world-evr-verify
v1.0.0
Published
Independent, zero-dependency verifier for the world.evr artifact format (WORLD_EVR_PACKAGE_SPEC_V1). Re-derives every commitment and checks every mandatory binding predicate — browser + Node. Verification follows the artifact, not the platform.
Maintainers
Readme
world-evr-verify
Independent, zero-dependency verifier for the world.evr artifact format
(WORLD_EVR_PACKAGE_SPEC_V1). Runs in the browser and Node (Web Crypto, no deps).
Verification follows the artifact, not the platform. This library re-derives every commitment and checks every mandatory binding predicate from the artifact alone — no runtime code, no service. A "World Verified" result means the same thing whether it's computed in a portal, a CLI, a registry, or a third-party client. It is implemented from the published spec only, so it is independent of the software that produces world.evr artifacts.
Install
npm install world-evr-verifyUse
import { verifyPackage, verifyWorld } from "world-evr-verify";
// Verify a .evr PACKAGE — pass every package path -> exact bytes.
const verdict = await verifyPackage(files); // files: Map<string, Uint8Array>
if (verdict.accepted) showBadge();
else console.log(verdict.checks.filter(c => !c.ok)); // which predicate failed, and why
// Verify a world REPLAY package — re-derives every commitment from genesis + journal.
const w = await verifyWorld(pkg);
console.log(w.verified, w.roots);What it checks (verifyPackage, V1)
- Package hash recomputed from
hash-manifest.jsonvia the authoritative recipe (sha256overpath \0 sha256hex \n, byte-lexicographic) and matched toexpected-package-hash.txt. - Per-file integrity + no load-bearing file outside the hash-manifest.
- Mandatory semantic predicates (each survives a self-consistent hash-manifest repackage):
manifest↔genesis/runtime/contract identity + hash bindings · restore checkpoint package & world
binding ·
continuity_root == sha256(journal bytes)recompute · proof/certification bindings.
Design
- Zero runtime dependencies — Web Crypto SHA-256 only (browser + Node 20+).
- Hostile-input safe — returns a clean negative verdict, never throws on bad input.
- Independent by construction — written from the spec; no EverArcade runtime code. A second implementation (a Python CLI) verifies the same fixtures with byte-identical verdicts; cross-impl agreement is the ambiguity test.
v1.0.0 verifies WORLD_EVR_PACKAGE_SPEC_V1. MIT.
