github fabriziosalmi/certmate v2.17.0
v2.17.0 - Third-party-verifiable audit trail

2 hours ago

Completes the agentic audit trail. v2.16.0 added attribution + the tamper-evident hash chain; this is Phase 3 — third-party verifiability: an auditor can verify the record off the box, without running or trusting CertMate, and tie it to the instance that produced it.

Added

  • Ed25519-signed, independently verifiable export. The instance holds an Ed25519 signing key, persisted at data/.audit_signing_key in the same way as the Flask secret key: generated on first run with mode 0600, or loaded from an off-box location via AUDIT_SIGNING_KEY_FILE. GET /api/audit/export (admin only, optional ?from_seq/?to_seq) returns a signed, self-verifying bundle whose manifest pins the instance fingerprint, public key, seq range and head_hash; because the entries are hash-chained, the signature over the canonical manifest transitively commits to every entry. GET /api/audit/public-key exposes the instance identity to pin out of band. The chain head is also signed into periodic checkpoints.
  • Verifier upgrade. python -m modules.core.audit_verify --bundle bundle.json [--pubkey instance.pem] checks the chain structure, manifest consistency, the Ed25519 signature, and the fingerprint, with optional out-of-band key pinning. No new dependencies (cryptography already required).

Honest scope

A local signing key detects tampering by anyone who does not hold it and attributes the export to an instance, but does not bind the operator (who holds the key). Fully constraining the operator needs opt-in external anchoring of the signed checkpoints — a planned follow-up. docs/compliance.md and docs/api.md document this precisely.

Validation

18 unit tests for the signing/export/verify paths (key lifecycle, signed checkpoints, tamper/forgery/pinning detection, the CLI, both endpoints); full suite green; independent adversarial review (two should-fix issues found and fixed); and a real-certificate smoke — issued a cert via Cloudflare DNS-01 against Let's Encrypt staging on the built image, then verified the live /api/audit/export bundle off-box with the standalone verifier and key pinning.

Full changelog: v2.16.1...v2.17.0
