@atrib/verify 0.8.0 → 0.8.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/LICENSE +1 -1
  2. package/README.md +16 -2
  3. package/package.json +6 -3
package/LICENSE CHANGED
@@ -201,7 +201,7 @@
201
201
  See the License for the specific language governing permissions and
202
202
  limitations under the License.
203
203
 
204
- Copyright 2025-2026 Atrib contributors
204
+ Copyright 2025-2026 atrib contributors
205
205
 
206
206
  Licensed under the Apache License, Version 2.0 (the "License");
207
207
  you may not use this file except in compliance with the License.
package/README.md CHANGED
@@ -1,9 +1,17 @@
1
1
  # `@atrib/verify`
2
2
 
3
- **Independent verification for Atrib's verifiable action layer. Checks signed records, evidence blocks, handoff packets, and settlement documents. Re-runs the spec [§4.6](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#46-the-calculation-algorithm) calculation algorithm locally and checks the result against what a recommendation document claims. No trust in any intermediary required.**
3
+ **Independent verification for atrib's verifiable action layer. Checks signed records, evidence blocks, handoff packets, and settlement documents. Re-runs the spec [§4.6](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#46-the-calculation-algorithm) calculation algorithm locally and checks the result against what a recommendation document claims. No trust in any intermediary required.**
4
4
 
5
5
  This is the **verifier half** of the atrib protocol, used by merchants closing transactions, auditors checking agent activity, teams accepting handoffs, policy systems reviewing high-impact actions, regulators querying historical state, and any party that needs to validate atrib data independently. The agent and tool servers produce signed attribution records. The Merkle log stores them. This package answers the questions any verifier has to answer: _given the graph and the policy, is this distribution actually correct? Was this record actually signed by the key it claims? Did this action actually happen at the time it claims?_
6
6
 
7
+ ## Install
8
+
9
+ ```bash
10
+ pnpm add @atrib/verify
11
+ ```
12
+
13
+ Verify a local build with `pnpm --filter @atrib/verify test`.
14
+
7
15
  ## Quick start
8
16
 
9
17
  ```typescript
@@ -15,6 +23,8 @@ const verifier = new AtribVerifier({
15
23
  logEndpoint: 'https://log.atrib.dev/v1',
16
24
  })
17
25
 
26
+ // recommendationDoc is a §4.7 settlement RecommendationDocument produced by a
27
+ // calculator or merchant (signed distribution over record hashes).
18
28
  const result = await verifier.verify(recommendationDoc)
19
29
  // {
20
30
  // valid: true,
@@ -473,7 +483,7 @@ This is what makes verification possible: the merchant's local recalculation is
473
483
 
474
484
  Per the absolute invariant (also enforced in `@atrib/mcp` and `@atrib/agent`), atrib failures never break the host:
475
485
 
476
- - Missing or invalid `merchantKey` → constructor logs `atrib: ...` warning, `merchantPrivateKey = null`, no throw.
486
+ - Missing or invalid `merchantKey` → constructor logs an `atrib: ...` warning, sets `merchantPrivateKey = null`, and does not throw.
477
487
  - `verify()` errors during signature resolution, graph fetch, or calculation are caught and surfaced as `warnings: string[]` with `valid = false`.
478
488
  - `calculate({ signWith: 'merchant' })` with a missing key returns an unsigned document plus a warning, rather than throwing.
479
489
 
@@ -510,3 +520,7 @@ The full protocol spec is at [`atrib-spec.md`](https://github.com/creatornader/a
510
520
  ---
511
521
 
512
522
  > **A note on documentation links.** The atrib protocol repository is currently private (in-progress public preparation). Links in this README to the spec and sister packages (`atrib-spec.md`, `packages/agent/README.md`, etc.) point at `github.com/creatornader/atrib/blob/main/...` URLs that will resolve once the repository goes public. Until then, see [`atrib.dev`](https://atrib.dev) for the protocol overview.
523
+
524
+ ## Part of atrib
525
+
526
+ atrib is an open protocol for verifiable agent actions. Every action becomes a signed, chain-linked record that anyone can verify against a public Merkle log, with no operator to trust. This package is one entrypoint. See the [full package family](https://github.com/creatornader/atrib#packages) and the [protocol spec](https://github.com/creatornader/atrib/blob/main/atrib-spec.md).
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@atrib/verify",
3
- "version": "0.8.0",
3
+ "version": "0.8.2",
4
4
  "type": "module",
5
5
  "main": "./dist/index.js",
6
6
  "types": "./dist/index.d.ts",
@@ -13,10 +13,13 @@
13
13
  "files": [
14
14
  "dist"
15
15
  ],
16
- "description": "Verifier library for Atrib's verifiable action layer. Checks records, evidence, handoffs, graph derivation, and settlement documents.",
16
+ "description": "Verifier library for atrib's verifiable action layer. Checks records, evidence, handoffs, graph derivation, and settlement documents.",
17
17
  "author": "atrib <hello@atrib.dev>",
18
18
  "license": "Apache-2.0",
19
19
  "homepage": "https://atrib.dev",
20
+ "publishConfig": {
21
+ "access": "public"
22
+ },
20
23
  "keywords": [
21
24
  "mcp",
22
25
  "model-context-protocol",
@@ -33,7 +36,7 @@
33
36
  "@sd-jwt/sd-jwt-vc": "0.19.0",
34
37
  "canonicalize": "^3.0.0",
35
38
  "jose": "6.2.3",
36
- "@atrib/mcp": "0.19.0"
39
+ "@atrib/mcp": "0.19.1"
37
40
  },
38
41
  "devDependencies": {
39
42
  "@types/node": "^25.9.3",