@kashscript/whiffin
v0.1.0
Published
The Settlement Protocol — rail-agnostic, purpose-bound mandates (W3C Verifiable Credentials with AP2 semantics) + signed receipts + reconciliation reports on @kashscript/attest. Payment rails (Raast/EMVCo/Safepay/SoftPOS) as adapters; chain is one optiona
Readme
@kashscript/whiffin — the Settlement Protocol (rail-agnostic)
Crypto is one optional rail, never a requirement. Commercial (SSLA Schedule B). Where money moves,
ventures consume Whiffin and never reach for raw trade-sdk.
Built in phase M4 of the protocol Manifestation
(ADR-0016). Purpose-bound mandates + signed
receipts + reconciliation reports on @kashscript/attest; payment rails
(Raast/EMVCo/Safepay/SoftPOS) as adapters. The generic machinery is derived from the Duedale
grant/report/rails seeds; SegmentPolicy content, DD_* mapping, funder/vendor UI, and the demo's
SIMULATION posture stay venture-side. Full contract:
specs/whiffin.md.
Mandate core — W3C VCs with AP2 semantics
A purpose-bound grant is an AP2 Intent Mandate: a fixed max amount, a purpose lock, an allowed-vendor set (Merkle root), an expiry/TTL, and a single-use nonce — pre-authorizing redemption.
import { issueGrant, markDelivered, redeemGrant, InMemoryGrantLedger, InMemoryNonceStore } from "@kashscript/whiffin/mandate";
import { toMandateCredential, verifyMandateCredential } from "@kashscript/whiffin/credential";
const { signed, record } = await issueGrant(req, program, operatorPriv, ledger);
const vc = toMandateCredential(signed, { issuer: operatorDid }); // W3C VC 2.0 + AP2 Intent Mandate
await verifyMandateCredential(vc, operatorPub); // proof = the kash-grant-v1 signature- Lifecycle —
issueGrant·markDelivered·redeemGrant, withGrantLedger/NonceStoreinterfaces (+ in-memory reference impls). - Policy gate (
@kashscript/whiffin/policy) — a config-driven, ordered set of named checks (signature · beneficiary binding · purpose · expiry · vendor Merkle inclusion), nonce burned LAST. Zero segment branching — reads fields only; errors are neutralWhiffinPolicyErrorcodes. - Credential (
./credential) — Intent Mandate (grant) + Cart Mandate (offer→receipt→dispute) as W3C Verifiable Credentials; the proof embeds the existing Kash-Event Ed25519 signature (no new crypto).
Rails (@kashscript/whiffin/rails)
emvco (MPM v01 + CRC-16/CCITT-FALSE), raast (P2M QR + shared-secret verifier), safepay (HMAC
verifier), softpos (bridge loader + camera scanner + reader guard), partner-ledger (interface +
SimulationPartnerLedger — every result labelled simulation: true), and chain (interface + not-wired
stub; the EVM/Solana impl is venture-wired via trade-sdk, artifacts guard applies).
Reconciliation (@kashscript/whiffin/report)
The every-rupee-style report — a pure projection (per-grant lifecycle · vendor breakdown · totals) + a
render-time SHA-256/JCS hash-chain + a kash-report-v1-signed envelope. Generalized (simulation /
settled / refunded / disclaimers / envelope-typ injected). A report generated here re-verifies
under attest's verifyDuedaleReport when the venture-branded envelope type + genesis label are passed.
Reconciliation invariant: issuedPaisa === redeemedPaisa + unspentPaisa.
Status
0.x — the API stays 0.x until duedale-angel's terminal + /report flows swap onto the published
package (consumer-as-acceptance, ADR-0016). The runtime license assertion + registry tier mapping land
in M6. Depends on @kashscript/identity-core + @kashscript/identity-zkp
(/merkle) + @kashscript/attest.
Commercial — SSLA Schedule B; see LICENSE.
