twzrd-receipt-verifier 1.0.0 → 1.0.2

package/README.md

@@ -14,6 +14,21 @@ This tool recomputes the leaf **and** checks the signature against the published
 key. If it says `VALID`, the receipt was authored by TWZRD and was not altered.
 Unsigned, wrong-key, or tampered receipts fail.
 
+## Where this fits: the agent trust loop
+
+This verifier is the **last step** of the x402 trust rail an agent runs before and
+after it spends:
+
+1. **Discover** a model/provider - [`wzrd-client`](https://pypi.org/project/wzrd-client/) (PyPI) or [`@wzrd_sol/sdk`](https://www.npmjs.com/package/@wzrd_sol/sdk) (npm)
+2. **Preflight** the seller wallet, free - `POST https://intel.twzrd.xyz/v1/intel/preflight` (or MCP `get_readiness_card_tool`)
+3. **Pay** with a signed receipt - `GET https://intel.twzrd.xyz/v1/intel/trust/{seller}` (0.05 USDC, x402)
+4. **Verify** the receipt offline - **this package** (trust nothing but the bytes + the public key)
+
+```bash
+# zero-install: verify a receipt straight from the published package
+npx twzrd-receipt-verifier receipt.json --pubkey 9V6Pn19kiUA5Rn6JpQfNduanvGt2aXGwsarosNfa2Ldf
+```
+
 ## The published signing key
 
 | field | value |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "twzrd-receipt-verifier",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Standalone offline verifier for TWZRD AO-Receipt V5 (Ed25519-signed keccak256 leaf). No trust in TWZRD servers or code.",
   "keywords": ["twzrd", "x402", "solana", "ed25519", "keccak256", "receipt", "verifier", "agent", "attestation"],
   "homepage": "https://intel.twzrd.xyz",

package/verify_twzrd_receipt.js

@@ -119,7 +119,29 @@ function verify(receipt, trustedPubkey) {
 
 async function main() {
   const args = process.argv.slice(2);
-  if (args.length === 0) { console.error('usage: verify_twzrd_receipt.js <receipt.json|-> [--pubkey KEY] [--base-url URL] [--self-test]'); process.exit(1); }
+  const HELP = `twzrd-receipt-verifier -- offline verifier for TWZRD AO-Receipt V5 (Ed25519-signed keccak256 leaf)
+
+Verifies, with NO trust in TWZRD's servers or code, that a receipt was authored by
+TWZRD's published Ed25519 key and was not tampered with.
+
+usage:
+  twzrd-receipt-verifier <receipt.json|-> [--pubkey KEY] [--base-url URL] [--self-test]
+
+arguments:
+  <receipt.json>   path to the receipt JSON, or "-" to read from stdin
+  --pubkey KEY     trust this base58 Ed25519 pubkey (out-of-band) instead of fetching it
+  --base-url URL   where to fetch the published key (default: ${DEFAULT_BASE_URL})
+  --self-test      additionally confirm a tampered copy FAILS (proves the check works)
+  -h, --help       show this help
+
+exit code: 0 = VALID, 1 = INVALID / error
+key source: ${DEFAULT_BASE_URL}/.well-known/x402`;
+  if (args.includes('-h') || args.includes('--help')) { console.log(HELP); process.exit(0); }
+  if (args.length === 0) {
+    console.error('usage: twzrd-receipt-verifier <receipt.json|-> [--pubkey KEY] [--base-url URL] [--self-test]');
+    console.error('       twzrd-receipt-verifier --help');
+    process.exit(1);
+  }
   const receiptArg = args[0];
   const getOpt = (name) => { const i = args.indexOf(name); return i >= 0 ? args[i + 1] : undefined; };
   const selfTest = args.includes('--self-test');