twzrd-receipt-verifier 1.0.3 → 1.0.5

package/README.md

@@ -27,6 +27,9 @@ after it spends:
 ```bash
 # zero-install: verify a receipt straight from the published package
 npx twzrd-receipt-verifier receipt.json --pubkey 9V6Pn19kiUA5Rn6JpQfNduanvGt2aXGwsarosNfa2Ldf
+
+# replay-resistance (opt-in): reject receipts older than 60s — and reject any with no timestamp
+npx twzrd-receipt-verifier receipt.json --pubkey 9V6Pn19kiUA5Rn6JpQfNduanvGt2aXGwsarosNfa2Ldf --max-age 60
 ```
 
 ## The published signing key
@@ -72,21 +75,27 @@ The receipt object looks like:
 ## Python
 
 ```bash
-pip install pynacl pycryptodome     # libsodium Ed25519 + original Keccak-256
+pip install twzrd-receipt-verifier   # PyPI; or: pip install pynacl pycryptodome for script-only use
 
 # fetch the published key and verify:
-python verify_twzrd_receipt.py receipt.json
+twzrd-verify-receipt receipt.json
+# or: python verify_twzrd_receipt.py receipt.json
 
 # pin the key out-of-band (recommended):
 python verify_twzrd_receipt.py receipt.json --pubkey 9V6Pn19kiUA5Rn6JpQfNduanvGt2aXGwsarosNfa2Ldf
 
 # also confirm a tampered copy FAILS:
-python verify_twzrd_receipt.py receipt.json --self-test
+twzrd-verify-receipt receipt.json --self-test
+
+# replay-resistance (opt-in; same semantics as the npm CLI --max-age):
+twzrd-verify-receipt receipt.json --max-age 300
 
 # from stdin:
-cat receipt.json | python verify_twzrd_receipt.py -
+cat receipt.json | twzrd-verify-receipt -
 ```
 
+Source: [packages/twzrd-agent-intel/verifier](https://github.com/twzrd-sol/wzrd-final/tree/main/packages/twzrd-agent-intel/verifier)
+
 ## Node
 
 ```bash

package/package.json

@@ -1,9 +1,17 @@
 {
   "name": "twzrd-receipt-verifier",
-  "version": "1.0.3",
+  "version": "1.0.5",
   "description": "Standalone offline verifier for TWZRD AO-Receipt V5 (Ed25519-signed keccak256 leaf). No trust in TWZRD servers or code.",
   "keywords": ["twzrd", "x402", "solana", "ed25519", "keccak256", "receipt", "verifier", "agent", "attestation"],
   "homepage": "https://intel.twzrd.xyz",
+  "bugs": {
+    "url": "https://github.com/twzrd-sol/wzrd-final/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/twzrd-sol/wzrd-final.git",
+    "directory": "packages/twzrd-agent-intel/verifier"
+  },
   "license": "MIT",
   "author": "TWZRD",
   "bin": {

package/verify_twzrd_receipt.js

@@ -143,12 +143,15 @@ Verifies, with NO trust in TWZRD's servers or code, that a receipt was authored
 TWZRD's published Ed25519 key and was not tampered with.
 
 usage:
-  twzrd-receipt-verifier <receipt.json|-> [--pubkey KEY] [--base-url URL] [--self-test]
+  twzrd-receipt-verifier <receipt.json|-> [--pubkey KEY] [--base-url URL] [--max-age SECS] [--self-test]
 
 arguments:
   <receipt.json>   path to the receipt JSON, or "-" to read from stdin
   --pubkey KEY     trust this base58 Ed25519 pubkey (out-of-band) instead of fetching it
   --base-url URL   where to fetch the published key (default: ${DEFAULT_BASE_URL})
+  --max-age SECS   replay-resistance policy: reject if preimage.timestamp_unix is older than
+                   SECS, OR if the receipt carries no valid timestamp. Crypto (leaf+sig) is
+                   time-independent; this is opt-in relying-party policy.
   --self-test      additionally confirm a tampered copy FAILS (proves the check works)
   -h, --help       show this help
 
@@ -156,7 +159,7 @@ exit code: 0 = VALID, 1 = INVALID / error
 key source: ${DEFAULT_BASE_URL}/.well-known/x402`;
   if (args.includes('-h') || args.includes('--help')) { console.log(HELP); process.exit(0); }
   if (args.length === 0) {
-    console.error('usage: twzrd-receipt-verifier <receipt.json|-> [--pubkey KEY] [--base-url URL] [--self-test]');
+    console.error('usage: twzrd-receipt-verifier <receipt.json|-> [--pubkey KEY] [--base-url URL] [--max-age SECS] [--self-test]');
     console.error('       twzrd-receipt-verifier --help');
     process.exit(1);
   }
@@ -164,6 +167,8 @@ key source: ${DEFAULT_BASE_URL}/.well-known/x402`;
   const getOpt = (name) => { const i = args.indexOf(name); return i >= 0 ? args[i + 1] : undefined; };
   const selfTest = args.includes('--self-test');
   const baseUrl = getOpt('--base-url') || DEFAULT_BASE_URL;
+  const maxAgeArg = getOpt('--max-age');
+  const maxAge = maxAgeArg ? parseInt(maxAgeArg, 10) : 0;  // 0 = freshness check off (opt-in policy)
 
   // keccak self-test: refuse to run with a broken hash backend
   if (keccak256('') !== KECCAK_EMPTY) { console.error('FATAL: keccak256 backend is wrong'); process.exit(1); }
@@ -177,6 +182,25 @@ key source: ${DEFAULT_BASE_URL}/.well-known/x402`;
   console.log(`trusted pubkey: ${trusted}  [source: ${src}]`);
 
   const res = verify(receipt, trusted);
+
+  // Opt-in replay-resistance freshness gate. Crypto (leaf+sig) is time-independent; this is
+  // relying-party policy. A receipt with missing/zero timestamp_unix is REJECTED when
+  // --max-age is set (no silent bypass) — mirrors the Python verifier (#720).
+  if (maxAge > 0) {
+    res.errors = res.errors || [];
+    const ts = receipt && receipt.preimage ? Number(receipt.preimage.timestamp_unix) : NaN;
+    if (!Number.isFinite(ts) || ts <= 0) {
+      res.errors.push(`--max-age ${maxAge}s set but receipt has no valid timestamp_unix`);
+      res.valid = false;
+    } else {
+      const age = Math.abs(Math.floor(Date.now() / 1000) - ts);
+      if (age > maxAge) {
+        res.errors.push(`receipt too old (age ${age}s > --max-age ${maxAge}s)`);
+        res.valid = false;
+      }
+    }
+  }
+
   console.log(`leaf_valid       : ${res.leaf_valid}`);
   console.log(`signature_valid  : ${res.signature_valid}`);
   res.errors.forEach((e) => console.log('  - ' + e));