# Vloex sample audit bundle — what's inside

This is a **real, offline-verifiable** Vloex audit-chain export — the same bundle shape a customer downloads from `GET /api/v1/audit/chain/export`. It contains no customer data; every event below is synthetic. It was produced by `packages/backend/scripts/generate_sample_audit_bundle.py`, which runs the actual signing + Merkle-anchor + export pipeline end to end.

## How to verify it yourself (no account, no network, no trust in us)

```
unzip vloex-audit-sample.zip -d vloex-sample
cd vloex-sample
python vloex-verify.py .
```

Expected output (exit code 0):

```
OK: 9 events verified against 1 anchors ( 0 pending_anchor, 3 non-verified skipped) [ECDSA-P256: 5, Ed25519: 4]
```

Now tamper: change one character inside `events.jsonl` (e.g. flip a hex digit of any `payload_hash`) and re-run `python vloex-verify.py .`. The re-derived leaf no longer matches what was committed to the Merkle root, so the verifier reports a mismatch and exits non-zero:

```
LEAF DERIVATION MISMATCH for event f53703de-d09c-4365-8596-4e04b56dbf4a
FAILED: 1 events did not verify
```

## What the bundle proves — and what it doesn't

- The bundle ships **only hashes** of each event (`payload_hash`, `leaf_hash`), never the prompt or response text. Event contents are encrypted at rest and redaction-sensitive; the chain proves integrity over the hash, not the text.
- Each **signed** event's leaf is re-derived offline from `(payload_hash, key_id, signature.value)` and its Merkle inclusion proof is walked to the anchored root. The backend stores **only public keys**, so it cannot forge or rewrite a signed event — and neither can we.
- **Signing covers the coding-agent gateway (MCP proxy) today.** Browser-extension and shadow-AI / OAuth-discovery events are captured and governed but are **not part of the signed chain** — they appear here with `status: "unsigned"` and the verifier transparently skips them. We do not claim "every event is signed."

## Signed gateway events (9) — in the Merkle chain

| event_id | alg | agent | scenario |
| --- | --- | --- | --- |
| `f53703de-d09c-4365-8596-4e04b56dbf4a` | ECDSA-P256 | Claude Code | Claude Code tried to read services/billing/.env (secret file) via the github MCP server — BLOCKED at the gateway. |
| `59836178-2a68-4f5a-9ce1-1ec45e5882c0` | ECDSA-P256 | Claude Code | Claude Code read services/api/routes/users.py — allowed. |
| `abcb11ce-ca77-495d-8d4f-3cfd951f1c1b` | ECDSA-P256 | Claude Code | Claude Code tried to read infra/terraform/prod.tfvars (infra secrets) — BLOCKED at the gateway. |
| `9ef38f35-8a15-4eb3-a41f-db82d4ade679` | ECDSA-P256 | Claude Code | Claude Code searched the repo for 'AKIA' (AWS key prefix) — warned. |
| `8d413e2e-2b1a-4e48-bcee-194adf0cc3bb` | ECDSA-P256 | Claude Code | Claude Code ran a SELECT over the customers table (PII) via the postgres MCP server — warned. |
| `74ad234c-cb8c-4d91-99ce-95f83156f6aa` | Ed25519 | Cursor | Cursor read README.md — allowed. |
| `b3c18c6c-0b24-4eb9-92f5-a6fdf687497f` | Ed25519 | Cursor | Cursor opened a pull request via the github MCP server — allowed. |
| `32899ce4-bf08-4aa1-a2ca-0230716d9853` | Ed25519 | Cursor | Cursor posted a build summary to #eng-payments via the slack MCP server — informed. |
| `0f66988e-bfe7-4412-98b9-06ed981d1fd2` | Ed25519 | Cursor | Cursor filed a Jira issue via the jira MCP server — allowed. |

## Captured, not signed (3) — browser extension

| event_id | surface | provider | scenario |
| --- | --- | --- | --- |
| `bcb27738-3ad4-44a9-b953-61469b431b86` | browser | openai | carol@acme.test pasted a config blob containing an AWS secret key into ChatGPT — detected + blocked in the browser. Captured, not part of the signed chain. |
| `af1a6fda-c2b1-406e-b816-c7fe804fe0b8` | browser | anthropic | carol@acme.test pasted a list of customer emails into Claude.ai — PII detected + warned. Captured, not part of the signed chain. |
| `626910b7-6c9e-467d-b52d-c45a7e989550` | browser | google | carol@acme.test asked Gemini a benign refactoring question — allowed. Captured, not part of the signed chain. |

---

Generated 2026-07-04 for the events dated 2026-06-24. Re-runnable: `python packages/backend/scripts/generate_sample_audit_bundle.py` mints fresh keys and a fresh, independently-verifiable bundle each time.
