Auditor Contract Specification
If you are building an auditor in a language other than Python (not using the Lucid SDK), your container must implement this interface to be compatible with the Lucid Operator and Lucid Verifier.
🏷️ Required OCI Labels
Your container image must include the following labels in its metadata. The Lucid CLI uses these during the lucid auditor verify step.
| Label | Description | Example |
|---|---|---|
io.lucid.auditor |
Must be set to true |
true |
io.lucid.schema_version |
The version of the auditor contract | 1.0 |
io.lucid.phase |
The primary phase this auditor targets | request, response |
io.lucid.interfaces |
comma-separated list of implemented APIs | health,audit |
📡 Required Endpoints
The auditor must listen on a port (configurable in auditors.yaml, defaults to 8080) and implement the following REST endpoints.
1. GET /health
Used by the Lucid Operator to determine when the sidecar is ready to receive traffic.
- Response: 200 OK
- Body: {"status": "ok"}
2. POST /audit
The main entry point for safety checks.
- Request Body: The data to be audited (varies by phase).
- Responses:
- 200 OK: Data passed the audit.
- Body: {"status": "proceed", "modifications": {}}
- 200 OK: Data should be redacted.
- Body: {"status": "redact", "modifications": {"key": "masked_val"}}
- 200 OK: Data is dangerous and must be blocked.
- Body: {"status": "deny", "message": "Reason for denial"}
🔏 Attestation Protocol
To produce hardware-signed evidence, your auditor must communicate with the local Attestation Agent (usually listening on http://localhost:8006).
For every audit decision, you should: 1. Generate Claim objects (unsigned assertions) and bundle them into an Evidence container. 2. Send the Evidence blob to the Attestation Agent for signing. 3. Forward the signed Evidence to the Lucid Verifier.
[!NOTE] RFC 9334 Compliance: As of v2.0, Lucid uses the RATS (Remote ATtestation procedureS) model: - Claim: Unsigned assertion (e.g., toxicity score, injection detection result) - Evidence: Signed container of Claims from a single Attester (auditor) - AttestationResult: Verifier's assessment stored in the AI Passport
[!TIP] Using the SDK is recommended. The Lucid SDK handles all label generation, endpoint setup, and attestation signing automatically.