Verify it yourself
Download a real, signed Vloex audit bundle and re-derive the chain offline with the stdlib verifier we ship inside it. Signed coding-agent gateway events form a Merkle chain an auditor can rebuild without an account, without a network call, and without trusting us. Change a single byte and the proof breaks.
Real export · 9 signed gateway events + 3 captured browser events · stdlib verifier, no dependencies
Three commands
The verifier is ~120 lines of pure-stdlib Python. Read it first if you like — it's in the zip as vloex-verify.py.
    $ unzip vloex-audit-sample.zip -d vloex-sample
    $ cd vloex-sample
    $ python vloex-verify.py .
    OK: 9 events verified against 1 anchors ( 0 pending_anchor, 3 non-verified skipped) [ECDSA-P256: 5, Ed25519: 4]
    $ echo $?
    0
Exit 0 means every signed leaf re-derived from the bundle walks its Merkle proof to the anchored root. The 3 browser events are captured but unsigned, so the verifier transparently skips them.
    # flip a single hex digit of any payload_hash in events.jsonl, then:
    $ python vloex-verify.py .
    LEAF DERIVATION MISMATCH for event <the event you changed>
    FAILED: 1 events did not verify
    $ echo $?
    1
One altered byte changes the event's hash, so the re-derived leaf no longer matches what was committed to the Merkle root. The verifier names the broken event and exits non-zero. There is no byte you can change that still verifies.
What just happened
Each event becomes a leaf hash.
The device signs the event with a private key that never leaves it. The bundle ships the payload hash, the key id, and the signature — not the prompt text. The verifier re-hashes those three fields into the exact leaf the backend recorded.
Leaves fold into one Merkle root.
Every leaf for the day is combined pairwise (RFC 6962) into a single root, published as the anchor. The bundle includes each event’s sibling path, so the verifier walks any leaf up to the root on its own.
The backend holds only public keys.
Vloex stores the device’s public key, never its private key. That means the backend — and Vloex — cannot forge a new signature or rewrite a recorded event. You just re-derived the root yourself and confirmed it matches, trusting no one.
What's in the bundle
In the signed chain
9 events
Coding-agent gateway events — Claude Code and Cursor calling MCP tools, some blocked at the choke point. Signed per-event with ECDSA-P256 (5) and Ed25519 (4), folded into the Merkle root.
Captured, not signed
3 events
Browser AI sessions (ChatGPT, Claude.ai, Gemini). They ship in the bundle marked unsigned and the verifier skips them. Shadow-AI / OAuth-discovery events are the same: captured and governed, but not in the signed chain.
We don't claim “every event is signed.” Signing is live on the coding-agent gateway today; the browser and shadow-AI surfaces are captured and governed but not yet part of the signed chain. The bundle also ships only hashes of each event, never the prompt or response text — contents are encrypted at rest, so the chain proves integrity over the hash, not the text. No SOC 2 claim here; this page is about one thing: math you can re-run yourself.
This is the record your auditor gets to keep — verifiable without us in the room. See how the gateway blocks a leak before it happens.