@primust/verifier 1.0.0 → 1.1.0

package/dist/verifier.js

@@ -1,1235 +0,0 @@
-/**
- * primust-verify — Offline VPEC artifact verifier.
- *
- * ZERO runtime dependencies on Primust infrastructure after initial
- * public key fetch. Must verify a VPEC produced today in 10 years.
- *
- * Verification steps (in order):
- * 1. Schema validation
- * 2. SHA-256 integrity + Ed25519 signature (combined)
- * 3. Kid resolution
- * 4. Signer status check (Rekor — stubbed in v1)
- * 5. RFC 3161 timestamp verification (stubbed in v1)
- * 6. Proof level integrity
- * 7. Manifest hash audit
- * 8. ZK proof verification (stubbed in v1)
- * 9. test_mode check
- */
-import { createHash, createPublicKey } from 'node:crypto';
-import { canonical, verify as ed25519Verify, validateArtifact, fromBase64Url, BN254_MODULUS, } from '@primust/artifact-core';
-import { poseidon2Hash } from '@zkpassport/poseidon2';
-import { sha256 } from '@noble/hashes/sha256';
-import { getKey } from './key-cache.js';
-/**
- * Check recursively for reliance_mode field anywhere in the artifact.
- */
-function hasRelianceMode(obj, path = '') {
-    for (const [key, value] of Object.entries(obj)) {
-        const currentPath = path ? `${path}.${key}` : key;
-        if (key === 'reliance_mode') {
-            return currentPath;
-        }
-        if (value && typeof value === 'object' && !Array.isArray(value)) {
-            const found = hasRelianceMode(value, currentPath);
-            if (found)
-                return found;
-        }
-    }
-    return null;
-}
-/**
- * Build a default (failed/empty) VerificationResult from an artifact dict.
- */
-function baseResult(artifact) {
-    const sig = artifact.signature;
-    const issuer = artifact.issuer;
-    const proofDist = artifact.proof_distribution;
-    const coverage = artifact.coverage;
-    const gaps = Array.isArray(artifact.gaps) ? artifact.gaps : [];
-    return {
-        vpec_id: artifact.vpec_id ?? '',
-        valid: false,
-        schema_version: artifact.schema_version ?? '',
-        proof_level: artifact.proof_level ?? '',
-        proof_distribution: proofDist ?? {},
-        org_id: artifact.org_id ?? '',
-        workflow_id: artifact.workflow_id ?? '',
-        process_context_hash: artifact.process_context_hash ?? null,
-        partial: artifact.partial ?? false,
-        test_mode: artifact.test_mode ?? false,
-        signer_id: issuer?.signer_id ?? sig?.signer_id ?? '',
-        kid: issuer?.kid ?? sig?.kid ?? '',
-        signed_at: sig?.signed_at ?? '',
-        timestamp_anchor_valid: null,
-        rekor_status: 'skipped',
-        zk_proof_valid: null,
-        commitment_root_valid: null,
-        manifest_hashes: {},
-        gaps: gaps.map((g) => ({
-            gap_id: g.gap_id ?? '',
-            gap_type: g.gap_type ?? '',
-            severity: g.severity ?? '',
-        })),
-        violations_present: false,
-        violation_count: 0,
-        coverage: coverage ?? {},
-        errors: [],
-        warnings: [],
-    };
-}
-function signatureBody(artifact) {
-    const { signature: _sig, ...documentBody } = artifact;
-    void _sig;
-    return documentBody;
-}
-function timestampBody(artifact) {
-    const { signature: _sig, timestamp_anchor: _ts, ...documentBody } = artifact;
-    void _sig;
-    void _ts;
-    return documentBody;
-}
-/**
- * Verify a VPEC artifact.
- *
- * @param artifact               - Parsed artifact JSON (Record<string, unknown>)
- * @param options                - Verification options
- * @param upstreamRootResolver   - Optional synchronous resolver returning
- *   the PARENT VPEC's `commitment_root_poseidon2` for a given upstream
- *   VPEC envelope ID. When provided, governance_upstream_vpec_inclusion
- *   proofs are anchored to `Poseidon2(lineage_commitment(child_run_id,
- *   upstream_vpec_ids), parentRoot)` — the same reduction
- *   `PolicySnapshotService.openRun` performs at issuance. When omitted,
- *   the verifier falls back to anchoring against the artifact's own
- *   `commitment_root_poseidon2` (legacy behavior — preserves backward
- *   compat for callers that lack upstream-store context).
- * @returns VerificationResult with errors/warnings
- */
-export async function verify(artifact, options = {}, upstreamRootResolver) {
-    const result = baseResult(artifact);
-    const { production = false, skip_network = false, trust_root } = options;
-    // ── Step 1: Schema validation ──
-    const schemaResult = validateArtifact(artifact);
-    if (!schemaResult.valid) {
-        for (const err of schemaResult.errors) {
-            if (err.code === 'RELIANCE_MODE_FORBIDDEN') {
-                result.errors.push('banned_field_reliance_mode');
-            }
-            else if (err.code === 'MANIFEST_HASHES_NOT_MAP') {
-                result.errors.push('manifest_hashes_not_object');
-            }
-            else {
-                result.errors.push(`schema_validation_failed: ${err.code}`);
-            }
-        }
-        return result;
-    }
-    // Extra check: reliance_mode anywhere (validateArtifact already catches this,
-    // but we ensure the specific error string)
-    const reliancePath = hasRelianceMode(artifact);
-    if (reliancePath) {
-        result.errors.push('banned_field_reliance_mode');
-        return result;
-    }
-    // ── Step 4 (early): Kid resolution — issuer.kid must match signature.kid ──
-    const issuer = artifact.issuer;
-    const sig = artifact.signature;
-    if (!issuer || !sig) {
-        result.errors.push('missing_issuer_or_signature');
-        return result;
-    }
-    if (issuer.kid !== sig.kid) {
-        result.errors.push('kid_mismatch');
-        return result;
-    }
-    // ── Step 2+3: Integrity + Ed25519 signature verification ──
-    // The signing process signs the artifact body (everything except 'signature').
-    // We reconstruct the document by stripping the signature field.
-    const documentBody = signatureBody(artifact);
-    // Resolve public key
-    let publicKeyB64Url;
-    try {
-        const pem = await getKey(sig.kid, issuer.public_key_url, trust_root);
-        // PEM may be raw base64url or PEM-wrapped. Handle both.
-        publicKeyB64Url = extractKeyFromPem(pem);
-    }
-    catch (err) {
-        result.errors.push(err.message);
-        return result;
-    }
-    const signatureEnvelope = {
-        signer_id: sig.signer_id,
-        kid: sig.kid,
-        algorithm: sig.algorithm,
-        signature: sig.signature,
-        signed_at: sig.signed_at,
-    };
-    const sigValid = ed25519Verify(documentBody, signatureEnvelope, publicKeyB64Url);
-    if (!sigValid) {
-        result.errors.push('integrity_check_failed');
-        return result;
-    }
-    // ── Step 5: Signer status check (Rekor) ──
-    if (skip_network) {
-        result.rekor_status = 'skipped';
-    }
-    else {
-        result.rekor_status = await checkRekor(publicKeyB64Url, sig.kid);
-        if (result.rekor_status === 'unavailable') {
-            result.warnings.push('rekor_check_unavailable');
-        }
-        else if (result.rekor_status === 'revoked') {
-            result.errors.push('signer_key_revoked');
-            return result;
-        }
-    }
-    // ── Step 6: RFC 3161 timestamp verification ──
-    const tsAnchor = artifact.timestamp_anchor;
-    if (tsAnchor && tsAnchor.type === 'rfc3161' && typeof tsAnchor.value === 'string') {
-        result.timestamp_anchor_valid = verifyTimestampImprint(tsAnchor.value, timestampBody(artifact));
-        if (result.timestamp_anchor_valid === false) {
-            result.warnings.push('rfc3161_imprint_mismatch');
-        }
-        else if (result.timestamp_anchor_valid === true) {
-            result.warnings.push('rfc3161_tsa_cert_chain_not_verified');
-        }
-    }
-    else {
-        result.timestamp_anchor_valid = null;
-    }
-    // ── Step 7: Proof level integrity ──
-    // Already checked by validateArtifact in step 1 (PROOF_LEVEL_MISMATCH),
-    // but we verify again explicitly for the spec requirement.
-    const proofDist = artifact.proof_distribution;
-    if (artifact.proof_level !== proofDist.weakest_link) {
-        result.errors.push('proof_level_mismatch');
-        return result;
-    }
-    // ── Step 8: Manifest hash audit ──
-    const manifestHashes = artifact.manifest_hashes;
-    result.manifest_hashes = manifestHashes;
-    // ── Step 8b: Commitment root validation ──
-    if (artifact.commitment_root != null) {
-        const commitmentRoot = artifact.commitment_root;
-        const checkRecords = artifact.check_execution_records;
-        // Extract commitment hashes from check execution records
-        const hashes = [];
-        if (Array.isArray(checkRecords)) {
-            for (const rec of checkRecords) {
-                const h = (rec.commitment_hash ?? rec.input_commitment_hash);
-                if (h)
-                    hashes.push(h);
-            }
-        }
-        if (hashes.length > 0) {
-            const recomputed = computeMerkleRoot(hashes);
-            if (recomputed === commitmentRoot) {
-                result.commitment_root_valid = true;
-            }
-            else {
-                result.commitment_root_valid = false;
-                result.errors.push('commitment_root_mismatch');
-                return result;
-            }
-        }
-        else {
-            // commitment_root present but no hashes to verify against
-            result.commitment_root_valid = null;
-            result.warnings.push('commitment_root_no_hashes_to_verify');
-        }
-    }
-    else {
-        result.commitment_root_valid = null;
-        result.warnings.push('no_commitment_root');
-    }
-    // ── Step 8c: skip_condition_proof commitment_root anchoring ──
-    // Founder review Finding 5 (post-PR #49): the witness builder now
-    // produces a real Merkle path from the skipped record's slot up to a
-    // modified-tree root. The verifier reproduces the same modified root
-    // from the artifact's check_execution_records and the proof's
-    // skip_condition_hash, then asserts equality with the public input.
-    //
-    // For each `check_result === 'skipped'` record, the modified tree
-    // overrides that record's leaf with
-    //   leaf' = Poseidon2(skip_condition_hash, record.commitment_hash)
-    // and walks Poseidon2 sibling pairs up to the root. Verifier accepts
-    // if ANY skipped record produces a modified root that matches the
-    // proof's commitment_root public input — covers single-skip and
-    // multi-skip runs (the latter where the proof binds to one of
-    // several skipped records).
-    //
-    // Single-record runs collapse: the modified root is the leaf override
-    // itself, and the witness uses the 1-level fallback. Both still
-    // checkable.
-    //
-    // Backward compatibility: this branch handles both legacy single-leaf
-    // shape (commitment_root = leaf override) and the new multi-record
-    // shape (commitment_root = modified-tree root). The verifier doesn't
-    // need to know which one the witness produced — it just iterates
-    // skipped records and compares.
-    const skipAnchorResult = verifySkipConditionProofAnchoring(artifact);
-    if (skipAnchorResult === 'mismatch') {
-        result.errors.push('skip_condition_proof_root_mismatch');
-        return result;
-    }
-    if (skipAnchorResult === 'no_proof_artifact_for_multi_record_artifact') {
-        result.errors.push('skip_condition_proof_no_proof_artifact_for_multi_record_artifact');
-        return result;
-    }
-    if (skipAnchorResult === 'unanchored') {
-        result.warnings.push('skip_condition_proof_no_skipped_record_to_anchor');
-    }
-    // ── Step 8d: governance_upstream_vpec_inclusion / merkle_inclusion anchoring ──
-    //
-    // Mirrors Step 8c for upstream-VPEC inclusion proofs. When the artifact
-    // emits per-circuit ZK proofs in `proof_artifacts[]` (production wire
-    // shape on multi-record runs), the verifier walks EVERY matching entry
-    // and reproduces the merkle_root anchor from the artifact's
-    // commitment_root_poseidon2 (or the entry's bound merkle_root).
-    //
-    // Closes Gap 1 / Gap 2 of the post-PR #70 corrective: the
-    // governance.upstream_vpec ZK proof's public commitment_root MUST equal
-    // the upstream VPEC's commitment_root_poseidon2 (NOT its SHA-256
-    // commitment_root, which is over a different domain). Without this
-    // check, a downstream consumer cannot tell whether the Merkle inclusion
-    // proof is anchored to the real upstream tree or to a fabricated root.
-    //
-    // Rejection: for multi-record artifacts (>1 check_execution_records)
-    // without any `proof_artifacts[]` entry AND no top-level `zk_proof` of
-    // a matching circuit, the verifier MUST refuse — the 1-level fallback
-    // would silently accept a proof whose anchor was never bound. Single-
-    // record artifacts that only carry the legacy top-level `zk_proof`
-    // are still acceptable for backward compat.
-    //
-    // For cross-org chains, the verifier depends on the upstream VPEC
-    // envelope being available; the helper returns 'unanchored' in that
-    // case so the caller can warn rather than fail (cross-org anchor is
-    // checked at the boundary, not here).
-    const upstreamAnchorResult = verifyUpstreamVpecInclusionAnchoring(artifact, upstreamRootResolver);
-    if (upstreamAnchorResult === 'mismatch') {
-        result.errors.push('upstream_vpec_proof_root_mismatch');
-        return result;
-    }
-    if (upstreamAnchorResult === 'no_proof_artifact_for_multi_record_artifact') {
-        result.errors.push('upstream_vpec_inclusion_no_proof_artifact_for_multi_record_artifact');
-        return result;
-    }
-    if (upstreamAnchorResult === 'unanchored') {
-        result.warnings.push('upstream_vpec_proof_no_anchor_root_in_artifact');
-    }
-    // ── Step 9: ZK proof verification ──
-    const pendingFlags = artifact.pending_flags;
-    const proofPending = pendingFlags?.proof_pending === true;
-    const proofArtifacts = Array.isArray(artifact.proof_artifacts)
-        ? artifact.proof_artifacts
-        : [];
-    if (artifact.zk_proof && !proofPending) {
-        const zkProof = artifact.zk_proof;
-        // Accept both 'prover_system' (canonical) and 'proving_system' (legacy)
-        const provingSystem = (zkProof.prover_system ?? zkProof.proving_system);
-        if (provingSystem === 'ultrahonk') {
-            result.zk_proof_valid = await verifyUltraHonk(zkProof);
-            if (result.zk_proof_valid === false) {
-                result.errors.push('zk_proof_invalid');
-            }
-        }
-        else if (provingSystem === 'ezkl') {
-            // EZKL Tier 2: explicit stub — requires EZKL verifier integration
-            result.zk_proof_valid = null;
-            result.warnings.push('ezkl_verification_not_implemented');
-        }
-        else {
-            result.zk_proof_valid = null;
-            result.warnings.push(`unknown_proving_system: ${provingSystem ?? 'none'}`);
-        }
-    }
-    else if (proofPending) {
-        // Proof in flight — cannot verify yet
-        result.zk_proof_valid = null;
-        result.warnings.push('proof_pending');
-    }
-    else {
-        result.zk_proof_valid = null;
-    }
-    // ── Step 9b: ZK proof integrity ──
-    // If a ZK proof was present but failed verification → error.
-    // If a ZK proof was present but verifier unavailable → warning.
-    // If no ZK proof → valid (mathematical level from deterministic rules
-    // is established through commitment chain + policy hash binding).
-    if (result.zk_proof_valid === false) {
-        result.errors.push('zk_proof_verification_failed');
-        return result;
-    }
-    if (artifact.zk_proof && result.zk_proof_valid === null) {
-        result.warnings.push('zk_proof_verifier_unavailable');
-    }
-    if (proofArtifacts.length > 0) {
-        const pendingArtifacts = proofArtifacts.filter((artifactEntry) => artifactEntry.verification_status === 'pending').length;
-        const failedArtifacts = proofArtifacts.filter((artifactEntry) => artifactEntry.verification_status === 'failed').length;
-        const verifiedArtifacts = proofArtifacts.filter((artifactEntry) => artifactEntry.verification_status === 'verified').length;
-        if (pendingArtifacts > 0) {
-            result.warnings.push(`proof_artifacts_pending:${pendingArtifacts}`);
-        }
-        if (failedArtifacts > 0) {
-            result.warnings.push(`proof_artifacts_failed:${failedArtifacts}`);
-        }
-        if (!artifact.zk_proof) {
-            result.warnings.push(`proof_artifacts_present:${verifiedArtifacts}`);
-        }
-    }
-    // ── Step 10: test_mode check ──
-    if (artifact.test_mode === true) {
-        if (production) {
-            result.errors.push('test_mode_rejected_in_production');
-            return result;
-        }
-        result.warnings.push('test_credential');
-    }
-    // ── Step 11: Violations surface verification ──
-    const violations = artifact.violations;
-    if (Array.isArray(violations) && violations.length > 0) {
-        result.violations_present = true;
-        result.violation_count = violations.length;
-    }
-    else {
-        // Backward compatible: treat missing/empty violations as 0
-        result.violations_present = false;
-        result.violation_count = 0;
-    }
-    // Verify governance_decision_summary includes deferred if present
-    const gdSummary = artifact.governance_decision_summary;
-    if (gdSummary && typeof gdSummary === 'object') {
-        // Ensure deferred key is present (default 0 for backward compatibility)
-        if (!('deferred' in gdSummary)) {
-            result.warnings.push('governance_decision_summary_missing_deferred');
-        }
-    }
-    // F6 (review-pass-2) — v29 conformance check. When the artifact carries
-    // v29 envelope shape (envelope_version + run_header.records), run the
-    // dedicated conformance battery so dashboard/browser verification
-    // catches v29-specific tampering (record kind/trust-edge enums,
-    // aggregations reproduction, manifest hashes, runtime binding hash,
-    // signed_at window, manifest cross-checks, aggregations, scope-claim
-    // hash). The Py CLI runs this same path; without it, TS verifiers
-    // pass shape-valid envelopes that fail offline conformance.
-    if (artifact.envelope_version != null && (artifact.run_header || artifact.records)) {
-        try {
-            const { verifyV29 } = await import('./v29-envelope.js');
-            const shapeEnvelope = {
-                envelope_version: artifact.envelope_version,
-                run_header: artifact.run_header ?? {},
-                // Mirror the Py CLI's read-side fallback (envelope_records shim
-                // for envelopes signed before the legacy records → envelope.records
-                // rename landed).
-                records: artifact.records ??
-                    artifact.envelope_records ??
-                    [],
-                aggregations: artifact.aggregations ?? {},
-            };
-            const rh = shapeEnvelope.run_header ?? {};
-            const rb = rh.runtime_binding;
-            const v29Result = verifyV29({
-                envelope: shapeEnvelope,
-                runtimeBinding: rb,
-                // Pubkey resolver wiring is deferred — when the trust-root path
-                // is wired the CLI will pass one, and require_signatures: true
-                // will then enforce the strict-mode preconditions.
-            });
-            if (!v29Result.ok) {
-                result.errors.push(`v29_conformance_failed:${v29Result.reasonCode}`);
-            }
-        }
-        catch (e) {
-            // Defensive — if the v29 module fails to import (very old env),
-            // record a warning rather than blocking legacy VPEC verification.
-            result.warnings.push(`v29_conformance_error:${e.message}`);
-        }
-    }
-    // All checks passed
-    result.valid = result.errors.length === 0;
-    return result;
-}
-/**
- * Compute a Merkle root from an array of hash strings.
- *
- * Each hash is expected as "sha256:<hex>" or raw hex.
- * Returns "sha256:<hex>" root.
- */
-function computeMerkleRoot(hashes) {
-    // Convert hash strings to 32-byte Buffers
-    let leaves = hashes.map((h) => {
-        const hex = h.startsWith('sha256:') ? h.slice(7) : h;
-        return Buffer.from(hex, 'hex');
-    });
-    // Build binary Merkle tree
-    while (leaves.length > 1) {
-        // If odd number of leaves, duplicate last
-        if (leaves.length % 2 !== 0) {
-            leaves.push(leaves[leaves.length - 1]);
-        }
-        const next = [];
-        for (let i = 0; i < leaves.length; i += 2) {
-            const combined = Buffer.concat([leaves[i], leaves[i + 1]]);
-            next.push(createHash('sha256').update(combined).digest());
-        }
-        leaves = next;
-    }
-    return 'sha256:' + leaves[0].toString('hex');
-}
-/**
- * Parse a Poseidon2 hash string ("poseidon2:<64-hex>") to a BN254 field element.
- * Returns null if the input does not have the expected shape.
- */
-function parsePoseidon2HashToField(hash) {
-    if (typeof hash !== 'string')
-        return null;
-    const colonIdx = hash.indexOf(':');
-    if (colonIdx === -1)
-        return null;
-    const algorithm = hash.slice(0, colonIdx);
-    if (algorithm !== 'poseidon2')
-        return null;
-    const hex = hash.slice(colonIdx + 1);
-    if (!/^[0-9a-f]+$/i.test(hex))
-        return null;
-    try {
-        return BigInt('0x' + hex) % BN254_MODULUS;
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Format a BN254 field element back as a poseidon2:hex string with the
- * canonical 64-char zero-padded representation used everywhere else in
- * the codebase.
- */
-function formatPoseidon2Field(field) {
-    return 'poseidon2:' + field.toString(16).padStart(64, '0');
-}
-/**
- * Extract the (skip_condition_hash, commitment_root) pair from the artifact's
- * zk_proof.public_inputs. The Noir circuit at
- * `circuits/skip_condition_proof/src/main.nr` declares public inputs in
- * the order [skip_condition_hash, commitment_root], so we read the first
- * two entries.
- */
-function extractSkipConditionPublicInputs(zkProof) {
-    const inputs = zkProof.public_inputs;
-    if (!Array.isArray(inputs) || inputs.length < 2)
-        return null;
-    const skipConditionHash = inputs[0];
-    const commitmentRoot = inputs[1];
-    if (typeof skipConditionHash !== 'string' || typeof commitmentRoot !== 'string') {
-        return null;
-    }
-    return { skipConditionHash, commitmentRoot };
-}
-/**
- * Recompute a modified-tree root for the `skip_condition_proof` circuit.
- *
- * Mirrors `recomputeSkipConditionModifiedRoot` from
- * `@primust/zk-core/src/witnesses/skip_condition_proof.ts`. We
- * intentionally inline the helper rather than depend on @primust/zk-core
- * — the verifier package's invariant is ZERO runtime dependencies on
- * Primust infrastructure after the initial public-key fetch (see file
- * header). The construction:
- *
- *   modifiedLeaves[k*]  = Poseidon2(skip_condition_hash,
- *                                   record.commitment_hash)
- *                         at the skipped slot k*
- *   modifiedLeaves[k]   = record.commitment_hash[k]   for k != k*
- *
- * then walks layered Poseidon2 pairs up to a single root. Single-leaf
- * trees collapse to the override leaf itself (matches the witness
- * builder's fallback path).
- *
- * Returns null if any of the leaf hashes fail to parse — signals the
- * caller to treat that skipped record as un-anchorable.
- */
-function recomputeSkipConditionModifiedRoot(skipConditionField, leaves, skippedIndex) {
-    if (leaves.length === 0)
-        return null;
-    if (skippedIndex < 0 || skippedIndex >= leaves.length)
-        return null;
-    const overrideLeaf = poseidon2Hash([
-        skipConditionField,
-        leaves[skippedIndex],
-    ]);
-    if (leaves.length === 1)
-        return overrideLeaf;
-    let layer = leaves.map((leaf, i) => i === skippedIndex ? overrideLeaf : leaf);
-    while (layer.length > 1) {
-        const next = [];
-        for (let i = 0; i < layer.length; i += 2) {
-            const left = layer[i];
-            const right = i + 1 < layer.length ? layer[i + 1] : layer[i];
-            next.push(poseidon2Hash([left, right]));
-        }
-        layer = next;
-    }
-    return layer[0];
-}
-/**
- * Verify the commitment_root of a `skip_condition_proof` zk_proof against
- * the artifact's full record-tree, with leaf override at each skipped
- * record's slot.
- *
- * For each `check_result === 'skipped'` record, the verifier reproduces
- * the modified-tree root the witness builder would have produced (see
- * `buildSkipConditionWitness`'s full-path branch) and asserts equality
- * with the proof's `commitment_root` public input. ANY skipped record
- * matching anchors the proof — covers single-skip and multi-skip runs.
- *
- * Returns:
- *   - 'ok'         — at least one skipped record's modified-tree root
- *                    matches the proof's commitment_root.
- *   - 'mismatch'   — public inputs are present and the artifact has at
- *                    least one skipped record, but no skipped record's
- *                    modified root matches. Verifier MUST fail.
- *   - 'unanchored' — no `skipped` records on the VPEC, so the proof
- *                    cannot be anchored. Surfaces a warning.
- *   - 'not_applicable' — no skip_condition_proof present, or the proof
- *                    shape didn't match (no public inputs). Skip silently.
- *
- * Note on `commitment_root_poseidon2`:
- *   When the artifact carries `commitment_root_poseidon2`, the verifier
- *   ALSO checks that the artifact's record list reproduces it (the
- *   un-modified Poseidon2 record-tree root) — that pin guarantees the
- *   skipped-record list the verifier iterates is the canonical one.
- *   Absent the field (legacy artifacts pre-Step 1), the verifier still
- *   iterates skipped records and recomputes modified roots; the proof
- *   binds to whatever record list the artifact published, but the
- *   record list itself is anchored only by the SHA-256 commitment_root.
- */
-function verifySkipConditionProofAnchoring(artifact) {
-    const checkRecords = artifact.check_execution_records;
-    const recordCount = Array.isArray(checkRecords) ? checkRecords.length : 0;
-    // Collect all proof bodies whose circuit discriminator is
-    // `skip_condition_proof`. Production multi-record runs emit per-circuit
-    // proofs in `proof_artifacts[]`; legacy single-record runs put a single
-    // proof in `artifact.zk_proof`. We scan BOTH shapes so the verifier
-    // accepts either without forking into two top-level paths.
-    const proofs = collectMatchingProofs(artifact, ['skip_condition_proof']);
-    // Multi-record artifacts MUST carry per-record proofs in
-    // `proof_artifacts[]`. Falling back to the top-level `zk_proof`
-    // single-leaf hash on a multi-record run would silently anchor the
-    // proof to a record list the proof never witnessed — the exact
-    // misuse this gate exists to prevent.
-    if (recordCount > 1 && proofs.fromArray.length === 0) {
-        if (proofs.legacy !== null) {
-            return 'no_proof_artifact_for_multi_record_artifact';
-        }
-        // No matching proof at all → genuinely not_applicable (no anchoring
-        // claim to verify).
-    }
-    const candidates = [...proofs.fromArray];
-    // Single-record artifacts may use the legacy top-level zk_proof; multi-
-    // record artifacts only consider it when proof_artifacts[] also matched
-    // (it would not be reached because of the gate above when array is empty).
-    if (proofs.legacy && (recordCount <= 1 || proofs.fromArray.length > 0)) {
-        candidates.push(proofs.legacy);
-    }
-    if (candidates.length === 0)
-        return 'not_applicable';
-    if (recordCount === 0)
-        return 'unanchored';
-    // Parse all record commitment_hashes once (full leaf set in record
-    // order). Records lacking a parseable commitment_hash are flagged but
-    // we still attempt the iteration — a skipped record with a malformed
-    // hash naturally fails to anchor.
-    const allLeafFields = (checkRecords ?? []).map((rec) => {
-        const h = rec.commitment_hash;
-        return typeof h === 'string' ? parsePoseidon2HashToField(h) : null;
-    });
-    const fullyParsed = allLeafFields.every((f) => f !== null);
-    // Walk EVERY candidate proof. ALL of them must anchor (or the artifact
-    // is rejected). 'ok' returns only when every candidate ties to a
-    // skipped record's modified-tree root.
-    let sawSkippedRecord = false;
-    for (const proof of candidates) {
-        const inputs = extractSkipConditionPublicInputs(proof);
-        if (!inputs)
-            return 'not_applicable';
-        const skipConditionField = parsePoseidon2HashToField(inputs.skipConditionHash);
-        if (skipConditionField === null)
-            return 'not_applicable';
-        const proofRootField = parsePoseidon2HashToField(inputs.commitmentRoot);
-        if (proofRootField === null)
-            return 'not_applicable';
-        let matched = false;
-        for (let i = 0; i < (checkRecords ?? []).length; i++) {
-            const rec = (checkRecords ?? [])[i];
-            if (rec.check_result !== 'skipped')
-                continue;
-            sawSkippedRecord = true;
-            const skippedLeafField = allLeafFields[i];
-            if (skippedLeafField === null)
-                continue;
-            if (fullyParsed && (checkRecords ?? []).length > 1) {
-                const modifiedRoot = recomputeSkipConditionModifiedRoot(skipConditionField, allLeafFields, i);
-                if (modifiedRoot !== null && modifiedRoot === proofRootField) {
-                    matched = true;
-                    break;
-                }
-            }
-            // 1-level fallback for the single-record collapsed shape.
-            const overrideLeaf = poseidon2Hash([
-                skipConditionField,
-                skippedLeafField,
-            ]);
-            if (overrideLeaf === proofRootField) {
-                matched = true;
-                break;
-            }
-        }
-        if (!matched) {
-            if (!sawSkippedRecord)
-                return 'unanchored';
-            return 'mismatch';
-        }
-    }
-    if (!sawSkippedRecord)
-        return 'unanchored';
-    return 'ok';
-}
-/**
- * Canonicalize an arbitrary string to a BN254 field element.
- *
- * Mirrors `parseStringToField` in
- * `@primust/runtime-core/src/utils/lineage_commitment.ts`: SHA-256 the
- * UTF-8 bytes, pack the full 32-byte big-endian digest into a bigint,
- * reduce mod BN254. The verifier package's invariant is ZERO runtime
- * dependencies on Primust infrastructure beyond `@primust/artifact-core`
- * (the wire-format spec) and the public-key fetch path — depending on
- * `@primust/runtime-core` would drag a `better-sqlite3` native binary
- * into a CLI/browser-friendly verifier. The helper is inlined verbatim,
- * not adapted; both sides MUST produce byte-identical field elements.
- */
-function parseStringToFieldLocal(s) {
-    const bytes = new TextEncoder().encode(s);
-    const digest = sha256(bytes);
-    let n = 0n;
-    for (let i = 0; i < 32; i++) {
-        n = (n << 8n) | BigInt(digest[i]);
-    }
-    return n % BN254_MODULUS;
-}
-/**
- * Compute the lineage-commitment leaf for a run with a given list of
- * upstream VPEC IDs.
- *
- * Mirrors `computeLineageCommitment` in
- * `@primust/runtime-core/src/utils/lineage_commitment.ts` byte-for-byte.
- * Both the issuer (PolicySnapshotService.openRun) and the witness
- * dispatcher reduce to this function; the verifier reproduces it locally
- * so the parent-anchored Merkle-root check is a pure-math equality.
- *
- * Output: Poseidon2(parseStringToField(runId),
- *                   ...parseStringToField(upstreamVpecIds))
- *         reduced mod BN254 (poseidon2Hash already returns a field
- *         element).
- */
-function computeLineageCommitmentLocal(runId, upstreamVpecIds) {
-    const inputs = [
-        parseStringToFieldLocal(runId),
-        ...upstreamVpecIds.map(parseStringToFieldLocal),
-    ];
-    return poseidon2Hash(inputs);
-}
-/**
- * Discriminator field on a proof_artifacts[] entry: prefer `circuit_name`
- * (forward-compat surface used by the issuer when emitting per-circuit
- * proofs on multi-record artifacts), fall back to `circuit` (matches
- * the top-level zk_proof shape for entries that mirror the same field).
- */
-function readCircuitName(entry) {
-    const cn = entry.circuit_name;
-    if (typeof cn === 'string' && cn.length > 0)
-        return cn;
-    const c = entry.circuit;
-    if (typeof c === 'string' && c.length > 0)
-        return c;
-    return null;
-}
-/**
- * Scan the artifact for proofs of the requested circuits.
- *
- * Returns:
- *   - fromArray: proof_artifacts[] entries whose circuit discriminator
- *     matches one of `circuitNames`. Each entry is treated as a proof
- *     body for verification purposes; the entry SHOULD carry the same
- *     `public_inputs` shape as a top-level zk_proof. Entries without a
- *     usable proof body are still surfaced (the caller decides whether
- *     to ignore them — e.g. when verification_status === 'pending').
- *   - legacy: the top-level `artifact.zk_proof` if its circuit matches.
- *
- * The scan is shape-agnostic and does NOT mutate the artifact.
- */
-function collectMatchingProofs(artifact, circuitNames) {
-    const wanted = new Set(circuitNames);
-    const fromArray = [];
-    const proofArtifacts = Array.isArray(artifact.proof_artifacts)
-        ? artifact.proof_artifacts
-        : [];
-    for (const entry of proofArtifacts) {
-        if (!entry || typeof entry !== 'object')
-            continue;
-        // Skip non-verified entries — they cannot be the source of a
-        // verifiable anchor (pending or failed proofs do not bind a
-        // commitment_root). 'verified' is the only status that should
-        // contribute to anchoring; absence of the field is treated as
-        // verified for forward-compat.
-        const status = entry.verification_status;
-        if (typeof status === 'string' && status !== 'verified')
-            continue;
-        const name = readCircuitName(entry);
-        if (name && wanted.has(name)) {
-            fromArray.push(entry);
-        }
-    }
-    let legacy = null;
-    const zkProof = artifact.zk_proof;
-    if (zkProof && typeof zkProof === 'object') {
-        const name = readCircuitName(zkProof);
-        if (name && wanted.has(name))
-            legacy = zkProof;
-    }
-    return { fromArray, legacy };
-}
-/**
- * Verify governance_upstream_vpec_inclusion / merkle_inclusion proofs
- * are bound to the artifact's commitment chain.
- *
- * Production multi-record artifacts emit per-circuit proofs in
- * `proof_artifacts[]` rather than in the legacy top-level `zk_proof`
- * field. Walking only `zk_proof` would silently accept artifacts whose
- * inclusion proof was never anchored.
- *
- * Two anchoring modes:
- *
- *   A. Parent-anchored (preferred — Follow-6 fix, Follow-12 chain).
- *      When the caller provides an `upstreamRootResolver` AND the
- *      artifact declares `upstream_vpec_ids` (non-empty), the proof's
- *      merkle_root MUST equal the chain-walk reduction:
- *
- *        node = lineage_commitment(child_run_id, upstream_vpec_ids)
- *        for ancestor_id in upstream_vpec_ids:        // parent-first
- *          node = Poseidon2(node, resolver(ancestor_id))
- *        expected = node
- *
- *      For length=1 this collapses to the legacy
- *      `Poseidon2(lineage, parent_root)` reduction (byte-identical to
- *      Follow-6). For length>1 (capped at 8) it walks every ancestor.
- *      Any missing ancestor → 'unanchored' (cross-org chains verify
- *      boundaries at receive time; here we warn rather than fail).
- *
- *   B. Self-anchored fallback (legacy). When no resolver is provided OR
- *      the artifact has no `upstream_vpec_ids`, fall back to matching
- *      against `artifact.commitment_root_poseidon2` (the child's own
- *      record-tree root) or the entry's own published `merkle_root`.
- *      This branch preserves backward compat for callers that lack
- *      upstream-store context (e.g. the CLI verifier when no SqliteStore
- *      is attached) and for non-upstream inclusion circuits (CVE
- *      inventory etc. that bind to an out-of-band tree).
- *
- * Logic:
- *   1. Collect every `proof_artifacts[]` entry whose
- *      circuit_name (or `circuit`) is `governance_upstream_vpec_inclusion`
- *      or `merkle_inclusion`.
- *   2. For multi-record artifacts (check_execution_records.length > 1),
- *      reject if no matching entry was found AND no top-level zk_proof
- *      of those circuits exists — emit
- *      `no_proof_artifact_for_multi_record_artifact`.
- *   3. For each matching proof, choose the anchoring mode and compare.
- *
- * Returns:
- *   - 'ok' / 'mismatch' / 'unanchored' / 'not_applicable' /
- *     'no_proof_artifact_for_multi_record_artifact'
- */
-/**
- * Match a precomputed expected merkle_root field against every
- * candidate proof's published merkle_root.
- *
- * Public input convention for merkle_inclusion (per
- * packages/zk-core/circuits/merkle_inclusion/src/main.nr):
- *   public_inputs[0] = merkle_root
- *   public_inputs[1] = leaf_exists (must be 1)
- *
- * Entry-level `proof.merkle_root` overrides public_inputs[0] when both
- * are present (cheaper and unambiguous).
- *
- * Returns 'ok' if every candidate matches the expected field, otherwise
- * 'mismatch'. Used by both Mode A priority-1 (artifact-stamped chain
- * roots) and Mode A priority-2 (resolver walk) so the comparison logic
- * stays byte-equivalent across paths.
- */
-function matchCandidatesAgainstExpectedRoot(candidates, expectedRootField) {
-    for (const proof of candidates) {
-        const inputs = proof.public_inputs;
-        let proofMerkleRoot = null;
-        if (Array.isArray(inputs) && inputs.length > 0) {
-            const root = inputs[0];
-            if (typeof root === 'string')
-                proofMerkleRoot = root;
-        }
-        if (typeof proof.merkle_root === 'string') {
-            proofMerkleRoot = proof.merkle_root;
-        }
-        if (proofMerkleRoot === null)
-            return 'mismatch';
-        const proofRootField = parsePoseidon2HashToField(proofMerkleRoot);
-        if (proofRootField === null)
-            return 'mismatch';
-        if (proofRootField !== expectedRootField) {
-            // The bug Follow-6 closes: a proof anchored to the CHILD's own
-            // commitment_root_poseidon2 (which is fabricable) would have
-            // matched in the legacy fallback. The parent-anchored expected
-            // root is the only sound anchor for an upstream-VPEC inclusion
-            // proof.
-            return 'mismatch';
-        }
-    }
-    return 'ok';
-}
-function verifyUpstreamVpecInclusionAnchoring(artifact, upstreamRootResolver) {
-    const checkRecords = artifact.check_execution_records;
-    const recordCount = Array.isArray(checkRecords) ? checkRecords.length : 0;
-    const proofs = collectMatchingProofs(artifact, [
-        'governance_upstream_vpec_inclusion',
-        'merkle_inclusion',
-    ]);
-    if (recordCount > 1 && proofs.fromArray.length === 0) {
-        if (proofs.legacy !== null) {
-            return 'no_proof_artifact_for_multi_record_artifact';
-        }
-    }
-    const candidates = [...proofs.fromArray];
-    if (proofs.legacy && (recordCount <= 1 || proofs.fromArray.length > 0)) {
-        candidates.push(proofs.legacy);
-    }
-    if (candidates.length === 0)
-        return 'not_applicable';
-    // ── Mode A: parent-anchored path (Follow-6) ──
-    //
-    // Triggered when the artifact declares an upstream chain. The proof's
-    // merkle_root MUST equal the parent-first chain reduction
-    //
-    //   node = lineage_commitment(child_run_id, upstream_vpec_ids)
-    //   for ancestor_root in chain_roots:
-    //     node = Poseidon2(node, ancestor_root)
-    //   expected = node    // == topmost ancestor's commitment_root_poseidon2
-    //
-    // Chain-roots resolution priority (parent-first list of fields):
-    //   1. `artifact.upstream_vpec_chain_roots` — when present and
-    //      non-empty, this is the canonical witness/snapshot-stamped list
-    //      (PolicySnapshotService.openRun → witness dispatcher path).
-    //      Length MUST equal `upstream_vpec_ids` length to bind one
-    //      ancestor root per declared upstream id (mirrors
-    //      verifier-py/verifier.py:639-640).
-    //   2. `upstreamRootResolver(vpec_id)` for every id in
-    //      `upstream_vpec_ids` — used when the host injects a local
-    //      upstream-VPEC store but the artifact does not stamp the chain.
-    //   3. Depth-1 legacy fallback handled below in Mode B when neither
-    //      chain_roots nor a resolver is available.
-    //
-    // Note we ONLY engage Mode A when upstream_vpec_ids has at least one
-    // entry; a resolver passed alongside a non-upstream artifact (no
-    // chain) falls back to Mode B as today.
-    const VERIFIER_MAX_CHAIN_DEPTH = 8;
-    const upstreamVpecIdsRaw = artifact.upstream_vpec_ids;
-    const upstreamVpecIds = Array.isArray(upstreamVpecIdsRaw)
-        ? upstreamVpecIdsRaw.filter((x) => typeof x === 'string')
-        : [];
-    const chainRootsRaw = artifact.upstream_vpec_chain_roots;
-    const hasArtifactChainRoots = Array.isArray(chainRootsRaw) && chainRootsRaw.length > 0;
-    if (upstreamVpecIds.length > 0 && hasArtifactChainRoots) {
-        // ── Priority 1: artifact.upstream_vpec_chain_roots ──
-        //
-        // Length mismatch is a hard 'mismatch' (mirrors verifier-py priority
-        // 1: declared chain length disagrees with declared upstream ids ⇒
-        // the proof is bound to a different chain than the artifact claims).
-        if (chainRootsRaw.length !== upstreamVpecIds.length) {
-            return 'mismatch';
-        }
-        // Verifier-side TS cap mirrors the witness builder + policy
-        // snapshot: the Noir circuit supports up to depth 20 but the TS
-        // layer caps at 8 as a safety margin. Beyond the cap we treat the
-        // proof as unanchored rather than risk a partial walk.
-        if (chainRootsRaw.length > VERIFIER_MAX_CHAIN_DEPTH) {
-            return 'unanchored';
-        }
-        const chainFields = [];
-        for (const raw of chainRootsRaw) {
-            if (typeof raw !== 'string' || raw.length === 0)
-                return 'unanchored';
-            const field = parsePoseidon2HashToField(raw);
-            if (field === null)
-                return 'unanchored';
-            chainFields.push(field);
-        }
-        const runId = typeof artifact.run_id === 'string' ? artifact.run_id : '';
-        const lineage = computeLineageCommitmentLocal(runId, upstreamVpecIds);
-        let node = lineage;
-        for (const ancestorField of chainFields) {
-            node = poseidon2Hash([node, ancestorField]);
-        }
-        return matchCandidatesAgainstExpectedRoot(candidates, node);
-    }
-    if (upstreamRootResolver && upstreamVpecIds.length > 0) {
-        // ── Priority 2: resolver-walk (PR #89 path) ──
-        if (upstreamVpecIds.length > VERIFIER_MAX_CHAIN_DEPTH) {
-            return 'unanchored';
-        }
-        const runId = typeof artifact.run_id === 'string' ? artifact.run_id : '';
-        const lineage = computeLineageCommitmentLocal(runId, upstreamVpecIds);
-        // ── Chain-walk anchor (Follow-12) ──
-        //
-        // length === 1: depth-1 single-leaf path. expected = Poseidon2(lineage, parent_root).
-        // length  >  1: depth-N chain walk. Resolve EVERY ancestor's root in
-        //               parent-first order and reduce
-        //                  node = lineage
-        //                  for ancestor_root in chain_roots:
-        //                    node = Poseidon2(node, ancestor_root)
-        //               expected = node // == topmost ancestor's published root
-        //
-        // The reduction MUST match `buildUpstreamVpecInclusionWitness` and
-        // `PolicySnapshotService.openRun`. Any divergence breaks anchoring
-        // for legitimate proofs.
-        let expectedRootField;
-        if (upstreamVpecIds.length === 1) {
-            const directParentId = upstreamVpecIds[0];
-            const parentRoot = upstreamRootResolver(directParentId);
-            if (typeof parentRoot !== 'string' || parentRoot.length === 0) {
-                // Offline-tolerant: parent root not locally available. Cross-org
-                // chains verify the boundary at receive time; here we warn rather
-                // than fail. Caller surfaces this as the
-                // `upstream_vpec_proof_no_anchor_root_in_artifact` warning.
-                return 'unanchored';
-            }
-            const parentRootField = parsePoseidon2HashToField(parentRoot);
-            if (parentRootField === null)
-                return 'unanchored';
-            expectedRootField = poseidon2Hash([lineage, parentRootField]);
-        }
-        else {
-            // Walk every ancestor in parent-first order. If ANY is missing,
-            // emit 'unanchored' (caller surfaces the no-anchor warning) —
-            // matching the depth-1 miss-handling semantics. Partial walks
-            // would silently anchor against a wrong terminal.
-            let node = lineage;
-            for (const ancestorId of upstreamVpecIds) {
-                const root = upstreamRootResolver(ancestorId);
-                if (typeof root !== 'string' || root.length === 0) {
-                    return 'unanchored';
-                }
-                const rootField = parsePoseidon2HashToField(root);
-                if (rootField === null)
-                    return 'unanchored';
-                node = poseidon2Hash([node, rootField]);
-            }
-            expectedRootField = node;
-        }
-        return matchCandidatesAgainstExpectedRoot(candidates, expectedRootField);
-    }
-    // ── Mode B: self-anchored / legacy fallback ──
-    //
-    // Cross-org chain: a proof exists but the artifact carries no
-    // commitment_root_poseidon2 to anchor against AND no per-entry
-    // merkle_root binding. The cross-org boundary verifier checks the
-    // anchor at receive time; here we surface a warning so callers know
-    // the binding wasn't checked locally.
-    const hasArtifactRoot = typeof artifact.commitment_root_poseidon2 === 'string' &&
-        artifact.commitment_root_poseidon2.length > 0;
-    const hasPerEntryRoot = candidates.some((p) => typeof p.merkle_root === 'string');
-    if (!hasArtifactRoot && !hasPerEntryRoot)
-        return 'unanchored';
-    // Acceptable anchors:
-    //   - artifact.commitment_root_poseidon2 (record-tree root)
-    //   - per-entry merkle_root (when the proof binds to an out-of-band
-    //     vulnerability tree root, e.g. CVE inventory)
-    // Either is acceptable per-entry; we accept whichever the prover chose.
-    const artifactRootField = parsePoseidon2HashToField(typeof artifact.commitment_root_poseidon2 === 'string'
-        ? artifact.commitment_root_poseidon2
-        : '');
-    for (const proof of candidates) {
-        // Public input convention for merkle_inclusion (per
-        // packages/zk-core/circuits/merkle_inclusion/src/main.nr):
-        //   public_inputs[0] = merkle_root
-        //   public_inputs[1] = leaf_exists (must be 1)
-        const inputs = proof.public_inputs;
-        let proofMerkleRoot = null;
-        if (Array.isArray(inputs) && inputs.length > 0) {
-            const root = inputs[0];
-            if (typeof root === 'string')
-                proofMerkleRoot = root;
-        }
-        // Entry-level explicit binding: prefer this when the prover ships
-        // it (cheaper than parsing public_inputs and gives a clear field).
-        if (typeof proof.merkle_root === 'string') {
-            proofMerkleRoot = proof.merkle_root;
-        }
-        if (proofMerkleRoot === null)
-            return 'mismatch';
-        const proofRootField = parsePoseidon2HashToField(proofMerkleRoot);
-        let matched = false;
-        // Match path 1: artifact's record-tree Poseidon2 root.
-        if (artifactRootField !== null &&
-            proofRootField !== null &&
-            proofRootField === artifactRootField) {
-            matched = true;
-        }
-        // Match path 2: per-entry merkle_root reproduced verbatim from the
-        // entry's own commitment field. When the prover binds to an
-        // out-of-band tree (CVE inventory etc.) the entry MUST publish the
-        // root it bound to so the verifier can confirm the public input is
-        // the same. Mismatch here is a hard fail.
-        if (!matched && typeof proof.merkle_root === 'string') {
-            // String equality on canonical "poseidon2:hex" form.
-            if (proof.merkle_root === proofMerkleRoot) {
-                // Re-anchor to a per-entry binding: this is informational, not
-                // a true cryptographic anchor unless the entry is itself bound
-                // into the signed VPEC body — which it IS (proof_artifacts[]
-                // is part of the canonical body). So we accept.
-                matched = true;
-            }
-        }
-        if (!matched)
-            return 'mismatch';
-    }
-    return 'ok';
-}
-/**
- * Extract base64url key from PEM or raw base64url string.
- * Handles both PEM-wrapped keys and raw base64url.
- */
-function extractKeyFromPem(pem) {
-    const cleaned = pem.trim();
-    if (cleaned.includes('-----BEGIN')) {
-        try {
-            const jwk = createPublicKey(cleaned).export({ format: 'jwk' });
-            if (jwk.kty === 'OKP' && jwk.crv === 'Ed25519' && typeof jwk.x === 'string') {
-                return jwk.x;
-            }
-        }
-        catch {
-            // Fall through to the legacy normalization path below.
-        }
-        const b64 = cleaned
-            .replace(/-----BEGIN [A-Z ]+-----/g, '')
-            .replace(/-----END [A-Z ]+-----/g, '')
-            .replace(/\s/g, '');
-        return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
-    }
-    return cleaned.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
-}
-// ── RFC 3161 Timestamp Imprint Verification ──
-/**
- * Verify the message imprint inside an RFC 3161 TimeStampResp matches
- * SHA-256(canonical(documentBody)).
- *
- * Parses enough DER to extract the hashed message from the MessageImprint
- * field. Returns true if imprint matches, false if mismatch, null if unparseable.
- */
-function verifyTimestampImprint(tsTokenB64, documentBody) {
-    try {
-        const tsResp = Buffer.from(tsTokenB64, 'base64');
-        // Find SHA-256 OID (2.16.840.1.101.3.4.2.1) in the DER
-        const sha256Oid = Buffer.from([0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01]);
-        const oidIdx = findBuffer(tsResp, sha256Oid);
-        if (oidIdx === -1)
-            return null;
-        // The message imprint hash follows the AlgorithmIdentifier.
-        // After OID + NULL, look for OCTET STRING (0x04) containing 32-byte hash.
-        const searchStart = oidIdx + sha256Oid.length;
-        for (let i = searchStart; i < Math.min(searchStart + 20, tsResp.length - 33); i++) {
-            if (tsResp[i] === 0x04 && tsResp[i + 1] === 0x20) {
-                const extractedHash = tsResp.subarray(i + 2, i + 2 + 32);
-                // Recompute expected hash
-                const canonicalDoc = canonical(documentBody);
-                const expectedHash = createHash('sha256').update(canonicalDoc).digest();
-                return extractedHash.equals(expectedHash);
-            }
-        }
-        return null; // Could not find hash in DER
-    }
-    catch {
-        return null;
-    }
-}
-function findBuffer(haystack, needle) {
-    for (let i = 0; i <= haystack.length - needle.length; i++) {
-        if (haystack.subarray(i, i + needle.length).equals(needle))
-            return i;
-    }
-    return -1;
-}
-// ── Rekor Status Check ──
-const REKOR_API = 'https://rekor.sigstore.dev/api/v1';
-/**
- * Check Rekor for key revocation by querying with SHA-256 fingerprint
- * of the public key bytes.
- */
-async function checkRekor(publicKeyB64Url, kid) {
-    try {
-        // Decode public key bytes and compute SHA-256 fingerprint
-        const keyBytes = fromBase64Url(publicKeyB64Url);
-        const fingerprint = createHash('sha256').update(Buffer.from(keyBytes)).digest('hex');
-        // Search Rekor index by key fingerprint
-        const resp = await fetch(`${REKOR_API}/index/retrieve`, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({ hash: `sha256:${fingerprint}` }),
-            signal: AbortSignal.timeout(5000),
-        });
-        if (!resp.ok) {
-            return 'unavailable';
-        }
-        const entries = await resp.json();
-        if (!entries || entries.length === 0) {
-            // No entries found — key has not been submitted to Rekor (not necessarily bad)
-            return 'not_found';
-        }
-        // Key found in Rekor — it's been logged (active, not revoked)
-        return 'active';
-    }
-    catch {
-        return 'unavailable';
-    }
-}
-// ── ZK Proof Verification (UltraHonk) ──
-/**
- * Verify an UltraHonk ZK proof using @aztec/bb.js.
- *
- * Requires:
- * - zk_proof.proof: base64-encoded proof bytes
- * - zk_proof.public_inputs: array of field elements (hex strings)
- * - zk_proof.verification_key: base64-encoded verification key
- *
- * Returns true if valid, false if invalid, null if verification unavailable.
- */
-async function verifyUltraHonk(zkProof) {
-    try {
-        // Dynamic import — @aztec/bb.js is an optional dependency
-        // @ts-expect-error — @aztec/bb.js is optional, may not have type declarations
-        const bb = await import('@aztec/bb.js').catch(() => null);
-        if (!bb) {
-            return null; // bb.js not available
-        }
-        const proofB64 = zkProof.proof;
-        const publicInputs = zkProof.public_inputs;
-        const vkB64 = zkProof.verification_key;
-        if (!proofB64 || !publicInputs || !vkB64) {
-            return false;
-        }
-        const proofBytes = Buffer.from(proofB64, 'base64');
-        const vkBytes = Buffer.from(vkB64, 'base64');
-        // UltraHonk verification
-        const api = await bb.newBarretenbergApiAsync();
-        const valid = await api.acirVerifyUltraHonk(proofBytes, vkBytes);
-        return valid;
-    }
-    catch {
-        return null; // Verification error — treat as unavailable, not invalid
-    }
-}
-//# sourceMappingURL=verifier.js.map