Integration

Verify the corpus yourself

Every Apeiris artifact is content-addressed by SHA-256 and pinned in a single manifest.json, which is itself signed with an offline Ed25519 key. Nothing here is "trust us" — recompute it. This page does it live in your browser, and the commands below let you do it out-of-band.

Live verification
Fetches the manifest, recomputes every domain artifact's SHA-256, and checks the manifest signature.
Manifest signature (Ed25519)not run
Artifact checksums (SHA-256)not run

Trust anchor

AlgorithmEd25519 over the RFC 8785 (JCS) canonical manifest, minus integrity.signature
Key ided25519-1f89c22423ab21b2
Second channelthe same public key is committed in the apeirisai/apeiris git repo (github.com) — a distinct origin from this CDN

The public key is the trust anchor. The private key is held offline and never enters the repo or the served site. A mismatch on the signature or any checksum means the copy you fetched does not match what Apeiris signed — treat it as fail-closed and stop.

Verify out-of-band

Recompute a domain artifact's hash and compare it to the manifest (no Apeiris code required):

# SHA-256 of a domain artifact, vs manifest.domains[].sha256
curl -s https://apeiris.ai/integration/domains/security-controls-full.json | sha256sum
curl -s https://apeiris.ai/integration/manifest.json | python3 -c "import sys,json; m=json.load(sys.stdin); print(next(d['sha256'] for d in m['domains'] if d['slug']=='security'))"

Verify the Ed25519 manifest signature yourself, with only Node's built-in crypto — no Apeiris code, no repo access. This is a complete, runnable test vector: it fetches the manifest and the published public key, reconstructs the RFC 8785 (JCS) canonical bytes the signer signed (the manifest minus the integrity.signature field), and checks the signature against the trust-anchor key.

# save as verify.mjs, then: node verify.mjs   (Node 18+)
import { createPublicKey, verify } from "node:crypto";
const B = "https://apeiris.ai/integration";
const m   = await (await fetch(B + "/manifest.json")).json();
const pub = await (await fetch(B + "/keys/manifest-signing-ed25519.pub.json")).json();
const { signature, ...integrity } = m.integrity;            // the signed payload is the manifest minus the signature
const jcs = v => Array.isArray(v) ? "[" + v.map(jcs).join(",") + "]"   // RFC 8785 JCS: sort keys, no whitespace
  : v && typeof v === "object" ? "{" + Object.keys(v).sort().map(k => JSON.stringify(k) + ":" + jcs(v[k])).join(",") + "}"
  : JSON.stringify(v);
const ok = verify(null, Buffer.from(jcs({ ...m, integrity }), "utf8"),
  createPublicKey(pub.public_key_spki_pem), Buffer.from(signature, "base64"));
console.log(m.integrity.key_id, ok ? "VERIFIED" : "FAILED");
# -> ed25519-1f89c22423ab21b2 VERIFIED

If it prints VERIFIED, the manifest you fetched is byte-for-byte what Apeiris signed with the offline key whose public half is at keys/manifest-signing-ed25519.pub.json. The Apeiris tooling (npm run verify:manifest) does the same check; this snippet lets you reproduce it independently.