Add receive ownership layer: receiveSig, owner ΦKey derivation, and provenance handling #272
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c6675aa5f9
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Comment on lines
547
to
+550
| alg: "webauthn-es256", | ||
| nonce, | ||
| binds: { bundleHash }, | ||
| createdAtPulse: receivePulse, |
There was a problem hiding this comment.
Here the receive signature is bound to the pre-receive bundleHash, but the receive bundle you emit later stores receiveBundleHash as the newly computed bundle hash (see VerifierStamper.tsx ~2511–2512), and VerifyPage’s ownership check requires receiveSig.binds.bundleHash === receiveBundleHash before it derives/accepts ownerPhiKey. In the common case where the receive bundle hash differs from the origin hash (because mode, originBundleHash, receivePulse, etc. are added), every received SVG produced by this flow will fail ownership attestation. The receive signature needs to be computed against the same hash that is persisted in receiveBundleHash (or the stored hash needs to match what was signed).
Useful? React with 👍 / 👎.
kojibai
merged commit 4da37ea
into
codex/implement-opengraph-image-rendering-for-verified-glyphs-zhhgfy
2 checks passed
kojibai
added a commit
that referenced
this pull request
Jan 26, 2026
# Φ Network (PHI_NETWORK) — v42.0.0
**Release date:** 2026-01-25 (America/New_York)
**Baseline:** v41.2.0 (tag: `41.2.0`, commit: `f955135`) → HEAD :contentReference[oaicite:1]{index=1}
## Executive summary
v42.0.0 is a major capability release for the ΦNet Sovereign Gate focused on **shareable verification**, **receive-ownership**, and **offline-first integrity**. This release introduces a deterministic **VERIFIED OpenGraph (OG) card pipeline** (server-rendered + client fallback), adds a **receive ownership layer** (receive signature + owner ΦKey derivation + provenance handling), and hardens the verification bundle schema/hashing so **offline verification remains final and spoof-resistant**. :contentReference[oaicite:2]{index=2}
---
## Highlights
### 1) Deterministic VERIFIED OG cards + /og route (shareable verification)
- Added deterministic **VERIFIED OG card renderer**, **/og route**, SSR metadata, and a client download fallback. :contentReference[oaicite:3]{index=3}
- Hardened OG not-found handling + share text, and tightened OG metadata ordering for receive signatures. :contentReference[oaicite:4]{index=4}
- Added **verifiedAtPulse** to verified OG cards and added verification pulse into proof bundles so each verification is uniquely stamped. :contentReference[oaicite:5]{index=5}
### 2) Receive ownership layer (receiveSig + owner ΦKey derivation + provenance)
- Implemented a receive ownership layer including **receiveSig**, **owner ΦKey derivation**, and provenance handling. :contentReference[oaicite:6]{index=6}
- Fixed receive signature lookup issues and improved verification snapshot/KAS fallback behavior around receive flows. :contentReference[oaicite:7]{index=7}
- Allowed chained receives and surfaced owner ΦKey display. :contentReference[oaicite:8]{index=8}
### 3) Verifier artifact packaging (ZIP bundles) + segmented verification robustness
- Added **bundle ZIP downloads** for VerifierStamper receive + segment flows. :contentReference[oaicite:9]{index=9}
- Fixed segmented glyph verification and ensured archive-on-seal correctness; fixed sendLock typing when sealing segments. :contentReference[oaicite:10]{index=10}
### 4) Valuation integrity (minted snapshot + receipt binding) + receive USD chart correctness
- Minted valuation snapshot + bound it to receipts; fixed receive-signature bundle hash, and corrected USD chart behavior for receive glyphs. :contentReference[oaicite:11]{index=11}
### 5) SSR + offline-first performance (snapshot seeding/caching, preload/header, lazy-loading)
- SSR/offline: use `/` as shell, add SSR preloads/header, and lazy-load heavy browser libs. :contentReference[oaicite:12]{index=12}
- Added SSR snapshot seeding + caching and short-circuited SSR loaders when cached. :contentReference[oaicite:13]{index=13}
- Multiple Vercel SSR hardening iterations (render invocation, render fn signature, HTML fallback). :contentReference[oaicite:14]{index=14}
---
## Breaking changes / upgrade notes
- **Verification bundle schema** has been expanded/clarified with explicit binding fields (origin/receive mode, bundle hashes, receiveSig, receivePulse, ownerPhiKey, derivation, etc.). Consumers should treat the bundle as forward-compatible and prefer the explicit fields when present. :contentReference[oaicite:15]{index=15}
- Tooling note: repository package manager metadata was updated (`pnpm@10.28.1`) alongside related build metadata changes. :contentReference[oaicite:16]{index=16}
---
## Security & Integrity
- Hardened verification cache + receipts; tightened proof bundle contracts and normalized ZK curve metadata for consistency. :contentReference[oaicite:17]{index=17}
- Fixed verify bundle hash parity (including legacy proofs) and aligned ZK hash with payload hash. :contentReference[oaicite:18]{index=18}
- Persisted KAS author signatures in the sigil registry + hardened WebAuthn signing flows (PWA stability + cross-session recall). :contentReference[oaicite:19]{index=19}
---
## Performance & Reliability
- Improved SSR/offline shell behavior and lazy loading for heavier client libraries to reduce initial load and improve time-to-interactive without sacrificing offline operation. :contentReference[oaicite:20]{index=20}
- Fixed app loading issues on Vercel by correcting SSR invocation/signatures and HTML fallbacks. :contentReference[oaicite:21]{index=21}
- Mobile export hardening: fixed PNG export fidelity, ensured img onload is registered before src assignment, and clamped PNG export sizes for mobile constraints. :contentReference[oaicite:22]{index=22}
---
## Full “Today / last 24h” commit list (GitHub date buckets)
> Note: GitHub groups these as **Jan 25–26, 2026** (often UTC-skewed vs local time). :contentReference[oaicite:23]{index=23}
### Jan 26, 2026
- Merge PR #256 — Add deterministic VERIFIED OG card renderer, /og route, SSR meta, and client download fallback (`d646d44`) :contentReference[oaicite:24]{index=24}
- Merge PR #279 — Add bundle ZIP downloads for VerifierStamper receive and segment flows (`4cdfc14`) :contentReference[oaicite:25]{index=25}
- Add bundle zip downloads for verifier actions (`44b819e`) :contentReference[oaicite:26]{index=26}
- Merge PR #278 — Fix segmented glyph verification and archive on seal (`ba519b5`) :contentReference[oaicite:27]{index=27}
- update (`146ac52`) :contentReference[oaicite:28]{index=28}
- Fix sendLock type when sealing segments (`0027102`) :contentReference[oaicite:29]{index=29}
- Fix segmented glyph verification and archive on seal (`68edd9f`) :contentReference[oaicite:30]{index=30}
- Merge PR #273 — Mint valuation snapshot + bind to receipt; fix receive-signature bundle hash; USD chart for receive glyphs (`f7d225a`) :contentReference[oaicite:31]{index=31}
- Merge PR #276 — fix infinite receives and verification display (`2c73fde`) :contentReference[oaicite:32]{index=32}
- Merge PR #277 — fix unused variable warnings (`2a1994a`) :contentReference[oaicite:33]{index=33}
- update verifypage (`a66c624`) :contentReference[oaicite:34]{index=34}
- Use receive bundle hash from embedded proof (`eea658d`) :contentReference[oaicite:35]{index=35}
- Use receive bundle root and lock helper (`c94496f`) :contentReference[oaicite:36]{index=36}
### Jan 25, 2026
- Allow repeat receive claims per upload (`a5793b5`) :contentReference[oaicite:37]{index=37}
- Fix verify OG meta ordering for receive sig (`90b8572`) :contentReference[oaicite:38]{index=38}
- Allow chained receives and show owner PhiKey (`6872a65`) :contentReference[oaicite:39]{index=39}
- Merge PR #275 — Fix receive signature storage key mismatch (`fd528a3`) :contentReference[oaicite:40]{index=40}
- Fix receive signature lookup and USD chart scaling (`54b08ef`) :contentReference[oaicite:41]{index=41}
- Merge PR #274 — Fix TypeScript type errors on VerifyPage (`4d43a9f`) :contentReference[oaicite:42]{index=42}
- Tighten KAS author-sig fallback (`c66e34e`) :contentReference[oaicite:43]{index=43}
- Fix verification snapshot and KAS fallback (`8595b42`) :contentReference[oaicite:44]{index=44}
- Add receive-bound valuation and signature fixes (`fe54c2d`) :contentReference[oaicite:45]{index=45}
- Merge PR #272 — Add receive ownership layer: receiveSig, owner ΦKey derivation, and provenance handling (`4da37ea`) :contentReference[oaicite:46]{index=46}
- update verifypage fixed linter errors (`888515c`) :contentReference[oaicite:47]{index=47}
- Add receive ownership metadata and verification (`c6675aa`) :contentReference[oaicite:48]{index=48}
- Merge PR #270 — default cache version to verification_bundle_version (`d5c44d6`) :contentReference[oaicite:49]{index=49}
- Use verifier bundle version for cache fallback (`29fc43f`) :contentReference[oaicite:50]{index=50}
- Merge PR #268 — harden sigil proof bundle for invariants (`ec5f7cf`) :contentReference[oaicite:51]{index=51}
- Merge PR #269 — finalize verifier audit hardening (`8c8f218`) :contentReference[oaicite:52]{index=52}
- update verifier proof verifier stamper and verifypage for lint errrors (`fd80430`) :contentReference[oaicite:53]{index=53}
- Harden verification cache and receipts (`0ffd781`) :contentReference[oaicite:54]{index=54}
- Harden sigil proof bundle contracts (`beec7ed`) :contentReference[oaicite:55]{index=55}
- Merge PR #267 — fix proof bundle curve metadata consistency (`f4a8587`) :contentReference[oaicite:56]{index=56}
- Normalize zk curve metadata in proof bundles (`23ddb86`) :contentReference[oaicite:57]{index=57}
- Merge PR #266 — escape capsulehash in svg text (`04d9a92`) :contentReference[oaicite:58]{index=58}
- Merge PR #258 — fix corrupted PNG image on VerifyPage (`cabfee1`) :contentReference[oaicite:59]{index=59}
- Fix bundle hash parity and PNG filename (`674b964`) :contentReference[oaicite:60]{index=60}
- Fix bundle hash parity for legacy proofs (`9c96fcd`) :contentReference[oaicite:61]{index=61}
- Use phi.svg in verified card (`7db9cb2`) :contentReference[oaicite:62]{index=62}
- Fix VerifyPage pulse initialization (`ff4892f`) :contentReference[oaicite:63]{index=63}
- Fix verifier PNG download and unique URLs (`53b9812`) :contentReference[oaicite:64]{index=64}
- Fix PNG download handling (`21689a9`) :contentReference[oaicite:65]{index=65}
- Merge PR #257 — add verification timing marker to card (`0a908f0`) :contentReference[oaicite:66]{index=66}
- Fix verifiedAtPulse type in bundle seed (`47579f8`) :contentReference[oaicite:67]{index=67}
- Fix verification metadata order and OG description (`1c4ae9e`) :contentReference[oaicite:68]{index=68}
- Add verification pulse to proof bundles (`507e5a3`) :contentReference[oaicite:69]{index=69}
- Add verifiedAtPulse to verified OG cards (`bc30b46`) :contentReference[oaicite:70]{index=70}
- Add verified OG card rendering (`548f807`) :contentReference[oaicite:71]{index=71}
- create phi_og_verified_template (`2311fd6`) :contentReference[oaicite:72]{index=72}
- Preserve badge styles on button variants (`ea60d43`) + official seal popovers + copy refinements :contentReference[oaicite:73]{index=73}
- SSR fixes: render invocation/signature + loader declaration + caching short-circuit + HTML fallback :contentReference[oaicite:74]{index=74}
---
## Full changelog (since v41.2.0)
Baseline tag: `41.2.0` — “Bump app version to 41.2.0 and update sigil file naming” (`f955135`). :contentReference[oaicite:75]{index=75}
### v41.3.0 → v41.6.x (Jan 12–13)
- v41.3.0 Update build artifacts and SigilModal component (`e498c3f`) :contentReference[oaicite:76]{index=76}
- Bump app version to 41.5.0 and update Sigil file naming (`3c858ef`) :contentReference[oaicite:77]{index=77}
- v41.6.0 Update baseName format in SigilModal export (`e5fbe8a`) :contentReference[oaicite:78]{index=78}
- Store KAS auth in sigil registry (`fff9e79`) + Fix WebAuthn allowCredentials buffer (`464fd40`) :contentReference[oaicite:79]{index=79}
- Merge PR #226 — Persist KAS author signatures in sigil registry and harden WebAuthn signing (`87ff285`) :contentReference[oaicite:80]{index=80}
- Reload detection: Add reload detective and harden KaiVoh reload safety (`228a735`), PR #228 (`5d8c524`) :contentReference[oaicite:81]{index=81}
### v41.6.8 → v41.7.x (Jan 24)
- Merge PR #229 — implement SSR and optimize performance (`d96d955`) + SSR entrypoints/perf instrumentation (`ad71837`) :contentReference[oaicite:82]{index=82}
- Export + proof bundle: Enhance sigil export with proof bundle (`11e6433`), Match SigilPage export proof bundle to SealMoment (`aeb1339`), Align exported SVG hashing with verifier (`2602cdf`) :contentReference[oaicite:83]{index=83}
- Offline correctness: Ensure sigil page and exports work offline (`93ec687`), Keep JSZip bundled for offline exports (`7f1f2d0`) :contentReference[oaicite:84]{index=84}
- Mobile PNG stability: Clamp PNG export size for mobile (`c539f9c`), Fix fallback image loading (`6457adc`), Fix mobile PNG export fidelity (`56e6906`) :contentReference[oaicite:85]{index=85}
### v41.8.x → v41.9.x (Jan 25)
- SSR/offline hardening: PR #237 (`b56ad55`) + SSR snapshot cache/loader short-circuit (`2b36112`) + Vercel SSR invocation/signature fixes (`c17a987`, `8e55600`) :contentReference[oaicite:86]{index=86}
- Verify UX: live chart popover on verify price (`7c88c05`) + badge/seal popovers and copy updates :contentReference[oaicite:87]{index=87}
- Verified OG groundwork: create template (`2311fd6`), add verified OG rendering (`548f807`), add verification pulse fields (`507e5a3`, `bc30b46`) :contentReference[oaicite:88]{index=88}
- Hash parity hardening: multiple fixes for verify bundle hash parity + legacy proofs + PNG download correctness :contentReference[oaicite:89]{index=89}
### v41.9.9 → v42.0.0 (Jan 25–26)
- Receive ownership layer (PR #272) + receive valuation/signature correctness and chained-receive display improvements :contentReference[oaicite:90]{index=90}
- Valuation snapshot minting + receipt binding (PR #273) :contentReference[oaicite:91]{index=91}
- Segmented verification fixes (PR #278) + ZIP bundle downloads (PR #279) :contentReference[oaicite:92]{index=92}
- Deterministic VERIFIED OG cards end-to-end (PR #256) :contentReference[oaicite:93]{index=93}
---
## Credits
- Primary author: @kojibai :contentReference[oaicite:94]{index=94}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
Description
ReceiveSig.createdAtPulse, optionalnonce, and strictisReceiveSigguards, and wire receive verification viawebauthnReceiveutilities to the UI verification flow.ownerPhiKeyderivation utilities (deriveOwnerPhiKeyFromReceive/buildOwnerKeyDerivation) insrc/utils/ownerPhiKey.tsand mint/storeownerPhiKey+ownerKeyDerivationwhen a receiver accepts a glyph.verifierProof.tsandsigilMetadata.ts) to includemode,originBundleHash,receiveBundleHash,originAuthorSig,receiveSig,receivePulse,ownerPhiKey, andownerKeyDerivation, and updatebuildBundleUnsigned/normalizeBundleto preserve/export these fields while excluding them from canonical hash inputs.VerifyPagenow reads/verifiesreceiveSig, computes/validatesownerPhiKeyagainst derived value, surfaces separate provenance vs ownership seals, and exposes a "Receive / Accept Glyph" action;VerifierStamperproduces receive-mode bundles (setsmode: "receive",originBundleHash,receiveBundleHash,receivePulse,ownerPhiKey, andownerKeyDerivation) when claiming receive.authorSigverification when origin-specific fields are absent, and marking ownership attestation as "missing" (not failing ZK verification) whenreceiveSig/ownerPhiKeyare absent.tests/receive_bundle.test.mjs) that validate: author signature binding to bundle hash (legacy), receive signature verification and deterministic owner ΦKey derivation, and legacy receive bundles marking ownership as missing.Testing
node --test tests/receive_bundle.test.mjs, which executed 3 tests (authorSig binding, receive provenance/ownership, and legacy-compat ownership-missing) and all tests passed.Codex Task