# Evidence Fabric Sample Package v1.0.0

A buyer-runnable, auditor-runnable sample of an Evidence Fabric package as described in the [Vertical Edge AI Evidence Fabric Methodology v1.1.0](https://verticaledgeai.ai/methodology.html).

**This is synthetic data. The cryptography is real.**

---

## What is in this package

| File | Purpose |
|---|---|
| `receipt.json` | Signed sample receipt for a synthetic healthcare workflow |
| `manifest.json` | Lists every artifact in the package with SHA-256 hash; manifest itself is signed |
| `framework_mapping.md` | Maps receipt fields to AIUC-1, NIST AI RMF, ISO 42001, Article 50, HIPAA, SOC 2, Reg S-P |
| `verifier_cli.py` | Standalone Python verifier; depends only on `cryptography` |
| `sign_and_verify.py` | Build script: generates Ed25519 keypair, signs artifacts, runs verifier, captures transcript |
| `public_key.json` | Synthetic Ed25519 public key (`vke_synthetic_2026-05`) for offline verification; ships pre-committed and is required by the verify command |
| `verifier_transcript.txt` | Recorded verifier run output |
| `README.md` | This file |

`public_key.json` ships pre-committed so the verify command runs without first building. Running `sign_and_verify.py --sign` regenerates the signatures and rewrites `public_key.json` and `verifier_transcript.txt` from scratch.

---

## How to verify (3 steps)

### Step 1: Install the one dependency

```bash
pip install cryptography
```

That is the only Python package required. Tested against `cryptography` 41.x and 42.x on Python 3.9, 3.10, 3.11, 3.12, 3.13.

### Step 2: Build the signatures (first-time only)

If you downloaded the package fresh (signatures contain `PLACEHOLDER`), run the build script to generate the synthetic keypair and sign the artifacts:

```bash
python sign_and_verify.py --sign
```

This regenerates `receipt.json` and `manifest.json` with real Ed25519 signatures and writes `public_key.json`. The private key (synthetic, for demonstration) is also embedded in the script for reproducibility.

If you downloaded the package already-signed (from `verticaledgeai.ai/sample-evidence-package.zip`), skip Step 2.

### Step 3: Verify

```bash
python verifier_cli.py --receipt receipt.json --public-key-file public_key.json
```

Expected output:

```
== VeilEngine Receipt Verifier ==
Loading receipt: receipt.json
Receipt: VERIFIED

Overall: PASS
```

The verifier exits with code 0 on PASS.

To verify the manifest too:

```bash
python verifier_cli.py --manifest manifest.json --public-key-file public_key.json
```

Or run the full sign-and-verify cycle (regenerates signatures, then verifies) in one shot:

```bash
python sign_and_verify.py
```

The verifier returns exit code 0 on PASS, 1 on FAIL, 2 on argument/environment error.

---

## What this package demonstrates

- The Evidence Fabric methodology produces real, structured, cryptographically-signed artifacts.
- The verifier runs without vendor dependencies (only `cryptography` + Python 3).
- An auditor with the public key can verify a receipt's signature, and the manifest's artifact hashes, without trusting Vertical Edge AI.
- The hash-linked chain-of-receipts pattern is expressed in the receipt schema today; the sample verifier validates single-receipt signatures and manifest hashes, not chain linkage (cross-receipt chain-walk verification is on the roadmap).
- The signing path is documented and byte-for-byte reproducible.
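
The chain-walk check that the chain-of-receipts bullet says the sample verifier does not yet perform can be sketched as follows. This is an added example, not code from the package or from Vertical Edge AI: the field names `seq`, `payload` and `prev_receipt_hash`, the all-zero genesis marker and the sorted-key canonical JSON form are assumptions, and the receipts are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed marker meaning "no predecessor"

def canonical(obj):
    # Assumed canonical form: sorted keys, compact separators, UTF-8.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def receipt_hash(receipt):
    return hashlib.sha256(canonical(receipt)).hexdigest()

def make_chain(payloads):
    # Constructed sample receipts; field names are hypothetical.
    chain, prev = [], GENESIS
    for seq, payload in enumerate(payloads):
        receipt = {"seq": seq, "synthetic": True, "payload": payload,
                   "prev_receipt_hash": prev}
        chain.append(receipt)
        prev = receipt_hash(receipt)
    return chain

def walk_chain(receipts, expected_head=None):
    # Returns (ok, problems) after checking ordering and every hash link.
    problems, prev = [], GENESIS
    for i, receipt in enumerate(receipts):
        if receipt.get("seq") != i:
            problems.append(f"receipt {i}: seq {receipt.get('seq')!r}, expected {i}")
        if receipt.get("prev_receipt_hash") != prev:
            problems.append(f"receipt {i}: prev_receipt_hash mismatch")
        prev = receipt_hash(receipt)
    # Link-walking alone cannot see a truncated or edited tail; a head hash
    # pinned elsewhere (for example in a signed manifest) closes that gap.
    if expected_head is not None and prev != expected_head:
        problems.append("head hash does not match pinned value")
    return (not problems, problems)

if __name__ == "__main__":
    chain = make_chain(["intake", "redaction", "model_call"])
    head = receipt_hash(chain[-1])
    print(walk_chain(chain, head))
    edited = [dict(r) for r in chain]
    edited[1]["payload"] = "edited"  # tamper with a middle receipt
    print(walk_chain(edited, head))
    print(walk_chain(chain[:2]), walk_chain(chain[:2], head))
```

A walk like this complements the per-receipt signature check rather than replacing it: the signature binds each receipt to the signer, and the links bind the receipts to each other.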

## What this package does NOT demonstrate

- That Vertical Edge AI has deployed this in production with customers (sample is synthetic).
- That the methodology is correct for your specific regulatory framework (your auditor and counsel interpret).
- That the AI providers retained or did not retain data (provider-side claim; this package records what the operator did, not what the provider then did).

---

## Synthetic-data notice

- All names, MRNs, DOBs, diagnosis codes, clinician identifiers, and session IDs are fictional and labeled `"synthetic": true` in the receipt and manifest metadata.
- The signer key `vke_synthetic_2026-05` is a synthetic Ed25519 keypair generated solely for the sample. The private key is intentionally exposed in `sign_and_verify.py` so anyone can re-verify. In production, the signer key is the operator's, not Vertical Edge AI's.
- The cryptographic primitives (Ed25519 signatures, SHA-256 hashes, JSON canonicalization) are real algorithms used the same way they would be in a production gateway.

---

## License

The verifier is provided under the MIT License (see `LICENSE`). Audit, modify, and redistribute it freely. We ask that you not alter the verification logic in `verifier_cli.py` without re-publishing a documented diff -- its value rests on byte-for-byte alignment with the gateway's signing path.

---

## Provenance

- **Methodology:** [Evidence Fabric Methodology v1.1.0](https://verticaledgeai.ai/methodology.html)
- **Specification:** [Sample Evidence Package Specification v1.0.0](https://verticaledgeai.ai/sample-evidence-package.html)
- **Verifier lineage:** customer-facing subset of the internal VeilEngine receipt verifier, published here for buyer and auditor inspection
- **Authored:** 2026-05-19 by Vertical Edge AI LLC (Austin, TX)

---

## Contact

[cordero_ryan@verticaledgeai.ai](mailto:cordero_ryan@verticaledgeai.ai) | [verticaledgeai.ai](https://verticaledgeai.ai)

Vertical Edge AI is not an audit firm. The package is published to demonstrate the Evidence Fabric methodology, not to substitute for an audit opinion.
