Skip to content

Artifact hash commands

Reproducible commands to pin api-billing-v2 and protocol circuit artifacts.
Canonical pins live in protocol/conformance/billing-v2-conformance.json and per-circuit ARTIFACT_MANIFEST.json files.

From repo root:

bash
bash scripts/verify-artifact-hashes.sh

Exits non-zero on mismatch. Safe for CI and auditor reproduction.


api-billing-v2 (Phase-2 binding)

Manifest: verifier-api/circuits/apiBillingV2/ARTIFACT_MANIFEST.json

WASM

bash
shasum -a 256 verifier-api/circuits/apiBillingV2/apiBillingV2_js/apiBillingV2.wasm | awk '{print $1}'
# expected: a1b1898a9e24021943711c3eb292fb704d4ae19e8c57fa00679a8859d70bb727

Proving key (zkey)

bash
shasum -a 256 verifier-api/circuits/apiBillingV2/apiBillingV2_0001.zkey | awk '{print $1}'
# expected: 13a088cce212b26e774dfaa8808f4ec77b739fdfa5da1213f4b8bd21e6315cc8

Verification key (raw file SHA-256)

bash
shasum -a 256 verifier-api/circuits/apiBillingV2/apiBillingV2.vkey.json | awk '{print $1}'
# expected: 32534119df9fc82a6bbe7d0a6275bee5753646c5f325e985e01ea07fd448179f

Verification key (canonical — attestation pin)

RFC 8785 canonical JSON over the vkey object (matches billing_proof.vkey_hash):

bash
node scripts/compute-billing-vkey-canonical-hash.mjs \
  verifier-api/circuits/apiBillingV2/ARTIFACT_MANIFEST.json
# expected: a486fb22805a60df7608e70a2939c178c2b12d9e84a4b94152c98e4859815bcf

R1CS + source

bash
shasum -a 256 verifier-api/circuits/apiBillingV2/apiBillingV2.r1cs | awk '{print $1}'
shasum -a 256 zk-cp/circuits/apiBillingV2.circom | awk '{print $1}'

Protocol circuit registry (VDI policy circuits)

bash
cd protocol && npm run artifact:status
cd protocol && npm run manifest:generate   # regenerate protocol/ARTIFACT_MANIFEST.json

Registry pins for strict-profile circuit governance:

bash
shasum -a 256 protocol/conformance/circuit-registry.example.json
# Compare wasm_sha256 entries to protocol/ARTIFACT_MANIFEST.json

Mirrored artifact paths

The same apiBillingV2 build is mirrored at:

PathRole
zk-cp/build/apiBillingV2/Source build output
verifier-api/circuits/apiBillingV2/API boot validation
public/circuits/apiBillingV2/Browser offline verifier

After recompiling (zk-cp/scripts/compile-api-billing-v2.sh), refresh manifests and re-run:

bash
bash scripts/verify-artifact-hashes.sh
cd protocol && node --test test/conformance-billing-v2.test.js

Production smoke pin

Post-deploy, smoke script checks live canonical vkey hash:

bash
API=https://api.quantzk.com bash scripts/smoke-billing-phase2.sh

See API billing smoke evidence.

Verification keys are embedded in attestations. The verifier is open source.