Verify a Passport capsule
Every SBO3L decision is wrapped in a Passport capsule — a
self-contained, offline-verifiable proof artifact. This page
runs the same Rust verifier the CLI ships, compiled to
WebAssembly. You don't trust this server; you trust the bytes
of sbo3l_core_bg.wasm we serve, and you can verify
that bytes match the published sbo3l-core
crate yourself.
What "install" does: adds a desktop / home-screen
launcher that opens this verifier in its own window. The
WebAssembly verifier (sbo3l_core_bg.wasm) is cached
offline by the service worker, so you can verify capsules
without network after the first load.
Chrome / Edge / Opera (desktop): click the Install button above, or look for the install icon (⊕ / ⤓) in the address bar. If the button shows a fallback message instead of a native dialog, your browser is suppressing the prompt — use the address-bar icon directly.
Brave (desktop): Brave waits for ~30 s of page
engagement before beforeinstallprompt fires. Click
anywhere on the page, scroll, paste a capsule, then click
Install — the native dialog should appear. Or open
⋮ menu → Install SBO3L Verify…
Safari (iOS): tap the Share button, then "Add to Home Screen". You'll get an offline-capable launcher.
Safari (macOS): File menu → "Add to Dock…" (Safari 17+).
Firefox: no built-in PWA install. Bookmark the page; the verifier still runs offline once cached by the SW.
Visual reference: the SBO3L Passport spread. Left page carries agent identity + the six cryptographic check seals; right page stamps the decision. The verifier on this page runs the same six checks against any capsule JSON you paste below.
Verify a SBO3L Passport capsule
Paste a capsule JSON and click Verify. The verifier runs entirely
in your browser via the sbo3l-core
Rust crate compiled to WebAssembly — no daemon, no network call.
v2 capsules with embedded policy_snapshot and
audit_segment verify all 6 cryptographic checks
self-contained; v1 capsules pass the structural and request-hash
checks and honestly report the others as SKIPPED.
No capsule? Click Load sample capsule above to drop in a known-good v2 capsule (mainnet ENS agent · KeeperHub executor · 6/6 checks pass), then click Verify. Or browse /kh-fleet for 5 real Passport capsules from a live KeeperHub workflow run; each row's "Verify →" link deep-pastes the capsule into this verifier.
What gets checked
A v2 self-contained capsule embeds policy.policy_snapshot
and audit.audit_segment; the verifier runs all 6 checks
with no aux input:
- structural — schema + cross-field invariants (deny ⇒ no execution, live mode ⇒ evidence, hash agreement, etc.)
- request_hash_recompute — JCS+SHA-256 of the embedded APRP equals the claimed
request_hash - policy_hash_recompute — JCS+SHA-256 of the embedded policy equals the claimed
policy_hash - receipt_signature — Ed25519 signature on the embedded receipt verifies against the embedded receipt-signer pubkey
- audit_chain — the embedded audit-bundle's chain segment verifies (signatures + prev-hash linkage)
- audit_event_link — the bundle's
summary.audit_event_idmatches the capsule'saudit.audit_event_idand is present in the chain segment
v1 capsules pass the structural and request-hash checks; the remaining four show as SKIPPED because the capsule doesn't carry the embedded crypto material. That's an honest report — never a fake-OK.
Source: crates/sbo3l-core/src/passport.rs (wasm.rs for the JS bridge, scripts/build-wasm-verifier.sh for the build pipeline).