axiomax-esg-verify 1.0.0

package/LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2026 AXIOMAX LLC, Salinas Puerto Rico
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+NOTE: The reference verifier code in this repository is MIT-licensed.
+The AXIOMAX ESG Carbon Shield system architecture, calibration coefficients,
+and brand are proprietary to AXIOMAX LLC and protected by USPTO Patent Pending
+Application 64/081,419 (filed June 3, 2026).
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

package/README.md

@@ -0,0 +1,56 @@
+# axiomax-esg-verify
+
+Reference verifier for [AXIOMAX ESG Carbon Shield](https://axiomaxllc.com) cryptographic carbon attestation tokens.
+
+> Patent Pending USPTO Application **64/081,419** (filed June 3, 2026).
+> Operated by **AXIOMAX LLC**, Salinas, Puerto Rico.
+
+## Install
+
+```bash
+npm install axiomax-esg-verify
+```
+
+Works in Node.js (>= 18) and modern browsers (Web Crypto API ed25519).
+
+## Usage
+
+```js
+import { verifyToken } from 'axiomax-esg-verify';
+
+const token = JSON.parse(fs.readFileSync('token.json', 'utf-8'));
+const publicKeyPem = fs.readFileSync('client_public.pem', 'utf-8');
+
+const result = await verifyToken(token, publicKeyPem);
+
+if (result.valid) {
+  console.log(`✓ VALID · ${result.n_inferences} inferences certified · ${result.total_wh_saved} Wh saved`);
+} else {
+  console.error(`✗ INVALID · ${result.reason}`);
+}
+```
+
+## How it works
+
+Every AXIOMAX ESG attestation token is signed with ed25519 against a per-client public key. This package implements the canonical verification algorithm:
+
+1. Remove the `signature_ed25519` field from the token
+2. Canonicalize the remaining JSON (sorted keys, minimal separators)
+3. Verify the ed25519 signature over those bytes using the client's public key
+
+If any field in the token has been tampered with, the signature check fails.
+
+## Client public keys
+
+Master and per-client public keys are published at https://github.com/axiomaxllc/esg-carbon-shield/tree/main/public_keys
+
+## License
+
+MIT License for this package. The AXIOMAX ESG Carbon Shield system architecture, calibration coefficients, and brand are proprietary to AXIOMAX LLC (Patent Pending).
+
+## Links
+
+- Main: https://axiomaxllc.com
+- Hosted verifier: https://verify.axiomaxllc.com
+- Browser-side mirror: https://axiomaxllc.github.io/esg-carbon-shield
+- Specification: https://github.com/axiomaxllc/esg-carbon-shield

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "axiomax-esg-verify",
+  "version": "1.0.0",
+  "description": "Reference verifier for AXIOMAX ESG Carbon Shield cryptographic carbon attestation tokens (ed25519 + SHA-256). Patent Pending USPTO 64/081,419.",
+  "main": "src/index.js",
+  "type": "module",
+  "exports": {
+    ".": "./src/index.js"
+  },
+  "scripts": {
+    "test": "node test/verify.test.js"
+  },
+  "keywords": [
+    "esg",
+    "climate-tech",
+    "carbon-accounting",
+    "cryptography",
+    "ed25519",
+    "ai",
+    "sustainability",
+    "csrd",
+    "sec-climate",
+    "verifier",
+    "axiomax"
+  ],
+  "author": "Charles Santana <charles@axiomaxllc.com> (https://axiomaxllc.com)",
+  "license": "MIT",
+  "homepage": "https://github.com/axiomaxllc/esg-carbon-shield",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/axiomaxllc/esg-carbon-shield.git"
+  },
+  "bugs": {
+    "url": "https://github.com/axiomaxllc/esg-carbon-shield/issues"
+  },
+  "files": [
+    "src/",
+    "README.md",
+    "LICENSE"
+  ],
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}

package/src/index.js

@@ -0,0 +1,90 @@
+/**
+ * AXIOMAX ESG Carbon Shield — Reference Verifier (Node.js + browser via Web Crypto).
+ *
+ * Patent Pending USPTO 64/081,419. AXIOMAX LLC, Salinas Puerto Rico.
+ * MIT License.
+ *
+ * Usage:
+ *   import { verifyToken } from 'axiomax-esg-verify';
+ *
+ *   const result = await verifyToken(tokenObj, publicKeyPem);
+ *   if (result.valid) {
+ *     console.log(`✓ ${result.n_inferences} inferences certified`);
+ *   } else {
+ *     console.error(`✗ ${result.reason}`);
+ *   }
+ */
+
+const isNode = typeof window === 'undefined';
+
+function canonicalize(obj) {
+  if (obj === null || typeof obj !== 'object') return JSON.stringify(obj);
+  if (Array.isArray(obj)) return '[' + obj.map(canonicalize).join(',') + ']';
+  const keys = Object.keys(obj).sort();
+  return '{' + keys.map(k => JSON.stringify(k) + ':' + canonicalize(obj[k])).join(',') + '}';
+}
+
+function hexToBytes(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < bytes.length; i++) bytes[i] = parseInt(hex.substr(i * 2, 2), 16);
+  return bytes;
+}
+
+function pemToBinary(pem) {
+  const b64 = pem.replace(/-----[^-]+-----/g, '').replace(/\s/g, '');
+  if (isNode) return Buffer.from(b64, 'base64');
+  const raw = atob(b64);
+  const bytes = new Uint8Array(raw.length);
+  for (let i = 0; i < raw.length; i++) bytes[i] = raw.charCodeAt(i);
+  return bytes;
+}
+
+/**
+ * Verify an AXIOMAX ESG token against the client's public key.
+ *
+ * @param {object} token — token JSON object with signature_ed25519 field
+ * @param {string} publicKeyPem — client public key in PEM format
+ * @returns {Promise<{valid: boolean, reason?: string, client_id?: string, n_inferences?: number, total_wh_saved?: number, total_co2_kg_saved?: number}>}
+ */
+export async function verifyToken(token, publicKeyPem) {
+  const required = ['v', 'client_id', 'signature_ed25519', 'first_hash', 'last_hash',
+                    'n_inferences', 'total_wh_saved', 'seq_first', 'seq_last'];
+  for (const k of required) {
+    if (!(k in token)) return { valid: false, reason: `missing field: ${k}` };
+  }
+
+  const sigHex = token.signature_ed25519;
+  const tokenCopy = { ...token };
+  delete tokenCopy.signature_ed25519;
+  const canonical = canonicalize(tokenCopy);
+  const sigBytes = hexToBytes(sigHex);
+  const msgBytes = new TextEncoder().encode(canonical);
+  const keyBytes = pemToBinary(publicKeyPem);
+
+  let ok;
+  if (isNode) {
+    const { createPublicKey, verify } = await import('node:crypto');
+    const key = createPublicKey({ key: Buffer.from(keyBytes), format: 'der', type: 'spki' });
+    ok = verify(null, msgBytes, key, sigBytes);
+  } else {
+    const key = await crypto.subtle.importKey('spki', keyBytes, { name: 'Ed25519' }, false, ['verify']);
+    ok = await crypto.subtle.verify('Ed25519', key, sigBytes, msgBytes);
+  }
+
+  if (!ok) return { valid: false, reason: 'signature does not match client public key' };
+
+  return {
+    valid: true,
+    client_id: token.client_id,
+    n_inferences: token.n_inferences,
+    total_tokens: token.total_tokens,
+    total_wh_saved: token.total_wh_saved,
+    total_liters_water_saved: token.total_liters_water_saved,
+    total_co2_kg_saved: token.total_co2_kg_saved,
+    ts_issued_utc: token.ts_issued_utc,
+    seq_first: token.seq_first,
+    seq_last: token.seq_last,
+  };
+}
+
+export default { verifyToken };