Documentation
GuardSpine Docs
Technical reference for GuardSpine's open-source components. All packages are Apache 2.0 licensed with zero telemetry.
guardspine-kernel
Offline evidence-bundle verification and sealing with zero runtime dependencies. The trust anchor for the entire ecosystem.
API Reference
sealBundle(items): Takes evidence items (each with item_id, content_type, content), returns sealed items with SHA-256 content hashes and an immutabilityProof containing the root hash. Uses canonical JSON serialization (RFC 8785).
verifyBundle(bundle): Validates a sealed bundle's integrity. Returns { valid: boolean, errors: Error[] }. Checks every item's content hash and that the hash chain is unbroken. Works entirely offline.
computeContentHash(obj): Returns a sha256:-prefixed hash string from the canonical JSON representation of any object.
canonicalJson(obj): Serializes objects per RFC 8785 with sorted keys, producing deterministic output regardless of property insertion order.
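Why canonical serialization matters for content hashes, as an added example (not code from guardspine-kernel): an RFC 8785-style canonicalizer for plain JSON values, a sha256:-prefixed hash over it, and an offline recheck that reports which items changed after sealing. The function names, the `content_hash` field, the hex digest encoding and the choice to hash each item's `content` are assumptions.

```javascript
const crypto = require("node:crypto");

// RFC 8785-style canonical form: object keys sorted by UTF-16 code units,
// no insignificant whitespace, ECMAScript serialization of strings and numbers.
function canonicalize(value) {
  if (value === null || typeof value !== "object") {
    if (typeof value === "number" && !Number.isFinite(value)) {
      throw new TypeError("NaN and Infinity have no JSON representation");
    }
    const s = JSON.stringify(value);
    if (s === undefined) throw new TypeError("value is not JSON-serializable");
    return s;
  }
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  const members = Object.keys(value)
    .sort() // default comparator orders by UTF-16 code units
    .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k]));
  return "{" + members.join(",") + "}";
}

// Assumption: lowercase hex digest after the "sha256:" prefix.
function contentHash(obj) {
  const digest = crypto.createHash("sha256").update(canonicalize(obj), "utf8").digest("hex");
  return "sha256:" + digest;
}

// Assumption: each sealed item stores the hash of its `content` in `content_hash`.
function seal(items) {
  return items.map((it) => ({ ...it, content_hash: contentHash(it.content) }));
}

// Recompute every hash offline and return the item_ids that no longer match.
function findTampered(sealedItems) {
  return sealedItems
    .filter((it) => contentHash(it.content) !== it.content_hash)
    .map((it) => it.item_id);
}

// Constructed sample items.
const sealed = seal([
  { item_id: "item-1", content_type: "diff", content: { file: "auth.js", added: 12, removed: 3 } },
  { item_id: "item-2", content_type: "approval", content: { approver: "alice", decision: "approve" } },
]);
const tampered = sealed.map((it) =>
  it.item_id === "item-2" ? { ...it, content: { ...it.content, approver: "mallory" } } : it);

console.log(contentHash({ a: 1, b: 2 }) === contentHash({ b: 2, a: 1 })); // true
console.log(findTampered(sealed), findTampered(tampered)); // [] [ 'item-2' ]
```

Hashing the output of a plain `JSON.stringify` instead would make the two key orderings above produce different hashes, so a re-serialized but unmodified bundle would fail verification.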
guardspine-verify
Offline CLI tool and Python library to verify GuardSpine evidence bundles. Zero trust required -- works without network access.
API Reference
guardspine-verify bundle.json (CLI): verify a JSON evidence bundle. Supports ZIP exports too. Exit codes: 0=verified, 1=failed, 2=invalid input.
guardspine-verify --verbose --format json (CLI): verbose output in JSON format for CI/CD integration.
verify_bundle(path) -> VerificationResult (Python API): verify a bundle file. Returns result with valid boolean and errors array.
verify_bundle_data(dict) -> VerificationResult (Python API): verify a bundle from a dictionary. Checks hash chain, root hash, content hashes, signatures, sequence, and AI provenance.
guardspine-adapter-webhook
Webhook adapter for evidence bundle delivery to Slack, Teams, Discord, and custom endpoints. Ingests GitHub, GitLab, and custom webhooks. Zero runtime dependencies.
API Reference
WebhookHandler: Routes incoming webhooks to the first matching provider. Providers registered in priority order.
GitHubProvider: Detects x-github-event header, validates HMAC-SHA256 signatures.
GitLabProvider: Detects x-gitlab-event header, validates token match.
GenericProvider: Always matches, no signature validation. Use as catch-all.
BundleEmitter: Infers risk tiers by labels, then file paths, then default. If @guardspine/kernel is installed, sealBundle() adds cryptographic sealing.
Custom providers: Implement WebhookProvider interface: matches(headers), validate(headers, body), parse(headers, body).
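The matches/validate/parse contract and first-match routing described above, as an added example (not code from guardspine-adapter-webhook): a provider that checks GitHub's HMAC-SHA256 signature in constant time, a catch-all without validation, and a router that rejects a failed signature instead of falling through. The function names, the `route` helper, the `verified` flag and the status codes are assumptions; `x-hub-signature-256` is the header GitHub documents for its SHA-256 signature.

```javascript
const crypto = require("node:crypto");

// Shaped like the page's WebhookProvider interface: matches / validate / parse.
// Header names are lowercase, as Node's http module delivers them.
function makeGitHubProvider(secret) {
  return {
    name: "github",
    matches: (headers) => "x-github-event" in headers,
    validate(headers, body) {
      // GitHub sends the MAC as "sha256=<hex>" in x-hub-signature-256.
      const given = headers["x-hub-signature-256"];
      if (typeof given !== "string") return false;
      // The MAC covers the raw body bytes, so verify before any JSON parsing.
      const mac = crypto.createHmac("sha256", secret).update(body).digest("hex");
      const a = Buffer.from(given);
      const b = Buffer.from("sha256=" + mac);
      // timingSafeEqual throws on unequal lengths, so compare lengths first.
      return a.length === b.length && crypto.timingSafeEqual(a, b);
    },
    parse: (headers, body) => ({ event: headers["x-github-event"], payload: JSON.parse(body) }),
  };
}

// Catch-all with no signature validation, as GenericProvider is described.
const genericProvider = {
  name: "generic",
  matches: () => true,
  validate: () => true,
  parse: (headers, body) => ({ event: "generic", payload: JSON.parse(body) }),
};

// First matching provider wins. A failed validation is a hard reject: the
// request is never retried against a later, weaker provider.
function route(providers, headers, body) {
  const p = providers.find((x) => x.matches(headers));
  if (!p) return { status: 404 };
  if (!p.validate(headers, body)) return { status: 401, provider: p.name };
  return { status: 200, provider: p.name, verified: p !== genericProvider, ...p.parse(headers, body) };
}

// Constructed sample request; the secret is a placeholder.
const SECRET = "example-webhook-secret";
const BODY = JSON.stringify({ action: "opened", number: 7 });
const SIG = "sha256=" + crypto.createHmac("sha256", SECRET).update(BODY).digest("hex");
const providers = [makeGitHubProvider(SECRET), genericProvider];

console.log(route(providers, { "x-github-event": "pull_request", "x-hub-signature-256": SIG }, BODY).status); // 200
```

Anything accepted through the catch-all carries `verified: false`, which lets downstream code treat that payload as unauthenticated input when assigning a risk tier.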
guardspine-local-council
Local AI code review councils using Ollama. No API keys, no cloud APIs, no tokens, no data leaves your network.
API Reference
OllamaProvider(model, base_url): Connects to a local Ollama instance. Default model: llama3.1, default URL: http://localhost:11434.
LocalCouncil(providers, config): Sends review prompts to all providers in parallel. Each returns a structured vote (approve/reject/abstain) with confidence score.
SimpleAggregator: Computes confidence-weighted majority decision. Enforces quorum (default 3) and consensus threshold (default 0.66).
rlm-docsync
Keeps documentation in sync with your codebase by extracting claims from docs, inspecting source for evidence, and producing cryptographically chained evidence packs.
API Reference
docsync run --manifest file.yaml: Extracts claims from docs, inspects source code for evidence, produces hash-chained evidence packs. Supports spec-first (docs as truth) and reality-first (code as truth) modes.
docsync verify --pack file.json: Verifies an evidence pack's hash chain. Each pack contains manifest snapshot hash, per-claim results (pass/fail/skip), SHA-256 hash chain, and timestamp metadata.
Manifest format: YAML manifest defines per-doc claim definitions, evidence patterns, and scopes for extraction.
n8n-nodes-guardspine
n8n community nodes for GuardSpine AI governance: evidence sealing, council voting, approval workflows.
API Reference
GuardSpine Gate: Evaluates artifacts against governance rubrics. Routes to Pass or Block outputs based on risk tier.
Beads Create: Creates work items in the Beads task spine.
guardspine-connector-template
Template and SDK for building GuardSpine connectors to integrate any document source. Includes example connectors for GitHub, SharePoint, Jira, and Slack.
API Reference
BaseConnector: Abstract base class. Subclass to integrate a new document source.
watch_changes() -> AsyncIterator[ChangeEvent]: Watch a source for changes. Returns an async iterator of change events.
get_diff(event) -> dict: Get the diff/delta for a specific change event.
get_artifact_metadata(artifact_id) -> dict: Retrieve metadata for an artifact by ID.
BundleEmitter: Helper to create evidence bundles from change events.
evidence-bundle-spec v1.0.0
Standardized format for evidence bundles. Self-contained, verifiable offline, vendor-neutral, cryptographically sound (SHA-256, Ed25519).
Top-Level Schema
bundle_id, bead_id, artifact_id, version, risk_tier, scope, items, signatures, immutability_proof, retention
Evidence Types
Verification Rules
- Hash chain links are unbroken
- Root hash matches computed value
- All content hashes match their items
- All signatures verify
- Sequence numbers are contiguous
Export Formats
- JSON
- ZIP (with VERIFICATION.md and detached signatures)
- PDF (human-readable report)
- SARIF 2.1.0 (security tool integration)