@nobulex/proof 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,58 @@
+import type { HashHex } from '@nobulex/crypto';
+import type { ComplianceProof, ProofVerificationResult, ProofGenerationOptions, AuditEntryData } from './types';
+export type { ComplianceProof, ProofVerificationResult, ProofGenerationOptions, AuditEntryData, } from './types';
+export { poseidonHash, hashToField, fieldToHex, FIELD_PRIME } from './poseidon';
+/**
+ * Compute a Poseidon commitment over a sequence of audit log entries.
+ *
+ * The commitment is built by chaining: start with a zero accumulator,
+ * then for each entry, hash (accumulator, entryFieldElement) with Poseidon.
+ * This produces a sequential commitment that depends on the order and
+ * content of every entry.
+ *
+ * @param entries - The audit entries to commit to
+ * @returns Hex-encoded Poseidon commitment
+ */
+export declare function computeAuditCommitment(entries: AuditEntryData[]): HashHex;
+/**
+ * Compute a Poseidon commitment over a constraint definition string.
+ *
+ * First hashes the string with SHA-256 to get a fixed-size digest,
+ * converts that to a field element, then applies Poseidon.
+ *
+ * @param constraints - The constraint definitions (CCL source or canonical string)
+ * @returns Hex-encoded Poseidon commitment
+ */
+export declare function computeConstraintCommitment(constraints: string): HashHex;
+/**
+ * Generate a compliance proof attesting that the given audit entries
+ * are consistent with the covenant's constraints.
+ *
+ * For v0.1, this produces a Poseidon hash commitment proof:
+ * - Computes audit log commitment (chained Poseidon over entry hashes)
+ * - Computes constraint commitment (Poseidon of SHA-256 of constraints)
+ * - Generates proof = Poseidon(auditLogCommitment, constraintCommitment, covenantId)
+ * - Public inputs = [covenantId, auditLogCommitment, constraintCommitment, entryCount]
+ *
+ * In future versions (groth16, plonk), the proof will be a full ZK-SNARK.
+ *
+ * @param options - Proof generation parameters
+ * @returns A ComplianceProof object
+ */
+export declare function generateComplianceProof(options: ProofGenerationOptions): Promise<ComplianceProof>;
+/**
+ * Verify a compliance proof by checking its structural integrity and
+ * recomputing the proof value from public inputs.
+ *
+ * Verification steps:
+ * 1. Check proof format (version, required fields)
+ * 2. Check public inputs are well-formed (length = 4)
+ * 3. Audit log commitment is consistent (publicInputs[1] matches auditLogCommitment, covenantId matches)
+ * 4. Constraint commitment matches (publicInputs[2] matches constraintCommitment, entryCount matches)
+ * 5. Proof verifies against verification circuit (recompute and compare)
+ *
+ * @param proof - The ComplianceProof to verify
+ * @returns Detailed verification result
+ */
+export declare function verifyComplianceProof(proof: ComplianceProof): Promise<ProofVerificationResult>;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAG/C,OAAO,KAAK,EACV,eAAe,EACf,uBAAuB,EACvB,sBAAsB,EACtB,cAAc,EACf,MAAM,SAAS,CAAC;AAGjB,YAAY,EACV,eAAe,EACf,uBAAuB,EACvB,sBAAsB,EACtB,cAAc,GACf,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAMhF;;;;;;;;;;GAUG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,cAAc,EAAE,GAAG,OAAO,CAgBzE;AAED;;;;;;;;GAQG;AACH,wBAAgB,2BAA2B,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAQxE;AAMD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,eAAe,CAAC,CA4C1B;AAMD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,eAAe,GACrB,OAAO,CAAC,uBAAuB,CAAC,CAwHlC"}

package/dist/index.js

@@ -0,0 +1,326 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  FIELD_PRIME: () => FIELD_PRIME,
+  computeAuditCommitment: () => computeAuditCommitment,
+  computeConstraintCommitment: () => computeConstraintCommitment,
+  fieldToHex: () => fieldToHex,
+  generateComplianceProof: () => generateComplianceProof,
+  hashToField: () => hashToField,
+  poseidonHash: () => poseidonHash,
+  verifyComplianceProof: () => verifyComplianceProof
+});
+module.exports = __toCommonJS(index_exports);
+var import_crypto2 = require("@nobulex/crypto");
+
+// src/poseidon.ts
+var import_crypto = require("@nobulex/crypto");
+var FIELD_PRIME = 21888242871839275222246405745257275088548364400416034343698204186575808495617n;
+var T = 3;
+var FULL_ROUNDS = 8;
+var PARTIAL_ROUNDS = 57;
+var TOTAL_ROUNDS = FULL_ROUNDS + PARTIAL_ROUNDS;
+function generateRoundConstants() {
+  const constants = [];
+  for (let round = 0; round < TOTAL_ROUNDS; round++) {
+    const roundConsts = [];
+    for (let j = 0; j < T; j++) {
+      const idx = round * T + j;
+      const hash = (0, import_crypto.sha256String)(`poseidon_rc_${idx}`);
+      const value = BigInt("0x" + hash) % FIELD_PRIME;
+      roundConsts.push(value);
+    }
+    constants.push(roundConsts);
+  }
+  return constants;
+}
+var ROUND_CONSTANTS = generateRoundConstants();
+function modInverse(a, p) {
+  a = (a % p + p) % p;
+  if (a === 0n) {
+    throw new Error("No inverse for zero");
+  }
+  let [old_r, r] = [a, p];
+  let [old_s, s] = [1n, 0n];
+  while (r !== 0n) {
+    const quotient = old_r / r;
+    [old_r, r] = [r, old_r - quotient * r];
+    [old_s, s] = [s, old_s - quotient * s];
+  }
+  return (old_s % p + p) % p;
+}
+function buildMDSMatrix() {
+  const matrix = [];
+  for (let i = 0; i < T; i++) {
+    const row = [];
+    for (let j = 0; j < T; j++) {
+      const xi = BigInt(i + 1);
+      const yj = BigInt(T + j + 1);
+      const sum = (xi + yj) % FIELD_PRIME;
+      row.push(modInverse(sum, FIELD_PRIME));
+    }
+    matrix.push(row);
+  }
+  return matrix;
+}
+var MDS_MATRIX = buildMDSMatrix();
+function sbox(x) {
+  const x2 = x * x % FIELD_PRIME;
+  const x4 = x2 * x2 % FIELD_PRIME;
+  return x4 * x % FIELD_PRIME;
+}
+function addRoundConstants(state, round) {
+  const rc = ROUND_CONSTANTS[round];
+  return state.map((s, i) => (s + rc[i]) % FIELD_PRIME);
+}
+function mdsMultiply(state) {
+  const result = new Array(T).fill(0n);
+  for (let i = 0; i < T; i++) {
+    let acc = 0n;
+    for (let j = 0; j < T; j++) {
+      acc = (acc + MDS_MATRIX[i][j] * state[j]) % FIELD_PRIME;
+    }
+    result[i] = acc;
+  }
+  return result;
+}
+function fullRound(state, round) {
+  let s = addRoundConstants(state, round);
+  s = s.map(sbox);
+  return mdsMultiply(s);
+}
+function partialRound(state, round) {
+  let s = addRoundConstants(state, round);
+  s[0] = sbox(s[0]);
+  return mdsMultiply(s);
+}
+function poseidonHash(inputs) {
+  if (inputs.length === 0) {
+    throw new Error("Poseidon hash requires at least one input");
+  }
+  for (let i = 0; i < inputs.length; i++) {
+    const input = inputs[i];
+    if (input < 0n || input >= FIELD_PRIME) {
+      throw new Error(
+        `Input ${i} is out of field range: must be in [0, FIELD_PRIME)`
+      );
+    }
+  }
+  const rate = T - 1;
+  const padded = [...inputs];
+  padded.push(1n);
+  while (padded.length % rate !== 0) {
+    padded.push(0n);
+  }
+  let state = new Array(T).fill(0n);
+  for (let chunk = 0; chunk < padded.length; chunk += rate) {
+    for (let i = 0; i < rate; i++) {
+      state[i] = (state[i] + padded[chunk + i]) % FIELD_PRIME;
+    }
+    state = poseidonPermutation(state);
+  }
+  return state[0];
+}
+function poseidonPermutation(state) {
+  let s = [...state];
+  let round = 0;
+  const halfFull = FULL_ROUNDS / 2;
+  for (let i = 0; i < halfFull; i++) {
+    s = fullRound(s, round);
+    round++;
+  }
+  for (let i = 0; i < PARTIAL_ROUNDS; i++) {
+    s = partialRound(s, round);
+    round++;
+  }
+  for (let i = 0; i < halfFull; i++) {
+    s = fullRound(s, round);
+    round++;
+  }
+  return s;
+}
+function hashToField(hash) {
+  if (hash.length < 2) {
+    throw new Error("Hash string too short for field conversion");
+  }
+  const value = BigInt("0x" + hash);
+  return value % FIELD_PRIME;
+}
+function fieldToHex(value) {
+  if (value < 0n || value >= FIELD_PRIME) {
+    throw new Error("Value out of field range");
+  }
+  return value.toString(16).padStart(64, "0");
+}
+
+// src/index.ts
+function computeAuditCommitment(entries) {
+  if (entries.length === 0) {
+    return fieldToHex(poseidonHash([0n]));
+  }
+  let accumulator = 0n;
+  for (const entry of entries) {
+    const entryField = hashToField(entry.hash);
+    accumulator = poseidonHash([accumulator, entryField]);
+  }
+  return fieldToHex(accumulator);
+}
+function computeConstraintCommitment(constraints) {
+  const constraintHash = (0, import_crypto2.sha256String)(constraints);
+  const constraintField = hashToField(constraintHash);
+  const commitment = poseidonHash([constraintField]);
+  return fieldToHex(commitment);
+}
+async function generateComplianceProof(options) {
+  const { covenantId, constraints, auditEntries, proofSystem = "poseidon_hash" } = options;
+  if (!covenantId || covenantId.length === 0) {
+    throw new Error("covenantId is required");
+  }
+  if (!constraints || constraints.length === 0) {
+    throw new Error("constraints string is required");
+  }
+  const auditLogCommitment = computeAuditCommitment(auditEntries);
+  const constraintCommitment = computeConstraintCommitment(constraints);
+  const auditField = hashToField(auditLogCommitment);
+  const constraintField = hashToField(constraintCommitment);
+  const covenantField = hashToField(covenantId);
+  const proofValue = poseidonHash([auditField, constraintField, covenantField]);
+  const proofHex = fieldToHex(proofValue);
+  const publicInputs = [
+    covenantId,
+    auditLogCommitment,
+    constraintCommitment,
+    String(auditEntries.length)
+  ];
+  return {
+    version: "1.0",
+    covenantId,
+    auditLogCommitment,
+    constraintCommitment,
+    proof: proofHex,
+    publicInputs,
+    proofSystem,
+    generatedAt: (0, import_crypto2.timestamp)(),
+    entryCount: auditEntries.length
+  };
+}
+async function verifyComplianceProof(proof) {
+  const errors = [];
+  if (proof.version !== "1.0") {
+    errors.push(`Unsupported proof version: ${proof.version}`);
+  }
+  if (!proof.covenantId || proof.covenantId.length === 0) {
+    errors.push("Missing covenantId");
+  }
+  if (!proof.auditLogCommitment || proof.auditLogCommitment.length === 0) {
+    errors.push("Missing auditLogCommitment");
+  }
+  if (!proof.constraintCommitment || proof.constraintCommitment.length === 0) {
+    errors.push("Missing constraintCommitment");
+  }
+  if (!proof.proof || proof.proof.length === 0) {
+    errors.push("Missing proof value");
+  }
+  if (proof.proofSystem !== "poseidon_hash" && proof.proofSystem !== "groth16" && proof.proofSystem !== "plonk") {
+    errors.push(`Unsupported proof system: ${proof.proofSystem}`);
+  }
+  if (typeof proof.entryCount !== "number" || proof.entryCount < 0) {
+    errors.push(`Invalid entryCount: ${proof.entryCount}`);
+  }
+  if (!proof.generatedAt || proof.generatedAt.length === 0) {
+    errors.push("Missing generatedAt timestamp");
+  }
+  if (!Array.isArray(proof.publicInputs)) {
+    errors.push("publicInputs must be an array");
+    return {
+      valid: false,
+      covenantId: proof.covenantId ?? "",
+      entryCount: proof.entryCount ?? 0,
+      errors
+    };
+  }
+  if (proof.publicInputs.length !== 4) {
+    errors.push(
+      `publicInputs must have exactly 4 elements, got ${proof.publicInputs.length}`
+    );
+  }
+  if (proof.publicInputs.length === 4) {
+    const [piCovenantId, piAuditCommitment, piConstraintCommitment, piEntryCount] = proof.publicInputs;
+    if (piCovenantId !== proof.covenantId) {
+      errors.push(
+        `publicInputs[0] (covenantId) mismatch: expected ${proof.covenantId}, got ${piCovenantId}`
+      );
+    }
+    if (piAuditCommitment !== proof.auditLogCommitment) {
+      errors.push(
+        `publicInputs[1] (auditLogCommitment) mismatch: expected ${proof.auditLogCommitment}, got ${piAuditCommitment}`
+      );
+    }
+  }
+  if (proof.publicInputs.length === 4) {
+    const [, , piConstraintCommitment, piEntryCount] = proof.publicInputs;
+    if (piConstraintCommitment !== proof.constraintCommitment) {
+      errors.push(
+        `publicInputs[2] (constraintCommitment) mismatch: expected ${proof.constraintCommitment}, got ${piConstraintCommitment}`
+      );
+    }
+    if (piEntryCount !== String(proof.entryCount)) {
+      errors.push(
+        `publicInputs[3] (entryCount) mismatch: expected ${proof.entryCount}, got ${piEntryCount}`
+      );
+    }
+  }
+  if (proof.proofSystem === "poseidon_hash" && errors.length === 0) {
+    try {
+      const auditField = hashToField(proof.auditLogCommitment);
+      const constraintField = hashToField(proof.constraintCommitment);
+      const covenantField = hashToField(proof.covenantId);
+      const expectedProof = poseidonHash([auditField, constraintField, covenantField]);
+      const expectedHex = fieldToHex(expectedProof);
+      if (expectedHex !== proof.proof) {
+        errors.push(
+          `Proof value mismatch: recomputed ${expectedHex}, got ${proof.proof}`
+        );
+      }
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      errors.push(`Error recomputing proof: ${message}`);
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    covenantId: proof.covenantId ?? "",
+    entryCount: proof.entryCount ?? 0,
+    errors
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  FIELD_PRIME,
+  computeAuditCommitment,
+  computeConstraintCommitment,
+  fieldToHex,
+  generateComplianceProof,
+  hashToField,
+  poseidonHash,
+  verifyComplianceProof
+});

package/dist/index.mjs

@@ -0,0 +1,294 @@
+// src/index.ts
+import { sha256String as sha256String2, timestamp } from "@nobulex/crypto";
+
+// src/poseidon.ts
+import { sha256String } from "@nobulex/crypto";
+var FIELD_PRIME = 21888242871839275222246405745257275088548364400416034343698204186575808495617n;
+var T = 3;
+var FULL_ROUNDS = 8;
+var PARTIAL_ROUNDS = 57;
+var TOTAL_ROUNDS = FULL_ROUNDS + PARTIAL_ROUNDS;
+function generateRoundConstants() {
+  const constants = [];
+  for (let round = 0; round < TOTAL_ROUNDS; round++) {
+    const roundConsts = [];
+    for (let j = 0; j < T; j++) {
+      const idx = round * T + j;
+      const hash = sha256String(`poseidon_rc_${idx}`);
+      const value = BigInt("0x" + hash) % FIELD_PRIME;
+      roundConsts.push(value);
+    }
+    constants.push(roundConsts);
+  }
+  return constants;
+}
+var ROUND_CONSTANTS = generateRoundConstants();
+function modInverse(a, p) {
+  a = (a % p + p) % p;
+  if (a === 0n) {
+    throw new Error("No inverse for zero");
+  }
+  let [old_r, r] = [a, p];
+  let [old_s, s] = [1n, 0n];
+  while (r !== 0n) {
+    const quotient = old_r / r;
+    [old_r, r] = [r, old_r - quotient * r];
+    [old_s, s] = [s, old_s - quotient * s];
+  }
+  return (old_s % p + p) % p;
+}
+function buildMDSMatrix() {
+  const matrix = [];
+  for (let i = 0; i < T; i++) {
+    const row = [];
+    for (let j = 0; j < T; j++) {
+      const xi = BigInt(i + 1);
+      const yj = BigInt(T + j + 1);
+      const sum = (xi + yj) % FIELD_PRIME;
+      row.push(modInverse(sum, FIELD_PRIME));
+    }
+    matrix.push(row);
+  }
+  return matrix;
+}
+var MDS_MATRIX = buildMDSMatrix();
+function sbox(x) {
+  const x2 = x * x % FIELD_PRIME;
+  const x4 = x2 * x2 % FIELD_PRIME;
+  return x4 * x % FIELD_PRIME;
+}
+function addRoundConstants(state, round) {
+  const rc = ROUND_CONSTANTS[round];
+  return state.map((s, i) => (s + rc[i]) % FIELD_PRIME);
+}
+function mdsMultiply(state) {
+  const result = new Array(T).fill(0n);
+  for (let i = 0; i < T; i++) {
+    let acc = 0n;
+    for (let j = 0; j < T; j++) {
+      acc = (acc + MDS_MATRIX[i][j] * state[j]) % FIELD_PRIME;
+    }
+    result[i] = acc;
+  }
+  return result;
+}
+function fullRound(state, round) {
+  let s = addRoundConstants(state, round);
+  s = s.map(sbox);
+  return mdsMultiply(s);
+}
+function partialRound(state, round) {
+  let s = addRoundConstants(state, round);
+  s[0] = sbox(s[0]);
+  return mdsMultiply(s);
+}
+function poseidonHash(inputs) {
+  if (inputs.length === 0) {
+    throw new Error("Poseidon hash requires at least one input");
+  }
+  for (let i = 0; i < inputs.length; i++) {
+    const input = inputs[i];
+    if (input < 0n || input >= FIELD_PRIME) {
+      throw new Error(
+        `Input ${i} is out of field range: must be in [0, FIELD_PRIME)`
+      );
+    }
+  }
+  const rate = T - 1;
+  const padded = [...inputs];
+  padded.push(1n);
+  while (padded.length % rate !== 0) {
+    padded.push(0n);
+  }
+  let state = new Array(T).fill(0n);
+  for (let chunk = 0; chunk < padded.length; chunk += rate) {
+    for (let i = 0; i < rate; i++) {
+      state[i] = (state[i] + padded[chunk + i]) % FIELD_PRIME;
+    }
+    state = poseidonPermutation(state);
+  }
+  return state[0];
+}
+function poseidonPermutation(state) {
+  let s = [...state];
+  let round = 0;
+  const halfFull = FULL_ROUNDS / 2;
+  for (let i = 0; i < halfFull; i++) {
+    s = fullRound(s, round);
+    round++;
+  }
+  for (let i = 0; i < PARTIAL_ROUNDS; i++) {
+    s = partialRound(s, round);
+    round++;
+  }
+  for (let i = 0; i < halfFull; i++) {
+    s = fullRound(s, round);
+    round++;
+  }
+  return s;
+}
+function hashToField(hash) {
+  if (hash.length < 2) {
+    throw new Error("Hash string too short for field conversion");
+  }
+  const value = BigInt("0x" + hash);
+  return value % FIELD_PRIME;
+}
+function fieldToHex(value) {
+  if (value < 0n || value >= FIELD_PRIME) {
+    throw new Error("Value out of field range");
+  }
+  return value.toString(16).padStart(64, "0");
+}
+
+// src/index.ts
+function computeAuditCommitment(entries) {
+  if (entries.length === 0) {
+    return fieldToHex(poseidonHash([0n]));
+  }
+  let accumulator = 0n;
+  for (const entry of entries) {
+    const entryField = hashToField(entry.hash);
+    accumulator = poseidonHash([accumulator, entryField]);
+  }
+  return fieldToHex(accumulator);
+}
+function computeConstraintCommitment(constraints) {
+  const constraintHash = sha256String2(constraints);
+  const constraintField = hashToField(constraintHash);
+  const commitment = poseidonHash([constraintField]);
+  return fieldToHex(commitment);
+}
+async function generateComplianceProof(options) {
+  const { covenantId, constraints, auditEntries, proofSystem = "poseidon_hash" } = options;
+  if (!covenantId || covenantId.length === 0) {
+    throw new Error("covenantId is required");
+  }
+  if (!constraints || constraints.length === 0) {
+    throw new Error("constraints string is required");
+  }
+  const auditLogCommitment = computeAuditCommitment(auditEntries);
+  const constraintCommitment = computeConstraintCommitment(constraints);
+  const auditField = hashToField(auditLogCommitment);
+  const constraintField = hashToField(constraintCommitment);
+  const covenantField = hashToField(covenantId);
+  const proofValue = poseidonHash([auditField, constraintField, covenantField]);
+  const proofHex = fieldToHex(proofValue);
+  const publicInputs = [
+    covenantId,
+    auditLogCommitment,
+    constraintCommitment,
+    String(auditEntries.length)
+  ];
+  return {
+    version: "1.0",
+    covenantId,
+    auditLogCommitment,
+    constraintCommitment,
+    proof: proofHex,
+    publicInputs,
+    proofSystem,
+    generatedAt: timestamp(),
+    entryCount: auditEntries.length
+  };
+}
+async function verifyComplianceProof(proof) {
+  const errors = [];
+  if (proof.version !== "1.0") {
+    errors.push(`Unsupported proof version: ${proof.version}`);
+  }
+  if (!proof.covenantId || proof.covenantId.length === 0) {
+    errors.push("Missing covenantId");
+  }
+  if (!proof.auditLogCommitment || proof.auditLogCommitment.length === 0) {
+    errors.push("Missing auditLogCommitment");
+  }
+  if (!proof.constraintCommitment || proof.constraintCommitment.length === 0) {
+    errors.push("Missing constraintCommitment");
+  }
+  if (!proof.proof || proof.proof.length === 0) {
+    errors.push("Missing proof value");
+  }
+  if (proof.proofSystem !== "poseidon_hash" && proof.proofSystem !== "groth16" && proof.proofSystem !== "plonk") {
+    errors.push(`Unsupported proof system: ${proof.proofSystem}`);
+  }
+  if (typeof proof.entryCount !== "number" || proof.entryCount < 0) {
+    errors.push(`Invalid entryCount: ${proof.entryCount}`);
+  }
+  if (!proof.generatedAt || proof.generatedAt.length === 0) {
+    errors.push("Missing generatedAt timestamp");
+  }
+  if (!Array.isArray(proof.publicInputs)) {
+    errors.push("publicInputs must be an array");
+    return {
+      valid: false,
+      covenantId: proof.covenantId ?? "",
+      entryCount: proof.entryCount ?? 0,
+      errors
+    };
+  }
+  if (proof.publicInputs.length !== 4) {
+    errors.push(
+      `publicInputs must have exactly 4 elements, got ${proof.publicInputs.length}`
+    );
+  }
+  if (proof.publicInputs.length === 4) {
+    const [piCovenantId, piAuditCommitment, piConstraintCommitment, piEntryCount] = proof.publicInputs;
+    if (piCovenantId !== proof.covenantId) {
+      errors.push(
+        `publicInputs[0] (covenantId) mismatch: expected ${proof.covenantId}, got ${piCovenantId}`
+      );
+    }
+    if (piAuditCommitment !== proof.auditLogCommitment) {
+      errors.push(
+        `publicInputs[1] (auditLogCommitment) mismatch: expected ${proof.auditLogCommitment}, got ${piAuditCommitment}`
+      );
+    }
+  }
+  if (proof.publicInputs.length === 4) {
+    const [, , piConstraintCommitment, piEntryCount] = proof.publicInputs;
+    if (piConstraintCommitment !== proof.constraintCommitment) {
+      errors.push(
+        `publicInputs[2] (constraintCommitment) mismatch: expected ${proof.constraintCommitment}, got ${piConstraintCommitment}`
+      );
+    }
+    if (piEntryCount !== String(proof.entryCount)) {
+      errors.push(
+        `publicInputs[3] (entryCount) mismatch: expected ${proof.entryCount}, got ${piEntryCount}`
+      );
+    }
+  }
+  if (proof.proofSystem === "poseidon_hash" && errors.length === 0) {
+    try {
+      const auditField = hashToField(proof.auditLogCommitment);
+      const constraintField = hashToField(proof.constraintCommitment);
+      const covenantField = hashToField(proof.covenantId);
+      const expectedProof = poseidonHash([auditField, constraintField, covenantField]);
+      const expectedHex = fieldToHex(expectedProof);
+      if (expectedHex !== proof.proof) {
+        errors.push(
+          `Proof value mismatch: recomputed ${expectedHex}, got ${proof.proof}`
+        );
+      }
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      errors.push(`Error recomputing proof: ${message}`);
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    covenantId: proof.covenantId ?? "",
+    entryCount: proof.entryCount ?? 0,
+    errors
+  };
+}
+export {
+  FIELD_PRIME,
+  computeAuditCommitment,
+  computeConstraintCommitment,
+  fieldToHex,
+  generateComplianceProof,
+  hashToField,
+  poseidonHash,
+  verifyComplianceProof
+};

package/dist/poseidon.d.ts

@@ -0,0 +1,33 @@
+import type { HashHex } from '@nobulex/crypto';
+/**
+ * BN254 (alt_bn128) scalar field prime.
+ * This is the standard prime used in Ethereum precompile-compatible ZK circuits.
+ */
+export declare const FIELD_PRIME = 21888242871839275222246405745257275088548364400416034343698204186575808495617n;
+/**
+ * Poseidon hash function (t=3, rate=2).
+ *
+ * Accepts an array of field elements and returns a single field element.
+ * For inputs longer than 2, we use a sponge construction: absorb 2 elements
+ * at a time into the first 2 state positions, then squeeze 1 element out.
+ *
+ * @param inputs - Array of bigint field elements (each must be < FIELD_PRIME)
+ * @returns A single bigint field element (the hash)
+ */
+export declare function poseidonHash(inputs: bigint[]): bigint;
+/**
+ * Convert a hex-encoded hash (e.g., SHA-256 output) to a BN254 field element.
+ *
+ * Takes the first 31 bytes (248 bits) of the hash to ensure the result
+ * is always less than FIELD_PRIME (~254 bits but with leading structure).
+ * Then reduces mod FIELD_PRIME for safety.
+ *
+ * @param hash - Hex-encoded hash string (at least 62 hex chars / 31 bytes)
+ * @returns A bigint in the BN254 scalar field
+ */
+export declare function hashToField(hash: HashHex): bigint;
+/**
+ * Convert a bigint field element to a hex string (zero-padded to 64 chars).
+ */
+export declare function fieldToHex(value: bigint): string;
+//# sourceMappingURL=poseidon.d.ts.map

package/dist/poseidon.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"poseidon.d.ts","sourceRoot":"","sources":["../src/poseidon.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAE/C;;;GAGG;AACH,eAAO,MAAM,WAAW,iFACwD,CAAC;AAqKjF;;;;;;;;;GASG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,CA0CrD;AAiCD;;;;;;;;;GASG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,CASjD;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAKhD"}

package/dist/types.d.ts

@@ -0,0 +1,67 @@
+import type { HashHex } from '@nobulex/crypto';
+/**
+ * A zero-knowledge compliance proof attesting that audit log entries
+ * satisfy the constraints defined in a covenant.
+ */
+export interface ComplianceProof {
+    /** Schema version for forward compatibility */
+    version: '1.0';
+    /** The covenant this proof is generated for */
+    covenantId: HashHex;
+    /** Poseidon commitment over all audit log entries */
+    auditLogCommitment: HashHex;
+    /** Poseidon commitment over the constraint set */
+    constraintCommitment: HashHex;
+    /** The proof value (Poseidon hash of commitments for v0.1) */
+    proof: string;
+    /** Public inputs visible to any verifier */
+    publicInputs: string[];
+    /** Which proof system was used */
+    proofSystem: 'poseidon_hash' | 'groth16' | 'plonk';
+    /** ISO 8601 timestamp when the proof was generated */
+    generatedAt: string;
+    /** Number of audit entries covered by this proof */
+    entryCount: number;
+}
+/**
+ * Result of verifying a compliance proof.
+ */
+export interface ProofVerificationResult {
+    /** Whether the proof is valid */
+    valid: boolean;
+    /** The covenant the proof claims to cover */
+    covenantId: HashHex;
+    /** Number of entries covered */
+    entryCount: number;
+    /** Detailed error messages if verification failed */
+    errors: string[];
+}
+/**
+ * Options for generating a compliance proof.
+ */
+export interface ProofGenerationOptions {
+    /** The covenant ID to bind this proof to */
+    covenantId: HashHex;
+    /** The constraint definitions (CCL source or canonical string) */
+    constraints: string;
+    /** Audit log entries to prove compliance over */
+    auditEntries: AuditEntryData[];
+    /** Proof system to use (only poseidon_hash in v0.1) */
+    proofSystem?: 'poseidon_hash';
+}
+/**
+ * Minimal audit entry data needed for proof generation.
+ */
+export interface AuditEntryData {
+    /** The action that was taken */
+    action: string;
+    /** The resource the action targeted */
+    resource: string;
+    /** The enforcement outcome */
+    outcome: 'EXECUTED' | 'DENIED' | 'IMPOSSIBLE';
+    /** ISO 8601 timestamp of the action */
+    timestamp: string;
+    /** SHA-256 hash of the full audit entry */
+    hash: HashHex;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAE/C;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,+CAA+C;IAC/C,OAAO,EAAE,KAAK,CAAC;IACf,+CAA+C;IAC/C,UAAU,EAAE,OAAO,CAAC;IACpB,qDAAqD;IACrD,kBAAkB,EAAE,OAAO,CAAC;IAC5B,kDAAkD;IAClD,oBAAoB,EAAE,OAAO,CAAC;IAC9B,8DAA8D;IAC9D,KAAK,EAAE,MAAM,CAAC;IACd,4CAA4C;IAC5C,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,kCAAkC;IAClC,WAAW,EAAE,eAAe,GAAG,SAAS,GAAG,OAAO,CAAC;IACnD,sDAAsD;IACtD,WAAW,EAAE,MAAM,CAAC;IACpB,oDAAoD;IACpD,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,iCAAiC;IACjC,KAAK,EAAE,OAAO,CAAC;IACf,6CAA6C;IAC7C,UAAU,EAAE,OAAO,CAAC;IACpB,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,qDAAqD;IACrD,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,4CAA4C;IAC5C,UAAU,EAAE,OAAO,CAAC;IACpB,kEAAkE;IAClE,WAAW,EAAE,MAAM,CAAC;IACpB,iDAAiD;IACjD,YAAY,EAAE,cAAc,EAAE,CAAC;IAC/B,uDAAuD;IACvD,WAAW,CAAC,EAAE,eAAe,CAAC;CAC/B;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,gCAAgC;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,uCAAuC;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB,8BAA8B;IAC9B,OAAO,EAAE,UAAU,GAAG,QAAQ,GAAG,YAAY,CAAC;IAC9C,uCAAuC;IACvC,SAAS,EAAE,MAAM,CAAC;IAClB,2CAA2C;IAC3C,IAAI,EAAE,OAAO,CAAC;CACf"}

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@nobulex/proof",
+  "version": "0.1.0",
+  "description": "Proof generation and verification for the Stele covenant framework",
+  "license": "MIT",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "sideEffects": false,
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/agbusiness195/Stele.git",
+    "directory": "packages/proof"
+  },
+  "keywords": [
+    "stele",
+    "covenant",
+    "ai-accountability",
+    "proof",
+    "verification",
+    "merkle"
+  ],
+  "scripts": {
+    "build": "tsup src/index.ts --format cjs,esm && tsc --emitDeclarationOnly --outDir dist",
+    "typecheck": "tsc --noEmit",
+    "bundle": "tsup src/index.ts --format cjs,esm",
+    "dev": "tsup src/index.ts --format cjs,esm --watch",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "@nobulex/crypto": "0.1.0",
+    "@nobulex/ccl": "0.1.0"
+  }
+}