Documentation
Technical documentation, installation guides, and CLI reference
Installation
Tessara is distributed as a single Go binary with no external runtime dependencies. You can download pre-built binaries or build from source.
Get Access
Tessara is currently in private beta. Contact us to request access and download instructions for your platform (Linux, macOS, or Windows).
Once you have access, installation is simple:
# Example for Linux
curl -L -o tessara [download-url-provided]
chmod +x tessara
sudo mv tessara /usr/local/bin/
System Requirements
Supported Platforms:
- Linux (amd64, arm64)
- macOS (Intel, Apple Silicon)
- Windows (amd64)
Runtime: No external dependencies required (single binary)
Key Management
Tessara uses Ed25519 digital signatures to ensure the integrity and non-repudiation of compliance verdicts. Before running your first check, you must generate a key pair.
tessara keygen --output prod-key
This will generate two files:
- prod-key: Your private key (PEM-encoded). Keep this secret. It is used to sign verdicts.
- prod-key.pub: Your public key (PEM-encoded). Distribute this to auditors so they can verify your evidence chain.
Security Note: Tessara never stores or transmits your private key. It only reads it during the check command to sign the resulting verdict locally.
Specification Baselines
A baseline is an immutable reference point derived from a FHIR Implementation Guide (IG). Tessara parses the IG NPM package (.tgz) and builds a Structural Contract Model (SCM) tree with Merkle hashes.
tessara baseline path/to/us-core-6.1.0.tgz --output us-core-v6.json
The baseline contains:
- SCM Tree: A structural representation of every resource and element required by the IG.
- Merkle Hashes: 4-level hashes (Leaf → Resource → Endpoint → Root) that enable O(1) comparison.
- Regulatory Mapping: A Regulatory Provision Index (RPI) that links data elements to CMS-0057-F provisions.
The Evidence Chain
Verification results are stored in a tamper-evident, hash-linked evidence chain. This provides a provable audit trail of your API's conformance over time.
Tamper-Evident
Each verdict record includes the SHA-256 hash of the previous record. Changing a single byte in the history breaks the chain.
Signed Verdicts
Every record is signed with your Ed25519 private key, proving that the check was performed by your organization at the stated time.
SQLite Powered
The chain is stored in a local SQLite database for zero-config persistence and high-performance querying.
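The hash-linking and signing properties described under Tamper-Evident and Signed Verdicts, as an added example that is not Tessara's own code. The Record layout, the Sign/Verify/Demo names and the verdict strings are assumptions made for illustration; Tessara's actual record format is not documented on this page.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Record is a hypothetical verdict record (assumed layout, not Tessara's schema).
type Record struct {
	PrevHash [32]byte // SHA-256 of the previous record, all zero for the first
	Verdict  string
	Sig      []byte // Ed25519 signature over PrevHash || Verdict
}
func (r Record) signed() []byte { return append(r.PrevHash[:], r.Verdict...) }
func (r Record) Hash() [32]byte { return sha256.Sum256(append(r.signed(), r.Sig...)) }

// Sign creates a verdict record linked to the hash of the previous one.
func Sign(prev [32]byte, priv ed25519.PrivateKey, verdict string) Record {
	r := Record{PrevHash: prev, Verdict: verdict}
	r.Sig = ed25519.Sign(priv, r.signed())
	return r
}

// Verify returns -1 if intact, else the first bad index (len(chain): tail != latest).
func Verify(chain []Record, pub ed25519.PublicKey, latest [32]byte) int {
	var prev [32]byte
	for i, r := range chain {
		if r.PrevHash != prev || !ed25519.Verify(pub, r.signed(), r.Sig) {
			return i
		}
		prev = r.Hash()
	}
	if prev != latest {
		return len(chain)
	}
	return -1
}

// Demo checks a constructed chain three ways: intact, truncated, rewritten and re-signed.
func Demo() (intact, truncated, resigned int) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	a := Sign([32]byte{}, priv, "pass")
	b := Sign(a.Hash(), priv, "drift")
	chain := []Record{a, b, Sign(b.Hash(), priv, "pass")}
	latest := chain[2].Hash() // the hash an auditor pinned earlier
	intact, truncated = Verify(chain, pub, latest), Verify(chain[:1], pub, latest)
	chain[1] = Sign(a.Hash(), priv, "pass") // history rewritten with the real key
	return intact, truncated, Verify(chain, pub, latest)
}
func main() { fmt.Println(Demo()) }
```

Even a record rewritten and re-signed with the legitimate key is caught, because the next record still carries the hash of the original; pinning the latest hash is what catches truncation.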
Verifying the Chain
Auditors can verify the entire history of checks by running the verify command with your public key.
tessara evidence verify <latest-hash>
CLI Command Reference
- baseline <ig-tgz>: Generate specification baseline from FHIR Implementation Guide package
- probe <url>: Tier 1 probe of FHIR API (query CapabilityStatement + sample resources)
- check: Full 5-stage pipeline: ingest → probe → compare → verdict → evidence
- evidence list: List recent conformance verdicts with timestamps and status
- evidence show <id>: Display detailed verdict including drift findings and evidence chain
- evidence verify <hash>: Verify integrity of evidence chain using hash-linking
- keygen: Generate Ed25519 key pair for signing verdicts
- version: Print Tessara version and build information
Global Flags
- --db <path>: Path to SQLite evidence database (default: tessara.db in current directory)
- --verbose, -v: Print detailed pipeline progress
- --help: Show help for any command
Full Documentation
For comprehensive technical documentation, architecture details, and advanced configuration:
Need Help?
If you encounter issues or have questions:
- Contact us directly
- Email hello@tessara.us
- Visit GitHub for updates