Check the evidence. Don't trust the vendor.
CloakLLM ships a standalone verifier you run on your own machine. It re-checks every artifact a deployer hands you — without our SDK, without our servers, and without taking our word for anything.
$ pip install cloakllm-verifier$ npm install cloakllm-verifierFour checks, one exit code
Hash-chain integrity
Recomputes every SHA-256 link from canonical JSON. A tampered, reordered, or relinked entry fails.
RFC 3161 trusted timestamps
Offline-verifies each checkpoint token against an independent authority's clock. Standard tokens — they also verify with plain OpenSSL, so you're never locked into our implementation.
Key provenance + revocation
Verifies signed certificates against the published KeyManifest and a root-signed revocation list — establishing who signed and whether the key was valid.
Compliance-report re-validation
Independently re-verifies the audit chain a report describes, and rejects any report claiming a verified chain or a COMPLIANT verdict over a log that doesn't actually verify. It doesn't trust the report's words — it recomputes.
Real output, not marketing
This is what the tool actually prints — including, in its own output, what a passing result does not prove. We'd rather you read the limitations than discover them.
CloakLLM verify -- hash chain (./cloakllm_audit) entries: 50000 final seq: 49999 [OK] chain intact: the present entries are internally consistent. note: proves integrity of the entries present, NOT completeness (a hash chain cannot detect removal of the LAST entries) or authenticity (run `keys` for signatures; `timestamp` for an existence anchor).
Honest boundary: the verifier reuses CloakLLM's own verification code (single source of truth, no drift) and its crypto is differentially tested against OpenSSL — but it has not yet had an independent third-party cryptographic audit. Being open and self-hosted is what makes that audit possible; you can't audit a black box.
Using CloakLLM? Preparing for a 2027 audit?
We're talking to teams deploying AI under the EU AI Act — what you're building, what an audit will ask of you, and what's missing. Auditors and certification bodies especially welcome.
Talk to us