Verify the monthly Audit Pack offline
Client emails you a .jsonl.gz + .pdf + .sig. How do you know the PDF comes from the monsys runtime, not from the client's editor?
- Sidebar → Audit Packs
- Download .jsonl.gz + .sig for the month
- Click 'Download verify-CLI'
- Run CLI locally — green checkmarks
↳ manifest_hash, hash chain root, and Ed25519 signature all live in the same .sig file. Independently validatable.
Same via API (bash) — for automation
wget https://get.monsys.ai/monsys-verify-eat-linux-x64
chmod +x monsys-verify-eat-linux-x64
./monsys-verify-eat-linux-x64 verify-pack \
--pack 2026-04.jsonl.gz \
--sig 2026-04.sig \
--pubkey https://transparency.monsys.ai/pubkeys/hub.pub
# ✓ manifest_hash matches signature
# ✓ hash chain root matches manifest
# ✓ Ed25519 signature valid against pubkey 7c34a9e2b1f0…
# ✓ 1247 entries in pack, 0 tampered