Third-party review (NCC track)

Single entry point for independent reviewers reproducing QuantZK checks without hunting the tree.

Prerequisites

| Tool | Version | Used for |
| --- | --- | --- |
| Node.js | ≥ 18 | Protocol packages, JS verifier, tests |
| npm | 9+ | Installs protocol/ workspaces |
| Go | ≥ 1.21 | protocol/packages/vdi-verifier-go tests |
| Python | ≥ 3.10 | protocol/packages/vdi-verifier-python golden vectors |

Optional: Docker for verifier-api local PostgreSQL/Redis; Circom/snarkjs only if recompiling circuits.

One command (protocol audit suite)

From the repository root after git clone:

```bash
make ncc-review
```

Equivalent: bash scripts/ncc-review.sh

Runs protocol install, VDI audit suite (JS conformance, Go verifier, Python golden vectors), and MPC policy E2E integrity gate.

API billing pilot gate

With PostgreSQL available:

```bash
cd verifier-api
DATABASE_URL="postgresql://zkcaptcha:development@localhost:5432/zkcaptcha" \
REDIS_ENABLED="false" REDIS_DISABLED="true" NODE_ENV=test DB_SSL=false \
npm run test:billing-pilot
```

Expect 15/15 passing tests.

Production smoke (live)

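```bash
# Replace <secret> with the attestation secret; quoted so the shell does not parse < and > as redirections.
API=https://api.quantzk.com VDI_ATTEST_SECRET="<secret>" \
bash scripts/smoke-billing-phase2.sh
```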

Pins billing_proof.vkey_hash against ARTIFACT_MANIFEST.json. See Production smoke evidence.

Manual protocol steps

```bash
cd protocol
npm install --legacy-peer-deps
npm run test:audit-suite
npm run mpc:e2e-check -- --environment ncc-review-gate --output audit-logs/mpc-e2e-check.ncc-review.json
```

| Command | What it does |
| --- | --- |
| npm run test:audit-suite | Primary NCC bar: conformance + Go + Python |
| npm run artifact:status | Artifact authority + MPC provenance (JSON) |
| npm run mpc:e2e-check | Prove/verify + hash alignment for MPC circuits |
| npm run docs:check-terms | Mode terminology drift guard |

Artifact expectations

| Suite | Prebuilt WASM/zkey required? |
| --- | --- |
| npm run test:audit-suite | No — fixtures under protocol/fixtures/ |
| npm test (full) | Partially — some policy-circuit tests need protocol/build/ |
| npm run test:examples | Yes — needs zk-cp/build/ (Groth16) |

Full reviewer README in repo root: NCC_REVIEW.md.

Verification keys are embedded in attestations. The verifier is open source.
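
An added example (not code from the QuantZK repository) of the pin check that the production smoke step and the embedded-key note imply: a verification key that travels inside the attestation is only trustworthy if its hash matches the manifest. The manifest and response layouts, the `vkey` field name, and SHA-256 over sorted-key JSON are assumptions; only `billing_proof.vkey_hash` and `ARTIFACT_MANIFEST.json` come from this page.

```python
import hashlib
import json

HEX = set("0123456789abcdef")

def vkey_digest(vkey: dict) -> str:
    # Assumption: SHA-256 over sorted-key compact JSON; the real suite may canonicalise differently.
    blob = json.dumps(vkey, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def norm_hash(value):
    # Accept "0x"-prefixed or upper-case hex; reject anything that is not 32 bytes of hex.
    if not isinstance(value, str):
        return None
    h = value.strip().lower().removeprefix("0x")
    return h if len(h) == 64 and set(h) <= HEX else None

def check_pin(manifest: dict, response: dict, circuit: str = "billing_proof"):
    """Return (ok, reason). The manifest is the only trusted input."""
    entry = manifest.get("circuits", {}).get(circuit, {})  # hypothetical manifest layout
    pinned = norm_hash(entry.get("vkey_hash"))
    if pinned is None:
        return False, "no-pin-in-manifest"      # fail closed: never fall back to the claimed hash
    proof = response.get(circuit)
    if not isinstance(proof, dict):
        return False, "no-proof-object"
    if norm_hash(proof.get("vkey_hash")) != pinned:
        return False, "claimed-hash-not-pinned"
    vkey = proof.get("vkey")                    # hypothetical field holding the embedded key
    if not isinstance(vkey, dict) or vkey_digest(vkey) != pinned:
        return False, "embedded-vkey-mismatch"  # hash string matches the pin, key does not
    return True, "ok"

# Constructed sample data (not real QuantZK artifacts).
GOOD_VKEY = {"protocol": "groth16", "curve": "bn128", "nPublic": 2}
ROGUE_VKEY = {"protocol": "groth16", "curve": "bn128", "nPublic": 3}
MANIFEST = {"circuits": {"billing_proof": {"vkey_hash": vkey_digest(GOOD_VKEY)}}}

def response_with(vkey, vkey_hash):
    return {"billing_proof": {"vkey": vkey, "vkey_hash": vkey_hash}}

if __name__ == "__main__":
    pin = MANIFEST["circuits"]["billing_proof"]["vkey_hash"]
    cases = {
        "honest": response_with(GOOD_VKEY, "0x" + pin.upper()),
        "self-consistent rogue key": response_with(ROGUE_VKEY, vkey_digest(ROGUE_VKEY)),
        "copied hash, swapped key": response_with(ROGUE_VKEY, pin),
    }
    for name, resp in cases.items():
        print(f"{name}: {check_pin(MANIFEST, resp)}")
```

Checking the claimed hash alone is not enough: the third case passes a string comparison against the pin and is caught only because the embedded key is re-hashed.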