Verify the ledger

Every Axtary decision appends a hash-chained record to a local JSONL ledger. This page covers turning that ledger into evidence a third party can check without trusting Axtary: signed attestations, Merkle inclusion and consistency proofs, and offline incident reconstruction.

The canonical ActionPass v0 draft is public at /spec/actionpass-v0.md; the customer guide is ActionPass spec and verifier.

Create a signed attestation

axtary attest-ledger \
  --ledger .axtary/actions.jsonl \
  --out attestation.json

attest-ledger verifies the full hash chain first, then writes a self-contained bundle: the exported records, an export digest, an RFC 6962 signed tree head (Merkle root + tree size), and a detached ES256 signature. The same date-range and decision filters as export-ledger apply.

Verify it independently

axtary verify-export attestation.json

verify-export is standalone: it checks the signature, the record hash chain, the export digest, and approval↔execution equivalence from the bundle alone — no running proxy, no network, no Axtary service. A single edited, reordered, or deleted record fails the whole bundle, and so does any execution record whose approved and executed payload hashes disagree. On success it prints an equivalence summary alongside the digest.

Prove approvals executed exactly

Every execution that carried a human approval records two hashes: the payload hash the approval was bound to and the hash of the payload that actually executed. prove-equivalence turns that pair into a queryable, exportable proof:

axtary prove-equivalence --ledger .axtary/actions.jsonl --out equivalence.json

Each execution record reports proved (approved == executed, and the executed hash matches the record's own hash-chained payload hash), unproven (no approval evidence was attached — reported truthfully, never presented as proved), or failed. Any failed entry exits non-zero and also fails verify-export for the same ledger: an execution that escaped its approval is treated as tamper, not as a warning. Combine with prove-inclusion to hand a third party the proof for one specific approved execution against the signed Merkle head.

Prove one record is included

Use an inclusion proof when someone needs to check a single decision without receiving the whole export:

axtary prove-inclusion attestation.json --record ap_<jti> --out proof.json
axtary verify-proof proof.json --bundle attestation.json

The proof commits the record to the signed Merkle head, so the verifier learns that this exact record is in the attested ledger — nothing else about the other records.

Verify a foreign issuer

For cross-issuer audits, a verifier can pin another issuer's public trust root and check one ActionPass, its ledger attestation, its inclusion proof, and its fresh revocation/status evidence together. The local proxy publishes the public descriptor at:

curl http://127.0.0.1:7331/.well-known/axtary-trust-root.json

The descriptor contains only public JWKS, the issuer id, and the status-list URI. It is an Axtary verify-only profile with OpenID-Federation-compatible typing markers; it is not a trust-network UI and does not resolve arbitrary federation chains.

Prove the ledger only grew

A consistency proof shows a later attestation append-only-extends an earlier one — records were added, never rewritten:

axtary prove-consistency first.json second.json --out proof.json
axtary verify-proof proof.json --first first.json --second second.json

If any historical record changed between the two heads, verification fails.

Reconstruct an incident offline

axtary forensics attestation.json

forensics replays delegation and execution structure from ledger records alone: whether delegated authority only ever narrowed, whether every execution correlates to exactly one authorization, and whether a revocation cascade contained its descendants. It is a read-only auditor primitive, not anomaly detection.

What this does and does not prove

  • The proofs are post-signing tamper evidence: they detect any change to records after they were attested, and they work offline against public keys.
  • They do not make claims about events that were never recorded, and — like any local-first evidence — the signing boundary is your machine's key custody.
  • Ledger records are payload-free by design: hashes, decisions, reasons, and audit dimensions, never file contents, tokens, or raw shell commands.