@adastracomputing/ink 0.1.7 → 0.2.0

package/CHANGELOG.md

@@ -4,9 +4,15 @@ All notable changes to INK are recorded
 here. Pre-1.0 releases follow `0.Y.Z` semantics, see
 [`docs/maturity.md`](docs/maturity.md) for the versioning policy.
 
-## Unreleased
+## 0.2.0, version-keyed body-signature domain
 
-No unreleased changes.
+Version-keyed body-signature domain. The body message signature is now domain-separated by protocol version. ink/0.1 messages, and any object with no explicit ink/0.2 protocol, keep the legacy `tulpa/sign` domain so every signature produced to date still verifies. ink/0.2 messages are signed and verified under the neutral `ink/sign` domain. The verifier selects exactly one domain from the signed `protocol` field and never tries an alternate, so a signature made under one version's domain cannot be replayed under another.
+
+This change is receiver-first and backward compatible. Verifiers accept both versions and `MessageEnvelopeSchema` now accepts ink/0.1 and ink/0.2 as a strict enum, rejecting any unknown version. Senders still emit ink/0.1 by default. The HTTP transport-auth signature is unchanged.
+
+New vectors in `test-vectors/body-signature.json` pin the version-keyed domain including the cross-version and tamper cases. The standalone Python interop client verifies them identically.
+
+Per the pre-1.0 policy this release publishes under the `next` dist-tag.
 
 ## 0.1.7, expose per-intent payload schemas and getPayloadSchema from the package root
 
@@ -79,7 +85,7 @@ Fixes the v0.1.1 erratum: the Python `examples/interop-cli/` shipped in v0.1.1 e
 
 **CLI now builds `connection_request` envelopes.** `ink-interop send/build --intent-type connection_request` (or the alias `connection`) constructs a `ConnectionRequestPayloadSchema`-conformant payload (`method`, `context`, `profileSnapshot`). This is the bootstrap intent for first contact between strangers: receivers that opt in to foreign senders verify the body signature against the inline key extracted from the sender's `did:key` (trust-on-first-use). Other intent types (`intro_request`, `ask`, `follow_up`) presume the sender is already a known contact and remain reserved for established relationships.
 
-Verified end-to-end against `https://api.tulpa.network/ink/v1/<agentId>/intent`: a `did:key:` `connection_request` from `ink-interop send` lands as a pending action in the recipient's inbox (`status: 200`, `accepted: true`, `pendingActionId: 01KT…`). Coverage spans schema validation, body + transport signature verification, replay/freshness, identity resolution, routing, the foreign-DID policy gate, and shield risk-scoring. Tests pinned to the canonical shape (`tests/test_envelope.py`) prevent regression. The npm library itself is unchanged from v0.1.1.
+Verified end-to-end against `https://api.tulpa.network/ink/v1/<agentId>/intent`: a `did:key:` `connection_request` from `ink-interop send` lands as a pending action in the recipient's inbox (`status: 200`, `accepted: true`, `pendingActionId: 01KT…`). Coverage spans schema validation, body + transport signature verification, replay/freshness, identity resolution, routing, and the foreign-DID policy gate. Tests pinned to the canonical shape (`tests/test_envelope.py`) prevent regression. The npm library itself is unchanged from v0.1.1.
 
 **Example-helper API break.** `examples/interop-cli/`'s Python helper `build_intent_envelope()` now requires `keypair`, replaces `intent_type`/`purpose`/`timestamp` with canonical args (`target`, `reason`, `created_at`, etc.), and removes the `extra=` kwarg. Adopters who imported the old helper directly will need to update their calls — the previous signature emitted invalid wire data so no callable interop existed there to preserve. This is an example-only change; the npm library (`@adastracomputing/ink`) exports are unchanged.
 

package/dist/crypto/sign.d.ts

@@ -3,7 +3,7 @@
  *
  * 1. Remove `signature` field if present
  * 2. JCS canonicalize (RFC 8785) via `canonicalize` library
- * 3. Sign canonical bytes directly with Ed25519
+ * 3. Sign domain-prefixed canonical bytes directly with Ed25519
  * 4. Return base64url-encoded signature (no padding)
  */
 export declare function signMessage(message: Record<string, unknown>, privateKey: Uint8Array): Promise<string>;

package/dist/crypto/sign.js

@@ -54,12 +54,39 @@ function isWithinBounds(value) {
     }
     return walk(value, 0);
 }
+/**
+ * Body-signature domain-separation prefix, keyed off the message's
+ * declared `protocol` version.
+ *
+ * - `ink/0.2` -> `ink/sign\n` (neutral, current).
+ * - everything else (`ink/0.1`, or any object with no explicit
+ *   `ink/0.2` protocol) -> `tulpa/sign\n`, the legacy domain, kept
+ *   forever so every signature ever produced still verifies.
+ *
+ * The prefix is derived from the `protocol` field that is part of the
+ * signed body, so a verifier selects exactly one domain and tampering
+ * with `protocol` after signing breaks the signature (an `ink/0.2` body
+ * re-labelled `ink/0.1` is verified under `tulpa/sign\n` against a
+ * signature made over `ink/sign\n`, and fails). Only the exact string
+ * `"ink/0.2"` switches domains, so no other value can smuggle one in.
+ *
+ * This raw signer stays permissive on purpose: it is a general-purpose
+ * Ed25519 message signer (receipts, arbitrary objects), not envelope-
+ * specific. Strict "reject unknown protocol version" lives at the
+ * envelope schema layer, which validates `protocol` against the allowed
+ * set before this function is reached.
+ */
+const LEGACY_SIGN_DOMAIN = "tulpa/sign\n";
+const V02_SIGN_DOMAIN = "ink/sign\n";
+function bodySignatureDomain(unsigned) {
+    return unsigned.protocol === "ink/0.2" ? V02_SIGN_DOMAIN : LEGACY_SIGN_DOMAIN;
+}
 /**
  * Sign a message object using Ed25519.
  *
  * 1. Remove `signature` field if present
  * 2. JCS canonicalize (RFC 8785) via `canonicalize` library
- * 3. Sign canonical bytes directly with Ed25519
+ * 3. Sign domain-prefixed canonical bytes directly with Ed25519
  * 4. Return base64url-encoded signature (no padding)
  */
 export async function signMessage(message, privateKey) {
@@ -83,8 +110,10 @@ export async function signMessage(message, privateKey) {
     if (canonical.length > MAX_MESSAGE_CANONICAL_BYTES) {
         throw new Error("Canonicalized message exceeds maximum allowed size");
     }
-    // Domain-separated signing to prevent cross-protocol signature replay
-    const prefixed = `tulpa/sign\n${canonical}`;
+    // Domain-separated signing to prevent cross-protocol signature replay.
+    // Domain is keyed off the (signed) protocol version; see
+    // bodySignatureDomain. Legacy ink/0.1 keeps the tulpa/sign domain.
+    const prefixed = `${bodySignatureDomain(unsigned)}${canonical}`;
     const bytes = new TextEncoder().encode(prefixed);
     const sig = await ed.signAsync(bytes, privateKey);
     return base64urlEncode(sig);
@@ -124,9 +153,12 @@ export async function verifyMessage(message, publicKey) {
     if (canonical.length > MAX_MESSAGE_CANONICAL_BYTES) {
         return false;
     }
-    // Domain-prefixed verification only — legacy unprefixed signatures are no longer accepted.
-    // signMessage() has always used `tulpa/sign\n` prefix; no callers produce unprefixed signatures.
-    const prefixed = `tulpa/sign\n${canonical}`;
+    // Domain-prefixed verification only. The domain is selected from the
+    // signed `protocol` field (see bodySignatureDomain); a verifier never
+    // tries an alternate prefix, so a signature made under one version's
+    // domain cannot be replayed under another. Legacy unprefixed
+    // signatures are not accepted.
+    const prefixed = `${bodySignatureDomain(unsigned)}${canonical}`;
     const prefixedBytes = new TextEncoder().encode(prefixed);
     try {
         const sig = base64urlDecode(signature);

package/dist/index.d.ts

@@ -16,12 +16,12 @@ export type { InkAuditEventType, InkAuditEvent, InkAuditInclusion, InkReceipt, I
 export { InkChallengeSchema, InkRejectionSchema, InkResolutionSchema, InkTransportSchema, } from "./models/ink-handshake.js";
 export type { AgentCardVisibility, InkChallenge, InkRejection, InkResolution, InkTransport, } from "./models/ink-handshake.js";
 export { AgentCardSchema } from "./models/agent-card.js";
-export { validateMessage, getPayloadSchema, MessageEnvelopeSchema, IntentTypeSchema, ScheduleMeetingPayloadSchema, ScheduleMeetingResponsePayloadSchema, IntroRequestPayloadSchema, IntroResponsePayloadSchema, OpportunityPayloadSchema, OpportunityResponsePayloadSchema, ConnectionRequestPayloadSchema, ConnectionResponsePayloadSchema, FollowUpPayloadSchema, AskPayloadSchema, AskResponsePayloadSchema, PingPayloadSchema, RetractPayloadSchema, ContextSharePayloadSchema, MultiPartySyncPayloadSchema, } from "./models/intent.js";
-export type { MessageEnvelope, IntentType, } from "./models/intent.js";
+export { validateMessage, getPayloadSchema, MessageEnvelopeSchema, ProtocolVersionSchema, INK_PROTOCOL_VERSIONS, IntentTypeSchema, ScheduleMeetingPayloadSchema, ScheduleMeetingResponsePayloadSchema, IntroRequestPayloadSchema, IntroResponsePayloadSchema, OpportunityPayloadSchema, OpportunityResponsePayloadSchema, ConnectionRequestPayloadSchema, ConnectionResponsePayloadSchema, FollowUpPayloadSchema, AskPayloadSchema, AskResponsePayloadSchema, PingPayloadSchema, RetractPayloadSchema, ContextSharePayloadSchema, MultiPartySyncPayloadSchema, } from "./models/intent.js";
+export type { MessageEnvelope, ProtocolVersion, IntentType, } from "./models/intent.js";
 export { KeyStatusSchema, KeyRoleSchema, KeyEntrySchema, } from "./models/key-entry.js";
 export type { KeyStatus, KeyRole, KeyEntry, StoredKey, } from "./models/key-entry.js";
 export type { InkSignInput } from "./crypto/ink.js";
 export type { CandidateKey } from "./models/key-entry.js";
-export { resolveAgentInbox } from "./models/agent-card.js";
+export { resolveAgentInbox, agentSupportedProtocolVersions } from "./models/agent-card.js";
 export type { AgentCard } from "./models/agent-card.js";
 export type { BudgetCheckResult, HandshakeBudgetConfig, } from "./ink/handshake-budget.js";

package/dist/index.js

@@ -32,9 +32,9 @@ export { AgentCardSchema } from "./models/agent-card.js";
 // reject malformed envelopes before signature verification; without
 // it they have to re-implement the schema check or import from a
 // non-public path.
-export { validateMessage, getPayloadSchema, MessageEnvelopeSchema, IntentTypeSchema, ScheduleMeetingPayloadSchema, ScheduleMeetingResponsePayloadSchema, IntroRequestPayloadSchema, IntroResponsePayloadSchema, OpportunityPayloadSchema, OpportunityResponsePayloadSchema, ConnectionRequestPayloadSchema, ConnectionResponsePayloadSchema, FollowUpPayloadSchema, AskPayloadSchema, AskResponsePayloadSchema, PingPayloadSchema, RetractPayloadSchema, ContextSharePayloadSchema, MultiPartySyncPayloadSchema, } from "./models/intent.js";
+export { validateMessage, getPayloadSchema, MessageEnvelopeSchema, ProtocolVersionSchema, INK_PROTOCOL_VERSIONS, IntentTypeSchema, ScheduleMeetingPayloadSchema, ScheduleMeetingResponsePayloadSchema, IntroRequestPayloadSchema, IntroResponsePayloadSchema, OpportunityPayloadSchema, OpportunityResponsePayloadSchema, ConnectionRequestPayloadSchema, ConnectionResponsePayloadSchema, FollowUpPayloadSchema, AskPayloadSchema, AskResponsePayloadSchema, PingPayloadSchema, RetractPayloadSchema, ContextSharePayloadSchema, MultiPartySyncPayloadSchema, } from "./models/intent.js";
 // Key-entry types and schemas for adopters wiring their own key-set
 // storage and rotation. `CandidateKey` was already root-exported via
 // the verifier surface; this batch adds the persistence shapes.
 export { KeyStatusSchema, KeyRoleSchema, KeyEntrySchema, } from "./models/key-entry.js";
-export { resolveAgentInbox } from "./models/agent-card.js";
+export { resolveAgentInbox, agentSupportedProtocolVersions } from "./models/agent-card.js";

package/dist/ink/discovery-gating.d.ts

@@ -202,6 +202,7 @@ export declare const AgentCardResponseSchema: z.ZodObject<{
         currentSigningKeyId: z.ZodOptional<z.ZodString>;
         currentEncryptionKeyId: z.ZodOptional<z.ZodString>;
         keySetVersion: z.ZodOptional<z.ZodNumber>;
+        supportedProtocolVersions: z.ZodOptional<z.ZodArray<z.ZodString>>;
         visibility: z.ZodOptional<z.ZodEnum<{
             public: "public";
             network_only: "network_only";

package/dist/models/agent-card.d.ts

@@ -129,6 +129,7 @@ export declare const AgentCardSchema: z.ZodObject<{
     currentSigningKeyId: z.ZodOptional<z.ZodString>;
     currentEncryptionKeyId: z.ZodOptional<z.ZodString>;
     keySetVersion: z.ZodOptional<z.ZodNumber>;
+    supportedProtocolVersions: z.ZodOptional<z.ZodArray<z.ZodString>>;
     visibility: z.ZodOptional<z.ZodEnum<{
         public: "public";
         network_only: "network_only";
@@ -153,6 +154,12 @@ export declare const AgentCardSchema: z.ZodObject<{
     }, z.core.$strip>>;
 }, z.core.$strip>;
 export type AgentCard = z.infer<typeof AgentCardSchema>;
+/**
+ * The message protocol versions a card's receiver can verify. Falls back
+ * to ink/0.1 when the card does not advertise the field, so a sender
+ * defaults to the original version for any card that predates it.
+ */
+export declare function agentSupportedProtocolVersions(card: Pick<AgentCard, "supportedProtocolVersions">): string[];
 /**
  * Return the inbound message URL for an Agent Card.
  *

package/dist/models/agent-card.js

@@ -58,6 +58,18 @@ export const AgentCardSchema = z.object({
     currentSigningKeyId: z.string().optional(),
     currentEncryptionKeyId: z.string().optional(),
     keySetVersion: z.number().int().positive().optional(),
+    // Message protocol versions this agent's receiver can verify on the
+    // body signature. When absent, assume ink/0.1 only. A sender MUST NOT
+    // emit a newer version to a card that does not advertise it; advertising
+    // a version here is necessary but not sufficient for a sender to use it.
+    //
+    // The entries are advisory hints, so they are accepted as bounded
+    // strings rather than the strict version enum: a newer peer may
+    // advertise a version this build does not know yet, and that must not
+    // make its whole card unparseable. A sender intersects this list with
+    // the versions it can actually emit. The strict enum lives on the
+    // envelope (MessageEnvelopeSchema), where an unknown version is rejected.
+    supportedProtocolVersions: z.array(z.string().max(16)).max(8).optional(),
     // Containment extension (Phase 1)
     visibility: AgentCardVisibilitySchema.optional(),
     governance: z.object({
@@ -83,6 +95,15 @@ export const AgentCardSchema = z.object({
         });
     }
 });
+/**
+ * The message protocol versions a card's receiver can verify. Falls back
+ * to ink/0.1 when the card does not advertise the field, so a sender
+ * defaults to the original version for any card that predates it.
+ */
+export function agentSupportedProtocolVersions(card) {
+    const advertised = card.supportedProtocolVersions;
+    return advertised && advertised.length > 0 ? advertised : ["ink/0.1"];
+}
 /**
  * Return the inbound message URL for an Agent Card.
  *

package/dist/models/intent.d.ts

@@ -214,8 +214,24 @@ export declare const MessageProvenanceSchema: z.ZodOptional<z.ZodObject<{
     extensionId: z.ZodString;
     installationId: z.ZodString;
 }, z.core.$strict>>;
+/**
+ * INK protocol versions a receiver accepts. ink/0.1 is the original wire
+ * version; ink/0.2 differs only in the body-signature domain (see
+ * src/crypto/sign.ts). The enum is strict: an unknown version is rejected
+ * at schema validation, never inferred. Senders still emit ink/0.1 by
+ * default; emitting ink/0.2 is a later, negotiated step.
+ */
+export declare const INK_PROTOCOL_VERSIONS: readonly ["ink/0.1", "ink/0.2"];
+export declare const ProtocolVersionSchema: z.ZodEnum<{
+    "ink/0.1": "ink/0.1";
+    "ink/0.2": "ink/0.2";
+}>;
+export type ProtocolVersion = z.infer<typeof ProtocolVersionSchema>;
 export declare const MessageEnvelopeSchema: z.ZodObject<{
-    protocol: z.ZodLiteral<"ink/0.1">;
+    protocol: z.ZodEnum<{
+        "ink/0.1": "ink/0.1";
+        "ink/0.2": "ink/0.2";
+    }>;
     id: z.ZodString;
     correlationId: z.ZodString;
     createdAt: z.ZodString;

package/dist/models/intent.js

@@ -155,8 +155,17 @@ export const MessageProvenanceSchema = z.object({
     extensionId: z.string().max(ID_MAX),
     installationId: z.string().uuid(),
 }).strict().optional();
+/**
+ * INK protocol versions a receiver accepts. ink/0.1 is the original wire
+ * version; ink/0.2 differs only in the body-signature domain (see
+ * src/crypto/sign.ts). The enum is strict: an unknown version is rejected
+ * at schema validation, never inferred. Senders still emit ink/0.1 by
+ * default; emitting ink/0.2 is a later, negotiated step.
+ */
+export const INK_PROTOCOL_VERSIONS = ["ink/0.1", "ink/0.2"];
+export const ProtocolVersionSchema = z.enum(INK_PROTOCOL_VERSIONS);
 export const MessageEnvelopeSchema = z.object({
-    protocol: z.literal("ink/0.1"),
+    protocol: ProtocolVersionSchema,
     id: z.string().max(ID_MAX),
     correlationId: z.string().max(ID_MAX),
     createdAt: z.string().max(TIMESTAMP_MAX),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adastracomputing/ink",
-  "version": "0.1.7",
+  "version": "0.2.0",
   "description": "Library and specification for the INK (Inter-agent Networking Kernel) protocol",
   "license": "MIT OR Apache-2.0",
   "author": "Ad Astra Computing Inc.",
@@ -49,6 +49,7 @@
     "lint": "eslint src/ test/ scripts/",
     "check:surface": "tsx scripts/check-public-surface.ts",
     "check:pack": "./scripts/check-pack.sh",
+    "gen:body-vectors": "tsx scripts/gen-body-signature-vectors.ts",
     "prepack": "npm run build",
     "prepublishOnly": "npm run build"
   },

package/test-vectors/README.md

@@ -7,16 +7,17 @@ Reference test vectors for INK v0.1 signing, encryption, replay protection, hand
 | File | Covers | Vector count |
 |------|--------|-------------|
 | `keys.json` | Fixed Ed25519 and X25519 key pairs for Alice and Bob (hex-encoded) |, |
-| `signing.json` | Signature generation and verification (§3.3) | 3 |
+| `signing.json` | Transport-auth signature generation and verification (§3.3) | 3 |
+| `body-signature.json` | Version-keyed body message signature: legacy vs ink/0.2 domain, plus cross-version and tamper cases | 9 |
 | `encryption.json` | ECIES encryption/decryption (§3.4) | 2 |
-| `jcs.json` | JCS canonicalization (RFC 8785) | 4 |
+| `jcs.json` | JCS canonicalization (RFC 8785) | 2 |
 | `replay.json` | Replay protection acceptance/rejection (§3.5) | 6 |
 | `receipts-and-audit.json` | Receipt signatures, audit query signatures, hash-chained audit events and fork detection (Auditability §1–§3) | 4 |
 | `handshake.json` | Challenge (Stage 2a), rejection (Stage 2b) and resolution (Stage 3), valid signatures, path/recipient/body binding failures, replay protection | 22 |
 | `witness.json` | Audit submit and query with INK transport auth, plus cross-service interop cases | 15 |
 | `key-rotation.json` | Auth header keyId format, rotated-key verification, historical verification, revoked-key rejection, refresh-on-miss, keyId precedence, unknown keyId fallthrough, audit event signingKeyId tracking | 8 |
 
-**Total: 64 deterministic vectors across 9 families**
+**Total: 71 deterministic vectors across 10 families**
 
 ## Vector categories
 

package/test-vectors/body-signature.json

@@ -0,0 +1,201 @@
+{
+  "description": "INK body message signature: domain is keyed off the signed protocol field (ink/0.2 -> ink/sign, else tulpa/sign). Verify each body with the signer public key; signatureVerifies is the expected verifyMessage result.",
+  "vectors": [
+    {
+      "description": "ink/0.1 body signed under the legacy tulpa/sign domain verifies",
+      "input": {
+        "body": {
+          "protocol": "ink/0.1",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "W44kkGyQFg348NADetWQPq5Ogi7rL_72CwjmK-XVn2hL8sXYuSM7cFaDVidGV5LeK3dmmqW6iu5QiWkm6qboAQ"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": true
+      }
+    },
+    {
+      "description": "ink/0.2 body signed under the ink/sign domain verifies",
+      "input": {
+        "body": {
+          "protocol": "ink/0.2",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "UAITw3Qqcg96s4r5tmxHXGpuHCfzJBgxihVRPdR8FYcQKk2nYcYxrV8fRFUH3NB_-z-006tFWgZfzJbFILw4Bg"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": true
+      }
+    },
+    {
+      "description": "protocol-less body signed under the legacy domain verifies",
+      "input": {
+        "body": {
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "qP1oxHKCEImzkYT8Iz00N4Crqi5prbKRguKj_zg8YlLyCrE4CmElrNWECEBWBe-8XV_rNB4oMc1wReXwHqOFCA"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": true
+      }
+    },
+    {
+      "description": "ink/0.2 body relabelled ink/0.1 (domain mismatch) does not verify",
+      "input": {
+        "body": {
+          "protocol": "ink/0.1",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "UAITw3Qqcg96s4r5tmxHXGpuHCfzJBgxihVRPdR8FYcQKk2nYcYxrV8fRFUH3NB_-z-006tFWgZfzJbFILw4Bg"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": false
+      }
+    },
+    {
+      "description": "ink/0.1 body relabelled ink/0.2 (domain mismatch) does not verify",
+      "input": {
+        "body": {
+          "protocol": "ink/0.2",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "W44kkGyQFg348NADetWQPq5Ogi7rL_72CwjmK-XVn2hL8sXYuSM7cFaDVidGV5LeK3dmmqW6iu5QiWkm6qboAQ"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": false
+      }
+    },
+    {
+      "description": "ink/0.2 body with protocol removed (falls back to legacy domain) does not verify",
+      "input": {
+        "body": {
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "UAITw3Qqcg96s4r5tmxHXGpuHCfzJBgxihVRPdR8FYcQKk2nYcYxrV8fRFUH3NB_-z-006tFWgZfzJbFILw4Bg"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": false
+      }
+    },
+    {
+      "description": "ink/0.1 body with a flipped payload field does not verify",
+      "input": {
+        "body": {
+          "protocol": "ink/0.1",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "qr"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "W44kkGyQFg348NADetWQPq5Ogi7rL_72CwjmK-XVn2hL8sXYuSM7cFaDVidGV5LeK3dmmqW6iu5QiWkm6qboAQ"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": false
+      }
+    },
+    {
+      "description": "ink/0.2 body signed under the legacy domain does not verify (a verifier must not try both domains)",
+      "input": {
+        "body": {
+          "protocol": "ink/0.2",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "axpZvQqF8KPG-Mh1q3hnfZhnaSUHbYfToUz-wA_WD7PV0qKOnVHpuTu8DTaR0OTtGBVHoqpoQFlfMVskELfgDg"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": false
+      }
+    },
+    {
+      "description": "unknown protocol string uses the legacy body-signature domain and verifies",
+      "input": {
+        "body": {
+          "protocol": "ink/0.3",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "I3JIzt0kg9zncGvRU9nSZ2ldVrE4L9JnolDJAgW4kNUAqmp6bLAfPptfbYttqp1nTX4OB3oCCOOBPFCA7Fw4Cw"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": true
+      }
+    }
+  ]
+}