@motebit/verifier 1.4.0 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -0
- package/dist/index.d.ts +2 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +14 -0
- package/dist/index.js.map +1 -1
- package/package.json +3 -3
package/README.md
CHANGED
|
@@ -47,6 +47,8 @@ This package wraps the dispatcher with `verifyFile` (path → result), `verifyAr
|
|
|
47
47
|
|
|
48
48
|
It also re-exports **`verifyApprovalDecision`** from `@motebit/crypto` — the "approve" governance band's signed human-consent artifact (`ApprovalDecision`). Unlike the auto-detected artifact types above, an `ApprovalDecision` is verified explicitly against a **pinned approver key** (it carries no `motebit_id → key` binding, so verifying against its own embedded key is circular). See [the governance-triad guide](https://docs.motebit.com/docs/developer/governance-triad) for where a verified decision sits on the binding ladder.
|
|
49
49
|
|
|
50
|
+
For the same reason — authority is the scope/chain, not a `motebit_id → key` ladder resolvable from the artifact alone — the **delegation family** is also re-exported as explicit verifiers (not auto-detected): **`verifyDelegation`** (a standalone or per-tick `DelegationToken`), **`verifyStandingDelegation`** (a standing grant: signature, activation, expiry, and an injected revocation seam), **`verifyTokenAgainstGrant`** (a per-tick token IS a valid tick of its grant — scope narrows, TTL bounded, grant not revoked), and **`verifyDelegationRevocation`** (a revocation's signature; the caller binds it to the grant). A standing grant's revocation check is the consumer's responsibility — the verifiers are I/O-free and cannot fetch a feed — so **`findGrantRevocation`** does that check correctly: it returns the revocation that authoritatively revokes a grant from a candidate set, binding on `grant_id` **and** the grant's `delegator_public_key` **and** a valid signature, so matching `grant_id` alone (the foot-gun) cannot spoof a revocation. Build the `verifyStandingDelegation` `isRevoked` seam from it. This lets a consumer validate a standing monitor's authorization root, every tick token, and revocation through this package alone. See [`standing-delegation@1.0`](https://github.com/motebit/motebit/blob/main/spec/standing-delegation-v1.md).
|
|
51
|
+
|
|
50
52
|
## Guarantees
|
|
51
53
|
|
|
52
54
|
- **No network.** Verification runs entirely offline. No relay calls, no DID resolution over the wire.
|
package/dist/index.d.ts
CHANGED
|
@@ -34,5 +34,6 @@
|
|
|
34
34
|
export { verifyFile, verifyArtifact, verifySkillDirectory, formatHuman } from "./lib.js";
|
|
35
35
|
export type { VerifyFileOptions, VerifyResultWithBinding } from "./lib.js";
|
|
36
36
|
export { verifyApprovalDecision } from "@motebit/crypto";
|
|
37
|
-
export
|
|
37
|
+
export { verifyDelegation, verifyStandingDelegation, verifyTokenAgainstGrant, verifyDelegationRevocation, findGrantRevocation, } from "@motebit/crypto";
|
|
38
|
+
export type { VerifyResult, ArtifactType, SkillVerifyResult, SkillFileVerifyResult, ApprovalDecision, DelegationToken, StandingDelegation, DelegationRevocation, } from "@motebit/crypto";
|
|
38
39
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACzF,YAAY,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAC;AAO3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACzF,YAAY,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAC;AAO3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAczD,OAAO,EACL,gBAAgB,EAChB,wBAAwB,EACxB,uBAAuB,EACvB,0BAA0B,EAC1B,mBAAmB,GACpB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,YAAY,EACZ,YAAY,EACZ,iBAAiB,EACjB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,iBAAiB,CAAC"}
|
package/dist/index.js
CHANGED
|
@@ -39,4 +39,18 @@ export { verifyFile, verifyArtifact, verifySkillDirectory, formatHuman } from ".
|
|
|
39
39
|
// ladder — see docs/developer/governance-triad.mdx); it is verified explicitly
|
|
40
40
|
// against a pinned approver key, never against its own embedded key alone.
|
|
41
41
|
export { verifyApprovalDecision } from "@motebit/crypto";
|
|
42
|
+
// The delegation family (delegation@1.0 + standing-delegation@1.0). Like
|
|
43
|
+
// `verifyApprovalDecision`, these are NOT auto-detected artifact types: a
|
|
44
|
+
// delegation's authority is the scope/chain + (for a standing grant) the
|
|
45
|
+
// signed revocation feed, not a `motebit_id → key` binding ladder resolvable
|
|
46
|
+
// from the artifact alone. They are verified explicitly. Re-exported here so a
|
|
47
|
+
// consumer already pinning `@motebit/verifier` can validate a standing
|
|
48
|
+
// monitor's authorization root, every per-tick token (against its grant), and
|
|
49
|
+
// a revocation without adding `@motebit/crypto` as a second dependency.
|
|
50
|
+
// - verifyDelegation — a standalone or per-tick token's own signature + expiry
|
|
51
|
+
// - verifyStandingDelegation — the grant (signature, activation, expiry, injected revocation seam)
|
|
52
|
+
// - verifyTokenAgainstGrant — a per-tick token IS a valid tick of its grant
|
|
53
|
+
// - verifyDelegationRevocation — a revocation's signature (caller binds it to the grant)
|
|
54
|
+
// - findGrantRevocation — the consumer-side revocation check done right (binds revocation→grant; build `isRevoked` from it)
|
|
55
|
+
export { verifyDelegation, verifyStandingDelegation, verifyTokenAgainstGrant, verifyDelegationRevocation, findGrantRevocation, } from "@motebit/crypto";
|
|
42
56
|
//# sourceMappingURL=index.js.map
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAEzF,6EAA6E;AAC7E,6EAA6E;AAC7E,oFAAoF;AACpF,8EAA8E;AAC9E,+EAA+E;AAC/E,2EAA2E;AAC3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAEzF,6EAA6E;AAC7E,6EAA6E;AAC7E,oFAAoF;AACpF,8EAA8E;AAC9E,+EAA+E;AAC/E,2EAA2E;AAC3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACzD,yEAAyE;AACzE,0EAA0E;AAC1E,yEAAyE;AACzE,6EAA6E;AAC7E,+EAA+E;AAC/E,uEAAuE;AACvE,8EAA8E;AAC9E,wEAAwE;AACxE,0FAA0F;AAC1F,sGAAsG;AACtG,gFAAgF;AAChF,2FAA2F;AAC3F,oIAAoI;AACpI,OAAO,EACL,gBAAgB,EAChB,wBAAwB,EACxB,uBAAuB,EACvB,0BAA0B,EAC1B,mBAAmB,GACpB,MAAM,iBAAiB,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@motebit/verifier",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.5.0",
|
|
4
4
|
"description": "Apache-2.0 library for verifying signed Motebit artifacts (identity files, execution receipts, credentials, presentations) — file-reading and human-formatting helpers on top of @motebit/crypto. The canonical `motebit-verify` CLI now lives at @motebit/verify; this package is the Apache-2.0 library it sits on.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./dist/index.js",
|
|
@@ -54,8 +54,8 @@
|
|
|
54
54
|
]
|
|
55
55
|
},
|
|
56
56
|
"dependencies": {
|
|
57
|
-
"@motebit/crypto": "3.
|
|
58
|
-
"@motebit/protocol": "3.
|
|
57
|
+
"@motebit/crypto": "3.5.0",
|
|
58
|
+
"@motebit/protocol": "3.2.0"
|
|
59
59
|
},
|
|
60
60
|
"devDependencies": {
|
|
61
61
|
"@noble/ed25519": "~3.1.0",
|