insumer-verify 1.4.3 → 1.4.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +4 -4
  2. package/package.json +2 -2
package/README.md CHANGED
@@ -1,10 +1,8 @@
1
1
  # insumer-verify
2
2
 
3
- Client-side verifier for [InsumerAPI](https://insumermodel.com/developers/) wallet auth attestations. Validates ECDSA P-256 signatures, condition hashes, block freshness, and attestation expiry. Zero runtime dependencies. Web Crypto API. Node.js 18+ and modern browsers.
3
+ Client-side verifier for [InsumerAPI](https://insumermodel.com/developers/) wallet auth attestations. Validates ECDSA P-256 signatures, condition hashes, block freshness, and attestation expiry. Zero runtime dependencies. Web Crypto API. Node.js 18+ and modern browsers. Type-agnostic: verifies every condition type (token_balance, nft_ownership, eas_attestation, farcaster_id, ratio_to_amount, ratio_to_supply) by recomputing the condition hash from the signed `evaluatedCondition`.
4
4
 
5
- **In production:** [DJD Agent Score](https://github.com/jacobsd32-cpu/djdagentscore) (Coinbase x402 ecosystem) uses insumer-verify for client-side cryptographic verification in their AI agent wallet trust scoring pipeline. [Case study](https://insumermodel.com/blog/djd-agent-score-insumer-api-integration.html).
6
-
7
- Part of the InsumerAPI ecosystem: [REST API](https://insumermodel.com/developers/) (26 endpoints, 33 chains) | [MCP server](https://www.npmjs.com/package/mcp-server-insumer) (npm) | [LangChain](https://pypi.org/project/langchain-insumer/) (PyPI) | [ElizaOS](https://www.npmjs.com/package/eliza-plugin-insumer) (10 actions, npm) | [OpenAI GPT](https://chatgpt.com/g/g-699c5e43ce2481918b3f1e7f144c8a49-insumerapi-verify) (GPT Store)
5
+ Part of the InsumerAPI ecosystem: [REST API](https://insumermodel.com/developers/) (26 endpoints, 37 chains) | [MCP server](https://www.npmjs.com/package/mcp-server-insumer) (npm) | [LangChain](https://pypi.org/project/langchain-insumer/) (PyPI) | [ElizaOS](https://www.npmjs.com/package/eliza-plugin-insumer) (10 actions, npm) | [OpenAI GPT](https://chatgpt.com/g/g-699c5e43ce2481918b3f1e7f144c8a49-insumerapi-verify) (GPT Store)
8
6
 
9
7
  ## Install
10
8
 
@@ -225,6 +223,8 @@ const result = await verifyAttestation(apiResponse, {
225
223
 
226
224
  When `jwksUrl` is set, the library fetches the JWKS, matches the key by `kid` from the attestation response, and uses it for signature verification. This enables automatic key rotation without library updates.
227
225
 
226
+ **Trust contract.** `jwksUrl` should be a hardcoded constant (e.g. the InsumerAPI JWKS endpoint) or another URL you control — set once at integration time. The library fetches whatever URL you pass, so passing untrusted user input would let a caller direct the library to fetch arbitrary endpoints on the host's behalf.
227
+
228
228
  ## API
229
229
 
230
230
  ### `verifyAttestation(response, options?)`
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "insumer-verify",
3
- "version": "1.4.3",
4
- "description": "Client-side verifier for InsumerAPI condition-based access attestations. ECDSA P-256 signatures, condition hashes, block freshness, expiry. Zero dependencies. Used by DJD Agent Score (Coinbase x402).",
3
+ "version": "1.4.5",
4
+ "description": "Client-side verifier for InsumerAPI condition-based access attestations. ECDSA P-256 signatures, condition hashes, block freshness, expiry. Zero dependencies.",
5
5
  "type": "module",
6
6
  "main": "build/index.js",
7
7
  "types": "build/index.d.ts",