npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

twzrd-receipt-verifier

v1.0.2

Published

Standalone offline verifier for TWZRD AO-Receipt V5 (Ed25519-signed keccak256 leaf). No trust in TWZRD servers or code.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

twzrd1111twzrd1111

Keywords

twzrdx402solanaed25519keccak256receiptverifieragentattestation

Readme

TWZRD Receipt Verifier (standalone)

Verify a TWZRD AO-Receipt V5 offline, trusting nothing from TWZRD's servers or codebase - only the receipt, TWZRD's published public key, and two widely-audited crypto libraries.

A TWZRD trust receipt has two layers:

  1. Tamper-evidence - a keccak256 leaf over the receipt's preimage fields.
  2. Authenticity - an Ed25519 signature over the leaf bytes, made with TWZRD's dedicated receipt-signing key.

This tool recomputes the leaf and checks the signature against the published key. If it says VALID, the receipt was authored by TWZRD and was not altered. Unsigned, wrong-key, or tampered receipts fail.

Where this fits: the agent trust loop

This verifier is the last step of the x402 trust rail an agent runs before and after it spends:

  1. Discover a model/provider - wzrd-client (PyPI) or @wzrd_sol/sdk (npm)
  2. Preflight the seller wallet, free - POST https://intel.twzrd.xyz/v1/intel/preflight (or MCP get_readiness_card_tool)
  3. Pay with a signed receipt - GET https://intel.twzrd.xyz/v1/intel/trust/{seller} (0.05 USDC, x402)
  4. Verify the receipt offline - this package (trust nothing but the bytes + the public key)
# zero-install: verify a receipt straight from the published package
npx twzrd-receipt-verifier receipt.json --pubkey 9V6Pn19kiUA5Rn6JpQfNduanvGt2aXGwsarosNfa2Ldf

The published signing key

| field | value | |-------|-------| | algorithm | ed25519 | | key_id | twzrd-receipt-ed25519-v1 | | public key (base58) | 9V6Pn19kiUA5Rn6JpQfNduanvGt2aXGwsarosNfa2Ldf |

Also published, machine-readable, at:

  • https://intel.twzrd.xyz/.well-known/x402receipt.signature.public_key
  • https://intel.twzrd.xyz/openapi.jsonx402.receipt.signature.public_key
  • the MCP card agent-intel-mcp-card.jsonreceipt_signing.public_key

Most paranoid mode: pin the key out-of-band with --pubkey instead of fetching it, so you never trust the live endpoint to tell you which key to trust.

Get a receipt to verify

Any TWZRD V5 receipt works. To mint a fresh one, pay the trust endpoint (x402, 0.05 USDC on Solana mainnet) - e.g. via AgentCash:

npx agentcash@latest fetch https://intel.twzrd.xyz/v1/intel/trust/<PUBKEY> > resp.json
# the receipt is the `twzrd_receipt` object in the response

The receipt object looks like:

{
  "version": "v5",
  "leaf": "0x...",
  "preimage": { "domain": "TWZRD:AO_REPUTATION_RECEIPT_V5", "agent_id": "...", "score": 15, "...": "..." },
  "signature": "base58 ed25519 sig",
  "signing_pubkey": "9V6Pn19kiUA5Rn6JpQfNduanvGt2aXGwsarosNfa2Ldf",
  "key_id": "twzrd-receipt-ed25519-v1",
  "signing_alg": "ed25519"
}

Python

pip install pynacl pycryptodome     # libsodium Ed25519 + original Keccak-256

# fetch the published key and verify:
python verify_twzrd_receipt.py receipt.json

# pin the key out-of-band (recommended):
python verify_twzrd_receipt.py receipt.json --pubkey 9V6Pn19kiUA5Rn6JpQfNduanvGt2aXGwsarosNfa2Ldf

# also confirm a tampered copy FAILS:
python verify_twzrd_receipt.py receipt.json --self-test

# from stdin:
cat receipt.json | python verify_twzrd_receipt.py -

Node

npm install                          # tweetnacl + js-sha3 + bs58

node verify_twzrd_receipt.js receipt.json
node verify_twzrd_receipt.js receipt.json --pubkey 9V6Pn19kiUA5Rn6JpQfNduanvGt2aXGwsarosNfa2Ldf --self-test
cat receipt.json | node verify_twzrd_receipt.js -

Both exit 0 on VALID, 1 on INVALID.

What it checks (and the exact layout)

The keccak256 leaf preimage is a strict little-endian, length-prefixed concat (reproducible in any language):

domain            = "TWZRD:AO_REPUTATION_RECEIPT_V5"   (or ...ATTENTION... for attention receipts)
agent_id          = u16_le(len(utf8)) || utf8 bytes
score             = u16_le
confidence_bps    = u16_le
timestamp_unix    = u64_le
payer             = 32 bytes  (base58-decoded pubkey, or sha256(marker) for synthetic payers)
settlement_anchor = 32 bytes  (last 32 bytes of the utf-8 settlement_tx string, or 32 zero bytes)

leaf      = keccak256(domain || agent_id || score || confidence_bps || timestamp_unix || payer || settlement_anchor)
signature = Ed25519_sign(receipt_signing_key, leaf_bytes)

The verifier:

  1. recomputes leaf from the preimage and compares it to receipt.leaf,
  2. confirms receipt.signing_pubkey (if present) equals the trusted key,
  3. verifies the Ed25519 signature over the 32 leaf bytes against the trusted key.

VALID requires all three. The settlement_tx in the preimage is an on-chain Solana signature you can independently check for ground truth.

Trust assumptions

You trust: the receipt you were given, the published public key (ideally pinned), and the crypto libraries (PyNaCl/libsodium, pycryptodome; tweetnacl, js-sha3). You do not trust TWZRD's API, database, or this repository's other code. Swap the libraries for your own if you prefer - the byte layout above is the whole spec.