@motebit/verify 0.6.11 → 1.0.0

package/LICENSE

@@ -1,26 +1,206 @@
-MIT License
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
 
-Copyright (c) 2026 Motebit
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+   1. Definitions.
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
 
-"Motebit" is a trademark of Motebit, Inc. The MIT License grants rights to
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for describing the origin of the Work and
+      reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Motebit, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+"Motebit" is a trademark of Motebit, Inc. The Apache License grants rights to
 this software, not to any Motebit trademarks, logos, or branding. You may not
 use Motebit branding in a way that suggests endorsement or affiliation without
 written permission.

package/NOTICE

@@ -0,0 +1,19 @@
+Motebit
+Copyright 2026 Motebit, Inc.
+
+This product includes software developed at Motebit, Inc. (https://motebit.com).
+
+The permissive-floor packages (the protocol, SDK, cryptographic primitives,
+platform-attestation verifier leaves, scaffolding CLI, and GitHub Action) are
+licensed under the Apache License, Version 2.0. See LICENSE files in each
+`packages/*/` subdirectory and in `spec/` for the full license text.
+
+The remaining packages, apps, and services are licensed under the Business
+Source License 1.1 and convert to the Apache License, Version 2.0 four years
+after each version's first public release. See `LICENSE` at the repository
+root and `LICENSING.md` for the full license boundary.
+
+"Motebit" is a trademark of Motebit, Inc. The licenses granted here cover
+this software only, not Motebit trademarks, logos, or branding. Use of
+Motebit branding in a way that suggests endorsement or affiliation requires
+written permission.

package/README.md

@@ -1,102 +1,121 @@
 # @motebit/verify
 
-Verify any Motebit artifact — identity files, execution receipts, verifiable credentials, and verifiable presentations.
+The canonical motebit artifact verifier. A single `motebit-verify` command that verifies any signed motebit artifact — identity files, execution receipts, credentials, presentations — including credentials carrying hardware-attestation claims under any of the four platforms (Apple App Attest, Google Play Integrity, TPM 2.0, WebAuthn).
 
-One function. Any artifact. Zero runtime dependencies. MIT licensed.
-
-## Install
+Network-free. No relay contact, no external service, no cloud dependency. Every trust anchor is pinned in the installed package.
 
 ```bash
-npm install @motebit/verify
+npm install -g @motebit/verify
+motebit-verify cred.json
+```
+
+```
+VALID (credential)
+  issuer:   did:key:z6MkhaXgBZDvotDkL5257...
+  subject:  did:key:z6MkhaXgBZDvotDkL5257...
+  expired:  no
+  hardware: secure_enclave ✓
 ```
 
+## What it verifies
+
+| Artifact                    | Detection                                                       |
+| --------------------------- | --------------------------------------------------------------- |
+| `motebit.md` identity files | YAML frontmatter + Ed25519 proof                                |
+| Execution receipts          | Signed JSON, signer keys chain                                  |
+| W3C VerifiableCredentials   | `eddsa-jcs-2022` proof, hardware-attestation channel if present |
+| VerifiablePresentations     | Signed envelope + every embedded credential                     |
+
+Hardware-attestation channel covers all four currently-shipped platforms:
+
+| Platform         | Adapter                          | Trust anchor                                                 |
+| ---------------- | -------------------------------- | ------------------------------------------------------------ |
+| `secure_enclave` | `@motebit/crypto` (built-in)     | ECDSA-P256 signature; self-asserted SE public key            |
+| `device_check`   | `@motebit/crypto-appattest`      | Pinned Apple App Attestation Root CA                         |
+| `tpm`            | `@motebit/crypto-tpm`            | Pinned Infineon / Nuvoton / STMicro / Intel PTT vendor roots |
+| `play_integrity` | `@motebit/crypto-play-integrity` | Pinned Google JWKS                                           |
+| `webauthn`       | `@motebit/crypto-webauthn`       | Pinned Apple / Yubico / Microsoft FIDO roots                 |
+
+Unknown platform → named error, fail-closed. Missing adapter context → named error, fail-closed. Never silent acceptance.
+
 ## Usage
 
-```typescript
-import { verify } from "@motebit/verify";
-
-// Identity file
-const r1 = await verify(fs.readFileSync("motebit.md", "utf-8"));
-if (r1.type === "identity" && r1.valid) {
-  console.log(r1.did); // did:key:z...
-  console.log(r1.identity); // full identity file contents
-  console.log(r1.succession); // key rotation chain (if present)
-}
-
-// Execution receipt (object or JSON string)
-const r2 = await verify(receipt);
-if (r2.type === "receipt" && r2.valid) {
-  console.log(r2.signer); // did:key of the signing agent
-  console.log(r2.delegations); // nested delegation verification results
-}
-
-// Verifiable credential
-const r3 = await verify(credential);
-if (r3.type === "credential" && r3.valid) {
-  console.log(r3.issuer); // did:key of the issuer
-  console.log(r3.subject); // did:key of the subject
-  console.log(r3.expired); // false
-}
-
-// Verifiable presentation
-const r4 = await verify(presentation);
-if (r4.type === "presentation" && r4.valid) {
-  console.log(r4.holder); // did:key of the holder
-  console.log(r4.credentials); // each credential verified independently
-}
+```bash
+motebit-verify <file>                     # auto-detect, print human-readable
+motebit-verify <file> --json              # structured JSON output
+motebit-verify <file> --expect credential # pin expected artifact type
+motebit-verify <file> --clock-skew 30     # allow N seconds of clock drift
+
+# Platform overrides (defaults match motebit's canonical identifiers)
+motebit-verify <file> \
+  --bundle-id com.example.app \
+  --android-package com.example.app \
+  --rp-id example.com
 ```
 
-### Strict mode
+Exit codes:
 
-Pass `expectedType` to fail fast if the artifact doesn't match:
+- `0` — artifact verified (including hardware-attestation channel)
+- `1` — artifact detected but signature / hardware channel invalid
+- `2` — usage or I/O error
 
-```typescript
-const result = await verify(artifact, { expectedType: "receipt" });
-// result.valid is false if artifact is not a receipt
-```
+## Programmatic use
 
-### Parse without verifying
+The CLI is a thin wrapper — every capability is available programmatically:
 
-```typescript
-import { parse } from "@motebit/verify";
+```ts
+import { verifyFile } from "@motebit/verifier"; // Apache-2.0 library (file I/O + formatting)
+import { buildHardwareVerifiers } from "@motebit/verify"; // Apache-2.0 CLI + programmatic adapter bundle
 
-const { frontmatter, signature, rawFrontmatter } = parse(identityFileContent);
-console.log(frontmatter.motebit_id);
+const result = await verifyFile("cred.json", {
+  hardwareAttestation: buildHardwareVerifiers(),
+});
 ```
 
-## API
+## The three-package lineage
 
-### `verify(artifact, options?): Promise<VerifyResult>`
+This package sits at the top of a deliberate three-layer split — the same shape long-lived tool lineages use (git / libgit2, cargo / tokio, npm / @npm/arborist):
 
-Verify any Motebit artifact. Detects the type automatically from the input.
+```
+@motebit/verify     Apache-2.0  the CLI motebit-verify + bundled adapters  (the tool — this package)
+@motebit/verifier   Apache-2.0  library: verifyFile, verifyArtifact, formatHuman
+@motebit/crypto     Apache-2.0  primitives: verify, sign, suite dispatch
+```
 
-- **Strings** containing `---` are parsed as identity files
-- **Strings** containing JSON are parsed and detected by shape
-- **Objects** are detected by shape: receipts have `task_id` + `signature`, credentials have `credentialSubject` + `proof`, presentations have `holder` + `verifiableCredential` + `proof`
+All three are Apache-2.0 with explicit patent grant — the full verification surface ships under the permissive floor. The BSL line stays at `motebit` (the operator console) and everything below it, where the motebit-proprietary judgment actually lives.
 
-Returns a discriminated union — narrow on `result.type` to access type-specific fields.
+- Install **`@motebit/verify`** when you want the command-line tool with every platform bundled. One install, verify anything offline, no license friction in CI pipelines.
+- Install **`@motebit/verifier`** when you're writing TypeScript code that needs to read + verify motebit artifacts programmatically and want the dep-thin library without the four bundled platform adapters.
+- Install **`@motebit/crypto`** when you want the primitives — the verify dispatcher, sign APIs, suite registry — to build your own verification tooling from scratch.
 
-### `verifyIdentityFile(content): Promise<LegacyVerifyResult>`
+## Superseding the deprecated `@motebit/verify@0.x`
 
-Verify a `motebit.md` identity file. Returns the legacy result shape with `.identity`, `.did`, `.error` fields directly (no type narrowing needed).
+The original `@motebit/verify@0.7.0` was a zero-dep MIT library with a single `verify()` function. It was deprecated and split:
 
-### `parse(content): { frontmatter, signature, rawFrontmatter }`
+- **The `verify()` library primitive** moved to [`@motebit/crypto`](https://www.npmjs.com/package/@motebit/crypto). Now Apache-2.0 (upgraded from MIT — adds an explicit patent grant), same zero deps, same function shape, plus full sign / verify / cryptosuite support.
+- **The file-reading + human-formatting helpers** live at [`@motebit/verifier`](https://www.npmjs.com/package/@motebit/verifier). Apache-2.0, thin layer above `@motebit/crypto`.
+- **The `motebit-verify` CLI — the tool most users actually wanted when they typed `npm install @motebit/verify`** — is now this package, shipped at `1.0.0`. Runs offline. Verifies every motebit artifact. Bundles every hardware-attestation platform.
 
-Parse a `motebit.md` file into its components. Does not verify the signature. Throws if malformed.
+If you were on `@motebit/verify@^0.7.0`, migration depends on what you were using:
 
-## What can it verify?
+| You were using                                               | Migrate to                                                                          |
+| ------------------------------------------------------------ | ----------------------------------------------------------------------------------- |
+| The `verify()` function in TypeScript                        | `import { verify } from "@motebit/crypto"` — same shape, more features              |
+| `verifyFile()` / `formatHuman()` / programmatic CLI wrappers | `import { ... } from "@motebit/verifier"`                                           |
+| Running `motebit-verify` on the command line                 | `npm install -g @motebit/verify` at `^1.0.0` — same command, full platform coverage |
 
-| Artifact                | Input                                         | What it checks                                                                         |
-| ----------------------- | --------------------------------------------- | -------------------------------------------------------------------------------------- |
-| Identity file           | String (YAML frontmatter + Ed25519 signature) | Signature over frontmatter, succession chain linkage + temporal ordering               |
-| Execution receipt       | Object or JSON                                | Ed25519 signature over canonical JSON, embedded public key, recursive delegation chain |
-| Verifiable credential   | Object or JSON                                | eddsa-jcs-2022 Data Integrity proof, expiry, issuer DID extraction                     |
-| Verifiable presentation | Object or JSON                                | Envelope proof + each contained credential independently                               |
+## Related
 
-All verification is **offline** — no network calls, no relay lookup, no runtime dependency. Receipts embed the signer's public key. Credentials embed the issuer's DID. Everything needed for verification is in the artifact itself.
+- [`@motebit/verifier`](https://www.npmjs.com/package/@motebit/verifier) — Apache-2.0 library underneath this CLI (`verifyFile`, `verifyArtifact`, `formatHuman`)
+- [`@motebit/crypto`](https://www.npmjs.com/package/@motebit/crypto) — Apache-2.0 primitives (`verify`, `sign`, suite dispatch; zero monorepo deps)
+- [`@motebit/crypto-appattest`](https://www.npmjs.com/package/@motebit/crypto-appattest) — Apple App Attest adapter bundled into this CLI
+- [`@motebit/crypto-play-integrity`](https://www.npmjs.com/package/@motebit/crypto-play-integrity) — Google Play Integrity adapter bundled into this CLI
+- [`@motebit/crypto-tpm`](https://www.npmjs.com/package/@motebit/crypto-tpm) — TPM 2.0 EK chain adapter bundled into this CLI
+- [`@motebit/crypto-webauthn`](https://www.npmjs.com/package/@motebit/crypto-webauthn) — WebAuthn packed-attestation adapter bundled into this CLI
+- [`motebit`](https://www.npmjs.com/package/motebit) — reference runtime and operator console
 
 ## License
 
-MIT — see [LICENSE](./LICENSE).
+Apache-2.0 — see [LICENSE](./LICENSE) and [NOTICE](./NOTICE).
 
-"Motebit" is a trademark. The MIT License grants rights to this software, not to any Motebit trademarks, logos, or branding. You may not use Motebit branding in a way that suggests endorsement or affiliation without written permission.
+"Motebit" is a trademark. The Apache License grants rights to this software, not to any Motebit trademarks, logos, or branding. You may not use Motebit branding in a way that suggests endorsement or affiliation without written permission.

package/dist/adapters.d.ts

@@ -0,0 +1,92 @@
+/**
+ * Bundled-adapter wiring — the core reason this package exists.
+ *
+ * `@motebit/verifier` (Apache-2.0) accepts an optional
+ * `HardwareAttestationVerifiers` record but wires none of the four
+ * leaves itself; that keeps it dep-thin. This Apache-2.0 aggregator
+ * imports every leaf (`@motebit/crypto-appattest`,
+ * `@motebit/crypto-tpm`, `@motebit/crypto-play-integrity`,
+ * `@motebit/crypto-webauthn`) and
+ * produces a single `HardwareAttestationVerifiers` object the CLI
+ * hands to `verifyFile`. Any credential whose subject carries a
+ * hardware-attestation claim for any of the four platforms now
+ * verifies end-to-end — chain + nonce + bundle + identity — instead
+ * of returning the `adapter not yet shipped` sentinel.
+ *
+ * Defaults match motebit's canonical app identifiers:
+ *   - App Attest    → bundleId `com.motebit.mobile`
+ *   - Play Integrity → packageName `com.motebit.mobile`
+ *   - WebAuthn      → rpId `motebit.com`
+ *   - TPM           → the pinned vendor roots in `@motebit/crypto-tpm`
+ *
+ * Operators verifying credentials from a different motebit deployment
+ * can override any of these via the config parameter.
+ */
+import type { HardwareAttestationVerifiers } from "@motebit/crypto";
+import { type GoogleJwks } from "@motebit/crypto-play-integrity";
+export interface HardwareVerifierBundleConfig {
+    /**
+     * Apple App Attest — bundle ID the attested iOS app was built with.
+     * Defaults to `com.motebit.mobile`. Override when verifying credentials
+     * minted by a different motebit iOS build.
+     */
+    readonly appAttestBundleId?: string;
+    /**
+     * Apple App Attest — override the pinned Apple App Attestation Root
+     * CA PEM. Defaults to the constant in `@motebit/crypto-appattest`.
+     * Exposed only so test fabrications can exercise the chain-validation
+     * code path with a fabricated root.
+     */
+    readonly appAttestRootPem?: string;
+    /**
+     * Google Play Integrity — Android package name the attested app was
+     * built with. Defaults to `com.motebit.mobile`.
+     */
+    readonly playIntegrityPackageName?: string;
+    /**
+     * Google Play Integrity — override the pinned JWKS. Fail-closed by
+     * default (see `@motebit/crypto-play-integrity` doctrine); operators
+     * pin real keys here once the production key-acquisition path lands.
+     */
+    readonly playIntegrityPinnedJwks?: GoogleJwks;
+    /**
+     * Google Play Integrity — relax the device-integrity floor. Defaults
+     * to the strict `"MEETS_DEVICE_INTEGRITY"`. Development / sideloaded
+     * scenarios may lower to `"MEETS_BASIC_INTEGRITY"`.
+     */
+    readonly playIntegrityRequiredDeviceIntegrity?: string;
+    /**
+     * WebAuthn — Relying Party ID the credential was minted for.
+     * Defaults to `motebit.com`.
+     */
+    readonly webauthnRpId?: string;
+    /**
+     * WebAuthn — override the pinned FIDO root set. Defaults to
+     * `DEFAULT_FIDO_ROOTS` (Apple Anonymous Attestation, Yubico, Microsoft).
+     */
+    readonly webauthnRootPems?: ReadonlyArray<string>;
+    /**
+     * TPM — override the pinned vendor root PEMs. Defaults to the four
+     * TPM-vendor roots in `@motebit/crypto-tpm` (Infineon, Nuvoton,
+     * STMicro, Intel PTT).
+     */
+    readonly tpmRootPems?: ReadonlyArray<string>;
+}
+/**
+ * Build the full `HardwareAttestationVerifiers` object covering all four
+ * platform adapters. Pass the result to `verifyFile`:
+ *
+ * ```ts
+ * import { verifyFile } from "@motebit/verifier";
+ * import { buildHardwareVerifiers } from "@motebit/verify";
+ *
+ * const result = await verifyFile("cred.json", {
+ *   hardwareAttestation: buildHardwareVerifiers(),
+ * });
+ * ```
+ *
+ * Pure function: every dependency is captured at factory time and the
+ * returned verifiers are idempotent across calls.
+ */
+export declare function buildHardwareVerifiers(config?: HardwareVerifierBundleConfig): HardwareAttestationVerifiers;
+//# sourceMappingURL=adapters.d.ts.map

package/dist/adapters.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapters.d.ts","sourceRoot":"","sources":["../src/adapters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,iBAAiB,CAAC;AAEpE,OAAO,EAAyB,KAAK,UAAU,EAAE,MAAM,gCAAgC,CAAC;AAIxF,MAAM,WAAW,4BAA4B;IAC3C;;;;OAIG;IACH,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC;;;;;OAKG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC;;;OAGG;IACH,QAAQ,CAAC,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAC3C;;;;OAIG;IACH,QAAQ,CAAC,uBAAuB,CAAC,EAAE,UAAU,CAAC;IAC9C;;;;OAIG;IACH,QAAQ,CAAC,oCAAoC,CAAC,EAAE,MAAM,CAAC;IACvD;;;OAGG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAClD;;;;OAIG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC9C;AAOD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,sBAAsB,CACpC,MAAM,CAAC,EAAE,4BAA4B,GACpC,4BAA4B,CA2B9B"}

package/dist/adapters.js

@@ -0,0 +1,52 @@
+import { deviceCheckVerifier, APPLE_APPATTEST_ROOT_PEM } from "@motebit/crypto-appattest";
+import { playIntegrityVerifier } from "@motebit/crypto-play-integrity";
+import { tpmVerifier } from "@motebit/crypto-tpm";
+import { webauthnVerifier, DEFAULT_FIDO_ROOTS } from "@motebit/crypto-webauthn";
+/** Motebit's canonical iOS / Android app identifier. */
+const DEFAULT_BUNDLE_ID = "com.motebit.mobile";
+/** Motebit's canonical Relying Party ID for WebAuthn credentials. */
+const DEFAULT_WEBAUTHN_RP_ID = "motebit.com";
+/**
+ * Build the full `HardwareAttestationVerifiers` object covering all four
+ * platform adapters. Pass the result to `verifyFile`:
+ *
+ * ```ts
+ * import { verifyFile } from "@motebit/verifier";
+ * import { buildHardwareVerifiers } from "@motebit/verify";
+ *
+ * const result = await verifyFile("cred.json", {
+ *   hardwareAttestation: buildHardwareVerifiers(),
+ * });
+ * ```
+ *
+ * Pure function: every dependency is captured at factory time and the
+ * returned verifiers are idempotent across calls.
+ */
+export function buildHardwareVerifiers(config) {
+    const appAttestBundleId = config?.appAttestBundleId ?? DEFAULT_BUNDLE_ID;
+    const playIntegrityPackageName = config?.playIntegrityPackageName ?? DEFAULT_BUNDLE_ID;
+    const webauthnRpId = config?.webauthnRpId ?? DEFAULT_WEBAUTHN_RP_ID;
+    return {
+        deviceCheck: deviceCheckVerifier({
+            expectedBundleId: appAttestBundleId,
+            rootPem: config?.appAttestRootPem ?? APPLE_APPATTEST_ROOT_PEM,
+        }),
+        tpm: tpmVerifier({
+            ...(config?.tpmRootPems !== undefined ? { rootPems: config.tpmRootPems } : {}),
+        }),
+        playIntegrity: playIntegrityVerifier({
+            expectedPackageName: playIntegrityPackageName,
+            ...(config?.playIntegrityPinnedJwks !== undefined
+                ? { pinnedJwks: config.playIntegrityPinnedJwks }
+                : {}),
+            ...(config?.playIntegrityRequiredDeviceIntegrity !== undefined
+                ? { requiredDeviceIntegrity: config.playIntegrityRequiredDeviceIntegrity }
+                : {}),
+        }),
+        webauthn: webauthnVerifier({
+            expectedRpId: webauthnRpId,
+            rootPems: config?.webauthnRootPems ?? DEFAULT_FIDO_ROOTS,
+        }),
+    };
+}
+//# sourceMappingURL=adapters.js.map

package/dist/adapters.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapters.js","sourceRoot":"","sources":["../src/adapters.ts"],"names":[],"mappings":"AAyBA,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AAC1F,OAAO,EAAE,qBAAqB,EAAmB,MAAM,gCAAgC,CAAC;AACxF,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAmDhF,wDAAwD;AACxD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC;AAC/C,qEAAqE;AACrE,MAAM,sBAAsB,GAAG,aAAa,CAAC;AAE7C;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,sBAAsB,CACpC,MAAqC;IAErC,MAAM,iBAAiB,GAAG,MAAM,EAAE,iBAAiB,IAAI,iBAAiB,CAAC;IACzE,MAAM,wBAAwB,GAAG,MAAM,EAAE,wBAAwB,IAAI,iBAAiB,CAAC;IACvF,MAAM,YAAY,GAAG,MAAM,EAAE,YAAY,IAAI,sBAAsB,CAAC;IAEpE,OAAO;QACL,WAAW,EAAE,mBAAmB,CAAC;YAC/B,gBAAgB,EAAE,iBAAiB;YACnC,OAAO,EAAE,MAAM,EAAE,gBAAgB,IAAI,wBAAwB;SAC9D,CAAC;QACF,GAAG,EAAE,WAAW,CAAC;YACf,GAAG,CAAC,MAAM,EAAE,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC/E,CAAC;QACF,aAAa,EAAE,qBAAqB,CAAC;YACnC,mBAAmB,EAAE,wBAAwB;YAC7C,GAAG,CAAC,MAAM,EAAE,uBAAuB,KAAK,SAAS;gBAC/C,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,uBAAuB,EAAE;gBAChD,CAAC,CAAC,EAAE,CAAC;YACP,GAAG,CAAC,MAAM,EAAE,oCAAoC,KAAK,SAAS;gBAC5D,CAAC,CAAC,EAAE,uBAAuB,EAAE,MAAM,CAAC,oCAAoC,EAAE;gBAC1E,CAAC,CAAC,EAAE,CAAC;SACR,CAAC;QACF,QAAQ,EAAE,gBAAgB,CAAC;YACzB,YAAY,EAAE,YAAY;YAC1B,QAAQ,EAAE,MAAM,EAAE,gBAAgB,IAAI,kBAAkB;SACzD,CAAC;KACH,CAAC;AACJ,CAAC"}

package/dist/cli.d.ts

@@ -0,0 +1,43 @@
+#!/usr/bin/env node
+/**
+ * `motebit-verify` CLI — the canonical motebit artifact verifier.
+ *
+ * Verifies identity files, execution receipts, credentials, and
+ * presentations against their embedded signatures. When a credential
+ * carries a `hardware_attestation` claim for `device_check` / `tpm` /
+ * `play_integrity` / `webauthn`, the bundled platform adapters verify
+ * the chain, nonce, bundle, and identity binding end-to-end.
+ *
+ * ```
+ *   motebit-verify <file>                 # auto-detect, print human
+ *   motebit-verify <file> --json          # structured output
+ *   motebit-verify <file> --expect credential
+ *   motebit-verify <file> --clock-skew 30
+ *
+ *   # Platform-specific overrides (all optional; defaults match
+ *   # motebit's canonical identifiers).
+ *   motebit-verify <file> \
+ *     --bundle-id com.example.app \
+ *     --android-package com.example.app \
+ *     --rp-id example.com
+ * ```
+ *
+ * Exit codes:
+ *   0  artifact verified (including any hardware-attestation channel)
+ *   1  artifact detected but signature / hardware-channel invalid
+ *   2  usage / I/O error
+ *
+ * Network-free by design. Every adapter pins its own trust anchor
+ * (Apple App Attest Root CA, FIDO roots, TPM vendor roots); Play
+ * Integrity's JWKS is fail-closed by default until an operator lands
+ * real bytes (see `@motebit/crypto-play-integrity`'s CLAUDE.md).
+ *
+ * Three-package lineage — mirrors how tools like `git` / `libgit2` or
+ * `cargo` / `tokio` separate the verb-tool from the library layer:
+ *
+ *   @motebit/verify   — this CLI (Apache-2.0, bundles all 4 adapters)
+ *   @motebit/verifier — Apache-2.0 library (file I/O, human formatting)
+ *   @motebit/crypto   — Apache-2.0 primitives (verify, sign, suite dispatch)
+ */
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG"}