Metadata-Version: 2.4
Name: veridict-verify
Version: 0.2.0
Summary: Standalone offline verifier for VERIDICT case bundles. Free and open: trust, but re-check.
Project-URL: Homepage, https://github.com/CXdefense/veridict-verify
Project-URL: Documentation, https://github.com/CXdefense/veridict-verify/blob/main/docs/bundle-format.md
Project-URL: Issues, https://github.com/CXdefense/veridict-verify/issues
Author: VERIDICT contributors
License: MIT
License-File: LICENSE
Keywords: ed25519,evidence,hash-chain,osint,provenance,verification
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Legal Industry
Classifier: Intended Audience :: Science/Research
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Security :: Cryptography
Requires-Python: >=3.11
Requires-Dist: cryptography>=43
Requires-Dist: rfc8785>=0.1.4
Provides-Extra: timestamps
Requires-Dist: certifi; extra == 'timestamps'
Requires-Dist: rfc3161-client>=1.0; extra == 'timestamps'
Description-Content-Type: text/markdown

# veridict-verify

Standalone offline verifier for VERIDICT case bundles (`.veridict.zip`).
Free and open: **trust, but re-check.**

This package shares **no runtime code** with the VERIDICT engine. It re-checks
hashes, signatures, timestamps, citation spans, corroboration ceilings, and
graph semantics from the published bundle format so a skeptic does not have to
trust the tool that produced the case. You do not need an account, a server,
or the engine — only this package and the bundle you were handed.

## Install

```bash
pip install veridict-verify
# optional RFC-3161 token parsing:
pip install 'veridict-verify[timestamps]'
```

Or from this repository:

```bash
pip install .
```

## Usage

```bash
veridict-verify path/to/case.veridict.zip
veridict-verify path/to/case.veridict.zip --json
veridict-verify path/to/case.veridict.zip --trusted-key <sha256-fingerprint>
```

Try it right now on the demo bundle in this repository:

```bash
veridict-verify examples/demo.veridict.zip
```

### Exit codes

| Code | Meaning |
|------|---------|
| 0 | `VALID` — no findings |
| 2 | `VALID WITH WARNINGS` — integrity holds; review warnings (e.g. pending timestamps, single-source) |
| 1 | `INVALID` — hash/signature/semantic failure |

### Key pinning

Cryptographic verification proves integrity, not identity. Pin a published
investigator fingerprint:

```bash
veridict-verify case.veridict.zip --trusted-key abcdef...64hex...
```

See [docs/key-policy.md](docs/key-policy.md) for custody and publication guidance.

## What it checks

- Manifest hash and Ed25519 signature; key id ↔ public key binding
- Append-only hash chain (seq, prev, body_hash, chain_hash, record signatures)
- Artifact CAS object re-hash; optional standalone `content_signature`
- Claim grounding (`supported-by`), exact citation quote/offsets
- Human `verified-by` signatures; `contradicts` / `supersedes` semantics
- Independence corroboration ceilings (N vs M)
- RFC-3161 / OpenTimestamps proof structure where present
- Key-rotation statements (`veridict-key-rotation/1`)

## Documentation

- [Verify a bundle in 5 minutes](docs/verify-in-5-minutes.md)
- [Bundle format specification](docs/bundle-format.md)
- [Key policy: custody, publication, rotation](docs/key-policy.md)

## Relationship to the VERIDICT engine

The engine that *builds* cases (capture, sealing, AI-assisted analysis,
reporting) is developed separately. This verifier is intentionally
independent so that opposing counsel, auditors, and editors can re-check
conclusions without trusting — or even having — the engine. Conformance
tests that exercise the verifier against engine-produced bundles run in the
engine's CI on every commit.

## License

MIT
