@motebit/verifier 1.8.1 → 1.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -47,6 +47,8 @@ This package wraps the dispatcher with `verifyFile` (path → result), `verifyAr
47
47
 
48
48
  It also re-exports the structured-verdict surface from `@motebit/crypto`: **`verifyReceiptVerdict`** (a signed receipt → a `VerificationVerdict` whose independent axes — integrity, identityBinding, authority, revocation, temporalBasis, evidenceBasis, plus a first-class `repair` — cannot silently collapse to `true`; there is no top-level `valid` boolean to over-read), **`verifyDelegationTokenVerdict`** (a per-tick token against its standing grant — `authority` and `revocation` stay orthogonal, and `temporalMode` selects whether a clock-rollback is load-bearing), and **`isFullyVerified`** (the fail-closed collapse to a boolean: `true` only when every load-bearing axis passes — stricter than the legacy per-function booleans by design). See [`verify-family-fail-closed.md`](https://github.com/motebit/motebit/blob/main/docs/doctrine/verify-family-fail-closed.md).
49
49
 
50
+ It also re-exports **`verifyEvidenceProvenance`** — the law that re-checks a verdict's `evidenceBasis` down to the primary record (verifiable-locality extended from signatures to _evidence_). A verdict's `EvidenceRef` may carry optional `provenance`; this law confirms the named `span` is an exact substring of `projection(bytes)` where the bytes content-address to `digest` — re-verifiable **presence**, never truth, with no oracle (a fabricated figure cannot be placed into a content-addressed record). The projection recipe is an _injected, app-owned_ seam: absent ⇒ the span is located over the raw bytes directly (re-verifiable by construction); present with no resolver ⇒ it fails closed (`projection_unresolved`), so motebit never owns a document-format catalog. Re-exported here so a consumer pinning `@motebit/verifier` re-checks evidence from the same surface it already consumes. See [`evidence-provenance.md`](https://github.com/motebit/motebit/blob/main/docs/doctrine/evidence-provenance.md).
51
+
50
52
  It also re-exports **`verifyApprovalDecision`** from `@motebit/crypto` — the "approve" governance band's signed human-consent artifact (`ApprovalDecision`). Unlike the auto-detected artifact types above, an `ApprovalDecision` is verified explicitly against a **pinned approver key** (it carries no `motebit_id → key` binding, so verifying against its own embedded key is circular). See [the governance-triad guide](https://docs.motebit.com/docs/developer/governance-triad) for where a verified decision sits on the binding ladder.
51
53
 
52
54
  For the same reason — authority is the scope/chain, not a `motebit_id → key` ladder resolvable from the artifact alone — the **delegation family** is also re-exported as explicit verifiers (not auto-detected): **`verifyDelegation`** (a standalone or per-tick `DelegationToken`), **`verifyStandingDelegation`** (a standing grant: signature, activation, expiry, and an injected revocation seam), **`verifyTokenAgainstGrant`** (a per-tick token IS a valid tick of its grant — scope narrows, TTL bounded, grant not revoked), and **`verifyDelegationRevocation`** (a revocation's signature; the caller binds it to the grant). A standing grant's revocation check is the consumer's responsibility — the verifiers are I/O-free and cannot fetch a feed — so **`findGrantRevocation`** does that check correctly: it returns the revocation that authoritatively revokes a grant from a candidate set, binding on `grant_id` **and** the grant's `delegator_public_key` **and** a valid signature, so matching `grant_id` alone (the foot-gun) cannot spoof a revocation. Build the `verifyStandingDelegation` `isRevoked` seam from it. This lets a consumer validate a standing monitor's authorization root, every tick token, and revocation through this package alone. See [`standing-delegation@1.0`](https://github.com/motebit/motebit/blob/main/spec/standing-delegation-v1.md).
package/dist/index.d.ts CHANGED
@@ -39,5 +39,7 @@ export { signRequestEnvelope, verifyRequestEnvelope } from "@motebit/crypto";
39
39
  export type { SignedRequestEnvelope } from "@motebit/crypto";
40
40
  export type { VerifyResult, ArtifactType, SkillVerifyResult, SkillFileVerifyResult, ApprovalDecision, DelegationToken, StandingDelegation, DelegationRevocation, SubjectBindingV1, } from "@motebit/crypto";
41
41
  export type { VerificationVerdict, VerdictSubject, IntegrityVerdict, IdentityBindingVerdict, AuthorityVerdict, RevocationStatus, RevocationVerdict, RevocationFreshness, TemporalBasis, EvidenceRef, RepairInstruction, } from "@motebit/crypto";
42
+ export type { EvidenceProvenance, EvidenceProvenanceResult, DigestRef, DigestAlgorithm, ProjectionClass, } from "@motebit/crypto";
42
43
  export { verifyReceiptVerdict, verifyDelegationTokenVerdict, isFullyVerified, } from "@motebit/crypto";
44
+ export { verifyEvidenceProvenance } from "@motebit/crypto";
43
45
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACzF,YAAY,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAC;AAO3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAgBzD,OAAO,EACL,gBAAgB,EAChB,wBAAwB,EACxB,uBAAuB,EACvB,0BAA0B,EAC1B,mBAAmB,EACnB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AAIzB,OAAO,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAC7E,YAAY,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAC7D,YAAY,EACV,YAAY,EACZ,YAAY,EACZ,iBAAiB,EACjB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AAMzB,YAAY,EACV,mBAAmB,EACnB,cAAc,EACd,gBAAgB,EAChB,sBAAsB,EACtB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,mBAAmB,EACnB,aAAa,EACb,WAAW,EACX,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AAQzB,OAAO,EACL,oBAAoB,EACpB,4BAA4B,EAC5B,eAAe,GAChB,MAAM,iBAAiB,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACzF,YAAY,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAC;AAO3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAgBzD,OAAO,EACL,gBAAgB,EAChB,wBAAwB,EACxB,uBAAuB,EACvB,0BAA0B,EAC1B,mBAAmB,EACnB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AAIzB,OAAO,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAC7E,YAAY,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAC7D,YAAY,EACV,YAAY,EACZ,YAAY,EACZ,iBAAiB,EACjB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AAMzB,YAAY,EACV,mBAAmB,EACnB,cAAc,EACd,gBAAgB,EAChB,sBAAsB,EACtB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,mBAAmB,EACnB,aAAa,EACb,WAAW,EACX,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AASzB,YAAY,EACV,kBAAkB,EAClB,wBAAwB,EACxB,SAAS,EACT,eAAe,EAIf,eAAe,GAChB,MAAM,iBAAiB,CAAC;AAQzB,OAAO,EACL,oBAAoB,EACpB,4BAA4B,EAC5B,eAAe,GAChB,MAAM,iBAAiB,CAAC;AAIzB,OAAO,EAAE,wBAAwB,EAAE,MAAM,iBAAiB,CAAC"}
package/dist/index.js CHANGED
@@ -67,4 +67,8 @@ export { signRequestEnvelope, verifyRequestEnvelope } from "@motebit/crypto";
67
67
  // fail-closed boolean (true only when every load-bearing axis passes — stricter
68
68
  // than the legacy booleans by design).
69
69
  export { verifyReceiptVerdict, verifyDelegationTokenVerdict, isFullyVerified, } from "@motebit/crypto";
70
+ // The evidence-provenance re-check law (pure, I/O-free; the projection recipe is
71
+ // an injected, app-owned seam, so a present projection with no resolver fails
72
+ // closed). Paired with the verdict's `EvidenceRef.provenance` above.
73
+ export { verifyEvidenceProvenance } from "@motebit/crypto";
70
74
  //# sourceMappingURL=index.js.map
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAEzF,6EAA6E;AAC7E,6EAA6E;AAC7E,oFAAoF;AACpF,8EAA8E;AAC9E,+EAA+E;AAC/E,2EAA2E;AAC3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACzD,yEAAyE;AACzE,0EAA0E;AAC1E,yEAAyE;AACzE,6EAA6E;AAC7E,+EAA+E;AAC/E,uEAAuE;AACvE,8EAA8E;AAC9E,wEAAwE;AACxE,0FAA0F;AAC1F,sGAAsG;AACtG,gFAAgF;AAChF,2FAA2F;AAC3F,oIAAoI;AACpI,kHAAkH;AAClH,yHAAyH;AACzH,OAAO,EACL,gBAAgB,EAChB,wBAAwB,EACxB,uBAAuB,EACvB,0BAA0B,EAC1B,mBAAmB,EACnB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AACzB,gFAAgF;AAChF,8EAA8E;AAC9E,+EAA+E;AAC/E,OAAO,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AA+B7E,6EAA6E;AAC7E,+DAA+D;AAC/D,8EAA8E;AAC9E,8EAA8E;AAC9E,sEAAsE;AACtE,gFAAgF;AAChF,uCAAuC;AACvC,OAAO,EACL,oBAAoB,EACpB,4BAA4B,EAC5B,eAAe,GAChB,MAAM,iBAAiB,CAAC"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAEzF,6EAA6E;AAC7E,6EAA6E;AAC7E,oFAAoF;AACpF,8EAA8E;AAC9E,+EAA+E;AAC/E,2EAA2E;AAC3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACzD,yEAAyE;AACzE,0EAA0E;AAC1E,yEAAyE;AACzE,6EAA6E;AAC7E,+EAA+E;AAC/E,uEAAuE;AACvE,8EAA8E;AAC9E,wEAAwE;AACxE,0FAA0F;AAC1F,sGAAsG;AACtG,gFAAgF;AAChF,2FAA2F;AAC3F,oIAAoI;AACpI,kHAAkH;AAClH,yHAAyH;AACzH,OAAO,EACL,gBAAgB,EAChB,wBAAwB,EACxB,uBAAuB,EACvB,0BAA0B,EAC1B,mBAAmB,EACnB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AACzB,gFAAgF;AAChF,8EAA8E;AAC9E,+EAA+E;AAC/E,OAAO,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAiD7E,6EAA6E;AAC7E,+DAA+D;AAC/D,8EAA8E;AAC9E,8EAA8E;AAC9E,sEAAsE;AACtE,gFAAgF;AAChF,uCAAuC;AACvC,OAAO,EACL,oBAAoB,EACpB,4BAA4B,EAC5B,eAAe,GAChB,MAAM,iBAAiB,CAAC;AACzB,iFAAiF;AACjF,8EAA8E;AAC9E,qEAAqE;AACrE,OAAO,EAAE,wBAAwB,EAAE,MAAM,iBAAiB,CAAC"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@motebit/verifier",
3
- "version": "1.8.1",
3
+ "version": "1.10.0",
4
4
  "description": "Apache-2.0 library for verifying signed Motebit artifacts (identity files, execution receipts, credentials, presentations) — file-reading and human-formatting helpers on top of @motebit/crypto. The canonical `motebit-verify` CLI now lives at @motebit/verify; this package is the Apache-2.0 library it sits on.",
5
5
  "type": "module",
6
6
  "main": "./dist/index.js",
@@ -54,8 +54,8 @@
54
54
  ]
55
55
  },
56
56
  "dependencies": {
57
- "@motebit/crypto": "3.12.0",
58
- "@motebit/protocol": "3.5.0"
57
+ "@motebit/crypto": "3.14.0",
58
+ "@motebit/protocol": "3.7.0"
59
59
  },
60
60
  "devDependencies": {
61
61
  "@noble/ed25519": "~3.1.0",