Trust

Here is what is true today.

A verification tool should hold itself to the same standard it applies to others.

What PX is

A verification engine

Reads structured evidence, evaluates it against deterministic rules, and reports pass or fail. Rules are declared in JSON profiles. Verification is reproducible.

An evidence packaging tool

Bundles evidence, profile, and result into one pack that recipients can re-verify. SHA-256 hashes prove no tampering after collection.

A CLI that runs wherever Node.js does

Zero external dependencies. Offline capable. ~2,700 lines of vanilla JavaScript. The entire tool is one file.

Open source (MIT)

The entire codebase is public. Read it. Fork it. Audit it. Nothing proprietary in the verification logic.

What PX is not

Not a compliance platform

Does not track risks, manage policies, assign owners, or send reminders. It verifies evidence and packages it. That is all.

Not an auditor

Does not give opinions. Does not assess risk severity. Does not determine compliance. It matches values against rules. Interpretation is for humans.

Not a SaaS

No account. No dashboard. No vendor lock-in. PX runs on your machine. Output is plain files. Everything belongs to you.

What works today

Draft mode
Verify, package, and re-verify locally. Free. Unlimited. Offline.
Custom profiles
Write custom rules in JSON. Verify against any structured evidence.
Lens (review view)
Self-contained HTML file. In-browser re-verification. Offline.
Software release profile
Binary + SBOM required, provenance + signature recommended, fail-close enforcement.
Recipient replay
Re-verify via npx without cloning the repo. Runs against bundled inputs.
GitHub Action
Composite action for CI/CD. Self-test passing on main.
Ed25519 manifest signature
Cryptographic signing via --sign flag. Ephemeral keys by default, persistent keys via --key.

What is planned

PX Authority
Seal timestamps, acceptance receipts, recipient binding. Converts Draft to Submission.
Signature chain of trust (PX Authority)
Seal timestamps, acceptance receipts, and persistent key management.
Additional profiles
Domain-specific profiles for SOC 2, ISO 27001, HIPAA, PCI-DSS, etc.

Planned features are not promises.
They indicate current direction. This page is updated with each release. For features that affect your decision, contact us directly.

Principles

Sender-friendly

PX helps the organization that adopts it. Evidence collection becomes faster. The sender benefits, not just the reviewer.

No enemies

PX does not replace auditors, GRC platforms, or existing workflows. It adds a verification layer. Adoption through value, not displacement.

Honest about what exists

Draft mode works today. Authority is planned. We do not market planned features as current capabilities. This page is updated with each release.

Open by default

MIT license. Public codebase. No proprietary cryptography. Anyone should be able to verify the protocol without using PX.

Inspect the implementation.

The best way to trust a verification tool is to verify it yourself.