agef-verify
Documented for Akmon 2.2.0.
Who this is for
Auditors, compliance reviewers, and CI pipelines that must verify an AGEF .akmon bundle
without installing or running the Akmon agent CLI. agef-verify is a minimal binary that
depends only on akmon-bundle (manifest, framing, objects, and store-independent integrity
checks).
What you will have at the end
- Confirmation that a portable bundle's objects, event chain, and manifest head are internally consistent, or a structured list of violations.
Prerequisites
- A
.akmonbundle file on disk.
Usage
agef-verify /path/to/audit.akmon
agef-verify /path/to/audit.akmon --format json
Optional flags:
--allow-extra-files: tolerate unknown files inside the archive (same semantics asakmon bundle import).--format human|json: defaulthuman.
Operator identity (--operator-key)
agef-verify checks operator attestations recorded by akmon bundle attest
with the same flags as akmon bundle verify:
--operator-key <HEX_FILE>: a trusted operator Ed25519 public key (64 hex chars). Repeatable. Eachmanifest.operator_attestations[]entry is verified against the supplied keys.--require-operator: fail (exit 1) unless at least one operator attestation verifies against an--operator-key.--require-operator-key <HEX_FILE>: fail unless that specific key has a verified attestation. Repeatable; each listed key is also trusted for verification.
"Verified" attaches to the key, not the name. The JSON carries the self-asserted
operator_id/role/org strings verbatim, but the only trust signal is the distinct boolean
operator_key_verified (true only for outcome verified against a key you supplied). Trust in the
name is out-of-band.
agef-verify /path/to/audit.akmon --operator-key operator.pub.hex --require-operator --format json
Exit codes
| Code | Meaning |
|---|---|
0 | Bundle passed all integrity checks |
1 | Bundle read succeeded but verification failed (or non-I/O parse/integrity error) |
3 | I/O or environment error (path not found, not a file, cannot render JSON) |
JSON output
--format json emits BundleVerifyReportV1, the same shape as
akmon bundle import --verify-only --format json, so automation can share jq filters. The
akmon_version field carries the agef-verify crate version.
agef-verify /path/to/audit.akmon --format json | jq '.passed'
Infrastructure errors (cannot open or parse the archive) emit VerifyInfraErrorV1 with
tool: "agef-verify".
Relation to Akmon
| Tool | Scope |
|---|---|
akmon verify <session-id> | On-disk journal / redb store |
akmon bundle verify | Same bundle checks as agef-verify, embedded in Akmon |
akmon bundle import --verify-only | Legacy alias of bundle verify |
agef-verify | Bundle file only; no journal, no agent |