Free local verifier. Scans your Hugging Face and Ollama caches against the signed Fall Risk Registry.
Most people do not know what models are sitting on their machines.
Trustfall Lite tells you what is verified, what is an unknown variant, and what is not enrolled. It runs locally. It checks against the signed Fall Risk Registry. It does not phone home with your filenames.
pipx install fallrisk-trustfall
Free. Open source. Apache-2.0.
Trustfall Lite verifies what model artifact you have.
Trustfall Deep verifies which model is actually computing.
--local-only: by default, artifact SHA-256 hashes are sent to the verification API for lookup; pass --local-only to check against a downloaded registry.json with no network traffic at all.
Install with pipx:
pipx install fallrisk-trustfall
trustfall scan
The first scan walks your Hugging Face cache and Ollama store, hashes every artifact, and returns one of four statuses for each. For a worked example of a real first scan, read the Founder Scan.
Source: github.com/fallrisk-ai/trustfall-lite. License: Apache-2.0.
Trustfall Lite is licensed under Apache-2.0. The release will install on Linux and macOS via pipx; Windows support is on the same release path.
The release will expose five commands. The shape is final; the staging build and the public release run the same surface.
| Command | Purpose |
|---|---|
| trustfall scan | Scan default Hugging Face and Ollama locations when present. Reports a status per artifact. |
| trustfall verify <hash> | Verify a single SHA-256 against the signed registry. |
| trustfall registry | Show registry status: manifest digest, issuer key ID (kid), snapshot date. |
| trustfall version | Print Lite version and registry version. |
| trustfall diff <baseline.json> [current.json] | Compare two scan-output JSONs and report group, artifact, and status changes. |
To compare a current scan against a prior one — for example, to detect new or removed model artifacts since you last looked — capture a baseline, then diff against it later:
trustfall scan --json > baseline.json
# ... time passes, you install or remove some models ...
trustfall diff baseline.json # implicit current scan
trustfall diff baseline.json current.json # explicit comparison
By default, trustfall diff prints the diff and exits 0 regardless of what changed. For CI use, two opt-in flags are available: --exit-code (exit 1 on any change) and --exit-code-on-status-regression (exit 2 only when a previously verified artifact is no longer verified).
Every artifact in your cache resolves to one of four statuses. The vocabulary is locked. Trustfall Lite does not editorialize beyond what each status says.
Verified
What this means: the artifact's SHA-256 matches an enrolled record in the signed registry, and the record's signature verifies under the published key.
What to do next: nothing. The file on disk is the file the registry records.
Unknown variant
What this means: a model with this name appears in the registry, but the bytes on your disk do not match any signed enrollment for that model. The variant could be a legitimate alternate build, or the artifact could have been modified. Lite cannot tell the two apart; only a signed enrollment of these exact bytes can.
What to do next: compare the hash to the publisher's stated checksums. If you need a signed answer for this specific artifact, contact integrations@fallrisk.ai.
Not enrolled
What this means: Fall Risk has not enrolled this model. The registry holds no record against which to verify the artifact. Lite does not assert anything about whether the file is good or bad, only that there is nothing to compare it to.
What to do next: if you want this model enrolled and signed, contact integrations@fallrisk.ai.
Pilot
What this means: the model is on the pilot enrollment list. It is not signed yet, but it is queued for measurement under contract and will appear in the signed registry on completion.
What to do next: if this model matters for your stack, request pilot prioritization at integrations@fallrisk.ai.
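The scan, the four-way status decision, and the baseline diff with its exit codes, as an added example rather than Trustfall Lite's own code. It runs in the spirit of --local-only: an in-memory registry snapshot, a Hugging Face style cache walked and hashed on disk, one record per blob, and a diff of two scans that yields the exit codes the page describes. The cache layout (models--org--name/blobs/file), the registry JSON shape ({"enrolled": {model: [sha256, ...]}, "pilot": [model, ...]}), the status strings, and the sample models are all constructed for this example and are not the registry's locked vocabulary. The snapshot is assumed to have had its signature verified already (the verification guide covers that chain); no signature check appears here. One interpretation choice is made explicit: a regression (exit 2) is an artifact that is still present but has moved away from verified; an artifact that was removed outright counts as a change (exit 1) only.

```python
# Added example, not Trustfall Lite's own code. Local-only classification of
# a Hugging Face style cache against a registry snapshot, plus a baseline diff
# with the exit-code semantics described on the page. Every layout, schema and
# status string below is an assumption made for this example.
import hashlib
import json
import tempfile
from pathlib import Path

VERIFIED, UNKNOWN_VARIANT, NOT_ENROLLED, PILOT = (
    "verified", "unknown-variant", "not-enrolled", "pilot")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256; model blobs are often multi-GB."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(model: str, digest: str, registry: dict) -> str:
    """Map one artifact to one of the four statuses, in priority order."""
    enrolled = registry["enrolled"]            # model -> list of signed sha256
    if digest in enrolled.get(model, []):
        return VERIFIED                        # bytes match a signed enrollment
    if model in enrolled:
        return UNKNOWN_VARIANT                 # name enrolled, these bytes not
    if model in registry["pilot"]:
        return PILOT                           # queued, not signed yet
    return NOT_ENROLLED                        # nothing to compare against


def scan_hf_cache(cache_dir: Path, registry: dict) -> list:
    """One record per blob; 'artifact' is the on-disk file name (assumed layout:
    <cache>/models--<org>--<name>/blobs/<file>)."""
    records = []
    for model_dir in sorted(Path(cache_dir).glob("models--*")):
        model = model_dir.name[len("models--"):].replace("--", "/", 1)
        blobs = model_dir / "blobs"
        if not blobs.is_dir():
            continue
        for blob in sorted(blobs.iterdir()):
            digest = sha256_file(blob)
            records.append({"group": "huggingface", "model": model,
                            "artifact": blob.name, "sha256": digest,
                            "status": classify(model, digest, registry)})
    return records


def diff(baseline: list, current: list):
    """Return (changes, code for --exit-code, code for
    --exit-code-on-status-regression). Artifacts are matched on
    (group, model, file name) so an in-place modification surfaces as a
    status change instead of a remove-plus-add."""
    key = lambda r: (r["group"], r["model"], r["artifact"])
    before = {key(r): r["status"] for r in baseline}
    after = {key(r): r["status"] for r in current}
    changes = []
    for k in sorted(set(before) | set(after)):
        old, new = before.get(k), after.get(k)
        if old != new:
            kind = "added" if old is None else "removed" if new is None else "status"
            changes.append((kind, k, old, new))
    # Regression: still on disk, but no longer verified.
    regression = any(old == VERIFIED and new is not None and new != VERIFIED
                     for _, _, old, new in changes)
    return changes, (1 if changes else 0), (2 if regression else 0)


def demo():
    """Constructed cache and registry: one model per status, then an in-place
    tamper of the verified one and a diff against the baseline."""
    cache = Path(tempfile.mkdtemp())

    def put(model, name, data):
        d = cache / ("models--" + model.replace("/", "--")) / "blobs"
        d.mkdir(parents=True, exist_ok=True)
        (d / name).write_bytes(data)

    put("org/a", "a.bin", b"weights-a")   # enrolled, bytes match
    put("org/b", "b.bin", b"weights-b")   # enrolled, bytes differ
    put("org/c", "c.bin", b"weights-c")   # on the pilot list
    put("org/d", "d.bin", b"weights-d")   # unknown to the registry
    registry = {
        "enrolled": {"org/a": [hashlib.sha256(b"weights-a").hexdigest()],
                     "org/b": [hashlib.sha256(b"other-build").hexdigest()]},
        "pilot": ["org/c"],
    }
    baseline = scan_hf_cache(cache, registry)
    put("org/a", "a.bin", b"tampered")    # same file name, different bytes
    current = scan_hf_cache(cache, registry)
    changes, any_code, regression_code = diff(baseline, current)
    return baseline, current, changes, any_code, regression_code


if __name__ == "__main__":
    baseline, current, changes, any_code, regression_code = demo()
    print(json.dumps(current, indent=2))
    for kind, k, old, new in changes:
        print(kind, k, old, "->", new)
    print("exit codes:", any_code, regression_code)
```

Matching on file name rather than on hash is the point of the diff: if the key included the SHA-256, a tampered blob would look like one artifact removed and another added, and the verified-to-unverified transition that --exit-code-on-status-regression exists to catch would never be reported as a status change.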
I ran Trustfall Lite against my own local Hugging Face and Ollama caches. The result is exactly what the tool is built to show: what is known, what is unknown, and what needs deeper verification.
Scans run locally. File paths and filenames are not sent.
By default, Trustfall Lite sends artifact SHA-256 hashes to the verification API at api.attest.fallrisk.ai/v1/ for lookup. Hashes are redacted from access logs at the web tier, and the application tier records aggregate counters only. Details are in the API documentation. Note that the hash of a publicly distributed artifact identifies that artifact, so a default-mode lookup still tells the API which enrolled models you hold, even though no path or filename leaves the machine.
If you prefer no network at all, run Trustfall Lite with --local-only against a downloaded copy of registry.json. In local-only mode no hashes leave the machine.
The registry is the authority. Trustfall Lite is a client.
Every Lite verdict is a signed claim from the registry, not a Lite assertion. You can verify each verdict yourself: the public key is published on the registry page, the JWKS is at /.well-known/jwks.json, and the verification guide reproduces the trust chain step by step.
Lite asks. The registry answers. The signature is the proof.
Lite tells you the file is the file you think it is. Deep tells you the running process is computing what the file says it should.
Artifact verification — what Lite does — is necessary but not sufficient when:
For those cases, Trustfall Deep performs the structural measurement under contract. Deep is an enrollment-based service: integrations@fallrisk.ai.
A signed artifact verdict is only as honest as the chain that produced it. This page belongs to that chain.
github.com/fallrisk-ai/trustfall-lite (private during the release freeze; will become public alongside the package release).
fallrisk-trustfall on PyPI (staging; the install command will be published here once the package is serving).