1. Download (Free)
Get the official Linux CLI package. Core audit workflow is included.
System
AuditWalk is local-first integrity software built around a strict workflow contract. The interface and modules are implementation layers of this contract — not separate products.
The canonical operator workflow is: Scan → Baseline Scan → PreFlight → Compare → Doctor → Repair. Scan and Baseline Scan are deliberately separate steps. A scan captures what's there — it makes no claim about whether that state is good. Baseline Scan is the operator's explicit sign-off: "I've reviewed this scan and I vouch for it as the trusted state." That separation is the safety boundary at the foundation of everything else.
Modules
Five modules execute in sequence. Each produces a typed artifact consumed by the next.
Scan Module
Captures filesystem state into a versioned artifact. Observation only — no claims about trust. Produces the scan_id used by Baseline Scan.
Baseline Module
The operator's trust gesture. Promotes a scan artifact to the authoritative trusted reference. Unlocks PreFlight and Compare. Never automatic — always explicit.
baseline set --scan-id <scan_id>
PreFlight Module
Fast, scoped verification against the confirmed baseline. Targets specific areas — files, browser, agents, system — without re-scanning everything.
Findings Module
Full factual diff between current state and confirmed baseline. Evidence generation only — interpretation is handled by doctor.
Report Module
Renders outputs in Markdown, JSON, or PDF. Human-readable for review, machine-readable for pipelines.
auditwalk report render
~/auditwalk-reports/
State Machine
All UI controls are gated by state. The key gate is Baseline Scan — PreFlight, Compare, and all downstream commands are only available after a baseline has been explicitly reviewed by the operator.
Findings Contract
Every finding follows a strict structure so evidence and severity are machine-consistent across scans.
This is a display model — a simplified projection for documentation purposes. The canonical Finding record is defined in docs/architecture/auditwalk-engine-spec-v1.md §4.3.
{
  "id": str,
  "path": str,
  "change_type": "added|removed|modified",
  "category": "system|user|binary|config",
  "severity": "clear|review|attention|critical",
  "hash_before": str | None,
  "hash_after": str | None,
  "timestamp": datetime,
  "notes": str
}
Default grouping by change_type. Sortable by path, severity, and timestamp.
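A consumer of this display model can check each record against the contract before grouping or ranking it. The Python below is an added example, not AuditWalk code; the hash pairing rule, the ascending severity order, the function names and the sample records are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

ENUMS = {"change_type": ("added", "removed", "modified"),
         "category": ("system", "user", "binary", "config"),
         "severity": ("clear", "review", "attention", "critical")}  # assumed ascending
TYPES = {"id": str, "path": str, "notes": str, "timestamp": datetime,
         "hash_before": (str, type(None)), "hash_after": (str, type(None))}
# Assumed pairing rule (not stated on the page): a hash is None only when the file
# was absent on that side. Values are (hash_before present, hash_after present).
HASHES = {"added": (False, True), "removed": (True, False), "modified": (True, True)}

def validate_finding(f):
    """Return a list of contract violations; an empty list means the record conforms."""
    errors = [f"unexpected field: {k}" for k in sorted(set(f) - set(TYPES) - set(ENUMS))]
    for key, typ in TYPES.items():
        if key not in f or not isinstance(f[key], typ):
            errors.append(f"{key}: missing or wrong type")
    for key, allowed in ENUMS.items():
        if f.get(key) not in allowed:
            errors.append(f"{key}: must be one of {'|'.join(allowed)}")
    present = (f.get("hash_before") is not None, f.get("hash_after") is not None)
    ct = f.get("change_type")
    if ct in ENUMS["change_type"] and HASHES[ct] != present:
        errors.append("hash_before/hash_after inconsistent with change_type")
    return errors

SORT_KEYS = {"path": lambda f: f["path"], "timestamp": lambda f: f["timestamp"],
             "severity": lambda f: -ENUMS["severity"].index(f["severity"])}  # critical first

def group_findings(findings, sort_by="path"):
    """Group by change_type (the page's default), then sort inside each group."""
    groups = defaultdict(list)
    for f in findings:
        problems = validate_finding(f)
        if problems:  # fail closed: never rank or display a malformed record
            raise ValueError(f"finding {f.get('id')!r} rejected: {problems}")
        groups[f["change_type"]].append(f)
    return {ct: sorted(groups[ct], key=SORT_KEYS[sort_by])
            for ct in ENUMS["change_type"] if ct in groups}

def _mk(id_, path, ct, cat, sev, before, after):  # helper for constructed samples
    return {"id": id_, "path": path, "change_type": ct, "category": cat, "severity": sev,
            "hash_before": before, "hash_after": after, "notes": "",
            "timestamp": datetime(2024, 1, 1, tzinfo=timezone.utc)}

SAMPLE = [_mk("f1", "/etc/ssh/sshd_config", "modified", "config", "critical", "aa11", "bb22"),
          _mk("f2", "/usr/local/bin/helper", "added", "binary", "attention", None, "cc33"),
          _mk("f3", "/etc/hosts", "modified", "system", "review", "dd44", "ee55")]
```

Calling `group_findings(SAMPLE, sort_by="severity")` returns the added record first, then the two modified records with the critical one leading.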
Interface
Desktop application
A full-window interface for the complete scan lifecycle. Left-panel navigation through workflow stages, findings table with severity classification, baseline management, PreFlight controls, and one-click export. Runs locally — no cloud, no telemetry.
Dashboard dock tool
A persistent icon in your system dock that runs predefined scan schedules in the background. Amber while scanning, green when clear, red when findings require attention. Your system is being watched while you work.
Mobile companion
Tethered view of your desktop's scan status and findings on iPhone or Android. View findings, baseline status, and attention alerts in real time — all from your phone. Desktop remains the sole execution surface.
Mobile companion connects over local Wi-Fi using a QR-paired session. Remote access is not supported in v1.
The Linux CLI is available now and delivers the full audit workflow. The desktop GUI, dock tool, and mobile companion are in active development — included automatically with every active license when they ship.
Next Steps
Full audit workflow is available now: scan, baseline, preflight, compare, and doctor.