magenta-canon 0.2.0 → 0.3.0

package/README.md

@@ -19,7 +19,7 @@ MCP host (Claude Code, Claude Desktop, Cursor, …) and downstream MCP tools, an
 
 ```bash
 npx magenta-canon demo                  # full local proof loop: allow · block · witness · verify · tamper
-npx magenta-canon verify --self-test    # verifier self-check: one VERIFIED pass and one tamper FAIL
+npx magenta-canon verify --self-test    # verifier self-check: all verdict levels incl. a tamper FAIL
 npx magenta-canon gateway <config.json> # the stdio MCP capability gateway
 npx magenta-canon mirror --self-test    # external STH mirror: catch operator history rewrites
 ```
@@ -161,7 +161,10 @@ DOWNSTREAM_LOG=/tmp/downstream-calls.log \
 
 # 3. publish evidence and verify it independently
 curl -s :5000/api/trust/evidence > bundle.json
-npx magenta-canon verify bundle.json              # → RESULT: VERIFIED
+npx magenta-canon verify bundle.json --expected-witness-key witness.pub
+                                       # → RESULT: ORIGIN AND INTEGRITY VERIFIED
+# without --expected-witness-key the honest maximum is: RESULT: INTEGRITY VERIFIED
+# (the bundle can vouch for its math, not for who produced it)
 ```
 </details>
 
@@ -222,11 +225,14 @@ REFUSED_CALL isError=true  :: Blocked by Magenta capability gate: exceeds delega
 {"name":"refund","args":{"amount_cents":8900,"order_id":"4471"}}     ← only the allowed call
 # the blocked $250 refund is ABSENT — it never reached the tool.
 
-$ npx magenta-canon verify bundle.json
+$ npx magenta-canon verify bundle.json --expected-witness-key witness.pub
+  witness-key source: INDEPENDENT (supplied by caller)
   [PASS] STH signature verifies
+  [PASS] STH witness key matches INDEPENDENTLY supplied key
   [PASS] receipt chain intact
+  [PASS] receipt issuer signatures verify (2/2)
   [PASS] recomputed Merkle root == signed STH root
-  RESULT: VERIFIED            (exit code 0)
+  RESULT: ORIGIN AND INTEGRITY VERIFIED            (exit code 0)
 ```
 
 ## Security model

package/dist/MANIFEST.json

@@ -3,7 +3,7 @@
   "scripts/demo-control-plane.js": "3357c8de8e3fe32e73e0be99a3bb02179dff3ee041854d4ee6f8d135e4d8dcbf",
   "scripts/intake-cli.js": "189014db22d6fccb034ed1a93ec11efe8905be820bc468366c68bb2cabaf8a97",
   "scripts/magenta-mirror.js": "cf701065f7a6e20f7f44a9b815396aeb5fe031c3f003bcd793b8014ea8801b85",
-  "scripts/magenta-verify.js": "3c41d176a435ae8f53dd49c2418f63be5ad82de7e26fbe9f436a6545f521d331",
+  "scripts/magenta-verify.js": "f79c60944bef65926530c2d0fd5cc35df10319c5831764b035e547b6bfebe715",
   "scripts/mcp-gateway.js": "335923004b73511fe42ea0fc6f2e567afe8018dc95464a79027e4c2537e30de1",
   "server/agent-policy.js": "20dd9150f8244c33aaf14ecdf3a09f471210960d246cda9ab8d5abe0e8433518",
   "server/agent-record.js": "790bbfa2a10601c2bdcd98873e6e41babdf96d1df7c7ca34f19791de4c8b860f",

package/dist/scripts/magenta-verify.js

@@ -18,12 +18,12 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifyBundle = exports.verifyConsistency = exports.verifyReceiptChain = exports.verifySTH = exports.verifyInclusion = exports.merkleRoot = exports.hashLeaf = exports.chainHash = exports.canonicalHash = exports.canonicalize = exports.VERSION = void 0;
+exports.verifyBundle = exports.verifyReceiptIssuerSignature = exports.verifyConsistency = exports.verifyReceiptChain = exports.verifySTH = exports.verifyInclusion = exports.merkleRoot = exports.hashLeaf = exports.chainHash = exports.canonicalHash = exports.canonicalize = exports.VERSION = void 0;
 const node_crypto_1 = require("node:crypto");
 const node_fs_1 = require("node:fs");
 const tweetnacl_1 = __importDefault(require("tweetnacl"));
 /** Verifier version — emitted in output so a verification run is self-describing. */
-exports.VERSION = "magenta-verify/1.0.0 (spec v1)";
+exports.VERSION = "magenta-verify/1.1.0 (spec v1.1)";
 // ── §1 primitives ──────────────────────────────────────────────────────────
 const utf8 = (s) => Buffer.from(s, "utf8");
 const fromHex = (h) => Buffer.from(h, "hex");
@@ -109,17 +109,79 @@ function verifyConsistency(allLeaves, older, newer) {
         merkleRoot(allLeaves.slice(0, newer.tree_size)) === newer.root_hash);
 }
 exports.verifyConsistency = verifyConsistency;
-function verifyBundle(b) {
+const HEX64 = /^[0-9a-f]{64}$/;
+/** Receipt issuer signature (spec §2): Ed25519 over the canonical receipt body
+ *  (all fields except receipt_signature), message = UTF-8 of the hex hash. */
+function verifyReceiptIssuerSignature(receipt) {
+    const { receipt_signature, issuer_pubkey } = receipt;
+    if (typeof receipt_signature !== "string" || typeof issuer_pubkey !== "string")
+        return false;
+    const body = {};
+    for (const k of Object.keys(receipt))
+        if (k !== "receipt_signature")
+            body[k] = receipt[k];
+    try {
+        return tweetnacl_1.default.sign.detached.verify(utf8((0, exports.canonicalHash)(body)), fromHex(receipt_signature), fromHex(issuer_pubkey));
+    }
+    catch {
+        return false;
+    }
+}
+exports.verifyReceiptIssuerSignature = verifyReceiptIssuerSignature;
+function verifyBundle(b, opts = {}) {
     const checks = [];
+    const skipped = [];
+    const reasons = [];
     const add = (name, pass, detail = "") => checks.push({ name, pass, detail });
+    const skip = (name, reason) => skipped.push({ name, reason });
+    // ── witness-key trust input (§5.6): the expected key must be independent ──
+    let witnessKeySource = "none";
+    if (opts.expectedWitnessKey !== undefined) {
+        witnessKeySource = "cli";
+        // Malformed trusted-key input fails closed: a bad key must never silently
+        // downgrade to bundle-trust.
+        if (!HEX64.test(opts.expectedWitnessKey)) {
+            add("expected witness key well-formed", false, "expected key is not 64 lowercase hex chars — failing closed");
+        }
+    }
+    else if (b.sth || b.witness_pubkey) {
+        witnessKeySource = "bundle";
+    }
     if (b.sth) {
-        const expectedKey = b.witness_pubkey ?? b.sth.witness_pubkey;
         add("STH signature verifies", verifySTH(b.sth), `root ${b.sth.root_hash.slice(0, 16)}… size ${b.sth.tree_size}`);
-        add("STH bound to expected witness key", b.sth.witness_pubkey === expectedKey, b.sth.witness_pubkey === expectedKey ? "matches mirrored key" : "WITNESS KEY MISMATCH");
+        // Internal coherence: the bundle's top-level key must agree with the STH's.
+        if (b.witness_pubkey !== undefined) {
+            add("bundle witness_pubkey == STH witness key", b.witness_pubkey === b.sth.witness_pubkey, b.witness_pubkey === b.sth.witness_pubkey ? "bundle is internally coherent" : "BUNDLE KEY FIELDS DISAGREE");
+        }
+        if (witnessKeySource === "cli" && HEX64.test(opts.expectedWitnessKey)) {
+            const match = b.sth.witness_pubkey === opts.expectedWitnessKey;
+            add("STH witness key matches INDEPENDENTLY supplied key", match, match ? "key supplied via --expected-witness-key matches" : "WITNESS KEY MISMATCH — bundle was NOT signed by the trusted witness");
+        }
+        else if (witnessKeySource === "bundle") {
+            skip("witness key trust", "key taken from the bundle itself — supply --expected-witness-key for origin assurance");
+        }
+    }
+    else if (witnessKeySource === "cli") {
+        add("STH present for expected-key comparison", false, "an expected witness key was supplied but the bundle has no STH");
     }
+    const receiptCount = b.receipts?.length ?? 0;
     if (b.receipts && b.receipts.length) {
         const chain = verifyReceiptChain(b.receipts);
         add("receipt chain intact", chain.valid, chain.error ?? `${b.receipts.length} receipts`);
+        // §2 issuer signatures: enforced when present; absence is surfaced, never hidden.
+        const withSig = b.receipts.filter((r) => r.receipt_signature !== undefined
+            || r.issuer_pubkey !== undefined);
+        if (withSig.length > 0) {
+            const bad = withSig.filter((r) => !verifyReceiptIssuerSignature(r));
+            add(`receipt issuer signatures verify (${withSig.length - bad.length}/${withSig.length})`, bad.length === 0, bad.length === 0 ? "each receipt is Ed25519-signed by its issuer over the canonical body"
+                : `INVALID issuer signature on ${bad.length} receipt(s)`);
+            if (withSig.length < b.receipts.length) {
+                add("all receipts carry issuer signatures", false, `${b.receipts.length - withSig.length} receipt(s) missing issuer signature while others are signed`);
+            }
+        }
+        else {
+            skip("receipt issuer signatures", "no receipt carries issuer_pubkey/receipt_signature — issuer authentication not established");
+        }
         if (b.sth) {
             const leaves = b.receipts.map((r) => (0, exports.hashLeaf)(r.receipt_hash));
             const root = merkleRoot(leaves);
@@ -130,6 +192,18 @@ function verifyBundle(b) {
             }
         }
     }
+    // ── caller-required evidence (§5.7): absence of required proof is a FAILURE ──
+    if (opts.minReceipts !== undefined) {
+        add(`bundle contains >= ${opts.minReceipts} receipt(s)`, receiptCount >= opts.minReceipts, `${receiptCount} present`);
+    }
+    if (opts.requireReceiptHash !== undefined) {
+        const found = (b.receipts ?? []).some((r) => r.receipt_hash === opts.requireReceiptHash);
+        add("required receipt_hash present in bundle", found, found ? `receipt ${opts.requireReceiptHash.slice(0, 16)}… is in the verified chain` : "REQUIRED RECEIPT ABSENT");
+    }
+    if (opts.requireActionHash !== undefined) {
+        const found = (b.receipts ?? []).some((r) => r.action_hash === opts.requireActionHash);
+        add("required action_hash present in bundle", found, found ? "a receipt commits to the required action" : "REQUIRED ACTION ABSENT");
+    }
     if (b.inclusion) {
         const inc = verifyInclusion(b.inclusion.leaf_hash, b.inclusion.proof, b.inclusion.root_hash);
         add(`inclusion proof for leaf #${b.inclusion.index}`, inc, "leaf is provably in the log under the root");
@@ -148,15 +222,127 @@ function verifyBundle(b) {
             add("reveal target exists", false, `no receipt at index ${b.reveal.index}`);
         }
     }
-    return { checks, allPassed: checks.length > 0 && checks.every((c) => c.pass) };
+    const allPassed = checks.length > 0 && checks.every((c) => c.pass);
+    // ── verdict assignment (never silently upgraded) ────────────────────────────
+    let verdict;
+    if (!allPassed) {
+        verdict = "VERIFICATION FAILED";
+        reasons.push(checks.some((c) => !c.pass) ? "one or more performed checks failed" : "no checks could be performed");
+    }
+    else if (receiptCount === 0 && !b.inclusion && !opts.allowEmptyLog) {
+        verdict = "INCOMPLETE EVIDENCE";
+        reasons.push("bundle proves no action: zero receipts and no inclusion proof (use --allow-empty-log for checkpoint-only diagnostics)");
+    }
+    else if (witnessKeySource === "cli") {
+        verdict = "ORIGIN AND INTEGRITY VERIFIED";
+        reasons.push("all checks passed and the witness key matched an independently supplied trusted key");
+    }
+    else {
+        verdict = "INTEGRITY VERIFIED";
+        reasons.push("all checks passed, but the witness key came from the bundle itself — a forger with a fresh key can fabricate a self-consistent history; supply --expected-witness-key (or corroborate via an external mirror) for origin assurance");
+        if (receiptCount === 0 && opts.allowEmptyLog) {
+            reasons.push("EMPTY LOG accepted in explicit diagnostic mode (--allow-empty-log): this verifies a checkpoint, not any action");
+        }
+    }
+    if (witnessKeySource === "cli" && verdict === "ORIGIN AND INTEGRITY VERIFIED" && receiptCount === 0 && opts.allowEmptyLog) {
+        reasons.push("EMPTY LOG accepted in explicit diagnostic mode (--allow-empty-log): this verifies a checkpoint, not any action");
+    }
+    return { checks, skipped, allPassed, verdict, witnessKeySource, reasons };
 }
 exports.verifyBundle = verifyBundle;
 // ── CLI ───────────────────────────────────────────────────────────────────────
+const USAGE = `usage: magenta-canon verify <bundle.json> [options]
+       magenta-canon verify --self-test
+
+options:
+  --expected-witness-key <file-or-hex>  independently trusted witness public key.
+                                        REQUIRED for "ORIGIN AND INTEGRITY VERIFIED";
+                                        without it the best result is
+                                        "INTEGRITY VERIFIED" (bundle-trusted key).
+  --require-receipt <hash>              fail unless this exact receipt_hash is present
+  --require-action-hash <hash>          fail unless a receipt commits to this action_hash
+  --min-receipts <n>                    fail unless the bundle has at least n receipts
+  --allow-empty-log                     diagnostic mode: permit zero-receipt checkpoints
+  --json                                machine-readable outcome on stdout
+  --version                             print verifier version
+
+exit codes: 0 verified (either level) · 1 verification failed · 2 incomplete evidence / usage
+`;
 function printResult(r) {
     console.log(`  verifier: ${exports.VERSION}`);
+    console.log(`  witness-key source: ${r.witnessKeySource === "cli" ? "INDEPENDENT (supplied by caller)"
+        : r.witnessKeySource === "bundle" ? "bundle-provided (NOT independently trusted)" : "none"}`);
     for (const c of r.checks)
         console.log(`  [${c.pass ? "PASS" : "FAIL"}] ${c.name}${c.detail ? `  — ${c.detail}` : ""}`);
-    console.log(`\n  RESULT: ${r.allPassed ? "VERIFIED" : "VERIFICATION FAILED"}`);
+    for (const s of r.skipped)
+        console.log(`  [SKIP] ${s.name}  — ${s.reason}`);
+    for (const reason of r.reasons)
+        console.log(`  note: ${reason}`);
+    console.log(`\n  RESULT: ${r.verdict}`);
+}
+const exitCodeFor = (v) => v === "VERIFICATION FAILED" ? 1 : v === "INCOMPLETE EVIDENCE" ? 2 : 0;
+/** Accept a 64-hex key directly or a path to a file containing one. Fails closed. */
+function loadExpectedKey(arg) {
+    const raw = (() => {
+        try {
+            return (0, node_fs_1.readFileSync)(arg, "utf8");
+        }
+        catch {
+            return arg;
+        }
+    })();
+    return raw.trim().toLowerCase();
+}
+function parseCliArgs(argv) {
+    const opts = {};
+    let bundlePath;
+    let json = false;
+    for (let i = 0; i < argv.length; i++) {
+        const a = argv[i];
+        switch (a) {
+            case "--expected-witness-key": {
+                const v = argv[++i];
+                if (!v)
+                    return { error: "--expected-witness-key requires a value" };
+                opts.expectedWitnessKey = loadExpectedKey(v);
+                break;
+            }
+            case "--require-receipt": {
+                const v = argv[++i];
+                if (!v)
+                    return { error: "--require-receipt requires a value" };
+                opts.requireReceiptHash = v.toLowerCase();
+                break;
+            }
+            case "--require-action-hash": {
+                const v = argv[++i];
+                if (!v)
+                    return { error: "--require-action-hash requires a value" };
+                opts.requireActionHash = v.toLowerCase();
+                break;
+            }
+            case "--min-receipts": {
+                const v = Number(argv[++i]);
+                if (!Number.isInteger(v) || v < 0)
+                    return { error: "--min-receipts requires a non-negative integer" };
+                opts.minReceipts = v;
+                break;
+            }
+            case "--allow-empty-log":
+                opts.allowEmptyLog = true;
+                break;
+            case "--json":
+                json = true;
+                break;
+            default:
+                if (a.startsWith("-"))
+                    return { error: `unknown option '${a}'` };
+                if (bundlePath)
+                    return { error: "multiple bundle paths given" };
+                bundlePath = a;
+        }
+    }
+    return { bundlePath, opts, json };
 }
 function selfTest() {
     // Build a tiny log + STH with an ephemeral witness key, entirely self-contained.
@@ -167,27 +353,59 @@ function selfTest() {
     const root_hash = merkleRoot(leaves);
     const sth = { tree_size: 3, root_hash, timestamp: "2026-05-31T00:00:00Z", witness_pubkey, signature: "" };
     sth.signature = Buffer.from(tweetnacl_1.default.sign.detached(utf8(sthMessage(sth)), kp.secretKey)).toString("hex");
-    console.log("── self-test: valid evidence ──");
-    printResult(verifyBundle({ witness_pubkey, sth, inclusion: { index: 1, leaf_hash: leaves[1], proof: [
+    const valid = { witness_pubkey, sth, inclusion: { index: 1, leaf_hash: leaves[1], proof: [
                 { sibling: leaves[0], right: false }, { sibling: leaves[2], right: true },
-            ], root_hash } }));
+            ], root_hash } };
+    console.log("── self-test: valid evidence, bundle-trusted key (integrity only) ──");
+    printResult(verifyBundle(valid));
+    console.log("\n── self-test: valid evidence + independently pinned key (full origin) ──");
+    printResult(verifyBundle(valid, { expectedWitnessKey: witness_pubkey }));
+    console.log("\n── self-test: ATTACK — fabricated history under a fresh key (must NOT gain origin) ──");
+    const attacker = tweetnacl_1.default.sign.keyPair();
+    const forgedKey = Buffer.from(attacker.publicKey).toString("hex");
+    const forgedSth = { ...sth, witness_pubkey: forgedKey, signature: "" };
+    forgedSth.signature = Buffer.from(tweetnacl_1.default.sign.detached(utf8(sthMessage(forgedSth)), attacker.secretKey)).toString("hex");
+    printResult(verifyBundle({ witness_pubkey: forgedKey, sth: forgedSth, inclusion: valid.inclusion }, { expectedWitnessKey: witness_pubkey }));
+    console.log("\n── self-test: empty checkpoint without --allow-empty-log (must be INCOMPLETE) ──");
+    const emptyRoot = merkleRoot([]);
+    const emptySth = { tree_size: 0, root_hash: emptyRoot, timestamp: "2026-05-31T00:00:00Z", witness_pubkey, signature: "" };
+    emptySth.signature = Buffer.from(tweetnacl_1.default.sign.detached(utf8(sthMessage(emptySth)), kp.secretKey)).toString("hex");
+    printResult(verifyBundle({ witness_pubkey, sth: emptySth, receipts: [] }));
     console.log("\n── self-test: tampered STH root (must FAIL) ──");
     printResult(verifyBundle({ witness_pubkey, sth: { ...sth, root_hash: "00".repeat(32) } }));
 }
 function main() {
-    const arg = process.argv[2];
-    if (arg === "--version") {
+    const argv = process.argv.slice(2);
+    if (argv[0] === "--version") {
         console.log(exports.VERSION);
         return;
     }
-    if (!arg || arg === "--self-test") {
+    if (argv.length === 0 || argv[0] === "--self-test") {
         selfTest();
         return;
     }
-    const bundle = JSON.parse((0, node_fs_1.readFileSync)(arg, "utf8"));
-    const result = verifyBundle(bundle);
-    printResult(result);
-    process.exit(result.allPassed ? 0 : 1);
+    if (argv[0] === "--help" || argv[0] === "-h") {
+        process.stdout.write(USAGE);
+        return;
+    }
+    const parsed = parseCliArgs(argv);
+    if ("error" in parsed) {
+        console.error(`magenta-verify: ${parsed.error}\n\n${USAGE}`);
+        process.exit(2);
+    }
+    if (!parsed.bundlePath) {
+        console.error(`magenta-verify: missing <bundle.json>\n\n${USAGE}`);
+        process.exit(2);
+    }
+    const bundle = JSON.parse((0, node_fs_1.readFileSync)(parsed.bundlePath, "utf8"));
+    const result = verifyBundle(bundle, parsed.opts);
+    if (parsed.json) {
+        console.log(JSON.stringify({ version: exports.VERSION, ...result }, null, 2));
+    }
+    else {
+        printResult(result);
+    }
+    process.exit(exitCodeFor(result.verdict));
 }
 // Run as CLI only when executed directly (not when imported by tests).
 if (process.argv[1] && /magenta-verify\.[cm]?[jt]s$/.test(process.argv[1]))

package/docs/MAGENTA_VERIFICATION_SPEC.md

@@ -1,4 +1,4 @@
-# Magenta Verification Spec v1
+# Magenta Verification Spec v1.1
 
 **What this is:** the complete, language-agnostic recipe for verifying a Magenta
 agent-action record **without trusting — or running — the Magenta server.** If you
@@ -108,6 +108,46 @@ operator cannot make the recomputed root match an STH the auditor *already holds
 unless they also control the witness key and every mirror of that STH. So checks
 (1)+(3)+(4) against a pre-mirrored STH expose insider tampering.
 
+### 5.5 Receipt issuer signatures (enforced — spec v1.1)
+
+Where receipts carry `issuer_pubkey` + `receipt_signature`, the verifier MUST
+check each signature: Ed25519 over the UTF-8 bytes of the lowercase-hex
+canonical hash (§6) of the receipt body **excluding `receipt_signature`**.
+A missing, malformed, mismatched, or wrong-key signature is a verification
+failure. A mixed bundle (some receipts signed, some not) is a verification
+failure. A bundle whose receipts carry no issuer fields at all remains
+verifiable at the integrity level, but the verifier MUST surface the skipped
+issuer-authentication check — it must never imply issuer authenticity it did
+not check.
+
+### 5.6 Verdict levels (spec v1.1) — what was actually proven
+
+A bundle that contains its own witness key can always be **internally**
+self-consistent: an attacker who generates a fresh witness key can fabricate a
+complete history that passes every mathematical check. Internal consistency
+and origin authenticity are therefore SEPARATE claims, and the verifier emits
+layered verdicts that never conflate them:
+
+| Verdict | Meaning |
+|---|---|
+| `ORIGIN AND INTEGRITY VERIFIED` | All checks passed **and** the STH witness key matched a key supplied independently of the bundle (`--expected-witness-key`, a pinned key, or a mirror record). |
+| `INTEGRITY VERIFIED` | All checks passed, but the witness key came from the bundle itself. Proves internal consistency only — NOT who produced the history. |
+| `INCOMPLETE EVIDENCE` | Structurally valid, but the bundle proves no action: zero receipts and no inclusion proof. An empty checkpoint must never pass as action evidence (explicit `--allow-empty-log` exists for checkpoint diagnostics and is labeled as such). |
+| `VERIFICATION FAILED` | A performed check failed, or a caller-required element (exact `receipt_hash`, `action_hash`, or minimum receipt count) is absent. |
+
+Rules: the expected witness key MUST come from outside the bundle and MUST be
+validated (64 lowercase hex chars) — malformed trusted-key input fails closed.
+The verifier MUST report where its witness key came from (caller vs bundle),
+MUST list skipped checks, and MUST NOT describe a bundle-provided key as
+"mirrored", "pinned", or "trusted".
+
+### 5.7 Required-evidence claims
+
+A party verifying a *disputed action* should require the specific evidence,
+not merely a consistent log: `--require-receipt <receipt_hash>`,
+`--require-action-hash <hash>`, and/or `--min-receipts <n>`. Absence of a
+required element is `VERIFICATION FAILED`, not a softer verdict.
+
 ---
 
 ## 6. Canonical JSON details

package/docs/NPM_PACKAGING.md

@@ -5,15 +5,21 @@ what deliberately does not, and how to verify the package locally.
 
 > **Status: published on npm.** The current published release is **`0.1.13`**,
 > carried on **both** the `latest` and `next` dist-tags (CJ published `0.1.13`
-> and explicitly aligned both tags). This refresh prepares **`0.2.0`** — the
-> **lean precompiled artifact**: the package now ships compiled CommonJS
-> (`dist/`) executed directly by Node (no runtime `tsx`/`esbuild`/TypeScript),
-> the hosted Express/Passport/PostgreSQL plane no longer ships, runtime
-> dependencies are **2** (`tweetnacl`, `zod`), a consumer install is
-> **3 packages with zero install scripts**, and the tarball is
-> **49 files / ~124.7 kB packed / ~468 kB unpacked**. `0.2.0` is **not yet
-> published**; publishing remains an explicitly-authorized step done on an
-> authenticated machine.
+> and explicitly aligned both tags). This refresh prepares **`0.3.0`** — the
+> **truth-hardened verifier** (spec v1.1): layered verdicts (`ORIGIN AND
+> INTEGRITY VERIFIED` / `INTEGRITY VERIFIED` / `INCOMPLETE EVIDENCE` /
+> `VERIFICATION FAILED`), independently pinned witness keys
+> (`--expected-witness-key`), empty-evidence rejection, and enforced receipt
+> issuer signatures. `0.2.0` (the lean precompiled artifact) is **published**
+> and carried on both tags. `0.3.0` is **not yet published**; publishing
+> remains an explicitly-authorized step done on an authenticated machine.
+>
+> **Verdict-semantics migration (0.3.0):** scripts that grepped
+> `RESULT: VERIFIED` must match the new verdicts — `RESULT: INTEGRITY
+> VERIFIED` (no independent key supplied) or `RESULT: ORIGIN AND INTEGRITY
+> VERIFIED` (key supplied via `--expected-witness-key <file-or-hex>`).
+> Zero-receipt bundles now exit `2` (`INCOMPLETE EVIDENCE`) instead of
+> verifying. Exit codes: `0` either verified level, `1` failed, `2` incomplete.
 
 ## Release posture
 
@@ -49,7 +55,8 @@ npm dist-tag add magenta-canon@<version> next
 | `0.1.11` | docs-only: README/packaging copy aligned with the published dist-tags (`latest` tracks current; plain `npx magenta-canon` works) |
 | `0.1.12` | the **full trust loop** release: external STH mirror (`mirror` CLI: append/verify/check/--self-test) + mirror-feed operator helper (`mirror-feed`) + operational runbook; supply-chain remediation (`npm audit` 15→**0**, runtime deps 19→17, `ws` removed, `@anthropic-ai/sdk` demoted to dev with a lazy key-gated bridge, express transitives patched via overrides, drizzle-orm 0.45.2, tarball narrowed); intake/gateway test-hygiene; plus the Windows ESM subprocess-path fix + first Windows CI job — **published** |
 | `0.1.13` | **security hardening** (no API change): constant-time `INTERNAL_API_KEY` comparison; trust-key custody regression tests (root/intermediate never transit, actor key never persisted, key-returning routes fail closed) pinning the design Socket's AI heuristic flagged on `server/routes.ts`; threat-model docs (`SECURITY_MODEL.md` "Trust-key custody") + Socket dependency-alert mapping (`SUPPLY_CHAIN_REVIEW.md` §8) |
-| `0.2.0` | the **lean precompiled artifact** (supply-chain cleanroom, PRs #23–#25): minimal in-process demo control plane (the hosted Express/Passport/Postgres plane no longer ships); explicit `files` whitelist; org-storage and org-schema splits keep `pg`/drizzle out of the lean closure; **precompiled CommonJS `dist/`** built by `npm run build:lean` at `prepack` (deterministic, sha256 `MANIFEST.json`); runtime deps 17 → **2** (`tweetnacl`, `zod`); consumer install 111 → **3** packages; **zero install scripts**; no runtime `tsx`/`esbuild`/TypeScript; closure + precompile regression guards in `scripts/lean-closure.test.ts` — **not yet published** |
+| `0.2.0` | the **lean precompiled artifact** (supply-chain cleanroom, PRs #23–#25): minimal in-process demo control plane (the hosted Express/Passport/Postgres plane no longer ships); explicit `files` whitelist; org-storage and org-schema splits keep `pg`/drizzle out of the lean closure; **precompiled CommonJS `dist/`** built by `npm run build:lean` at `prepack` (deterministic, sha256 `MANIFEST.json`); runtime deps 17 → **2** (`tweetnacl`, `zod`); consumer install 111 → **3** packages; **zero install scripts**; no runtime `tsx`/`esbuild`/TypeScript; closure + precompile regression guards in `scripts/lean-closure.test.ts` — **published**; `latest`/`next` aligned |
+| `0.3.0` | **verifier truth hardening** (spec v1.1, PR #27): layered verdicts; `--expected-witness-key` (independently pinned witness identity — a bundle's own key can no longer masquerade as trusted); `INCOMPLETE EVIDENCE` for zero-receipt bundles; `--require-receipt`/`--require-action-hash`/`--min-receipts` claim pinning; **receipt issuer signatures enforced**; `--json` machine output; 21-test adversarial battery; demo now pins the witness key and earns `ORIGIN AND INTEGRITY VERIFIED`. Plus: Durable Witness architecture report, MVAR v1 receipt-standard DRAFT + schema/vectors, public verifier-page design — **not yet published** |
 
 **Verified on macOS / Linux / Windows (current release `0.1.11`; `0.1.12` re-proven via installed-tarball smoke):**
 `npx magenta-canon demo` completes the full
@@ -247,23 +254,23 @@ MCP gateway, and a **local-file external STH mirror foundation** with an
 operator runbook. **Not** included: hosted mirror service, automated network
 publishing, production multi-tenant SaaS, production durability guarantees.
 
-## Verifying the `0.2.0` artifact (release checklist)
+## Verifying the release artifact (checklist — current target `0.3.0`)
 
 From a clean checkout of the release commit:
 
 ```bash
 npm ci && npm run check && npm test          # 0 tsc errors; full suite green
 npm run build:lean && npm run build:lean     # deterministic: dist/MANIFEST.json identical
-npm pack                                     # prepack rebuilds dist/; expect magenta-canon-0.2.0.tgz
-tar -tzf magenta-canon-0.2.0.tgz             # 49 files; no .ts, no .map, no tests, no server/routes.ts
+npm pack                                     # prepack rebuilds dist/; expect magenta-canon-0.3.0.tgz
+tar -tzf magenta-canon-0.3.0.tgz             # ~50 files; no .ts, no .map, no tests, no server/routes.ts
 ```
 
 Then in an empty directory:
 
 ```bash
-npm init -y && npm i ../path/to/magenta-canon-0.2.0.tgz
+npm init -y && npm i ../path/to/magenta-canon-0.3.0.tgz
 ls node_modules                              # exactly: magenta-canon tweetnacl zod
-npx magenta-canon verify --self-test         # RESULT: VERIFIED + tamper VERIFICATION FAILED
+npx magenta-canon verify --self-test         # all verdict levels incl. tamper VERIFICATION FAILED
 npx magenta-canon mirror --self-test         # [PASS] x3
 npx magenta-canon demo                       # allow / block / VERIFIED / tamper FAILED
 ```

package/docs/SECURITY_MODEL.md

@@ -66,6 +66,16 @@ Concretely, proven in `docs/MCP_GATEWAY_RUN.md` and `docs/VERIFICATION_RUN.md`:
    `scripts/magenta-verify.ts` imports only `node:crypto`, `node:fs`, `tweetnacl`
    (test-enforced) and follows `docs/MAGENTA_VERIFICATION_SPEC.md`. An auditor
    should read the spec / re-implement the verifier rather than trust ours blindly.
+5. **Integrity and origin are separate claims (spec v1.1 verdicts).** A bundle
+   carrying its own witness key can always be made internally self-consistent
+   by an attacker holding a fresh key. The verifier therefore reports
+   `INTEGRITY VERIFIED` when its only key source is the bundle, and
+   `ORIGIN AND INTEGRITY VERIFIED` only when the witness key matched one
+   supplied independently (`--expected-witness-key`, a pinned key, or a mirror
+   record). Empty (zero-receipt) checkpoints never verify as action evidence
+   (`INCOMPLETE EVIDENCE`), and receipt issuer signatures are cryptographically
+   enforced when present. Auditors verifying a disputed action should also pin
+   the claim itself: `--require-receipt <hash>` / `--require-action-hash <hash>`.
 
 ## Trust-key custody (root/intermediate never leave; actor key is caller-owned)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "magenta-canon",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "type": "module",
   "license": "Apache-2.0",
   "description": "A verifiable MCP accountability gateway for AI-agent tool calls: allows authorized calls, blocks unauthorized calls, records both, and produces cryptographic evidence anyone can verify.",

package/scripts/demo.mjs

@@ -86,6 +86,7 @@ const F = {
   downstream: path.join(tmp, "downstream-calls.log"),
   bundle: path.join(tmp, "evidence-bundle.json"),
   tampered: path.join(tmp, "tampered-bundle.json"),
+  witnessKey: path.join(tmp, "witness-key.pub"),
   config: path.join(tmp, "gateway.config.json"),
   serverLog: path.join(tmp, "control-plane.log"),
 };
@@ -279,12 +280,19 @@ async function main() {
 
   // ── 6. independent verification ─────────────────────────────────────────────
   step("6/7", "Independent verification (magenta-verify — imports nothing from the server)…");
-  const ver = await capture(process.execPath, [...scriptArgv("scripts/magenta-verify.ts"), F.bundle]);
+  // The operator PINS the witness key of the universe they just created and
+  // hands it to the verifier independently of the bundle (--expected-witness-key)
+  // — the same flow an external auditor uses with a mirrored/pinned key. This
+  // earns the strongest verdict: ORIGIN AND INTEGRITY VERIFIED. Without the
+  // pinned key the verifier honestly reports INTEGRITY VERIFIED only.
+  writeFileSync(F.witnessKey, bundle.witness_pubkey);
+  const ver = await capture(process.execPath, [...scriptArgv("scripts/magenta-verify.ts"), F.bundle,
+    "--expected-witness-key", F.witnessKey]);
   for (const line of ver.out.trim().split("\n")) sub(dim("│ ") + line);
-  if (ver.code !== 0 || !/RESULT: VERIFIED/.test(ver.out)) {
-    die("evidence did NOT verify — the proof loop is broken.", ver.err);
+  if (ver.code !== 0 || !/RESULT: ORIGIN AND INTEGRITY VERIFIED/.test(ver.out)) {
+    die("evidence did NOT fully verify — the proof loop is broken.", ver.err);
   }
-  sub(`${OK} ${grn("VERIFIED")} — anyone can re-run this against the published bundle`);
+  sub(`${OK} ${grn("ORIGIN AND INTEGRITY VERIFIED")} — anyone can re-run this against the published bundle + pinned key`);
 
   // ── 7. negative control: tamper, expect failure ─────────────────────────────
   step("7/7", "Negative control — tamper with one byte of the evidence (must FAIL)…");
@@ -297,7 +305,8 @@ async function main() {
   writeFileSync(F.tampered, JSON.stringify(tampered, null, 2));
   sub(dim(`(edited receipt_hash …${h.slice(-8)} → …${last.receipt_hash.slice(-8)})`));
 
-  const verBad = await capture(process.execPath, [...scriptArgv("scripts/magenta-verify.ts"), F.tampered]);
+  const verBad = await capture(process.execPath, [...scriptArgv("scripts/magenta-verify.ts"), F.tampered,
+    "--expected-witness-key", F.witnessKey]);
   for (const line of verBad.out.trim().split("\n")) {
     const l = /\[FAIL\]|VERIFICATION FAILED/.test(line) ? red(line) : line;
     sub(dim("│ ") + l);