@rubric-protocol/sdk 1.0.6 → 1.0.7

package/README.md

@@ -85,6 +85,27 @@ HTTP status codes: 202 = pending (retry), 200 = ready, 404 = not found
     console.log("leafIndex:", proof.proof.leafIndex);
     console.log("hcsSeqNum:", proof.hcsSeqNum ?? "pending");
 
+## Payload Privacy — Storing Your payloadKey
+
+Every tieredAttest response includes a payloadKey. This is the only time it is ever returned — Rubric does not store it.
+
+You must store it. If it is lost, the encrypted payload is unrecoverable.
+
+Recommended storage patterns:
+
+- Secrets manager (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager) — index by attestationId
+- Encrypted database column — store alongside your own record of the decision
+- Customer-side KMS — if you operate your own key management system
+
+Never log the payloadKey. Never transmit it over unencrypted channels. Never store it in the same system as the attestation record — the separation is what gives the privacy guarantee its strength.
+
+The payloadCommitment (also in the response) is safe to store anywhere. It is a public binding between the key and the attestation, containing no secret information.
+
+Example:
+
+    const result = await client.attestations.tieredAttest({ data: decision, sourceId: ' + chr(39) + 'my-system' + chr(39) + ' });
+    await mySecretsManager.store(' + chr(39) + 'rubric:key:' + chr(39) + ' + result.attestationId, result.payloadKey);
+
 ## EU AI Act Article 12 Compliance
 
 Rubric satisfies the tamper-evident logging requirements of EU AI Act Article 12 for high-risk AI systems.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubric-protocol/sdk",
-  "version": "1.0.6",
+  "version": "1.0.7",
   "description": "Rubric Protocol SDK \u2014 post-quantum AI attestation with ZK inclusion proofs",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",