Artifact hash commands
Reproducible commands to pin api-billing-v2 and protocol circuit artifacts.
Canonical pins live in protocol/conformance/billing-v2-conformance.json and per-circuit ARTIFACT_MANIFEST.json files.
One command (recommended)
From repo root:
bash
bash scripts/verify-artifact-hashes.shExits non-zero on mismatch. Safe for CI and auditor reproduction.
api-billing-v2 (Phase-2 binding)
Manifest: verifier-api/circuits/apiBillingV2/ARTIFACT_MANIFEST.json
WASM
bash
shasum -a 256 verifier-api/circuits/apiBillingV2/apiBillingV2_js/apiBillingV2.wasm | awk '{print $1}'
# expected: a1b1898a9e24021943711c3eb292fb704d4ae19e8c57fa00679a8859d70bb727Proving key (zkey)
bash
shasum -a 256 verifier-api/circuits/apiBillingV2/apiBillingV2_0001.zkey | awk '{print $1}'
# expected: 13a088cce212b26e774dfaa8808f4ec77b739fdfa5da1213f4b8bd21e6315cc8Verification key (raw file SHA-256)
bash
shasum -a 256 verifier-api/circuits/apiBillingV2/apiBillingV2.vkey.json | awk '{print $1}'
# expected: 32534119df9fc82a6bbe7d0a6275bee5753646c5f325e985e01ea07fd448179fVerification key (canonical — attestation pin)
RFC 8785 canonical JSON over the vkey object (matches billing_proof.vkey_hash):
bash
node scripts/compute-billing-vkey-canonical-hash.mjs \
verifier-api/circuits/apiBillingV2/ARTIFACT_MANIFEST.json
# expected: a486fb22805a60df7608e70a2939c178c2b12d9e84a4b94152c98e4859815bcfR1CS + source
bash
shasum -a 256 verifier-api/circuits/apiBillingV2/apiBillingV2.r1cs | awk '{print $1}'
shasum -a 256 zk-cp/circuits/apiBillingV2.circom | awk '{print $1}'Protocol circuit registry (VDI policy circuits)
bash
cd protocol && npm run artifact:status
cd protocol && npm run manifest:generate # regenerate protocol/ARTIFACT_MANIFEST.jsonRegistry pins for strict-profile circuit governance:
bash
shasum -a 256 protocol/conformance/circuit-registry.example.json
# Compare wasm_sha256 entries to protocol/ARTIFACT_MANIFEST.jsonMirrored artifact paths
The same apiBillingV2 build is mirrored at:
| Path | Role |
|---|---|
zk-cp/build/apiBillingV2/ | Source build output |
verifier-api/circuits/apiBillingV2/ | API boot validation |
public/circuits/apiBillingV2/ | Browser offline verifier |
After recompiling (zk-cp/scripts/compile-api-billing-v2.sh), refresh manifests and re-run:
bash
bash scripts/verify-artifact-hashes.sh
cd protocol && node --test test/conformance-billing-v2.test.jsProduction smoke pin
Post-deploy, smoke script checks live canonical vkey hash:
bash
API=https://api.quantzk.com bash scripts/smoke-billing-phase2.sh