@algovoi/audit-verifier 0.1.0

package/dist/demo.js

@@ -0,0 +1,186 @@
+/**
+ * Demo bundle generator -- builds a small synthetic signed AlgoVoi audit
+ * bundle for testing the verifier.
+ *
+ * Byte-for-byte equivalent to the Python sibling demo_audit_bundle.py
+ * when called with bundle_emitted_at fixed (the Python default uses
+ * datetime.now() so timestamps will differ; passing a fixed emittedAt
+ * makes the two implementations produce identical bytes for the same
+ * row_count + chain_name + signing_key + key_id).
+ */
+import { createHash, createHmac } from 'node:crypto';
+import { canonicaliseToBytes } from './canonicalize.js';
+export const GENESIS_PREV_HASH = '0'.repeat(64);
+export const DEFAULT_KEY = 'demo-key-not-for-production-use';
+function pad(n, width) {
+    return String(n).padStart(width, '0');
+}
+function sha256OfJcs(obj) {
+    return createHash('sha256').update(canonicaliseToBytes(obj)).digest('hex');
+}
+function auditLogRow(chainPosition, prevHash) {
+    const canonical = {
+        trace_id: `00000000-0000-0000-0000-${pad(chainPosition, 12)}`,
+        actor: 'demo-admin@example.com',
+        action: 'tenant.create',
+        target_type: 'tenant',
+        target_id: `tnt-${chainPosition}`,
+        tenant_id: null,
+        before_state: null,
+        after_state: { created: true, seq: chainPosition },
+        ip_address: '203.0.113.7',
+        user_agent: 'demo-agent/1.0',
+        created_at: `2026-05-06T20:00:${pad(chainPosition, 2)}+00:00`,
+        chain_position: chainPosition,
+        prev_hash: prevHash,
+    };
+    const contentHash = sha256OfJcs(canonical);
+    return { id: chainPosition * 100, content_hash: contentHash, ...canonical };
+}
+function screeningHitRow(chainPosition, prevHash) {
+    const canonical = {
+        screened_at: `2026-05-06T20:00:${pad(chainPosition, 2)}+00:00`,
+        subject_type: 'payer',
+        wallet_address: `0xdemo${String(chainPosition).padStart(36, '0')}`,
+        tenant_id: null,
+        payment_ledger_id: null,
+        sanctions_entry_id: chainPosition,
+        action_taken: 'flagged',
+        screening_context: 'realtime',
+        chain_position: chainPosition,
+        prev_hash: prevHash,
+    };
+    const contentHash = sha256OfJcs(canonical);
+    return { id: chainPosition * 100, content_hash: contentHash, ...canonical };
+}
+function complianceEventRow(chainPosition, prevHash) {
+    const fixedUuid = `11111111-1111-1111-1111-${pad(chainPosition, 12)}`;
+    const tenantUuid = `22222222-2222-2222-2222-${pad(chainPosition, 12)}`;
+    const ruleUuid = `33333333-3333-3333-3333-${pad(chainPosition, 12)}`;
+    const canonical = {
+        id: fixedUuid,
+        tenant_id: tenantUuid,
+        rule_id: ruleUuid,
+        payment_ledger_id: null,
+        payer_address_snapshot: null,
+        review_of_event_id: null,
+        event_type: 'alert',
+        metric_value: '100.0000',
+        threshold_value: '50.0000',
+        created_at: `2026-05-06T20:00:${pad(chainPosition, 2)}+00:00`,
+        chain_position: chainPosition,
+        prev_hash: prevHash,
+    };
+    const contentHash = sha256OfJcs(canonical);
+    return { ...canonical, content_hash: contentHash };
+}
+function negotiationTraceRow(chainPosition, prevHash) {
+    const canonical = {
+        trace_id: '44444444-4444-4444-4444-444444444444',
+        session_id: null,
+        tenant_id: null,
+        counterparty_a: 'did:example:demo_agent_a',
+        counterparty_b: 'did:example:demo_agent_b',
+        protocol: 'x402',
+        message_seq: chainPosition,
+        message_role: chainPosition === 1 ? 'offer' : 'counter',
+        message_payload: { step: chainPosition, amount: '10000', asset: 'USDC' },
+        payment_ledger_id: null,
+        created_at: `2026-05-06T20:00:${pad(chainPosition, 2)}+00:00`,
+        chain_position: chainPosition,
+        prev_hash: prevHash,
+    };
+    const contentHash = sha256OfJcs(canonical);
+    const fixedUuid = `55555555-5555-5555-5555-${pad(chainPosition, 12)}`;
+    return { id: fixedUuid, content_hash: contentHash, ...canonical };
+}
+const CHAIN_BUILDERS = {
+    audit_log: auditLogRow,
+    screening_hits: screeningHitRow,
+    compliance_events: complianceEventRow,
+    negotiation_trace_events: negotiationTraceRow,
+};
+const CHAIN_EMPTY_CRITERIA = {
+    audit_log: {
+        actor: null, action: null, target_type: null,
+        tenant_id: null, trace_id: null, since: null, until: null,
+    },
+    screening_hits: {
+        subject_type: null, action_taken: null, screening_context: null,
+        tenant_id: null, wallet_address: null,
+        since: null, until: null,
+    },
+    compliance_events: {
+        tenant_id: null, rule_id: null, event_type: null,
+        payment_ledger_id: null, since: null, until: null,
+    },
+    negotiation_trace_events: {
+        trace_id: null, tenant_id: null, protocol: null,
+        counterparty: null, message_role: null,
+        payment_ledger_id: null, since: null, until: null,
+    },
+};
+export function buildDemoBundle(options = {}) {
+    const chainName = options.chainName ?? 'audit_log';
+    const rowCount = options.rowCount ?? 3;
+    const signingKey = options.signingKey ?? DEFAULT_KEY;
+    const keyId = options.keyId ?? 'demo-v1';
+    if (rowCount < 1)
+        throw new Error('row_count must be >= 1');
+    const builder = CHAIN_BUILDERS[chainName];
+    if (!builder) {
+        const known = Object.keys(CHAIN_BUILDERS).sort();
+        throw new Error(`chain_name '${chainName}' is not recognised. Expected one of: ${JSON.stringify(known)}`);
+    }
+    const rows = [];
+    let prev = GENESIS_PREV_HASH;
+    for (let pos = 1; pos <= rowCount; pos++) {
+        const row = builder(pos, prev);
+        rows.push(row);
+        prev = row['content_hash'];
+    }
+    const head = rows[rows.length - 1];
+    const bundle = {
+        chain_format_version: 1,
+        chain_name: chainName,
+        bundle_emitted_at: options.bundleEmittedAt ?? new Date().toISOString(),
+        selection_criteria: CHAIN_EMPTY_CRITERIA[chainName],
+        selection: {
+            row_count: rows.length,
+            min_chain_position: rows[0]['chain_position'],
+            max_chain_position: head['chain_position'],
+            truncated: false,
+            max_rows_cap: 10000,
+        },
+        rows: rows,
+        bridging_rows: [],
+        bridging: { included: true, row_count: 0, truncated: false },
+        chain_anchor: {
+            chain_name: chainName,
+            genesis_chain_position: 1,
+            genesis_prev_hash: GENESIS_PREV_HASH,
+            current_head: {
+                chain_position: head['chain_position'],
+                content_hash: head['content_hash'],
+            },
+        },
+        off_vm_anchor: null,
+        verification_instructions: `Demo bundle for chain '${chainName}'. Run the AlgoVoi audit ` +
+            `verifier against this file with --signing-key '${signingKey}' to verify.`,
+    };
+    // Sign: HMAC-SHA256 over JCS canonical of bundle minus signature.
+    const inner = {};
+    for (const [k, v] of Object.entries(bundle)) {
+        if (k !== 'bundle_signature')
+            inner[k] = v;
+    }
+    const digest = createHmac('sha256', signingKey).update(canonicaliseToBytes(inner)).digest('hex');
+    bundle.bundle_signature = {
+        algorithm: 'HMAC-SHA256',
+        canonicalisation: 'RFC 8785',
+        key_id: keyId,
+        hex: digest,
+    };
+    return bundle;
+}
+//# sourceMappingURL=demo.js.map

package/dist/demo.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"demo.js","sourceRoot":"","sources":["../src/demo.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAGxD,MAAM,CAAC,MAAM,iBAAiB,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAChD,MAAM,CAAC,MAAM,WAAW,GAAG,iCAAiC,CAAC;AAE7D,SAAS,GAAG,CAAC,CAAS,EAAE,KAAa;IACnC,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,WAAW,CAAC,GAAY;IAC/B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,WAAW,CAAC,aAAqB,EAAE,QAAgB;IAC1D,MAAM,SAAS,GAA4B;QACzC,QAAQ,EAAQ,2BAA2B,GAAG,CAAC,aAAa,EAAE,EAAE,CAAC,EAAE;QACnE,KAAK,EAAW,wBAAwB;QACxC,MAAM,EAAU,eAAe;QAC/B,WAAW,EAAK,QAAQ;QACxB,SAAS,EAAO,OAAO,aAAa,EAAE;QACtC,SAAS,EAAO,IAAI;QACpB,YAAY,EAAI,IAAI;QACpB,WAAW,EAAK,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,aAAa,EAAE;QACrD,UAAU,EAAM,aAAa;QAC7B,UAAU,EAAM,gBAAgB;QAChC,UAAU,EAAM,oBAAoB,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,QAAQ;QACjE,cAAc,EAAE,aAAa;QAC7B,SAAS,EAAO,QAAQ;KACzB,CAAC;IACF,MAAM,WAAW,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAC3C,OAAO,EAAE,EAAE,EAAE,aAAa,GAAG,GAAG,EAAE,YAAY,EAAE,WAAW,EAAE,GAAG,SAAS,EAAE,CAAC;AAC9E,CAAC;AAED,SAAS,eAAe,CAAC,aAAqB,EAAE,QAAgB;IAC9D,MAAM,SAAS,GAA4B;QACzC,WAAW,EAAS,oBAAoB,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,QAAQ;QACrE,YAAY,EAAQ,OAAO;QAC3B,cAAc,EAAM,SAAS,MAAM,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE;QACtE,SAAS,EAAW,IAAI;QACxB,iBAAiB,EAAG,IAAI;QACxB,kBAAkB,EAAE,aAAa;QACjC,YAAY,EAAQ,SAAS;QAC7B,iBAAiB,EAAG,UAAU;QAC9B,cAAc,EAAM,aAAa;QACjC,SAAS,EAAW,QAAQ;KAC7B,CAAC;IACF,MAAM,WAAW,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAC3C,OAAO,EAAE,EAAE,EAAE,aAAa,GAAG,GAAG,EAAE,YAAY,EAAE,WAAW,EAAE,GAAG,SAAS,EAAE,CAAC;AAC9E,CAAC;AAED,SAAS,kBAAkB,CAAC,aAAqB,EAAE,QAAgB;IACjE,MAAM,SAAS,GAAG,2BAA2B,GAAG,CAAC,aAAa,EAAE,EAAE,CAAC,EAAE,CAAC;IACtE,MAAM,UAAU,GAAG,2BAA2B,GAAG,CAAC,aAAa,EAAE,EAAE,CAAC,EAAE,CAAC;IACvE,MAAM,QAAQ,GAAG,2BAA2B,GAAG,CAAC,aAAa,EAAE,EAAE,CAAC,EAAE,CAAC;IACrE,MAAM,SAAS,GAA4B;QACzC,EAAE,EAAsB,SAAS;QACjC,SAAS,EAAe,UAAU;QAClC,OAAO,EAAiB,QAAQ;QAChC,iBAAiB,EAAO,IAAI;QAC5B,sBAAsB,EAAE,IAAI;QAC5B,kBAAkB,EAAM,IAAI;QAC5B,UAAU,EAAc,OAAO;QAC/B,YAAY,EAAY,UAAU;QAClC,eAAe,EAAS,SAAS;QACjC,UAAU,EAAc,oBAAoB,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,QAAQ;QACzE,cAAc,EAAU,aAAa;QACrC,SAAS,EAAe,QAAQ;KACjC,CAAC;IACF,MAAM,WAAW,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAC3C,OAAO,EAAE,GAAG,SAAS,EAAE,YAAY,EAAE,WAAW,EAAE,CAAC;AACrD,CAAC;AAED,SAAS,mBAAmB,CAAC,aAAqB,EAAE,QAAgB;IAClE,MAAM,SAAS,GAA4B;QACzC,QAAQ,EAAW,sCAAsC;QACzD,UAAU,EAAS,IAAI;QACvB,SAAS,EAAU,IAAI;QACvB,cAAc,EAAK,0BAA0B;QAC7C,cAAc,EAAK,0BAA0B;QAC7C,QAAQ,EAAW,MAAM;QACzB,WAAW,EAAQ,aAAa;QAChC,YAAY,EAAO,aAAa,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;QAC5D,eAAe,EAAI,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE;QAC1E,iBAAiB,EAAE,IAAI;QACvB,UAAU,EAAS,oBAAoB,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,QAAQ;QACpE,cAAc,EAAK,aAAa;QAChC,SAAS,EAAU,QAAQ;KAC5B,CAAC;IACF,MAAM,WAAW,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAC3C,MAAM,SAAS,GAAG,2BAA2B,GAAG,CAAC,aAAa,EAAE,EAAE,CAAC,EAAE,CAAC;IACtE,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,YAAY,EAAE,WAAW,EAAE,GAAG,SAAS,EAAE,CAAC;AACpE,CAAC;AAID,MAAM,cAAc,GAAiC;IACnD,SAAS,EAAiB,WAAW;IACrC,cAAc,EAAY,eAAe;IACzC,iBAAiB,EAAS,kBAAkB;IAC5C,wBAAwB,EAAE,mBAAmB;CAC9C,CAAC;AAEF,MAAM,oBAAoB,GAA4C;IACpE,SAAS,EAAE;QACT,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI;QAC5C,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI;KAC1D;IACD,cAAc,EAAE;QACd,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,iBAAiB,EAAE,IAAI;QAC/D,SAAS,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI;QACrC,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI;KACzB;IACD,iBAAiB,EAAE;QACjB,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI;QAChD,iBAAiB,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI;KAClD;IACD,wBAAwB,EAAE;QACxB,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI;QAC/C,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI;QACtC,iBAAiB,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI;KAClD;CACF,CAAC;AAeF,MAAM,UAAU,eAAe,CAAC,UAAkC,EAAE;IAClE,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,WAAW,CAAC;IACnD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,CAAC,CAAC;IACvC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,WAAW,CAAC;IACrD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,SAAS,CAAC;IAEzC,IAAI,QAAQ,GAAG,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5D,MAAM,OAAO,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;IAC1C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,IAAI,KAAK,CAAC,eAAe,SAAS,yCAAyC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC5G,CAAC;IAED,MAAM,IAAI,GAAe,EAAE,CAAC;IAC5B,IAAI,IAAI,GAAG,iBAAiB,CAAC;IAC7B,KAAK,IAAI,GAAG,GAAG,CAAC,EAAE,GAAG,IAAI,QAAQ,EAAE,GAAG,EAAE,EAAE,CAAC;QACzC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC/B,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACf,IAAI,GAAG,GAAG,CAAC,cAAc,CAAW,CAAC;IACvC,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAE,CAAC;IACpC,MAAM,MAAM,GAAgB;QAC1B,oBAAoB,EAAE,CAAC;QACvB,UAAU,EAAY,SAAS;QAC/B,iBAAiB,EAAK,OAAO,CAAC,eAAe,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACzE,kBAAkB,EAAI,oBAAoB,CAAC,SAAS,CAAE;QACtD,SAAS,EAAE;YACT,SAAS,EAAW,IAAI,CAAC,MAAM;YAC/B,kBAAkB,EAAE,IAAI,CAAC,CAAC,CAAE,CAAC,gBAAgB,CAAC;YAC9C,kBAAkB,EAAE,IAAI,CAAC,gBAAgB,CAAC;YAC1C,SAAS,EAAW,KAAK;YACzB,YAAY,EAAQ,KAAK;SAC1B;QACD,IAAI,EAAW,IAAI;QACnB,aAAa,EAAE,EAAE;QACjB,QAAQ,EAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,EAAE,SAAS,EAAE,KAAK,EAAwC;QACvG,YAAY,EAAE;YACZ,UAAU,EAAc,SAAS;YACjC,sBAAsB,EAAE,CAAC;YACzB,iBAAiB,EAAO,iBAAiB;YACzC,YAAY,EAAE;gBACZ,cAAc,EAAE,IAAI,CAAC,gBAAgB,CAAW;gBAChD,YAAY,EAAI,IAAI,CAAC,cAAc,CAAa;aACjD;SACwC;QAC3C,aAAa,EAAE,IAA+C;QAC9D,yBAAyB,EACvB,0BAA0B,SAAS,2BAA2B;YAC9D,kDAAkD,UAAU,cAAc;KAC7E,CAAC;IAEF,kEAAkE;IAClE,MAAM,KAAK,GAA4B,EAAE,CAAC;IAC1C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC5C,IAAI,CAAC,KAAK,kBAAkB;YAAE,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC7C,CAAC;IACD,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,MAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACjG,MAAM,CAAC,gBAAgB,GAAG;QACxB,SAAS,EAAS,aAAa;QAC/B,gBAAgB,EAAE,UAAU;QAC5B,MAAM,EAAY,KAAK;QACvB,GAAG,EAAe,MAAM;KACzB,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/extractors.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Per-chain canonical-field extractors.
+ *
+ * Each chain (audit_log / screening_hits / compliance_events /
+ * negotiation_trace_events) commits a different set of fields to its
+ * content_hash. These functions MUST byte-for-byte match the Python
+ * sibling (verify_audit_bundle.py) and the emitter side, otherwise every
+ * row will fail verification on the auditor side.
+ */
+import type { FieldExtractor } from './types.js';
+export declare const FIELD_EXTRACTORS: Record<string, FieldExtractor>;
+export declare const KNOWN_CHAIN_NAMES: string[];
+//# sourceMappingURL=extractors.d.ts.map

package/dist/extractors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"extractors.d.ts","sourceRoot":"","sources":["../src/extractors.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,EAAY,cAAc,EAAE,MAAM,YAAY,CAAC;AAsE3D,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAK3D,CAAC;AAEF,eAAO,MAAM,iBAAiB,UAAuC,CAAC"}

package/dist/extractors.js

@@ -0,0 +1,72 @@
+function auditLogCanonicalFields(row) {
+    return {
+        trace_id: row.trace_id ?? null,
+        actor: row.actor ?? null,
+        action: row.action ?? null,
+        target_type: row.target_type ?? null,
+        target_id: row.target_id ?? null,
+        tenant_id: row.tenant_id ?? null,
+        before_state: row.before_state ?? null,
+        after_state: row.after_state ?? null,
+        ip_address: row.ip_address ?? null,
+        user_agent: row.user_agent ?? null,
+        created_at: row.created_at ?? null,
+        chain_position: row.chain_position ?? null,
+        prev_hash: row.prev_hash ?? null,
+    };
+}
+function screeningHitCanonicalFields(row) {
+    return {
+        screened_at: row.screened_at ?? null,
+        subject_type: row.subject_type ?? null,
+        wallet_address: row.wallet_address ?? null,
+        tenant_id: row.tenant_id ?? null,
+        payment_ledger_id: row.payment_ledger_id ?? null,
+        sanctions_entry_id: row.sanctions_entry_id ?? null,
+        action_taken: row.action_taken ?? null,
+        screening_context: row.screening_context ?? null,
+        chain_position: row.chain_position ?? null,
+        prev_hash: row.prev_hash ?? null,
+    };
+}
+function complianceEventCanonicalFields(row) {
+    return {
+        id: row.id ?? null,
+        tenant_id: row.tenant_id ?? null,
+        rule_id: row.rule_id ?? null,
+        payment_ledger_id: row.payment_ledger_id ?? null,
+        payer_address_snapshot: row.payer_address_snapshot ?? null,
+        review_of_event_id: row.review_of_event_id ?? null,
+        event_type: row.event_type ?? null,
+        metric_value: row.metric_value ?? null,
+        threshold_value: row.threshold_value ?? null,
+        created_at: row.created_at ?? null,
+        chain_position: row.chain_position ?? null,
+        prev_hash: row.prev_hash ?? null,
+    };
+}
+function negotiationTraceCanonicalFields(row) {
+    return {
+        trace_id: row.trace_id ?? null,
+        session_id: row.session_id ?? null,
+        tenant_id: row.tenant_id ?? null,
+        counterparty_a: row.counterparty_a ?? null,
+        counterparty_b: row.counterparty_b ?? null,
+        protocol: row.protocol ?? null,
+        message_seq: row.message_seq ?? null,
+        message_role: row.message_role ?? null,
+        message_payload: row.message_payload ?? null,
+        payment_ledger_id: row.payment_ledger_id ?? null,
+        created_at: row.created_at ?? null,
+        chain_position: row.chain_position ?? null,
+        prev_hash: row.prev_hash ?? null,
+    };
+}
+export const FIELD_EXTRACTORS = {
+    audit_log: auditLogCanonicalFields,
+    screening_hits: screeningHitCanonicalFields,
+    compliance_events: complianceEventCanonicalFields,
+    negotiation_trace_events: negotiationTraceCanonicalFields,
+};
+export const KNOWN_CHAIN_NAMES = Object.keys(FIELD_EXTRACTORS).sort();
+//# sourceMappingURL=extractors.js.map

package/dist/extractors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"extractors.js","sourceRoot":"","sources":["../src/extractors.ts"],"names":[],"mappings":"AAWA,SAAS,uBAAuB,CAAC,GAAa;IAC5C,OAAO;QACL,QAAQ,EAAQ,GAAG,CAAC,QAAQ,IAAI,IAAI;QACpC,KAAK,EAAW,GAAG,CAAC,KAAK,IAAI,IAAI;QACjC,MAAM,EAAU,GAAG,CAAC,MAAM,IAAI,IAAI;QAClC,WAAW,EAAK,GAAG,CAAC,WAAW,IAAI,IAAI;QACvC,SAAS,EAAO,GAAG,CAAC,SAAS,IAAI,IAAI;QACrC,SAAS,EAAO,GAAG,CAAC,SAAS,IAAI,IAAI;QACrC,YAAY,EAAI,GAAG,CAAC,YAAY,IAAI,IAAI;QACxC,WAAW,EAAK,GAAG,CAAC,WAAW,IAAI,IAAI;QACvC,UAAU,EAAM,GAAG,CAAC,UAAU,IAAI,IAAI;QACtC,UAAU,EAAM,GAAG,CAAC,UAAU,IAAI,IAAI;QACtC,UAAU,EAAM,GAAG,CAAC,UAAU,IAAI,IAAI;QACtC,cAAc,EAAE,GAAG,CAAC,cAAc,IAAI,IAAI;QAC1C,SAAS,EAAO,GAAG,CAAC,SAAS,IAAI,IAAI;KACtC,CAAC;AACJ,CAAC;AAED,SAAS,2BAA2B,CAAC,GAAa;IAChD,OAAO;QACL,WAAW,EAAS,GAAG,CAAC,WAAW,IAAI,IAAI;QAC3C,YAAY,EAAQ,GAAG,CAAC,YAAY,IAAI,IAAI;QAC5C,cAAc,EAAM,GAAG,CAAC,cAAc,IAAI,IAAI;QAC9C,SAAS,EAAW,GAAG,CAAC,SAAS,IAAI,IAAI;QACzC,iBAAiB,EAAG,GAAG,CAAC,iBAAiB,IAAI,IAAI;QACjD,kBAAkB,EAAE,GAAG,CAAC,kBAAkB,IAAI,IAAI;QAClD,YAAY,EAAQ,GAAG,CAAC,YAAY,IAAI,IAAI;QAC5C,iBAAiB,EAAG,GAAG,CAAC,iBAAiB,IAAI,IAAI;QACjD,cAAc,EAAM,GAAG,CAAC,cAAc,IAAI,IAAI;QAC9C,SAAS,EAAW,GAAG,CAAC,SAAS,IAAI,IAAI;KAC1C,CAAC;AACJ,CAAC;AAED,SAAS,8BAA8B,CAAC,GAAa;IACnD,OAAO;QACL,EAAE,EAAsB,GAAG,CAAC,EAAE,IAAI,IAAI;QACtC,SAAS,EAAe,GAAG,CAAC,SAAS,IAAI,IAAI;QAC7C,OAAO,EAAiB,GAAG,CAAC,OAAO,IAAI,IAAI;QAC3C,iBAAiB,EAAO,GAAG,CAAC,iBAAiB,IAAI,IAAI;QACrD,sBAAsB,EAAE,GAAG,CAAC,sBAAsB,IAAI,IAAI;QAC1D,kBAAkB,EAAM,GAAG,CAAC,kBAAkB,IAAI,IAAI;QACtD,UAAU,EAAc,GAAG,CAAC,UAAU,IAAI,IAAI;QAC9C,YAAY,EAAY,GAAG,CAAC,YAAY,IAAI,IAAI;QAChD,eAAe,EAAS,GAAG,CAAC,eAAe,IAAI,IAAI;QACnD,UAAU,EAAc,GAAG,CAAC,UAAU,IAAI,IAAI;QAC9C,cAAc,EAAU,GAAG,CAAC,cAAc,IAAI,IAAI;QAClD,SAAS,EAAe,GAAG,CAAC,SAAS,IAAI,IAAI;KAC9C,CAAC;AACJ,CAAC;AAED,SAAS,+BAA+B,CAAC,GAAa;IACpD,OAAO;QACL,QAAQ,EAAW,GAAG,CAAC,QAAQ,IAAI,IAAI;QACvC,UAAU,EAAS,GAAG,CAAC,UAAU,IAAI,IAAI;QACzC,SAAS,EAAU,GAAG,CAAC,SAAS,IAAI,IAAI;QACxC,cAAc,EAAK,GAAG,CAAC,cAAc,IAAI,IAAI;QAC7C,cAAc,EAAK,GAAG,CAAC,cAAc,IAAI,IAAI;QAC7C,QAAQ,EAAW,GAAG,CAAC,QAAQ,IAAI,IAAI;QACvC,WAAW,EAAQ,GAAG,CAAC,WAAW,IAAI,IAAI;QAC1C,YAAY,EAAO,GAAG,CAAC,YAAY,IAAI,IAAI;QAC3C,eAAe,EAAI,GAAG,CAAC,eAAe,IAAI,IAAI;QAC9C,iBAAiB,EAAE,GAAG,CAAC,iBAAiB,IAAI,IAAI;QAChD,UAAU,EAAS,GAAG,CAAC,UAAU,IAAI,IAAI;QACzC,cAAc,EAAK,GAAG,CAAC,cAAc,IAAI,IAAI;QAC7C,SAAS,EAAU,GAAG,CAAC,SAAS,IAAI,IAAI;KACzC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,gBAAgB,GAAmC;IAC9D,SAAS,EAAiB,uBAAuB;IACjD,cAAc,EAAY,2BAA2B;IACrD,iBAAiB,EAAS,8BAA8B;IACxD,wBAAwB,EAAE,+BAA+B;CAC1D,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,IAAI,EAAE,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,18 @@
+/**
+ * @algovoi/audit-verifier
+ *
+ * TypeScript reference verifier for AlgoVoi selective-disclosure audit
+ * bundles. Byte-for-byte parity with the Python sibling
+ * algovoi-audit-verifier (PyPI).
+ *
+ * The hosted version is at https://verify.algovoi.co.uk; the offline /
+ * embedded version is this package.
+ */
+export { canonicalize, canonicaliseToBytes, sha256Hex, sha256JcsHex, } from './canonicalize.js';
+export { FIELD_EXTRACTORS, KNOWN_CHAIN_NAMES } from './extractors.js';
+export { CheckReport } from './check-report.js';
+export { checkPerRowContentHash, checkContinuity, checkBundleSignature, checkSelectionCriteriaMatch, checkOffVmAnchor, parseObjectKeyShaPrefix, } from './checks.js';
+export { verifyBundle, SUPPORTED_CHAIN_FORMAT_VERSIONS } from './verify.js';
+export { buildDemoBundle } from './demo.js';
+export type { AuditBundle, AuditRow, BundleSignature, ChainAnchor, CheckEntry, CheckReportJSON, CheckResult, FieldExtractor, OffVmAnchor, SelectionCriteria, VerifyBundleOptions, } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,YAAY,EACZ,mBAAmB,EACnB,SAAS,EACT,YAAY,GACb,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACtE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,oBAAoB,EACpB,2BAA2B,EAC3B,gBAAgB,EAChB,uBAAuB,GACxB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,YAAY,EAAE,+BAA+B,EAAE,MAAM,aAAa,CAAC;AAC5E,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAE5C,YAAY,EACV,WAAW,EACX,QAAQ,EACR,eAAe,EACf,WAAW,EACX,UAAU,EACV,eAAe,EACf,WAAW,EACX,cAAc,EACd,WAAW,EACX,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,17 @@
+/**
+ * @algovoi/audit-verifier
+ *
+ * TypeScript reference verifier for AlgoVoi selective-disclosure audit
+ * bundles. Byte-for-byte parity with the Python sibling
+ * algovoi-audit-verifier (PyPI).
+ *
+ * The hosted version is at https://verify.algovoi.co.uk; the offline /
+ * embedded version is this package.
+ */
+export { canonicalize, canonicaliseToBytes, sha256Hex, sha256JcsHex, } from './canonicalize.js';
+export { FIELD_EXTRACTORS, KNOWN_CHAIN_NAMES } from './extractors.js';
+export { CheckReport } from './check-report.js';
+export { checkPerRowContentHash, checkContinuity, checkBundleSignature, checkSelectionCriteriaMatch, checkOffVmAnchor, parseObjectKeyShaPrefix, } from './checks.js';
+export { verifyBundle, SUPPORTED_CHAIN_FORMAT_VERSIONS } from './verify.js';
+export { buildDemoBundle } from './demo.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,YAAY,EACZ,mBAAmB,EACnB,SAAS,EACT,YAAY,GACb,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACtE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,oBAAoB,EACpB,2BAA2B,EAC3B,gBAAgB,EAChB,uBAAuB,GACxB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,YAAY,EAAE,+BAA+B,EAAE,MAAM,aAAa,CAAC;AAC5E,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Public type surface for the audit-verifier.
+ */
+export type AuditRow = Record<string, unknown>;
+export type FieldExtractor = (row: AuditRow) => Record<string, unknown>;
+export interface BundleSignature {
+    hex: string;
+    algorithm?: string;
+    canonicalisation?: string;
+    key_id?: string;
+}
+export interface OffVmAnchor {
+    bucket_name?: string;
+    object_key?: string;
+    region?: string;
+    object_lock_until?: string;
+}
+export interface ChainAnchor {
+    current_head?: {
+        chain_position?: number;
+        content_hash?: string;
+    };
+}
+export interface SelectionCriteria {
+    [key: string]: unknown;
+    since?: string;
+    until?: string;
+}
+export interface BridgingMeta {
+    included?: boolean;
+}
+export interface AuditBundle {
+    chain_format_version?: number;
+    chain_name?: string;
+    rows?: AuditRow[];
+    bridging_rows?: AuditRow[];
+    bridging?: BridgingMeta;
+    bundle_signature?: BundleSignature | null;
+    off_vm_anchor?: OffVmAnchor;
+    chain_anchor?: ChainAnchor;
+    selection_criteria?: SelectionCriteria;
+    [key: string]: unknown;
+}
+export type CheckResult = 'ok' | 'fail' | 'skip';
+export interface CheckEntry {
+    name: string;
+    passed: boolean | null;
+    detail: string;
+}
+export interface VerifyBundleOptions {
+    signingKey?: string | null;
+    manifestDir?: string | null;
+}
+export interface CheckReportJSON {
+    all_passed: boolean;
+    fatal: string[];
+    checks: CheckEntry[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAE/C,MAAM,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,QAAQ,KAAK,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAExE,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,WAAW;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,WAAW;IAC1B,YAAY,CAAC,EAAE;QACb,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;CACH;AAED,MAAM,WAAW,iBAAiB;IAChC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,QAAQ,EAAE,CAAC;IAClB,aAAa,CAAC,EAAE,QAAQ,EAAE,CAAC;IAC3B,QAAQ,CAAC,EAAE,YAAY,CAAC;IACxB,gBAAgB,CAAC,EAAE,eAAe,GAAG,IAAI,CAAC;IAC1C,aAAa,CAAC,EAAE,WAAW,CAAC;IAC5B,YAAY,CAAC,EAAE,WAAW,CAAC;IAC3B,kBAAkB,CAAC,EAAE,iBAAiB,CAAC;IACvC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,MAAM,WAAW,GAAG,IAAI,GAAG,MAAM,GAAG,MAAM,CAAC;AAEjD,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,GAAG,IAAI,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,OAAO,CAAC;IACpB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,MAAM,EAAE,UAAU,EAAE,CAAC;CACtB"}

package/dist/types.js

@@ -0,0 +1,5 @@
+/**
+ * Public type surface for the audit-verifier.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/verify.d.ts

@@ -0,0 +1,10 @@
+/**
+ * verifyBundle -- run all checks against a parsed bundle, return CheckReport.
+ *
+ * Behaviour byte-for-byte parity with the Python sibling verify_bundle().
+ */
+import { CheckReport } from './check-report.js';
+import type { AuditBundle, VerifyBundleOptions } from './types.js';
+export declare const SUPPORTED_CHAIN_FORMAT_VERSIONS: Set<number>;
+export declare function verifyBundle(bundle: AuditBundle, options?: VerifyBundleOptions): Promise<CheckReport>;
+//# sourceMappingURL=verify.d.ts.map

package/dist/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAShD,OAAO,KAAK,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEnE,eAAO,MAAM,+BAA+B,aAAuB,CAAC;AAEpE,wBAAsB,YAAY,CAChC,MAAM,EAAE,WAAW,EACnB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,WAAW,CAAC,CA4CtB"}

package/dist/verify.js

@@ -0,0 +1,44 @@
+/**
+ * verifyBundle -- run all checks against a parsed bundle, return CheckReport.
+ *
+ * Behaviour byte-for-byte parity with the Python sibling verify_bundle().
+ */
+import { CheckReport } from './check-report.js';
+import { checkPerRowContentHash, checkContinuity, checkBundleSignature, checkSelectionCriteriaMatch, checkOffVmAnchor, } from './checks.js';
+import { KNOWN_CHAIN_NAMES } from './extractors.js';
+export const SUPPORTED_CHAIN_FORMAT_VERSIONS = new Set([1]);
+export async function verifyBundle(bundle, options = {}) {
+    const report = new CheckReport();
+    // Version check first.
+    const version = bundle.chain_format_version;
+    if (version === undefined || version === null) {
+        report.addFatal("bundle is missing required field 'chain_format_version' " +
+            '-- bundle is malformed or was not emitted by AlgoVoi');
+        return report;
+    }
+    if (!SUPPORTED_CHAIN_FORMAT_VERSIONS.has(version)) {
+        const supported = Array.from(SUPPORTED_CHAIN_FORMAT_VERSIONS).sort();
+        report.addFatal(`bundle.chain_format_version=${JSON.stringify(version)} is not supported by ` +
+            `this verifier (supported: ${JSON.stringify(supported)}). ` +
+            'Pull a fresh verifier from https://github.com/chopmob-cloud/algovoi-audit-verifier ' +
+            '-- running an older verifier against a newer bundle risks a false PASS.');
+        return report;
+    }
+    const chainName = bundle.chain_name;
+    if (!chainName || !KNOWN_CHAIN_NAMES.includes(chainName)) {
+        report.addFatal(`bundle.chain_name='${chainName}' is not recognised ` +
+            `(expected one of: ${JSON.stringify(KNOWN_CHAIN_NAMES)})`);
+        return report;
+    }
+    if (!('rows' in bundle)) {
+        report.addFatal("bundle is missing required field 'rows'");
+        return report;
+    }
+    checkPerRowContentHash(bundle, report);
+    checkContinuity(bundle, report);
+    checkSelectionCriteriaMatch(bundle, report);
+    checkBundleSignature(bundle, options.signingKey ?? null, report);
+    await checkOffVmAnchor(bundle, options.manifestDir ?? null, report);
+    return report;
+}
+//# sourceMappingURL=verify.js.map

package/dist/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,oBAAoB,EACpB,2BAA2B,EAC3B,gBAAgB,GACjB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAGpD,MAAM,CAAC,MAAM,+BAA+B,GAAG,IAAI,GAAG,CAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAEpE,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAmB,EACnB,UAA+B,EAAE;IAEjC,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;IAEjC,uBAAuB;IACvB,MAAM,OAAO,GAAG,MAAM,CAAC,oBAAoB,CAAC;IAC5C,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QAC9C,MAAM,CAAC,QAAQ,CACb,0DAA0D;YAC1D,sDAAsD,CACvD,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IAAI,CAAC,+BAA+B,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QAClD,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC,IAAI,EAAE,CAAC;QACrE,MAAM,CAAC,QAAQ,CACb,+BAA+B,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,uBAAuB;YAC7E,6BAA6B,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,KAAK;YAC3D,qFAAqF;YACrF,yEAAyE,CAC1E,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC;IACpC,IAAI,CAAC,SAAS,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACzD,MAAM,CAAC,QAAQ,CACb,sBAAsB,SAAS,sBAAsB;YACrD,qBAAqB,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAC,GAAG,CAC1D,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,CAAC,CAAC,MAAM,IAAI,MAAM,CAAC,EAAE,CAAC;QACxB,MAAM,CAAC,QAAQ,CAAC,yCAAyC,CAAC,CAAC;QAC3D,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,sBAAsB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACvC,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,2BAA2B,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5C,oBAAoB,CAAC,MAAM,EAAE,OAAO,CAAC,UAAU,IAAI,IAAI,EAAE,MAAM,CAAC,CAAC;IACjE,MAAM,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,WAAW,IAAI,IAAI,EAAE,MAAM,CAAC,CAAC;IAEpE,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/package.json

@@ -0,0 +1,64 @@
+{
+  "name": "@algovoi/audit-verifier",
+  "version": "0.1.0",
+  "description": "Standalone reference verifier for AlgoVoi selective-disclosure audit bundles. TypeScript port; byte-for-byte parity with the Python algovoi-audit-verifier.",
+  "keywords": [
+    "algovoi",
+    "audit",
+    "verifier",
+    "jcs",
+    "rfc8785",
+    "hash-chain",
+    "compliance",
+    "agentic-payments"
+  ],
+  "homepage": "https://verify.algovoi.co.uk",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/chopmob-cloud/algovoi-audit-verifier.git",
+    "directory": "typescript"
+  },
+  "bugs": {
+    "url": "https://github.com/chopmob-cloud/algovoi-audit-verifier/issues"
+  },
+  "license": "MIT",
+  "author": "AlgoVoi <chopmob@gmail.com>",
+  "type": "module",
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist/**/*",
+    "src/**/*",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "clean": "rimraf dist",
+    "prepublishOnly": "npm run clean && npm run build && npm test"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "dependencies": {
+    "canonicalize": "^3.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "rimraf": "^5.0.0",
+    "typescript": "^5.4.0",
+    "vitest": "^1.6.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/src/canonicalize.ts

@@ -0,0 +1,29 @@
+/**
+ * Canonicalisation wrapper for the audit verifier.
+ *
+ * Uses RFC 8785 JCS via the `canonicalize` npm package, byte-for-byte
+ * equivalent to the Python `rfc8785` package used by the sibling
+ * algovoi-audit-verifier (Python).
+ */
+import canonicalizeLib from 'canonicalize';
+import { createHash } from 'node:crypto';
+
+export function canonicalize(obj: unknown): string {
+  const out = canonicalizeLib(obj);
+  if (out === undefined) {
+    throw new Error('canonicalize returned undefined (input not JCS-canonicalisable)');
+  }
+  return out;
+}
+
+export function canonicaliseToBytes(obj: unknown): Buffer {
+  return Buffer.from(canonicalize(obj), 'utf-8');
+}
+
+export function sha256Hex(bytes: Buffer | string): string {
+  return createHash('sha256').update(bytes).digest('hex');
+}
+
+export function sha256JcsHex(obj: unknown): string {
+  return sha256Hex(canonicaliseToBytes(obj));
+}

package/src/check-report.ts

@@ -0,0 +1,58 @@
+/**
+ * CheckReport — aggregates individual check results into a single
+ * PASS / FAIL summary. Byte-for-byte equivalent to the Python sibling's
+ * CheckReport class.
+ */
+import type { CheckEntry, CheckReportJSON } from './types.js';
+
+export class CheckReport {
+  readonly checks: CheckEntry[] = [];
+  readonly fatal: string[] = [];
+
+  add(name: string, passed: boolean, detail = ''): void {
+    this.checks.push({ name, passed, detail });
+  }
+
+  addSkip(name: string, reason: string): void {
+    this.checks.push({ name, passed: null, detail: `skipped: ${reason}` });
+  }
+
+  addFatal(msg: string): void {
+    this.fatal.push(msg);
+  }
+
+  get allPassed(): boolean {
+    if (this.fatal.length > 0) return false;
+    return this.checks.every((c) => c.passed !== false);
+  }
+
+  get hasFatal(): boolean {
+    return this.fatal.length > 0;
+  }
+
+  toJSON(): CheckReportJSON {
+    return {
+      all_passed: this.allPassed,
+      fatal:      this.fatal.slice(),
+      checks:     this.checks.map((c) => ({ ...c })),
+    };
+  }
+
+  render(): string {
+    const lines: string[] = [];
+    if (this.fatal.length > 0) {
+      lines.push('FATAL:');
+      for (const f of this.fatal) lines.push(`  ! ${f}`);
+      return lines.join('\n');
+    }
+    for (const c of this.checks) {
+      const mark = c.passed === true ? '  ok' : c.passed === false ? 'FAIL' : 'skip';
+      let line = `  [${mark}] ${c.name}`;
+      if (c.detail) line += ` -- ${c.detail}`;
+      lines.push(line);
+    }
+    const verdict = this.allPassed ? 'PASS' : 'FAIL';
+    lines.push(`\nVerdict: ${verdict}`);
+    return lines.join('\n');
+  }
+}