Skip to content

2. Live production smoke evidence

Latest verified run: 2026-06-10 UTC
API: https://api.quantzk.com
Deploy baseline: 4a88f19 (MPC artifacts) through f67bf83 (trust surface + health JSON)
Binding version: bn128-poseidon8-v1
Railway: VDI_BILLING_INCIRCUIT_BINDING=true, NODE_ENV=production


Pre-smoke trust endpoints

EndpointHTTPNotes
GET /health200JSON; environment: production
GET /.well-known/vdi-billing-revocation.json200Revocation feed
GET /api/vdi/billing/transparency/head200Transparency tree head
GET /api/vdi/status200operational

Live health sample (2026-06-26):

json
{
  "status": "healthy",
  "service": "quantzk-verifier-api",
  "message": "QuantZK VDI Verifier API is running",
  "environment": "production",
  "version": "1.0.0",
  "timestamp": "2026-06-26T00:25:44.847Z"
}

Artifact pins (production)

FieldValue
Commit (MPC merge)4a88f19 — Merge PR #9: MPC-backed apiBillingV2 artifacts
MPC proving key (apiBillingV2_0001.zkey)13a088cce212b26e774dfaa8808f4ec77b739fdfa5da1213f4b8bd21e6315cc8
Verification key file bytes32534119df9fc82a6bbe7d0a6275bee5753646c5f325e985e01ea07fd448179f
billing_proof.vkey_hash (canonical JSON)a486fb22805a60df7608e70a2939c178c2b12d9e84a4b94152c98e4859815bcf
Ceremony transcriptverifier-api/circuits/apiBillingV2/mpc_transcript_apiBillingV2.json (3 contributors)

The smoke script pins canonical vkey hash (RFC 8785 JSON digest), not raw file bytes.


Phase-2 smoke script

bash
API=https://api.quantzk.com VDI_ATTEST_SECRET=<provided-on-request> \
  bash scripts/smoke-billing-phase2.sh

Recorded output (2026-06-10, post PR #9 deploy)

→ Health check
  ok  /health
→ Revocation feed
  ok  /.well-known/vdi-billing-revocation.json
→ Attest (Phase-2 binding expected)
  ok  [billing_proof.binding_version] bn128-poseidon8-v1
  ok  [incircuit_binding.binding_version] bn128-poseidon8-v1
  ok  [billing_proof.vkey_hash] a486fb22805a60df... (pinned manifest)
  ok  commitment_digest=160207814352478843039376...
→ Verify (valid bundle)
  ok  [verification.valid] true
  ok  [billing_check.valid] true
  ok  [incircuit_binding.valid] true
  ok  [incircuit_binding.digest_match] 16020781435247884303937610343864168998548980658231804888231541960761037890990
→ Verify (tampered commitments — must fail)
  ok  [tamper.incircuit_binding.valid] false

✅ Phase-2 in-circuit binding live on https://api.quantzk.com
   binding_version: bn128-poseidon8-v1
   event_id:        evt_smoke_1781074083_2382

Assertions verified

  1. Attest returns attestation.billing_proof.binding_version === bn128-poseidon8-v1
  2. Attest returns billing.incircuit_binding.binding_version === bn128-poseidon8-v1
  3. Attest attestation.billing_proof.vkey_hash matches manifest verification_key_canonical_sha256
  4. Attest returns non-empty commitment_digest
  5. Verify returns verification.valid === true
  6. Verify returns billing_check.valid === true
  7. Verify returns incircuit_binding_verification.valid === true
  8. Verify returns matching incircuit_binding_verification.commitment_digest
  9. Tampered commitments flip incircuit_binding_verification.valid to false

Customer surface (unchanged)

POST /api/vdi/billing/attest  →  attestation + receipt + billing (+ billing_proof additive)
POST /api/vdi/billing/verify  →  verification + incircuit_binding_verification additive

Phase-2 fields are additive only; integrators on v2 fingerprint binding are not broken.


Local test matrix (pre-push)

SuiteResult
verifier-api billing pilot15/15 (14 functional + 1 warm-attest perf budget)
protocol billing-incircuit-binding6/6
Artifact validator on boot12/12 manifest hashes

Prior run (2026-05-29, pre-MPC)

Commit a17667e. Same 8 assertions passed; event_id: evt_smoke_1780029678_7273. Commitment digest differed (expected after Groth16 key rotation).

Full technical log: protocol/docs/api-billing-smoke-evidence.md

Verification keys are embedded in attestations. The verifier is open source.