npm - 0nmcp - Versions diffs - 1.7.0 → 2.1.0 - Mend

0nmcp 1.7.0 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/README.md +113 -48
package/cli.js +705 -1
package/command-runner.js +224 -0
package/commands.js +115 -0
package/index.js +15 -1
package/lib/stats.json +1 -1
package/package.json +42 -3
package/vault/container.js +479 -0
package/vault/crypto-container.js +278 -0
package/vault/deed-collector.js +286 -0
package/vault/deed-importer.js +277 -0
package/vault/deed.js +319 -0
package/vault/escrow.js +227 -0
package/vault/layers.js +254 -0
package/vault/registry.js +159 -0
package/vault/seal.js +74 -0
package/vault/tools-container.js +356 -0
package/vault/tools-deed.js +257 -0

package/vault/escrow.js ADDED Viewed

@@ -0,0 +1,227 @@
+// ============================================================
+// 0nMCP — Vault: Multi-Party Escrow System
+// ============================================================
+// X25519 ECDH key agreement for up to 8 escrow parties.
+// Each party receives encrypted shares for only the layers
+// they're authorized to access via the access matrix.
+//
+// Patent Pending: US Provisional Patent Application #63/990,046
+// ============================================================
+import { randomBytes } from "crypto";
+import {
+  generateEscrowKeyPair,
+  computeSharedSecret,
+  encryptAESRaw,
+  decryptAESRaw,
+  KEY_LENGTH,
+} from "./crypto-container.js";
+import { LAYER_NAMES, isValidLayer } from "./layers.js";
+const MAX_PARTIES = 8;
+/**
+ * Generate escrow keypair for a party.
+ *
+ * @returns {{ publicKey: Buffer, secretKey: Buffer, partyId: string }}
+ */
+export function generatePartyKeys() {
+  const pair = generateEscrowKeyPair();
+  const partyId = randomBytes(8).toString("hex");
+  return { ...pair, partyId };
+}
+/**
+ * Create per-layer encryption keys (one random 256-bit key per layer).
+ *
+ * @returns {Map<string, Buffer>} layerName → 32-byte AES key
+ */
+export function generateLayerKeys() {
+  const keys = new Map();
+  for (const name of LAYER_NAMES) {
+    keys.set(name, randomBytes(KEY_LENGTH));
+  }
+  return keys;
+}
+/**
+ * Create escrow shares for each party based on access matrix.
+ * Each party's share is encrypted with a shared secret derived via X25519.
+ *
+ * @param {Map<string, Buffer>} layerKeys - Per-layer encryption keys
+ * @param {Buffer} creatorSecretKey - Creator's X25519 secret key
+ * @param {Array<{ partyId: string, publicKey: Buffer }>} parties - Escrow parties
+ * @param {Object<string, Object<string, boolean>>} accessMatrix - Per-party, per-layer access
+ * @returns {Array<{ partyId: string, encryptedShare: Buffer, iv: Buffer, tag: Buffer, authorizedLayers: string[] }>}
+ */
+export function createEscrowShares(layerKeys, creatorSecretKey, parties, accessMatrix) {
+  if (parties.length > MAX_PARTIES) {
+    throw new Error(`Maximum ${MAX_PARTIES} escrow parties allowed`);
+  }
+  const shares = [];
+  for (const party of parties) {
+    const partyAccess = accessMatrix[party.partyId];
+    if (!partyAccess) {
+      throw new Error(`No access matrix entry for party: ${party.partyId}`);
+    }
+    // Collect only the layer keys this party is authorized for
+    const authorizedLayers = [];
+    const shareData = {};
+    for (const [layerName, hasAccess] of Object.entries(partyAccess)) {
+      if (hasAccess && layerKeys.has(layerName)) {
+        authorizedLayers.push(layerName);
+        shareData[layerName] = layerKeys.get(layerName).toString("base64");
+      }
+    }
+    if (authorizedLayers.length === 0) {
+      continue; // Skip parties with no access
+    }
+    // Compute shared secret via X25519
+    const sharedSecret = computeSharedSecret(creatorSecretKey, party.publicKey);
+    // Encrypt the share data with the shared secret
+    const plaintext = Buffer.from(JSON.stringify(shareData), "utf8");
+    const { ciphertext, iv, tag } = encryptAESRaw(plaintext, sharedSecret);
+    shares.push({
+      partyId: party.partyId,
+      encryptedShare: ciphertext,
+      iv,
+      tag,
+      authorizedLayers,
+    });
+  }
+  return shares;
+}
+/**
+ * Unwrap an escrow share using a party's secret key.
+ *
+ * @param {{ encryptedShare: Buffer, iv: Buffer, tag: Buffer }} share - Encrypted share
+ * @param {Buffer} partySecretKey - Party's X25519 secret key
+ * @param {Buffer} creatorPublicKey - Creator's X25519 public key
+ * @returns {Object<string, Buffer>} layerName → decrypted AES key
+ */
+export function unwrapEscrowShare(share, partySecretKey, creatorPublicKey) {
+  // Compute shared secret via X25519 (reverse direction)
+  const sharedSecret = computeSharedSecret(partySecretKey, creatorPublicKey);
+  // Decrypt the share
+  const decrypted = decryptAESRaw(share.encryptedShare, sharedSecret, share.iv, share.tag);
+  const shareData = JSON.parse(decrypted.toString("utf8"));
+  // Convert base64 keys back to Buffers
+  const layerKeys = {};
+  for (const [layerName, keyB64] of Object.entries(shareData)) {
+    layerKeys[layerName] = Buffer.from(keyB64, "base64");
+  }
+  return layerKeys;
+}
+/**
+ * Serialize escrow block for binary container format.
+ *
+ * @param {Array} shares - Escrow shares from createEscrowShares
+ * @param {Buffer} creatorPublicKey - Creator's X25519 public key (for unwrap)
+ * @returns {Buffer} Serialized escrow block
+ */
+export function serializeEscrowBlock(shares, creatorPublicKey) {
+  const parts = [];
+  // Party count (1 byte)
+  const countBuf = Buffer.alloc(1);
+  countBuf.writeUInt8(shares.length);
+  parts.push(countBuf);
+  // Creator escrow public key (32 bytes)
+  parts.push(creatorPublicKey);
+  for (const share of shares) {
+    // Party ID length (1 byte) + Party ID
+    const partyIdBuf = Buffer.from(share.partyId, "utf8");
+    const partyIdLen = Buffer.alloc(1);
+    partyIdLen.writeUInt8(partyIdBuf.length);
+    parts.push(partyIdLen, partyIdBuf);
+    // Authorized layer count (1 byte) + layer indices
+    const layerCount = Buffer.alloc(1);
+    layerCount.writeUInt8(share.authorizedLayers.length);
+    parts.push(layerCount);
+    for (const layerName of share.authorizedLayers) {
+      const idx = Buffer.alloc(1);
+      idx.writeUInt8(LAYER_NAMES.indexOf(layerName));
+      parts.push(idx);
+    }
+    // IV (12 bytes) + Tag (16 bytes) + Share length (4 bytes) + Share ciphertext
+    parts.push(share.iv);
+    parts.push(share.tag);
+    const shareLen = Buffer.alloc(4);
+    shareLen.writeUInt32BE(share.encryptedShare.length);
+    parts.push(shareLen, share.encryptedShare);
+  }
+  return Buffer.concat(parts);
+}
+/**
+ * Deserialize escrow block from binary.
+ *
+ * @param {Buffer} data - Serialized escrow block
+ * @returns {{ creatorPublicKey: Buffer, shares: Array }}
+ */
+export function deserializeEscrowBlock(data) {
+  let offset = 0;
+  const partyCount = data.readUInt8(offset);
+  offset += 1;
+  const creatorPublicKey = data.subarray(offset, offset + 32);
+  offset += 32;
+  const shares = [];
+  for (let i = 0; i < partyCount; i++) {
+    // Party ID
+    const partyIdLen = data.readUInt8(offset);
+    offset += 1;
+    const partyId = data.subarray(offset, offset + partyIdLen).toString("utf8");
+    offset += partyIdLen;
+    // Authorized layers
+    const layerCount = data.readUInt8(offset);
+    offset += 1;
+    const authorizedLayers = [];
+    for (let j = 0; j < layerCount; j++) {
+      const idx = data.readUInt8(offset);
+      offset += 1;
+      authorizedLayers.push(LAYER_NAMES[idx]);
+    }
+    // IV (12) + Tag (16) + Share
+    const iv = data.subarray(offset, offset + 12);
+    offset += 12;
+    const tag = data.subarray(offset, offset + 16);
+    offset += 16;
+    const shareLen = data.readUInt32BE(offset);
+    offset += 4;
+    const encryptedShare = data.subarray(offset, offset + shareLen);
+    offset += shareLen;
+    shares.push({ partyId, authorizedLayers, encryptedShare, iv, tag });
+  }
+  return { creatorPublicKey, shares };
+}
+export { MAX_PARTIES };

package/vault/layers.js ADDED Viewed

@@ -0,0 +1,254 @@
+// ============================================================
+// 0nMCP — Vault: Semantic Layer Manager
+// ============================================================
+// 7 named layers, each independently encrypted with AES-256-GCM.
+// The credentials layer (layer 2) uses double-encryption via
+// Argon2id for maximum protection of API keys and secrets.
+//
+// Patent Pending: US Provisional Patent Application #63/990,046
+// ============================================================
+import { encryptAES, decryptAES, deriveKeyArgon2, encryptAESRaw, decryptAESRaw, SALT_LENGTH } from "./crypto-container.js";
+import { randomBytes } from "crypto";
+// ── Layer Definitions ────────────────────────────────────────
+export const LAYER_NAMES = [
+  "workflows",      // 1: .0n workflow definitions
+  "credentials",    // 2: API keys, tokens, secrets (double-encrypted)
+  "env_vars",       // 3: Environment variables
+  "mcp_configs",    // 4: MCP server configurations
+  "site_profiles",  // 5: CRO9/site configs
+  "ai_brain",       // 6: AI agent data, prompts, memory
+  "audit_trail",    // 7: Execution logs, timestamps (append-only)
+];
+export const LAYER_COUNT = LAYER_NAMES.length;
+/**
+ * Check if a layer name is valid.
+ * @param {string} name
+ * @returns {boolean}
+ */
+export function isValidLayer(name) {
+  return LAYER_NAMES.includes(name);
+}
+/**
+ * Get the index of a layer by name.
+ * @param {string} name
+ * @returns {number} 0-based index, or -1 if not found
+ */
+export function getLayerIndex(name) {
+  return LAYER_NAMES.indexOf(name);
+}
+// ── Layer Encryption ─────────────────────────────────────────
+/**
+ * Seal (encrypt) a single layer's data.
+ *
+ * @param {string} name - Layer name
+ * @param {any} data - Data to encrypt (will be JSON.stringify'd)
+ * @param {string} passphrase - Encryption passphrase
+ * @returns {{ name: string, ciphertext: Buffer, iv: Buffer, salt: Buffer, tag: Buffer }}
+ */
+export function sealLayer(name, data, passphrase) {
+  if (!isValidLayer(name)) {
+    throw new Error(`Invalid layer name: "${name}". Valid: ${LAYER_NAMES.join(", ")}`);
+  }
+  const plaintext = JSON.stringify(data);
+  const result = encryptAES(plaintext, passphrase);
+  return {
+    name,
+    ciphertext: result.ciphertext,
+    iv: result.iv,
+    salt: result.salt,
+    tag: result.tag,
+  };
+}
+/**
+ * Unseal (decrypt) a single layer's data.
+ *
+ * @param {string} name - Layer name
+ * @param {Buffer} ciphertext
+ * @param {string} passphrase
+ * @param {Buffer} iv
+ * @param {Buffer} salt
+ * @param {Buffer} tag
+ * @returns {any} Parsed JSON data
+ */
+export function unsealLayer(name, ciphertext, passphrase, iv, salt, tag) {
+  if (!isValidLayer(name)) {
+    throw new Error(`Invalid layer name: "${name}"`);
+  }
+  const decrypted = decryptAES(ciphertext, passphrase, iv, salt, tag);
+  return JSON.parse(decrypted.toString("utf8"));
+}
+// ── Credentials Double-Encryption ────────────────────────────
+/**
+ * Seal credentials with double encryption:
+ * 1. First layer: AES-256-GCM with passphrase
+ * 2. Second layer: AES-256-GCM with Argon2id-derived key
+ *
+ * @param {any} data - Credentials data
+ * @param {string} passphrase - Encryption passphrase
+ * @returns {Promise<{ ciphertext: Buffer, iv: Buffer, salt: Buffer, tag: Buffer, argonSalt: Buffer, innerIv: Buffer, innerTag: Buffer }>}
+ */
+export async function sealCredentials(data, passphrase) {
+  const plaintext = Buffer.from(JSON.stringify(data), "utf8");
+  // Inner layer: Argon2id-derived key
+  const argonSalt = randomBytes(SALT_LENGTH);
+  const argonKey = await deriveKeyArgon2(passphrase, argonSalt);
+  const inner = encryptAESRaw(plaintext, argonKey);
+  // Outer layer: standard AES-256-GCM with passphrase
+  // Combine inner ciphertext + iv + tag for outer encryption
+  const innerPayload = Buffer.concat([inner.iv, inner.tag, inner.ciphertext]);
+  const outer = encryptAES(innerPayload, passphrase);
+  return {
+    ciphertext: outer.ciphertext,
+    iv: outer.iv,
+    salt: outer.salt,
+    tag: outer.tag,
+    argonSalt,
+    innerIv: inner.iv,
+    innerTag: inner.tag,
+  };
+}
+/**
+ * Unseal double-encrypted credentials.
+ *
+ * @param {Buffer} ciphertext
+ * @param {string} passphrase
+ * @param {Buffer} iv
+ * @param {Buffer} salt
+ * @param {Buffer} tag
+ * @param {Buffer} argonSalt
+ * @returns {Promise<any>} Parsed credentials
+ */
+export async function unsealCredentials(ciphertext, passphrase, iv, salt, tag, argonSalt) {
+  // Outer layer: decrypt with passphrase
+  const innerPayload = decryptAES(ciphertext, passphrase, iv, salt, tag);
+  // Extract inner components (iv:12 + tag:16 + ciphertext:rest)
+  const innerIv = innerPayload.subarray(0, 12);
+  const innerTag = innerPayload.subarray(12, 28);
+  const innerCiphertext = innerPayload.subarray(28);
+  // Inner layer: Argon2id-derived key
+  const argonKey = await deriveKeyArgon2(passphrase, argonSalt);
+  const decrypted = decryptAESRaw(innerCiphertext, argonKey, innerIv, innerTag);
+  return JSON.parse(decrypted.toString("utf8"));
+}
+// ── Bulk Layer Operations ────────────────────────────────────
+/**
+ * Seal multiple layers at once.
+ *
+ * @param {Object<string, any>} layerData - { layerName: data }
+ * @param {string} passphrase
+ * @returns {Promise<Map<string, object>>} Sealed layers
+ */
+export async function sealAllLayers(layerData, passphrase) {
+  const sealed = new Map();
+  for (const [name, data] of Object.entries(layerData)) {
+    if (!isValidLayer(name)) {
+      throw new Error(`Invalid layer: "${name}"`);
+    }
+    if (name === "credentials") {
+      const result = await sealCredentials(data, passphrase);
+      sealed.set(name, { ...result, doubleEncrypted: true });
+    } else {
+      const result = sealLayer(name, data, passphrase);
+      sealed.set(name, result);
+    }
+  }
+  return sealed;
+}
+/**
+ * Unseal multiple layers at once.
+ *
+ * @param {Map<string, object>} sealedLayers
+ * @param {string} passphrase
+ * @param {string[]} [onlyLayers] - Optional filter: only unseal these layers
+ * @returns {Promise<Object<string, any>>} Unsealed layer data
+ */
+export async function unsealAllLayers(sealedLayers, passphrase, onlyLayers = null) {
+  const result = {};
+  for (const [name, layerInfo] of sealedLayers) {
+    if (onlyLayers && !onlyLayers.includes(name)) continue;
+    if (name === "credentials" && layerInfo.doubleEncrypted) {
+      result[name] = await unsealCredentials(
+        layerInfo.ciphertext, passphrase,
+        layerInfo.iv, layerInfo.salt, layerInfo.tag,
+        layerInfo.argonSalt
+      );
+    } else {
+      result[name] = unsealLayer(
+        name, layerInfo.ciphertext, passphrase,
+        layerInfo.iv, layerInfo.salt, layerInfo.tag
+      );
+    }
+  }
+  return result;
+}
+// ── Layer Access Matrix ──────────────────────────────────────
+/**
+ * Create a layer access matrix for escrow parties.
+ *
+ * @param {Object<string, string[]>} partyAccess - { partyId: [layerNames] }
+ * @returns {Object<string, Object<string, boolean>>} Full matrix
+ */
+export function createAccessMatrix(partyAccess) {
+  const matrix = {};
+  for (const [partyId, layers] of Object.entries(partyAccess)) {
+    matrix[partyId] = {};
+    for (const layerName of LAYER_NAMES) {
+      matrix[partyId][layerName] = layers.includes(layerName);
+    }
+  }
+  return matrix;
+}
+/**
+ * Validate an access matrix.
+ *
+ * @param {Object} matrix
+ * @returns {{ valid: boolean, errors: string[] }}
+ */
+export function validateAccessMatrix(matrix) {
+  const errors = [];
+  for (const [partyId, access] of Object.entries(matrix)) {
+    for (const layerName of Object.keys(access)) {
+      if (!isValidLayer(layerName)) {
+        errors.push(`Party "${partyId}": invalid layer "${layerName}"`);
+      }
+    }
+  }
+  return { valid: errors.length === 0, errors };
+}

package/vault/registry.js ADDED Viewed

@@ -0,0 +1,159 @@
+// ============================================================
+// 0nMCP — Vault: Transfer Registry
+// ============================================================
+// In-memory + file-backed registry for tracking vault transfers.
+// Prevents replay attacks by rejecting duplicate transfer IDs.
+//
+// Patent Pending: US Provisional Patent Application #63/990,046
+// ============================================================
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+const VAULT_DIR = join(homedir(), ".0n", "vault");
+const REGISTRY_PATH = join(VAULT_DIR, "transfers.json");
+// In-memory cache
+let registry = null;
+/**
+ * Ensure vault directory exists and load registry from disk.
+ */
+function ensureRegistry() {
+  if (registry !== null) return;
+  if (!existsSync(VAULT_DIR)) {
+    mkdirSync(VAULT_DIR, { recursive: true });
+  }
+  if (existsSync(REGISTRY_PATH)) {
+    try {
+      registry = JSON.parse(readFileSync(REGISTRY_PATH, "utf-8"));
+    } catch {
+      registry = { transfers: {} };
+    }
+  } else {
+    registry = { transfers: {} };
+  }
+}
+/**
+ * Save registry to disk.
+ */
+function saveRegistry() {
+  if (!existsSync(VAULT_DIR)) {
+    mkdirSync(VAULT_DIR, { recursive: true });
+  }
+  writeFileSync(REGISTRY_PATH, JSON.stringify(registry, null, 2));
+}
+/**
+ * Register a new transfer.
+ *
+ * @param {string} transferId - UUID v4
+ * @param {string} sealHex - Seal of Truth hex string
+ * @param {Object} metadata - Additional metadata
+ * @returns {{ success: boolean, error?: string }}
+ */
+export function registerTransfer(transferId, sealHex, metadata = {}) {
+  ensureRegistry();
+  // Replay prevention
+  if (registry.transfers[transferId]) {
+    return {
+      success: false,
+      error: `Transfer ID "${transferId}" already registered — replay rejected`,
+    };
+  }
+  registry.transfers[transferId] = {
+    seal: sealHex,
+    registered_at: new Date().toISOString(),
+    status: "active",
+    ...metadata,
+  };
+  saveRegistry();
+  return { success: true, transferId };
+}
+/**
+ * Look up a transfer by ID.
+ *
+ * @param {string} transferId
+ * @returns {{ found: boolean, transfer?: Object }}
+ */
+export function lookupTransfer(transferId) {
+  ensureRegistry();
+  const transfer = registry.transfers[transferId];
+  if (!transfer) {
+    return { found: false };
+  }
+  return { found: true, transfer: { transferId, ...transfer } };
+}
+/**
+ * Revoke a transfer.
+ *
+ * @param {string} transferId
+ * @returns {{ success: boolean, error?: string }}
+ */
+export function revokeTransfer(transferId) {
+  ensureRegistry();
+  if (!registry.transfers[transferId]) {
+    return { success: false, error: `Transfer ID "${transferId}" not found` };
+  }
+  if (registry.transfers[transferId].status === "revoked") {
+    return { success: false, error: `Transfer "${transferId}" is already revoked` };
+  }
+  registry.transfers[transferId].status = "revoked";
+  registry.transfers[transferId].revoked_at = new Date().toISOString();
+  saveRegistry();
+  return { success: true, transferId, message: `Transfer "${transferId}" has been revoked` };
+}
+/**
+ * List all transfers.
+ *
+ * @param {string} [status] - Optional filter: "active", "revoked"
+ * @returns {Array<Object>}
+ */
+export function listTransfers(status = null) {
+  ensureRegistry();
+  const transfers = [];
+  for (const [id, data] of Object.entries(registry.transfers)) {
+    if (status && data.status !== status) continue;
+    transfers.push({ transferId: id, ...data });
+  }
+  return transfers;
+}
+/**
+ * Check if a transfer ID has been used (for replay prevention).
+ *
+ * @param {string} transferId
+ * @returns {boolean}
+ */
+export function isTransferUsed(transferId) {
+  ensureRegistry();
+  return !!registry.transfers[transferId];
+}
+/**
+ * Reset registry (for testing only).
+ */
+export function resetRegistry() {
+  registry = { transfers: {} };
+  saveRegistry();
+}

package/vault/seal.js ADDED Viewed

@@ -0,0 +1,74 @@
+// ============================================================
+// 0nMCP — Vault: Seal of Truth
+// ============================================================
+// SHA3-256 based content certification hash.
+// Publicly verifiable — anyone can confirm container integrity
+// without decrypting any layer data.
+//
+// Formula:
+//   SHA3-256(transfer_id || timestamp || pubkey || SHA3-256(concat(all_ciphertexts)))
+//
+// Patent Pending: US Provisional Patent Application #63/990,046
+// ============================================================
+import { sha3, sha3Hex } from "./crypto-container.js";
+/**
+ * Create a Seal of Truth for a vault container.
+ *
+ * @param {string} transferId - UUID v4 transfer ID
+ * @param {number} timestamp - Unix timestamp (ms)
+ * @param {Buffer} pubkey - Ed25519 public key (32 bytes)
+ * @param {Buffer[]} layerCiphertexts - Array of encrypted layer data
+ * @returns {{ seal: Buffer, sealHex: string }}
+ */
+export function createSeal(transferId, timestamp, pubkey, layerCiphertexts) {
+  // Hash all ciphertexts together
+  const contentHash = sha3(Buffer.concat(layerCiphertexts));
+  // Combine components: transferId || timestamp || pubkey || contentHash
+  const transferIdBuf = Buffer.from(transferId, "utf8");
+  const timestampBuf = Buffer.alloc(8);
+  timestampBuf.writeBigUInt64BE(BigInt(timestamp));
+  const sealInput = Buffer.concat([transferIdBuf, timestampBuf, pubkey, contentHash]);
+  const seal = sha3(sealInput);
+  return {
+    seal,
+    sealHex: seal.toString("hex"),
+  };
+}
+/**
+ * Verify a Seal of Truth.
+ *
+ * @param {Buffer} seal - 32-byte seal hash
+ * @param {string} transferId
+ * @param {number} timestamp
+ * @param {Buffer} pubkey
+ * @param {Buffer[]} layerCiphertexts
+ * @returns {boolean} True if seal matches
+ */
+export function verifySeal(seal, transferId, timestamp, pubkey, layerCiphertexts) {
+  const expected = createSeal(transferId, timestamp, pubkey, layerCiphertexts);
+  return Buffer.compare(seal, expected.seal) === 0;
+}
+/**
+ * Generate a human-readable seal summary.
+ *
+ * @param {Buffer} seal
+ * @param {string} transferId
+ * @param {number} timestamp
+ * @returns {string}
+ */
+export function sealSummary(seal, transferId, timestamp) {
+  return [
+    `Seal of Truth: ${seal.toString("hex")}`,
+    `Transfer ID:   ${transferId}`,
+    `Timestamp:     ${new Date(timestamp).toISOString()}`,
+    `Algorithm:     SHA3-256`,
+    `Status:        Verified ✓`,
+  ].join("\n");
+}