@veritasacta/artifacts 0.1.0

package/SPEC.md

@@ -0,0 +1,107 @@
+# Veritas Acta Signed Artifacts — Specification v1
+
+A minimal standard for creating and verifying Ed25519-signed JSON artifacts.
+
+## Overview
+
+A **signed artifact** is a JSON object with:
+- A typed **payload** (the content being attested)
+- A deterministic **canonical form** (for signing)
+- An Ed25519 **signature** (for verification)
+
+The envelope is the same for all artifact types. The payload schema varies by type.
+
+## Envelope Format
+
+Every signed artifact is a JSON object with these top-level fields:
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `v` | number | yes | Schema version. Currently `1`. |
+| `type` | string | yes | Artifact type identifier (e.g., `scopeblind:decision`, `acta:anchor`). |
+| `timestamp` | string | yes | ISO-8601 timestamp of creation. |
+| `signature` | string | yes | Hex-encoded Ed25519 signature over the canonical form (excluding this field). |
+
+All other fields are payload-specific and defined by the artifact type.
+
+## Canonical Serialization
+
+To produce a deterministic byte string for signing:
+
+1. Remove the `signature` field from the artifact object.
+2. Serialize with `JSON.stringify(obj, Object.keys(obj).sort())` (JCS-style sorted keys).
+3. Encode the resulting string as UTF-8 bytes.
+
+This is the message that gets signed and verified.
+
+## Signing
+
+```
+message = utf8_encode(canonical_json(artifact_without_signature))
+signature = ed25519_sign(message, private_key)
+```
+
+The signature is stored as a lowercase hex string (128 hex chars = 64 bytes).
+
+## Verification
+
+```
+message = utf8_encode(canonical_json(artifact_without_signature))
+valid = ed25519_verify(hex_decode(signature), message, hex_decode(public_key))
+```
+
+## Registered Artifact Types
+
+### `scopeblind:decision`
+An enforcement decision by a ScopeBlind verifier.
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `slug` | string | Tenant identifier |
+| `decision` | string | `allow`, `challenge`, `deny`, `payment_required` |
+| `risk` | number | Risk score (0-100) |
+| `reason` | string | Machine-readable reason |
+| `identity_class` | string | `fingerprint`, `dbsc`, `dpop`, `agent_key` |
+| `identity_hash` | string | Truncated identity hash (privacy-safe) |
+| `country` | string? | 2-letter country code |
+| `epoch` | number? | Epoch window |
+| `ts` | number | Unix timestamp (ms) |
+
+### `acta:anchor`
+A signed checkpoint of all topic chain heads in an Acta instance.
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `merkle_root` | string | SHA-256 Merkle root of chain heads |
+| `chain_heads` | array | `[{ topic, chain_head_hash, chain_length }]` |
+| `topic_count` | number | Number of topics anchored |
+| `public_key` | string | Hex-encoded Ed25519 public key |
+| `charter_hash` | string | Protocol charter hash |
+| `protocol_spec_hash` | string | Protocol spec hash |
+| `protocol_version` | string | Protocol version |
+| `policy_hash` | string | Instance policy hash |
+
+### `acta:resolution`
+A prediction resolution outcome (future — when extracted from Acta).
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `topic` | string | Topic slug |
+| `prediction_id` | string | Entry ID of the prediction |
+| `resolution_type` | string | `confirmed`, `refuted`, `partially_confirmed`, `unresolvable` |
+| `outcome` | string | Human-readable outcome description |
+| `source` | object | Source evidence envelope |
+
+### `delegation:grant` (reserved, not yet implemented)
+A delegation of authority from principal to agent.
+
+## Test Vectors
+
+See `test-vectors.json` for canonical payloads, expected hashes, and signatures using the test keypair:
+
+```
+Private key: 9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60
+Public key:  d75a980182b10ab7d54bfed3c964073a0ee172f3daa3f4a18446b0b8d183f8e3
+```
+
+(This is the RFC 8032 test vector #1 keypair — deterministic and well-known.)

package/index.d.ts

@@ -0,0 +1,44 @@
+/**
+ * @veritasacta/artifacts — Type definitions
+ */
+
+/** Produce a deterministic JSON string with sorted keys (JCS-style). */
+export function canonicalize(obj: Record<string, unknown>): string;
+
+/** SHA-256 hash of the canonical form. Returns lowercase hex. */
+export function canonicalHash(obj: Record<string, unknown>): string;
+
+/** Sign result from signArtifact. */
+export interface SignResult {
+  artifact: Record<string, unknown> & { signature: string };
+  signature: string;
+  hash: string;
+}
+
+/** Sign an artifact payload with Ed25519. Payload must include v, type, timestamp. */
+export function signArtifact(
+  payload: Record<string, unknown> & { v: number; type: string; timestamp: string },
+  privateKeyHex: string,
+): SignResult;
+
+/** Verification result from verifyArtifact. */
+export interface VerifyResult {
+  valid: boolean;
+  hash?: string;
+  error?: string;
+}
+
+/** Verify an artifact's Ed25519 signature. */
+export function verifyArtifact(
+  artifact: Record<string, unknown> & { signature: string },
+  publicKeyHex: string,
+): VerifyResult;
+
+/** Generate a new Ed25519 keypair. Returns hex-encoded strings. */
+export function generateKeypair(): { privateKey: string; publicKey: string };
+
+/** Derive public key from private key. */
+export function getPublicKey(privateKeyHex: string): string;
+
+export { bytesToHex, hexToBytes, utf8ToBytes } from '@noble/hashes/utils';
+export { sha256 } from '@noble/hashes/sha256';

package/index.js

@@ -0,0 +1,135 @@
+/**
+ * @veritasacta/artifacts — Signed Artifact Envelope
+ *
+ * Canonical serialization, Ed25519 signing, and verification
+ * for typed JSON payloads (receipts, anchors, resolutions, etc.)
+ *
+ * Both ScopeBlind and Veritas Acta use this shared primitive.
+ *
+ * @license MIT
+ */
+
+import { ed25519 } from '@noble/curves/ed25519';
+import { sha256 } from '@noble/hashes/sha256';
+import { bytesToHex, hexToBytes, utf8ToBytes } from '@noble/hashes/utils';
+
+// ── Canonical Serialization ─────────────────────────────────────
+
+/**
+ * Produce a deterministic JSON string from an object.
+ * Keys are sorted lexicographically at every level (JCS-style).
+ *
+ * @param {Record<string, unknown>} obj
+ * @returns {string}
+ */
+export function canonicalize(obj) {
+  return JSON.stringify(obj, (_key, value) => {
+    if (value && typeof value === 'object' && !Array.isArray(value)) {
+      const sorted = {};
+      for (const k of Object.keys(value).sort()) {
+        sorted[k] = value[k];
+      }
+      return sorted;
+    }
+    return value;
+  });
+}
+
+/**
+ * SHA-256 hash of the canonical form of an object.
+ * Returns lowercase hex.
+ *
+ * @param {Record<string, unknown>} obj
+ * @returns {string}
+ */
+export function canonicalHash(obj) {
+  return bytesToHex(sha256(utf8ToBytes(canonicalize(obj))));
+}
+
+// ── Signing ─────────────────────────────────────────────────────
+
+/**
+ * Sign an artifact payload with Ed25519.
+ *
+ * @param {Record<string, unknown>} payload - Must include `v`, `type`, `timestamp`.
+ * @param {string} privateKeyHex - 64-char hex-encoded Ed25519 private key.
+ * @returns {{ artifact: Record<string, unknown>, signature: string, hash: string }}
+ */
+export function signArtifact(payload, privateKeyHex) {
+  if (!payload.v || !payload.type || !payload.timestamp) {
+    throw new Error('Artifact must include v, type, and timestamp fields');
+  }
+
+  const message = utf8ToBytes(canonicalize(payload));
+  const signature = bytesToHex(ed25519.sign(message, hexToBytes(privateKeyHex)));
+  const hash = bytesToHex(sha256(message));
+
+  return {
+    artifact: { ...payload, signature },
+    signature,
+    hash,
+  };
+}
+
+// ── Verification ────────────────────────────────────────────────
+
+/**
+ * Verify an artifact's Ed25519 signature.
+ *
+ * @param {Record<string, unknown>} artifact - Signed artifact (with `signature` field).
+ * @param {string} publicKeyHex - 64-char hex-encoded Ed25519 public key.
+ * @returns {{ valid: boolean, hash?: string, error?: string }}
+ */
+export function verifyArtifact(artifact, publicKeyHex) {
+  try {
+    if (!artifact.signature) {
+      return { valid: false, error: 'missing_signature' };
+    }
+
+    // Strip signature to reconstruct the signed message
+    const { signature, ...payload } = artifact;
+    const message = utf8ToBytes(canonicalize(payload));
+    const hash = bytesToHex(sha256(message));
+
+    const valid = ed25519.verify(
+      hexToBytes(signature),
+      message,
+      hexToBytes(publicKeyHex),
+    );
+
+    return valid
+      ? { valid: true, hash }
+      : { valid: false, hash, error: 'invalid_signature' };
+  } catch (err) {
+    return { valid: false, error: 'verification_error' };
+  }
+}
+
+// ── Keypair Utilities ───────────────────────────────────────────
+
+/**
+ * Generate a new Ed25519 keypair.
+ * @returns {{ privateKey: string, publicKey: string }}
+ */
+export function generateKeypair() {
+  const privateKey = ed25519.utils.randomPrivateKey();
+  const publicKey = ed25519.getPublicKey(privateKey);
+  return {
+    privateKey: bytesToHex(privateKey),
+    publicKey: bytesToHex(publicKey),
+  };
+}
+
+/**
+ * Derive the public key from a private key.
+ * @param {string} privateKeyHex
+ * @returns {string}
+ */
+export function getPublicKey(privateKeyHex) {
+  return bytesToHex(ed25519.getPublicKey(hexToBytes(privateKeyHex)));
+}
+
+// ── Re-exports for convenience ──────────────────────────────────
+
+export { bytesToHex, hexToBytes, utf8ToBytes } from '@noble/hashes/utils';
+export { sha256 } from '@noble/hashes/sha256';

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "@veritasacta/artifacts",
+  "version": "0.1.0",
+  "description": "Signed artifact envelope — canonical serialization, Ed25519 signing, and verification for typed JSON payloads.",
+  "license": "MIT",
+  "type": "module",
+  "main": "index.js",
+  "types": "index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./index.js",
+      "types": "./index.d.ts"
+    },
+    "./test-vectors": "./test-vectors.json"
+  },
+  "files": [
+    "index.js",
+    "index.d.ts",
+    "test-vectors.json",
+    "SPEC.md"
+  ],
+  "dependencies": {
+    "@noble/curves": "^1.8.0",
+    "@noble/hashes": "^1.7.0"
+  },
+  "devDependencies": {},
+  "scripts": {
+    "test": "node --test test.js",
+    "vectors": "node generate-vectors.js"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "keywords": [
+    "ed25519",
+    "signed-artifacts",
+    "receipts",
+    "canonical-json",
+    "verification",
+    "veritasacta",
+    "scopeblind",
+    "voprf",
+    "audit"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/VeritasActa/artifacts"
+  },
+  "homepage": "https://veritasacta.com"
+}

package/test-vectors.json

@@ -0,0 +1,193 @@
+{
+  "_meta": {
+    "spec_version": 1,
+    "generated_at": "2026-03-13T00:00:00.000Z",
+    "keypair": {
+      "private_key": "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
+      "public_key": "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
+      "note": "RFC 8032 Test Vector #1 — do NOT use in production"
+    }
+  },
+  "vectors": [
+    {
+      "name": "ScopeBlind Decision Receipt (deny)",
+      "payload": {
+        "v": 1,
+        "type": "scopeblind:decision",
+        "slug": "test-tenant",
+        "decision": "deny",
+        "risk": 78,
+        "reason": "repeat_visitor",
+        "identity_class": "fingerprint",
+        "identity_hash": "a3f8c1b2",
+        "country": "US",
+        "epoch": 7,
+        "timestamp": "2026-03-13T12:00:00.000Z",
+        "ts": 1773496800000
+      },
+      "canonical": "{\"country\":\"US\",\"decision\":\"deny\",\"epoch\":7,\"identity_class\":\"fingerprint\",\"identity_hash\":\"a3f8c1b2\",\"reason\":\"repeat_visitor\",\"risk\":78,\"slug\":\"test-tenant\",\"timestamp\":\"2026-03-13T12:00:00.000Z\",\"ts\":1773496800000,\"type\":\"scopeblind:decision\",\"v\":1}",
+      "hash": "ae52a4305dff01a97d382bb06bf69f70de6e70ceec9c4174db02b0b9ae9bd787",
+      "signature": "f7b235bcfd8261a00c99694c817b76491eb99d03e7ddcb3b3da625533c520235380c76b4a5457a7baf60d2a45b1129016eeb4f8f75e6fa8d14e79e8c39b22807",
+      "signed_artifact": {
+        "v": 1,
+        "type": "scopeblind:decision",
+        "slug": "test-tenant",
+        "decision": "deny",
+        "risk": 78,
+        "reason": "repeat_visitor",
+        "identity_class": "fingerprint",
+        "identity_hash": "a3f8c1b2",
+        "country": "US",
+        "epoch": 7,
+        "timestamp": "2026-03-13T12:00:00.000Z",
+        "ts": 1773496800000,
+        "signature": "f7b235bcfd8261a00c99694c817b76491eb99d03e7ddcb3b3da625533c520235380c76b4a5457a7baf60d2a45b1129016eeb4f8f75e6fa8d14e79e8c39b22807"
+      },
+      "verification": {
+        "valid": true,
+        "hash": "ae52a4305dff01a97d382bb06bf69f70de6e70ceec9c4174db02b0b9ae9bd787"
+      }
+    },
+    {
+      "name": "Acta Anchor",
+      "payload": {
+        "v": 1,
+        "type": "acta:anchor",
+        "timestamp": "2026-03-13T00:00:00.000Z",
+        "merkle_root": "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789",
+        "chain_heads": [
+          {
+            "topic": "ai-trust",
+            "chain_head_hash": "1111111111111111111111111111111111111111111111111111111111111111",
+            "chain_length": 5
+          },
+          {
+            "topic": "climate",
+            "chain_head_hash": "2222222222222222222222222222222222222222222222222222222222222222",
+            "chain_length": 3
+          }
+        ],
+        "topic_count": 2,
+        "public_key": "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
+        "charter_hash": "3a0f734d0000000000000000000000000000000000000000000000000000000",
+        "protocol_spec_hash": "d1f905770000000000000000000000000000000000000000000000000000000",
+        "protocol_version": "1.0.0",
+        "policy_hash": "3f1e07340000000000000000000000000000000000000000000000000000000"
+      },
+      "canonical": "{\"chain_heads\":[{\"chain_head_hash\":\"1111111111111111111111111111111111111111111111111111111111111111\",\"chain_length\":5,\"topic\":\"ai-trust\"},{\"chain_head_hash\":\"2222222222222222222222222222222222222222222222222222222222222222\",\"chain_length\":3,\"topic\":\"climate\"}],\"charter_hash\":\"3a0f734d0000000000000000000000000000000000000000000000000000000\",\"merkle_root\":\"abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789\",\"policy_hash\":\"3f1e07340000000000000000000000000000000000000000000000000000000\",\"protocol_spec_hash\":\"d1f905770000000000000000000000000000000000000000000000000000000\",\"protocol_version\":\"1.0.0\",\"public_key\":\"d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a\",\"timestamp\":\"2026-03-13T00:00:00.000Z\",\"topic_count\":2,\"type\":\"acta:anchor\",\"v\":1}",
+      "hash": "ddd17188699186d30a27fc87c7dff27e3cdef0b2ee351b783ddc389b78ea7817",
+      "signature": "a8e9823474d93895f45f6c0e33ea4ef3d83abee292980eb4e0ec575b227d117be5ffedc5dbe6799a64a4599119cb983a05373426e96de07b2893d489ced2660f",
+      "signed_artifact": {
+        "v": 1,
+        "type": "acta:anchor",
+        "timestamp": "2026-03-13T00:00:00.000Z",
+        "merkle_root": "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789",
+        "chain_heads": [
+          {
+            "topic": "ai-trust",
+            "chain_head_hash": "1111111111111111111111111111111111111111111111111111111111111111",
+            "chain_length": 5
+          },
+          {
+            "topic": "climate",
+            "chain_head_hash": "2222222222222222222222222222222222222222222222222222222222222222",
+            "chain_length": 3
+          }
+        ],
+        "topic_count": 2,
+        "public_key": "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
+        "charter_hash": "3a0f734d0000000000000000000000000000000000000000000000000000000",
+        "protocol_spec_hash": "d1f905770000000000000000000000000000000000000000000000000000000",
+        "protocol_version": "1.0.0",
+        "policy_hash": "3f1e07340000000000000000000000000000000000000000000000000000000",
+        "signature": "a8e9823474d93895f45f6c0e33ea4ef3d83abee292980eb4e0ec575b227d117be5ffedc5dbe6799a64a4599119cb983a05373426e96de07b2893d489ced2660f"
+      },
+      "verification": {
+        "valid": true,
+        "hash": "ddd17188699186d30a27fc87c7dff27e3cdef0b2ee351b783ddc389b78ea7817"
+      }
+    },
+    {
+      "name": "Prediction Resolution (confirmed)",
+      "payload": {
+        "v": 1,
+        "type": "acta:resolution",
+        "timestamp": "2026-03-13T18:00:00.000Z",
+        "topic": "ai-trust",
+        "prediction_id": "pred_001",
+        "resolution_type": "confirmed",
+        "outcome": "The prediction was confirmed by the resolution source.",
+        "source": {
+          "source_url": "https://example.com/result",
+          "retrieved_at": "2026-03-13T17:30:00.000Z",
+          "content_hash": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+        }
+      },
+      "canonical": "{\"outcome\":\"The prediction was confirmed by the resolution source.\",\"prediction_id\":\"pred_001\",\"resolution_type\":\"confirmed\",\"source\":{\"content_hash\":\"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\",\"retrieved_at\":\"2026-03-13T17:30:00.000Z\",\"source_url\":\"https://example.com/result\"},\"timestamp\":\"2026-03-13T18:00:00.000Z\",\"topic\":\"ai-trust\",\"type\":\"acta:resolution\",\"v\":1}",
+      "hash": "e84e52c522cb28100ae14b72ed0030c567fca6bd92b7ca522b27339395f292ae",
+      "signature": "4d1112711310b67bf432d0fc1285d7d91558864a856d48c41540593147c98b5e7efcc954e843285d4f86a97e15853ed9e3a16f102d344107db574dc157c3d300",
+      "signed_artifact": {
+        "v": 1,
+        "type": "acta:resolution",
+        "timestamp": "2026-03-13T18:00:00.000Z",
+        "topic": "ai-trust",
+        "prediction_id": "pred_001",
+        "resolution_type": "confirmed",
+        "outcome": "The prediction was confirmed by the resolution source.",
+        "source": {
+          "source_url": "https://example.com/result",
+          "retrieved_at": "2026-03-13T17:30:00.000Z",
+          "content_hash": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+        },
+        "signature": "4d1112711310b67bf432d0fc1285d7d91558864a856d48c41540593147c98b5e7efcc954e843285d4f86a97e15853ed9e3a16f102d344107db574dc157c3d300"
+      },
+      "verification": {
+        "valid": true,
+        "hash": "e84e52c522cb28100ae14b72ed0030c567fca6bd92b7ca522b27339395f292ae"
+      }
+    },
+    {
+      "name": "Delegation Grant (placeholder)",
+      "payload": {
+        "v": 1,
+        "type": "delegation:grant",
+        "timestamp": "2026-03-13T10:00:00.000Z",
+        "principal": "org:example-corp",
+        "delegate": "agent:finance-bot-01",
+        "scope": [
+          "read:transactions",
+          "write:reports"
+        ],
+        "budget": {
+          "max_requests": 1000,
+          "window_hours": 24
+        },
+        "expires": "2026-03-14T10:00:00.000Z"
+      },
+      "canonical": "{\"budget\":{\"max_requests\":1000,\"window_hours\":24},\"delegate\":\"agent:finance-bot-01\",\"expires\":\"2026-03-14T10:00:00.000Z\",\"principal\":\"org:example-corp\",\"scope\":[\"read:transactions\",\"write:reports\"],\"timestamp\":\"2026-03-13T10:00:00.000Z\",\"type\":\"delegation:grant\",\"v\":1}",
+      "hash": "02a01dd7d11ebfedc10b5d286399b8b8787ed5b293a04b1daf1181c01cd80e5d",
+      "signature": "28a33cc114328941ccf364b8e1ab81992605880f6af4cdc9188b8e67e2ffe51451328629ff0223159667d64f891f4b780ee05f9bbafe93b0e89e16add32e4d08",
+      "signed_artifact": {
+        "v": 1,
+        "type": "delegation:grant",
+        "timestamp": "2026-03-13T10:00:00.000Z",
+        "principal": "org:example-corp",
+        "delegate": "agent:finance-bot-01",
+        "scope": [
+          "read:transactions",
+          "write:reports"
+        ],
+        "budget": {
+          "max_requests": 1000,
+          "window_hours": 24
+        },
+        "expires": "2026-03-14T10:00:00.000Z",
+        "signature": "28a33cc114328941ccf364b8e1ab81992605880f6af4cdc9188b8e67e2ffe51451328629ff0223159667d64f891f4b780ee05f9bbafe93b0e89e16add32e4d08"
+      },
+      "verification": {
+        "valid": true,
+        "hash": "02a01dd7d11ebfedc10b5d286399b8b8787ed5b293a04b1daf1181c01cd80e5d"
+      }
+    }
+  ]
+}