`, a live-tree MATCH/MISMATCH verdict; with `--policy `, the SAME policy verdict
embedded as a "Policy compliance" section) into ONE deterministic document a reviewer files; `vh dataset
attest` emits the canonical, byte-deterministic **UNSIGNED** payload a human signing/timestamp trust-root
signs over (`needs-human`, P-3 in [`STRATEGY.md`](STRATEGY.md)); `vh dataset verify-attest` is the
**offline, no key, no network, CI-gateable exit code** (0 ACCEPTED / 3 REJECTED) VERIFIER a buyer runs on a
SIGNED attestation container — it recovers the signer, optionally pins the expected publisher (`--signer`)
and binds the signature to the buyer's own dataset (`--manifest`). All are **offline, need NO key, and need
NO network**. A PASS attests only that the dataset's UNTRUSTED, self-asserted hints satisfy the policy —
NOT that the licenses are genuinely correct.
This build ships the signed-attestation **FORMAT, the offline VERIFIER, AND the `vh dataset sign` command**
(all proved with throwaway test keys). `vh dataset sign` reads a key YOU provisioned OUTSIDE the loop
(`--key-env`/`--key-file`), signs the canonical `vh dataset attest` bytes, and writes the container
`verify-attest` accepts — it **never generates, persists, or logs a key** and touches no network. So the
human's remaining P-3 step (`needs-human`, [`STRATEGY.md`](STRATEGY.md)) collapses to: **PROVISION a real
key, choose the trust-root option, and run `vh dataset sign --key-env `**. A verified signature proves
the key-holder vouched for the dataset identity, NOT a "unaltered since date T" timestamp (still P-3).
The Merkle root commits to file **names AND bytes** (the SAME path-bound convention as `vh hash `),
so any edit/rename/add/remove changes it. What DataLedger does **NOT** prove: it is **not a timestamp**
— "unaltered since date T" needs the human-owned signing/timestamp trust-root, a `needs-human` step in
[`STRATEGY.md`](STRATEGY.md) — and the per-file `{source, license}` **hints are UNTRUSTED self-asserted
metadata** that are NOT bound into the root (the summary counts what the dataset CLAIMS). Do not
overclaim. Full buyer-facing spec, worked example, and the auditor / EU-AI-Act evidence mapping:
[`docs/DATALEDGER.md`](docs/DATALEDGER.md).
### Data-delivery receipts (ProofParcel)
ProofParcel is a **second income product on the SAME provenance core**, aimed at a different paying
buyer: B2B data exchange where a delivery dispute ("you never sent file X" / "the file you sent was
altered") is expensive. It issues a portable, independently-verifiable **proof-of-delivery receipt** that
pins exactly which files (names AND bytes) were delivered for a parcel, plus a signable attestation over
that parcel's identity. Every command is **offline, needs NO key, and needs NO network**.
vh parcel build --out # tamper-evident delivery receipt: Merkle root + per-file leaves + optional UNTRUSTED parcel meta
vh parcel verify
--manifest # re-derive the root from a fresh copy on disk + per-file ADDED/REMOVED/CHANGED diff; exit 0 MATCH / 3 MISMATCH
vh parcel attest [--json] [--out ] # canonical UNSIGNED parcel-attestation payload (root+fileCount+manifestDigest) a human trust-root signs; offline, no key, no network
vh parcel sign --key-env |--key-file [--out
] [--json] # sign the UNSIGNED parcel attestation with a key YOU provisioned -> the signed container verify-attest accepts; reads YOUR key (never generates/persists/logs one); offline, no network
vh parcel verify-attest [--manifest ] [--signer ] [--json] # OFFLINE-verify a SIGNED parcel attestation: recover the signer, pin the sender, bind YOUR parcel; offline, no key, no network, CI-gateable exit code (0 ACCEPTED / 3 REJECTED)
vh parcel timestamp-request [--out ] [--json] # emit the SHA-256 digest your RFC-3161 TSA stamps (P-3 Option B); offline, no key, no network
vh parcel timestamp-wrap --token [--out
] [--json] # wrap a TSA's RFC-3161 token -> a verifiable verifyhash.parcel-attestation-timestamped container; offline, no key, no network
vh parcel verify-timestamp [--manifest ] [--json] # OFFLINE-verify a timestamped parcel attestation: re-derive the digest, confirm the RFC-3161 token binds it, bind YOUR parcel; ACCEPTED (genTime/serial/policy) or REJECTED; offline, no key, no network, CI-gateable exit code (0 ACCEPTED / 3 REJECTED)
`vh parcel attest` emits the canonical, byte-deterministic **UNSIGNED** payload a sender signs over —
over the SAME signed-attestation core as `vh dataset attest`, with `signed:false`. `vh parcel
verify-attest` is the **offline, no key, no network, CI-gateable exit code** (0 ACCEPTED / 3 REJECTED)
VERIFIER a recipient runs on a SIGNED container: it recovers the signer, optionally pins the expected
sender (`--signer`) and binds the signature to the recipient's own parcel (`--manifest`). The signed
container uses ProofParcel's own `verifyhash.parcel-attestation-signed` kind, so a dataset
signed-container does **not** cross-verify as a parcel one.
ProofParcel inherits the **SAME honest trust posture as DataLedger**: the receipt binds the file SET and
is signable, but is **NOT by itself a trusted delivery TIMESTAMP** — "delivered ON date T" rides the
human-owned signing/timestamp trust-root (`needs-human`, P-3 in [`STRATEGY.md`](STRATEGY.md)); a valid
signature proves the key-holder vouched for the parcel identity, NOT a "unaltered since date T"
timestamp. The `parcel` metadata (parcelId/sender/recipient) is **UNTRUSTED self-asserted metadata** that
is NOT bound into the root. This build ships the **FORMAT, the offline VERIFIER, AND the `vh parcel sign`
command** (proved with throwaway test keys); `vh parcel sign` reads a key the sender PROVISIONED outside the
loop (never generates/persists/logs one), so the human's P-3 step collapses to "provision a key, run
`vh parcel sign --key-env `." Full buyer-facing spec, command table, and worked example:
[`docs/PROOFPARCEL.md`](docs/PROOFPARCEL.md).
### Evidence packets (`vh evidence`)
A **product-agnostic, license-gated, tamper-evident evidence packet** for any directory of files — the
**second vertical** built on the SAME provenance core, with its OWN sellable license. `vh evidence seal`
binds a whole folder into one content-addressed `*.vhevidence.json`; `vh evidence verify` re-derives the
root from the bytes you hold and localizes any tamper to the exact file. Both are **offline, no network**.
vh evidence seal [--out ] [--license --vendor <0xaddr>] [--sign --key-env |--key-file ] [--json] # build the packet over cli/core/packetseal.js (generic kind, NO trust-reconcile vocabulary); default PRINTS the seal + writes NOTHING; exit 0 ok / 3 seal-build-error / 2 usage / 1 IO
vh evidence verify
[--dir ] [--json] # read-only, NO key: RE-DERIVE the root from the bytes referenced + report OK / which file CHANGED/MISSING/UNEXPECTED; exit 0 OK / 3 REJECTED / 2 usage / 1 IO
The seal proves **TAMPER-EVIDENCE + OFFLINE-RECOMPUTE, NOT a trusted timestamp** ("sealed at T" rides the
human trust-root, P-3); the packet is an **UNTRUSTED transport container** verify never trusts. The **FREE**
tier — an unsigned baseline seal of up to **25 files** + verify — stays open so a buyer can try before
buying. The **PAID** surface (the `--sign` signed-attestation wrap; sealing **> 25 files**) is gated behind
a valid `--license --vendor <0xaddr>` verified OFFLINE via `cli/core/license.js` against a **distinct
evidence-product entitlement table** (`kind: vh-evidence-license`, **not** `trustledger-license`), reusing
the SAME `verifyLicense` / named-reject posture as the TrustLedger CLI (a wrong/expired/under-entitled
license is a hard refuse, never a silent downgrade). Full schema, free-vs-paid surface, a worked
seal → hand over → verify example, and the core-reuse map: [`docs/EVIDENCE.md`](docs/EVIDENCE.md). The
vendor keypair, price, and first design partner are human steps (STRATEGY.md › **P-7**).
### Agent-session evidence (`vh agent`) — AgentTrace
**Tamper-evident, selectively-REDACTABLE, independently-verifiable AI-agent session records** — the
agent-evidence vertical for the record-keeping / audit / incident-forensics buyer. `vh agent seal` turns
an ordered session event log (prompts, completions, tool calls/results, notes) into ONE
`*.vhagent.json` packet under an RFC-6962-style ordered Merkle head with **redaction-safe** leaves:
withhold any payload behind its hash commitment and the packet **still verifies with the identical
head**; disclose + check any ONE event offline; prove a later packet extends a mid-session checkpoint
**append-only** (a rewritten past is a REJECT naming the seq). All **offline, no network**.
vh agent seal [--out ] [--sign --license --vendor <0xaddr> ...] [--json] # free unsigned; --sign is the PAID surface
vh agent verify [--vendor <0xaddr>] [--json] # re-derive every leaf + the root; exit 0 ACCEPTED / 3 named REJECT (+ seq)
vh agent redact --seq --out # withhold payloads; head UNCHANGED — redaction is not tamper
vh agent prove / verify-proof / checkpoint / verify-growth # single-event disclosure + append-only growth, offline
The honest boundary, carried **in-band** in every packet's trust note: it proves the LOG is unaltered
since seal, any disclosed event verbatim as recorded, append-only growth across checkpoints, and that
redaction can only withhold — **NOT** that the log faithfully records what the agent actually did
(garbage-in is out of scope), `ts` fields are self-asserted, and it is **NOT** a trusted timestamp
without the human-owned trust-root (P-3). Verify/redact/prove are FREE; `--sign` (a detached head
attestation one signature of which stays valid across every redacted copy) is license-gated via the
DRAFT `agent_signed` capability — the same fail-closed mechanism as `vh evidence`. A counterparty
verifies with the independent `verify-vh` (CLI, zero-install bundle, or the offline browser page —
[`verifier/README.md`](verifier/README.md) §2c). Buyer-facing spec:
[`docs/AGENTTRACE.md`](docs/AGENTTRACE.md); a committed third-party-transcript example proving adoption
is a ~20-line mapping: [`examples/agent-session/`](examples/agent-session/).
**Commit-bound sessions** — `vh agent commit-claim` emits ONE ordinary claim event binding the session
to exactly one git commit (the oid + the `vh hash --git` tracked-set root), sealed under the same head;
`vh agent verify-commit --repo ` is the auditor leg: full packet verification FIRST, then
BOTH facts re-derived from the auditor's OWN clone, with every REJECT named (`packet-invalid` /
`no-disclosed-claim` / `oid-mismatch` / `root-mismatch`). Both FREE, read-only, key-less; redact every
other payload and the claim stays checkable. **Containment, NOT causation** — it does NOT prove the
session's events produced the commit. Spec + honest boundary: [`docs/AGENTTRACE.md`](docs/AGENTTRACE.md)
› *Binding a session to a git commit*; the scripted flow (map → commit-claim → seal →
redact-all-but-claim → verify-commit):
[`examples/agent-session/commit-bound-session.js`](examples/agent-session/commit-bound-session.js).
### Producer identity card (`vh identity`)
A **signed, offline-verifiable "who is this vendor, and what exactly do they attest?"** card — the
recipient's / **cold prospect's** pin-point. Every other artifact pins its producer by a vendor **address**
the recipient must learn out of band; the identity card is the **one** artifact whose job is to answer,
verifiably, "**does this 0x-address really belong to THIS vendor, and what do they attest / NOT?**" The
vendor SIGNS — with the **same key** that signs their evidence/licenses — a card binding their
`vendorAddress` to a bounded `claims[]` set + an honest `nonClaims[]` set.
vh identity publish --address <0xaddr> --product-line --claim --non-claim (--key-env |--key-file ) [--out
] [--json] # mint the card; signs with a key YOU provisioned, mints ONLY when the key controls --address; default PRINTS + writes NOTHING; offline
vh identity verify [--signer <0xaddr>] [--json] # OFFLINE/key-free: recover the signer, require it to BE the card's vendorAddress, optionally pin --signer; exit 0 ACCEPTED / 3 REJECTED / 2 usage / 1 IO
**Pin once, trust across handoffs.** The recipient does the address-to-vendor trust step **ONCE**
(`vh identity verify vendor.vhidentity.json --signer ` → ACCEPTED), then reuses that
pinned `vendorAddress` across every later signed handoff (`vh evidence verify-signed --signer `,
etc.) — no new out-of-band step. A **forged / tampered / wrong-vendor card, or a wrong `--signer`, is a
clean REJECTED — never a silent pass**. The card proves **IDENTITY + the claim SET only**: **NOT** any
specific packet's truth (each packet carries its own proof), **NOT** a trusted timestamp (P-3), and
**NOT** a legal opinion. Full flow + the pin-once-trust-across-handoffs model:
[`docs/IDENTITY.md`](docs/IDENTITY.md). Publishing the card uses the same vendor key provisioned for signed
evidence/licenses (STRATEGY.md › **P-7 step 1** / **P-6 step 1**).
### Revoking a key (`vh revocation`)
A key has a lifecycle: it is generated, **published** (the identity card), pinned, used to sign — and
eventually **rotated, retired, or compromised**. `vh revocation` is how a vendor honestly **retires** that
pinned key: they SIGN — with the **same key** — a self-describing revocation marking their own
`vendorAddress` revoked as of a date for a bounded reason (and optionally a `supersededBy` successor).
vh revocation publish --address <0xaddr> --reason (--key-env |--key-file ) [--superseded-by <0xaddr>] [--revoked-at ] [--out ] [--json] # mint the revocation; signs with a key YOU provisioned, mints ONLY when the key controls --address (a key revokes ITSELF); default PRINTS + writes NOTHING; offline
vh revocation verify [--signer <0xaddr>] [--json] # OFFLINE/key-free: recover the signer, require it to BE the revocation's vendorAddress, optionally pin --signer; exit 0 ACCEPTED / 3 REJECTED / 2 usage / 1 IO
**A key revokes ITSELF.** `verify` recovers the signer and REQUIRES it to equal the revocation's own
`vendorAddress` — a **third party cannot revoke a key it does not control**, so a planted "revocation" can
never grief a vendor (it is a clean **REJECTED**, never a silent pass). Recipients pin the revocation next to
the identity card and pass it to any signed-verify command via **`--revocations `** `[--as-of ]`: an
exhibit signed under a key that was **revoked-before-as-of** downgrades from ACCEPTED to **REVOKED**, while an
exhibit signed while the key was still good keeps its ACCEPTED verdict. It is **strictly optional and
non-loosening** (with no `--revocations`, every verify command is byte-for-byte what it is today). The
boundary: a revocation is a **signed CLAIM** by the key-holder (`revokedAt` is self-asserted), **NOT a
trusted timestamp** without P-3, and **NOT a legal opinion**. Full publish → pin → verify lifecycle:
[`docs/KEY-LIFECYCLE.md`](docs/KEY-LIFECYCLE.md).
### The 60-second cold-prospect challenge (zero-install, zero-trust)
The fastest way for someone who owes us **nothing** — no account, no `npm install`, no repo build, no
key, no network — to believe a verifyhash seal is to *test* it on their own machine in under a minute.
[`challenge/`](challenge/) is that entry point: a real pre-sealed sample packet + its seal + a one-command
`run.sh`. They VERIFY it (exit 0), TAMPER one byte, and watch the committed standalone verifier REJECT it
(exit 3) and **name the file they changed** — trusting no server, no producer software, and not us. The
challenge is the **FREE, UNSIGNED** verify end and points free-verify → free-produce → **paid-produce**
(signing + unlimited sealing). The boundary is the same one stated everywhere: the seal proves
tamper-evidence + signer-pin, **NOT** a trusted "sealed at T" (that still requires P-3), and the unsigned
sample has no signer to pin. Walkthrough: [`challenge/README.md`](challenge/README.md).
### The independent verifier (`verify-vh`) — a buyer deliverable
A counterparty who is **not** a customer can check any sealed artifact themselves, **offline and for
free**, without our `ethers`/`hardhat` stack: the standalone [`verifier/`](verifier/) tree
(`verify-vh`) re-derives the keccak Merkle root from the bytes they hold, recovers the EIP-191
secp256k1 signer, and pins it to a `--vendor` address they supply out-of-band — near-zero dependencies
(`js-sha3` only), no network, read-only. Its independence is **mechanically proven**, not just
promised: [`test/verifier.isolation.test.js`](test/verifier.isolation.test.js) statically greps every
`require(` in the tree (never `ethers`/`hardhat`/`@nomicfoundation/*`/`cli/`/`trustledger/`) and runs a
real verify under a poisoned network to assert **no socket is opened**. The trust boundary is honest:
tamper-evidence + offline-recompute + signer-pin, **NOT** a trusted "sealed at T" (that rides the
human trust-root, P-3) and **NOT** a legal opinion. Counterparty quickstart + worked
`seal → hand over → verify-vh` example: [`verifier/README.md`](verifier/README.md); full spec:
[`docs/INDEPENDENT-VERIFICATION.md`](docs/INDEPENDENT-VERIFICATION.md).
### Run the design-partner pilot in one command (offline, no key, no network)
The single artifact you hand a prospective design partner is the **pilot kit**. It drives **both**
sellable buyer journeys — the **evidence packet** and the **TrustLedger reconciliation seal** — end to
end against committed sample data, **offline, with no real key, no TSA, no RPC, no network**, and
prints **one combined PASS/FAIL verdict**:
node pilot/run-pilot.js
It issues an ephemeral-key licence, proves the paid surface is **really** licence-gated (refused with
no licence and with the wrong vendor), hands the artifact to the **independent** `verify-vh` (ACCEPT),
then **tampers** to prove REJECT — writing only to a throwaway workspace, never the repo. The trust
boundary is honest: tamper-evidence + signer-pin, **NOT** a trusted "sealed at T" (that rides the
human-owned trust-root, P-3). The buyer-facing runbook — what each artifact proves, where a partner
independently verifies it, and the consolidated go-to-market ask (**P-8**) — is
[`docs/PILOT.md`](docs/PILOT.md); the operator quick reference is [`pilot/README.md`](pilot/README.md).
The journey and the runbook are both test-gated, so they can never silently rot.
### Embed it: the programmatic API (SDK)
Everything the CLI does is available as a library. `require("verifyhash")` (or `require("../index.js")`
from a checkout) exposes a single, documented, semver-guarded entrypoint — a **thin re-export** of the
exact same functions `vh` runs (no fork, no second implementation, no new crypto). The embedded seal
path is byte-identical to `vh evidence seal` / `vh evidence verify`: build a seal, verify it (ACCEPT),
and a one-byte tamper is REJECTED.
const vh = require("verifyhash"); // from a checkout: require("./index.js")
// Build a tamper-evident seal over an in-memory { relPath, bytes } file set.
const entries = [
{ relPath: "data/a.txt", bytes: Buffer.from("alpha\n") },
{ relPath: "data/b.txt", bytes: Buffer.from("bravo\n") },
];
const seal = vh.buildSeal(entries);
// Verify the SAME bytes: ACCEPTED (root re-derived from the bytes you hold, not the seal's own hashes).
console.log(vh.verifySeal(seal, entries).verdict); // "ACCEPTED"
// Tamper one byte and re-verify: REJECTED.
const tampered = [entries[0], { relPath: "data/b.txt", bytes: Buffer.from("bravX\n") }];
console.log(vh.verifySeal(seal, tampered).verdict); // "REJECTED"
// Serialize to canonical, byte-deterministic JSON you can hand to a counterparty:
const json = vh.serializeSeal(seal);
console.log(vh.readSeal(json).root === seal.root); // true
The surface also re-exports the **signed / vendor-pinned verify path** (the `signed` namespace:
`signSealWith`, `validateSignedSeal`, `verifySignedSeal`, `verifySignedSealAttestation`, `recoverSigner`,
`verifySignedAttestation`) — the embedded twin of `vh evidence verify-signed`. So an embedder can verify a
**signed, address-pinned** seal in-process (ACCEPT under the matching `--signer`; REJECT under a wrong
expected signer or a one-byte-tampered container) with **no shell-out** to the `vh` binary. A valid
signature proves *who* vouched, not *when* (a trusted timestamp still rides the human-owned trust-root,
STRATEGY.md P-3). It also re-exports the receipt codec (`buildReceipt`, `readReceipt`, `diffManifest`, …),
the keccak/Merkle hashing primitives (`hashBytes`, `hashEntries`, `buildTree`, …), and `apiVersion` (the
semver-guarded stability marker, mirroring `package.json`). Symbols **not** re-exported from the
package root (deep `cli/…` internals) carry no stability guarantee. This example is test-gated
([`test/sdk.index.test.js`](test/sdk.index.test.js)); the signed path is gated by
[`test/sdk.signed.test.js`](test/sdk.signed.test.js), so it can never silently rot.
### Verify continuously over time (`vh journal`)
Every verify above answers *"do these bytes match RIGHT NOW?"* and exits. The **integrity journal** proves an
artifact has verified **continuously across runs**: an **append-only, hash-chained** log of verify verdicts
that is **itself tamper-evident** — a deleted / edited / reordered / inserted past entry **breaks the chain**
and `vh journal verify` **localizes the first break**.
vh journal append --to [--dir ] [--ts ] # record ONE verdict (strictly additive)
vh journal verify # exit 0 PASS (unbroken + every observation ACCEPTED) / 3 broken-or-drifted / 2 usage / 1 IO
Each CI run appends this build's verdict, then verifies the whole chain — a green pipeline MEANS "the artifact
has verified continuously across every recorded run, and the record itself is tamper-evident." It reuses the
**same** keccak hash-chain the project already trusts for seals (no new crypto). The `ts` on each entry is
**self-asserted** (the verifier's own wall clock), **NOT a trusted timestamp** — the journal never claims
*"unaltered since date T"* on its own; that claim rides the human-owned trust-root (STRATEGY.md **P-3**).
Schema, chain guarantee, the 0/3 contract, and the honesty boundary:
[`docs/INTEGRITY-JOURNAL.md`](docs/INTEGRITY-JOURNAL.md); drop-in CI recipes in
[`examples/journal-ci.js`](examples/journal-ci.js) and
[`verifier/ci/journal.generic.sh`](verifier/ci/journal.generic.sh).
The journal also carries **transparency-log proofs** (RFC-6962 / Certificate-Transparency lineage):
`vh journal tree-head` publishes a single `{ size, root }` head committing to the whole ordered log,
`prove-inclusion` / `prove-consistency` emit compact self-contained proof artifacts, and
`vh journal check-proof` lets a third-party auditor verify them **offline** — no journal, no key, no
network (though today via the **producer package**, which installs ethers — **not** the standalone,
zero-dependency `verifier/` bundle a seal enjoys). The head is **self-asserted** until a P-3 trust-root
signs it. See
[`docs/INTEGRITY-JOURNAL.md`](docs/INTEGRITY-JOURNAL.md) § "Transparency-log proofs (publish a tree head;
auditors verify offline)".
## Develop
npm install
npx hardhat compile
npx hardhat test
Local hardhat / in-memory EVM only. Deployment to any real network is a human checkpoint
(see `BACKLOG.md`, EPIC-4); never run automatically.
## Docs
- [`docs/DECIDE.md`](docs/DECIDE.md) — **the one human decision, on one screen.** The single recommended
pilot (EVIDENCE / P-7), the 3 verbatim first actions, the exact `node pilot/run-pilot.js --certificate
` command, the time box / stop criterion, and the revenue-integrity boundary. Read this first; it
adds no new ask beyond P-8.
- [`docs/DATALEDGER.md`](docs/DATALEDGER.md) — the buyer-facing DataLedger product spec: what a dataset
manifest PROVES (file names + bytes, offline set-membership, version diff, license roll-up) and does
NOT (not a timestamp; untrusted source/license hints), the build→diff→summary→prove→verify-proof
workflow with a worked example, and the auditor / EU-AI-Act evidence mapping.
- [`docs/PROOFPARCEL.md`](docs/PROOFPARCEL.md) — the buyer-facing ProofParcel product spec (B2B
proof-of-delivery): the command table (build/verify/attest/verify-attest with the offline, no key, no
network, CI-gateable exit 0/3 property), a worked sender → [signs, P-3] → recipient verify-attests
example, and the SAME honest trust posture as DataLedger (binds the file SET, signable, NOT a delivery
timestamp; parcel metadata is untrusted self-asserted).
- [`docs/EVIDENCE.md`](docs/EVIDENCE.md) — the buyer-facing Evidence-packet product spec (the second
vertical, with its OWN license): the `*.vhevidence.json` schema (every field UNTRUSTED transport —
verification re-derives), the free-vs-paid surface (free unsigned baseline of up to 25 files + verify;
paid `--sign` wrap and over-sample sealing gated by `vh-evidence-license` entitlements), a worked
seal → hand over → verify example, and how it reuses the shared packetseal/license/attestation cores.
- [`docs/AGENTTRACE.md`](docs/AGENTTRACE.md) — the buyer-facing AgentTrace product spec (`vh agent`,
`*.vhagent.json`): what a packet PROVES (log unaltered since seal; disclosed events verbatim;
append-only growth across checkpoints; redaction withholds — never silently alters) and does NOT
(garbage-in out of scope; `ts` self-asserted; not a trusted timestamp without P-3), the free-vs-paid
line (`--sign` gated by the DRAFT `agent_signed` capability), where a counterparty independently
verifies, the commit-binding leg (`commit-claim` / `verify-commit` — containment, not causation),
and the committed [`examples/agent-session/`](examples/agent-session/) worked example
(a third-party OpenAI-style transcript mapped in ~20 lines, then map → seal → redact → verify → prove).
- [`docs/ANCHORING.md`](docs/ANCHORING.md) — anchoring ANY sealed artifact on-chain (`vh anchor-artifact` /
`vh verify-anchored`): the closed six-kind digest table, the `vh-anchored-receipt@1` container, what an
anchored receipt PROVES (an on-chain registry record binds this exact digest at a block whose timestamp
BOUNDS existence — as trustworthy as the chain + YOUR pinned contract address; `--author-bound` =
front-run-resistant first-claimant attribution per D-1) and does NOT (a receipt from a LOCAL dev chain
proves MECHANISM only — worth nothing publicly until a human deploys per STRATEGY.md P-2; not the
artifact's truth; not attribution beyond the anchoring key; not legal advice), the free line (both verbs
FREE; gas is your own), and the worked local flow with committed offline fixtures
([`examples/anchoring/`](examples/anchoring/)).
- [`docs/KEY-LIFECYCLE.md`](docs/KEY-LIFECYCLE.md) — the producer-key lifecycle: publish → pin → verify, and
how a vendor honestly RETIRES a pinned key with a signed `vh revocation publish|verify` (a key revokes
ITSELF; a third party cannot revoke a key it does not control). The recipient `--revocations `
`[--as-of ]` downgrade rule (revoked-before-as-of → REVOKED; strictly optional + non-loosening), and
the verbatim boundary — a revocation is a SIGNED CLAIM, NOT a trusted wall-clock timestamp without P-3.
- [`docs/INDEPENDENT-VERIFICATION.md`](docs/INDEPENDENT-VERIFICATION.md) — the counterparty-facing spec
for the standalone `verify-vh` verifier: the exact bytes verified (keccak content hash → Merkle root →
EIP-191 personal-sign signature), the FREE/no-network/no-back-edge posture, the trust boundary
(tamper-evidence + offline-recompute + signer-pin, NOT a trusted "sealed at T"), a worked
producer-seals → counterparty-runs-`verify-vh` example, and how isolation is proven mechanically.
- [`docs/TRUST-BOUNDARIES.md`](docs/TRUST-BOUNDARIES.md) — what each record field proves and does not,
plus "Authenticating the registry you read from" (why read commands authenticate the registry before
believing it, and why the `REGISTRY_ID` is a "right interface" signal, not a sole root of trust).
- [`docs/MERKLE-LEAVES.md`](docs/MERKLE-LEAVES.md) — what a directory root commits to (paths + bytes),
including the `--git` scope note (same leaf formula, reproducible git-tracked file set).
- [`docs/PROOFS.md`](docs/PROOFS.md) — the portable proof-artifact schema (every field UNTRUSTED
transport), the offline-fold + on-chain-check verification steps, and a worked
prove → hand over → `vh verify-proof` example (read-only, no key, no repo needed).
- [`docs/RECEIPTS.md`](docs/RECEIPTS.md) — the receipt JSON schema (trusted vs hints), the
commit→reveal resume lifecycle, and the directory-manifest diff semantics.
- [`docs/LINEAGE.md`](docs/LINEAGE.md) — the contribution lineage graph: the immutable `parent` edge
(acyclic-by-construction, O(1), a CLAIM that proves no ancestry/authorship), the `Linked` log an
indexer reconstructs the graph from, the `--parent` write flow, and the `vh lineage`/`vh show` read
flow with a worked anchor-root → anchor-revision → walk-lineage example.
- [`docs/REPUTATION.md`](docs/REPUTATION.md) — the contribution score: its exact definition (the single
`getRecordsByContributor` walk it aggregates, with `contributorRecordCount` the companion O(1) count,
the authorBound/anchor-only
and root/revision breakdowns, the block/time bounds), why it is a non-transferable derived view (NOT a
token — any tradeable layer is D-2/P-1, human-only), what it does NOT prove, and the anti-sybil note
(the meaningful signal is the authorBound count).
- [`docs/TRUSTLEDGER.md`](docs/TRUSTLEDGER.md) — the buyer-facing TrustLedger product spec (automated
three-way trust-account reconciliation for small residential property managers): the three balances
that must legally agree, the PASS/FAIL exit contract, the per-state policy + period-close-continuity
layers, the tamper-evident packet seal, and the **web front-door** (`vh trust serve`) — including the
**in-browser inspect/map onboarding flow** (drop a file → if it won't load, see its columns and map
them from a dropdown → reconcile), so a non-technical broker never needs a terminal. It also covers
the **Entitlements & licensing** model: the signed, offline-verifiable `*.vhlicense.json`, the
free-vs-paid surface, the closed entitlement table, and how a customer verifies a license offline
against the pinned vendor address (CLI **and** web honour the same gate). Hosting, the CPA review, the
per-state policy table, license issuance, and pricing all stay human steps (STRATEGY.md › P-5/P-6).
- [`docs/PILOT.md`](docs/PILOT.md) — the buyer-facing pilot runbook: how a non-author runs
[`pilot/run-pilot.js`](pilot/run-pilot.js), what each artifact (evidence packet, reconciliation seal,
licence) PROVES and where a partner independently verifies it with `verify-vh`, the honest trust
boundary (tamper-evidence + signer-pin, **no trusted "sealed at T" without P-3**), and the
consolidated go-to-market ask (**P-8**). Operator quick reference: [`pilot/README.md`](pilot/README.md).
- [`docs/AUDIT.md`](docs/AUDIT.md) — security audit findings and the fix tasks they spawned.
© 2026 verifyhash.com · Licensed under Apache-2.0 (SPDX-License-Identifier: Apache-2.0) — see the [LICENSE](https://verifyhash.com/LICENSE) and [NOTICE](https://verifyhash.com/NOTICE) served with this file.