Skip to main content

Standalone offline verifier for AlgoVoi selective-disclosure audit bundles. Auditor-runnable, no AlgoVoi infrastructure trust required.

Project description

algovoi-audit-verifier

test License: MIT Python

Standalone reference verifier for AlgoVoi selective-disclosure audit bundles. Designed to run on an external auditor's machine without trusting AlgoVoi's infrastructure, transport, or any single attestation surface.


Two ways to verify

1. Hosted endpoint (zero install)

Live at verify.algovoi.co.uk. POST your bundle, get back a structured verification report. Stateless, no bundle is retained.

curl -X POST -H 'Content-Type: application/json' \
    --data-binary @your-bundle.json \
    https://verify.algovoi.co.uk/verify

Optional signature verification: pass the shared signing key in the X-Audit-Bundle-Key header.

Response is JSON with all_passed: bool, fatal: [...], and a checks: [...] array. HTTP 200 = all checks passed or optional-skipped; 422 = one or more checks failed; 400/413 = malformed or too-large request.

OpenAPI docs at verify.algovoi.co.uk/docs.

2. Offline (auditor's machine, no network round-trip)

pip install algovoi-audit-verifier

# Generate a synthetic signed bundle (no real bundle needed)
algovoi-verify-demo > demo_bundle.json   # or: python demo_audit_bundle.py

# Verify it
algovoi-verify demo_bundle.json \
    --signing-key 'demo-key-not-for-production-use'

Or run the HTTP server locally (same code path as verify.algovoi.co.uk):

pip install 'algovoi-audit-verifier[server]'
algovoi-verify-server
# POST bundles to http://localhost:8000/verify

Expected output ends with Verdict: PASS. If you don't see that, your rfc8785 install is wrong or you're on Python < 3.10 — fix that before trusting any verdict on a real bundle from AlgoVoi.


What this is for

When AlgoVoi compliance hands you a JSON bundle in response to a selective-disclosure request, this script lets you confirm — locally and offline — that the bundle's claims are tamper-evident, internally consistent, and were genuinely emitted by AlgoVoi.

Eight independent attestation surfaces:

# Check What it detects
1 per_row_content_hash Per-row tamper of any disclosed field
2 continuity Fabricated gap, reorder, or row deletion
3 selection_criteria_match Substantive misrepresentation (returned rows don't match the filter)
4 bundle_signature Bundle modified after signing, OR wrong signing key
5 off_vm_anchor Mismatch between bundle's claim and Object-Locked manifest
6 aggregate.same_chain Multiple bundles span different chains (operator error)
7 aggregate.overlap_consistency Same chain row disclosed differently to different audiences
8 aggregate.monotonic_head Write-once chain regressed (never legitimate)

See AUDITOR-RUNBOOK.md for the full verification recipe, examples, and failure-mode guide.


Repository layout

.
├── verify_audit_bundle.py      Reference verifier CLI
├── demo_audit_bundle.py         Synthetic bundle generator (toolchain smoke test)
├── audit-bundle.schema.json     Formal JSON Schema 2020-12 for the bundle envelope
├── AUDITOR-RUNBOOK.md          Full auditor-facing runbook
├── tests/                       pytest suite (56 cases, exercises all 4 chains end-to-end)
└── README.md                    This file

Install + run from source

git clone https://github.com/chopmob-cloud/algovoi-audit-verifier
cd algovoi-audit-verifier
pip install rfc8785

# Optional: also install jsonschema for structural pre-flight
pip install jsonschema

# Optional: install pytest if you want to run the test suite
pip install pytest pytest-asyncio
pytest tests/   # 56 tests, ~1 second

The verifier itself is pure Python stdlib + rfc8785 (RFC 8785 JSON Canonicalization). Nothing else is required.


Trust model

The verifier deliberately does NOT depend on:

  • Network access (works air-gapped)
  • AlgoVoi infrastructure (no API calls)
  • AWS credentials (the off-VM anchor cross-check works against locally-downloaded manifest files; the script also emits the recommended aws s3api head-object command for you to run separately if you have bucket-read access)
  • Any AlgoVoi codebase imports

This means: if you can pip install rfc8785 and run a Python script, you can verify a bundle without contacting AlgoVoi at all. The whole verification recipe is reproducible in any language; this script is one reference implementation. Ports to Go / TypeScript / Rust are welcome — the audit-bundle.schema.json is the machine-readable source of truth for the envelope format.


Supported bundle versions

chain_format_version Status Verifier handles
1 current yes
2+ reserved for future breaking changes no — verifier fails fatally with "pull a fresh verifier"

If you encounter a bundle whose version this verifier doesn't recognise, pull the latest from this repo. If the latest still fails, escalate to AlgoVoi compliance.


Conformance to the canonicalisation discipline

This verifier consumes receipts pinned to canon_version: jcs-rfc8785-v1 (or jcs-rfc8785-v2 under the strictly-additive PQC-aware discipline). The pin selects which canonicalisation rule the verifier applies at receipt-bytes verification time. A receipt without a recognised canon_version pin is treated as opaque; the verifier fails closed rather than guessing the rule.

The substrate discipline is defined at docs.algovoi.co.uk/canonicalisation-substrate (v1) and docs.algovoi.co.uk/canonicalisation-substrate-v2 (v2, PQC-aware additive successor).

Substrate adopters

AlgoVoi is recorded in the Substrate Adopters Registry as the substrate author. Parties anchoring their own services or specifications to canon_version: jcs-rfc8785-v1 (or v2) are recorded in the registry via the submission process. AlgoVoi validates submissions against the artefact's canonical bytes and adds qualifying entries.


License

MIT — see LICENSE.


Reporting issues

Open an issue on this repo for verifier bugs, schema clarifications, or auditor-facing documentation gaps. For questions about specific bundles you've received, contact AlgoVoi compliance directly.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

algovoi_audit_verifier-0.1.1.tar.gz (31.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

algovoi_audit_verifier-0.1.1-py3-none-any.whl (22.8 kB view details)

Uploaded Python 3

File details

Details for the file algovoi_audit_verifier-0.1.1.tar.gz.

File metadata

  • Download URL: algovoi_audit_verifier-0.1.1.tar.gz
  • Upload date:
  • Size: 31.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for algovoi_audit_verifier-0.1.1.tar.gz
Algorithm Hash digest
SHA256 08220eacf6ab0f96afba552c092dd673775eea8fd4d8ecef868b191bb13c703f
MD5 372041f8f24c539771853e6d9da3813a
BLAKE2b-256 063fa0ee19ae570a78ca44e1d1cb31689c0e001c0ad1c49dc31cc321dd911cfc

See more details on using hashes here.

File details

Details for the file algovoi_audit_verifier-0.1.1-py3-none-any.whl.

File metadata

File hashes

Hashes for algovoi_audit_verifier-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 8912673c38d2e629acd080f0bdc7194b7c06533f52f9e2d48ffc61c083aca2d5
MD5 6481d6ac5ab3c0b30301b4c47bf7dad8
BLAKE2b-256 f85d77d35a8335c0ecc2c6a19cc4af848a620b06164f60a802545ea250f0aed2

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page