Tagline: "The checksum for verification — portable, machine-verifiable assurance."
Project FUSE defines a standard cryptographic artifact — the Verifiable Compliance Envelope (VCE) — that proves a specific procedural verification ran to completion, without revealing proprietary systems, sensitive data, or internal logic.
Key Principle: FUSE proves that a process occurred; it does not assert the truth of the content being verified. We prove "This system ran a procedural checker against this specification and passed."
Stable open-source infrastructure for verifiable procedural proofs.
Version 1.2.0: ✅ Current - Hardened security, finalized scope boundaries, and explicit stability guarantees.
VCE Specification v0.1: ✅ Published - The formal VCE specification is now available. See specs/VCE_SPECIFICATION_V0.1.md for the complete specification.
FUSE follows Semantic Versioning. As of v1.0.0, the core proof format and verification semantics are considered stable.
- Stable: VCE file format, `ComplianceSpec` structure, and proof verification logic.
- Experimental: GPU/Hardware acceleration (see `SECURITY.md` for known limitations).
Breaking changes to the proof surface or core protocol will only be introduced in v2.0.0.
```bash
cargo build --release
```
Generate a compliance proof:
```bash
cargo run --release --bin fuse-prove -- \
  --spec examples/specs/soc2-control-x.json \
  --system examples/systems/sample-saas-logs.json \
  --output compliance.vce
```
Verify a compliance envelope:
```bash
cargo run --release --bin fuse-verify -- compliance.vce
```
For more examples, see docs/QUICKSTART.md.
```
ProjectFuse/
├── fuse-core/ # Core protocol implementation
├── fuse-cli/ # CLI tools (fuse-prove, fuse-verify)
├── fuse-checkers/ # Example procedural checkers
├── examples/ # Example specs and test data
│ ├── specs/ # Example specification files
│ └── systems/ # Sample system data for testing
├── specs/ # VCE specification and schemas
│ ├── VCE_SPECIFICATION_V0.1.md # Formal specification
│ └── schemas/ # JSON Schema validation files
└── docs/ # Documentation
```
- CLI Tool
  - `fuse-prove <spec> <system>` → outputs `.vce`
  - `fuse-verify <.vce>` → returns pass/fail
- Example Spec Files
  - SOC2 procedural check
  - GDPR data residency verification
  - Supply-chain provenance validation
  - ML model usage constraint
- Reference Implementation
  - Open-source, documented
  - Production-ready with real cryptographic proofs
- zkVM: RISC Zero (Rust, CPU/GPU)
- Spec format: JSON/YAML
- Envelope format: `.vce` (JSON container with proof + metadata)
- Proof type: ZK-SNARK / STARK
| Phase | Timeline | Focus | Key Deliverables |
|---|---|---|---|
| Phase 1 | ✅ Complete | zkVM integration & proof generation | Real RISC Zero proofs, CLI tools, core checkers |
| Phase 2 | ✅ Complete | Testing & Reliability | Official C2PA fixtures, tamper detection, integration tests |
| Phase 3 | ✅ Complete | Security Basics | Fuzzing, internal review, security audit readiness |
| Phase 4 | Q4 2026 | Ecosystem expansion | Auditor tools, governance framework, enterprise features |
VCE Specification v0.1 is now published as an open standard:
- VCE Specification v0.1 - Complete specification document
- JSON Schemas - Validation schemas for `.vce` files and input specs
- Specs Directory - Specification documentation and schemas
The VCE format is designed to be:
- Portable: Works offline, no network dependency
- Verifiable: Cryptographic verification without platform lock-in
- Standardized: Open format, implementable by anyone
- Interoperable: Works across platforms and languages
- Quick Start Guide - Get started in minutes
- Architecture Documentation - Technical deep dive
- Testing Guide - How to run tests and measure coverage
- Implementation Status - Current state and roadmap
- VCE Specification v0.1 - Formal specification
Run tests with:
```bash
# All tests (uses dev mode for speed)
RISC0_DEV_MODE=1 cargo test --workspace
# Or use Makefile
make test
```
Measure coverage:
```bash
make coverage
```
Run security checks:
```bash
make audit # Dependency vulnerability scan
make lint-security # Security-focused clippy checks
```
See docs/TESTING.md for detailed testing information.
Status: Pre-audit dev version (internal security review completed)
- ✅ Dependency scanning (`cargo audit`)
- ✅ Fuzzing infrastructure (5 targets)
- ✅ Internal security review completed
- ⏳ External audit pending
See SECURITY.md for security policy and docs/SECURITY_REVIEW.md for detailed security analysis.
For Pilots: Use "Pre-audit dev version" disclaimer until external audit completed.
This project is licensed under the Apache License 2.0. See LICENSE for details.
Note: FUSE is a proof-of-verification infrastructure. Higher-level trust decisions belong to downstream systems.
We welcome contributions! Please see CONTRIBUTING.md for guidelines on how to contribute to Project FUSE.
Status: ✅ Complete - RISC Zero zkVM integration is fully operational. The system generates real cryptographic proofs using RISC Zero 1.2.6.
Performance: Real proof generation takes 10-20+ minutes depending on data size. For development and testing, use RISC0_DEV_MODE=1 for instant proofs (not cryptographically secure).
Usage: Once the guest program is built, fuse-prove automatically generates real zkVM proofs. The system maintains backward compatibility with placeholder proofs when the guest program is not available.
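Because dev-mode proofs are not cryptographically secure, a pipeline that consumes `.vce` files should refuse to run with `RISC0_DEV_MODE` set. The wrapper below is an added example, not part of Project FUSE; it assumes `fuse-verify` exits non-zero on failure, and `FUSE_VERIFY_CMD` is a hypothetical override introduced here so the gate can be exercised without a built workspace.

```shell
#!/bin/sh
# Added example: release gate around fuse-verify (not Project FUSE code).
# Assumption: fuse-verify exits non-zero when verification fails.

# FUSE_VERIFY_CMD is a hypothetical override; the default is the verify
# command shown earlier in this README.
: "${FUSE_VERIFY_CMD:=cargo run --release --bin fuse-verify --}"

# vce_gate <envelope.vce>
# Returns 0 verified, 1 verification failed, 2 dev mode set, 3 bad input.
vce_gate() {
    vce=$1

    # Dev mode yields instant proofs that are not cryptographically secure,
    # so no result obtained with the variable set is treated as evidence.
    # Any value other than empty or 0 is rejected, which is deliberately
    # stricter than needed.
    case "${RISC0_DEV_MODE:-0}" in
        0) ;;
        *) echo "gate: RISC0_DEV_MODE is set; refusing to verify" >&2
           return 2 ;;
    esac

    # The envelope must exist and be non-empty before the verifier runs.
    if [ ! -s "$vce" ]; then
        echo "gate: envelope missing or empty: $vce" >&2
        return 3
    fi

    # Word splitting of FUSE_VERIFY_CMD is intentional (command + arguments).
    if $FUSE_VERIFY_CMD "$vce"; then
        echo "gate: $vce verified"
        return 0
    fi
    echo "gate: verification failed for $vce" >&2
    return 1
}
```

In CI, call `vce_gate compliance.vce` as the last step before an envelope is published or accepted, and fail the job on any non-zero status.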