Skip to content

Universal JS verifier + static browser verify page (SC6 browser path)#29

Merged
thequantumfalcon merged 1 commit into
mainfrom
phase1-browser-verify
Jul 6, 2026
Merged

Universal JS verifier + static browser verify page (SC6 browser path)#29
thequantumfalcon merged 1 commit into
mainfrom
phase1-browser-verify

Conversation

@thequantumfalcon

Copy link
Copy Markdown
Owner

Completes Phase 1's stranger-UX half (SC6 browser path) by making the SC2 verifier run in a browser.

What changed

  • verifiers/js/verify.mjs is now environment-agnostic: pure-JS SHA-256 (validated against node:crypto on 20k+ inputs), a number-preserving JSON parser, and no Node/DOM APIs — so the same file runs under Node, Deno, and in a browser. Exports verdict(text).
  • verifiers/js/cli.mjs (new): the Node CLI + corpus runner (--vectors, --batch, single-file), split out of the verifier.
  • verifiers/web/index.html (new): a static, self-contained, view-source-auditable page that verifies a pasted receipt entirely client-side — no server, nothing to trust. Paste → VALID, tamper → INVALID, malformed → PARSE_ERROR (all instant). This is the SC6 "static browser page".

Verification

  • Corpus: 28/28 via cli.mjs --vectors.
  • Differential fuzz re-run with the pure-SHA-256 verifier: N=1,000,000 → 0 divergences (SC2 still holds after the crypto swap).
  • Page logic tested through the real verify.mjs (embedded sample → VALID, tamper → INVALID, malformed → PARSE_ERROR; inlined multiplier set matches the corpus).
  • ruff-clean; no shipping code touched this PR.

Design note

One ~300-line file is now simultaneously the SC2 second implementation and the SC6 stranger-facing verifier, because the security core is language-neutral by design (canon_f64). The only non-neutral surface is the outer attestation_hash (raw floats), handled by the number-preserving parser — still the case for migrating it to canon_f64 in a future spec revision.

Remaining

The pipx run <dist> verify CLI path + a formal timed cold-start transcript (rest of SC6), and an optional Go/Rust static-binary third impl if a toolchain lands.

… path)

Refactor verifiers/js/verify.mjs into an environment-agnostic module (pure-JS
SHA-256 validated against node:crypto on 20k+ inputs, number-preserving parser,
no Node/DOM APIs) so the same verifier runs under Node, Deno, and in a browser.
Move the Node CLI + corpus runner to verifiers/js/cli.mjs.

Add verifiers/web/index.html: a static, self-contained, view-source-auditable
page that verifies a pasted receipt entirely client-side (no server) -- the SC6
browser path. Paste -> VALID, tamper -> INVALID, malformed -> PARSE_ERROR.

Re-ran the 10^6 differential fuzz with the pure-SHA-256 verifier: still 0
divergences. Corpus 28/28. ruff-clean.
@thequantumfalcon thequantumfalcon merged commit 62d8dca into main Jul 6, 2026
10 checks passed
@thequantumfalcon thequantumfalcon deleted the phase1-browser-verify branch July 6, 2026 00:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant