npm - @adastracomputing/ink - Versions diffs - 0.1.0-alpha.0 → 0.1.0-alpha.1 - Mend

@adastracomputing/ink 0.1.0-alpha.0 → 0.1.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,22 @@ here. Pre-1.0 releases follow `0.Y.Z` semantics, see
 No unreleased changes.
+## 0.1.0-alpha.1, spec clarification
+Spec-only release. Reference-implementation code in `src/` is
+unchanged from `0.1.0-alpha.0`; the bundled spec text is updated.
+### Spec changes
+- `specs/ink-auditability.md` now pins the canonical
+  inclusion-receipt signature format: `ink/audit-inclusion/v1\n` +
+  JCS(`{eventId, leafIndex, treeSize, rootHash, timestamp}`).
+  Previously the spec described the signature as "over (eventId +
+  treeSize + rootHash + timestamp)" without specifying a separator
+  or encoding, which caused interop drift between implementations.
+  No code change in this package; downstream witness and verifier
+  implementations should align with the canonical format.
 ## 0.1.0-alpha.0, first public alpha
 Initial open-source release of the INK protocol reference implementation

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@adastracomputing/ink",
-  "version": "0.1.0-alpha.0",
+  "version": "0.1.0-alpha.1",
   "description": "Reference implementation and specification of the INK (Inter-agent Networking Kernel) protocol",
   "license": "MIT OR Apache-2.0",
   "author": "Ad Astra Computing Inc.",
@@ -46,7 +46,7 @@
   },
   "dependencies": {
     "@noble/curves": "^2.2.0",
-    "@noble/ed25519": "^2.1.0",
+    "@noble/ed25519": "^3.1.0",
     "@noble/hashes": "^1.8.0",
     "canonicalize": "^2.1.0",
     "zod": "^3.23.0"
@@ -58,7 +58,7 @@
     "@typescript-eslint/parser": "^8.60.0",
     "eslint": "^10.4.0",
     "tsx": "^4.22.3",
-    "typescript": "^5.6.0",
+    "typescript": "^6.0.3",
     "vitest": "^4.1.7"
   },
   "keywords": [

package/specs/ink-auditability.md CHANGED Viewed

@@ -498,10 +498,18 @@ Authorization: INK-Ed25519 <signature>
   "leafIndex": 48290,
   "rootHash": "<SHA-256 hex of Merkle tree root>",
   "timestamp": "2026-03-19T12:00:01Z",
-  "serviceSignature": "<Ed25519 signature over (eventId + treeSize + rootHash + timestamp)>"
+  "serviceSignature": "<Ed25519 signature, see canonical format below>"
 }
 ```
+**Canonical signature format.** `serviceSignature` is an Ed25519 signature over the bytes:
+```
+"ink/audit-inclusion/v1\n" || JCS(receipt-fields-without-serviceSignature)
+```
+where `JCS` is the RFC 8785 canonical JSON serialization of the inclusion-receipt object with all top-level fields except `serviceSignature` itself. The receipt object's fields used for the signature MUST be exactly `{eventId, leafIndex, treeSize, rootHash, timestamp}`. `protocol` and `type` are envelope metadata, not part of the signed payload. Verifiers reconstruct the signed bytes from the response and check the signature against the witness's published Ed25519 public key.
 The inclusion receipt is analogous to CT's Signed Certificate Timestamp (SCT). The agent stores it alongside the audit event and can present it as proof of timely submission.
 #### 7.3 Verification Protocol

package/src/crypto/keys.ts CHANGED Viewed

@@ -17,9 +17,8 @@ export interface Keypair {
 /** Generate a new Ed25519 keypair (signing). */
 export async function generateKeypair(): Promise<Keypair> {
-  const privateKey = ed.utils.randomPrivateKey();
-  const publicKey = await ed.getPublicKeyAsync(privateKey);
-  return { privateKey, publicKey };
+  const { secretKey, publicKey } = await ed.keygenAsync();
+  return { privateKey: secretKey, publicKey };
 }
 /** Generate a new X25519 keypair (encryption). */