Skip to content

Build @certifieddata/verify CLI v0.1.0#1

Merged
dkitchell merged 3 commits intomainfrom
claude/quality-gate-summary-xQBV3
May 6, 2026
Merged

Build @certifieddata/verify CLI v0.1.0#1
dkitchell merged 3 commits intomainfrom
claude/quality-gate-summary-xQBV3

Conversation

@dkitchell
Copy link
Copy Markdown
Contributor

@dkitchell dkitchell commented May 6, 2026

Summary

Initial scaffold of @certifieddata/verify — an audit-friendly Ed25519 verifier for cert.v1 documents, intentionally built with zero third-party crypto dependencies so the verification path can be reviewed end-to-end in under 100 lines.

  • src/canonicalize.ts — RFC 8785 JCS canonicalizer, hand-written (~90 lines).
  • src/verify.ts — core verifier using node:crypto directly: crypto.verify('ed25519', canonicalBytes, publicKey, sigBytes). 117 total / 97 content lines.
  • src/cli.ts — full flag handling (--dataset, --json, --offline, --keys, --no-cache), six exit codes (0 VALID, 1 INVALID/DATASET_MISMATCH, 2 UNKNOWN_KEY, 3 MALFORMED, 4 NETWORK, 64 USAGE).
  • Trusted-keys loader with TTL cache at ~/.certifieddata/keys.json (--no-cache and --offline overrides).
  • Fixture generator — produces a real Ed25519 keypair, signs the four canonical test cases (valid, tampered, unknown-key, malformed), commits them so reviewers can verify the verifier against real signatures.
  • CI: matrix build on Node 20/22 × {linux, macos, windows}.
  • Publish workflow uses npm OIDC trusted publishing with --provenance; no NPM_TOKEN secret.

Quality gate

  • npm run lint — clean
  • npm run typecheck — clean
  • npm test — 34/34 passing (canonicalize 14, verify 7, cli 13)
  • npm pack --dry-run — 35 files, only dist/, README.md, LICENSE (test artifacts excluded via negation)
  • src/verify.ts reads top-to-bottom in under 100 content lines
  • All four CLI verdicts confirmed against fixtures (VALID, INVALID, UNKNOWN_KEY, MALFORMED)

Test plan

  • Reviewer reads src/verify.ts top-to-bottom and confirms the verification path is genuinely Ed25519-over-JCS-canonicalized payload.
  • Reviewer regenerates fixtures locally with npm run fixtures and re-runs npm test against fresh keys.
  • Drew configures npm OIDC trusted publisher on npmjs.com pointing at certifieddata/verify.
  • Cut a v0.1.0 GitHub release — publish.yml fires automatically.

Out of scope (deferred)

  • Adding npm + CI badges to the README — pending first successful publish/CI run.
  • Switching reference-impl from npm install to npm ci — pending the first published @certifieddata/verify@0.1.0 on npm.

Generated by Claude Code

claude added 2 commits May 6, 2026 15:15
@claude
Build @certifieddata/verify CLI v0.1.0
d9f8fb9 
- RFC 8785 JCS canonicalizer (hand-written, ~90 lines, audit-friendly)
- Ed25519 verifier in src/verify.ts using node:crypto only — no
  third-party crypto deps; whole verification path under 100 lines
- CLI with --dataset, --json, --offline, --keys, --no-cache flags
  and six documented exit codes
- Trusted-keys loader with TTL cache at ~/.certifieddata/keys.json
- Fixture generator produces a real Ed25519 keypair and signs the
  four canonical test cases (valid, tampered, unknown-key, malformed)
- 34 tests across canonicalize, verify, and CLI suites
- CI matrix: Node 20/22 × {linux,macos,windows}
- Publish workflow uses npm OIDC trusted publishing with provenance
@claude
Fix Windows CI: portable script-entry guard, chmod, and CRLF-safe fix…
c6a0e6e 
…tures

The cli.ts entry guard `import.meta.url === \`file://${process.argv[1]}\``
never matches on Windows, where import.meta.url is `file:///C:/...` but
process.argv[1] is `C:\...`. Use pathToFileURL to produce a comparable
file URL.

Replace `chmod +x` in the build script with a node one-liner so it works
on Windows shells that lack chmod. Add .gitattributes to keep the CSV
and JSON fixtures byte-identical across platforms (CRLF would change
the dataset SHA-256).
@dkitchell dkitchell marked this pull request as ready for review May 6, 2026 16:17
@claude
docs(readme): add npm + CI + license + Node badges
908f5d5 
The npm badge will render "no version found" until @certifieddata/verify
v0.1.0 publishes; once the publish workflow fires on a v0.1.0 release,
the badge auto-updates without further changes. CI badge tracks the
ci.yml workflow on main; license badge is static MIT; Node badge reads
the engines.node range from package.json.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@dkitchell dkitchell merged commit e85dbe6 into main May 6, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dkitchell @claude