Standalone, dependency-light verifier for CloakLLM audit artifacts -- verify hash chains, Ed25519 signatures, key provenance, RFC 3161 timestamps, and compliance reports WITHOUT the full SDK or trusting CloakLLM's code.
Project description
cloakllm-verifier
Independently verify CloakLLM audit artifacts — without the PII-detection stack, and without trusting CloakLLM's code.
CloakLLM's whole pitch is compliance you can verify, not compliance you're asked to believe. This is the tool that makes that literal: an auditor, regulator, or CI pipeline installs cloakllm-verifier and checks the artifacts themselves.
It reuses CloakLLM's own verification code (single source of truth — no reimplementation, no drift) but pulls only the cryptography extras — no spaCy, no NLP models. A lean install for people who need to check, not produce.
pip install cloakllm-verifier # Python; crypto deps only, no spaCy
npm install cloakllm-verifier # JavaScript; zero deps beyond cloakllm (see js/README.md)
This repo ships two packages from one source of truth: the Python package at the root and the JavaScript package under js/. Both expose the same CLI (cloakllm-verify) and the same checks, with byte-comparable --json output.
CLI
cloakllm-verify audit ./cloakllm_audit # hash-chain integrity
cloakllm-verify timestamp ./cloakllm_audit # offline RFC 3161 checkpoint tokens
cloakllm-verify keys cert.json --manifest m.json # KeyManifest provenance + revocation
cloakllm-verify report report.json ./cloakllm_audit # re-validate a compliance report
cloakllm-verify all ./cloakllm_audit # everything, one exit code
cloakllm-verify audit ./cloakllm_audit --json # machine-readable (CI)
Exit code 0 = verified, 1 = failed/invalid. Output is ASCII-only.
Python API
from cloakllm_verifier import verify_audit, verify_timestamps, verify_all
r = verify_all("./cloakllm_audit")
assert r["ok"], r # {ok, audit: {...}, timestamps: {...}}
What it checks
- Hash-chain integrity — recomputes every SHA-256 link from the canonical JSON; any tampered, reordered, deleted, or relinked entry fails.
- RFC 3161 trusted timestamps — offline-verifies every chain_checkpoint token (proving the chain existed no later than the TSA's time); reports the earliest provable time.
- KeyManifest provenance + revocation — verifies a signed certificate against its published KeyManifest (signature, key-id binding, validity window, manifest-hash integrity, offline-root signature when claimed) and checks it against a root-signed RevocationList.
- Compliance-report re-validation — independently re-verifies the audit chain a report describes and rejects any report that claims a verified chain or a COMPLIANT verdict over a log that does not actually verify. It does not trust the report's own claims.
What a passing result does — and does NOT — prove
Be precise about the guarantees (an auditor needs to know the edges):
- audit proves integrity + internal consistency of the entries present — every SHA-256 link recomputes and chains cleanly. It does not prove:
  - Completeness. A hash chain is anchored at its genesis, not its head, so removing entries from the end (tail truncation) leaves a still-valid prefix. Detecting truncation needs an external head anchor — an RFC 3161 checkpoint over the final entry_hash (timestamp), which binds "the chain was at least this long at time T".
  - Authenticity. The chain is a keyless SHA-256 construction: anyone who can write the log can recompute a self-consistent one. Authenticity comes from the Ed25519 attestation (keys) — a signed certificate whose key provenance you verify against a published KeyManifest.
- keys without --manifest only checks the certificate's signature against the key embedded in the certificate — it does not establish who owns that key. Pass --manifest for real provenance; the CLI marks signature-only results UNVERIFIED, not "verified".
- report re-verifies the chain and checks the report's claims for internal consistency against it; it is not a cryptographic binding of that exact report to that exact log beyond an entry-count sanity check.
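The completeness and authenticity limits of the audit check, shown on a toy chain. This is an added example, not CloakLLM's code: the entry layout, the prev_hash field, the all-zero genesis value and the canonical-JSON stand-in are assumptions, and anchored_head stands for an entry_hash covered by an external checkpoint.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed genesis value, not CloakLLM's

def canonical(obj):
    # Sorted keys, no whitespace: a stand-in for the real canonical JSON.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def link_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(canonical(body)).hexdigest()

def build_chain(events):
    chain, prev = [], GENESIS
    for seq, event in enumerate(events):
        entry = {"seq": seq, "event": event, "prev_hash": prev}
        entry["entry_hash"] = link_hash(entry)
        chain.append(entry)
        prev = entry["entry_hash"]
    return chain

def verify_chain(chain):
    # Keyless check: every link recomputes and points at its predecessor.
    prev = GENESIS
    for entry in chain:
        if entry["prev_hash"] != prev or entry["entry_hash"] != link_hash(entry):
            return False
        prev = entry["entry_hash"]
    return True

def verify_with_head_anchor(chain, anchored_head):
    # The chain must verify AND still contain the externally anchored hash.
    return verify_chain(chain) and anchored_head in {e["entry_hash"] for e in chain}

def demo():
    events = ["sanitize", "desanitize", "sanitize", "export"]  # constructed
    chain = build_chain(events)
    head = chain[-1]["entry_hash"]
    edited = [dict(e) for e in chain]
    edited[1]["event"] = "noop"        # in-place edit breaks a link
    truncated = chain[:-2]             # tail removed, prefix intact
    rebuilt = build_chain(events[:2])  # recomputed by whoever can write the log
    return {
        "intact": verify_chain(chain), "edited": verify_chain(edited),
        "truncated": verify_chain(truncated), "rebuilt": verify_chain(rebuilt),
        "truncated_anchored": verify_with_head_anchor(truncated, head),
        "intact_anchored": verify_with_head_anchor(chain, head),
    }
```

Only the in-place edit fails the keyless check; the truncated and rebuilt chains pass it, and the truncated one is rejected once the anchored head hash is required.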
Known limitation: cross-SDK whole-number floats
A hashed floating-point field that happens to be a whole number (e.g. a timing metric of exactly 0.0 or 5.0) serializes as 5.0 in Python but 5 in JavaScript, so a chain written by one SDK can be reported as tampered by the other SDK's verifier. This is a false-negative that fails safe (a genuine chain is flagged for investigation; a forged chain never passes), it is intermittent, and it predates this package. A proper fix is an RFC 8785-style number-canonicalization migration (a hash-semantics change, tracked for a future release). Workaround today: verify a chain with the same-language verifier that produced it.
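The whole-number float mismatch, reproduced from the Python side. This is an added example, not CloakLLM's code: the field names and entries are constructed, the JS_* strings are what JSON.stringify emits for the same values, and normalize_numbers is a simplified RFC 8785-style rule covering only whole-number floats.

```python
import hashlib
import json

def py_canonical(obj):
    # Python side: sorted keys, no whitespace (stand-in for the real canonical form).
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))

def normalize_numbers(obj):
    # A whole-number float inside the exactly representable integer range is
    # emitted in integer form, which is how JavaScript serializes it.
    if isinstance(obj, float) and obj.is_integer() and abs(obj) < 2 ** 53:
        return int(obj)
    if isinstance(obj, dict):
        return {k: normalize_numbers(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [normalize_numbers(v) for v in obj]
    return obj

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def compare(entry, js_text):
    """Return (raw_match, normalized_match) against the JavaScript-side bytes."""
    js_hash = sha256_hex(js_text)
    raw = sha256_hex(py_canonical(entry)) == js_hash
    fixed = sha256_hex(py_canonical(normalize_numbers(entry))) == js_hash
    return raw, fixed

# Constructed sample entries and their JavaScript serializations.
WHOLE = {"entity_count": 2, "latency_ms": 5.0}
JS_WHOLE = '{"entity_count":2,"latency_ms":5}'
FRACTIONAL = {"entity_count": 2, "latency_ms": 5.25}
JS_FRACTIONAL = '{"entity_count":2,"latency_ms":5.25}'

if __name__ == "__main__":
    print(compare(WHOLE, JS_WHOLE))            # mismatch until normalized
    print(compare(FRACTIONAL, JS_FRACTIONAL))  # fractional values already agree
```

Normalizing changes the bytes that get hashed, so chains written before such a change would need their hashes handled under the old rule.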
Why a separate package
So an auditor's install is minimal and its purpose is unambiguous — it's a verifier, not the PII middleware. The verification logic lives in cloakllm (reused here), so the two can never drift.
MIT · part of CloakLLM
File details
Details for the file cloakllm_verifier-0.12.0.tar.gz.
File metadata
- Download URL: cloakllm_verifier-0.12.0.tar.gz
- Upload date:
- Size: 16.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 688917d2a6a5fb0583525cee0a90db3c61f3057082d18b0b3aeff717bbe60ec4 |
| MD5 | 3328b81e3a6316999480e90997754eb1 |
| BLAKE2b-256 | fc590d6294c5d35d4f2a6d883cdddbf521d0578e1eb06b35343698ee2eb6b3e7 |
Provenance
The following attestation bundles were made for cloakllm_verifier-0.12.0.tar.gz:
Publisher: publish.yml on cloakllm/cloakllm-verifier
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: cloakllm_verifier-0.12.0.tar.gz
- Subject digest: 688917d2a6a5fb0583525cee0a90db3c61f3057082d18b0b3aeff717bbe60ec4
- Sigstore transparency entry: 2044771316
- Sigstore integration time:
- Permalink: cloakllm/cloakllm-verifier@401d3420be5863eac98cfeda8185c4f3576c7d34
- Branch / Tag: refs/tags/v0.12.0
- Owner: https://github.com/cloakllm
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@401d3420be5863eac98cfeda8185c4f3576c7d34
- Trigger Event: push
File details
Details for the file cloakllm_verifier-0.12.0-py3-none-any.whl.
File metadata
- Download URL: cloakllm_verifier-0.12.0-py3-none-any.whl
- Upload date:
- Size: 12.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 2ca4fcd92a1a75629082bd5f9a082d1f9eea5edff0630ad601e0ee879e91a589 |
| MD5 | 57f442d513cbee84e3e37714c449754a |
| BLAKE2b-256 | a88840af14a437a71e36c9f7226c178316fe841dd431a2af00bf742ad51fa49d |
Provenance
The following attestation bundles were made for cloakllm_verifier-0.12.0-py3-none-any.whl:
Publisher: publish.yml on cloakllm/cloakllm-verifier
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: cloakllm_verifier-0.12.0-py3-none-any.whl
- Subject digest: 2ca4fcd92a1a75629082bd5f9a082d1f9eea5edff0630ad601e0ee879e91a589
- Sigstore transparency entry: 2044771384
- Sigstore integration time:
- Permalink: cloakllm/cloakllm-verifier@401d3420be5863eac98cfeda8185c4f3576c7d34
- Branch / Tag: refs/tags/v0.12.0
- Owner: https://github.com/cloakllm
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@401d3420be5863eac98cfeda8185c4f3576c7d34
- Trigger Event: push