Auditor SDK - EnfinitOS

The auditor / verifier is the single most important library EnfinitOS publishes. It is open source under MIT in three published repositories:

github.com/EnfinitOS/sdk-auditor-ts — TypeScript / npm
github.com/EnfinitOS/sdk-auditor-py — Python / pip
github.com/EnfinitOS/sdk-auditor-rs — Rust / cargo

Don’t trust us. Verify. The library is offline by default — it does not call EnfinitOS or any third-party service. Anyone can fork it, audit it, fuzz the parser, and ship it inside their own compliance pipeline.

What it verifies

A proof pack is a signed, hash-chained document. The auditor does four things against it:

Ed25519 signature against the published EnfinitOS verification key.
SHA-256 hash chain walked end-to-end for the tenant.
Metering re-projection from the source events embedded in the pack — re-running the same projection the platform settled against.
Settlement reconciliation re-run, asserting bit-identical output.

Any failure on any step fails verification. The auditor never “warns” — it either verifies cleanly or it doesn’t.

Three language implementations

TypeScript
Python
Rust

npm install @enfinitos/sdk-auditor

import { verifyProofPack, walkChain } from "@enfinitos/sdk-auditor";

const result = await verifyProofPack(packBytes, {
  publicKey: ENFINITOS_VERIFICATION_KEY,
});

if (!result.ok) {
  console.error("Verification failed:", result.reason);
  process.exit(1);
}

const chain = await walkChain(allPacks);
if (chain.broken) {
  console.error("Chain breaks at pack", chain.firstBreakSequence);
}

pip install enfinitos-sdk-auditor

from enfinitos_auditor import verify_proof_pack, walk_chain

result = verify_proof_pack(pack_bytes, public_key=ENFINITOS_VERIFICATION_KEY)
if not result.ok:
    raise SystemExit(f"Verification failed: {result.reason}")

chain = walk_chain(all_packs)
if chain.broken:
    raise SystemExit(f"Chain breaks at pack {chain.first_break_sequence}")

cargo add enfinitos-sdk-auditor

use enfinitos_auditor::{verify_proof_pack, walk_chain, VerifyOptions};

let result = verify_proof_pack(&pack_bytes, &VerifyOptions {
    public_key: ENFINITOS_VERIFICATION_KEY,
})?;

if !result.ok {
    eprintln!("Verification failed: {}", result.reason);
    std::process::exit(1);
}

let chain = walk_chain(&all_packs)?;
if chain.broken {
    eprintln!("Chain breaks at pack {}", chain.first_break_sequence);
}

Byte compatibility

All three implementations are byte-compatible against a shared conformance test vector set. A proof pack that verifies under the TypeScript implementation must verify byte-identically under the Python and Rust implementations. The canonical vectors are in the sdk-auditor-ts repository under __tests__/vectors/.

Verification key rotation

The verification key is published — and rotates on a published schedule — at docs.enfinitos.com/security/keys. Rotation windows are at least 90 days so offline auditors have time to pick up the new key without service interruption.

Contributing

PRs welcome. Especially:

Fuzzers for the proof-pack parser (fast-check, Hypothesis, cargo-fuzz).
New language bindings — Go, Java, C#, Swift, Kotlin. Match the conformance vectors and we’ll review.
Conformance-suite additions — edge cases around chain breaks, signature mismatch, and metering re-projection.

See CONTRIBUTING.md in each repo (ts, py, rs).

Security disclosure

If you find a vulnerability, do not file a public issue. Email security@enfinitos.com. Full policy in SECURITY.md in each repo (ts, py, rs).

Documentation Index

​What it verifies

​Three language implementations

​Byte compatibility

​Verification key rotation

​Contributing

​Security disclosure

What it verifies

Three language implementations

Byte compatibility

Verification key rotation

Contributing

Security disclosure