# Portable Audit Pack Rekor Offline Verification Profile

Status: Draft frozen for implementation handoff (2026-02-10).

## Required Rekor material in pack

At least one of:

- `rekor/tile.tar`
- `rekor/tiles.bundle`

And manifest references:

- `rekor.log_id`
- `rekor.api_version` (`2`)
- `rekor.tile_refs[]`
- `rekor.root_hash`

## Offline verification flow

1. Validate manifest signature and manifest file inventory/digests.
2. Load bundled tile material referenced by `rekor.tile_refs[]`.
3. Reconstruct inclusion proof path for covered digests.
4. Validate Merkle root equals `rekor.root_hash`.
5. Validate checkpoint key material from `verifiers.rekor_pub` when present.
6. Fail closed on any missing tile/proof/checkpoint dependency.

## Stable failure codes

- `ERR_REKOR_TILE_MISSING`
- `ERR_REKOR_TILE_DIGEST_MISMATCH`
- `ERR_REKOR_PROOF_INVALID`
- `ERR_REKOR_CHECKPOINT_INVALID`
- `ERR_REKOR_ROOT_MISMATCH`
- `ERR_REKOR_REFERENCE_UNCOVERED`

## Tamper test requirements

- Corrupt one tile byte -> `ERR_REKOR_TILE_DIGEST_MISMATCH`.
- Modify inclusion path node -> `ERR_REKOR_PROOF_INVALID`.
- Alter checkpoint signature -> `ERR_REKOR_CHECKPOINT_INVALID`.
- Alter `rekor.root_hash` in manifest -> `ERR_REKOR_ROOT_MISMATCH`.

## Compatibility notes

- Existing Rekor receipt contracts remain valid for legacy bundle profiles.
- Portable profile requires deterministic file references under `rekor/` in the manifest.
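
The tile, root and inclusion-path checks from the offline verification flow (steps 2 to 4 and 6) can be sketched in Python as below; this is an added example, not the project's code, and it does not cover checkpoint signature validation (step 5). Assumptions: each `rekor.tile_refs[]` entry is a `{path, sha256}` pair, a tile is a plain run of 32-byte RFC 6962 leaf hashes in log order, the inclusion path is supplied by the caller, and the order in which failure codes are raised is illustrative.

```python
import hashlib

class RekorError(Exception):
    """args[0] is one of the profile's stable failure codes."""

def leaf_hash(entry): return hashlib.sha256(b"\x00" + entry).digest()  # RFC 6962 leaf
def node_hash(l, r): return hashlib.sha256(b"\x01" + l + r).digest()   # RFC 6962 node

def tree_root(leaves):
    """RFC 6962 Merkle Tree Hash over a non-empty list of leaf hashes."""
    if len(leaves) == 1:
        return leaves[0]
    k = 1 << ((len(leaves) - 1).bit_length() - 1)  # largest power of two < n
    return node_hash(tree_root(leaves[:k]), tree_root(leaves[k:]))

def fold_path(index, size, leaf, path):
    """RFC 9162 section 2.1.3.2: fold an audit path into a candidate root."""
    fn, sn, r = index, size - 1, leaf
    for p in path:
        if sn == 0:  # path longer than the tree is deep
            raise RekorError("ERR_REKOR_PROOF_INVALID")
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    if sn != 0 or index >= size:  # path too short, or index outside the tree
        raise RekorError("ERR_REKOR_PROOF_INVALID")
    return r

def verify_offline(rekor, files, digest, index, path):
    """rekor: manifest 'rekor' section; files: pack path -> bytes. True or RekorError."""
    leaves = []
    for ref in rekor["tile_refs"]:  # assumed entry shape: {"path", "sha256"}
        blob = files.get(ref["path"])
        if blob is None:
            raise RekorError("ERR_REKOR_TILE_MISSING")
        if hashlib.sha256(blob).hexdigest() != ref["sha256"]:
            raise RekorError("ERR_REKOR_TILE_DIGEST_MISMATCH")
        leaves += [blob[i:i + 32] for i in range(0, len(blob), 32)]  # simplified tile
    if not leaves or tree_root(leaves).hex() != rekor["root_hash"]:
        raise RekorError("ERR_REKOR_ROOT_MISMATCH")
    if fold_path(index, len(leaves), digest, path).hex() != rekor["root_hash"]:
        raise RekorError("ERR_REKOR_PROOF_INVALID")
    return True

# Constructed sample: four entries in one tile.
SAMPLE_LEAVES = [leaf_hash(b"entry-%d" % i) for i in range(4)]
```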