26382a7ac6
CI / Test (macos-latest) (push) Waiting to run
CI / Test (ubuntu-latest) (push) Waiting to run
CI / Test (windows-latest) (push) Waiting to run
CI / Clippy (push) Waiting to run
CI / Build (no embeddings / no ORT) (push) Waiting to run
CI / Format (push) Waiting to run
CI / Cookbook (Node) (push) Waiting to run
CI / Pi Extension (Node) (push) Waiting to run
CI / Rust SDK (lean-ctx-client) (push) Waiting to run
CI / Embed SDK (lean-ctx-sdk) (push) Waiting to run
CI / Python SDK (leanctx) (push) Waiting to run
CI / Hermes Plugin (Python) (push) Waiting to run
CI / SDK Conformance Matrix (push) Waiting to run
CI / Coverage (push) Waiting to run
CI / cargo-deny (push) Waiting to run
CI / Adversarial Safety (push) Waiting to run
CodeQL / Analyze (javascript-typescript) (push) Waiting to run
JetBrains Plugin / Actionlint (push) Waiting to run
CI / Benchmarks (push) Waiting to run
CI / Output-Quality Gate (eval A/B) (push) Waiting to run
CI / Documentation (push) Waiting to run
CI / CI Green (push) Blocked by required conditions
CodeQL / Analyze (actions) (push) Waiting to run
CodeQL / Analyze (rust) (push) Waiting to run
JetBrains Plugin / Validation (push) Waiting to run
JetBrains Plugin / Build (push) Waiting to run
JetBrains Plugin / Test (push) Blocked by required conditions
Security Check / Security Scan (push) Waiting to run
leanctx-verify
Standalone offline verifier for LeanCTX evidence bundles
(evidence-bundle-v1). For auditors: no LeanCTX installation, no
network access, no trust in the audited system required.
leanctx-verify <bundle.zip> [--pubkey <hex ed25519 key>] [--json]
Five independent checks, each reported PASS/FAIL:
- archive + manifest well-formed
- every file matches its SHA-256 in the manifest (no additions/removals)
- audit hash chain replays from anchor to head (no edit/insert/delete/reorder)
- manifest Ed25519 signature verifies
- per-entry signatures verify
Exit code 0 = VALID, 1 = INVALID, 2 = usage error.
Without --pubkey the manifest's embedded key is used (self-attested
mode — proves internal consistency only). Auditors should obtain the
organisation's public key out-of-band; see
docs/enterprise/reading-evidence.md for the full auditor guide.
Design constraints
- Independent implementation. This crate shares no code with the
LeanCTX engine; it implements the published contract
(
docs/contracts/evidence-bundle-v1.md, OCP Part 4). A PASS therefore attests the specification, not "two copies of the same code agree". - Minimal dependencies (
ed25519-dalek,sha2,serde_json,zip), release binary statically stripped. - Mutation-tested. CI flips single bytes in every payload region,
truncates the chain and swaps keys — each must produce INVALID
(
tests/verify_bundle.rs).
Build
cargo build --release # → target/release/leanctx-verify