openwright-core 0.6.0__py3-none-any.whl

openwright/adapters/receipt.py

@@ -0,0 +1,198 @@
+"""External receipt-primitive ingest — the "sit on top of receipts" adapter.
+
+(Proposal §A1; adapter isolation FR-NRM-03; untrusted input FR-ING-10.)
+
+OpenWright does not reinvent cryptographic action receipts — it *consumes* them and
+turns them into compliance evidence. This adapter verifies a signed receipt's
+Ed25519 signature **before** ingesting it, then normalizes it into a canonical
+``ComplianceEvent(kind=tool_call)``. We attest events ourselves with the in-house
+Merkle stack *or* anchor on receipts produced upstream; this is the layer above
+the receipt primitive, not a competitor to any one producer.
+
+Other receipt formats (sigstore-style, a first-party format) plug in behind the
+same :class:`ReceiptSource` interface — the receipt primitive is interchangeable.
+
+A receipt is untrusted input (FR-ING-10, NFR-SEC-01): an unsigned, malformed, or
+tampered receipt is rejected with :class:`ReceiptVerificationError` and never
+enters the ledger as a normal event. Verification precedes ingestion.
+"""
+
+from __future__ import annotations
+
+import abc
+import base64
+from typing import Any, Dict, Optional
+
+from ..canonical import canonical_bytes, to_rfc3339
+from ..events import Actor, ComplianceEvent, EventKind, IdentityClaim, IORef, ToolInfo
+from ..signing import KeySource, key_id_for, verify_signature
+
+
+class ReceiptVerificationError(Exception):
+    """A receipt's signature was missing, malformed, or did not verify.
+
+    The receipt is NOT turned into a tool_call event — verification precedes
+    ingestion.
+    """
+
+
+def receipt_signing_bytes(receipt: Dict[str, Any]) -> bytes:
+    """The exact bytes a receipt signs over: its canonical form minus ``sig``.
+
+    Deterministic and verifier-reproducible (the same JCS canonicalization the
+    rest of OpenWright uses), so any party holding the signer's public key can
+    re-derive these bytes and check the signature independently.
+    """
+    return canonical_bytes({k: v for k, v in receipt.items() if k != "sig"})
+
+
+class ReceiptSource(abc.ABC):
+    """Interchangeable receipt-primitive adapter.
+
+    Implement :meth:`verify_and_normalize` to teach OpenWright a new signed-receipt
+    format. Every source verifies its own signature scheme and emits the same
+    canonical :class:`ComplianceEvent`, so receipt primitives are swappable
+    behind one interface.
+    """
+
+    #: ``source.format`` tag stamped on events produced by this source.
+    format: str
+
+    @abc.abstractmethod
+    def verify_and_normalize(
+        self, receipt: Dict[str, Any], *, agent_id_default: Optional[str] = None
+    ) -> ComplianceEvent:
+        """Verify ``receipt``'s signature and return a canonical event, or raise."""
+
+
+class SignedActionReceiptSource(ReceiptSource):
+    """Consumes a signed Ed25519 **action receipt** — the commoditizing receipt
+    primitive several crypto-audit tools emit. This adapter targets the generic,
+    public shape of such a receipt so OpenWright can verify + ingest it; it is not
+    tied to any one producer (other formats plug in behind :class:`ReceiptSource`).
+
+    Receipt shape (all values JSON; ``signer.pubkey`` is base64 of the raw
+    32-byte Ed25519 key and ``sig`` is base64 of the signature)::
+
+        {"action": {"tool": ..., "params_hash": "sha256:...", "target": ...},
+         "signer": {"pubkey": "<b64>", "name": ..., "owner": ...},
+         "ts": <rfc3339|unix>, "nonce": ..., "transport": ..., "sig": "<b64>"}
+
+    Mapping → ``ComplianceEvent(kind=tool_call)``: ``tool.name`` ← action.tool;
+    ``io.arguments_ref`` ← action.params_hash (already a ``sha256:`` ref — fits
+    cleanly with no PII); ``actor.agent_id`` ← signer.name; signer pubkey/owner →
+    ``actor.identity_claim``; nonce/target/transport → ``attributes``.
+    """
+
+    format = "receipt/action-v1"
+
+    def verify_and_normalize(
+        self, receipt: Dict[str, Any], *, agent_id_default: Optional[str] = None
+    ) -> ComplianceEvent:
+        if not isinstance(receipt, dict):
+            raise ReceiptVerificationError("receipt must be a JSON object")
+        action = receipt.get("action")
+        signer = receipt.get("signer")
+        if not isinstance(action, dict) or not isinstance(signer, dict):
+            raise ReceiptVerificationError("receipt missing action/signer object")
+
+        sig_b64 = receipt.get("sig")
+        pubkey_b64 = signer.get("pubkey")
+        if not sig_b64 or not pubkey_b64:
+            raise ReceiptVerificationError("receipt missing signature or signer pubkey")
+        try:
+            sig = base64.b64decode(sig_b64)
+            pub_raw = base64.b64decode(pubkey_b64)
+        except (ValueError, TypeError) as exc:
+            raise ReceiptVerificationError(f"malformed base64 in receipt: {exc}") from exc
+
+        # Verify BEFORE ingest. The signed bytes are the canonical receipt minus
+        # the signature itself, so any tampered field flips this to False.
+        if not verify_signature(pub_raw, sig, receipt_signing_bytes(receipt)):
+            raise ReceiptVerificationError("receipt Ed25519 signature did not verify")
+
+        ts = receipt.get("ts")
+        if ts is None:
+            raise ReceiptVerificationError("receipt missing ts")
+
+        # The signer pubkey/owner are carried (verifiably) into the identity
+        # claim; extra="allow" on IdentityClaim preserves the non-AgentCard fields.
+        identity_extra: Dict[str, Any] = {"public_key_b64": pubkey_b64}
+        if signer.get("owner") is not None:
+            identity_extra["owner"] = signer["owner"]
+        identity = IdentityClaim(
+            claim_type="receipt-signer",
+            public_key_id=key_id_for(pub_raw),
+            signature_b64=sig_b64,
+            **identity_extra,
+        )
+
+        attributes: Dict[str, Any] = {"receipt_verified": True}
+        if receipt.get("nonce") is not None:
+            attributes["nonce"] = receipt["nonce"]
+        if action.get("target") is not None:
+            attributes["target"] = action["target"]
+        if receipt.get("transport") is not None:
+            attributes["transport"] = receipt["transport"]
+
+        params_hash = action.get("params_hash")
+        return ComplianceEvent(
+            timestamp=to_rfc3339(ts),
+            kind=EventKind.TOOL_CALL,
+            actor=Actor(
+                agent_id=signer.get("name") or agent_id_default or "unknown-agent",
+                identity_claim=identity,
+            ),
+            io=IORef(arguments_ref=params_hash) if params_hash else None,
+            tool=ToolInfo(name=action.get("tool")) if action.get("tool") else None,
+            attributes=attributes,
+            source={"format": self.format},
+        )
+
+
+_DEFAULT_SOURCE = SignedActionReceiptSource()
+
+
+def receipt_to_event(
+    receipt: Dict[str, Any], *, agent_id_default: Optional[str] = None
+) -> ComplianceEvent:
+    """Verify + normalize a signed action receipt via the default receipt source."""
+    return _DEFAULT_SOURCE.verify_and_normalize(receipt, agent_id_default=agent_id_default)
+
+
+def sign_receipt(
+    key: KeySource,
+    *,
+    tool: str,
+    params_hash: str,
+    signer_name: str,
+    ts: str,
+    nonce: str,
+    target: Optional[str] = None,
+    owner: Optional[str] = None,
+    transport: Optional[str] = None,
+) -> Dict[str, Any]:
+    """Produce a signed Ed25519 action receipt.
+
+    Stands in for an upstream receipt producer in the demo and tests, and defines
+    the canonical signing bytes once so producer and verifier agree.
+    ``signer.pubkey`` and ``sig`` are base64.
+    """
+    receipt: Dict[str, Any] = {
+        "action": {"tool": tool, "params_hash": params_hash},
+        "signer": {
+            "pubkey": base64.b64encode(key.public_key_raw()).decode("ascii"),
+            "name": signer_name,
+        },
+        "ts": ts,
+        "nonce": nonce,
+    }
+    if target is not None:
+        receipt["action"]["target"] = target
+    if owner is not None:
+        receipt["signer"]["owner"] = owner
+    if transport is not None:
+        receipt["transport"] = transport
+    sig = key.sign(receipt_signing_bytes(receipt))
+    receipt["sig"] = base64.b64encode(sig).decode("ascii")
+    return receipt

openwright/adapters/sarif_in.py

@@ -0,0 +1,68 @@
+"""SARIF side-channel ingest (FR-ING-07).
+
+Consumes SARIF 2.1.0 findings from conformance/security scanners (e.g. a2a-tck,
+Cisco a2a-scanner) and attaches them as ``conformance_finding`` events to an
+agent. We *consume* scanner output; we do not re-implement scanning (OOS-03).
+SARIF is treated as untrusted input (FR-ING-10, NFR-SEC-01): structure is
+validated defensively and malformed entries are skipped, not crashed on.
+"""
+
+from __future__ import annotations
+
+from typing import Any, Dict, List, Optional
+
+from ..events import ComplianceEvent, EventKind
+
+
+def sarif_to_events(
+    sarif: Dict[str, Any],
+    *,
+    agent_id: str,
+    timestamp: str,
+    task_id: Optional[str] = None,
+) -> List[ComplianceEvent]:
+    """Convert a SARIF log into conformance-finding events (best-effort, safe)."""
+    events: List[ComplianceEvent] = []
+    if not isinstance(sarif, dict):
+        return events
+    runs = sarif.get("runs")
+    if not isinstance(runs, list):
+        return events
+
+    for run in runs:
+        if not isinstance(run, dict):
+            continue
+        driver = (((run.get("tool") or {}).get("driver")) or {})
+        tool_name = driver.get("name") if isinstance(driver, dict) else None
+        results = run.get("results")
+        if not isinstance(results, list):
+            continue
+        for res in results:
+            if not isinstance(res, dict):
+                continue
+            message = ""
+            if isinstance(res.get("message"), dict):
+                message = str(res["message"].get("text", ""))
+            locations = []
+            for loc in res.get("locations", []) if isinstance(res.get("locations"), list) else []:
+                phys = loc.get("physicalLocation", {}) if isinstance(loc, dict) else {}
+                art = phys.get("artifactLocation", {}) if isinstance(phys, dict) else {}
+                region = phys.get("region", {}) if isinstance(phys, dict) else {}
+                locations.append({"uri": art.get("uri"), "startLine": region.get("startLine")})
+            events.append(
+                ComplianceEvent(
+                    timestamp=timestamp,
+                    kind=EventKind.CONFORMANCE_FINDING,
+                    actor={"agent_id": agent_id},
+                    provenance={"task_id": task_id} if task_id else {},
+                    attributes={
+                        "tool": tool_name,
+                        "rule_id": res.get("ruleId"),
+                        "level": res.get("level", "warning"),
+                        "message": message,
+                        "locations": locations,
+                    },
+                    source={"format": "sarif"},
+                )
+            )
+    return events

openwright/anchor.py

@@ -0,0 +1,134 @@
+"""External anchoring + non-equivocation detection (B7, FR-ATT-08, V14).
+
+A single producer can *equivocate*: show one validly-signed history to party A
+and a divergent one to party B (a "split view"). Signatures alone don't prevent
+this — both views are signed by the producer's own key. The defense is to anchor
+every signed checkpoint to an **external append-only mechanism** that independent
+monitors read, so two inconsistent histories become simultaneously visible and a
+third party can *prove* the equivocation.
+
+This module provides:
+
+* :class:`TransparencyAnchor` — an append-only log of published checkpoints (a
+  stand-in for a public transparency-log gossip endpoint / witness network). The
+  producer publishes every checkpoint; monitors read all of them. A file-backed
+  variant persists across processes so independent observers share one view.
+* :func:`detect_equivocation` — given checkpoints gathered from the anchor and/or
+  different parties, returns an :class:`EquivocationProof` if the producer signed
+  two inconsistent tree heads, else ``None``.
+
+Two inconsistencies are caught:
+
+1. **Same ``tree_size``, different roots** — both validly signed: a direct fork.
+2. **Non-extension** — for sizes ``m < n``, a supplied consistency proof between
+   the two signed roots fails to verify (the larger tree does not extend the
+   smaller), i.e. history was rewritten.
+"""
+
+from __future__ import annotations
+
+import json
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Dict, List, Optional, Tuple
+
+from .merkle import verify_consistency
+from .signing import Checkpoint
+
+
+@dataclass
+class EquivocationProof:
+    """Self-contained evidence that a producer presented divergent histories."""
+
+    reason: str
+    tree_size: int
+    checkpoint_a: dict
+    checkpoint_b: dict
+
+
+class TransparencyAnchor:
+    """Append-only anchor of published checkpoints (in-memory or file-backed).
+
+    A file-backed anchor persists across processes, so independent observers
+    (producer + monitors) share exactly one append-only view.
+    """
+
+    def __init__(self, path: Optional[str] = None) -> None:
+        self.path = Path(path) if path else None
+        self._mem: List[dict] = []
+        if self.path is not None:
+            self.path.parent.mkdir(parents=True, exist_ok=True)
+            self.path.touch(exist_ok=True)
+
+    def publish(self, checkpoint: Checkpoint) -> None:
+        if self.path is None:
+            self._mem.append(checkpoint.model_dump())
+            return
+        with open(self.path, "a", encoding="utf-8") as fh:
+            fh.write(json.dumps(checkpoint.model_dump(), separators=(",", ":")) + "\n")
+
+    def checkpoints(self) -> List[dict]:
+        if self.path is None:
+            return list(self._mem)
+        with open(self.path, "r", encoding="utf-8") as fh:
+            return [json.loads(ln) for ln in fh if ln.strip()]
+
+
+def _is_validly_signed(cp: dict, public_key_raw: bytes) -> bool:
+    try:
+        return Checkpoint.model_validate(cp).verify(public_key_raw)
+    except Exception:  # noqa: BLE001
+        return False
+
+
+def detect_equivocation(
+    checkpoints: List[dict],
+    public_key_raw: bytes,
+    *,
+    consistency_proofs: Optional[Dict[Tuple[int, int], List[str]]] = None,
+) -> Optional[EquivocationProof]:
+    """Return proof of a split view among ``checkpoints``, or ``None`` if consistent.
+
+    Only checkpoints validly signed by ``public_key_raw`` are considered (a forged
+    checkpoint is not the producer equivocating). ``consistency_proofs`` maps
+    ``(smaller_size, larger_size)`` to the producer-supplied proof hex; any pair
+    whose proof fails to verify is an equivocation.
+    """
+    valid = [cp for cp in checkpoints if _is_validly_signed(cp, public_key_raw)]
+
+    # 1. Two signed checkpoints at the same size with different roots = a fork.
+    by_size: Dict[int, dict] = {}
+    for cp in valid:
+        sz = int(cp["tree_size"])
+        prev = by_size.get(sz)
+        if prev is not None and prev["root_hash"] != cp["root_hash"]:
+            return EquivocationProof(
+                "two signed checkpoints at the same tree_size have different roots",
+                sz,
+                prev,
+                cp,
+            )
+        by_size[sz] = cp
+
+    # 2. A supplied consistency proof that fails = a rewritten (non-extending) history.
+    if consistency_proofs:
+        for (m, n), proof in consistency_proofs.items():
+            a, b = by_size.get(m), by_size.get(n)
+            if a is None or b is None or m >= n:
+                continue
+            ok = verify_consistency(
+                m,
+                n,
+                bytes.fromhex(a["root_hash"]),
+                bytes.fromhex(b["root_hash"]),
+                [bytes.fromhex(h) for h in proof],
+            )
+            if not ok:
+                return EquivocationProof(
+                    "consistency proof between two signed checkpoints does not verify "
+                    "(history was rewritten, not extended)",
+                    n,
+                    a,
+                    b,
+                )
+    return None

openwright/authz.py

@@ -0,0 +1,68 @@
+"""Authorization for who may write evidence vs. generate reports (NFR-SEC-04).
+
+A small capability model with segregation of duties: the party that *writes
+evidence* need not be the party that *generates reports*, and neither need hold
+the checkpoint signing key. Authorization is opt-in — pass a ``principal`` +
+``Authorizer`` to the SDK / report builder to enforce it; omit them to run
+unauthenticated (the default, e.g. for the demo). The collector supports
+optional bearer-token authentication mapping tokens to principals.
+"""
+
+from __future__ import annotations
+
+import enum
+from dataclasses import dataclass, field
+from typing import Dict, Optional, Set
+
+
+class Capability(str, enum.Enum):
+    WRITE_EVIDENCE = "write_evidence"
+    GENERATE_REPORT = "generate_report"
+    ADMIN = "admin"
+
+
+class AuthorizationError(PermissionError):
+    pass
+
+
+@dataclass(frozen=True)
+class Principal:
+    id: str
+    capabilities: frozenset = field(default_factory=frozenset)
+
+    def has(self, cap: Capability) -> bool:
+        return Capability.ADMIN in self.capabilities or cap in self.capabilities
+
+
+class Authorizer:
+    """Enforces capabilities. With no principal supplied, enforcement is off."""
+
+    def require(self, principal: Optional[Principal], capability: Capability) -> None:
+        if principal is None:
+            return  # unauthenticated mode (opt-in auth)
+        if not principal.has(capability):
+            raise AuthorizationError(
+                f"principal {principal.id!r} lacks capability {capability.value!r}"
+            )
+
+
+class TokenAuthority:
+    """Maps opaque bearer tokens to principals for the collector (NFR-SEC-04)."""
+
+    def __init__(self, tokens: Optional[Dict[str, Principal]] = None) -> None:
+        self._tokens = dict(tokens or {})
+
+    def add(self, token: str, principal: Principal) -> None:
+        self._tokens[token] = principal
+
+    def principal_for(self, token: Optional[str]) -> Optional[Principal]:
+        if not token:
+            return None
+        return self._tokens.get(token)
+
+    def authorize_bearer(self, authorization_header: Optional[str], capability: Capability) -> bool:
+        token = None
+        if authorization_header and authorization_header.lower().startswith("bearer "):
+            token = authorization_header[7:].strip()
+        principal = self.principal_for(token)
+        return principal is not None and principal.has(capability)

openwright/browser_verifier.py

@@ -0,0 +1,197 @@
+"""OpenWright standalone verifier — ONE file, ZERO third-party dependencies.
+
+This is the auditable root of trust in its purest form (FR-VER-03): pure Python,
+standard library only, no `cryptography`, no network. It runs in CPython and,
+unchanged, inside a stock WASM Python (Pyodide) in the browser (FR-VER-04 [P2],
+see verifier.html). It is intentionally self-contained so a reviewer can read the
+entire trust-critical surface in a single file.
+
+It verifies a OpenWright signed report against its signed checkpoint:
+  * report + checkpoint Ed25519 signatures (pure-Python RFC 8032 verification),
+  * every event's leaf hash recomputed from hash-only content (no raw payloads),
+  * every inclusion proof against the signed root, and the full-tree root,
+  * that cited evidence events are present.
+
+Usage (CLI):  python openwright_verifier.py report.json public_key.pem
+"""
+
+import base64
+import hashlib
+import json
+import sys
+
+# --- canonical JSON (RFC 8785 / JCS-compatible subset; must match producer) ---
+
+def _clean(obj):
+    if isinstance(obj, dict):
+        return {k: _clean(v) for k, v in obj.items() if v is not None}
+    if isinstance(obj, (list, tuple)):
+        return [_clean(v) for v in obj]
+    if isinstance(obj, float):
+        raise ValueError("floats are not allowed in canonical evidence")
+    return obj
+
+def canonical_bytes(obj):
+    return json.dumps(_clean(obj), sort_keys=True, separators=(",", ":"),
+                      ensure_ascii=False, allow_nan=False).encode("utf-8")
+
+# --- RFC 6962 Merkle verification ---
+
+def _leaf_hash(data):       return hashlib.sha256(b"\x00" + data).digest()
+def _node_hash(l, r):       return hashlib.sha256(b"\x01" + l + r).digest()
+
+def _largest_pow2_lt(n):
+    k = 1
+    while k * 2 < n:
+        k *= 2
+    return k
+
+def _tree_hash(leaves):
+    n = len(leaves)
+    if n == 0:
+        return hashlib.sha256(b"").digest()
+    if n == 1:
+        return leaves[0]
+    k = _largest_pow2_lt(n)
+    return _node_hash(_tree_hash(leaves[:k]), _tree_hash(leaves[k:]))
+
+def _verify_inclusion(leaf_index, tree_size, leaf, proof, root):
+    if leaf_index >= tree_size or leaf_index < 0:
+        return False
+    fn, sn, r = leaf_index, tree_size - 1, leaf
+    for p in proof:
+        if sn == 0:
+            return False
+        if (fn & 1) == 1 or fn == sn:
+            r = _node_hash(p, r)
+            if (fn & 1) == 0:
+                while (fn & 1) == 0 and fn != 0:
+                    fn >>= 1
+                    sn >>= 1
+        else:
+            r = _node_hash(r, p)
+        fn >>= 1
+        sn >>= 1
+    return sn == 0 and r == root
+
+# --- pure-Python Ed25519 verification (RFC 8032) ---
+
+_P = 2**255 - 19
+_LO = 2**252 + 27742317777372353535851937790883648493
+def _inv(x): return pow(x, _P - 2, _P)
+_D = (-121665 * _inv(121666)) % _P
+_II = pow(2, (_P - 1) // 4, _P)
+def _xrecover(y):
+    xx = (y * y - 1) * _inv(_D * y * y + 1)
+    x = pow(xx, (_P + 3) // 8, _P)
+    if (x * x - xx) % _P != 0:
+        x = (x * _II) % _P
+    if x % 2 != 0:
+        x = _P - x
+    return x
+_BY = (4 * _inv(5)) % _P
+_B = (_xrecover(_BY) % _P, _BY)
+def _add(p1, p2):
+    x1, y1 = p1; x2, y2 = p2
+    x3 = (x1 * y2 + x2 * y1) * _inv(1 + _D * x1 * x2 * y1 * y2) % _P
+    y3 = (y1 * y2 + x1 * x2) * _inv(1 - _D * x1 * x2 * y1 * y2) % _P
+    return (x3, y3)
+def _mul(point, e):
+    result, addend = (0, 1), point
+    while e > 0:
+        if e & 1:
+            result = _add(result, addend)
+        addend = _add(addend, addend)
+        e >>= 1
+    return result
+def _on_curve(point):
+    x, y = point
+    return (-x * x + y * y - 1 - _D * x * x * y * y) % _P == 0
+def _decodepoint(s):
+    val = int.from_bytes(s, "little")
+    y = val & ((1 << 255) - 1)
+    x = _xrecover(y)
+    if (x & 1) != ((val >> 255) & 1):
+        x = _P - x
+    point = (x, y)
+    if not _on_curve(point):
+        raise ValueError("bad point")
+    return point
+def ed25519_verify(public_key, signature, message):
+    if len(signature) != 64 or len(public_key) != 32:
+        return False
+    try:
+        R = _decodepoint(signature[:32]); A = _decodepoint(public_key)
+    except Exception:
+        return False
+    S = int.from_bytes(signature[32:], "little")
+    if S >= _LO:
+        return False
+    h = int.from_bytes(hashlib.sha512(signature[:32] + public_key + message).digest(), "little") % _LO
+    return _mul(_B, S) == _add(R, _mul(A, h))
+
+def pubkey_raw_from_pem(pem):
+    body = "".join(line for line in pem.splitlines() if "-----" not in line)
+    der = base64.b64decode(body)
+    return der[-32:]  # Ed25519 SPKI ends with the 32-byte raw key
+
+# --- report verification ---
+
+def _key_id(pub):  return "ed25519:" + hashlib.sha256(pub).hexdigest()[:32]
+
+def verify_report(report, trusted_public_key_raw):
+    checks, valid = [], True
+    def chk(name, ok):
+        nonlocal valid
+        checks.append((name, ok))
+        valid = valid and ok
+
+    sig = report.get("signature", {})
+    chk("report_signature", ed25519_verify(
+        trusted_public_key_raw, base64.b64decode(sig.get("signature", "")),
+        canonical_bytes({k: v for k, v in report.items() if k != "signature"})))
+
+    cp = report.get("checkpoint", {})
+    cp_bytes = canonical_bytes({"origin": cp.get("origin"), "root_hash": cp.get("root_hash"),
+                                "timestamp": cp.get("timestamp"), "tree_size": cp.get("tree_size")})
+    chk("checkpoint_signature", ed25519_verify(trusted_public_key_raw,
+        base64.b64decode(cp.get("signature", "")), cp_bytes)
+        and cp.get("public_key_id") == _key_id(trusted_public_key_raw))
+
+    root = bytes.fromhex(cp["root_hash"]); n = int(cp["tree_size"])
+    leaves, leaf_ok, incl_ok, present = {}, True, True, set()
+    for item in report.get("events", []):
+        ev = item.get("event", {}); idx = item.get("leaf_index")
+        present.add(ev.get("event_id"))
+        recomputed = _leaf_hash(canonical_bytes({k: v for k, v in ev.items() if k != "ledger"}))
+        stored = item.get("leaf_hash", "")
+        if recomputed != bytes.fromhex(stored.split(":")[-1] if stored else ""):
+            leaf_ok = False
+        if not _verify_inclusion(idx, n, recomputed, [bytes.fromhex(h) for h in item.get("inclusion_proof", [])], root):
+            incl_ok = False
+        leaves[idx] = recomputed
+    chk("event_leaf_hashes", leaf_ok)
+    chk("inclusion_proofs", incl_ok)
+    if len(leaves) == n and all(i in leaves for i in range(n)):
+        chk("full_tree_root", _tree_hash([leaves[i] for i in range(n)]) == root)
+
+    ev_ok = all(eid in present for c in report.get("controls", []) for eid in c.get("evidence_event_ids", []))
+    chk("evidence_events_present", ev_ok)
+    return valid, checks
+
+
+def main(argv):
+    if len(argv) != 3:
+        print("usage: python openwright_verifier.py report.json public_key.pem")
+        return 2
+    report = json.load(open(argv[1]))
+    pub = pubkey_raw_from_pem(open(argv[2]).read())
+    valid, checks = verify_report(report, pub)
+    print("VALID:", valid)
+    for name, ok in checks:
+        print(f"  [{'OK' if ok else 'FAIL'}] {name}")
+    return 0 if valid else 1
+
+
+if __name__ == "__main__":
+    sys.exit(main(sys.argv))