Phase 2D -- Public Registry

Compliance Oracle & Attestation Pool

Your team scans the code. ML-DSA-65 signs the proof. The registry makes it independently verifiable. Three parties. Zero trust required.

# Scan, sign, and publish in one command
$ air-blackbox attest create --publish --name "My AI System"

# Output:
# Published! Registry accepted the attestation.
# Verify: https://airblackbox.ai/verify/air-att-2026-04-12-a7f3c2e1
# Badge: https://airblackbox.ai/badge/air-att-2026-04-12-a7f3c2e1

Three-Party Trust

No single party controls the proof. The architecture makes collusion structurally difficult.

Party 1 -- Provider

Your Team

Runs the scan. Holds the private key. Signs the attestation record with ML-DSA-65 (FIPS 204, quantum-safe). The signature proves the scan results came from your key and have not been modified.

Party 2 -- Verifier

Deployer / Regulator

Clicks the verify link or fetches the API. Sees scan results, cryptographic proof, and evidence hashes. Can independently confirm the signature without trusting the provider or the registry.

Party 3 -- Oracle

AIR Blackbox Registry

Stores the signed attestation. Serves the verification page and SVG badge. Cannot forge signatures (does not hold your private key). Provides availability, not authority.


How It Works

From scan to publicly verifiable proof in four steps.

1. Hash + Scan

The CLI hashes your codebase (SHA-256) and runs compliance checks across all selected frameworks (EU AI Act, ISO 42001, NIST AI RMF, Colorado SB 24-205).

2. Build Attestation Record

Results are assembled into a structured record: system hash, check counts, framework list, scanner version, evidence bundle hash, and timestamps. Schema version 1.0.

3. Sign with ML-DSA-65

The record is serialized to canonical bytes and signed with your ML-DSA-65 private key. The signature, algorithm, and public key fingerprint are embedded in the record.

4. Publish to Registry

With --publish, the signed record is POSTed to the public registry. The registry validates the schema, checks for duplicates, and returns a verification URL and embeddable badge.


Attestation Schema

What the registry stores. No source code. No secrets. Only proof.

Record Fields

attestation_id                 air-att-2026-04-12-a7f3c2e1
schema_version                 1.0
subject.system_hash            SHA-256 of scanned codebase
subject.system_name            Human-readable name
scan.frameworks                ["eu", "iso42001", "nist", "colorado"]
scan.checks_passed             35
scan.checks_total              51
crypto.algorithm               ML-DSA-65
crypto.signature               Hex-encoded ML-DSA-65 signature
crypto.public_key_fingerprint  SHA-256 of public key
evidence.bundle_hash           SHA-256 of .air-evidence ZIP
evidence.audit_chain_hash      HMAC-SHA256 chain head

API Reference

Three endpoints. All public. No authentication required for reads.

POST /api/attest

Publish a signed attestation record. The registry validates the schema, verifies check count math, requires a cryptographic signature, and rejects duplicates. Max body size: 100KB. Records expire after 2 years.

GET /api/attest?id=air-att-...

Retrieve a raw attestation record as JSON. Returns the full record including cryptographic proof for programmatic verification.

GET /verify/air-att-...

Human-readable verification page. Shows scan summary, system info, cryptographic proof details, and an embeddable badge with copy-to-clipboard markdown.

GET /badge/air-att-...

SVG badge for embedding in READMEs, websites, and CI/CD dashboards. Green for all checks passed, yellow for warnings, blue for multi-framework attestations. Cached for 5 minutes.
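
The acceptance checks listed for POST /api/attest (body size, schema, check count math, signature presence, duplicates), written out as an added example; this is not the registry's or the CLI's own code. The nested JSON layout, lowercase hex, the ID pattern and the names `field` and `validate_attestation` are assumptions, and the signature is only shape-checked, because verifying it needs an ML-DSA-65 library and the signer's public key.

```python
import json
import re

MAX_BODY = 100 * 1024  # "Max body size: 100KB", assumed to mean 100 * 1024 bytes
ID_RE = re.compile(r"air-att-\d{4}-\d{2}-\d{2}-[0-9a-f]{8}")  # shape inferred from the sample ID
HEX64 = re.compile(r"[0-9a-f]{64}")      # SHA-256 / HMAC-SHA256 output, lowercase hex assumed
SIG_HEX = re.compile(r"[0-9a-f]{6618}")  # ML-DSA-65 signatures are 3309 bytes (FIPS 204)
DIGESTS = ("subject.system_hash", "crypto.public_key_fingerprint", "evidence.bundle_hash", "evidence.audit_chain_hash")

def field(rec, dotted):  # look up "a.b" in nested dicts (assumed layout); None if absent
    for key in dotted.split("."):
        rec = rec.get(key) if isinstance(rec, dict) else None
    return rec

def validate_attestation(body: bytes, seen_ids: set) -> list:
    """Return rejection reasons; an empty list means the record is accepted."""
    if len(body) > MAX_BODY:
        return ["body larger than 100KB"]
    try:
        rec = json.loads(body)
    except (ValueError, RecursionError):  # malformed, non-UTF-8 or absurdly nested input
        return ["body is not valid JSON"]
    errors = []
    att_id = field(rec, "attestation_id")
    if not (isinstance(att_id, str) and ID_RE.fullmatch(att_id)):
        errors.append("attestation_id malformed")
    elif att_id in seen_ids:
        errors.append("duplicate attestation_id")
    if field(rec, "schema_version") != "1.0":
        errors.append("unsupported schema_version")
    for name in DIGESTS:
        value = field(rec, name)
        if not (isinstance(value, str) and HEX64.fullmatch(value)):
            errors.append(name + " is not a 64-character hex digest")
    passed, total = field(rec, "scan.checks_passed"), field(rec, "scan.checks_total")
    if not (type(passed) is int and type(total) is int and 0 <= passed <= total):
        errors.append("check counts inconsistent")
    sig = field(rec, "crypto.signature")  # shape check only; the signature is not verified here
    if field(rec, "crypto.algorithm") != "ML-DSA-65" or not (isinstance(sig, str) and SIG_HEX.fullmatch(sig)):
        errors.append("missing or malformed ML-DSA-65 signature")
    if not errors:
        seen_ids.add(att_id)
    return errors

# Constructed sample record; every value below is made up for this example.
SAMPLE = {"attestation_id": "air-att-2026-04-12-a7f3c2e1", "schema_version": "1.0",
          "subject": {"system_hash": "a" * 64, "system_name": "My AI System"},
          "scan": {"frameworks": ["eu", "iso42001"], "checks_passed": 35, "checks_total": 51},
          "crypto": {"algorithm": "ML-DSA-65", "signature": "ab" * 3309, "public_key_fingerprint": "b" * 64},
          "evidence": {"bundle_hash": "c" * 64, "audit_chain_hash": "d" * 64}}
```

A verifier reading a record back from GET /api/attest can run the same shape checks before verifying the signature against a public key whose SHA-256 matches `crypto.public_key_fingerprint`.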


Embeddable Badges

Show compliance status anywhere. One line of markdown.

AIR Attested: EU+ISO | 46/51
[![AIR Attested](https://airblackbox.ai/badge/air-att-2026-04-12-a7f3c2e1)](https://airblackbox.ai/verify/air-att-2026-04-12-a7f3c2e1)
Markdown -- paste into any README or documentation

Start Publishing Attestations

Install the scanner. Generate keys. Scan and publish.

$ pip install air-blackbox
$ air-blackbox sign --keygen
$ air-blackbox attest create --publish --name "My AI System"