Trust no one. Verify the chain yourself. Companion to Ainfera Routing.
ainfera-verify is the public, offline verifier for Ainfera AuditChains. It lets anyone — regulator, auditor, partner, curious developer — fetch an Agent's AuditChain and cryptographically verify it without trusting Ainfera or holding an Ainfera account.
This is the customer trust primitive behind Ainfera's audit-grade transparency claim: chain of custody you can check yourself.
    pip install ainfera-verify

Or with Homebrew:

    brew install ainfera/tap/verify

Verify a full AuditChain by Agent ID (fetches from the public read endpoint, then verifies offline):

    ainfera-verify chain manwe

Inspect a single AuditEvent:

    ainfera-verify event manwe 1245

Verify an offline Annex IV bundle export (use this for air-gapped review):

    ainfera-verify bundle ./manwe-2026-05-19.zip

Or verify the minimal JSON export from GET /v1/audit/{agent_id}/annex-iv:

    ainfera-verify bundle ./export.json --pinned-key-fingerprint <sha256-hex>

For every AuditEvent in the chain:
- Hash continuity — previous_hash matches the prior event's event_hash.
- Event integrity — event_hash is the SHA-256 of previous_hash || canonical_json(payload).
- HMAC signature — hmac_signature validates against the key fingerprint published at the /.well-known endpoint.
- Sigstore signature — when present, validated against the Rekor transparency log.
If any check fails, the verifier reports the exact seq where the chain breaks.
- The CLI ships under Apache 2.0. The verification logic is auditable.
- After events are fetched, verification is fully offline — no network calls, no Ainfera dependency.
- The key material is published at https://ainfera.ai/.well-known/ainfera-public-key.json and cached locally.
- For air-gapped verification, download the key once or use a bundle export (which embeds the key).
The launch release of the AuditChain signs each event with HMAC-SHA256. This means:
- Hash continuity (checks 1 + 2) is independent of who holds the signing key and is fully verifiable offline. A tampered chain breaks at the exact seq where the modification was introduced. This is the load-bearing security property.
- HMAC signature (check 3) is a symmetric construction. Verifying it requires trusting that the key fingerprint Ainfera publishes at /.well-known/ainfera-public-key.json is the same key used to sign events. There is no public/private key separation in HMAC mode.
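The checks listed under "For every AuditEvent in the chain" and the break-at-exact-seq property described above, as an added Python example that is not ainfera-verify's own code. Only the field names and the hash formula come from this page; the canonical JSON form, hex encoding, all-zero genesis value, and the HMAC input (the event hash) are assumptions, and the sample chain and key are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed previous_hash of the first event

def canonical_json(payload):
    # Assumed canonical form: sorted keys, no whitespace, UTF-8.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def event_hash(previous_hash, payload):
    # SHA-256 of previous_hash || canonical_json(payload); hex text is assumed.
    return hashlib.sha256(previous_hash.encode() + canonical_json(payload)).hexdigest()

def build_chain(payloads, key):
    # Constructed sample chain; MAC over the event hash is an assumption.
    chain, prev = [], GENESIS
    for seq, payload in enumerate(payloads, start=1):
        digest = event_hash(prev, payload)
        mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        chain.append({"seq": seq, "previous_hash": prev, "payload": payload,
                      "event_hash": digest, "hmac_signature": mac})
        prev = digest
    return chain

def verify_chain(chain, key=None):
    """Return (True, None, None) or (False, seq, failed_check)."""
    prev = GENESIS
    for ev in chain:
        if not hmac.compare_digest(ev["previous_hash"], prev):
            return False, ev["seq"], "hash continuity"
        if not hmac.compare_digest(ev["event_hash"], event_hash(prev, ev["payload"])):
            return False, ev["seq"], "event integrity"
        if key is not None:  # keyed check; skipped when no key is supplied
            mac = hmac.new(key, ev["event_hash"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(ev["hmac_signature"], mac):
                return False, ev["seq"], "hmac signature"
        prev = ev["event_hash"]
    return True, None, None

KEY = b"constructed-demo-key"
SAMPLE = build_chain([{"action": "route", "model": "a"},
                      {"action": "route", "model": "b"},
                      {"action": "refund", "amount": 10}], KEY)
```

Calling verify_chain without a key exercises only the two hash checks, which is the part that needs no trust in the signer; passing a key adds the symmetric check.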
VER-02 (shipped): Optional per-event ed25519_signature verification when you pass --agent-pubkey-file (agent PEM from signup). HMAC remains required on all events. See docs/ed25519-migration.md.
Full producer-side Ed25519 signing (API emits signatures on every event) is planned for v1.1. Progress: https://github.com/ainfera-ai/verify/issues (filter ed25519-migration).
If your threat model requires stronger HMAC trust today, pin the published key fingerprint out-of-band and use ainfera-verify --pinned-key-fingerprint.
Annex IV technical documentation requires verifiable evidence of system behavior. ainfera-verify bundle produces a pass/fail with the cryptographic chain of custody — sufficient evidence for a regulator's technical reviewer.
Don't want to install anything? Drop a bundle into verify.ainfera.ai. All verification runs in your browser.
Apache 2.0. See LICENSE.