Skip to main content

Standalone offline verifier for AlgoVoi selective-disclosure audit bundles. Auditor-runnable, no AlgoVoi infrastructure trust required.

Project description

algovoi-audit-verifier

test License: Apache 2.0 Python

Standalone reference verifier for AlgoVoi selective-disclosure audit bundles. Designed to run on an external auditor's machine without trusting AlgoVoi's infrastructure, transport, or any single attestation surface.


Two ways to verify

1. Hosted endpoint (zero install)

Live at verify.algovoi.co.uk. POST your bundle, get back a structured verification report. Stateless, no bundle is retained.

curl -X POST -H 'Content-Type: application/json' \
    --data-binary @your-bundle.json \
    https://verify.algovoi.co.uk/verify

Optional signature verification: pass the shared signing key in the X-Audit-Bundle-Key header.

Response is JSON with all_passed: bool, fatal: [...], and a checks: [...] array. HTTP 200 = all checks passed or optional-skipped; 422 = one or more checks failed; 400/413 = malformed or too-large request.

OpenAPI docs at verify.algovoi.co.uk/docs.

2. Offline (auditor's machine, no network round-trip)

pip install algovoi-audit-verifier

# Generate a synthetic signed bundle (no real bundle needed)
algovoi-verify-demo > demo_bundle.json   # or: python demo_audit_bundle.py

# Verify it
algovoi-verify demo_bundle.json \
    --signing-key 'demo-key-not-for-production-use'

Or run the HTTP server locally (same code path as verify.algovoi.co.uk):

pip install 'algovoi-audit-verifier[server]'
algovoi-verify-server
# POST bundles to http://localhost:8000/verify

Expected output ends with Verdict: PASS. If you don't see that, your rfc8785 install is wrong or you're on Python < 3.10 — fix that before trusting any verdict on a real bundle from AlgoVoi.


What this is for

When AlgoVoi compliance hands you a JSON bundle in response to a selective-disclosure request, this script lets you confirm — locally and offline — that the bundle's claims are tamper-evident, internally consistent, and were genuinely emitted by AlgoVoi.

Eight independent attestation surfaces:

# Check What it detects
1 per_row_content_hash Per-row tamper of any disclosed field
2 continuity Fabricated gap, reorder, or row deletion
3 selection_criteria_match Substantive misrepresentation (returned rows don't match the filter)
4 bundle_signature Bundle modified after signing, OR wrong signing key
5 off_vm_anchor Mismatch between bundle's claim and Object-Locked manifest
6 aggregate.same_chain Multiple bundles span different chains (operator error)
7 aggregate.overlap_consistency Same chain row disclosed differently to different audiences
8 aggregate.monotonic_head Write-once chain regressed (never legitimate)

See AUDITOR-RUNBOOK.md for the full verification recipe, examples, and failure-mode guide.


Repository layout

.
├── verify_audit_bundle.py      Reference verifier CLI
├── demo_audit_bundle.py         Synthetic bundle generator (toolchain smoke test)
├── audit-bundle.schema.json     Formal JSON Schema 2020-12 for the bundle envelope
├── AUDITOR-RUNBOOK.md          Full auditor-facing runbook
├── tests/                       pytest suite (56 cases, exercises all 4 chains end-to-end)
└── README.md                    This file

Install + run from source

git clone https://github.com/chopmob-cloud/algovoi-audit-verifier
cd algovoi-audit-verifier
pip install rfc8785

# Optional: also install jsonschema for structural pre-flight
pip install jsonschema

# Optional: install pytest if you want to run the test suite
pip install pytest pytest-asyncio
pytest tests/   # 56 tests, ~1 second

The verifier itself is pure Python stdlib + rfc8785 (RFC 8785 JSON Canonicalization). Nothing else is required.


Trust model

The verifier deliberately does NOT depend on:

  • Network access (works air-gapped)
  • AlgoVoi infrastructure (no API calls)
  • AWS credentials (the off-VM anchor cross-check works against locally-downloaded manifest files; the script also emits the recommended aws s3api head-object command for you to run separately if you have bucket-read access)
  • Any AlgoVoi codebase imports

This means: if you can pip install rfc8785 and run a Python script, you can verify a bundle without contacting AlgoVoi at all. The whole verification recipe is reproducible in any language; this script is one reference implementation. Ports to Go / TypeScript / Rust are welcome — the audit-bundle.schema.json is the machine-readable source of truth for the envelope format.


Supported bundle versions

chain_format_version Status Verifier handles
1 current yes
2+ reserved for future breaking changes no — verifier fails fatally with "pull a fresh verifier"

If you encounter a bundle whose version this verifier doesn't recognise, pull the latest from this repo. If the latest still fails, escalate to AlgoVoi compliance.


Conformance to the canonicalisation discipline

This verifier consumes receipts pinned to canon_version: jcs-rfc8785-v1 (or jcs-rfc8785-v2 under the strictly-additive PQC-aware discipline). The pin selects which canonicalisation rule the verifier applies at receipt-bytes verification time. A receipt without a recognised canon_version pin is treated as opaque; the verifier fails closed rather than guessing the rule.

The substrate discipline is defined at docs.algovoi.co.uk/canonicalisation-substrate (v1) and docs.algovoi.co.uk/canonicalisation-substrate-v2 (v2, PQC-aware additive successor).

Substrate adopters

AlgoVoi is recorded in the Substrate Adopters Registry as the substrate author. Parties anchoring their own services or specifications to canon_version: jcs-rfc8785-v1 (or v2) are recorded in the registry via the submission process. AlgoVoi validates submissions against the artefact's canonical bytes and adds qualifying entries.


License

Apache 2.0. See LICENSE.


Reporting issues

Open an issue on this repo for verifier bugs, schema clarifications, or auditor-facing documentation gaps. For questions about specific bundles you've received, contact AlgoVoi compliance directly.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

algovoi_audit_verifier-0.1.2.tar.gz (34.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

algovoi_audit_verifier-0.1.2-py3-none-any.whl (26.1 kB view details)

Uploaded Python 3

File details

Details for the file algovoi_audit_verifier-0.1.2.tar.gz.

File metadata

  • Download URL: algovoi_audit_verifier-0.1.2.tar.gz
  • Upload date:
  • Size: 34.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for algovoi_audit_verifier-0.1.2.tar.gz
Algorithm Hash digest
SHA256 23990b757f4294b2a8411118728cca7d901025772419dfa46f8272f1e5d1cb24
MD5 a3d9446264c90451160f1fb8c1d041c0
BLAKE2b-256 11f99eb311500ad20f8dcafa0053350fb3537e35f3e67f105c708c9465d5b1a2

See more details on using hashes here.

File details

Details for the file algovoi_audit_verifier-0.1.2-py3-none-any.whl.

File metadata

File hashes

Hashes for algovoi_audit_verifier-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 c1d9733eaa75d82a79fab371a8e5203be47af17edd9bea5fc5122f6572935a55
MD5 af347fa125632005ea63ddc2c0b22a12
BLAKE2b-256 eda65c7bec1f2444c228ed62f1f23dd653b57e2f4addf8b49ebb559aac782758

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page