Learning Objectives
By the end of this module, you will be able to:
- Explain the cryptographic verification pipeline and its 18 result states
- Describe safety attestation and why it matters for trust
- Implement bundle revocation and understand its propagation
- GOVERNANCE Articulate VCP's audit guarantees for regulatory compliance
6.1 — The Verification Pipeline in Practice
DEV The VCP verification pipeline runs every check within a 600ms time budget. If verification takes longer, it returns VERIFICATION_TIMEOUT rather than silently proceeding.
from vcp import Orchestrator, TrustConfig
orchestrator = Orchestrator(trust_config=TrustConfig(
trusted_issuers=["org:mercy_hospital"],
trusted_auditors=["auditor:ethics_board"],
))
result = orchestrator.verify(bundle)
match result.status:
case "VALID":
print("Bundle verified — safe to apply")
case "REVOKED":
print("Bundle has been revoked — do not apply")
case "EXPIRED":
print("Bundle has expired — request a fresh one")
case "INVALID_SIGNATURE":
print("Signature check failed — bundle may be tampered")
case "HASH_MISMATCH":
print("Content hash doesn't match — content was altered")
case "REPLAY_DETECTED":
print("This bundle JTI has been seen before — replay attack")
case "UNTRUSTED_ISSUER":
print("Issuer is not in the trusted issuers list")
case _:
print(f"Verification failed: {result.status}")The 18 verification states:
| # | State | Category | Meaning |
|---|---|---|---|
| 0 | VALID | Success | All checks passed |
| 1 | SIZE_EXCEEDED | Configuration | Manifest or content too large |
| 2 | INVALID_SCHEMA | Configuration | Missing required fields |
| 3 | UNTRUSTED_ISSUER | Security | Issuer not in trust configuration |
| 4 | INVALID_SIGNATURE | Security | Issuer signature verification failed |
| 5 | UNTRUSTED_AUDITOR | Security | Auditor not in trust configuration |
| 6 | INVALID_ATTESTATION | Security | Attestation signature verification failed |
| 7 | HASH_MISMATCH | Security | Content hash doesn't match manifest |
| 8 | NOT_YET_VALID | Temporal | Bundle before its nbf timestamp |
| 9 | EXPIRED | Temporal | Bundle past its exp timestamp |
| 10 | FUTURE_TIMESTAMP | Temporal | iat timestamp too far in the future |
| 11 | REPLAY_DETECTED | Security | JTI already seen (prevents replay attacks) |
| 12 | TOKEN_MISMATCH | Configuration | Reserved |
| 13 | BUDGET_EXCEEDED | Configuration | Token count exceeds model context budget |
| 14 | SCOPE_MISMATCH | Configuration | Model, purpose, or environment not in allowed scope |
| 15 | REVOKED | Temporal | Bundle revoked via Certificate Revocation List |
| 16 | FETCH_FAILED | Transient | Revocation check unreachable |
| 17 | VERIFICATION_TIMEOUT | Transient | Exceeded 600ms verification budget |
6.2 — Safety Attestation
A single signature proves who issued the values. Safety attestation adds who independently verified them.
Why this matters:
- An organisation writes their AI constitution (issuer signature)
- An independent auditor reviews the content for safety (auditor signature)
- AI systems can verify both signatures and enforce policies like "only apply constitutions that have been independently audited"
VCP supports several attestation types:
| Type | Purpose |
|---|---|
INJECTION_SAFE | Content has been scanned for prompt injection |
CONTENT_SAFE | General content safety review |
FULL_AUDIT | Comprehensive audit of all constitutional claims |
METTLE_VERIFICATION | Verified via METTLE (inverse Turing test) |
METTLE_GEOMETRIC | METTLE verification with KV-cache geometry proof (open-weight models only) |
BILATERAL_VERIFIED | Verified through bilateral alignment process |
6.3 — Revocation
When values change — an organisation updates their principles, a vulnerability is found in a constitution, or an employee leaves — the old bundle must be revoked immediately.
VCP revocation uses Certificate Revocation Lists (CRLs):
{
"bundle_id": "b_healthcare_v3",
"jti": "550e8400-e29b-41d4-a716-446655440000",
"revoked_at": "2026-02-28T15:30:00Z",
"reason": "Updated patient interaction guidelines"
}The verification pipeline checks revocation status for every bundle. If a bundle has been revoked, verification returns REVOKED regardless of whether the signature and content are still valid.
Stapled proofs allow offline verification — the revocation status is bundled with the attestation so systems don't need to call home to check. When connectivity returns, the stapled proof is refreshed.
6.4 — What This Means for Governance
GOVERNANCE VCP's verification architecture provides:
- Provenance — Cryptographic proof of who authored which values, signed with Ed25519 keys
- Integrity — Tamper-evident SHA-256 content hashing
- Timeliness — Expiry (
exp), not-before (nbf), and revocation ensure stale values don't persist - Accountability — Immutable hash-chain audit trail of what values were active during every interaction
- Independent oversight — Safety attestation enables third-party review with cryptographic proof
- Budget transparency — Token budgets ensure constitutions don't silently consume the model's context window
For regulatory compliance (EU AI Act, sector-specific regulations), this means organisations can demonstrate exactly what values governed their AI's behaviour at any point in time.
Exercise
DEV Implement a verification check in your chat app that refuses to proceed if the active constitution fails verification. Test it by manually expiring a bundle.
Verification is the mechanism that transforms constitutional values from aspirational text into enforceable, auditable commitments.
See It in Action
The Marta demo shows VCP's liveness verification — how tokens are validated and how the system responds when verification fails.