# Verifier Artifacts v0

`verifier-export` materializes a replayable verifier bundle for one query. The bundle is designed for a
reviewer who wants files and hashes, not an interactive application trace.

## Command

```bash
python3 -m pip install -r requirements-dev.txt
BUNDLE_ID="ai-act-article-113-annex-iii-$(git rev-parse --short HEAD)"
BUNDLE_DIR="out/verifier/$BUNDLE_ID"

python3 -m ai_act_agent.cli verifier-export \
  "Build evidence bundle for sv:eu-ai-act/article/113 and sv:eu-ai-act/annex/III." \
  --output-dir "$BUNDLE_DIR" \
  --include-eval \
  --stability-runs 3 \
  --sign-manifest \
  --gpg-key 231DF589D89C25FAD7A8E8E685F9BA1E0016C226
```

Every written JSON artifact has a sibling `.sha256` file in GNU coreutils format. These sidecars are
useful for manual inspection, but the built-in `verify` command is the normative verifier path because
it replays the predicates and source-twin checks, not only file hashes:

```bash
(cd "$BUNDLE_DIR" && sha256sum -c response.json.sha256)
(cd "$BUNDLE_DIR" && sha256sum -c synthesis.json.sha256)
(cd "$BUNDLE_DIR" && sha256sum -c graph_state.json.sha256)
(cd "$BUNDLE_DIR" && sha256sum -c manifest.json.sha256)
```

Run the built-in verifier:

```bash
python3 -m ai_act_agent.cli verify "$BUNDLE_DIR" \
  --require-eval \
  --require-signature
```

## Files

The export writes:

- `response.json`: the controller output with route, citations, payload, claim boundary, and
  `response_digest`.
- `citation_validation.json`: the provenance report for response citations.
- `synthesis.json`: the bounded synthesis draft and cited spans.
- `synthesis_validation.json`: the synthesis validation checks and deterministic failure reasons, if any.
- `graph_state.json`: the joined graph state and `graph_digest`.
- `eval_report.json`: optional, written when `--include-eval` is passed.
- `manifest.json`: an inventory of the bundle, including artifact paths, file digests, the source twin
  digest, response digest, synthesis digest, graph digest, validation result, replay commits, dirty flags,
  and `manifest_digest`.
- `manifest.json.sig`: optional detached GPG signature, written when `--sign-manifest` is passed. The
  signature is outside the manifest digest because it signs `manifest.json`.

## Verification Rules

A reviewer should prefer `verify` over manual inspection. It performs these checks:

1. `manifest_digest`: recomputes the manifest digest with the self-reference excluded.
2. `manifest_sidecar`: checks `manifest.json.sha256`.
3. `artifact_sidecars`: checks every manifest-listed artifact digest and sidecar.
4. `source_twin_digest`: confirms the manifest carries a source-twin digest.
5. `source_twin_digest_match`: compares the manifest digest to the locally loaded EU AI Act twin.
6. `source_twin_replay`: resolves every cited node from the local twin and compares text, text digest,
   source-twin digest, node type, and parent provenance.
7. `bundle_digest_replay`: rebuilds evidence bundles from the local twin and compares `bundle_digest`.
8. `response_digest`: recomputes `response_digest` from `response.json`.
9. `response_claim_boundary`: checks the response claim boundary against the manifest.
10. `citation_validation`: recomputes the citation-validation report digest and checks `PASS`.
11. `citation_validation_replay`: reruns `validate_response_citations(response)`.
12. `synthesis_digest`: recomputes `synthesis_digest` from `synthesis.json`.
13. `synthesis_validation`: recomputes the synthesis-validation report digest and checks `PASS`.
14. `synthesis_validation_replay`: reruns `validate_synthesis(response, synthesis)`.
15. `graph_digest`: recomputes `graph_digest` from `graph_state.json`.
16. `graph_artifact_consistency`: compares standalone artifacts to their nested copies in `graph_state.json`.
17. `manifest_artifact_consistency`: checks that manifest query, route, digests, and validation outcomes
    match the underlying artifacts.
18. `eval_result`: checks that required eval output is present and passing.
19. `eval_report`: recomputes the eval report digest and checks `PASS`.
20. `eval_report_replay`: reruns `run_agent_eval(stability_runs=manifest.eval_stability_runs)` and
    compares it to `eval_report.json`.
21. `manifest_signature`: verifies `manifest.json.sig` when present or required.
22. `manifest_signature_sidecar`: checks `manifest.json.sig.sha256` when present or required.

Manual sidecar checks are still useful for quick transit-integrity inspection, but they are not equivalent
to verifier replay. This verifies artifact integrity and the local claim boundary. It does not convert the
output into legal advice, an official benchmark score, or an external timestamped attestation. Rekor or
another transparency log can be added later by anchoring the signed manifest and sidecars.