@adastracomputing/ink 0.1.6 → 0.2.0

package/CHANGELOG.md

@@ -4,9 +4,23 @@ All notable changes to INK are recorded
 here. Pre-1.0 releases follow `0.Y.Z` semantics, see
 [`docs/maturity.md`](docs/maturity.md) for the versioning policy.
 
-## Unreleased
+## 0.2.0, version-keyed body-signature domain
 
-No unreleased changes.
+Version-keyed body-signature domain. The body message signature is now domain-separated by protocol version. ink/0.1 messages, and any object with no explicit ink/0.2 protocol, keep the legacy `tulpa/sign` domain so every signature produced to date still verifies. ink/0.2 messages are signed and verified under the neutral `ink/sign` domain. The verifier selects exactly one domain from the signed `protocol` field and never tries an alternate, so a signature made under one version's domain cannot be replayed under another.
+
+This change is receiver-first and backward compatible. Verifiers accept both versions and `MessageEnvelopeSchema` now accepts ink/0.1 and ink/0.2 as a strict enum, rejecting any unknown version. Senders still emit ink/0.1 by default. The HTTP transport-auth signature is unchanged.
+
+New vectors in `test-vectors/body-signature.json` pin the version-keyed domain including the cross-version and tamper cases. The standalone Python interop client verifies them identically.
+
+Per the pre-1.0 policy this release publishes under the `next` dist-tag.
+
+## 0.1.7, expose per-intent payload schemas and getPayloadSchema from the package root
+
+Pure additive release. Re-exports every per-intent Zod payload schema (`ScheduleMeetingPayloadSchema`, `IntroRequestPayloadSchema`, `OpportunityPayloadSchema`, `ConnectionRequestPayloadSchema`, `FollowUpPayloadSchema`, `AskPayloadSchema`, `PingPayloadSchema`, `RetractPayloadSchema`, `ContextSharePayloadSchema`, `MultiPartySyncPayloadSchema`, plus the matching `*ResponsePayloadSchema` variants) and the `getPayloadSchema(intent)` resolver from the package root. Adopters writing intent-aware receivers / handlers can now type their dispatch surface directly against the canonical payload shapes.
+
+No wire-level changes. No behavior changes inside the existing functions. Receivers on 0.1.6 work unchanged on 0.1.7.
+
+Per the pre-1.0 policy this release publishes under the `next` dist-tag.
 
 ## 0.1.6, expose intent + key-entry types and add optional inclusionProof to InkAuditInclusionSchema
 
@@ -71,7 +85,7 @@ Fixes the v0.1.1 erratum: the Python `examples/interop-cli/` shipped in v0.1.1 e
 
 **CLI now builds `connection_request` envelopes.** `ink-interop send/build --intent-type connection_request` (or the alias `connection`) constructs a `ConnectionRequestPayloadSchema`-conformant payload (`method`, `context`, `profileSnapshot`). This is the bootstrap intent for first contact between strangers: receivers that opt in to foreign senders verify the body signature against the inline key extracted from the sender's `did:key` (trust-on-first-use). Other intent types (`intro_request`, `ask`, `follow_up`) presume the sender is already a known contact and remain reserved for established relationships.
 
-Verified end-to-end against `https://api.tulpa.network/ink/v1/<agentId>/intent`: a `did:key:` `connection_request` from `ink-interop send` lands as a pending action in the recipient's inbox (`status: 200`, `accepted: true`, `pendingActionId: 01KT…`). Coverage spans schema validation, body + transport signature verification, replay/freshness, identity resolution, routing, the foreign-DID policy gate, and shield risk-scoring. Tests pinned to the canonical shape (`tests/test_envelope.py`) prevent regression. The npm library itself is unchanged from v0.1.1.
+Verified end-to-end against `https://api.tulpa.network/ink/v1/<agentId>/intent`: a `did:key:` `connection_request` from `ink-interop send` lands as a pending action in the recipient's inbox (`status: 200`, `accepted: true`, `pendingActionId: 01KT…`). Coverage spans schema validation, body + transport signature verification, replay/freshness, identity resolution, routing, and the foreign-DID policy gate. Tests pinned to the canonical shape (`tests/test_envelope.py`) prevent regression. The npm library itself is unchanged from v0.1.1.
 
 **Example-helper API break.** `examples/interop-cli/`'s Python helper `build_intent_envelope()` now requires `keypair`, replaces `intent_type`/`purpose`/`timestamp` with canonical args (`target`, `reason`, `created_at`, etc.), and removes the `extra=` kwarg. Adopters who imported the old helper directly will need to update their calls — the previous signature emitted invalid wire data so no callable interop existed there to preserve. This is an example-only change; the npm library (`@adastracomputing/ink`) exports are unchanged.
 

package/dist/crypto/sign.d.ts

@@ -3,7 +3,7 @@
  *
  * 1. Remove `signature` field if present
  * 2. JCS canonicalize (RFC 8785) via `canonicalize` library
- * 3. Sign canonical bytes directly with Ed25519
+ * 3. Sign domain-prefixed canonical bytes directly with Ed25519
  * 4. Return base64url-encoded signature (no padding)
  */
 export declare function signMessage(message: Record<string, unknown>, privateKey: Uint8Array): Promise<string>;

package/dist/crypto/sign.js

@@ -54,12 +54,39 @@ function isWithinBounds(value) {
     }
     return walk(value, 0);
 }
+/**
+ * Body-signature domain-separation prefix, keyed off the message's
+ * declared `protocol` version.
+ *
+ * - `ink/0.2` -> `ink/sign\n` (neutral, current).
+ * - everything else (`ink/0.1`, or any object with no explicit
+ *   `ink/0.2` protocol) -> `tulpa/sign\n`, the legacy domain, kept
+ *   forever so every signature ever produced still verifies.
+ *
+ * The prefix is derived from the `protocol` field that is part of the
+ * signed body, so a verifier selects exactly one domain and tampering
+ * with `protocol` after signing breaks the signature (an `ink/0.2` body
+ * re-labelled `ink/0.1` is verified under `tulpa/sign\n` against a
+ * signature made over `ink/sign\n`, and fails). Only the exact string
+ * `"ink/0.2"` switches domains, so no other value can smuggle one in.
+ *
+ * This raw signer stays permissive on purpose: it is a general-purpose
+ * Ed25519 message signer (receipts, arbitrary objects), not envelope-
+ * specific. Strict "reject unknown protocol version" lives at the
+ * envelope schema layer, which validates `protocol` against the allowed
+ * set before this function is reached.
+ */
+const LEGACY_SIGN_DOMAIN = "tulpa/sign\n";
+const V02_SIGN_DOMAIN = "ink/sign\n";
+function bodySignatureDomain(unsigned) {
+    return unsigned.protocol === "ink/0.2" ? V02_SIGN_DOMAIN : LEGACY_SIGN_DOMAIN;
+}
 /**
  * Sign a message object using Ed25519.
  *
  * 1. Remove `signature` field if present
  * 2. JCS canonicalize (RFC 8785) via `canonicalize` library
- * 3. Sign canonical bytes directly with Ed25519
+ * 3. Sign domain-prefixed canonical bytes directly with Ed25519
  * 4. Return base64url-encoded signature (no padding)
  */
 export async function signMessage(message, privateKey) {
@@ -83,8 +110,10 @@ export async function signMessage(message, privateKey) {
     if (canonical.length > MAX_MESSAGE_CANONICAL_BYTES) {
         throw new Error("Canonicalized message exceeds maximum allowed size");
     }
-    // Domain-separated signing to prevent cross-protocol signature replay
-    const prefixed = `tulpa/sign\n${canonical}`;
+    // Domain-separated signing to prevent cross-protocol signature replay.
+    // Domain is keyed off the (signed) protocol version; see
+    // bodySignatureDomain. Legacy ink/0.1 keeps the tulpa/sign domain.
+    const prefixed = `${bodySignatureDomain(unsigned)}${canonical}`;
     const bytes = new TextEncoder().encode(prefixed);
     const sig = await ed.signAsync(bytes, privateKey);
     return base64urlEncode(sig);
@@ -124,9 +153,12 @@ export async function verifyMessage(message, publicKey) {
     if (canonical.length > MAX_MESSAGE_CANONICAL_BYTES) {
         return false;
     }
-    // Domain-prefixed verification only — legacy unprefixed signatures are no longer accepted.
-    // signMessage() has always used `tulpa/sign\n` prefix; no callers produce unprefixed signatures.
-    const prefixed = `tulpa/sign\n${canonical}`;
+    // Domain-prefixed verification only. The domain is selected from the
+    // signed `protocol` field (see bodySignatureDomain); a verifier never
+    // tries an alternate prefix, so a signature made under one version's
+    // domain cannot be replayed under another. Legacy unprefixed
+    // signatures are not accepted.
+    const prefixed = `${bodySignatureDomain(unsigned)}${canonical}`;
     const prefixedBytes = new TextEncoder().encode(prefixed);
     try {
         const sig = base64urlDecode(signature);

package/dist/index.d.ts

@@ -16,12 +16,12 @@ export type { InkAuditEventType, InkAuditEvent, InkAuditInclusion, InkReceipt, I
 export { InkChallengeSchema, InkRejectionSchema, InkResolutionSchema, InkTransportSchema, } from "./models/ink-handshake.js";
 export type { AgentCardVisibility, InkChallenge, InkRejection, InkResolution, InkTransport, } from "./models/ink-handshake.js";
 export { AgentCardSchema } from "./models/agent-card.js";
-export { validateMessage, MessageEnvelopeSchema, IntentTypeSchema, } from "./models/intent.js";
-export type { MessageEnvelope, IntentType, } from "./models/intent.js";
+export { validateMessage, getPayloadSchema, MessageEnvelopeSchema, ProtocolVersionSchema, INK_PROTOCOL_VERSIONS, IntentTypeSchema, ScheduleMeetingPayloadSchema, ScheduleMeetingResponsePayloadSchema, IntroRequestPayloadSchema, IntroResponsePayloadSchema, OpportunityPayloadSchema, OpportunityResponsePayloadSchema, ConnectionRequestPayloadSchema, ConnectionResponsePayloadSchema, FollowUpPayloadSchema, AskPayloadSchema, AskResponsePayloadSchema, PingPayloadSchema, RetractPayloadSchema, ContextSharePayloadSchema, MultiPartySyncPayloadSchema, } from "./models/intent.js";
+export type { MessageEnvelope, ProtocolVersion, IntentType, } from "./models/intent.js";
 export { KeyStatusSchema, KeyRoleSchema, KeyEntrySchema, } from "./models/key-entry.js";
 export type { KeyStatus, KeyRole, KeyEntry, StoredKey, } from "./models/key-entry.js";
 export type { InkSignInput } from "./crypto/ink.js";
 export type { CandidateKey } from "./models/key-entry.js";
-export { resolveAgentInbox } from "./models/agent-card.js";
+export { resolveAgentInbox, agentSupportedProtocolVersions } from "./models/agent-card.js";
 export type { AgentCard } from "./models/agent-card.js";
 export type { BudgetCheckResult, HandshakeBudgetConfig, } from "./ink/handshake-budget.js";

package/dist/index.js

@@ -32,9 +32,9 @@ export { AgentCardSchema } from "./models/agent-card.js";
 // reject malformed envelopes before signature verification; without
 // it they have to re-implement the schema check or import from a
 // non-public path.
-export { validateMessage, MessageEnvelopeSchema, IntentTypeSchema, } from "./models/intent.js";
+export { validateMessage, getPayloadSchema, MessageEnvelopeSchema, ProtocolVersionSchema, INK_PROTOCOL_VERSIONS, IntentTypeSchema, ScheduleMeetingPayloadSchema, ScheduleMeetingResponsePayloadSchema, IntroRequestPayloadSchema, IntroResponsePayloadSchema, OpportunityPayloadSchema, OpportunityResponsePayloadSchema, ConnectionRequestPayloadSchema, ConnectionResponsePayloadSchema, FollowUpPayloadSchema, AskPayloadSchema, AskResponsePayloadSchema, PingPayloadSchema, RetractPayloadSchema, ContextSharePayloadSchema, MultiPartySyncPayloadSchema, } from "./models/intent.js";
 // Key-entry types and schemas for adopters wiring their own key-set
 // storage and rotation. `CandidateKey` was already root-exported via
 // the verifier surface; this batch adds the persistence shapes.
 export { KeyStatusSchema, KeyRoleSchema, KeyEntrySchema, } from "./models/key-entry.js";
-export { resolveAgentInbox } from "./models/agent-card.js";
+export { resolveAgentInbox, agentSupportedProtocolVersions } from "./models/agent-card.js";

package/dist/ink/discovery-gating.d.ts

@@ -96,9 +96,9 @@ export declare const AgentCardResponseSchema: z.ZodObject<{
                 timezone: z.ZodString;
                 meetingHours: z.ZodOptional<z.ZodString>;
                 responseSla: z.ZodOptional<z.ZodString>;
-            }, z.core.$strip>>;
+            }, z.core.$strict>>;
             openTo: z.ZodArray<z.ZodString>;
-        }, z.core.$strip>>;
+        }, z.core.$strict>>;
         capabilities: z.ZodObject<{
             intentsAccepted: z.ZodArray<z.ZodEnum<{
                 schedule_meeting: "schedule_meeting";
@@ -202,6 +202,7 @@ export declare const AgentCardResponseSchema: z.ZodObject<{
         currentSigningKeyId: z.ZodOptional<z.ZodString>;
         currentEncryptionKeyId: z.ZodOptional<z.ZodString>;
         keySetVersion: z.ZodOptional<z.ZodNumber>;
+        supportedProtocolVersions: z.ZodOptional<z.ZodArray<z.ZodString>>;
         visibility: z.ZodOptional<z.ZodEnum<{
             public: "public";
             network_only: "network_only";

package/dist/models/agent-card.d.ts

@@ -23,9 +23,9 @@ export declare const AgentCardSchema: z.ZodObject<{
             timezone: z.ZodString;
             meetingHours: z.ZodOptional<z.ZodString>;
             responseSla: z.ZodOptional<z.ZodString>;
-        }, z.core.$strip>>;
+        }, z.core.$strict>>;
         openTo: z.ZodArray<z.ZodString>;
-    }, z.core.$strip>>;
+    }, z.core.$strict>>;
     capabilities: z.ZodObject<{
         intentsAccepted: z.ZodArray<z.ZodEnum<{
             schedule_meeting: "schedule_meeting";
@@ -129,6 +129,7 @@ export declare const AgentCardSchema: z.ZodObject<{
     currentSigningKeyId: z.ZodOptional<z.ZodString>;
     currentEncryptionKeyId: z.ZodOptional<z.ZodString>;
     keySetVersion: z.ZodOptional<z.ZodNumber>;
+    supportedProtocolVersions: z.ZodOptional<z.ZodArray<z.ZodString>>;
     visibility: z.ZodOptional<z.ZodEnum<{
         public: "public";
         network_only: "network_only";
@@ -153,6 +154,12 @@ export declare const AgentCardSchema: z.ZodObject<{
     }, z.core.$strip>>;
 }, z.core.$strip>;
 export type AgentCard = z.infer<typeof AgentCardSchema>;
+/**
+ * The message protocol versions a card's receiver can verify. Falls back
+ * to ink/0.1 when the card does not advertise the field, so a sender
+ * defaults to the original version for any card that predates it.
+ */
+export declare function agentSupportedProtocolVersions(card: Pick<AgentCard, "supportedProtocolVersions">): string[];
 /**
  * Return the inbound message URL for an Agent Card.
  *

package/dist/models/agent-card.js

@@ -58,6 +58,18 @@ export const AgentCardSchema = z.object({
     currentSigningKeyId: z.string().optional(),
     currentEncryptionKeyId: z.string().optional(),
     keySetVersion: z.number().int().positive().optional(),
+    // Message protocol versions this agent's receiver can verify on the
+    // body signature. When absent, assume ink/0.1 only. A sender MUST NOT
+    // emit a newer version to a card that does not advertise it; advertising
+    // a version here is necessary but not sufficient for a sender to use it.
+    //
+    // The entries are advisory hints, so they are accepted as bounded
+    // strings rather than the strict version enum: a newer peer may
+    // advertise a version this build does not know yet, and that must not
+    // make its whole card unparseable. A sender intersects this list with
+    // the versions it can actually emit. The strict enum lives on the
+    // envelope (MessageEnvelopeSchema), where an unknown version is rejected.
+    supportedProtocolVersions: z.array(z.string().max(16)).max(8).optional(),
     // Containment extension (Phase 1)
     visibility: AgentCardVisibilitySchema.optional(),
     governance: z.object({
@@ -83,6 +95,15 @@ export const AgentCardSchema = z.object({
         });
     }
 });
+/**
+ * The message protocol versions a card's receiver can verify. Falls back
+ * to ink/0.1 when the card does not advertise the field, so a sender
+ * defaults to the original version for any card that predates it.
+ */
+export function agentSupportedProtocolVersions(card) {
+    const advertised = card.supportedProtocolVersions;
+    return advertised && advertised.length > 0 ? advertised : ["ink/0.1"];
+}
 /**
  * Return the inbound message URL for an Agent Card.
  *

package/dist/models/intent.d.ts

@@ -33,7 +33,7 @@ export declare const ScheduleMeetingPayloadSchema: z.ZodObject<{
     }>;
     context: z.ZodOptional<z.ZodString>;
     location: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const ScheduleMeetingResponsePayloadSchema: z.ZodObject<{
     status: z.ZodEnum<{
         accepted: "accepted";
@@ -50,7 +50,7 @@ export declare const ScheduleMeetingResponsePayloadSchema: z.ZodObject<{
         too_busy: "too_busy";
         deferred: "deferred";
     }>>;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const IntroRequestPayloadSchema: z.ZodObject<{
     target: z.ZodString;
     reason: z.ZodString;
@@ -59,7 +59,7 @@ export declare const IntroRequestPayloadSchema: z.ZodObject<{
         low: "low";
         normal: "normal";
     }>;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const IntroResponsePayloadSchema: z.ZodObject<{
     status: z.ZodEnum<{
         declined: "declined";
@@ -72,7 +72,7 @@ export declare const IntroResponsePayloadSchema: z.ZodObject<{
         declined: "declined";
         pending: "pending";
     }>>;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const OpportunityPayloadSchema: z.ZodObject<{
     type: z.ZodEnum<{
         role: "role";
@@ -88,7 +88,7 @@ export declare const OpportunityPayloadSchema: z.ZodObject<{
     matchReason: z.ZodString;
     expiresAt: z.ZodOptional<z.ZodString>;
     url: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const OpportunityResponsePayloadSchema: z.ZodObject<{
     status: z.ZodEnum<{
         not_interested: "not_interested";
@@ -113,7 +113,7 @@ export declare const OpportunityResponsePayloadSchema: z.ZodObject<{
         retract: "retract";
         multi_party_sync: "multi_party_sync";
     }>>;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const ConnectionRequestPayloadSchema: z.ZodObject<{
     method: z.ZodEnum<{
         qr: "qr";
@@ -131,10 +131,10 @@ export declare const ConnectionRequestPayloadSchema: z.ZodObject<{
             timezone: z.ZodString;
             meetingHours: z.ZodOptional<z.ZodString>;
             responseSla: z.ZodOptional<z.ZodString>;
-        }, z.core.$strip>>;
+        }, z.core.$strict>>;
         openTo: z.ZodArray<z.ZodString>;
-    }, z.core.$strip>;
-}, z.core.$strip>;
+    }, z.core.$strict>;
+}, z.core.$strict>;
 export declare const ConnectionResponsePayloadSchema: z.ZodObject<{
     status: z.ZodEnum<{
         accepted: "accepted";
@@ -149,11 +149,11 @@ export declare const ConnectionResponsePayloadSchema: z.ZodObject<{
             timezone: z.ZodString;
             meetingHours: z.ZodOptional<z.ZodString>;
             responseSla: z.ZodOptional<z.ZodString>;
-        }, z.core.$strip>>;
+        }, z.core.$strict>>;
         openTo: z.ZodArray<z.ZodString>;
-    }, z.core.$strip>>;
+    }, z.core.$strict>>;
     note: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const FollowUpPayloadSchema: z.ZodObject<{
     referenceId: z.ZodString;
     message: z.ZodString;
@@ -163,7 +163,7 @@ export declare const FollowUpPayloadSchema: z.ZodObject<{
         review: "review";
         none: "none";
     }>>;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const AskPayloadSchema: z.ZodObject<{
     question: z.ZodString;
     context: z.ZodOptional<z.ZodString>;
@@ -173,18 +173,18 @@ export declare const AskPayloadSchema: z.ZodObject<{
     }>>;
     choices: z.ZodOptional<z.ZodArray<z.ZodString>>;
     deadline: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const AskResponsePayloadSchema: z.ZodObject<{
     answer: z.ZodString;
     choiceIndex: z.ZodOptional<z.ZodNumber>;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const PingPayloadSchema: z.ZodObject<{
     note: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const RetractPayloadSchema: z.ZodObject<{
     targetMessageId: z.ZodString;
     reason: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const ContextSharePayloadSchema: z.ZodObject<{
     context: z.ZodString;
     category: z.ZodEnum<{
@@ -196,7 +196,7 @@ export declare const ContextSharePayloadSchema: z.ZodObject<{
     }>;
     referenceId: z.ZodOptional<z.ZodString>;
     expiresAt: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const MultiPartySyncPayloadSchema: z.ZodObject<{
     enclaveType: z.ZodEnum<{
         meeting_sync: "meeting_sync";
@@ -204,7 +204,7 @@ export declare const MultiPartySyncPayloadSchema: z.ZodObject<{
     purpose: z.ZodString;
     participants: z.ZodArray<z.ZodString>;
     expiresAt: z.ZodString;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const MessageProvenanceSchema: z.ZodOptional<z.ZodObject<{
     origin: z.ZodEnum<{
         human: "human";
@@ -213,9 +213,25 @@ export declare const MessageProvenanceSchema: z.ZodOptional<z.ZodObject<{
     }>;
     extensionId: z.ZodString;
     installationId: z.ZodString;
-}, z.core.$strip>>;
+}, z.core.$strict>>;
+/**
+ * INK protocol versions a receiver accepts. ink/0.1 is the original wire
+ * version; ink/0.2 differs only in the body-signature domain (see
+ * src/crypto/sign.ts). The enum is strict: an unknown version is rejected
+ * at schema validation, never inferred. Senders still emit ink/0.1 by
+ * default; emitting ink/0.2 is a later, negotiated step.
+ */
+export declare const INK_PROTOCOL_VERSIONS: readonly ["ink/0.1", "ink/0.2"];
+export declare const ProtocolVersionSchema: z.ZodEnum<{
+    "ink/0.1": "ink/0.1";
+    "ink/0.2": "ink/0.2";
+}>;
+export type ProtocolVersion = z.infer<typeof ProtocolVersionSchema>;
 export declare const MessageEnvelopeSchema: z.ZodObject<{
-    protocol: z.ZodLiteral<"ink/0.1">;
+    protocol: z.ZodEnum<{
+        "ink/0.1": "ink/0.1";
+        "ink/0.2": "ink/0.2";
+    }>;
     id: z.ZodString;
     correlationId: z.ZodString;
     createdAt: z.ZodString;
@@ -242,6 +258,8 @@ export declare const MessageEnvelopeSchema: z.ZodObject<{
     payload: z.ZodUnknown;
     signature: z.ZodString;
     signingKeyId: z.ZodOptional<z.ZodString>;
+    timestamp: z.ZodOptional<z.ZodString>;
+    nonce: z.ZodOptional<z.ZodString>;
     provenance: z.ZodOptional<z.ZodObject<{
         origin: z.ZodEnum<{
             human: "human";
@@ -250,8 +268,8 @@ export declare const MessageEnvelopeSchema: z.ZodObject<{
         }>;
         extensionId: z.ZodString;
         installationId: z.ZodString;
-    }, z.core.$strip>>;
-}, z.core.$strip>;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
 export type MessageEnvelope = z.infer<typeof MessageEnvelopeSchema>;
 /**
  * Validate a message envelope AND its payload based on the intent type.
@@ -260,6 +278,10 @@ export type MessageEnvelope = z.infer<typeof MessageEnvelopeSchema>;
 export declare function validateMessage(raw: unknown): MessageEnvelope;
 /**
  * Get the payload schema for a given intent type.
+ *
+ * Runtime-validates the `intent` argument against IntentTypeSchema so a
+ * JS caller cannot pass an arbitrary string and silently get `undefined`
+ * back; the function instead throws ZodError on an invalid intent.
  */
 export declare function getPayloadSchema(intent: IntentType): z.ZodObject<{
     proposedTimes: z.ZodArray<z.ZodString>;
@@ -277,7 +299,7 @@ export declare function getPayloadSchema(intent: IntentType): z.ZodObject<{
     }>;
     context: z.ZodOptional<z.ZodString>;
     location: z.ZodOptional<z.ZodString>;
-}, z.core.$strip> | z.ZodObject<{
+}, z.core.$strict> | z.ZodObject<{
     status: z.ZodEnum<{
         accepted: "accepted";
         declined: "declined";
@@ -293,7 +315,7 @@ export declare function getPayloadSchema(intent: IntentType): z.ZodObject<{
         too_busy: "too_busy";
         deferred: "deferred";
     }>>;
-}, z.core.$strip> | z.ZodObject<{
+}, z.core.$strict> | z.ZodObject<{
     target: z.ZodString;
     reason: z.ZodString;
     context: z.ZodOptional<z.ZodString>;
@@ -301,7 +323,7 @@ export declare function getPayloadSchema(intent: IntentType): z.ZodObject<{
         low: "low";
         normal: "normal";
     }>;
-}, z.core.$strip> | z.ZodObject<{
+}, z.core.$strict> | z.ZodObject<{
     status: z.ZodEnum<{
         declined: "declined";
         forwarded: "forwarded";
@@ -313,7 +335,7 @@ export declare function getPayloadSchema(intent: IntentType): z.ZodObject<{
         declined: "declined";
         pending: "pending";
     }>>;
-}, z.core.$strip> | z.ZodObject<{
+}, z.core.$strict> | z.ZodObject<{
     type: z.ZodEnum<{
         role: "role";
         investment: "investment";
@@ -328,7 +350,7 @@ export declare function getPayloadSchema(intent: IntentType): z.ZodObject<{
     matchReason: z.ZodString;
     expiresAt: z.ZodOptional<z.ZodString>;
     url: z.ZodOptional<z.ZodString>;
-}, z.core.$strip> | z.ZodObject<{
+}, z.core.$strict> | z.ZodObject<{
     status: z.ZodEnum<{
         not_interested: "not_interested";
         interested: "interested";
@@ -352,7 +374,7 @@ export declare function getPayloadSchema(intent: IntentType): z.ZodObject<{
         retract: "retract";
         multi_party_sync: "multi_party_sync";
     }>>;
-}, z.core.$strip> | z.ZodObject<{
+}, z.core.$strict> | z.ZodObject<{
     method: z.ZodEnum<{
         qr: "qr";
         intro: "intro";
@@ -369,10 +391,10 @@ export declare function getPayloadSchema(intent: IntentType): z.ZodObject<{
             timezone: z.ZodString;
             meetingHours: z.ZodOptional<z.ZodString>;
             responseSla: z.ZodOptional<z.ZodString>;
-        }, z.core.$strip>>;
+        }, z.core.$strict>>;
         openTo: z.ZodArray<z.ZodString>;
-    }, z.core.$strip>;
-}, z.core.$strip> | z.ZodObject<{
+    }, z.core.$strict>;
+}, z.core.$strict> | z.ZodObject<{
     status: z.ZodEnum<{
         accepted: "accepted";
         declined: "declined";
@@ -386,11 +408,11 @@ export declare function getPayloadSchema(intent: IntentType): z.ZodObject<{
             timezone: z.ZodString;
             meetingHours: z.ZodOptional<z.ZodString>;
             responseSla: z.ZodOptional<z.ZodString>;
-        }, z.core.$strip>>;
+        }, z.core.$strict>>;
         openTo: z.ZodArray<z.ZodString>;
-    }, z.core.$strip>>;
+    }, z.core.$strict>>;
     note: z.ZodOptional<z.ZodString>;
-}, z.core.$strip> | z.ZodObject<{
+}, z.core.$strict> | z.ZodObject<{
     referenceId: z.ZodString;
     message: z.ZodString;
     actionRequested: z.ZodOptional<z.ZodEnum<{
@@ -399,7 +421,7 @@ export declare function getPayloadSchema(intent: IntentType): z.ZodObject<{
         review: "review";
         none: "none";
     }>>;
-}, z.core.$strip> | z.ZodObject<{
+}, z.core.$strict> | z.ZodObject<{
     question: z.ZodString;
     context: z.ZodOptional<z.ZodString>;
     responseFormat: z.ZodOptional<z.ZodEnum<{
@@ -408,15 +430,15 @@ export declare function getPayloadSchema(intent: IntentType): z.ZodObject<{
     }>>;
     choices: z.ZodOptional<z.ZodArray<z.ZodString>>;
     deadline: z.ZodOptional<z.ZodString>;
-}, z.core.$strip> | z.ZodObject<{
+}, z.core.$strict> | z.ZodObject<{
     answer: z.ZodString;
     choiceIndex: z.ZodOptional<z.ZodNumber>;
-}, z.core.$strip> | z.ZodObject<{
+}, z.core.$strict> | z.ZodObject<{
     note: z.ZodOptional<z.ZodString>;
-}, z.core.$strip> | z.ZodObject<{
+}, z.core.$strict> | z.ZodObject<{
     targetMessageId: z.ZodString;
     reason: z.ZodOptional<z.ZodString>;
-}, z.core.$strip> | z.ZodObject<{
+}, z.core.$strict> | z.ZodObject<{
     context: z.ZodString;
     category: z.ZodEnum<{
         availability: "availability";
@@ -427,11 +449,11 @@ export declare function getPayloadSchema(intent: IntentType): z.ZodObject<{
     }>;
     referenceId: z.ZodOptional<z.ZodString>;
     expiresAt: z.ZodOptional<z.ZodString>;
-}, z.core.$strip> | z.ZodObject<{
+}, z.core.$strict> | z.ZodObject<{
     enclaveType: z.ZodEnum<{
         meeting_sync: "meeting_sync";
     }>;
     purpose: z.ZodString;
     participants: z.ZodArray<z.ZodString>;
     expiresAt: z.ZodString;
-}, z.core.$strip>;
+}, z.core.$strict>;

package/dist/models/intent.js

@@ -19,35 +19,45 @@ export const IntentTypeSchema = z.enum([
     "multi_party_sync",
 ]);
 // --- Intent Payloads ---
+// Reusable scalar caps. Timestamps cap at 64 chars (ISO-8601 fits in
+// ~30), correlation/message IDs at 256, DIDs at 512. URL fields cap
+// at 2048 BEFORE `.url()` parsing so the parser never runs on attacker-
+// sized strings. Every exported schema is `.strict()` so adopters using
+// the schemas directly (without `validateMessage()`) still get the
+// same unknown-field rejection that the central validator applies.
+const TIMESTAMP_MAX = 64;
+const ID_MAX = 256;
+const DID_MAX = 512;
+const URL_MAX = 2048;
 export const ScheduleMeetingPayloadSchema = z.object({
-    proposedTimes: z.array(z.string()).min(1).max(10),
+    proposedTimes: z.array(z.string().max(TIMESTAMP_MAX)).min(1).max(10),
     topic: z.string().max(500),
     format: z.enum(["video", "phone", "in_person", "async"]),
     urgency: z.enum(["low", "normal", "urgent"]),
     context: z.string().max(2000).optional(),
     location: z.string().max(500).optional(),
-});
+}).strict();
 export const ScheduleMeetingResponsePayloadSchema = z.object({
     status: z.enum(["accepted", "declined", "countered"]),
-    confirmedTime: z.string().optional(),
-    counterTimes: z.array(z.string()).max(10).optional(),
-    meetingLink: z.string().url().optional(),
+    confirmedTime: z.string().max(TIMESTAMP_MAX).optional(),
+    counterTimes: z.array(z.string().max(TIMESTAMP_MAX)).max(10).optional(),
+    meetingLink: z.string().max(URL_MAX).url().optional(),
     note: z.string().max(1000).optional(),
     declineReason: z
         .enum(["unavailable", "not_interested", "too_busy", "deferred"])
         .optional(),
-});
+}).strict();
 export const IntroRequestPayloadSchema = z.object({
-    target: z.string(),
+    target: z.string().max(DID_MAX),
     reason: z.string().max(2000),
     context: z.string().max(2000).optional(),
     urgency: z.enum(["low", "normal"]),
-});
+}).strict();
 export const IntroResponsePayloadSchema = z.object({
     status: z.enum(["forwarded", "declined", "pending_target"]),
     note: z.string().max(1000).optional(),
     targetResponse: z.enum(["accepted", "declined", "pending"]).optional(),
-});
+}).strict();
 export const OpportunityPayloadSchema = z.object({
     type: z.enum([
         "role",
@@ -61,60 +71,60 @@ export const OpportunityPayloadSchema = z.object({
     org: z.string().max(200).optional(),
     description: z.string().max(5000),
     matchReason: z.string().max(2000),
-    expiresAt: z.string().optional(),
-    url: z.string().url().optional(),
-});
+    expiresAt: z.string().max(TIMESTAMP_MAX).optional(),
+    url: z.string().max(URL_MAX).url().optional(),
+}).strict();
 export const OpportunityResponsePayloadSchema = z.object({
     status: z.enum(["interested", "not_interested", "maybe_later"]),
     note: z.string().max(1000).optional(),
     followUpIntent: IntentTypeSchema.optional(),
-});
+}).strict();
 export const ConnectionRequestPayloadSchema = z.object({
     method: z.enum(["qr", "intro", "discovery", "import"]),
-    introducedBy: z.string().optional(),
+    introducedBy: z.string().max(DID_MAX).optional(),
     context: z.string().max(2000),
     profileSnapshot: ProfileSnapshotSchema,
-});
+}).strict();
 export const ConnectionResponsePayloadSchema = z.object({
     status: z.enum(["accepted", "declined", "pending"]),
     profileSnapshot: ProfileSnapshotSchema.optional(),
     note: z.string().max(1000).optional(),
-});
+}).strict();
 export const FollowUpPayloadSchema = z.object({
-    referenceId: z.string(),
+    referenceId: z.string().max(ID_MAX),
     message: z.string().max(5000),
     actionRequested: z.enum(["reply", "schedule", "review", "none"]).optional(),
-});
+}).strict();
 export const AskPayloadSchema = z.object({
     question: z.string().max(5000),
     context: z.string().max(2000).optional(),
     responseFormat: z.enum(["text", "choice"]).optional(),
     choices: z.array(z.string().max(500)).max(10).optional(),
-    deadline: z.string().optional(),
-});
+    deadline: z.string().max(TIMESTAMP_MAX).optional(),
+}).strict();
 export const AskResponsePayloadSchema = z.object({
     answer: z.string().max(5000),
     choiceIndex: z.number().int().min(0).optional(),
-});
+}).strict();
 export const PingPayloadSchema = z.object({
     note: z.string().max(1000).optional(),
-});
+}).strict();
 export const RetractPayloadSchema = z.object({
-    targetMessageId: z.string(),
+    targetMessageId: z.string().max(ID_MAX),
     reason: z.string().max(1000).optional(),
-});
+}).strict();
 export const ContextSharePayloadSchema = z.object({
     context: z.string().max(5000),
     category: z.enum(["professional_background", "project_update", "expertise", "availability", "general"]),
-    referenceId: z.string().optional(),
-    expiresAt: z.string().optional(),
-});
+    referenceId: z.string().max(ID_MAX).optional(),
+    expiresAt: z.string().max(TIMESTAMP_MAX).optional(),
+}).strict();
 export const MultiPartySyncPayloadSchema = z.object({
     enclaveType: z.enum(["meeting_sync"]),
     purpose: z.string().max(500),
-    participants: z.array(z.string()).min(2).max(20),
-    expiresAt: z.string(),
-});
+    participants: z.array(z.string().max(DID_MAX)).min(2).max(20),
+    expiresAt: z.string().max(TIMESTAMP_MAX),
+}).strict();
 // --- Payload discriminated union ---
 const payloadSchemas = {
     schedule_meeting: ScheduleMeetingPayloadSchema,
@@ -134,25 +144,48 @@ const payloadSchemas = {
     multi_party_sync: MultiPartySyncPayloadSchema,
 };
 // --- Message Envelope ---
+// Caps for envelope-level fields. Signatures are base64url-encoded
+// Ed25519 (64 bytes raw → 86 chars base64url, plus the legacy keyId=
+// suffix). 256 is comfortable headroom without permitting megabyte
+// signature blobs.
+const SIGNATURE_MAX = 256;
+const KEY_ID_MAX = 128;
 export const MessageProvenanceSchema = z.object({
     origin: z.enum(["human", "agent_approved", "agent_autonomous"]),
-    extensionId: z.string(),
+    extensionId: z.string().max(ID_MAX),
     installationId: z.string().uuid(),
-}).optional();
+}).strict().optional();
+/**
+ * INK protocol versions a receiver accepts. ink/0.1 is the original wire
+ * version; ink/0.2 differs only in the body-signature domain (see
+ * src/crypto/sign.ts). The enum is strict: an unknown version is rejected
+ * at schema validation, never inferred. Senders still emit ink/0.1 by
+ * default; emitting ink/0.2 is a later, negotiated step.
+ */
+export const INK_PROTOCOL_VERSIONS = ["ink/0.1", "ink/0.2"];
+export const ProtocolVersionSchema = z.enum(INK_PROTOCOL_VERSIONS);
 export const MessageEnvelopeSchema = z.object({
-    protocol: z.literal("ink/0.1"),
-    id: z.string(),
-    correlationId: z.string(),
-    createdAt: z.string(),
-    expiresAt: z.string().optional(),
-    from: z.string(),
-    to: z.string(),
+    protocol: ProtocolVersionSchema,
+    id: z.string().max(ID_MAX),
+    correlationId: z.string().max(ID_MAX),
+    createdAt: z.string().max(TIMESTAMP_MAX),
+    expiresAt: z.string().max(TIMESTAMP_MAX).optional(),
+    from: z.string().max(DID_MAX),
+    to: z.string().max(DID_MAX),
     intent: IntentTypeSchema,
     payload: z.unknown(),
-    signature: z.string(),
-    signingKeyId: z.string().optional(),
+    signature: z.string().max(SIGNATURE_MAX),
+    signingKeyId: z.string().max(KEY_ID_MAX).optional(),
+    // HTTP §3.3 transport-auth metadata that rides alongside the
+    // canonical envelope fields. The body-level signature commits to
+    // both (they cannot be tampered in transit) and `verifyInkAuth`
+    // reads them from the body for freshness + replay checks. Explicit
+    // optional capped declarations are required for `.strict()` to keep
+    // accepting documented sender envelopes (see README signing example).
+    timestamp: z.string().max(TIMESTAMP_MAX).optional(),
+    nonce: z.string().max(ID_MAX).optional(),
     provenance: MessageProvenanceSchema,
-});
+}).strict();
 /**
  * Validate a message envelope AND its payload based on the intent type.
  * Returns the validated message or throws a ZodError.
@@ -166,7 +199,12 @@ export function validateMessage(raw) {
 }
 /**
  * Get the payload schema for a given intent type.
+ *
+ * Runtime-validates the `intent` argument against IntentTypeSchema so a
+ * JS caller cannot pass an arbitrary string and silently get `undefined`
+ * back; the function instead throws ZodError on an invalid intent.
  */
 export function getPayloadSchema(intent) {
+    IntentTypeSchema.parse(intent);
     return payloadSchemas[intent];
 }

package/dist/models/profile.d.ts

@@ -3,7 +3,7 @@ export declare const AvailabilityConfigSchema: z.ZodObject<{
     timezone: z.ZodString;
     meetingHours: z.ZodOptional<z.ZodString>;
     responseSla: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const ProfileSnapshotSchema: z.ZodObject<{
     headline: z.ZodString;
     skills: z.ZodArray<z.ZodString>;
@@ -12,9 +12,9 @@ export declare const ProfileSnapshotSchema: z.ZodObject<{
         timezone: z.ZodString;
         meetingHours: z.ZodOptional<z.ZodString>;
         responseSla: z.ZodOptional<z.ZodString>;
-    }, z.core.$strip>>;
+    }, z.core.$strict>>;
     openTo: z.ZodArray<z.ZodString>;
-}, z.core.$strip>;
+}, z.core.$strict>;
 export declare const ProfileSchema: z.ZodObject<{
     agentId: z.ZodString;
     handle: z.ZodString;
@@ -29,9 +29,9 @@ export declare const ProfileSchema: z.ZodObject<{
                 timezone: z.ZodString;
                 meetingHours: z.ZodOptional<z.ZodString>;
                 responseSla: z.ZodOptional<z.ZodString>;
-            }, z.core.$strip>>;
+            }, z.core.$strict>>;
             openTo: z.ZodArray<z.ZodString>;
-        }, z.core.$strip>;
+        }, z.core.$strict>;
         connected: z.ZodObject<{
             headline: z.ZodString;
             skills: z.ZodArray<z.ZodString>;
@@ -40,9 +40,9 @@ export declare const ProfileSchema: z.ZodObject<{
                 timezone: z.ZodString;
                 meetingHours: z.ZodOptional<z.ZodString>;
                 responseSla: z.ZodOptional<z.ZodString>;
-            }, z.core.$strip>>;
+            }, z.core.$strict>>;
             openTo: z.ZodArray<z.ZodString>;
-        }, z.core.$strip>;
+        }, z.core.$strict>;
         custom: z.ZodRecord<z.ZodString, z.ZodObject<{
             headline: z.ZodString;
             skills: z.ZodArray<z.ZodString>;
@@ -51,9 +51,9 @@ export declare const ProfileSchema: z.ZodObject<{
                 timezone: z.ZodString;
                 meetingHours: z.ZodOptional<z.ZodString>;
                 responseSla: z.ZodOptional<z.ZodString>;
-            }, z.core.$strip>>;
+            }, z.core.$strict>>;
             openTo: z.ZodArray<z.ZodString>;
-        }, z.core.$strip>>;
+        }, z.core.$strict>>;
     }, z.core.$strip>;
 }, z.core.$strip>;
 export type AvailabilityConfig = z.infer<typeof AvailabilityConfigSchema>;

package/dist/models/profile.js

@@ -1,16 +1,20 @@
 import { z } from "zod";
 export const AvailabilityConfigSchema = z.object({
-    timezone: z.string(),
-    meetingHours: z.string().optional(),
-    responseSla: z.string().optional(),
-});
+    // IANA timezone name. The longest legitimate value is ~50 chars.
+    timezone: z.string().max(64),
+    // Free-text availability description ("9-5 PT weekdays") capped
+    // to a sane display length. Larger values are almost certainly
+    // garbage or an attempted DoS.
+    meetingHours: z.string().max(200).optional(),
+    responseSla: z.string().max(200).optional(),
+}).strict();
 export const ProfileSnapshotSchema = z.object({
     headline: z.string().max(500),
     skills: z.array(z.string().max(100)).max(50),
     interests: z.array(z.string().max(100)).max(50),
     availability: AvailabilityConfigSchema.optional(),
     openTo: z.array(z.string().max(100)).max(20),
-});
+}).strict();
 export const ProfileSchema = z.object({
     agentId: z.string(),
     handle: z.string(),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adastracomputing/ink",
-  "version": "0.1.6",
+  "version": "0.2.0",
   "description": "Library and specification for the INK (Inter-agent Networking Kernel) protocol",
   "license": "MIT OR Apache-2.0",
   "author": "Ad Astra Computing Inc.",
@@ -49,6 +49,7 @@
     "lint": "eslint src/ test/ scripts/",
     "check:surface": "tsx scripts/check-public-surface.ts",
     "check:pack": "./scripts/check-pack.sh",
+    "gen:body-vectors": "tsx scripts/gen-body-signature-vectors.ts",
     "prepack": "npm run build",
     "prepublishOnly": "npm run build"
   },

package/test-vectors/README.md

@@ -7,16 +7,17 @@ Reference test vectors for INK v0.1 signing, encryption, replay protection, hand
 | File | Covers | Vector count |
 |------|--------|-------------|
 | `keys.json` | Fixed Ed25519 and X25519 key pairs for Alice and Bob (hex-encoded) |, |
-| `signing.json` | Signature generation and verification (§3.3) | 3 |
+| `signing.json` | Transport-auth signature generation and verification (§3.3) | 3 |
+| `body-signature.json` | Version-keyed body message signature: legacy vs ink/0.2 domain, plus cross-version and tamper cases | 9 |
 | `encryption.json` | ECIES encryption/decryption (§3.4) | 2 |
-| `jcs.json` | JCS canonicalization (RFC 8785) | 4 |
+| `jcs.json` | JCS canonicalization (RFC 8785) | 2 |
 | `replay.json` | Replay protection acceptance/rejection (§3.5) | 6 |
 | `receipts-and-audit.json` | Receipt signatures, audit query signatures, hash-chained audit events and fork detection (Auditability §1–§3) | 4 |
 | `handshake.json` | Challenge (Stage 2a), rejection (Stage 2b) and resolution (Stage 3), valid signatures, path/recipient/body binding failures, replay protection | 22 |
 | `witness.json` | Audit submit and query with INK transport auth, plus cross-service interop cases | 15 |
 | `key-rotation.json` | Auth header keyId format, rotated-key verification, historical verification, revoked-key rejection, refresh-on-miss, keyId precedence, unknown keyId fallthrough, audit event signingKeyId tracking | 8 |
 
-**Total: 64 deterministic vectors across 9 families**
+**Total: 71 deterministic vectors across 10 families**
 
 ## Vector categories
 

package/test-vectors/body-signature.json

@@ -0,0 +1,201 @@
+{
+  "description": "INK body message signature: domain is keyed off the signed protocol field (ink/0.2 -> ink/sign, else tulpa/sign). Verify each body with the signer public key; signatureVerifies is the expected verifyMessage result.",
+  "vectors": [
+    {
+      "description": "ink/0.1 body signed under the legacy tulpa/sign domain verifies",
+      "input": {
+        "body": {
+          "protocol": "ink/0.1",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "W44kkGyQFg348NADetWQPq5Ogi7rL_72CwjmK-XVn2hL8sXYuSM7cFaDVidGV5LeK3dmmqW6iu5QiWkm6qboAQ"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": true
+      }
+    },
+    {
+      "description": "ink/0.2 body signed under the ink/sign domain verifies",
+      "input": {
+        "body": {
+          "protocol": "ink/0.2",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "UAITw3Qqcg96s4r5tmxHXGpuHCfzJBgxihVRPdR8FYcQKk2nYcYxrV8fRFUH3NB_-z-006tFWgZfzJbFILw4Bg"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": true
+      }
+    },
+    {
+      "description": "protocol-less body signed under the legacy domain verifies",
+      "input": {
+        "body": {
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "qP1oxHKCEImzkYT8Iz00N4Crqi5prbKRguKj_zg8YlLyCrE4CmElrNWECEBWBe-8XV_rNB4oMc1wReXwHqOFCA"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": true
+      }
+    },
+    {
+      "description": "ink/0.2 body relabelled ink/0.1 (domain mismatch) does not verify",
+      "input": {
+        "body": {
+          "protocol": "ink/0.1",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "UAITw3Qqcg96s4r5tmxHXGpuHCfzJBgxihVRPdR8FYcQKk2nYcYxrV8fRFUH3NB_-z-006tFWgZfzJbFILw4Bg"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": false
+      }
+    },
+    {
+      "description": "ink/0.1 body relabelled ink/0.2 (domain mismatch) does not verify",
+      "input": {
+        "body": {
+          "protocol": "ink/0.2",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "W44kkGyQFg348NADetWQPq5Ogi7rL_72CwjmK-XVn2hL8sXYuSM7cFaDVidGV5LeK3dmmqW6iu5QiWkm6qboAQ"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": false
+      }
+    },
+    {
+      "description": "ink/0.2 body with protocol removed (falls back to legacy domain) does not verify",
+      "input": {
+        "body": {
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "UAITw3Qqcg96s4r5tmxHXGpuHCfzJBgxihVRPdR8FYcQKk2nYcYxrV8fRFUH3NB_-z-006tFWgZfzJbFILw4Bg"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": false
+      }
+    },
+    {
+      "description": "ink/0.1 body with a flipped payload field does not verify",
+      "input": {
+        "body": {
+          "protocol": "ink/0.1",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "qr"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "W44kkGyQFg348NADetWQPq5Ogi7rL_72CwjmK-XVn2hL8sXYuSM7cFaDVidGV5LeK3dmmqW6iu5QiWkm6qboAQ"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": false
+      }
+    },
+    {
+      "description": "ink/0.2 body signed under the legacy domain does not verify (a verifier must not try both domains)",
+      "input": {
+        "body": {
+          "protocol": "ink/0.2",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "axpZvQqF8KPG-Mh1q3hnfZhnaSUHbYfToUz-wA_WD7PV0qKOnVHpuTu8DTaR0OTtGBVHoqpoQFlfMVskELfgDg"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": false
+      }
+    },
+    {
+      "description": "unknown protocol string uses the legacy body-signature domain and verifies",
+      "input": {
+        "body": {
+          "protocol": "ink/0.3",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "I3JIzt0kg9zncGvRU9nSZ2ldVrE4L9JnolDJAgW4kNUAqmp6bLAfPptfbYttqp1nTX4OB3oCCOOBPFCA7Fw4Cw"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": true
+      }
+    }
+  ]
+}