inherence-verifier
Reference verifier for Inherence receipts — implements verification protocol v1 (see spec/receipts/v1/SPEC.md — published alongside this crate).
This is the Rust core. The same logic is also distributed as:
- @inherencelabs/verifier — WASM bindings for JavaScript/TypeScript (Node + browser)
- inherence-verifier — PyO3 bindings for Python
All three pass the same 22-vector conformance suite. A bug in one is a bug in all three.
What this crate is
A standalone library that verifies Inherence receipts offline. Given:
- a receipt (a signed JWT)
- a pinned authority public key
- a pinned set of acceptable Groth16 verifying keys
…it returns VALID or INVALID:{failure_code} with no network I/O.
What this crate is NOT
This crate contains no policy-compilation logic, no proving logic, and no circuit-construction logic. Those run behind the hosted gate that issues receipts; they are not necessary to verify a receipt and they're not in this dependency tree.
Install
[dependencies]
inherence-verifier = "0.1"
Usage
use ;
let cfg = new
.pin_authority_jwk?
.pin_vk;
match verify_receipt
The failure codes come from a fixed controlled vocabulary:
schema_violation, signature_invalid, wrong_signer, expired, not_yet_valid, wrong_issuer, wrong_audience, principal_signature_invalid:principal, principal_signature_invalid:agent, state_invalid, decision_bit_mismatch, unknown_vk, internal_inconsistency, proof_invalid.
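An added example, not code from this crate: a strict parser for the verdict when it reaches you as text in the `VALID` / `INVALID:{failure_code}` form above (for instance in a log line). `parse_verdict` and `accept` are hypothetical helper names. Two codes contain a colon themselves, so only the leading tag is stripped, and anything outside the vocabulary is rejected rather than guessed at.

```rust
// Added example, not part of the inherence-verifier crate.
// Assumption: the verdict arrives as text, "VALID" or "INVALID:{failure_code}".

/// Controlled vocabulary, copied from the list in this README.
pub const FAILURE_CODES: [&str; 14] = [
    "schema_violation", "signature_invalid", "wrong_signer", "expired",
    "not_yet_valid", "wrong_issuer", "wrong_audience",
    "principal_signature_invalid:principal", "principal_signature_invalid:agent",
    "state_invalid", "decision_bit_mismatch", "unknown_vk",
    "internal_inconsistency", "proof_invalid",
];

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Valid,
    Invalid(&'static str),
}

/// Hypothetical helper: strict parse of one verdict string.
/// Err means the text is not a verdict at all; callers must treat it as a rejection.
pub fn parse_verdict(text: &str) -> Result<Verdict, String> {
    if text == "VALID" {
        return Ok(Verdict::Valid);
    }
    // Strip only the leading tag: two codes contain ':' themselves, so
    // splitting on every ':' would truncate them.
    let code = text
        .strip_prefix("INVALID:")
        .ok_or_else(|| format!("not a verdict: {text:?}"))?;
    FAILURE_CODES
        .iter()
        .copied()
        .find(|known| *known == code)
        .map(Verdict::Invalid)
        .ok_or_else(|| format!("failure code outside the vocabulary: {code:?}"))
}

/// Fail closed: only the exact string "VALID" authorises anything.
pub fn accept(text: &str) -> bool {
    matches!(parse_verdict(text), Ok(Verdict::Valid))
}

fn main() {
    // Constructed sample inputs, including a truncated code and a case variant.
    for s in ["VALID", "INVALID:principal_signature_invalid:agent",
              "valid", "INVALID:principal_signature_invalid"] {
        println!("{s:<45} accept={} parsed={:?}", accept(s), parse_verdict(s));
    }
}
```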
Verifying keys
VKs are content-addressed. Fetch them from https://vk.inherencelabs.com/v1/keys/{vk_hash} — the URL contains no customer identifier. The verifier's pin_vk(vk_hash, bytes) re-hashes the bytes and refuses to use them if the hash doesn't match.
Test
Runs the 22 conformance vectors. A passing run is sufficient to claim v1 conformance.
License
Apache-2.0.