DOCUMENTATION

docs

Everything you need to get started with Corsair and integrate it into your GRC workflow.

QUICK START

parley — quick start

# Install

brew install grcorsair/corsair/corsair

npm install -g @grcorsair/cli

# Bun is required to run the CLI (Homebrew installs it via oven-sh/bun)

# Sign tool output into a CPOE

corsair sign --file tool-output.json --mapping ./mappings/toolx.json

# Generate DID + JWKS for did:web verification

corsair did generate --domain acme.com --output did.json

corsair did jwks --domain acme.com --output jwks.json

# Verify any CPOE (always free)

corsair verify --file cpoe.jwt

# Diff two CPOEs — see what changed

corsair diff --current new-cpoe.jwt --previous old-cpoe.jwt --verify

# List recent signed CPOEs

corsair log --last 5

# Publish compliance discovery

corsair trust-txt generate --did did:web:acme.com

# Validate a policy artifact

corsair policy validate --file policy.json

# Generate signing keys

corsair keygen

Persistence: CLI/local use is file-based. Hosted API/production requires Postgres viaDATABASE_URL.

ONBOARD

Getting Started

Quick Start

Install Corsair, sign your first CPOE from tool output, and verify it in under 5 minutes.

Core Concepts

Understanding the Corsair pipeline, provenance model, tool adapters, and Marque signing.

IT Request: Trust Subdomain

A copy-paste request for IT to delegate a trust subdomain for trust.txt and DID hosting.

CONCEPTS

Core Concepts

The CPOE Lifecycle

How security tool output becomes a cryptographically verifiable CPOE.

Marque & CPOE

Ed25519 signing, JWT-VC format, verification flow, trust tiers, and the CPOE attestation system.

Evidence Chain

SHA-256 hash chain that provides tamper-proof cryptographic integrity for all Corsair evidence.

Parley Protocol

The Parley trust exchange protocol — JWT-VC proofs, SCITT transparency logs, and SSF/CAEP real-time signals.

Policy Artifacts

Deterministic acceptance criteria for verifying CPOEs.

FLAGSHIP Events

Real-time compliance change notifications via SSF/SET/CAEP — the FLAGSHIP event system.

Trust Graph

Dependency proofs that make compliance attestations composable across issuers.

PARLEY

Protocol

Documentation for this section is coming soon.

INTEGRATE

Integrations

REST API

Corsair REST API for signing and verifying CPOEs programmatically.

OSCAL Output (Coming Soon)

Generate machine-readable NIST OSCAL Assessment Results from Corsair assessments.

CI/CD Integration

Run Corsair in your CI/CD pipeline for continuous compliance signing and verification.

TypeScript SDK

Monorepo-only SDK for programmatic signing and verification with Corsair.

JWT-VC Integration

Generate and verify CPOEs as W3C Verifiable Credentials encoded in JWT format.

Agent Skills

Distribute Corsair as a SKILL.md so any agent can discover and run it without SDK lock-in.

REFERENCE

Reference

Documentation for this section is coming soon.

Full documentation is available in the GitHub repository.

View on GitHub →