3. Operational readiness note
Product: api-billing-v2 pilot
Gate: cd verifier-api && npm run test:billing-pilot
Canonical env: docs/dev/verifier-api-test-setup.md
Status as of f67bf83: Production deployed; gates green
Release gates
| Gate | Status | Evidence |
|---|---|---|
| Billing pilot integration suite | 15/15 | verifier-api/tests/billing-pilot.integration.test.js |
| Warm attest perf budget | Enforced (≤ 8s default) | BILLING_ATTEST_PERF_BUDGET_MS |
| Artifact manifest validation | Boot-time, 12 artifacts | verifier-api/src/utils/artifactValidator.js |
| Production smoke | Pass (with secret) | scripts/smoke-billing-phase2.sh |
| Production health JSON | environment: production | verifier-api/src/utils/healthPayload.js |
What the pilot suite covers
- Attest + verify — standard profile two-call flow
- Deterministic billing — fingerprint and charge stability
- Replay guard — duplicate `event_id`, crash recovery, concurrency race
- Meter trust — external `meter_envelope` verification path
- Strict profile — manifest authority + revocation when `VDI_VERIFY_STRICT_V1`
- Transparency — head, checkpoint, consistency proof
- Revocation feed — `/.well-known/vdi-billing-revocation.json`
- Phase-2 binding — prove at attest, verify at `/billing/verify`, tamper rejection
- Perf budget — warm attest wall-clock ceiling (not a production SLO)
Observability at attest
stage_timings_ms returned on each attest:
| Stage | Field |
|---|---|
| Causal proof | causal_proof_ms |
| Phase-2 Groth16 | phase2_proof_ms |
| Replay DB check | db_replay_ms |
| Transparency append | transparency_append_ms |
| Receipt verify | verify_receipt_ms |
Verify is measured independently in the test suite (fingerprint tamper, commitment binding, Phase-2 mismatch).
Trusted setup — apiBillingV2 Phase-2
| Item | Status |
|---|---|
| MPC Phase-2 ceremony | Complete (3 contributors) |
| Transcript | zk-cp/build/apiBillingV2/mpc_transcript_apiBillingV2.json |
| Artifact mirrors | verifier-api/, public/, protocol/packages/vdi-prover/ |
| Manifest pins | verifier-api/circuits/apiBillingV2/ARTIFACT_MANIFEST.json |
| Rerun script | bash zk-cp/scripts/mpc-api-billing-v2.sh |
Before adversarial production trust: run contributions from independent operators (not one machine) and exercise rotation cutover per api-billing-v2 trusted setup.
Production configuration (Railway)
| Variable | Production value | Notes |
|---|---|---|
| NODE_ENV | production | Health JSON reports environment: production |
| VDI_BILLING_INCIRCUIT_BINDING | true | Phase-2 proofs attached at attest |
| VDI_ATTEST_SECRET | Set | Required header on attest routes |
| VDI_SIGNING_KEY | Stable 64+ hex | Attestation signatures survive redeploys |
| VDI_BILLING_METER_* | Ed25519 meter key | Server or external envelope signing |
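
One way to enforce the table above at boot, as an added example that is not the project's own code: a preflight that fails closed when a production variable is missing or malformed and reports variable names only. The function names, the sample environments and the `VDI_BILLING_METER_EXAMPLE` suffix are assumptions made for illustration.

```javascript
// Added example: boot-time preflight for the production variables listed above.
// Findings name the variable only; secret values are never echoed.
const HEX_64_PLUS = /^[0-9a-fA-F]{64,}$/;

function checkBillingEnv(env) {
  const findings = [];
  const isSet = (name) => typeof env[name] === 'string' && env[name].trim() !== '';

  if (env.NODE_ENV !== 'production') findings.push('NODE_ENV: expected "production"');
  if (env.VDI_BILLING_INCIRCUIT_BINDING !== 'true') {
    findings.push('VDI_BILLING_INCIRCUIT_BINDING: expected "true"');
  }
  if (!isSet('VDI_ATTEST_SECRET')) findings.push('VDI_ATTEST_SECRET: not set');

  // Format check only: stability across redeploys cannot be seen from one boot.
  if (!isSet('VDI_SIGNING_KEY')) {
    findings.push('VDI_SIGNING_KEY: not set');
  } else if (!HEX_64_PLUS.test(env.VDI_SIGNING_KEY)) {
    findings.push('VDI_SIGNING_KEY: not 64+ hex characters');
  }

  // The page gives the meter key only as VDI_BILLING_METER_*, so accept any
  // non-empty variable with that prefix rather than guessing a concrete name.
  const meterSet = Object.keys(env).some((k) => k.startsWith('VDI_BILLING_METER_') && isSet(k));
  if (!meterSet) findings.push('VDI_BILLING_METER_*: no meter key variable set');

  return findings;
}

function preflight(env) {
  const findings = checkBillingEnv(env);
  return { ok: findings.length === 0, findings };
}

// Constructed sample environments; none of these are real values.
const goodEnv = {
  NODE_ENV: 'production',
  VDI_BILLING_INCIRCUIT_BINDING: 'true',
  VDI_ATTEST_SECRET: 'constructed-secret',
  VDI_SIGNING_KEY: 'ab'.repeat(32),
  VDI_BILLING_METER_EXAMPLE: 'constructed-key', // hypothetical suffix
};
const badEnv = { NODE_ENV: 'development', VDI_SIGNING_KEY: 'abc123', VDI_ATTEST_SECRET: ' ' };

console.log(preflight(goodEnv).ok, preflight(badEnv).findings);
```

Calling `preflight(process.env)` before the server binds its routes and exiting non-zero when `ok` is false keeps a misconfigured deploy from serving attest requests.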
Deploy surfaces
| Surface | Host | Role |
|---|---|---|
| Verifier API | api.quantzk.com | Attest, verify, transparency, revocation |
| Trust index | quantzk.com/trust | Reviewer entry point |
| Billing demo | quantzk.com/vdi-billing | Live walkthrough |
| Offline verifier | quantzk.com/protocol/verify.html | Customer-side verify |
Not yet operational (disclosed)
- Independent-host MPC ceremony for adversarial Groth16 trust
- Formal third-party audit report on this surface
- Redis-backed rate limiting as hard dependency (billing pilot runs with Redis disabled in CI)
- Stripe / PSP integration (proof-of-charge layer only)
