@algovoi/audit-verifier 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 AlgoVoi / Christopher Hopley
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,113 @@
+# @algovoi/audit-verifier (TypeScript)
+
+TypeScript reference verifier for AlgoVoi selective-disclosure audit bundles.
+Byte-for-byte parity with the Python sibling
+[`algovoi-audit-verifier`](https://pypi.org/project/algovoi-audit-verifier/)
+on PyPI.
+
+Standalone — auditor-runnable on any Node.js 18+ machine with no AlgoVoi
+infrastructure trust required.
+
+## Install
+
+```bash
+npm install @algovoi/substrate canonicalize        # peer deps
+npm install @algovoi/audit-verifier
+```
+
+Or just install the package directly (canonicalize is a dependency, pulled
+automatically):
+
+```bash
+npm install @algovoi/audit-verifier
+```
+
+## Three ways to verify
+
+### 1. Hosted endpoint (zero install)
+
+POST your bundle to `https://verify.algovoi.co.uk/verify` and get a
+structured verification report. Same code path as this package.
+
+### 2. Programmatic use
+
+```ts
+import { verifyBundle } from '@algovoi/audit-verifier';
+
+const bundle = JSON.parse(fs.readFileSync('audit-bundle.json', 'utf-8'));
+const report = await verifyBundle(bundle, {
+  signingKey: process.env.AUDIT_BUNDLE_KEY,  // optional
+});
+
+console.log(report.render());                 // human-readable PASS/FAIL
+console.log(report.toJSON());                 // machine-readable
+if (!report.allPassed) process.exit(1);
+```
+
+### 3. Demo + smoke test
+
+```ts
+import { buildDemoBundle, verifyBundle } from '@algovoi/audit-verifier';
+
+const bundle = buildDemoBundle({ chainName: 'audit_log', rowCount: 3 });
+const report = await verifyBundle(bundle, {
+  signingKey: 'demo-key-not-for-production-use',
+});
+console.log(report.allPassed);   // true
+```
+
+## What this verifier checks
+
+| # | Check | What it proves |
+|---|---|---|
+| 1 | `per_row_content_hash` | Each row's stored `content_hash` matches `SHA-256(JCS(canonical-fields))` — per-row tamper-evidence |
+| 2 | `continuity` | `prev_hash` walks unbroken across `rows + bridging_rows` ordered by `chain_position` — no fabricated gap or reorder |
+| 3 | `bundle_signature` | HMAC-SHA256 over `JCS(bundle - signature)` matches `bundle_signature.hex` — proves AlgoVoi emission (when signing key supplied) |
+| 4 | `selection_criteria_match` | Selected rows actually match the filter declared in `selection_criteria` (when exact-match filters are set) |
+| 5 | `off_vm_anchor` | Off-VM Object-Lock manifest tail entry matches `chain_anchor.current_head` (when `manifestDir` supplied) |
+
+A bundle that passes all five checks (or has them skipped for legitimate
+reasons — no signing key supplied, no manifest available, etc.) has its
+`all_passed` set to `true`.
+
+## Cross-implementation parity
+
+This TypeScript verifier is **byte-for-byte equivalent** to the Python
+sibling on PyPI:
+
+| Implementation | Package |
+|---|---|
+| Python | [`algovoi-audit-verifier`](https://pypi.org/project/algovoi-audit-verifier/) |
+| TypeScript | `@algovoi/audit-verifier` (this package) |
+
+Both verifiers produce identical:
+- JCS canonical bytes for the same input object (RFC 8785)
+- SHA-256 hash for the same canonical preimage
+- HMAC-SHA256 signature for the same `(bundle - signature, key)` pair
+- Per-row `content_hash` for the same row content
+- Check report shape (`all_passed`, `fatal[]`, `checks[]`)
+
+The parity is exercised by 9 cross-impl tests in this repo's
+`test/parity.test.ts`, which generate bundles in Python and verify them in
+TypeScript (and vice versa).
+
+## Substrate
+
+This verifier composes against the AlgoVoi canonicalisation substrate:
+
+- Spec: `specs/canonicalisation.md` ([PR #2436](https://github.com/x402-foundation/x402/pull/2436)) — three-voice coalition co-signed
+- Pin: `urn:x402:canonicalisation:jcs-rfc8785-v1`
+- Substrate SDK: [`@algovoi/substrate`](https://www.npmjs.com/package/@algovoi/substrate)
+- 53-vector conformance corpus: [`chopmob-cloud/algovoi-jcs-conformance-vectors`](https://github.com/chopmob-cloud/algovoi-jcs-conformance-vectors)
+
+## Hosted equivalent
+
+The same code path runs at <https://verify.algovoi.co.uk> behind nginx + Cloudflare on a dedicated VM. POST any audit bundle to `/verify` and get back the same `CheckReportJSON` shape this package returns programmatically.
+
+## Licence
+
+MIT. See `LICENSE`.
+
+## Author
+
+AlgoVoi (Christopher Hopley, GitHub [`chopmob-cloud`](https://github.com/chopmob-cloud)).

package/dist/canonicalize.d.ts

@@ -0,0 +1,5 @@
+export declare function canonicalize(obj: unknown): string;
+export declare function canonicaliseToBytes(obj: unknown): Buffer;
+export declare function sha256Hex(bytes: Buffer | string): string;
+export declare function sha256JcsHex(obj: unknown): string;
+//# sourceMappingURL=canonicalize.d.ts.map

package/dist/canonicalize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonicalize.d.ts","sourceRoot":"","sources":["../src/canonicalize.ts"],"names":[],"mappings":"AAUA,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAMjD;AAED,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAExD;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAExD;AAED,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAEjD"}

package/dist/canonicalize.js

@@ -0,0 +1,26 @@
+/**
+ * Canonicalisation wrapper for the audit verifier.
+ *
+ * Uses RFC 8785 JCS via the `canonicalize` npm package, byte-for-byte
+ * equivalent to the Python `rfc8785` package used by the sibling
+ * algovoi-audit-verifier (Python).
+ */
+import canonicalizeLib from 'canonicalize';
+import { createHash } from 'node:crypto';
+export function canonicalize(obj) {
+    const out = canonicalizeLib(obj);
+    if (out === undefined) {
+        throw new Error('canonicalize returned undefined (input not JCS-canonicalisable)');
+    }
+    return out;
+}
+export function canonicaliseToBytes(obj) {
+    return Buffer.from(canonicalize(obj), 'utf-8');
+}
+export function sha256Hex(bytes) {
+    return createHash('sha256').update(bytes).digest('hex');
+}
+export function sha256JcsHex(obj) {
+    return sha256Hex(canonicaliseToBytes(obj));
+}
+//# sourceMappingURL=canonicalize.js.map

package/dist/canonicalize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonicalize.js","sourceRoot":"","sources":["../src/canonicalize.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,eAAe,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,MAAM,UAAU,YAAY,CAAC,GAAY;IACvC,MAAM,GAAG,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;IACrF,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,GAAY;IAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,KAAsB;IAC9C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,GAAY;IACvC,OAAO,SAAS,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC;AAC7C,CAAC"}

package/dist/check-report.d.ts

@@ -0,0 +1,18 @@
+/**
+ * CheckReport — aggregates individual check results into a single
+ * PASS / FAIL summary. Byte-for-byte equivalent to the Python sibling's
+ * CheckReport class.
+ */
+import type { CheckEntry, CheckReportJSON } from './types.js';
+export declare class CheckReport {
+    readonly checks: CheckEntry[];
+    readonly fatal: string[];
+    add(name: string, passed: boolean, detail?: string): void;
+    addSkip(name: string, reason: string): void;
+    addFatal(msg: string): void;
+    get allPassed(): boolean;
+    get hasFatal(): boolean;
+    toJSON(): CheckReportJSON;
+    render(): string;
+}
+//# sourceMappingURL=check-report.d.ts.map

package/dist/check-report.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"check-report.d.ts","sourceRoot":"","sources":["../src/check-report.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAE9D,qBAAa,WAAW;IACtB,QAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,CAAM;IACnC,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,CAAM;IAE9B,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,SAAK,GAAG,IAAI;IAIrD,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI;IAI3C,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAI3B,IAAI,SAAS,IAAI,OAAO,CAGvB;IAED,IAAI,QAAQ,IAAI,OAAO,CAEtB;IAED,MAAM,IAAI,eAAe;IAQzB,MAAM,IAAI,MAAM;CAiBjB"}

package/dist/check-report.js

@@ -0,0 +1,48 @@
+export class CheckReport {
+    checks = [];
+    fatal = [];
+    add(name, passed, detail = '') {
+        this.checks.push({ name, passed, detail });
+    }
+    addSkip(name, reason) {
+        this.checks.push({ name, passed: null, detail: `skipped: ${reason}` });
+    }
+    addFatal(msg) {
+        this.fatal.push(msg);
+    }
+    get allPassed() {
+        if (this.fatal.length > 0)
+            return false;
+        return this.checks.every((c) => c.passed !== false);
+    }
+    get hasFatal() {
+        return this.fatal.length > 0;
+    }
+    toJSON() {
+        return {
+            all_passed: this.allPassed,
+            fatal: this.fatal.slice(),
+            checks: this.checks.map((c) => ({ ...c })),
+        };
+    }
+    render() {
+        const lines = [];
+        if (this.fatal.length > 0) {
+            lines.push('FATAL:');
+            for (const f of this.fatal)
+                lines.push(`  ! ${f}`);
+            return lines.join('\n');
+        }
+        for (const c of this.checks) {
+            const mark = c.passed === true ? '  ok' : c.passed === false ? 'FAIL' : 'skip';
+            let line = `  [${mark}] ${c.name}`;
+            if (c.detail)
+                line += ` -- ${c.detail}`;
+            lines.push(line);
+        }
+        const verdict = this.allPassed ? 'PASS' : 'FAIL';
+        lines.push(`\nVerdict: ${verdict}`);
+        return lines.join('\n');
+    }
+}
+//# sourceMappingURL=check-report.js.map

package/dist/check-report.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"check-report.js","sourceRoot":"","sources":["../src/check-report.ts"],"names":[],"mappings":"AAOA,MAAM,OAAO,WAAW;IACb,MAAM,GAAiB,EAAE,CAAC;IAC1B,KAAK,GAAa,EAAE,CAAC;IAE9B,GAAG,CAAC,IAAY,EAAE,MAAe,EAAE,MAAM,GAAG,EAAE;QAC5C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,OAAO,CAAC,IAAY,EAAE,MAAc;QAClC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,MAAM,EAAE,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,QAAQ,CAAC,GAAW;QAClB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAED,IAAI,SAAS;QACX,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QACxC,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,KAAK,CAAC,CAAC;IACtD,CAAC;IAED,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IAC/B,CAAC;IAED,MAAM;QACJ,OAAO;YACL,UAAU,EAAE,IAAI,CAAC,SAAS;YAC1B,KAAK,EAAO,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE;YAC9B,MAAM,EAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,MAAM;QACJ,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACrB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,KAAK;gBAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YACnD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QACD,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,KAAK,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;YAC/E,IAAI,IAAI,GAAG,MAAM,IAAI,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;YACnC,IAAI,CAAC,CAAC,MAAM;gBAAE,IAAI,IAAI,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;YACxC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnB,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;QACjD,KAAK,CAAC,IAAI,CAAC,cAAc,OAAO,EAAE,CAAC,CAAC;QACpC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;CACF"}

package/dist/checks.d.ts

@@ -0,0 +1,9 @@
+import type { CheckReport } from './check-report.js';
+import type { AuditBundle } from './types.js';
+export declare function checkPerRowContentHash(bundle: AuditBundle, report: CheckReport): void;
+export declare function checkContinuity(bundle: AuditBundle, report: CheckReport): void;
+export declare function checkBundleSignature(bundle: AuditBundle, signingKey: string | null | undefined, report: CheckReport): void;
+export declare function checkSelectionCriteriaMatch(bundle: AuditBundle, report: CheckReport): void;
+export declare function parseObjectKeyShaPrefix(objectKey: string | undefined): string | null;
+export declare function checkOffVmAnchor(bundle: AuditBundle, manifestDir: string | null | undefined, report: CheckReport): Promise<void>;
+//# sourceMappingURL=checks.d.ts.map

package/dist/checks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"checks.d.ts","sourceRoot":"","sources":["../src/checks.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD,OAAO,KAAK,EACV,WAAW,EAGZ,MAAM,YAAY,CAAC;AAMpB,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,GAAG,IAAI,CAuCrF;AAaD,wBAAgB,eAAe,CAAC,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,GAAG,IAAI,CAsF9E;AAMD,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,WAAW,EACnB,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EACrC,MAAM,EAAE,WAAW,GAClB,IAAI,CAmDN;AAmCD,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,GAAG,IAAI,CAgD1F;AAMD,wBAAgB,uBAAuB,CAAC,SAAS,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAWpF;AAED,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,WAAW,EACnB,WAAW,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EACtC,MAAM,EAAE,WAAW,GAClB,OAAO,CAAC,IAAI,CAAC,CAsGf"}

package/dist/checks.js

@@ -0,0 +1,337 @@
+/**
+ * The five verifier checks ported byte-for-byte from verify_audit_bundle.py:
+ *
+ *   1. checkPerRowContentHash  -- SHA-256(JCS(canonical-fields)) per row
+ *   2. checkContinuity         -- prev_hash walks unbroken across rows + bridging
+ *   3. checkBundleSignature    -- HMAC-SHA256 over RFC 8785 canonical bundle
+ *   4. checkSelectionCriteria  -- selected rows actually match the filter
+ *   5. checkOffVmAnchor        -- off-VM Object-Lock manifest cross-check
+ *                                (when manifestDir provided)
+ */
+import { createHash, createHmac } from 'node:crypto';
+import { promises as fs } from 'node:fs';
+import * as path from 'node:path';
+import { canonicaliseToBytes, sha256Hex } from './canonicalize.js';
+import { FIELD_EXTRACTORS, KNOWN_CHAIN_NAMES } from './extractors.js';
+// ---------------------------------------------------------------------------
+// 1. Per-row content_hash
+// ---------------------------------------------------------------------------
+export function checkPerRowContentHash(bundle, report) {
+    const chainName = bundle.chain_name;
+    const extractor = chainName ? FIELD_EXTRACTORS[chainName] : undefined;
+    if (!extractor) {
+        report.add('per_row_content_hash', false, `unknown chain_name '${chainName}' (expected one of ${JSON.stringify(KNOWN_CHAIN_NAMES)})`);
+        return;
+    }
+    const rows = bundle.rows ?? [];
+    if (rows.length === 0) {
+        report.addSkip('per_row_content_hash', 'selection is empty (zero rows)');
+        return;
+    }
+    const failures = [];
+    for (const r of rows) {
+        const expected = r['content_hash'];
+        if (typeof expected !== 'string' || expected.length !== 64) {
+            failures.push(`chain_position=${JSON.stringify(r['chain_position'])}: stored content_hash missing or wrong length`);
+            continue;
+        }
+        const canonical = extractor(r);
+        const actual = sha256Hex(canonicaliseToBytes(canonical));
+        if (actual !== expected) {
+            failures.push(`chain_position=${JSON.stringify(r['chain_position'])}: ` +
+                `recomputed ${actual.slice(0, 16)}... != stored ${expected.slice(0, 16)}...`);
+        }
+    }
+    if (failures.length > 0) {
+        let detail = `${failures.length} of ${rows.length} rows failed: ${failures.slice(0, 3).join('; ')}`;
+        if (failures.length > 3)
+            detail += `; (+${failures.length - 3} more)`;
+        report.add('per_row_content_hash', false, detail);
+    }
+    else {
+        report.add('per_row_content_hash', true, `${rows.length} rows verified`);
+    }
+}
+export function checkContinuity(bundle, report) {
+    const rows = bundle.rows ?? [];
+    const bridging = bundle.bridging_rows ?? [];
+    const bridgingMeta = bundle.bridging ?? {};
+    if (rows.length === 0) {
+        report.addSkip('continuity', 'selection is empty');
+        return;
+    }
+    const union = [];
+    for (const r of rows) {
+        union.push({
+            chain_position: r['chain_position'] ?? null,
+            content_hash: r['content_hash'],
+            prev_hash: r['prev_hash'],
+            kind: 'selected',
+        });
+    }
+    for (const b of bridging) {
+        union.push({
+            chain_position: b['chain_position'] ?? null,
+            content_hash: b['content_hash'],
+            prev_hash: b['prev_hash'],
+            kind: 'bridging',
+        });
+    }
+    // Sort by chain_position, nulls last (Python uses (None, position) tuple).
+    union.sort((a, b) => {
+        if (a.chain_position === null && b.chain_position === null)
+            return 0;
+        if (a.chain_position === null)
+            return 1;
+        if (b.chain_position === null)
+            return -1;
+        return a.chain_position - b.chain_position;
+    });
+    // Detect gaps in the merged set.
+    if (union.length > 1) {
+        const gaps = [];
+        for (let i = 1; i < union.length; i++) {
+            const p0 = union[i - 1].chain_position;
+            const p1 = union[i].chain_position;
+            if (p0 === null || p1 === null)
+                continue;
+            if (p1 - p0 > 1)
+                gaps.push([p0, p1]);
+        }
+        if (gaps.length > 0 && !bridgingMeta.included) {
+            report.addSkip('continuity', `gaps between selected positions ${JSON.stringify(gaps.slice(0, 2))} but bridging_rows not included; ` +
+                'request the bundle with include_bridging_rows=true to enable this check');
+            return;
+        }
+        if (gaps.length > 0) {
+            report.add('continuity', false, `gaps remain after bridging at positions ${JSON.stringify(gaps.slice(0, 3))} -- chain has missing rows`);
+            return;
+        }
+    }
+    // Walk
+    const failures = [];
+    for (let i = 1; i < union.length; i++) {
+        const prev = union[i - 1];
+        const curr = union[i];
+        if (curr.prev_hash !== prev.content_hash) {
+            failures.push(`position ${curr.chain_position} (${curr.kind}): ` +
+                `prev_hash ${(curr.prev_hash ?? '').slice(0, 12)}... != ` +
+                `content_hash of position ${prev.chain_position} (${prev.kind}) ` +
+                `${(prev.content_hash ?? '').slice(0, 12)}...`);
+        }
+    }
+    if (failures.length > 0) {
+        const detail = `${failures.length} broken link(s): ${failures.slice(0, 2).join('; ')}`;
+        report.add('continuity', false, detail);
+    }
+    else {
+        report.add('continuity', true, `${union.length} entries (selected=${rows.length}, bridging=${bridging.length}) chain forward correctly`);
+    }
+}
+// ---------------------------------------------------------------------------
+// 3. Bundle signature
+// ---------------------------------------------------------------------------
+export function checkBundleSignature(bundle, signingKey, report) {
+    const sig = bundle.bundle_signature;
+    if (sig === null || sig === undefined) {
+        report.addSkip('bundle_signature', 'bundle has bundle_signature: null (signing not configured server-side)');
+        return;
+    }
+    if (typeof sig !== 'object' || Array.isArray(sig) || !('hex' in sig)) {
+        report.add('bundle_signature', false, `bundle_signature is not a valid signature object: ${JSON.stringify(sig)}`);
+        return;
+    }
+    const s = sig;
+    if (!signingKey) {
+        report.addSkip('bundle_signature', `bundle is signed with key_id='${s.key_id}', algorithm='${s.algorithm}' -- ` +
+            'pass --signing-key or --signing-key-env to verify');
+        return;
+    }
+    if (s.algorithm !== 'HMAC-SHA256' || s.canonicalisation !== 'RFC 8785') {
+        report.add('bundle_signature', false, `unsupported signature algorithm/canonicalisation: ${s.algorithm}/${s.canonicalisation}`);
+        return;
+    }
+    // Build inner = bundle minus bundle_signature
+    const inner = {};
+    for (const [k, v] of Object.entries(bundle)) {
+        if (k !== 'bundle_signature')
+            inner[k] = v;
+    }
+    const canonical = canonicaliseToBytes(inner);
+    const expected = createHmac('sha256', signingKey).update(canonical).digest('hex');
+    if (expected === s.hex) {
+        report.add('bundle_signature', true, `HMAC-SHA256 verified against key_id='${s.key_id}'`);
+    }
+    else {
+        report.add('bundle_signature', false, `recomputed ${expected.slice(0, 16)}... != stored ${s.hex.slice(0, 16)}... -- wrong key, or bundle tampered`);
+    }
+}
+// ---------------------------------------------------------------------------
+// 4. Selection criteria match
+// ---------------------------------------------------------------------------
+const CRITERIA_EXACT_MATCH = {
+    audit_log: {
+        actor: 'actor',
+        action: 'action',
+        target_type: 'target_type',
+        tenant_id: 'tenant_id',
+        trace_id: 'trace_id',
+    },
+    screening_hits: {
+        subject_type: 'subject_type',
+        action_taken: 'action_taken',
+        screening_context: 'screening_context',
+        tenant_id: 'tenant_id',
+        wallet_address: 'wallet_address',
+    },
+    compliance_events: {
+        tenant_id: 'tenant_id',
+        rule_id: 'rule_id',
+        event_type: 'event_type',
+        payment_ledger_id: 'payment_ledger_id',
+    },
+    negotiation_trace_events: {
+        tenant_id: 'tenant_id',
+        session_id: 'session_id',
+        protocol: 'protocol',
+        payment_ledger_id: 'payment_ledger_id',
+    },
+};
+export function checkSelectionCriteriaMatch(bundle, report) {
+    const rows = bundle.rows ?? [];
+    const criteria = bundle.selection_criteria ?? {};
+    const chainName = bundle.chain_name ?? '';
+    const exactMap = CRITERIA_EXACT_MATCH[chainName] ?? {};
+    // Find which exact-match filters were set
+    const activeFilters = [];
+    for (const [criterionKey, rowField] of Object.entries(exactMap)) {
+        if (criterionKey in criteria && criteria[criterionKey] !== null && criteria[criterionKey] !== undefined) {
+            activeFilters.push([rowField, criteria[criterionKey]]);
+        }
+    }
+    if (activeFilters.length === 0) {
+        report.addSkip('selection_criteria_match', 'no exact-match filters set in selection_criteria');
+        return;
+    }
+    if (rows.length === 0) {
+        report.addSkip('selection_criteria_match', 'no rows to check');
+        return;
+    }
+    const violations = [];
+    for (const r of rows) {
+        for (const [field, expected] of activeFilters) {
+            // Negotiation_trace counterparty is a disjunctive filter handled separately;
+            // exactMap above does not include it.
+            const actual = r[field];
+            if (actual !== expected) {
+                violations.push(`chain_position=${JSON.stringify(r['chain_position'])}: ` +
+                    `row.${field}=${JSON.stringify(actual)} != criteria.${field}=${JSON.stringify(expected)}`);
+                break; // one violation per row is enough
+            }
+        }
+    }
+    if (violations.length > 0) {
+        let detail = `${violations.length} of ${rows.length} rows do not match selection_criteria: ${violations.slice(0, 3).join('; ')}`;
+        if (violations.length > 3)
+            detail += `; (+${violations.length - 3} more)`;
+        report.add('selection_criteria_match', false, detail);
+    }
+    else {
+        report.add('selection_criteria_match', true, `${rows.length} rows match ${activeFilters.length} exact-match filter(s)`);
+    }
+}
+// ---------------------------------------------------------------------------
+// 5. Off-VM anchor
+// ---------------------------------------------------------------------------
+export function parseObjectKeyShaPrefix(objectKey) {
+    if (!objectKey)
+        return null;
+    const basename = objectKey.includes('/') ? objectKey.slice(objectKey.lastIndexOf('/') + 1) : objectKey;
+    if (!basename.endsWith('.ndjson'))
+        return null;
+    const stem = basename.slice(0, -'.ndjson'.length);
+    const dashIdx = stem.lastIndexOf('-');
+    if (dashIdx < 0)
+        return null;
+    const shaPrefix = stem.slice(dashIdx + 1);
+    if (shaPrefix.length !== 16)
+        return null;
+    if (!/^[0-9a-f]+$/.test(shaPrefix))
+        return null;
+    return shaPrefix;
+}
+export async function checkOffVmAnchor(bundle, manifestDir, report) {
+    const anchor = bundle.off_vm_anchor;
+    if (!anchor || !anchor.object_key) {
+        report.addSkip('off_vm_anchor', 'no off_vm_anchor in bundle (chain has not been shipped yet, or bundle is from before shipping started)');
+        return;
+    }
+    if (!manifestDir) {
+        report.addSkip('off_vm_anchor', `manifestDir not provided -- run \`aws s3api head-object --bucket ${anchor.bucket_name} --key ${anchor.object_key}\` and confirm ObjectLockMode=COMPLIANCE`);
+        return;
+    }
+    const expectedShaPrefix = parseObjectKeyShaPrefix(anchor.object_key);
+    if (!expectedShaPrefix) {
+        report.add('off_vm_anchor', false, `object_key has no parseable sha256 prefix: ${anchor.object_key}`);
+        return;
+    }
+    // Try to locate the manifest file: by full key path, by basename.
+    const candidates = [
+        path.join(manifestDir, anchor.object_key),
+        path.join(manifestDir, path.basename(anchor.object_key)),
+    ];
+    let manifestPath = null;
+    for (const c of candidates) {
+        try {
+            await fs.access(c);
+            manifestPath = c;
+            break;
+        }
+        catch {
+            // continue
+        }
+    }
+    if (!manifestPath) {
+        report.add('off_vm_anchor', false, `manifest file not found in ${manifestDir} for object_key=${anchor.object_key}`);
+        return;
+    }
+    // Compute SHA-256 of the file bytes.
+    const buf = await fs.readFile(manifestPath);
+    const fullSha = createHash('sha256').update(buf).digest('hex');
+    if (fullSha.slice(0, 16) !== expectedShaPrefix) {
+        report.add('off_vm_anchor', false, `manifest sha prefix ${fullSha.slice(0, 16)} != object_key prefix ${expectedShaPrefix}`);
+        return;
+    }
+    // Parse last NDJSON line and confirm chain_position + content_hash match bundle.chain_anchor.current_head.
+    const text = buf.toString('utf-8');
+    const lines = text.split('\n').filter((l) => l.trim().length > 0);
+    if (lines.length === 0) {
+        report.add('off_vm_anchor', false, 'manifest file is empty');
+        return;
+    }
+    let lastEntry;
+    try {
+        lastEntry = JSON.parse(lines[lines.length - 1]);
+    }
+    catch (e) {
+        report.add('off_vm_anchor', false, `last NDJSON line is not valid JSON: ${e.message}`);
+        return;
+    }
+    const head = bundle.chain_anchor?.current_head;
+    if (!head) {
+        report.add('off_vm_anchor', false, 'bundle.chain_anchor.current_head missing -- cannot cross-check manifest tail');
+        return;
+    }
+    const headPos = head.chain_position;
+    const headHash = head.content_hash;
+    if (lastEntry['chain_position'] !== headPos) {
+        report.add('off_vm_anchor', false, `manifest tail chain_position=${lastEntry['chain_position']} != bundle chain_anchor.current_head.chain_position=${headPos}`);
+        return;
+    }
+    if (lastEntry['content_hash'] !== headHash) {
+        report.add('off_vm_anchor', false, `manifest tail content_hash=${String(lastEntry['content_hash']).slice(0, 16)}... != bundle chain_anchor.current_head.content_hash=${String(headHash).slice(0, 16)}...`);
+        return;
+    }
+    report.add('off_vm_anchor', true, `manifest sha verified + tail entry at chain_position=${headPos} matches chain_anchor.current_head`);
+}
+//# sourceMappingURL=checks.js.map

package/dist/checks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"checks.js","sourceRoot":"","sources":["../src/checks.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAgB,mBAAmB,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAEjF,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAOtE,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,MAAM,UAAU,sBAAsB,CAAC,MAAmB,EAAE,MAAmB;IAC7E,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC;IACpC,MAAM,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACtE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,CAAC,GAAG,CACR,sBAAsB,EACtB,KAAK,EACL,uBAAuB,SAAS,sBAAsB,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAC,GAAG,CAC3F,CAAC;QACF,OAAO;IACT,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;IAC/B,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,CAAC,OAAO,CAAC,sBAAsB,EAAE,gCAAgC,CAAC,CAAC;QACzE,OAAO;IACT,CAAC;IACD,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,MAAM,QAAQ,GAAG,CAAC,CAAC,cAAc,CAAC,CAAC;QACnC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YAC3D,QAAQ,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,+CAA+C,CAAC,CAAC;YACpH,SAAS;QACX,CAAC;QACD,MAAM,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAG,SAAS,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC,CAAC;QACzD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,QAAQ,CAAC,IAAI,CACX,kBAAkB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,IAAI;gBACzD,cAAc,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAC7E,CAAC;QACJ,CAAC;IACH,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,IAAI,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,OAAO,IAAI,CAAC,MAAM,iBAAiB,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACpG,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;YAAE,MAAM,IAAI,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,QAAQ,CAAC;QACtE,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IACpD,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC,MAAM,gBAAgB,CAAC,CAAC;IAC3E,CAAC;AACH,CAAC;AAaD,MAAM,UAAU,eAAe,CAAC,MAAmB,EAAE,MAAmB;IACtE,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC;IAC5C,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;IAE3C,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;QACnD,OAAO;IACT,CAAC;IAED,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,KAAK,CAAC,IAAI,CAAC;YACT,cAAc,EAAG,CAAC,CAAC,gBAAgB,CAA+B,IAAI,IAAI;YAC1E,YAAY,EAAI,CAAC,CAAC,cAAc,CAAuB;YACvD,SAAS,EAAO,CAAC,CAAC,WAAW,CAA0B;YACvD,IAAI,EAAY,UAAU;SAC3B,CAAC,CAAC;IACL,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC;YACT,cAAc,EAAG,CAAC,CAAC,gBAAgB,CAA+B,IAAI,IAAI;YAC1E,YAAY,EAAI,CAAC,CAAC,cAAc,CAAuB;YACvD,SAAS,EAAO,CAAC,CAAC,WAAW,CAA0B;YACvD,IAAI,EAAY,UAAU;SAC3B,CAAC,CAAC;IACL,CAAC;IACD,2EAA2E;IAC3E,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAClB,IAAI,CAAC,CAAC,cAAc,KAAK,IAAI,IAAI,CAAC,CAAC,cAAc,KAAK,IAAI;YAAE,OAAO,CAAC,CAAC;QACrE,IAAI,CAAC,CAAC,cAAc,KAAK,IAAI;YAAE,OAAO,CAAC,CAAC;QACxC,IAAI,CAAC,CAAC,cAAc,KAAK,IAAI;YAAE,OAAO,CAAC,CAAC,CAAC;QACzC,OAAO,CAAC,CAAC,cAAc,GAAG,CAAC,CAAC,cAAc,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,iCAAiC;IACjC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,GAA4B,EAAE,CAAC;QACzC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC,cAAc,CAAC;YACxC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC,cAAc,CAAC;YACpC,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,IAAI;gBAAE,SAAS;YACzC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC;gBAAE,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;QACvC,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC9C,MAAM,CAAC,OAAO,CACZ,YAAY,EACZ,mCAAmC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,mCAAmC;gBACtG,yEAAyE,CAC1E,CAAC;YACF,OAAO;QACT,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,MAAM,CAAC,GAAG,CACR,YAAY,EACZ,KAAK,EACL,2CAA2C,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,4BAA4B,CACxG,CAAC;YACF,OAAO;QACT,CAAC;IACH,CAAC;IAED,OAAO;IACP,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;QACvB,IAAI,IAAI,CAAC,SAAS,KAAK,IAAI,CAAC,YAAY,EAAE,CAAC;YACzC,QAAQ,CAAC,IAAI,CACX,YAAY,IAAI,CAAC,cAAc,KAAK,IAAI,CAAC,IAAI,KAAK;gBAClD,aAAa,CAAC,IAAI,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS;gBACzD,4BAA4B,IAAI,CAAC,cAAc,KAAK,IAAI,CAAC,IAAI,IAAI;gBACjE,GAAG,CAAC,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAC/C,CAAC;QACJ,CAAC;IACH,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,oBAAoB,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACvF,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC1C,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,CACR,YAAY,EACZ,IAAI,EACJ,GAAG,KAAK,CAAC,MAAM,sBAAsB,IAAI,CAAC,MAAM,cAAc,QAAQ,CAAC,MAAM,2BAA2B,CACzG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,MAAM,UAAU,oBAAoB,CAClC,MAAmB,EACnB,UAAqC,EACrC,MAAmB;IAEnB,MAAM,GAAG,GAAG,MAAM,CAAC,gBAAgB,CAAC;IACpC,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtC,MAAM,CAAC,OAAO,CACZ,kBAAkB,EAClB,wEAAwE,CACzE,CAAC;QACF,OAAO;IACT,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,GAAG,CAAC,EAAE,CAAC;QACrE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,KAAK,EAAE,qDAAqD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClH,OAAO;IACT,CAAC;IACD,MAAM,CAAC,GAAG,GAAsB,CAAC;IACjC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,CAAC,OAAO,CACZ,kBAAkB,EAClB,iCAAiC,CAAC,CAAC,MAAM,iBAAiB,CAAC,CAAC,SAAS,OAAO;YAC5E,mDAAmD,CACpD,CAAC;QACF,OAAO;IACT,CAAC;IACD,IAAI,CAAC,CAAC,SAAS,KAAK,aAAa,IAAI,CAAC,CAAC,gBAAgB,KAAK,UAAU,EAAE,CAAC;QACvE,MAAM,CAAC,GAAG,CACR,kBAAkB,EAClB,KAAK,EACL,qDAAqD,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,gBAAgB,EAAE,CACzF,CAAC;QACF,OAAO;IACT,CAAC;IAED,8CAA8C;IAC9C,MAAM,KAAK,GAA4B,EAAE,CAAC;IAC1C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC5C,IAAI,CAAC,KAAK,kBAAkB;YAAE,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC7C,CAAC;IACD,MAAM,SAAS,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAClF,IAAI,QAAQ,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,CACR,kBAAkB,EAClB,IAAI,EACJ,wCAAwC,CAAC,CAAC,MAAM,GAAG,CACpD,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,CACR,kBAAkB,EAClB,KAAK,EACL,cAAc,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,sCAAsC,CAC7G,CAAC;IACJ,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,8BAA8B;AAC9B,8EAA8E;AAE9E,MAAM,oBAAoB,GAA2C;IACnE,SAAS,EAAE;QACT,KAAK,EAAQ,OAAO;QACpB,MAAM,EAAO,QAAQ;QACrB,WAAW,EAAE,aAAa;QAC1B,SAAS,EAAI,WAAW;QACxB,QAAQ,EAAK,UAAU;KACxB;IACD,cAAc,EAAE;QACd,YAAY,EAAO,cAAc;QACjC,YAAY,EAAO,cAAc;QACjC,iBAAiB,EAAE,mBAAmB;QACtC,SAAS,EAAU,WAAW;QAC9B,cAAc,EAAK,gBAAgB;KACpC;IACD,iBAAiB,EAAE;QACjB,SAAS,EAAU,WAAW;QAC9B,OAAO,EAAY,SAAS;QAC5B,UAAU,EAAS,YAAY;QAC/B,iBAAiB,EAAE,mBAAmB;KACvC;IACD,wBAAwB,EAAE;QACxB,SAAS,EAAU,WAAW;QAC9B,UAAU,EAAS,YAAY;QAC/B,QAAQ,EAAW,UAAU;QAC7B,iBAAiB,EAAE,mBAAmB;KACvC;CACF,CAAC;AAEF,MAAM,UAAU,2BAA2B,CAAC,MAAmB,EAAE,MAAmB;IAClF,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,kBAAkB,IAAI,EAAE,CAAC;IACjD,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;IAC1C,MAAM,QAAQ,GAAG,oBAAoB,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;IAEvD,0CAA0C;IAC1C,MAAM,aAAa,GAA6B,EAAE,CAAC;IACnD,KAAK,MAAM,CAAC,YAAY,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAChE,IAAI,YAAY,IAAI,QAAQ,IAAI,QAAQ,CAAC,YAAY,CAAC,KAAK,IAAI,IAAI,QAAQ,CAAC,YAAY,CAAC,KAAK,SAAS,EAAE,CAAC;YACxG,aAAa,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IACD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,CAAC,OAAO,CAAC,0BAA0B,EAAE,kDAAkD,CAAC,CAAC;QAC/F,OAAO;IACT,CAAC;IACD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,CAAC,OAAO,CAAC,0BAA0B,EAAE,kBAAkB,CAAC,CAAC;QAC/D,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,KAAK,MAAM,CAAC,KAAK,EAAE,QAAQ,CAAC,IAAI,aAAa,EAAE,CAAC;YAC9C,6EAA6E;YAC7E,sCAAsC;YACtC,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;YACxB,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;gBACxB,UAAU,CAAC,IAAI,CACb,kBAAkB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,IAAI;oBACzD,OAAO,KAAK,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,gBAAgB,KAAK,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAC1F,CAAC;gBACF,MAAM,CAAE,kCAAkC;YAC5C,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,IAAI,MAAM,GAAG,GAAG,UAAU,CAAC,MAAM,OAAO,IAAI,CAAC,MAAM,0CAA0C,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACjI,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC;YAAE,MAAM,IAAI,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,QAAQ,CAAC;QAC1E,MAAM,CAAC,GAAG,CAAC,0BAA0B,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IACxD,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,CACR,0BAA0B,EAC1B,IAAI,EACJ,GAAG,IAAI,CAAC,MAAM,eAAe,aAAa,CAAC,MAAM,wBAAwB,CAC1E,CAAC;IACJ,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,MAAM,UAAU,uBAAuB,CAAC,SAA6B;IACnE,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACvG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,OAAO,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;IAC1C,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IACzC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAChD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,MAAmB,EACnB,WAAsC,EACtC,MAAmB;IAEnB,MAAM,MAAM,GAAG,MAAM,CAAC,aAAa,CAAC;IACpC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;QAClC,MAAM,CAAC,OAAO,CACZ,eAAe,EACf,wGAAwG,CACzG,CAAC;QACF,OAAO;IACT,CAAC;IACD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,CAAC,OAAO,CACZ,eAAe,EACf,oEAAoE,MAAM,CAAC,WAAW,UAAU,MAAM,CAAC,UAAU,0CAA0C,CAC5J,CAAC;QACF,OAAO;IACT,CAAC;IAED,MAAM,iBAAiB,GAAG,uBAAuB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACrE,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,KAAK,EAAE,8CAA8C,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;QACtG,OAAO;IACT,CAAC;IAED,kEAAkE;IAClE,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,UAAU,CAAC;QACzC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;KACzD,CAAC;IACF,IAAI,YAAY,GAAkB,IAAI,CAAC;IACvC,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACnB,YAAY,GAAG,CAAC,CAAC;YACjB,MAAM;QACR,CAAC;QAAC,MAAM,CAAC;YACP,WAAW;QACb,CAAC;IACH,CAAC;IACD,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,CAAC,GAAG,CACR,eAAe,EACf,KAAK,EACL,8BAA8B,WAAW,mBAAmB,MAAM,CAAC,UAAU,EAAE,CAChF,CAAC;QACF,OAAO;IACT,CAAC;IAED,qCAAqC;IACrC,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,iBAAiB,EAAE,CAAC;QAC/C,MAAM,CAAC,GAAG,CACR,eAAe,EACf,KAAK,EACL,uBAAuB,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,yBAAyB,iBAAiB,EAAE,CACxF,CAAC;QACF,OAAO;IACT,CAAC;IAED,2GAA2G;IAC3G,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACnC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAClE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,KAAK,EAAE,wBAAwB,CAAC,CAAC;QAC7D,OAAO;IACT,CAAC;IACD,IAAI,SAAkC,CAAC;IACvC,IAAI,CAAC;QACH,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAE,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,KAAK,EAAE,uCAAwC,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QAClG,OAAO;IACT,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC;IAC/C,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,KAAK,EAAE,8EAA8E,CAAC,CAAC;QACnH,OAAO;IACT,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC;IACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC;IACnC,IAAI,SAAS,CAAC,gBAAgB,CAAC,KAAK,OAAO,EAAE,CAAC;QAC5C,MAAM,CAAC,GAAG,CACR,eAAe,EACf,KAAK,EACL,gCAAgC,SAAS,CAAC,gBAAgB,CAAC,uDAAuD,OAAO,EAAE,CAC5H,CAAC;QACF,OAAO;IACT,CAAC;IACD,IAAI,SAAS,CAAC,cAAc,CAAC,KAAK,QAAQ,EAAE,CAAC;QAC3C,MAAM,CAAC,GAAG,CACR,eAAe,EACf,KAAK,EACL,8BAA8B,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,wDAAwD,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CACvK,CAAC;QACF,OAAO;IACT,CAAC;IAED,MAAM,CAAC,GAAG,CACR,eAAe,EACf,IAAI,EACJ,wDAAwD,OAAO,oCAAoC,CACpG,CAAC;AACJ,CAAC"}

package/dist/demo.d.ts

@@ -0,0 +1,17 @@
+import type { AuditBundle } from './types.js';
+export declare const GENESIS_PREV_HASH: string;
+export declare const DEFAULT_KEY = "demo-key-not-for-production-use";
+export interface BuildDemoBundleOptions {
+    chainName?: string;
+    rowCount?: number;
+    signingKey?: string;
+    keyId?: string;
+    /**
+     * Override the bundle_emitted_at timestamp; defaults to current time.
+     * Pass a fixed ISO string when you need byte-for-byte determinism (e.g.
+     * cross-impl tests against the Python sibling).
+     */
+    bundleEmittedAt?: string;
+}
+export declare function buildDemoBundle(options?: BuildDemoBundleOptions): AuditBundle;
+//# sourceMappingURL=demo.d.ts.map

package/dist/demo.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"demo.d.ts","sourceRoot":"","sources":["../src/demo.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,WAAW,EAAY,MAAM,YAAY,CAAC;AAExD,eAAO,MAAM,iBAAiB,QAAiB,CAAC;AAChD,eAAO,MAAM,WAAW,oCAAoC,CAAC;AAwH7D,MAAM,WAAW,sBAAsB;IACrC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,wBAAgB,eAAe,CAAC,OAAO,GAAE,sBAA2B,GAAG,WAAW,CAiEjF"}