Verify it yourself

Don't take our word for it. Verify the chain yourself.

Download a real, signed Vloex audit bundle and re-derive the chain offline with the stdlib verifier we ship inside it. Signed coding-agent gateway events form a Merkle chain an auditor can rebuild without an account, without a network call, and without trusting us. Change a single byte and the proof breaks.

Download vloex-audit-sample.zip

Real export · 9 signed gateway events + 3 captured browser events · stdlib verifier, no dependencies

Three commands

Prove it, then break it

The verifier is ~120 lines of pure-stdlib Python. Read it first if you like — it's in the zip as vloex-verify.py.

1. Unzip and verify — it should pass

```bash
$ unzip vloex-audit-sample.zip -d vloex-sample
$ cd vloex-sample
$ python vloex-verify.py .
OK: 9 events verified against 1 anchors ( 0 pending_anchor, 3 non-verified skipped) [ECDSA-P256: 5, Ed25519: 4]
$ echo $?
0
```

Exit 0 means every signed leaf re-derived from the bundle walks its Merkle proof to the anchored root. The 3 browser events are captured but unsigned, so the verifier transparently skips them.

2. Change one byte — it must fail

```bash
# flip a single hex digit of any payload_hash in events.jsonl, then:
$ python vloex-verify.py .
LEAF DERIVATION MISMATCH for event <the event you changed>
FAILED: 1 events did not verify
$ echo $?
1
```

One altered byte changes the event's hash, so the re-derived leaf no longer matches what was committed to the Merkle root. The verifier names the broken event and exits non-zero. There is no byte you can change that still verifies.

What just happened

Why this can't be faked

  1. Each event becomes a leaf hash.

     The device signs the event with a private key that never leaves it. The bundle ships the payload hash, the key id, and the signature — not the prompt text. The verifier re-hashes those three fields into the exact leaf the backend recorded.

  2. Leaves fold into one Merkle root.

     Every leaf for the day is combined pairwise (RFC 6962) into a single root, published as the anchor. The bundle includes each event’s sibling path, so the verifier walks any leaf up to the root on its own.

  3. The backend holds only public keys.

     Vloex stores the device’s public key, never its private key. That means the backend — and Vloex — cannot forge a new signature or rewrite a recorded event. You just re-derived the root yourself and confirmed it matches, trusting no one.
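The leaf-to-root walk from steps 1 and 2, as an added example that is not Vloex's vloex-verify.py: the `0x00`/`0x01` prefixes and the split rule are RFC 6962's, while the `|`-joined leaf encoding, the side-tagged sibling path and the sample events are assumptions constructed here. Signature checking is left out.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(payload_hash, key_id, signature):
    # Assumed field encoding; the real layout is whatever vloex-verify.py uses.
    entry = "|".join((payload_hash, key_id, signature)).encode()
    return sha256(b"\x00" + entry)            # RFC 6962 leaf prefix

def node_hash(left, right):
    return sha256(b"\x01" + left + right)     # RFC 6962 interior-node prefix

def split_point(n):
    k = 1                                     # largest power of two strictly below n
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves):
    if len(leaves) == 1:
        return leaves[0]
    k = split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def audit_path(m, leaves):
    # Siblings from the leaf upward, each tagged with the side it sits on.
    if len(leaves) == 1:
        return []
    k = split_point(len(leaves))
    if m < k:
        return audit_path(m, leaves[:k]) + [("R", merkle_root(leaves[k:]))]
    return audit_path(m - k, leaves[k:]) + [("L", merkle_root(leaves[:k]))]

def walks_to_root(leaf, path, anchored_root):
    acc = leaf
    for side, sib in path:
        acc = node_hash(sib, acc) if side == "L" else node_hash(acc, sib)
    return acc == anchored_root

# Constructed sample: 9 events of (payload_hash, key_id, signature) placeholders.
EVENTS = [(hashlib.sha256(b"event-%d" % i).hexdigest(), "key-%d" % (i % 2),
           "sig-%d" % i) for i in range(9)]
LEAVES = [leaf_hash(*e) for e in EVENTS]
ANCHOR = merkle_root(LEAVES)

def flip_first_hex_digit(event):
    ph, key_id, sig = event
    return (format(int(ph[0], 16) ^ 1, "x") + ph[1:], key_id, sig)

def verifies(i, event):
    return walks_to_root(leaf_hash(*event), audit_path(i, LEAVES), ANCHOR)
```

With 9 leaves the tree is unbalanced: event 0 needs four siblings to reach the root, while event 8 needs only one (the root of the first eight leaves).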

What's in the bundle

Exactly what's signed — and what isn't

In the signed chain

9 events

Coding-agent gateway events — Claude Code and Cursor calling MCP tools, some blocked at the choke point. Signed per-event with ECDSA-P256 (5) and Ed25519 (4), folded into the Merkle root.

Captured, not signed

3 events

Browser AI sessions (ChatGPT, Claude.ai, Gemini). They ship in the bundle marked unsigned and the verifier skips them. Shadow-AI / OAuth-discovery events are the same: captured and governed, but not in the signed chain.

We don't claim “every event is signed.” Signing is live on the coding-agent gateway today; the browser and shadow-AI surfaces are captured and governed but not yet part of the signed chain. The bundle also ships only hashes of each event, never the prompt or response text — contents are encrypted at rest, so the chain proves integrity over the hash, not the text. No SOC 2 claim here; this page is about one thing: math you can re-run yourself.

Proof beats promises.

This is the record your auditor gets to keep — verifiable without us in the room. See how the gateway blocks a leak before it happens.