Verify us. Don't just trust us.
A trust authority that hides its own record is a rubber stamp. This is the public, auditable evidence behind Queldrex: how accurate our detection actually is, a tamper-evident log of every consequential act, the tools we have revoked, and the key you use to check any receipt yourself.
Measured accuracy
Our deterministic detector over a labeled attack dataset in the repo. Reproducible: anyone can rerun it and get the same numbers.
Measured on 96 cases (63 attacks, 33 benign). The live product adds an AI-judge layer that catches the subtler attacks this deterministic score intentionally omits. See the full benchmark.
Tamper-evident ledger
chain intact ✓Every consequential act, a revocation or a blocked tool call, is hash-chained AND individually signed: each entry seals the one before it and carries an Ed25519 signature, so neither a quiet edit nor a database compromise can alter a past record without breaking the chain or the signature. 16 entries recorded. Recompute it yourself from /api/trust/ledger.
Head #7 was timestamped by an independent authority (sectigo) on 7/10/2026, 9:28:59 PM. A third party who distrusts us can confirm this root existed then, so we cannot back-date or rewind it. The RFC3161 token is in /api/trust/ledger.
Revocation list
Tool versions we have condemned, and why. Publishing our "no" is what keeps an issuer-paid authority honest. Full list at /api/trust/revocations.
Verify a receipt
Every verdict we issue is a signed Trust Receipt. Paste one's id to check its signature and current standing.
Signing key
Receipts are signed with this Ed25519 key. Check a receipt against it to confirm it is genuinely ours, with no need to trust this server. Machine-readable at /api/trust/pubkey. The format is an open spec with a zero-dependency verifier (@queldrex/verify) so anyone can check a receipt offline.