Skip to main content
[AVAILABLE], precisely scoped. packages/runtime/src/services/verification-service.ts. CLAIMS.md 2.15.
An earlier six-stage verification pipeline (@parmana/verification) existed and was deleted (“retired in Session 5 — it had no real implementation and no real test coverage,” per CLAIMS.md §4). It is not documented here as existing. If you see references to Authority/Intent/Evidence verification stages elsewhere, they describe that retired package or a not-yet-built future addition — not current behavior.

The 3 checks, exactly

// packages/runtime/src/services/verification-service.ts:90-153
  1. Integrity — recompute the Trust Record’s canonical hash; must match the stored trustRecordHash.
  2. Signature — the stored cryptographic signature must verify against the stored public key.
  3. Authorization binding — every APPROVED execution must carry a non-empty authorizationId in its metadata. REJECTED-decision executions are exempt.
All three checks always run, independently, regardless of whether an earlier one failed — so a single verification report can name every check that failed, not just the first (runChecks() accumulates failures into an array rather than short-circuiting).

Two different operations, two different routes

SDK callHTTPWhat it does
client.verification.verify(id)POST /verifyRuns a fresh verification; appends a new Verification to the record’s history
client.verification.get_latest(id)GET /verification/:idReads back the most recent Verification without re-verifying
These are genuinely different routes (packages/api/src/routes/verify.ts vs. verify-get.ts), not the same endpoint called twice — a distinction the Python SDK only got right this session (see Python SDK).

Real output

client.verification.verify() -- fresh (POST /verify):
  status:      VerificationStatus.VERIFIED
  verified_at: 2026-07-06 04:10:15.021000+00:00
  hash:        861fe01aaadf904a003d3e6118e74f967164a52d91eb18f97ca6cbce71292768

client.verification.get_latest() -- cached (GET /verification/:id):
  status:      VerificationStatus.VERIFIED
  verified_at: 2026-07-06 04:10:15.021000+00:00
  hash:        861fe01aaadf904a003d3e6118e74f967164a52d91eb18f97ca6cbce71292768
Real run, 2026-07-06, python/examples/verify/.

Tampering is actually caught

packages/api/test/verification-negative.integration.test.ts — “reports FAILED when the persisted record is tampered after execution” — proves this end to end, not just at the unit level.