A small protocol, not a platform.
Audits are signed protobuf messages. Logs are append-only. Consumers verify offline. OpenVet is the host — you keep the keys.
Audits pin exact bytes
Every audit covers a specific (registry, package, version, hash). Republished artifacts don't silently inherit prior trust.
Sign with your own keys
Drafts live on the server; signing happens in the CLI with your own SSH key. Custodial keys are available for low-friction starts and are publicly visible in your keyset.
Subscribe to logs you trust
Each account owns a single append-only audit log. Follow auditors and orgs you trust; their published reviews flow into your CI gate via openvet.toml.
Require the claims that matter
Demand safe-to-deploy, memory-unsafe-code = false, or your own claims. Builds fail loudly when coverage drops below what your policy requires.
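The three ideas above (audits pinned to exact bytes, signatures made with the auditor's own key, and a CI gate that requires specific claims) fit in a few dozen lines. The following is an added illustration written for this page, not OpenVet's own code: it assumes a simplified string encoding in place of the real protobuf message, Ed25519 in place of SSH key signing, and an in-memory slice in place of a fetched log.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"sort"
)
// Audit is a constructed stand-in for an OpenVet audit message: it pins one exact
// (registry, package, version, hash) and carries the auditor's boolean claims.
type Audit struct {
	Registry, Package, Version, Hash string
	Claims                           map[string]bool
	Signature                        []byte
}
// canonical is a simplified deterministic encoding (assumption: the real protocol
// signs protobuf bytes). Claims are sorted so the signed bytes are stable.
func canonical(a Audit) []byte {
	claims := make([]string, 0, len(a.Claims))
	for k, v := range a.Claims {
		claims = append(claims, fmt.Sprintf("%s=%t", k, v))
	}
	sort.Strings(claims)
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%v", a.Registry, a.Package, a.Version, a.Hash, claims))
}
// Sign attaches an Ed25519 signature over the canonical bytes (the CLI-side step).
func Sign(a Audit, priv ed25519.PrivateKey) Audit {
	a.Signature = ed25519.Sign(priv, canonical(a))
	return a
}
// Gate is the offline CI check: pass only if some audit verifies under a followed
// key, pins exactly the wanted artifact, and asserts every required claim.
func Gate(audits []Audit, trusted []ed25519.PublicKey, want Audit, required map[string]bool) bool {
next:
	for _, a := range audits {
		if a.Registry != want.Registry || a.Package != want.Package || a.Version != want.Version || a.Hash != want.Hash {
			continue // republished bytes under the same version never inherit prior trust
		}
		for k, v := range required {
			if got, ok := a.Claims[k]; !ok || got != v {
				continue next // coverage gap: the policy's claim is absent or contradicted
			}
		}
		for _, pub := range trusted {
			if ed25519.Verify(pub, canonical(a), a.Signature) {
				return true
			}
		}
	}
	return false
}
```

A republished artifact with a new hash, an audit from a key you do not follow, or an audit that omits a required claim all fail the gate, even though the package name and version match.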
Open source, self-hostable
CLI and server are MIT OR Apache-2.0. Self-host your own log on a static file server if you want zero dependence on this registry.
cargo today, more soon
The protocol is registry-agnostic; cargo is what's wired up in v1. npm, pypi, and gems are next.
Wire it into your CI in five minutes.
The CLI does the verification. The web UI is for everything else.