Docs
VeriCID guarantees the tool an agent executes is byte-identical to the tool that was registered — dependencies included. It does not claim the tool is safe: that's why every tool runs sandboxed, and why attestations (auditors endorsing immutable CIDs) are a separate layer.
Resolution fetches the artifact, hash-verifies it against the registered CID, shows you the sandbox permissions sealed inside that CID, and pins the exact version in vericid.lock. Execution never trusts the registry's mutable latest pointer.
$ vericid install @demo/weather @demo/weather@1.0.0 verified ✓ network → api.open-meteo.com Approve and pin to vericid.lock? [y/N] y
vericid run re-verifies the pinned CID on every start, then spawns the tool as a stdio MCP server inside a Deno default-deny sandbox with only its approved permissions. Point Claude Code (or any MCP client) at it directly.
{ "mcpServers": { "weather": { "command": "vericid", "args": ["run", "@demo/weather"] } } }The packer seals your entrypoint and its entire dependency tree into one self-contained bundle — the CID covers every byte that will execute. Pure-JS in v1; native addons are rejected at publish time.
$ vericid publish ./my-tool packing @you/my-tool@1.0.0 (sealing full dependency closure)... published — artifact bafkrei… (733,970 bytes, sealed closure)
Any byte out of place — a rug pull, a swapped description, a compromised mirror — and the local hash check refuses before anything runs. This is the whole product in one error message.
🛑 INTEGRITY FAILURE for @demo/weather: expected bafkreiecu2cn…tamq actual bafkreie7ux4a…jngq Refusing to run.