Verification¶

Use the AttestationVerifier to validate evidence against the transformed context. Verification checks report structure, binding, and platform claims.

Recommended workflow¶

Run axiom.reason() in attested tier
Store transformedContext and attestationEvidence
Verify evidence before sending transformed context to external services

import { AttestationVerifier } from "@axiom-infra/core";

const verifier = new AttestationVerifier();
const verdict = await verifier.verify(
  result.attestationEvidence,
  result.transformedContext,
  {
    expectedMeasurement: result.verificationHint?.expectedMeasurement,
    expectedConfigHash: result.attestationEvidence?.configHash,
    mode: "permissive",
  }
);

if (!verdict.valid) {
  throw new Error(verdict.errors.join(", "));
}

What gets verified¶

Report structure is valid
Measurement matches expected value
Output binding matches report_data
Timestamp freshness (default 5 minutes)
Platform authentication (simulator produces warnings)
Configuration hash binding (if expected value provided)

Evidence-only validation¶

If you want to pre-check evidence format before full verification:

const verdict = await verifier.verifyEvidenceOnly(result.attestationEvidence, {
  mode: "permissive",
});

Binding formula¶

report_data = SHA-256(session_id || config_hash || output_hash || timestamp)

Prev: Attested Mode | Next: Troubleshooting