Check the evidence. Don't trust the vendor.

CloakLLM ships a standalone verifier you run on your own machine. It re-checks every artifact a deployer hands you — without our SDK, without our servers, and without taking our word for anything.

Python
$ pip install cloakllm-verifier
JavaScript
$ npm install cloakllm-verifier

Four checks, one exit code

Hash-chain integrity

Recomputes every SHA-256 link from canonical JSON. A tampered, reordered, or relinked entry fails.

RFC 3161 trusted timestamps

Offline-verifies each checkpoint token against an independent authority's clock. Standard tokens — they also verify with plain OpenSSL, so you're never locked into our implementation.

Key provenance + revocation

Verifies signed certificates against the published KeyManifest and a root-signed revocation list — establishing who signed and whether the key was valid.

Compliance-report re-validation

Independently re-verifies the audit chain a report describes, and rejects any report claiming a verified chain or a COMPLIANT verdict over a log that doesn't actually verify. It doesn't trust the report's words — it recomputes.

Real output, not marketing

This is what the tool actually prints — including, in its own output, what a passing result does not prove. We'd rather you read the limitations than discover them.

$ cloakllm-verify audit ./cloakllm_audit
CloakLLM verify -- hash chain (./cloakllm_audit)
  entries:   50000
  final seq: 49999
  [OK] chain intact: the present entries are internally consistent.
  note: proves integrity of the entries present, NOT completeness
  (a hash chain cannot detect removal of the LAST entries) or
  authenticity (run `keys` for signatures; `timestamp` for an
  existence anchor).
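
The limitation stated in that output, as an added example (not CloakLLM's code or log format): a minimal SHA-256 hash chain over canonical JSON in which an edited or relinked entry fails, but a truncated tail still verifies unless the head hash is compared with a value held outside the log. The field names `seq`, `event`, `prev_hash` and `hash`, the all-zero genesis value, the `sort_keys` canonicalisation and the `anchor_head` parameter are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first entry


def entry_hash(body: dict) -> str:
    # Canonical JSON (assumed form): sorted keys, no insignificant whitespace,
    # so the same logical entry always serialises to the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def build_chain(events):
    entries, prev = [], GENESIS
    for seq, event in enumerate(events):
        body = {"seq": seq, "event": event, "prev_hash": prev}
        prev = entry_hash(body)
        entries.append({**body, "hash": prev})
    return entries


def verify_chain(entries, anchor_head=None):
    """Return (ok, reason). anchor_head is a head hash held outside the log."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i:
            return False, f"entry {i}: seq out of order"
        if e.get("prev_hash") != prev:
            return False, f"entry {i}: prev_hash does not match previous entry"
        if entry_hash(body) != e.get("hash"):
            return False, f"entry {i}: content does not match its hash"
        prev = e["hash"]
    if anchor_head is not None and prev != anchor_head:
        return False, "head does not match external anchor"
    return True, "chain intact"


# Constructed sample log, not real CloakLLM output.
LOG = build_chain([f"request-{n}" for n in range(5)])
HEAD = LOG[-1]["hash"]

if __name__ == "__main__":
    tampered = [dict(e) for e in LOG]
    tampered[2]["event"] = "edited"
    print(verify_chain(LOG))            # intact chain
    print(verify_chain(tampered))       # edit detected at entry 2
    print(verify_chain(LOG[:3]))        # truncated tail still passes
    print(verify_chain(LOG[:3], HEAD))  # caught only with the anchor
```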

Honest boundary: the verifier reuses CloakLLM's own verification code (single source of truth, no drift) and its crypto is differentially tested against OpenSSL — but it has not yet had an independent third-party cryptographic audit. Being open and self-hosted is what makes that audit possible; you can't audit a black box.

Using CloakLLM? Preparing for a 2027 audit?

We're talking to teams deploying AI under the EU AI Act — what you're building, what an audit will ask of you, and what's missing. Auditors and certification bodies especially welcome.
