Verification

Check the record without trusting the system that stored it.

Verification recomputes hashes and receipt checks from exported records, optional original input, public keys, or hosted ledger entries. Use it in audits, support packets, CI, and customer-facing proof reviews.

Start with a Decision Record. Add packet verification, receipt signatures, and audit-chain checks when the boundary becomes production-critical.

Open hosted verifier API reference Decision intelligence Error reference

Decision Record verification flow

The verifier does not rerun the decision. It checks whether the exported artifact still matches the canonical hashes and configured receipt signature.

01 export

Decision Record

Paste a stored record, fetch by decision_id, or pass an exported JSON file into the verifier.

02 canonicalize

Hash input and record

Recompute input_hash, output_hash, record_hash, and policy_bundle_hash using the declared canonicalization.

03 receipt

Check receipt signature

Verify HMAC for internal systems or Ed25519 against the key registry for portable public records.

04 result

Return proof checks

Report pass/fail checks for record integrity, policy bundle binding, signature validity, and optional original input.

Decision Packet v1 verification

Decision Packets are the portable review bundle for audits and support. They include the Decision Record plus optional input, execution receipts, Outcome Records, intelligence reports, and retained audit-chain links.

record

Decision Record

Record and receipt hashes are checked first.

execution

Execution receipts

Each execution_hash must link to the same decision and action binding.

outcome

Outcome Records

Outcome hashes bind final results and observed metrics back to the decision.

reports

Intelligence hashes

Effectiveness, confidence, benchmark, and anomaly report hashes are checked when present.

chain

Audit chain

Retained links are checked against the rolling Merkle root metadata.

Verification paths

Hosted

/verify

Paste or upload a record, original input, public key, or stored decision id and inspect individual checks.

API

`/api/decision/verify`

POST an exported Decision Record directly from automation. Use /api/decision/:id/verify when checking a stored ledger entry.

CLI

`npx @decide-fyi/sdk verify`

Run local verification in CI, support tooling, or procurement review scripts.

Exported record

npx @decide-fyi/sdk verify decision-record.json \
  --input decision-input.json \
  --key-registry https://www.decide.fyi/api/decision/receipt-keys \
  --json

Decision packet

npx @decide-fyi/sdk verify-packet decision-packet.json \
  --key-registry https://www.decide.fyi/api/decision/receipt-keys \
  --summary

CI check

npx @decide-fyi/sdk verify ./artifacts/decision-record.json \
  --input ./artifacts/decision-input.json \
  --key-registry https://www.decide.fyi/api/decision/receipt-keys \
  --json

Keys, signing modes, and fixtures

Public

Ed25519 registry

/api/decision/receipt-keys returns public receipt verification keys when portable signing is configured.

Private

HMAC mode

Internal systems can verify with DECIDE_RECEIPT_SIGNING_SECRET without publishing public keys.

Conformance

Fixture pack

The SDK ships valid, tampered, input, and replay/diff fixtures so teams can test verification before production access.

Conformance fixture

npx @decide-fyi/sdk verify sdk/fixtures/valid-decision-record.json \
  --input sdk/fixtures/decision-input.json \
  --hmac-secret decide_conformance_hmac_secret_v1 \
  --json

External public key

npx @decide-fyi/sdk verify decision-record.json \
  --input decision-input.json \
  --public-key decide-receipt-public.pem

Verification scope

Trust escalation starts with a Decision Record. Add packet verification, receipt signatures, and audit-chain checks when the boundary becomes production-critical. Verification proves that an exported record or packet matches its hashes and signatures; execution receipts and Outcome Records provide later lifecycle evidence about what happened.

npm package npm metadata npm source tarball Public SDK notes GitHub source: access-controlled

Verified on May 22, 2026 against npm registry metadata: npm latest is 0.1.13 and the package tarball is reachable with published integrity data. npm package metadata declares git+https://github.com/nodeblur/decidesite.git with SDK source in /sdk; that GitHub repository is access-controlled, so public review should use the npm artifact or granted repository access.