kolm / verify
Drop a .kolm file below. We parse the manifest, recompute the CID, check the HMAC chain, and replay the K-score gate — all in your browser. Nothing leaves the page.
Works on artifacts of any size up to 200 MB. We never upload the file; the entire check runs on your CPU.
Drop a .kolm file here
or click to pick a file
Parse manifest.json. Confirm RS-1 schema version. Read declared model + adapter + verifier.
SHA-256 every file. Sort by canonical JSON. Recompute cidv1:sha256:hex(manifest). Match against declared CID.
Walk the receipt chain. Verify HMAC-SHA256 over (cid, input_sha, output_sha, ts) using the public verifier key.
Recompute K = 0.40·A + 0.15·S + 0.15·L + 0.15·C + 0.15·V from the eval block. Check the gate.
Confirm builder, base model digest, training timestamp, compile container image hash.
Verify the issuer signature against the kolm issuer pubkey baked into this page.
The CLI verifier is for compilers and operators. kolm-verify in the browser is for the auditor, the procurement reviewer, the insurance underwriter, the regulator. People who want to confirm an artifact is what it claims to be, without installing anything.
Same verification code path. Free forever. Works offline (download the page, run from a USB stick).
The verifier uses crypto.subtle.digest, FileReader, and a stdlib ZIP reader. No external scripts, no upload, no installer. We've tested it on:
Chrome 119+, Edge 119+, Firefox 121+, Safari 17+ on macOS, Windows 10/11, Ubuntu 22.04+.
iOS Safari 17+ (iOS 17.4+), Chrome on Android 10+. Drop a .kolm from Files / Photos / Downloads.
Save the page (right-click · Save As), copy to USB / air-gap network, open the .html locally. Same checks, no network.
Install the CLI and gate your release on it:
npm i -g github:sneaky-hippo/kolmogorov-stack kolm verify path/to/artifact.kolm # OK signature OK, K=0.982, receipt chain intact
Or use our GitHub Action to block a PR merge on K-score regression.