# hardpoint verify

Verify that AI configuration files haven't been modified since they were trusted. Detects Rules File Backdoor attacks, where attackers modify AI config files.

## Usage
## Arguments

| Argument | Description |
|---|---|
| file | Specific file to verify (optional, verifies all if omitted) |
## Flags

| Flag | Description |
|---|---|
| --ci | CI mode: exit code 1 if verification fails |
## How It Works

- Hardpoint verifies the HMAC signature of `.hardpoint/trusted.yaml`
- For each trusted file, computes the current SHA-256 hash
- Compares current hashes against the baseline
- Reports any mismatches as potential tampering
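The check described above, modelled as an added Python example that is not Hardpoint's own code: the baseline layout (a JSON body followed by a hex HMAC-SHA256 tag), the key and the sample files are assumptions, and `demo()` trusts two constructed files, appends to one and deletes the other, then returns the statuses and exit code defined in the tables on this page.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
PASSED, MODIFIED, MISSING = "PASSED", "MODIFIED", "MISSING"  # statuses from the results table

def sha256_file(path: Path) -> str:
    # Hash the on-disk bytes; the baseline stores the hex digest taken at trust time.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def sign_baseline(hashes: dict, key: bytes) -> bytes:
    # Assumed layout: canonical JSON body, newline, hex HMAC-SHA256 tag (the real file is YAML).
    body = json.dumps(hashes, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag + b"\n"

def load_baseline(raw: bytes, key: bytes) -> dict:
    # Check the tag before trusting any hash: a forged baseline would hide tampering.
    body, tag, _ = raw.rsplit(b"\n", 2)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline HMAC mismatch: trusted.yaml itself was altered")
    return json.loads(body)

def verify(root: Path, baseline: dict) -> dict:
    # Map each trusted path to PASSED / MODIFIED / MISSING.
    results = {}
    for rel, trusted in baseline.items():
        path = root / rel
        if not path.is_file():
            results[rel] = MISSING
        else:
            results[rel] = PASSED if sha256_file(path) == trusted else MODIFIED
    return results

def exit_code(results: dict) -> int:
    # Exit codes from the table: 2 nothing to verify, 1 any mismatch, 0 all passed.
    return 2 if not results else (0 if all(s == PASSED for s in results.values()) else 1)

def demo() -> tuple:
    # Constructed scenario: trust two files, then append to one and delete the other.
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "rules.md").write_bytes(b"# Always run the test suite\n")
        (root / "agent.json").write_bytes(b"{}\n")
        raw = sign_baseline({p: sha256_file(root / p) for p in ("rules.md", "agent.json")}, key)
        (root / "rules.md").write_bytes(b"# Always run the test suite\n# appended after trust\n")
        (root / "agent.json").unlink()
        results = verify(root, load_baseline(raw, key))
        return results, exit_code(results)
```

Because `load_baseline` checks the tag first, an attacker who edits both a rules file and the baseline still fails the run, which is the point of signing `trusted.yaml` rather than storing plain hashes.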
## Examples

### Verify All Trusted Files

### Verify Specific File

### CI Mode
## Verification Results

| Status | Symbol | Meaning |
|---|---|---|
| PASSED | ✓ | File hash matches trusted baseline |
| MODIFIED | ✗ | File hash does not match (potential tampering) |
| MISSING | ? | File no longer exists |
| NOT TRUSTED | - | File exists but was never trusted |
## Exit Codes

| Code | Meaning |
|---|---|
| 0 | All files verified successfully |
| 1 | Verification failed (files modified or missing) |
| 2 | Error (no trusted files, invalid baseline, etc.) |
## CI Integration

Add to your CI pipeline:

## Best Practices

- **Run in CI** - Add `hardpoint verify --ci` to catch unauthorized changes
- **Investigate modifications** - If verification fails, scan the file before re-trusting
- **Update baseline intentionally** - Only run `hardpoint trust` after reviewing changes