Standalone, dependency-light verifier for CloakLLM audit artifacts -- verify hash chains, Ed25519 signatures, key provenance, RFC 3161 timestamps, and compliance reports WITHOUT the full SDK or trusting CloakLLM's code.

Project description

cloakllm-verifier

Independently verify CloakLLM audit artifacts — without the PII-detection stack, and without trusting CloakLLM's code.

CloakLLM's whole pitch is compliance you can verify, not compliance you're asked to believe. This is the tool that makes that literal: an auditor, regulator, or CI pipeline installs cloakllm-verifier and checks the artifacts themselves.

It reuses CloakLLM's own verification code (single source of truth — no reimplementation, no drift) but pulls only the cryptography extras — no spaCy, no NLP models. A lean install for people who need to check, not produce.

pip install cloakllm-verifier      # Python; crypto deps only, no spaCy
npm install cloakllm-verifier      # JavaScript; zero deps beyond cloakllm (see js/README.md)

This repo ships two packages from one source of truth: the Python package at the root and the JavaScript package under js/. Both expose the same CLI (cloakllm-verify) and the same checks, with byte-comparable --json output.

CLI

cloakllm-verify audit      ./cloakllm_audit                 # hash-chain integrity
cloakllm-verify timestamp  ./cloakllm_audit                 # offline RFC 3161 checkpoint tokens
cloakllm-verify keys       cert.json --manifest m.json      # KeyManifest provenance + revocation
cloakllm-verify report     report.json ./cloakllm_audit     # re-validate a compliance report
cloakllm-verify all        ./cloakllm_audit                 # everything, one exit code
cloakllm-verify audit ./cloakllm_audit --json               # machine-readable (CI)

Exit code 0 = verified, 1 = failed/invalid. Output is ASCII-only.

Python API

from cloakllm_verifier import verify_audit, verify_timestamps, verify_all

r = verify_all("./cloakllm_audit")
assert r["ok"], r          # {ok, audit: {...}, timestamps: {...}}

What it checks

  • Hash-chain integrity — recomputes every SHA-256 link from the canonical JSON; any tampered, reordered, deleted, or relinked entry fails.
  • RFC 3161 trusted timestamps — offline-verifies every chain_checkpoint token (proving the chain existed no later than the TSA's time); reports the earliest provable time.
  • KeyManifest provenance + revocation — verifies a signed certificate against its published KeyManifest (signature, key-id binding, validity window, manifest-hash integrity, offline-root signature when claimed) and checks it against a root-signed RevocationList.
  • Compliance-report re-validation — independently re-verifies the audit chain a report describes and rejects any report that claims a verified chain or a COMPLIANT verdict over a log that does not actually verify. It does not trust the report's own claims.

What a passing result does — and does NOT — prove

Be precise about the guarantees (an auditor needs to know the edges):

  • audit proves integrity + internal consistency of the entries present — every SHA-256 link recomputes and chains cleanly. It does not prove:
    • Completeness. A hash chain is anchored at its genesis, not its head, so removing entries from the end (tail truncation) leaves a still-valid prefix. Detecting truncation needs an external head anchor — an RFC 3161 checkpoint over the final entry_hash (timestamp), which binds "the chain was at least this long at time T".
    • Authenticity. The chain is a keyless SHA-256 construction: anyone who can write the log can recompute a self-consistent one. Authenticity comes from the Ed25519 attestation (keys) — a signed certificate whose key provenance you verify against a published KeyManifest.
  • keys without --manifest only checks the certificate's signature against the key embedded in the certificate — it does not establish who owns that key. Pass --manifest for real provenance; the CLI marks signature-only results UNVERIFIED, not "verified".
  • report re-verifies the chain and checks the report's claims for internal consistency against it; it is not a cryptographic binding of that exact report to that exact log beyond an entry-count sanity check.
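The limits listed above, shown on a toy chain. This is an added example, not CloakLLM's code or entry format: the field names seq, event and prev_hash, the all-zero genesis value and the canonical JSON form are assumptions, and the stored head hash stands in for the value an RFC 3161 checkpoint would bind.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed genesis value for this sketch


def _digest(body):
    # Assumed canonical form: sorted keys, compact separators.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def build_chain(events):
    chain, prev = [], GENESIS
    for seq, event in enumerate(events):
        body = {"seq": seq, "event": event, "prev_hash": prev}
        prev = _digest(body)
        chain.append({**body, "entry_hash": prev})
    return chain


def verify_chain(chain):
    """Integrity only: every link recomputes and points at its predecessor."""
    prev = GENESIS
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def covers_anchor(chain, anchored_head):
    """Completeness check against a head hash held outside the log."""
    return verify_chain(chain) and any(
        e["entry_hash"] == anchored_head for e in chain)


# Constructed sample log and the cases the text distinguishes.
full = build_chain(["sanitize", "desanitize", "sanitize", "export"])
anchor = full[-1]["entry_hash"]      # value a checkpoint would have bound
truncated = full[:2]                 # tail removed: still a valid prefix
rewritten = build_chain(["sanitize", "desanitize", "sanitize", "noop"])
edited = [dict(e) for e in full]
edited[1]["event"] = "noop"          # edit without relinking: chain breaks
```

The truncated and rewritten logs both pass verify_chain and both fail covers_anchor, which is why a chain-only pass needs the timestamp and keys checks beside it.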

Known limitation: cross-SDK whole-number floats

A hashed floating-point field that happens to be a whole number (e.g. a timing metric of exactly 0.0 or 5.0) serializes as 5.0 in Python but 5 in JavaScript, so a chain written by one SDK can be reported as tampered by the other SDK's verifier. This is a false negative that fails safe (a genuine chain is flagged for investigation; a forged chain never passes). It is intermittent, and it predates this package. A proper fix is an RFC 8785-style number-canonicalization migration (a hash-semantics change, tracked for a future release). Workaround today: verify a chain with the same-language verifier that produced it.
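A triage helper for this limitation, as an added example that is not part of cloakllm-verifier: it lists the whole-number float fields in an entry and reports whether the two number spellings would hash it differently. The entry fields and canonical form are assumptions, and the JavaScript emulation covers only the 5.0 versus 5 case described above, not full RFC 8785 number serialization.

```python
import hashlib
import json


def whole_number_float_paths(value, path="$"):
    """Return JSON paths of float fields whose value is a whole number."""
    if isinstance(value, float) and value.is_integer():
        return [path]
    if isinstance(value, dict):
        return [p for k, v in value.items()
                for p in whole_number_float_paths(v, f"{path}.{k}")]
    if isinstance(value, list):
        return [p for i, v in enumerate(value)
                for p in whole_number_float_paths(v, f"{path}[{i}]")]
    return []


def _as_js_numbers(value):
    # Emulates only the case from the text: JavaScript prints 5.0 as 5.
    # Magnitudes large enough for exponent notation are out of scope.
    if isinstance(value, float) and value.is_integer():
        return int(value)
    if isinstance(value, dict):
        return {k: _as_js_numbers(v) for k, v in value.items()}
    if isinstance(value, list):
        return [_as_js_numbers(v) for v in value]
    return value


def entry_hash(entry, js_numbers=False):
    body = _as_js_numbers(entry) if js_numbers else entry
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def serialization_mismatch(entry):
    """True when the two number spellings hash this entry differently."""
    return entry_hash(entry) != entry_hash(entry, js_numbers=True)


# Constructed entries; field names are hypothetical.
risky = {"seq": 7, "latency_ms": 5.0, "scores": [0.25, 1.0]}
safe = {"seq": 8, "latency_ms": 5.25, "scores": [0.25]}
```

When a cross-SDK run reports tampering, an entry for which serialization_mismatch is true is a candidate for this known limitation and should be re-verified with the same-language verifier before it is treated as evidence of modification.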

Why a separate package

So an auditor's install is minimal and its purpose is unambiguous — it's a verifier, not the PII middleware. The verification logic lives in cloakllm (reused here), so the two can never drift.

MIT · part of CloakLLM

Download files

Source Distribution

cloakllm_verifier-0.12.0.tar.gz (16.5 kB)

Uploaded Source

Built Distribution

cloakllm_verifier-0.12.0-py3-none-any.whl (12.6 kB)

Uploaded Python 3

File details

Details for the file cloakllm_verifier-0.12.0.tar.gz.

File metadata

  • Download URL: cloakllm_verifier-0.12.0.tar.gz
  • Upload date:
  • Size: 16.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for cloakllm_verifier-0.12.0.tar.gz
Algorithm Hash digest
SHA256 688917d2a6a5fb0583525cee0a90db3c61f3057082d18b0b3aeff717bbe60ec4
MD5 3328b81e3a6316999480e90997754eb1
BLAKE2b-256 fc590d6294c5d35d4f2a6d883cdddbf521d0578e1eb06b35343698ee2eb6b3e7

Provenance

The following attestation bundles were made for cloakllm_verifier-0.12.0.tar.gz:

Publisher: publish.yml on cloakllm/cloakllm-verifier

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cloakllm_verifier-0.12.0-py3-none-any.whl.

File hashes

Hashes for cloakllm_verifier-0.12.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2ca4fcd92a1a75629082bd5f9a082d1f9eea5edff0630ad601e0ee879e91a589
MD5 57f442d513cbee84e3e37714c449754a
BLAKE2b-256 a88840af14a437a71e36c9f7226c178316fe841dd431a2af00bf742ad51fa49d

Provenance

The following attestation bundles were made for cloakllm_verifier-0.12.0-py3-none-any.whl:

Publisher: publish.yml on cloakllm/cloakllm-verifier

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
