power_house 0.3.7

Deterministic verification and provenance system for portable computational identities using .pha artifacts and Rootprint graphs.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151

# Identity Layer

Status: normative for Power House v0.3.7.

The identity layer is an immutable abstraction over existing `.pha` and
Rootprint primitives. It does not replace Rootprint and does not require the
`net` feature.

## Rust API

```rust
use power_house::{identity::Identity, provenance::PhaArtifact};
use serde_json::json;

let artifact = PhaArtifact::new(
    json!({"producer": "example"}),
    "power-house/example/v1",
    json!({"claim": 7}),
    json!({"accepted": true}),
)?;
let (identity, graph) = Identity::create("main", artifact)?;
identity.verify(&graph)?;
# Ok::<(), Box<dyn std::error::Error>>(())
```

`Identity` stores a `PhaArtifact` and `RootprintId`. Its fields are private and
exposed through `pha()` and `rootprint_id()` so a created identity cannot be
altered in place. `fork` and `merge` return new identities.

| Identity API | Rootprint primitive |
| --- | --- |
| `Identity::create` | `Rootprint::new` |
| `Identity::fork` | `Rootprint::fork` |
| `Identity::merge` | `Rootprint::merge` |
| `Identity::verify` | artifact verification, graph verification, and node resolution |
| `Identity::replay` | `Rootprint::replay` |
| `Identity::equivalent` | `Rootprint::equivalent` |

## JULIAN CLI

```bash
julian identity create main.pha \
  --label main \
  --identity-output main.identity.json \
  --rootprint-output identity.rootprint.json \
  --artifact-output main-bound.pha

julian identity fork main.identity.json identity.rootprint.json candidate.pha \
  --label candidate \
  --identity-output candidate.identity.json

julian identity merge candidate.identity.json audit.identity.json \
  identity.rootprint.json accepted.pha \
  --label accepted \
  --identity-output accepted.identity.json

julian identity verify accepted.identity.json identity.rootprint.json
julian identity replay accepted.identity.json identity.rootprint.json \
  --output accepted.replay.json
julian identity equivalent candidate.identity.json audit.identity.json \
  identity.rootprint.json
```

CLI operations read existing identities and emit new identity files. They never
rewrite a source identity.

## Identity-Aware `.pha`

The v1 schema gains one optional top-level field:

```json
{
  "schema": "power-house/pha/v1",
  "provenance": {},
  "embedded_proof": {
    "protocol": "power-house/example/v1",
    "public_inputs": {},
    "proof": {}
  },
  "identity_root": "sha256:<64 lowercase hex characters>",
  "phx_fingerprint": "sha256:<64 lowercase hex characters>"
}
```

The Rust declaration is:

```rust
#[serde(default, skip_serializing_if = "Option::is_none")]
pub identity_root: Option<RootprintId>
```

Legacy artifacts omit the field and retain exactly the same fingerprint.
`identity_root` is intentionally outside the established v1 fingerprint. A
Rootprint branch ID already commits to the artifact fingerprint, so including
the branch ID in that same fingerprint would create an unsatisfiable circular
hash. Identity verification binds the two values in graph context instead.

## Verification Workflow

`Identity::verify` performs all of the following without network access:

1. validates the `.pha` schema and core fingerprint;
2. verifies the complete Rootprint DAG;
3. requires the artifact `identity_root` to equal the envelope `rootprint_id`;
4. resolves that exact node in the graph;
5. requires the graph node to bind back to the same identifier;
6. requires the graph node and identity artifact to share the same core
   fingerprint.

Missing, malformed, unresolved, or mismatched identity roots fail
verification.

## Replay Workflow

Rootprint replay verifies the graph, derives canonical depth from parent links,
sorts nodes by `(canonical_depth, branch_id)`, and reconstructs a state
containing:

- root branch;
- ordered branch projections;
- sorted graph tips;
- a domain-separated SHA-256 state fingerprint.

The projection contains only graph structure and `.pha` core fingerprints.
External proof attachments and `identity_root` transport pointers cannot alter
the replay result. Rust and Python produce byte-compatible JSON values and the
same replay fingerprint.

## Python API

```python
from power_house import (
    create_identity,
    equivalent_identity,
    fork_identity,
    merge_identity,
    replay_identity,
    verify_identity,
)
```

The shared vectors in `conformance/identity-v1` define the required identity,
Rootprint, and replay outputs for both SDKs.

## Network Isolation

Identity, `.pha`, Rootprint, replay, merge, and equivalence compile with default
features and remain fully available offline. Networking, peer discovery,
distributed synchronization, and quorum reconciliation remain gated behind
`--features net`. Network state is not an input to any local verification
result.