Independent verifier for CLG signed receipts and receipt chains.
@clgplatform/verify is a verification layer for receipts emitted by CLG-integrated runtimes.
It validates receipt integrity and authenticity cryptographically.
- canonical hash matches content
- signature is valid
- required fields are present
- previous receipt hashes link correctly in chains
- does not intercept MCP tool calls
- does not enforce mandates
- does not create receipts
- does not replace runtime controls or governance processes
It can verify offline when you provide a local key or resolver.
The CLI defaults to HTTP key resolution unless you pass --public-key, --jwks, or --offline.
Library usage resolves keys according to the PEM string or resolver you pass to verifyReceipt or verifyChain.
```bash
npm install @clgplatform/verify
```

```js
import { verifyReceipt, fileResolver } from '@clgplatform/verify';
const result = await verifyReceipt(receipt, fileResolver('./signing-key.pem'));
console.log(result.valid);
```

```bash
# single receipt
clg-verify receipt receipt.json
# chain
clg-verify chain receipts.json
# local key file
clg-verify --public-key signing-key.pem receipt receipt.json
# JWKS-style endpoint
clg-verify --jwks https://api.clgplatform.com/.well-known/clg-keys receipt receipt.json
# force no default HTTP key lookup (requires --public-key or --jwks)
clg-verify --offline --public-key signing-key.pem receipt receipt.json
# pretty JSON output
clg-verify --pretty --public-key signing-key.pem chain receipts.json
# stdin
cat receipt.json | clg-verify --public-key signing-key.pem receipt -
```

| Code | Meaning |
|---|---|
| 0 | Valid |
| 1 | Invalid |
| 2 | Error (network, file, parse) |
Single receipt:

```js
import { verifyReceipt, httpResolver } from '@clgplatform/verify';
const result = await verifyReceipt(receipt, httpResolver('https://api.clgplatform.com'));
```

Receipt chain:

```js
import { verifyChain, jwksResolver } from '@clgplatform/verify';
const result = await verifyChain(receipts, jwksResolver('https://api.clgplatform.com/.well-known/clg-keys'));
```

- httpResolver(baseUrl?) → fetches {baseUrl}/v1/keys/{kid}
- jwksResolver(url?) → fetches key set once and caches by kid
- staticResolver(pem) → always returns the same PEM
- fileResolver(path) → reads PEM from local file
You can also pass a PEM string directly to verifyReceipt / verifyChain.
- Select canonical content fields.
- Canonicalize the content.
- Hash canonical content.
- Compare computed hash with receipt_hash.
- Verify signature with signer public key.
- Verify previous_receipt_hashes links for chains.
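
The steps above, sketched as an added example that is not the package's own code. It assumes sorted-key JSON canonicalization, SHA-256, and an Ed25519 signature over the hex receipt_hash stored in a hypothetical `signature` field; only receipt_hash and previous_receipt_hashes are names taken from this page.

```javascript
// Added illustration, not the @clgplatform/verify implementation. Assumptions: sorted-key
// JSON, SHA-256, Ed25519 over the hex receipt_hash, hypothetical base64 `signature` field.
const crypto = require('node:crypto');

// Deterministic JSON: object keys sorted recursively, arrays keep their order.
function canonicalize(v) {
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

// Hash everything except the two fields that are derived from the content.
function contentHash(receipt) {
  const { receipt_hash, signature, ...content } = receipt;
  return crypto.createHash('sha256').update(canonicalize(content)).digest('hex');
}

// Required fields first, then integrity (hash), then authenticity (signature).
function checkReceipt(receipt, publicKey) {
  if (!receipt.receipt_hash || !receipt.signature) return 'missing_field';
  if (contentHash(receipt) !== receipt.receipt_hash) return 'hash_mismatch';
  const ok = crypto.verify(null, Buffer.from(receipt.receipt_hash),
    publicKey, Buffer.from(receipt.signature, 'base64'));
  return ok ? 'valid' : 'bad_signature';
}

// Every receipt must verify on its own and must name its predecessor's hash.
function checkChain(receipts, publicKey) {
  for (let i = 0; i < receipts.length; i++) {
    const r = checkReceipt(receipts[i], publicKey);
    if (r !== 'valid') return `${r}@${i}`;
    const prev = receipts[i].previous_receipt_hashes;
    if (i > 0 && !(Array.isArray(prev) && prev.includes(receipts[i - 1].receipt_hash))) return `broken_link@${i}`;
  }
  return 'valid';
}

// Constructed sample data: a throwaway key pair and two linked receipts.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
function sign(content) {
  const receipt_hash = contentHash(content);
  const signature = crypto.sign(null, Buffer.from(receipt_hash), privateKey).toString('base64');
  return { ...content, receipt_hash, signature };
}
const first = sign({ tool: 'read_file', previous_receipt_hashes: [] });
const second = sign({ tool: 'send_mail', previous_receipt_hashes: [first.receipt_hash] });
```

The hash comparison only catches edits made without recomputing receipt_hash; a tamperer who recomputes it is stopped by the signature check, which is why both steps are needed.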
@clgplatform/mcp guards MCP tool execution and creates signed receipts. @clgplatform/verify verifies those receipts afterward.
Beta.
BUSL-1.1. See LICENSE.