Metadata-Version: 2.4
Name: algovoi-validate
Version: 0.1.1
Summary: Offline, dependency-light validator for AlgoVoi signed compliance evidence — auto-detects signed receipts, signed-chain streams, and evidence packs. Falcon-1024 / RFC 8785 (JCS), public key only. No AlgoVoi code, no service, no secret.
Author-email: AlgoVoi <chopmob@gmail.com>
License: Apache-2.0
Project-URL: Homepage, https://docs.algovoi.co.uk/records-vault
Project-URL: Documentation, https://docs.algovoi.co.uk/records-vault
Keywords: post-quantum,falcon,fn-dsa,ml-kem,jcs,rfc8785,tamper-evident,compliance-evidence,offline-verifier,records-vault
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Legal Industry
Classifier: Intended Audience :: Healthcare Industry
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security :: Cryptography
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
License-File: NOTICE
Requires-Dist: pqcrypto>=0.4.0
Requires-Dist: rfc8785>=0.1.4
Dynamic: license-file

# algovoi-validate

**Don't trust AlgoVoi — verify it yourself.** A standalone, offline validator for AlgoVoi signed
compliance evidence. Its entire trust base is two public libraries — no AlgoVoi code, no secret key,
no running service, no network.

```bash
pip install algovoi-validate
```

It re-derives every Falcon-1024 (FN-DSA-1024) signature and SHA-256 hash-link itself, from the
published public key alone. If it prints `VERIFIED`, the evidence is genuine and unaltered; change a
single byte and it fails at exactly that entry.

## Use — auto-detect

Drop an AlgoVoi artifact; it identifies the type and validates it:

```bash
algovoi-validate <path>                     # auto-detect
algovoi-validate <path> <public_key.b64>    # ...for a bare receipt/chain
```

An evidence pack embeds its public key. A bare receipt or signed chain also takes the signer's
published public key.

| Artifact | Detected from | Needs a public key? |
|---|---|---|
| Evidence pack (directory) | `*_chain.json` + `public_key.b64` | no (embedded) |
| Signed chain (JSON array) | array of signed envelopes | yes |
| Single receipt (file) | one signed envelope | yes |

## Explicit subcommands

```bash
algovoi-validate pack <pack_dir>
algovoi-validate receipt <receipt.txt> <public_key.b64>
algovoi-validate chain <chain.json> <public_key.b64>
```

Exit code is `0` iff everything verifies.

## What it checks

- **Falcon-1024 / FN-DSA-1024** signatures over RFC 8785 (JCS) canonical bytes, using the published
  public key only.
- **Hash-linked chains** — sequence, `prev`-hash linkage, and head, so a tampered, reordered, or
  removed entry is caught at exactly that point.
- **Evidence packs** — every signed chain in the pack, plus the trusted-timestamp binding (each
  timestamp's message imprint equals the hash of the archive receipt it stamps).

## Library use

```python
from algovoi_validate import autodetect, verify_pack, verify_chain, verify_receipt
```

## Licence

Apache-2.0. Pairs with the production / custody side of [AlgoVoi Records
Vault](https://docs.algovoi.co.uk/records-vault); this verifier is free and always will be.
