[AVAILABLE], precisely scoped.
packages/runtime/src/services/verification-service.ts. CLAIMS.md 2.15.The 3 checks, exactly
- Integrity — recompute the Trust Record’s canonical hash; must match the stored
trustRecordHash. - Signature — the stored cryptographic signature must verify against the stored public key.
- Authorization binding — every
APPROVEDexecution must carry a non-emptyauthorizationIdin its metadata.REJECTED-decision executions are exempt.
runChecks() accumulates failures into an array rather than short-circuiting).
Two different operations, two different routes
| SDK call | HTTP | What it does |
|---|---|---|
client.verification.verify(id) | POST /verify | Runs a fresh verification; appends a new Verification to the record’s history |
client.verification.get_latest(id) | GET /verification/:id | Reads back the most recent Verification without re-verifying |
packages/api/src/routes/verify.ts vs.
verify-get.ts), not the same endpoint called twice — a distinction the Python SDK only
got right this session (see Python SDK).
Real output
python/examples/verify/.
Tampering is actually caught
packages/api/test/verification-negative.integration.test.ts — “reports FAILED when the
persisted record is tampered after execution” — proves this end to end, not just at the
unit level.