Files
wehub-resource-sync 26382a7ac6
CI / Test (macos-latest) (push) Waiting to run
CI / Test (ubuntu-latest) (push) Waiting to run
CI / Test (windows-latest) (push) Waiting to run
CI / Clippy (push) Waiting to run
CI / Build (no embeddings / no ORT) (push) Waiting to run
CI / Format (push) Waiting to run
CI / Cookbook (Node) (push) Waiting to run
CI / Pi Extension (Node) (push) Waiting to run
CI / Rust SDK (lean-ctx-client) (push) Waiting to run
CI / Embed SDK (lean-ctx-sdk) (push) Waiting to run
CI / Python SDK (leanctx) (push) Waiting to run
CI / Hermes Plugin (Python) (push) Waiting to run
CI / SDK Conformance Matrix (push) Waiting to run
CI / Coverage (push) Waiting to run
CI / cargo-deny (push) Waiting to run
CI / Adversarial Safety (push) Waiting to run
CodeQL / Analyze (javascript-typescript) (push) Waiting to run
JetBrains Plugin / Actionlint (push) Waiting to run
CI / Benchmarks (push) Waiting to run
CI / Output-Quality Gate (eval A/B) (push) Waiting to run
CI / Documentation (push) Waiting to run
CI / CI Green (push) Blocked by required conditions
CodeQL / Analyze (actions) (push) Waiting to run
CodeQL / Analyze (rust) (push) Waiting to run
JetBrains Plugin / Validation (push) Waiting to run
JetBrains Plugin / Build (push) Waiting to run
JetBrains Plugin / Test (push) Blocked by required conditions
Security Check / Security Scan (push) Waiting to run
chore: import upstream snapshot with attribution
2026-07-13 12:35:30 +08:00
..

leanctx-verify

Standalone offline verifier for LeanCTX evidence bundles (evidence-bundle-v1). For auditors: no LeanCTX installation, no network access, no trust in the audited system required.

leanctx-verify <bundle.zip> [--pubkey <hex ed25519 key>] [--json]

Five independent checks, each reported PASS/FAIL:

  1. archive + manifest well-formed
  2. every file matches its SHA-256 in the manifest (no additions/removals)
  3. audit hash chain replays from anchor to head (no edit/insert/delete/reorder)
  4. manifest Ed25519 signature verifies
  5. per-entry signatures verify

Exit code 0 = VALID, 1 = INVALID, 2 = usage error.

Without --pubkey the manifest's embedded key is used (self-attested mode — proves internal consistency only). Auditors should obtain the organisation's public key out-of-band; see docs/enterprise/reading-evidence.md for the full auditor guide.

Design constraints

  • Independent implementation. This crate shares no code with the LeanCTX engine; it implements the published contract (docs/contracts/evidence-bundle-v1.md, OCP Part 4). A PASS therefore attests the specification, not "two copies of the same code agree".
  • Minimal dependencies (ed25519-dalek, sha2, serde_json, zip), release binary statically stripped.
  • Mutation-tested. CI flips single bytes in every payload region, truncates the chain and swaps keys — each must produce INVALID (tests/verify_bundle.rs).

Build

cargo build --release   # → target/release/leanctx-verify