settld 0.2.3 → 0.2.5

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/governance/revocations.json

@@ -0,0 +1 @@
+{"generatedAt":"2026-02-02T00:00:00.000Z","listHash":"5c286871ea76001026b765f52296df51f76f4e040b537963fde671850684cf87","listId":"revocations_default_v1","revocations":[],"rotations":[],"schemaVersion":"RevocationList.v1","signature":"IG/Mwb9syG1HtzD7YwEM+eG4dPPhcIqy75SC3GjzoZZcepeWY/YpYVVzxxwBINkaFrr/mtUmq+s+Kizogs75Bw==","signedAt":"2026-02-02T00:00:00.000Z","signerKeyId":"key_4bd1ee0813b265cb6670a1cc"}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/invoice/invoice_claim.json

@@ -0,0 +1 @@
+{"createdAt":"2026-02-02T00:00:00.000Z","currency":"USD","invoiceId":"invoice_fixture_1","jobProof":{"embeddedPath":"payload/job_proof_bundle","headAttestationHash":"c70b62f9e28ac91fa07073c802495d1801921c0d01924a2538f981a7e18f8d5b","manifestHash":"6775ce8a23cb436fdd6e2809bf79d2b1ac05f76a820094342b0cc68f425ef9d8"},"lineItems":[{"amountCents":"1500","code":"WORK_MINUTES","quantity":"10","unitPriceCents":"150"}],"schemaVersion":"InvoiceClaim.v1","subtotalCents":"1500","tenantId":"tenant_fixture","totalCents":"1500"}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/manifest.json

@@ -0,0 +1 @@
+{"createdAt":"2026-02-02T00:00:00.000Z","files":[{"bytes":949,"name":"governance/policy.json","sha256":"ecc617ae2edbddddecbc3580b509b6e2f218787238e883a348a575f278f1f662"},{"bytes":409,"name":"governance/revocations.json","sha256":"7dd89653b90b485f06e17990b064a5cb2d2d1e39e144f019f0ab164432d008b2"},{"bytes":519,"name":"invoice/invoice_claim.json","sha256":"fe64b5bee3e55bfdf61628896a1e92df5b4c9a48973e6ffd594e7448d250537f"},{"bytes":537,"name":"metering/metering_report.json","sha256":"1f19f5309e33a4c133fd60fae5dbe10f50b9a12d9541fc8bb975eff432c72c06"},{"bytes":864,"name":"payload/job_proof_bundle/attestation/bundle_head_attestation.json","sha256":"641947fd28044f926bae840ad343bb4d75d6be44b29e329098210f0af4c28a43"},{"bytes":515,"name":"payload/job_proof_bundle/events/events.jsonl","sha256":"1fbc8ef4a9d8a42efc02e2885b043578f3a0584d4054d98c3f06b1cfa276a126"},{"bytes":186,"name":"payload/job_proof_bundle/events/payload_material.jsonl","sha256":"338953ab5054bdc4a7d83c9ef1fef8d3c83ee78916f32c250636238208de62d3"},{"bytes":778,"name":"payload/job_proof_bundle/governance/global/events/events.jsonl","sha256":"a56f271f30f0c485a0cb80ab65f74b65fd438422d1f9d2e7e1664e5f028ce520"},{"bytes":449,"name":"payload/job_proof_bundle/governance/global/events/payload_material.jsonl","sha256":"1e2b95a0192f324d49a45c4378936d5a32c6548f44648d72ed79522186b0867f"},{"bytes":152,"name":"payload/job_proof_bundle/governance/global/snapshot.json","sha256":"4a5b0d84a0b96dd0fec4650d1f5483b8a4795d0c891595d730bf74a556f4368b"},{"bytes":951,"name":"payload/job_proof_bundle/governance/policy.json","sha256":"e88b6fdf8494a31264f18df85a4f2de96d69be1c03ddbfc901157a03cf02341c"},{"bytes":409,"name":"payload/job_proof_bundle/governance/revocations.json","sha256":"7dd89653b90b485f06e17990b064a5cb2d2d1e39e144f019f0ab164432d008b2"},{"bytes":0,"name":"payload/job_proof_bundle/governance/tenant/events/events.jsonl","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},{"bytes":0,"name":"payload/job_proof_bundle/governance/tenant/events/payload_material.jsonl","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},{"bytes":66,"name":"payload/job_proof_bundle/governance/tenant/snapshot.json","sha256":"353bc53464b75d5a61a810a29014b9a2fcdcdeb0762d18da745ef15765919400"},{"bytes":138,"name":"payload/job_proof_bundle/job/snapshot.json","sha256":"819c087bd8fc5a6fbf833ff13e31915433bc1687f32e8231bd6263718f31bab8"},{"bytes":470,"name":"payload/job_proof_bundle/keys/public_keys.json","sha256":"e88c404c67d245925a0c7e21d5381428b2ef3df69fd31041a39105c5ec7849eb"},{"bytes":1930,"name":"payload/job_proof_bundle/manifest.json","sha256":"844451c8a0efb43b28c5f4ea44dd291e908590fa00583d7d9cc6934c2143c7fb"},{"bytes":297,"name":"payload/job_proof_bundle/verify/report.json","sha256":"1f7725687929166e2258c0f68f4f50d5419a59a0ef490abd407fbcfc9a4123f8"},{"bytes":1312,"name":"payload/job_proof_bundle/verify/verification_report.json","sha256":"86c22381caf30735783418f603518c8f7301b53cb2e8f4e49326e1e1d46c9f06"},{"bytes":112,"name":"pricing/pricing_matrix.json","sha256":"c43476f394086b2f66ac1df090a303f32713547b64ecf29e83ac6762ddbc1fb3"},{"bytes":346,"name":"pricing/pricing_matrix_signatures.json","sha256":"25c1ebf3c5af800807a1fe1a9b824760099c5171765fb4ef8610cfb91d20564e"},{"bytes":601,"name":"settld.json","sha256":"b6033ab19043026b8c5df1c41ce33446088edebc96a0c1cf564ab3d4484b79af"}],"hashing":{"excludes":["verify/**"],"fileOrder":"path_asc","schemaVersion":"InvoiceBundleManifestHash.v1"},"invoiceId":"invoice_fixture_1","manifestHash":"7b348ab1bb5a84f7899b718a08bd7827bb6b7b213b97ef74142061270fb2233a","protocol":"1.0","schemaVersion":"InvoiceBundleManifest.v1","tenantId":"tenant_fixture","type":"InvoiceBundle.v1"}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/metering/metering_report.json

@@ -0,0 +1 @@
+{"evidenceRefs":[{"path":"job/snapshot.json","sha256":"819c087bd8fc5a6fbf833ff13e31915433bc1687f32e8231bd6263718f31bab8"}],"generatedAt":"2026-02-02T00:00:00.000Z","invoiceId":"invoice_fixture_1","items":[{"code":"WORK_MINUTES","quantity":"10"}],"jobProof":{"embeddedPath":"payload/job_proof_bundle","headAttestationHash":"c70b62f9e28ac91fa07073c802495d1801921c0d01924a2538f981a7e18f8d5b","manifestHash":"6775ce8a23cb436fdd6e2809bf79d2b1ac05f76a820094342b0cc68f425ef9d8"},"schemaVersion":"MeteringReport.v1","tenantId":"tenant_fixture"}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/payload/job_proof_bundle/attestation/bundle_head_attestation.json

@@ -0,0 +1 @@
+{"attestationHash":"c70b62f9e28ac91fa07073c802495d1801921c0d01924a2538f981a7e18f8d5b","generatedAt":"2026-02-02T00:00:00.000Z","heads":{"governance":{"global":{"lastChainHash":"92b4cd341b48c58fc8dffea3d6bbc0f62f979965d9271339ced8b8f7bf258e60","lastEventId":"evt_gov_serverA_registered"},"tenant":{"lastChainHash":null,"lastEventId":null}},"job":{"lastChainHash":"e698a6e1d597a4be85d31bdac90a34a66b9d43886ad43f59c0cc4e77efdde78d","lastEventId":"evt_job_created"}},"kind":"JobProofBundle.v1","manifestHash":"6775ce8a23cb436fdd6e2809bf79d2b1ac05f76a820094342b0cc68f425ef9d8","schemaVersion":"BundleHeadAttestation.v1","scope":{"jobId":"job_fixture_1"},"signature":"WqNZduwUjQcSlBF7PnWoRyaBuyeD73eevVB3jz58Fa3xd6J+HT6ivilEdUMaATF4QxA+s2p4sMhJYrHeqKB3CQ==","signedAt":"2026-02-02T00:00:00.000Z","signerKeyId":"key_9ed38005b42d9364601ffab3","tenantId":"tenant_fixture"}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/payload/job_proof_bundle/events/events.jsonl

@@ -0,0 +1 @@
+{"actor":{"id":"proxy","type":"system"},"at":"2026-02-02T00:00:00.000Z","chainHash":"e698a6e1d597a4be85d31bdac90a34a66b9d43886ad43f59c0cc4e77efdde78d","id":"evt_job_created","payload":{"jobId":"job_fixture_1"},"payloadHash":"6b46a068dfe3479d2f09f84ae0ed29bb7e2cd9e1ec4c17bccca1c1307a04c47c","prevChainHash":null,"signature":"ZmciBEg0pm549K4dpIE988oH5xwRDeimD9g73v5hHXKeGYa0RXZ3hFkJ6BzxCxODFDlUQzzyJkDkjKSpeOkvDg==","signerKeyId":"key_9ed38005b42d9364601ffab3","streamId":"job_fixture_1","type":"JOB_CREATED","v":1}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/payload/job_proof_bundle/events/payload_material.jsonl

@@ -0,0 +1 @@
+{"actor":{"id":"proxy","type":"system"},"at":"2026-02-02T00:00:00.000Z","id":"evt_job_created","payload":{"jobId":"job_fixture_1"},"streamId":"job_fixture_1","type":"JOB_CREATED","v":1}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/payload/job_proof_bundle/governance/global/events/events.jsonl

@@ -0,0 +1 @@
+{"actor":{"id":"proxy","type":"system"},"at":"2026-01-01T00:00:00.000Z","chainHash":"92b4cd341b48c58fc8dffea3d6bbc0f62f979965d9271339ced8b8f7bf258e60","id":"evt_gov_serverA_registered","payload":{"keyId":"key_9ed38005b42d9364601ffab3","publicKeyPem":"-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAQ70D1FtwopWnvJeFsiKdThSP/9QADgSeaZYKip79KQI=\n-----END PUBLIC KEY-----\n","reason":"fixture","registeredAt":"2026-01-01T00:00:00.000Z","tenantId":"tenant_default"},"payloadHash":"d996dc5347a113a6050ed453e7b5feb2f1edb93a5ffb68d4fbca7b015336c61b","prevChainHash":null,"signature":"ovzEbrAqeEhQ7xrz/cIIor85ygkD7bgBvbWxKsQetxKkWjCBDoVUfmPn9UrqF/iNtIZcqBK9TA/SXrNk/VjHAg==","signerKeyId":"key_9ed38005b42d9364601ffab3","streamId":"governance","type":"SERVER_SIGNER_KEY_REGISTERED","v":1}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/payload/job_proof_bundle/governance/global/events/payload_material.jsonl

@@ -0,0 +1 @@
+{"actor":{"id":"proxy","type":"system"},"at":"2026-01-01T00:00:00.000Z","id":"evt_gov_serverA_registered","payload":{"keyId":"key_9ed38005b42d9364601ffab3","publicKeyPem":"-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAQ70D1FtwopWnvJeFsiKdThSP/9QADgSeaZYKip79KQI=\n-----END PUBLIC KEY-----\n","reason":"fixture","registeredAt":"2026-01-01T00:00:00.000Z","tenantId":"tenant_default"},"streamId":"governance","type":"SERVER_SIGNER_KEY_REGISTERED","v":1}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/payload/job_proof_bundle/governance/global/snapshot.json

@@ -0,0 +1 @@
+{"lastChainHash":"92b4cd341b48c58fc8dffea3d6bbc0f62f979965d9271339ced8b8f7bf258e60","lastEventId":"evt_gov_serverA_registered","streamId":"governance"}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/payload/job_proof_bundle/governance/policy.json

@@ -0,0 +1 @@
+{"algorithms":["ed25519"],"bundleHeadAttestationSigners":[{"allowedKeyIds":["key_9ed38005b42d9364601ffab3"],"allowedScopes":["global","tenant"],"requireGoverned":true,"requiredPurpose":"server","subjectType":"JobProofBundle.v1"}],"generatedAt":"2026-02-02T00:00:00.000Z","policyHash":"f8588a9eef597dd67d29035ff157b00a79bbf2d17056ce063e9a65a390d005d7","policyId":"governance_policy_default_v2","revocationList":{"path":"governance/revocations.json","sha256":"5c286871ea76001026b765f52296df51f76f4e040b537963fde671850684cf87"},"schemaVersion":"GovernancePolicy.v2","signature":"lxr9K5+X7/oVnIFATriFJW/+i96UUDXPP5ATFseAtqlSe/0juicaoad8U0kMT4Xks6xDHrLLOD/ASEm/DRcVDA==","signedAt":"2026-02-02T00:00:00.000Z","signerKeyId":"key_4bd1ee0813b265cb6670a1cc","verificationReportSigners":[{"allowedKeyIds":["key_9ed38005b42d9364601ffab3"],"allowedScopes":["global","tenant"],"requireGoverned":true,"requiredPurpose":"server","subjectType":"JobProofBundle.v1"}]}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/payload/job_proof_bundle/governance/revocations.json

@@ -0,0 +1 @@
+{"generatedAt":"2026-02-02T00:00:00.000Z","listHash":"5c286871ea76001026b765f52296df51f76f4e040b537963fde671850684cf87","listId":"revocations_default_v1","revocations":[],"rotations":[],"schemaVersion":"RevocationList.v1","signature":"IG/Mwb9syG1HtzD7YwEM+eG4dPPhcIqy75SC3GjzoZZcepeWY/YpYVVzxxwBINkaFrr/mtUmq+s+Kizogs75Bw==","signedAt":"2026-02-02T00:00:00.000Z","signerKeyId":"key_4bd1ee0813b265cb6670a1cc"}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/payload/job_proof_bundle/governance/tenant/snapshot.json

@@ -0,0 +1 @@
+{"lastChainHash":null,"lastEventId":null,"streamId":"governance"}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/payload/job_proof_bundle/job/snapshot.json

@@ -0,0 +1 @@
+{"id":"job_fixture_1","lastChainHash":"e698a6e1d597a4be85d31bdac90a34a66b9d43886ad43f59c0cc4e77efdde78d","lastEventId":"evt_job_created"}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/payload/job_proof_bundle/keys/public_keys.json

@@ -0,0 +1 @@
+{"generatedAt":"2026-02-02T00:00:00.000Z","keys":[{"createdAt":null,"description":null,"keyId":"key_9ed38005b42d9364601ffab3","publicKeyPem":"-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAQ70D1FtwopWnvJeFsiKdThSP/9QADgSeaZYKip79KQI=\n-----END PUBLIC KEY-----\n","purpose":"server","revokedAt":null,"rotatedAt":null,"status":null,"tenantId":"tenant_fixture","validFrom":null,"validTo":null}],"order":"keyId_asc","schemaVersion":"PublicKeys.v1","tenantId":"tenant_fixture"}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/payload/job_proof_bundle/manifest.json

@@ -0,0 +1 @@
+{"files":[{"bytes":515,"name":"events/events.jsonl","sha256":"1fbc8ef4a9d8a42efc02e2885b043578f3a0584d4054d98c3f06b1cfa276a126"},{"bytes":186,"name":"events/payload_material.jsonl","sha256":"338953ab5054bdc4a7d83c9ef1fef8d3c83ee78916f32c250636238208de62d3"},{"bytes":778,"name":"governance/global/events/events.jsonl","sha256":"a56f271f30f0c485a0cb80ab65f74b65fd438422d1f9d2e7e1664e5f028ce520"},{"bytes":449,"name":"governance/global/events/payload_material.jsonl","sha256":"1e2b95a0192f324d49a45c4378936d5a32c6548f44648d72ed79522186b0867f"},{"bytes":152,"name":"governance/global/snapshot.json","sha256":"4a5b0d84a0b96dd0fec4650d1f5483b8a4795d0c891595d730bf74a556f4368b"},{"bytes":951,"name":"governance/policy.json","sha256":"e88b6fdf8494a31264f18df85a4f2de96d69be1c03ddbfc901157a03cf02341c"},{"bytes":409,"name":"governance/revocations.json","sha256":"7dd89653b90b485f06e17990b064a5cb2d2d1e39e144f019f0ab164432d008b2"},{"bytes":0,"name":"governance/tenant/events/events.jsonl","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},{"bytes":0,"name":"governance/tenant/events/payload_material.jsonl","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},{"bytes":66,"name":"governance/tenant/snapshot.json","sha256":"353bc53464b75d5a61a810a29014b9a2fcdcdeb0762d18da745ef15765919400"},{"bytes":138,"name":"job/snapshot.json","sha256":"819c087bd8fc5a6fbf833ff13e31915433bc1687f32e8231bd6263718f31bab8"},{"bytes":470,"name":"keys/public_keys.json","sha256":"e88c404c67d245925a0c7e21d5381428b2ef3df69fd31041a39105c5ec7849eb"}],"generatedAt":"2026-02-02T00:00:00.000Z","hashing":{"excludes":["verify/**"],"fileOrder":"path_asc","schemaVersion":"ProofBundleManifestHash.v1"},"kind":"JobProofBundle.v1","manifestHash":"6775ce8a23cb436fdd6e2809bf79d2b1ac05f76a820094342b0cc68f425ef9d8","schemaVersion":"ProofBundleManifest.v1","scope":{"jobId":"job_fixture_1"},"tenantId":"tenant_fixture"}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/payload/job_proof_bundle/verify/report.json

@@ -0,0 +1 @@
+{"artifacts":[],"compiledPolicies":[],"eventChain":{"ok":true},"generatedAt":"2026-02-02T00:00:00.000Z","kind":"JobProofBundle.v1","schemaVersion":"ProofBundleVerifyReport.v1","scope":{"jobId":"job_fixture_1"},"settlementProofRefs":{"checked":0,"errors":[],"ok":true},"tenantId":"tenant_fixture"}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/payload/job_proof_bundle/verify/verification_report.json

@@ -0,0 +1 @@
+{"bundleHeadAttestation":{"attestationHash":"c70b62f9e28ac91fa07073c802495d1801921c0d01924a2538f981a7e18f8d5b","manifestHash":"6775ce8a23cb436fdd6e2809bf79d2b1ac05f76a820094342b0cc68f425ef9d8","schemaVersion":"BundleHeadAttestation.v1","signedAt":"2026-02-02T00:00:00.000Z","signerKeyId":"key_9ed38005b42d9364601ffab3"},"profile":"strict","reportHash":"7bfcc64af8ec9c5df4d5b87150cab3954d5748deb725be672a0cd464c20b3b29","schemaVersion":"VerificationReport.v1","signature":"4QIO0WgDiudPESt/mGSFC7zXcU7RJnF4MftOQHTB7BvtVenQ7SubgBkl1Kc8jj+GPQdtGbIxWZQRR5pL9OrKBQ==","signedAt":"2026-02-02T00:00:00.000Z","signer":{"governanceEventRef":{"chainHash":"92b4cd341b48c58fc8dffea3d6bbc0f62f979965d9271339ced8b8f7bf258e60","eventId":"evt_gov_serverA_registered","payloadHash":"d996dc5347a113a6050ed453e7b5feb2f1edb93a5ffb68d4fbca7b015336c61b","type":"SERVER_SIGNER_KEY_REGISTERED"},"keyId":"key_9ed38005b42d9364601ffab3","scope":"global"},"signerKeyId":"key_9ed38005b42d9364601ffab3","subject":{"createdAt":"2026-02-02T00:00:00.000Z","manifestHash":"6775ce8a23cb436fdd6e2809bf79d2b1ac05f76a820094342b0cc68f425ef9d8","scope":{"jobId":"job_fixture_1"},"tenantId":"tenant_fixture","type":"JobProofBundle.v1"},"tool":{"commit":"0123456789abcdef0123456789abcdef01234567","name":"settld","version":"0.0.0-fixture"},"warnings":[]}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/pricing/pricing_matrix.json

@@ -0,0 +1 @@
+{"currency":"USD","prices":[{"code":"WORK_MINUTES","unitPriceCents":"150"}],"schemaVersion":"PricingMatrix.v1"}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/pricing/pricing_matrix_signatures.json

@@ -0,0 +1 @@
+{"pricingMatrixCanonicalHash":"0fdad09bbc49efc35602932ef73950509de0f4f929bac0af35efeeb4d138c128","schemaVersion":"PricingMatrixSignatures.v2","signatures":[{"signature":"BzQbDsMHYcKavlJznp5nc7++boaRGMzFrfTPst79HrTMp7cIfL5foPq7zYzvOc7QsIqyycFCi/WOzIqha6/KAg==","signedAt":"2026-02-02T00:00:00.000Z","signerKeyId":"key_4bd1ee0813b265cb6670a1cc"}]}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/settld.json

@@ -0,0 +1 @@
+{"createdAt":"2026-02-02T00:00:00.000Z","inputs":{"invoiceClaimHash":"fe64b5bee3e55bfdf61628896a1e92df5b4c9a48973e6ffd594e7448d250537f","jobProofBundleHash":"6775ce8a23cb436fdd6e2809bf79d2b1ac05f76a820094342b0cc68f425ef9d8","jobProofHeadAttestationHash":"c70b62f9e28ac91fa07073c802495d1801921c0d01924a2538f981a7e18f8d5b","meteringReportHash":"1f19f5309e33a4c133fd60fae5dbe10f50b9a12d9541fc8bb975eff432c72c06","pricingMatrixHash":"c43476f394086b2f66ac1df090a303f32713547b64ecf29e83ac6762ddbc1fb3"},"invoiceId":"invoice_fixture_1","protocol":"1.0","tenantId":"tenant_fixture","type":"InvoiceBundle.v1"}

package/services/magic-link/assets/samples/closepack/known-good/payload/invoice_bundle/verify/verification_report.json

@@ -0,0 +1 @@
+{"bundleHeadAttestation":{"attestationHash":"8b15727b811d865a5187aa9da01066a3271dd6465f6c18e6c8d1b59c0a955755","manifestHash":"7b348ab1bb5a84f7899b718a08bd7827bb6b7b213b97ef74142061270fb2233a","schemaVersion":"BundleHeadAttestation.v1","signedAt":"2026-02-02T00:00:00.000Z","signerKeyId":"key_9ed38005b42d9364601ffab3"},"inputs":{"invoiceClaimHash":"fe64b5bee3e55bfdf61628896a1e92df5b4c9a48973e6ffd594e7448d250537f","jobProofBundleHash":"6775ce8a23cb436fdd6e2809bf79d2b1ac05f76a820094342b0cc68f425ef9d8","jobProofHeadAttestationHash":"c70b62f9e28ac91fa07073c802495d1801921c0d01924a2538f981a7e18f8d5b","meteringReportHash":"1f19f5309e33a4c133fd60fae5dbe10f50b9a12d9541fc8bb975eff432c72c06","pricingMatrixHash":"c43476f394086b2f66ac1df090a303f32713547b64ecf29e83ac6762ddbc1fb3"},"policy":null,"profile":"strict","reportHash":"4ce80dafad18c9a29898f65df7e501d10e81c5705982db859ac2e90d0cf72d97","schemaVersion":"VerificationReport.v1","signature":"7mKxfGQ/dSufj2WY9aWJsuhbAe6PgLkGZdBpU4F5ojU9kyjEXEOLZx2wosmzPGVy6b9isC/kgyqw3kx65kwGDQ==","signedAt":"2026-02-02T00:00:00.000Z","signer":{"governanceEventRef":null,"keyId":"key_9ed38005b42d9364601ffab3","scope":"global"},"signerKeyId":"key_9ed38005b42d9364601ffab3","subject":{"createdAt":"2026-02-02T00:00:00.000Z","invoiceId":"invoice_fixture_1","manifestHash":"7b348ab1bb5a84f7899b718a08bd7827bb6b7b213b97ef74142061270fb2233a","protocol":"1.0","tenantId":"tenant_fixture","type":"InvoiceBundle.v1"},"tool":{"commit":"0123456789abcdef0123456789abcdef01234567","name":"settld","version":"0.0.0-fixture"},"warnings":[]}

package/services/magic-link/assets/samples/closepack/known-good/settld.json

@@ -0,0 +1 @@
+{"createdAt":"2026-02-02T00:00:00.000Z","inputs":{"invoiceBundleCreatedAt":"2026-02-02T00:00:00.000Z","invoiceBundleHeadAttestationHash":"8b15727b811d865a5187aa9da01066a3271dd6465f6c18e6c8d1b59c0a955755","invoiceBundleManifestHash":"7b348ab1bb5a84f7899b718a08bd7827bb6b7b213b97ef74142061270fb2233a","invoiceBundleTenantId":"tenant_fixture","invoiceBundleType":"InvoiceBundle.v1","invoiceClaimHash":"fe64b5bee3e55bfdf61628896a1e92df5b4c9a48973e6ffd594e7448d250537f","jobProofBundleHash":"6775ce8a23cb436fdd6e2809bf79d2b1ac05f76a820094342b0cc68f425ef9d8","jobProofHeadAttestationHash":"c70b62f9e28ac91fa07073c802495d1801921c0d01924a2538f981a7e18f8d5b","meteringReportHash":"1f19f5309e33a4c133fd60fae5dbe10f50b9a12d9541fc8bb975eff432c72c06","pricingMatrixHash":"c43476f394086b2f66ac1df090a303f32713547b64ecf29e83ac6762ddbc1fb3"},"invoiceBundle":{"embeddedPath":"payload/invoice_bundle","headAttestationHash":"8b15727b811d865a5187aa9da01066a3271dd6465f6c18e6c8d1b59c0a955755","manifestHash":"7b348ab1bb5a84f7899b718a08bd7827bb6b7b213b97ef74142061270fb2233a"},"invoiceId":"invoice_fixture_1","protocol":"1.0","tenantId":"tenant_fixture","type":"ClosePack.v1"}

package/services/magic-link/assets/samples/closepack/known-good/sla/sla_definition.json

@@ -0,0 +1 @@
+{"generatedAt":"2026-02-02T00:00:00.000Z","rules":[],"schemaVersion":"SlaDefinition.v1"}

package/services/magic-link/assets/samples/closepack/known-good/sla/sla_evaluation.json

@@ -0,0 +1 @@
+{"generatedAt":"2026-02-02T00:00:00.000Z","overallStatus":"ok","results":[],"schemaVersion":"SlaEvaluation.v1"}

package/services/magic-link/assets/samples/closepack/known-good/verify/verification_report.json

@@ -0,0 +1 @@
+{"bundleHeadAttestation":{"attestationHash":"eaf7436e7aef6529f7d95031ffc7f741ed68a65d8d2b5e3048f9593076ae6652","manifestHash":"0821f3de3cf3bbe659a61a0c14ca38fc82b22239f039e908a9e4b36e4f27744a","schemaVersion":"BundleHeadAttestation.v1","signedAt":"2026-02-02T00:00:00.000Z","signerKeyId":"key_9ed38005b42d9364601ffab3"},"inputs":{"invoiceBundleCreatedAt":"2026-02-02T00:00:00.000Z","invoiceBundleHeadAttestationHash":"8b15727b811d865a5187aa9da01066a3271dd6465f6c18e6c8d1b59c0a955755","invoiceBundleManifestHash":"7b348ab1bb5a84f7899b718a08bd7827bb6b7b213b97ef74142061270fb2233a","invoiceBundleTenantId":"tenant_fixture","invoiceBundleType":"InvoiceBundle.v1","invoiceClaimHash":"fe64b5bee3e55bfdf61628896a1e92df5b4c9a48973e6ffd594e7448d250537f","jobProofBundleHash":"6775ce8a23cb436fdd6e2809bf79d2b1ac05f76a820094342b0cc68f425ef9d8","jobProofHeadAttestationHash":"c70b62f9e28ac91fa07073c802495d1801921c0d01924a2538f981a7e18f8d5b","meteringReportHash":"1f19f5309e33a4c133fd60fae5dbe10f50b9a12d9541fc8bb975eff432c72c06","pricingMatrixHash":"c43476f394086b2f66ac1df090a303f32713547b64ecf29e83ac6762ddbc1fb3"},"policy":null,"profile":"strict","reportHash":"3f1570dffe2e987105a6fcdabcd6e494006bf4ba0f1ff512b358bb21edac3c6a","schemaVersion":"VerificationReport.v1","signature":"WQPcVQLKsn0ivoKQa41yHDeAjzVrbkUgLCh0KWuQFKNthdT3Dvs7cDWLsp75BatG8Ymu9lq9kjc973mDinFjDA==","signedAt":"2026-02-02T00:00:00.000Z","signer":{"governanceEventRef":null,"keyId":"key_9ed38005b42d9364601ffab3","scope":"global"},"signerKeyId":"key_9ed38005b42d9364601ffab3","subject":{"createdAt":"2026-02-02T00:00:00.000Z","invoiceId":"invoice_fixture_1","manifestHash":"0821f3de3cf3bbe659a61a0c14ca38fc82b22239f039e908a9e4b36e4f27744a","protocol":"1.0","scope":{"invoiceId":"invoice_fixture_1"},"tenantId":"tenant_fixture","type":"ClosePack.v1"},"tool":{"commit":"0123456789abcdef0123456789abcdef01234567","name":"settld","version":"0.0.0-fixture"},"warnings":[]}

package/services/magic-link/assets/samples/trust.json

@@ -0,0 +1,11 @@
+{
+  "governanceRoots": {
+    "key_4bd1ee0813b265cb6670a1cc": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAFzw7qxt31VJOSAJCw7zy267twYhbJzf9H0dwm3ZmCDM=\n-----END PUBLIC KEY-----\n"
+  },
+  "pricingSigners": {
+    "key_4bd1ee0813b265cb6670a1cc": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAFzw7qxt31VJOSAJCw7zy267twYhbJzf9H0dwm3ZmCDM=\n-----END PUBLIC KEY-----\n"
+  },
+  "timeAuthorities": {
+    "key_0c6b00150d3433d8d612eef2": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA9CRBU82m4eS1uHNL6PtKBKPLN0YdtubYFP/f9flGVd0=\n-----END PUBLIC KEY-----\n"
+  }
+}

package/services/magic-link/src/audit-log.js

@@ -0,0 +1,24 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+
+function monthKeyUtc(d) {
+  const year = d.getUTCFullYear();
+  const month = String(d.getUTCMonth() + 1).padStart(2, "0");
+  return `${year}-${month}`;
+}
+
+function auditJsonlPath({ dataDir, tenantId, monthKey }) {
+  return path.join(dataDir, "audit", tenantId, `${monthKey}.jsonl`);
+}
+
+export async function appendAuditRecord({ dataDir, tenantId, record } = {}) {
+  const at = typeof record?.at === "string" ? record.at : new Date().toISOString();
+  const atMs = Date.parse(at);
+  const monthKey = Number.isFinite(atMs) ? monthKeyUtc(new Date(atMs)) : monthKeyUtc(new Date());
+
+  const fp = auditJsonlPath({ dataDir, tenantId, monthKey });
+  await fs.mkdir(path.dirname(fp), { recursive: true });
+  await fs.appendFile(fp, JSON.stringify({ schemaVersion: "MagicLinkAuditRecord.v1", ...record, at }) + "\n", "utf8");
+  return { ok: true, monthKey };
+}
+

package/services/magic-link/src/buyer-auth.js

@@ -0,0 +1,220 @@
+import crypto from "node:crypto";
+import fs from "node:fs/promises";
+import path from "node:path";
+
+import { sendSmtpMail } from "./smtp.js";
+
+function nowIso() {
+  return new Date().toISOString();
+}
+
+function sha256Hex(text) {
+  return crypto.createHash("sha256").update(String(text ?? ""), "utf8").digest("hex");
+}
+
+function clampText(v, { max }) {
+  const s = String(v ?? "").trim();
+  if (!s) return null;
+  return s.length <= max ? s : s.slice(0, Math.max(0, max - 1)) + "…";
+}
+
+export function normalizeEmailLower(value) {
+  const raw = clampText(value, { max: 320 });
+  if (!raw) return null;
+  const email = raw.toLowerCase();
+  if (!email.includes("@")) return null;
+  const [local, domain, ...rest] = email.split("@");
+  if (!local || !domain || rest.length) return null;
+  if (/\s/.test(email)) return null;
+  return email;
+}
+
+function otpRecordPath({ dataDir, tenantId, email }) {
+  const key = sha256Hex(`${tenantId}\n${email}`);
+  return path.join(dataDir, "buyer-otp", tenantId, `${key}.json`);
+}
+
+function otpOutboxPath({ dataDir, tenantId, email }) {
+  const key = sha256Hex(`${tenantId}\n${email}`);
+  return path.join(dataDir, "buyer-otp-outbox", `${tenantId}_${key}.json`);
+}
+
+function issueCode6() {
+  const n = crypto.randomInt(0, 1_000_000);
+  return String(n).padStart(6, "0");
+}
+
+export async function issueBuyerOtp({ dataDir, tenantId, email, ttlSeconds, deliveryMode, smtp } = {}) {
+  const emailNorm = normalizeEmailLower(email);
+  if (!emailNorm) return { ok: false, error: "INVALID_EMAIL", message: "invalid email" };
+
+  const t = String(tenantId ?? "").trim();
+  if (!t) return { ok: false, error: "INVALID_TENANT", message: "tenantId is required" };
+
+  const ttl = Number.parseInt(String(ttlSeconds ?? ""), 10);
+  if (!Number.isInteger(ttl) || ttl <= 0) throw new TypeError("ttlSeconds must be a positive integer");
+
+  const code = issueCode6();
+  const createdAt = nowIso();
+  const expiresAt = new Date(Date.now() + ttl * 1000).toISOString();
+  const codeSha256 = sha256Hex(`${t}\n${emailNorm}\n${code}`);
+
+  const record = {
+    schemaVersion: "BuyerOtpRecord.v1",
+    tenantId: t,
+    email: emailNorm,
+    codeSha256,
+    createdAt,
+    expiresAt,
+    consumedAt: null,
+    attempts: 0
+  };
+
+  const fp = otpRecordPath({ dataDir, tenantId: t, email: emailNorm });
+  await fs.mkdir(path.dirname(fp), { recursive: true });
+  await fs.writeFile(fp, JSON.stringify(record, null, 2) + "\n", "utf8");
+
+  const mode = String(deliveryMode ?? "record").trim().toLowerCase();
+  if (mode === "record") {
+    const outFp = otpOutboxPath({ dataDir, tenantId: t, email: emailNorm });
+    await fs.mkdir(path.dirname(outFp), { recursive: true });
+    await fs.writeFile(
+      outFp,
+      JSON.stringify(
+        { schemaVersion: "BuyerOtpOutboxRecord.v1", tenantId: t, email: emailNorm, code, createdAt, expiresAt },
+        null,
+        2
+      ) + "\n",
+      "utf8"
+    );
+  } else if (mode === "log") {
+    // eslint-disable-next-line no-console
+    console.log(`buyer otp tenant=${t} email=${emailNorm} code=${code} expiresAt=${expiresAt}`);
+  } else if (mode === "smtp") {
+    const from = typeof smtp?.from === "string" ? smtp.from.trim() : "";
+    if (!from) return { ok: false, error: "SMTP_NOT_CONFIGURED", message: "smtp.from is required" };
+    try {
+      await sendSmtpMail({
+        host: smtp?.host,
+        port: smtp?.port,
+        secure: Boolean(smtp?.secure),
+        starttls: smtp?.starttls === undefined ? true : Boolean(smtp?.starttls),
+        auth: smtp?.user && smtp?.pass ? { user: smtp.user, pass: smtp.pass } : null,
+        from,
+        to: emailNorm,
+        subject: "Your Settld login code",
+        text: `Your login code is: ${code}\n\nThis code expires at: ${expiresAt}\n\nIf you did not request this code, you can ignore this email.\n`
+      });
+    } catch (err) {
+      return { ok: false, error: "SMTP_SEND_FAILED", message: err?.message ?? String(err ?? "smtp failed") };
+    }
+  } else {
+    throw new Error("invalid deliveryMode");
+  }
+
+  return { ok: true, tenantId: t, email: emailNorm, expiresAt };
+}
+
+export async function verifyAndConsumeBuyerOtp({ dataDir, tenantId, email, code, maxAttempts }) {
+  const emailNorm = normalizeEmailLower(email);
+  const codeNorm = clampText(code, { max: 32 });
+  const t = String(tenantId ?? "").trim();
+  if (!t || !emailNorm || !codeNorm) return { ok: false, error: "OTP_INVALID", message: "tenantId, email, and code are required" };
+
+  const max = Number.parseInt(String(maxAttempts ?? ""), 10);
+  if (!Number.isInteger(max) || max < 1) throw new TypeError("maxAttempts must be an integer >= 1");
+
+  const fp = otpRecordPath({ dataDir, tenantId: t, email: emailNorm });
+  let rec = null;
+  try {
+    rec = JSON.parse(await fs.readFile(fp, "utf8"));
+  } catch {
+    rec = null;
+  }
+  if (!rec || typeof rec !== "object" || Array.isArray(rec) || rec.schemaVersion !== "BuyerOtpRecord.v1") {
+    return { ok: false, error: "OTP_MISSING", message: "no active otp" };
+  }
+  if (String(rec.tenantId ?? "") !== t || String(rec.email ?? "") !== emailNorm) {
+    return { ok: false, error: "OTP_MISSING", message: "no active otp" };
+  }
+  if (typeof rec.consumedAt === "string" && rec.consumedAt) return { ok: false, error: "OTP_CONSUMED", message: "otp already used" };
+
+  const expiresMs = Date.parse(String(rec.expiresAt ?? ""));
+  if (!Number.isFinite(expiresMs) || Date.now() > expiresMs) return { ok: false, error: "OTP_EXPIRED", message: "otp expired" };
+
+  const attempts = Number.parseInt(String(rec.attempts ?? "0"), 10);
+  if (Number.isInteger(attempts) && attempts >= max) return { ok: false, error: "OTP_LOCKED", message: "too many attempts" };
+
+  const expected = String(rec.codeSha256 ?? "");
+  const actual = sha256Hex(`${t}\n${emailNorm}\n${codeNorm}`);
+  if (expected !== actual) {
+    rec.attempts = (Number.isInteger(attempts) ? attempts : 0) + 1;
+    await fs.writeFile(fp, JSON.stringify(rec, null, 2) + "\n", "utf8");
+    return { ok: false, error: "OTP_INVALID", message: "invalid code" };
+  }
+
+  rec.consumedAt = nowIso();
+  rec.attempts = Number.isInteger(attempts) ? attempts : 0;
+  await fs.writeFile(fp, JSON.stringify(rec, null, 2) + "\n", "utf8");
+  return { ok: true, tenantId: t, email: emailNorm };
+}
+
+function hmacBase64Url(key, text) {
+  return crypto.createHmac("sha256", key).update(String(text ?? ""), "utf8").digest("base64url");
+}
+
+function safeEqualBase64Url(a, b) {
+  try {
+    const aa = Buffer.from(String(a ?? ""), "base64url");
+    const bb = Buffer.from(String(b ?? ""), "base64url");
+    if (aa.length !== bb.length) return false;
+    return crypto.timingSafeEqual(aa, bb);
+  } catch {
+    return false;
+  }
+}
+
+export function createBuyerSessionToken({ sessionKey, tenantId, email, ttlSeconds }) {
+  const t = String(tenantId ?? "").trim();
+  const e = normalizeEmailLower(email);
+  const ttl = Number.parseInt(String(ttlSeconds ?? ""), 10);
+  if (!t || !e) return { ok: false, error: "INVALID_SESSION_INPUT" };
+  if (!Buffer.isBuffer(sessionKey) || sessionKey.length < 16) return { ok: false, error: "SESSION_KEY_MISSING" };
+  if (!Number.isInteger(ttl) || ttl <= 0) return { ok: false, error: "INVALID_TTL" };
+
+  const issuedAt = nowIso();
+  const expiresAt = new Date(Date.now() + ttl * 1000).toISOString();
+  const nonce = crypto.randomBytes(16).toString("hex");
+  const payload = { schemaVersion: "MagicLinkBuyerSession.v1", tenantId: t, email: e, issuedAt, expiresAt, nonce };
+  const payloadB64 = Buffer.from(JSON.stringify(payload), "utf8").toString("base64url");
+  const sigB64 = hmacBase64Url(sessionKey, payloadB64);
+  return { ok: true, token: `${payloadB64}.${sigB64}`, payload };
+}
+
+export function verifyBuyerSessionToken({ sessionKey, token }) {
+  if (!Buffer.isBuffer(sessionKey) || sessionKey.length < 16) return { ok: false, error: "SESSION_KEY_MISSING" };
+  const raw = String(token ?? "").trim();
+  const parts = raw.split(".");
+  if (parts.length !== 2) return { ok: false, error: "SESSION_INVALID" };
+  const [payloadB64, sigB64] = parts;
+  const expected = hmacBase64Url(sessionKey, payloadB64);
+  if (!safeEqualBase64Url(expected, sigB64)) return { ok: false, error: "SESSION_INVALID" };
+
+  let payload = null;
+  try {
+    payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
+  } catch {
+    payload = null;
+  }
+  if (!payload || typeof payload !== "object" || Array.isArray(payload)) return { ok: false, error: "SESSION_INVALID" };
+  if (String(payload.schemaVersion ?? "") !== "MagicLinkBuyerSession.v1") return { ok: false, error: "SESSION_INVALID" };
+
+  const tenantId = String(payload.tenantId ?? "").trim();
+  const email = normalizeEmailLower(payload.email);
+  if (!tenantId || !email) return { ok: false, error: "SESSION_INVALID" };
+
+  const expiresMs = Date.parse(String(payload.expiresAt ?? ""));
+  if (!Number.isFinite(expiresMs) || Date.now() > expiresMs) return { ok: false, error: "SESSION_EXPIRED" };
+
+  return { ok: true, payload: { ...payload, tenantId, email } };
+}