Evidence Chain

How it works
Recorded events
Verification
For auditors

Every compliance action in Complior produces a cryptographic evidence entry. The chain is stored in .complior/evidence/chain.json.

How it works

Action occurs

Scan completes, fix applied, passport updated, document generated.

Hash computed

SHA-256 hash of the artifact (scan result, fix diff, passport JSON, document).

Signature created

Ed25519 signs the hash with the project’s private key (~/.config/complior/keys/).

Chain entry added

Entry includes: event type, timestamp, hash, signature, and reference to previous entry.

Recorded events

Event	Trigger	What’s hashed
`scan.completed`	Every `complior scan`	Full scan result
`fix.applied`	Every `complior fix`	Fix diff + before/after
`passport.created`	`complior agent init`	Full passport JSON
`passport.updated`	Score update, manual edit	Updated passport JSON
`fria.generated`	`complior agent fria`	FRIA document
`document.generated`	`complior fix` (B-strategy)	Document content

Verification

# View evidence chain summary
complior agent evidence

# Verify chain integrity (all hashes + signatures)
complior agent evidence --verify

For auditors

The evidence chain proves: what was checked, when, what was found, what was fixed, and in what order. Each entry is independently verifiable without trusting Complior itself — the auditor can re-hash any artifact and verify the ed25519 signature.

Risk Classification Export Formats

⌘I

Get Started

Scan (Static Analysis)

Eval (Dynamic Testing)

Fix (Auto-Remediation)

Agent Passport

Compliance Documents

SDK (Runtime)

MCP Server

Standards

How it works

Recorded events

Verification

For auditors

Get Started

Scan (Static Analysis)

Eval (Dynamic Testing)

Fix (Auto-Remediation)

Agent Passport

Compliance Documents

SDK (Runtime)

MCP Server

Standards

​How it works

​Recorded events

​Verification

​For auditors

How it works

Recorded events

Verification

For auditors