@motebit/verifier 1.0.0

package/LICENSE

@@ -0,0 +1,206 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for describing the origin of the Work and
+      reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Motebit, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+"Motebit" is a trademark of Motebit, Inc. The Apache License grants rights to
+this software, not to any Motebit trademarks, logos, or branding. You may not
+use Motebit branding in a way that suggests endorsement or affiliation without
+written permission.

package/NOTICE

@@ -0,0 +1,19 @@
+Motebit
+Copyright 2026 Motebit, Inc.
+
+This product includes software developed at Motebit, Inc. (https://motebit.com).
+
+The permissive-floor packages (the protocol, SDK, cryptographic primitives,
+platform-attestation verifier leaves, scaffolding CLI, and GitHub Action) are
+licensed under the Apache License, Version 2.0. See LICENSE files in each
+`packages/*/` subdirectory and in `spec/` for the full license text.
+
+The remaining packages, apps, and services are licensed under the Business
+Source License 1.1 and convert to the Apache License, Version 2.0 four years
+after each version's first public release. See `LICENSE` at the repository
+root and `LICENSING.md` for the full license boundary.
+
+"Motebit" is a trademark of Motebit, Inc. The licenses granted here cover
+this software only, not Motebit trademarks, logos, or branding. Use of
+Motebit branding in a way that suggests endorsement or affiliation requires
+written permission.

package/README.md

@@ -0,0 +1,82 @@
+# @motebit/verifier
+
+Offline third-party verifier for every signed Motebit artifact.
+
+```bash
+npm i -g @motebit/verifier
+motebit-verify motebit.md
+```
+
+Outputs
+
+```
+VALID (identity)
+  did:  did:motebit:01234567-...
+  name: my-agent
+```
+
+Zero relay contact. Zero network. The signer's public key is embedded in the artifact or derivable from it; verification is pure crypto against committed wire formats.
+
+## Why this exists
+
+Motebit's moat is the **self-signing body**: every action the agent takes emits a signed receipt that any third party can verify without running the motebit. This package is the smallest public surface of that promise — a CLI and a library that together answer _"is this signed artifact authentic, and what does it claim?"_
+
+## What it verifies
+
+The unified `verify()` dispatcher in [`@motebit/crypto`](https://www.npmjs.com/package/@motebit/crypto) auto-detects and verifies:
+
+- **identity** — `motebit.md` (YAML frontmatter + content + Ed25519 signature)
+- **receipt** — `ExecutionReceipt` (task ID, tools used, prompt/result hashes, signature)
+- **credential** — W3C-style Verifiable Credentials
+- **presentation** — W3C-style Verifiable Presentations
+
+## Usage
+
+```
+motebit-verify <file> [options]
+
+  --json                    Print structured JSON instead of human.
+  --expect <type>           Pin expected type: identity | receipt | credential | presentation.
+  --clock-skew <seconds>    Allowance for credential/presentation time bounds.
+  -h, --help
+  -V, --version
+```
+
+### Exit codes
+
+| Code | Meaning                                             |
+| ---- | --------------------------------------------------- |
+| `0`  | Artifact verified                                   |
+| `1`  | Artifact invalid (bad signature, expired, mismatch) |
+| `2`  | Usage or I/O error                                  |
+
+POSIX-friendly — chain into CI gates, `make` targets, `git` hooks.
+
+### Library
+
+```ts
+import { verifyFile } from "@motebit/verifier";
+
+const result = await verifyFile("./receipt.json");
+if (result.valid) console.log(`receipt signed by ${result.receipt?.signer}`);
+```
+
+## Guarantees
+
+- **No network.** Verification runs entirely offline. No relay calls, no DID resolution over the wire.
+- **No dependencies beyond `@motebit/crypto`.** Every dependency is a trust attack surface we'd have to re-audit on every upgrade.
+- **Suite-agile.** New signature suites (post-quantum, future) are registry additions, not CLI changes — `@motebit/crypto`'s `verifyBySuite` dispatches for us.
+
+## Related
+
+- [`@motebit/crypto`](https://www.npmjs.com/package/@motebit/crypto) — the verification primitives this package wraps (Apache-2.0, zero deps)
+- [`@motebit/protocol`](https://www.npmjs.com/package/@motebit/protocol) — protocol types for the artifacts being verified (Apache-2.0, zero deps)
+- [`@motebit/sdk`](https://www.npmjs.com/package/@motebit/sdk) — developer contract for building Motebit-powered agents
+- [`create-motebit`](https://www.npmjs.com/package/create-motebit) — scaffold a signed agent identity
+- [`motebit`](https://www.npmjs.com/package/motebit) — reference runtime and operator console
+
+## License
+
+Apache-2.0 — see [LICENSE](./LICENSE).
+
+"Motebit" is a trademark. The Apache License grants rights to this software, not to any Motebit trademarks, logos, or branding. You may not use Motebit branding in a way that suggests endorsement or affiliation without written permission.

package/dist/index.d.ts

@@ -0,0 +1,37 @@
+/**
+ * @motebit/verifier — Apache-2.0 permissive-floor library for verifying every
+ * signed Motebit artifact.
+ *
+ * The moat: anything a motebit signs (identity file, execution receipt,
+ * credential, presentation) is third-party verifiable with only this
+ * package and the signer's public key — no relay contact, no motebit
+ * runtime, no network. This module is the smallest public library
+ * surface of that promise.
+ *
+ * Library-only as of v1.0. The `motebit-verify` CLI moved to the BSL
+ * `@motebit/verify` package, which layers bundled hardware-attestation
+ * adapters (Apple App Attest, TPM 2.0, Google Play Integrity, WebAuthn)
+ * on top of this library. The split mirrors long-lived tool lineages
+ * like `git` / `libgit2` or `cargo` / `tokio`: permissive-floor library
+ * underneath, BSL verb-named CLI on top. Third parties building
+ * permissive-floor-only verifiers compose this package and
+ * `@motebit/crypto` freely — Apache-2.0 carries an explicit patent grant.
+ *
+ * Composition:
+ *
+ *   - `verifyFile(path, opts?)` — read an artifact off disk, detect its
+ *     kind, return the typed `VerifyResult` from `@motebit/crypto`.
+ *   - `verifyArtifact(content, opts?)` — same, but accept the artifact
+ *     already-loaded (string for identity, object or JSON string for
+ *     JSON artifacts).
+ *   - `formatHuman(result)` — render a `VerifyResult` as the
+ *     multi-line human-readable output a CLI would print.
+ *   - `VerifyFileOptions.hardwareAttestation` — optional injection of
+ *     platform-specific verifiers for `device_check` / `tpm` /
+ *     `play_integrity` / `webauthn` claims. Permissive-floor consumers can
+ *     supply their own; `@motebit/verify` wires the canonical bundle.
+ */
+export { verifyFile, verifyArtifact, formatHuman } from "./lib.js";
+export type { VerifyFileOptions } from "./lib.js";
+export type { VerifyResult, ArtifactType } from "@motebit/crypto";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACnE,YAAY,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAClD,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/index.js

@@ -0,0 +1,35 @@
+/**
+ * @motebit/verifier — Apache-2.0 permissive-floor library for verifying every
+ * signed Motebit artifact.
+ *
+ * The moat: anything a motebit signs (identity file, execution receipt,
+ * credential, presentation) is third-party verifiable with only this
+ * package and the signer's public key — no relay contact, no motebit
+ * runtime, no network. This module is the smallest public library
+ * surface of that promise.
+ *
+ * Library-only as of v1.0. The `motebit-verify` CLI moved to the BSL
+ * `@motebit/verify` package, which layers bundled hardware-attestation
+ * adapters (Apple App Attest, TPM 2.0, Google Play Integrity, WebAuthn)
+ * on top of this library. The split mirrors long-lived tool lineages
+ * like `git` / `libgit2` or `cargo` / `tokio`: permissive-floor library
+ * underneath, BSL verb-named CLI on top. Third parties building
+ * permissive-floor-only verifiers compose this package and
+ * `@motebit/crypto` freely — Apache-2.0 carries an explicit patent grant.
+ *
+ * Composition:
+ *
+ *   - `verifyFile(path, opts?)` — read an artifact off disk, detect its
+ *     kind, return the typed `VerifyResult` from `@motebit/crypto`.
+ *   - `verifyArtifact(content, opts?)` — same, but accept the artifact
+ *     already-loaded (string for identity, object or JSON string for
+ *     JSON artifacts).
+ *   - `formatHuman(result)` — render a `VerifyResult` as the
+ *     multi-line human-readable output a CLI would print.
+ *   - `VerifyFileOptions.hardwareAttestation` — optional injection of
+ *     platform-specific verifiers for `device_check` / `tpm` /
+ *     `play_integrity` / `webauthn` claims. Permissive-floor consumers can
+ *     supply their own; `@motebit/verify` wires the canonical bundle.
+ */
+export { verifyFile, verifyArtifact, formatHuman } from "./lib.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC"}

package/dist/lib.d.ts

@@ -0,0 +1,73 @@
+/**
+ * Library core — thin wrapper over `@motebit/crypto`'s unified `verify()`
+ * dispatcher with file-reading + human-rendering helpers. No state, no
+ * side effects beyond filesystem reads you requested.
+ *
+ * Supported artifact kinds (auto-detected by `@motebit/crypto`):
+ *   - `identity`    — `motebit.md` identity file with YAML frontmatter
+ *   - `receipt`     — signed `ExecutionReceipt` JSON
+ *   - `credential`  — W3C-style `VerifiableCredential` JSON
+ *   - `presentation`— `VerifiablePresentation` JSON
+ *
+ * Error handling: file I/O errors throw (caller decides how to surface).
+ * Parse / signature errors are returned as `valid: false` results so the
+ * caller can render a structured reason instead of catching exceptions.
+ */
+import { type ArtifactType, type HardwareAttestationVerifiers, type VerifyResult } from "@motebit/crypto";
+export interface VerifyFileOptions {
+    /**
+     * Pin the expected artifact type. When set, detection must match or
+     * the result is `valid: false` with an explanatory error. Useful in
+     * CI where you want to reject a credential passed into a
+     * receipt-verification step.
+     */
+    readonly expectedType?: ArtifactType;
+    /**
+     * Clock skew allowance (seconds) for credential / presentation
+     * time-bounded fields (`issuanceDate`, `expirationDate`, etc.).
+     * Forwarded to `@motebit/crypto`. Defaults to the crypto package's
+     * default.
+     */
+    readonly clockSkewSeconds?: number;
+    /**
+     * Optional platform-specific hardware-attestation verifiers. Forwarded
+     * through to `@motebit/crypto::verify` so credentials carrying a
+     * `hardware_attestation` claim for `device_check` / `tpm` /
+     * `play_integrity` / `webauthn` can be verified end-to-end. Leaving
+     * this unset keeps the permissive-floor path fail-closed —
+     * hardware-attested credentials still verify their Ed25519 proof, but the
+     * `hardware_attestation` channel reports `adapter not yet shipped`
+     * (the expected permissive-floor-only behavior). The BSL companion CLI
+     * `@motebit/verify` wires all four leaves automatically.
+     */
+    readonly hardwareAttestation?: HardwareAttestationVerifiers;
+}
+/**
+ * Verify an artifact read from disk. Auto-detects type via content
+ * inspection in `@motebit/crypto`.
+ */
+export declare function verifyFile(path: string, opts?: VerifyFileOptions): Promise<VerifyResult>;
+/**
+ * Verify an already-loaded artifact. Accepts a JSON string, an
+ * already-parsed object, or a `motebit.md` identity string.
+ */
+export declare function verifyArtifact(content: string | object, opts?: VerifyFileOptions): Promise<VerifyResult>;
+/**
+ * Render a `VerifyResult` as the CLI's default human-readable block.
+ * `--json` bypasses this and prints the raw result directly.
+ *
+ * Layout:
+ *   ```
+ *   VALID (receipt)
+ *     signer: did:motebit:...
+ *     id:     rcpt_01JZN...
+ *   ```
+ * or
+ *   ```
+ *   INVALID (credential)
+ *     - credentialSubject.id missing
+ *     - signature mismatch
+ *   ```
+ */
+export declare function formatHuman(result: VerifyResult): string;
+//# sourceMappingURL=lib.d.ts.map

package/dist/lib.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lib.d.ts","sourceRoot":"","sources":["../src/lib.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAIH,OAAO,EAEL,KAAK,YAAY,EACjB,KAAK,4BAA4B,EACjC,KAAK,YAAY,EAElB,MAAM,iBAAiB,CAAC;AAEzB,MAAM,WAAW,iBAAiB;IAChC;;;;;OAKG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IACrC;;;;;OAKG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,mBAAmB,CAAC,EAAE,4BAA4B,CAAC;CAC7D;AAED;;;GAGG;AACH,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,iBAAiB,GAAG,OAAO,CAAC,YAAY,CAAC,CAG9F;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,OAAO,EAAE,MAAM,GAAG,MAAM,EACxB,IAAI,CAAC,EAAE,iBAAiB,GACvB,OAAO,CAAC,YAAY,CAAC,CAgBvB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,YAAY,GAAG,MAAM,CAqBxD"}

package/dist/lib.js

@@ -0,0 +1,146 @@
+/**
+ * Library core — thin wrapper over `@motebit/crypto`'s unified `verify()`
+ * dispatcher with file-reading + human-rendering helpers. No state, no
+ * side effects beyond filesystem reads you requested.
+ *
+ * Supported artifact kinds (auto-detected by `@motebit/crypto`):
+ *   - `identity`    — `motebit.md` identity file with YAML frontmatter
+ *   - `receipt`     — signed `ExecutionReceipt` JSON
+ *   - `credential`  — W3C-style `VerifiableCredential` JSON
+ *   - `presentation`— `VerifiablePresentation` JSON
+ *
+ * Error handling: file I/O errors throw (caller decides how to surface).
+ * Parse / signature errors are returned as `valid: false` results so the
+ * caller can render a structured reason instead of catching exceptions.
+ */
+import { readFile } from "node:fs/promises";
+import { verify, } from "@motebit/crypto";
+/**
+ * Verify an artifact read from disk. Auto-detects type via content
+ * inspection in `@motebit/crypto`.
+ */
+export async function verifyFile(path, opts) {
+    const content = await readFile(path, "utf-8");
+    return verifyArtifact(content, opts);
+}
+/**
+ * Verify an already-loaded artifact. Accepts a JSON string, an
+ * already-parsed object, or a `motebit.md` identity string.
+ */
+export function verifyArtifact(content, opts) {
+    const cryptoOpts = opts?.expectedType !== undefined ||
+        opts?.clockSkewSeconds !== undefined ||
+        opts?.hardwareAttestation !== undefined
+        ? {
+            ...(opts.expectedType !== undefined && { expectedType: opts.expectedType }),
+            ...(opts.clockSkewSeconds !== undefined && {
+                clockSkewSeconds: opts.clockSkewSeconds,
+            }),
+            ...(opts.hardwareAttestation !== undefined && {
+                hardwareAttestation: opts.hardwareAttestation,
+            }),
+        }
+        : undefined;
+    return verify(content, cryptoOpts);
+}
+/**
+ * Render a `VerifyResult` as the CLI's default human-readable block.
+ * `--json` bypasses this and prints the raw result directly.
+ *
+ * Layout:
+ *   ```
+ *   VALID (receipt)
+ *     signer: did:motebit:...
+ *     id:     rcpt_01JZN...
+ *   ```
+ * or
+ *   ```
+ *   INVALID (credential)
+ *     - credentialSubject.id missing
+ *     - signature mismatch
+ *   ```
+ */
+export function formatHuman(result) {
+    const header = `${result.valid ? "VALID" : "INVALID"} (${result.type})`;
+    const lines = [header];
+    if (result.valid) {
+        const summary = summarizeValid(result);
+        for (const [k, v] of summary) {
+            lines.push(`  ${k.padEnd(8)} ${v}`);
+        }
+    }
+    else {
+        const errs = "errors" in result && result.errors ? result.errors : [];
+        if (errs.length === 0) {
+            lines.push("  (no detail provided)");
+        }
+        else {
+            for (const e of errs) {
+                lines.push(`  - ${e.message}`);
+            }
+        }
+    }
+    return lines.join("\n");
+}
+function summarizeValid(result) {
+    switch (result.type) {
+        case "identity": {
+            if (!result.identity)
+                return [];
+            const out = [];
+            if (result.did)
+                out.push(["did:", result.did]);
+            if (result.identity.service_name) {
+                out.push(["name:", result.identity.service_name]);
+            }
+            out.push(["id:", result.identity.motebit_id]);
+            return out;
+        }
+        case "receipt": {
+            if (!result.receipt)
+                return [];
+            const out = [];
+            out.push(["task:", result.receipt.task_id]);
+            out.push(["motebit:", result.receipt.motebit_id]);
+            if (result.signer)
+                out.push(["signer:", result.signer]);
+            return out;
+        }
+        case "credential": {
+            if (!result.credential)
+                return [];
+            const out = [];
+            if (result.issuer)
+                out.push(["issuer:", result.issuer]);
+            if (result.subject)
+                out.push(["subject:", result.subject]);
+            if (result.expired !== undefined) {
+                out.push(["expired:", result.expired ? "yes" : "no"]);
+            }
+            // Hardware-attestation channel — shown only when the credential's
+            // subject declared a claim. Absent field = no line (no hardware
+            // claim was made, which is different from "fails"). Verifier CLI
+            // output is the user's only hook into this until a GUI surface
+            // grows one, so the line is terse but unambiguous.
+            if (result.hardware_attestation) {
+                const ha = result.hardware_attestation;
+                const status = ha.valid ? "✓" : "✗";
+                const platform = ha.platform ?? "unknown";
+                out.push(["hardware:", `${platform} ${status}`]);
+            }
+            return out;
+        }
+        case "presentation": {
+            if (!result.presentation)
+                return [];
+            const out = [];
+            if (result.holder)
+                out.push(["holder:", result.holder]);
+            if (result.credentials) {
+                out.push(["creds:", String(result.credentials.length)]);
+            }
+            return out;
+        }
+    }
+}
+//# sourceMappingURL=lib.js.map

package/dist/lib.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"lib.js","sourceRoot":"","sources":["../src/lib.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EACL,MAAM,GAKP,MAAM,iBAAiB,CAAC;AA+BzB;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,IAAY,EAAE,IAAwB;IACrE,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC9C,OAAO,cAAc,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAC5B,OAAwB,EACxB,IAAwB;IAExB,MAAM,UAAU,GACd,IAAI,EAAE,YAAY,KAAK,SAAS;QAChC,IAAI,EAAE,gBAAgB,KAAK,SAAS;QACpC,IAAI,EAAE,mBAAmB,KAAK,SAAS;QACrC,CAAC,CAAC;YACE,GAAG,CAAC,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;YAC3E,GAAG,CAAC,IAAI,CAAC,gBAAgB,KAAK,SAAS,IAAI;gBACzC,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;aACxC,CAAC;YACF,GAAG,CAAC,IAAI,CAAC,mBAAmB,KAAK,SAAS,IAAI;gBAC5C,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;aAC9C,CAAC;SACH;QACH,CAAC,CAAC,SAAS,CAAC;IAChB,OAAO,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;AACrC,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,WAAW,CAAC,MAAoB;IAC9C,MAAM,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC;IACxE,MAAM,KAAK,GAAa,CAAC,MAAM,CAAC,CAAC;IAEjC,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,OAAO,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;QACvC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,OAAO,EAAE,CAAC;YAC7B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,GAAG,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QACtE,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,KAAK,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gBACrB,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,cAAc,CAAC,MAAoB;IAC1C,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;QACpB,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAAE,OAAO,EAAE,CAAC;YAChC,MAAM,GAAG,GAAqC,EAAE,CAAC;YACjD,IAAI,MAAM,CAAC,GAAG;gBAAE,GAAG,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/C,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;gBACjC,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC;YACpD,CAAC;YACD,GAAG,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;YAC9C,OAAO,GAAG,CAAC;QACb,CAAC;QACD,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,OAAO;gBAAE,OAAO,EAAE,CAAC;YAC/B,MAAM,GAAG,GAAqC,EAAE,CAAC;YACjD,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;YAC5C,GAAG,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;YAClD,IAAI,MAAM,CAAC,MAAM;gBAAE,GAAG,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;YACxD,OAAO,GAAG,CAAC;QACb,CAAC;QACD,KAAK,YAAY,CAAC,CAAC,CAAC;YAClB,IAAI,CAAC,MAAM,CAAC,UAAU;gBAAE,OAAO,EAAE,CAAC;YAClC,MAAM,GAAG,GAAqC,EAAE,CAAC;YACjD,IAAI,MAAM,CAAC,MAAM;gBAAE,GAAG,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;YACxD,IAAI,MAAM,CAAC,OAAO;gBAAE,GAAG,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;YAC3D,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;gBACjC,GAAG,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;YACxD,CAAC;YACD,kEAAkE;YAClE,gEAAgE;YAChE,iEAAiE;YACjE,+DAA+D;YAC/D,mDAAmD;YACnD,IAAI,MAAM,CAAC,oBAAoB,EAAE,CAAC;gBAChC,MAAM,EAAE,GAAG,MAAM,CAAC,oBAAoB,CAAC;gBACvC,MAAM,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACpC,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,IAAI,SAAS,CAAC;gBAC1C,GAAG,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,GAAG,QAAQ,IAAI,MAAM,EAAE,CAAC,CAAC,CAAC;YACnD,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QACD,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,IAAI,CAAC,MAAM,CAAC,YAAY;gBAAE,OAAO,EAAE,CAAC;YACpC,MAAM,GAAG,GAAqC,EAAE,CAAC;YACjD,IAAI,MAAM,CAAC,MAAM;gBAAE,GAAG,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;YACxD,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;gBACvB,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC1D,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;IACH,CAAC;AACH,CAAC"}

package/package.json

@@ -0,0 +1,77 @@
+{
+  "name": "@motebit/verifier",
+  "version": "1.0.0",
+  "description": "Apache-2.0 library for verifying signed Motebit artifacts (identity files, execution receipts, credentials, presentations) — file-reading and human-formatting helpers on top of @motebit/crypto. The canonical `motebit-verify` CLI now lives at @motebit/verify; this package is the Apache-2.0 library it sits on.",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist/**/*.js",
+    "dist/**/*.js.map",
+    "dist/**/*.d.ts",
+    "dist/**/*.d.ts.map",
+    "LICENSE",
+    "NOTICE",
+    "README.md"
+  ],
+  "sideEffects": false,
+  "license": "Apache-2.0",
+  "keywords": [
+    "motebit",
+    "verify",
+    "library",
+    "ed25519",
+    "signature",
+    "receipt",
+    "credential",
+    "identity",
+    "offline",
+    "audit"
+  ],
+  "homepage": "https://github.com/motebit/motebit/tree/main/packages/verifier#readme",
+  "bugs": {
+    "url": "https://github.com/motebit/motebit/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/motebit/motebit",
+    "directory": "packages/verifier"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "motebit": {
+    "implements": [
+      "spec/identity-v1.md",
+      "spec/credential-v1.md"
+    ]
+  },
+  "dependencies": {
+    "@motebit/crypto": "1.0.0"
+  },
+  "devDependencies": {
+    "@noble/ed25519": "~3.0.1",
+    "@noble/hashes": "~1.6.0",
+    "@types/node": "^22.0.0",
+    "typescript": "^5.6.0",
+    "vitest": "^2.1.0"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "scripts": {
+    "build": "tsc -b",
+    "test": "vitest run",
+    "test:coverage": "vitest run --coverage",
+    "typecheck": "tsc --noEmit",
+    "lint": "eslint --parser-options=project:tsconfig.eslint.json src/",
+    "lint:pack": "publint --strict && attw --pack --profile esm-only",
+    "clean": "rm -rf dist .turbo *.tsbuildinfo"
+  }
+}