Metadata-Version: 2.4
Name: softquantus-verify
Version: 0.1.0
Summary: Offline, independent verifier for QCOS quantum evidence reports.
Project-URL: Homepage, https://platform.softquantus.com
Author: SoftQuantus innovative OÜ
License: MIT
License-File: LICENSE
Keywords: attestation,evidence,qcos,quantum,softquantus,verification
Requires-Python: >=3.9
Requires-Dist: cryptography>=41
Provides-Extra: dev
Requires-Dist: pytest>=8; extra == 'dev'
Description-Content-Type: text/markdown

# softquantus-verify

**Independently verify QCOS quantum evidence — offline, without trusting SoftQuantus.**

Every QCOS Bench report is content-hashed, identity-bound, and signed. This tool
recomputes those hashes from the published report and checks the signature, so a
regulator, auditor, or hardware vendor can confirm a result is authentic and
untampered **without contacting SoftQuantus and without the proprietary engine**.

That independence is the point: a trust claim you can only check by asking the
issuer is not a trust claim. This verifier is open source (MIT); the engine that
*produces* evidence stays proprietary.

## Install

```bash
pip install softquantus-verify
```

Only dependency: `cryptography`.

## CLI

```bash
# Verify hashes and signature
softquantus-verify report.json --public-key softquantus.pem

# Verify hashes only (no key)
softquantus-verify report.json

# Machine-readable output for CI
softquantus-verify report.json -k softquantus.pem --json
```

Exit code is `0` when valid, non-zero otherwise — safe to gate a pipeline on.

## Library

```python
import json
from softquantus_verify import verify_report

report = json.load(open("report.json"))
result = verify_report(report, public_key=open("softquantus.pem", "rb").read())

print(result.status)              # "valid" | "invalid" | "unsigned" | "error"
print(result.content_hash_valid)  # recomputed == published
print(result.evidence_hash_valid)
print(result.signature_valid)     # True / False / None (no key)
```

## What it checks

1. **`content_hash`** — recomputed from the technical content (results, metrics, versions).
2. **`evidence_hash`** — recomputed from the identity-bound content (the value that is signed).
3. **Signature** — Ed25519 over the canonical payload `evidence_hash|schema_version|ruleset_family`.

The exact rules are documented in [`../SPEC.md`](../SPEC.md) and are pinned to the
server by fixtures generated from the production code (`../fixtures`).

## License

MIT — see `LICENSE`.
