strix-verify

Independent, in-browser verification of Strix governance artifacts. Pure static. No Strix server in the trust path. WebCrypto Ed25519. How it works.

Drop an SVG artifact here or click to choose a file Strix-emitted .svg only · screenshots cannot be verified

try a sample · the verifier is willing to fail publicly

how this page verifies

  1. Extract metadata. The page parses the SVG's <metadata> block: the visual kind, the embedded canonical payload, the Ed25519 signature, the signing kid, and the declared canonicalHash. Strict regex — no HTML entity decoding, no XML reordering. If metadata is absent (screenshot, exported image, decorative SVG) we say so and stop.
  2. Recompute SHA-256. We compute sha256(embeddedPayload) in your browser and compare to the embedded canonicalHash. Mismatch → TAMPERED_METADATA, exit immediately.
  3. Fetch JWKS — pinned and live, in parallel. The pinned snapshot ships with this page (jwks.pinned.json). The live JWKS is fetched from strixgov.com/.well-known/strix-jwks.json directly in your browser. Both are inspectable in DevTools.
  4. Verify Ed25519 against both keys. WebCrypto runs in your browser. We never send the bytes to a server.
  5. Surface drift, never hide it. If the pinned and live keys agree, you see VERIFIED. If they disagree, you see both verdicts plus the fingerprint of each key — you decide which trust source to honor. Drift is evidence.

The CLI npx @strixgov/verifier follows the same gates, in the same order, with the same outcome language. Same input → same verdict, both here and from your terminal. Mirror this page on your own host and you'll get the same verdict for the same bytes.