Most logging stacks (Splunk, Datadog, ELK) are great for analytics, but when auditors ask “how do you prove integrity?”, the answer is usually vague or procedural.
Spine answers this using cryptographic audit logs that can be verified offline, without trusting the logging system itself.
The SDK and CLI are now open source. GitHub: https://github.com/EulBite/spine-oss
The problem
Recent EU regulations (DORA, NIS2) explicitly require tamper-evident audit trails, but the problem exists independently of regulation:
- Auditors increasingly ask how logs can be proven immutable
- Most companies I talked to had no concrete technical answer
Quick example:
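    import asyncio

    from spine_client import WAL, WALConfig, SigningKey

    async def main():
        # Generate a signing key, open the log in ./audit_log, append one event
        key = SigningKey.generate()
        wal = WAL(key, WALConfig(data_dir="./audit_log"))
        await wal.initialize()
        await wal.append({"event_type": "user.login", "user_id": "alice"})

    asyncio.run(main())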
Then verify offline:
    $ spine-cli verify --wal ./audit_log
    Status: VALID
    Events verified: 2,341
    Signatures verified: 2,341
    Chain integrity: INTACT
No server required. An auditor can verify integrity without access to the system that generated the logs.
What’s open source
- spine-sdk-python – create signed audit logs locally
- spine-cli (Rust) – independently verify integrity
Apache 2.0 licensed
The server-side components (batch ledger coordination, timestamping, HA) remain proprietary.
Technical approach:
Each event → BLAKE3 hash → Ed25519 signature → append-only chain.
Instead of a single linear chain (where one corrupted entry invalidates everything after), Spine uses a batch ledger model: events are grouped into signed batches. A compromised batch doesn’t invalidate unrelated history.
Performance notes:
Benchmarks (Criterion, NVMe), included mainly to sanity-check overhead:
Signed + fsync: ~3,900 events/sec
Chain verification: ~537k events/sec
BLAKE3 @ 1KB: ~1.24 GiB/s
Benchmarks are included to validate design tradeoffs, not to claim absolute performance leadership.
Why open source the client?
Audit systems require trust. By releasing the SDK + CLI:
- Anyone can verify the integrity claims
- Audit data remains readable without our infrastructure
- Independent security review of verification logic is possible
Looking for discussion
Happy to get feedback or be challenged on architecture choices, crypto primitives, or verification logic.
Repo: https://github.com/EulBite/spine-oss
Project page: https://eulbite.com/open-source
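
To illustrate the "Technical approach" section above, this added example (not code from the Spine project) contrasts a single linear hash chain with independently signed batches when one stored event is altered. The batch layout, function names and key are assumptions; BLAKE2b and HMAC-SHA256 from the Python standard library stand in for BLAKE3 and Ed25519.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; stands in for an Ed25519 private key

def h(prev: bytes, event: dict) -> bytes:
    # BLAKE2b (stdlib) stands in for BLAKE3; each hash covers the previous hash
    data = prev + json.dumps(event, sort_keys=True).encode()
    return hashlib.blake2b(data, digest_size=32).digest()

def sign(digest: bytes) -> bytes:
    # HMAC-SHA256 stands in for Ed25519; a real signature verifies with a public key
    return hmac.new(KEY, digest, hashlib.sha256).digest()

def build_chain(events):
    """Hash-chain events from an all-zero genesis value and sign the final head."""
    prev, entries = bytes(32), []
    for ev in events:
        prev = h(prev, ev)
        entries.append({"event": ev, "hash": prev})
    return {"entries": entries, "sig": sign(prev)}

def verify_chain(chain) -> int:
    """Return how many leading events verify; nothing after a break is trusted."""
    prev = bytes(32)
    for i, e in enumerate(chain["entries"]):
        if h(prev, e["event"]) != e["hash"]:
            return i
        prev = e["hash"]
    ok = hmac.compare_digest(sign(prev), chain["sig"])
    return len(chain["entries"]) if ok else 0

def build_batches(events, size):
    # Assumed model: every batch is its own short chain with its own signature
    return [build_chain(events[i:i + size]) for i in range(0, len(events), size)]

def verify_batches(batches):
    """Verify each batch on its own; a bad batch does not taint the others."""
    return [verify_chain(b) == len(b["entries"]) for b in batches]

def demo():
    events = [{"event_type": "user.login", "user_id": f"user{i}"} for i in range(9)]  # constructed
    linear, batches = build_chain(events), build_batches(events, 3)
    events[1]["user_id"] = "mallory"  # alter one stored event (shared by both layouts)
    return verify_chain(linear), verify_batches(batches)

if __name__ == "__main__":
    print(demo())
```

In this simplified model, deleting an entire batch goes unnoticed by `verify_batches`, so a real design also needs a record of which batches exist and in what order.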