf4123b586ab3470a548f86520e3bd1974c9a00485625df95b343b7 |
File details
Details for the file aelitium-0.2.0-py3-none-any.whl.
File metadata
- Download URL: aelitium-0.2.0-py3-none-any.whl
- Upload date:
- Size: 16.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 0949bb909c77ba9f5778a3a55c76d0be6eaa2bdc01ee8ca91cf282564615a146 |
| MD5 | 63d5ada0c46c4f8797f905898ff74491 |
| BLAKE2b-256 | ee8820711da1d29ec892dd2b301f89a1a35823caf0b9a25e8bab2eee868526d2 |