From e920e1127f0b291fa1235a104ce431c4c5361f0d Mon Sep 17 00:00:00 2001
From: Vault Sovereign <guardian@vaultmesh.org>
Date: Fri, 26 Dec 2025 22:56:00 +0000
Subject: [PATCH] Fix receipt hash script idempotency

---
 package-lock.json       | 27 +++++++++++++++++++++++++--
 scripts/hash-receipt.ts | 24 +++++++++++++++++++++---
 2 files changed, 46 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 14bf42c..9f7e922 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,14 +1,16 @@
 {
   "name": "vm-cloud",
-  "version": "0.0.1",
+  "version": "0.2.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "vm-cloud",
-      "version": "0.0.1",
+      "version": "0.2.0",
       "dependencies": {
         "@modelcontextprotocol/sdk": "^1.0.0",
+        "@noble/ed25519": "^2.1.0",
+        "@noble/hashes": "^1.4.0",
         "commander": "^12.0.0",
         "dotenv": "^16.0.0"
       },
@@ -514,6 +516,27 @@
         }
       }
     },
+    "node_modules/@noble/ed25519": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@noble/ed25519/-/ed25519-2.3.0.tgz",
+      "integrity": "sha512-M7dvXL2B92/M7dw9+gzuydL8qn/jiqNHaoR3Q+cb1q1GHV7uwE17WCyFMG+Y+TZb5izcaXk5TdJRrDUxHXL78A==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://paulmillr.com/funding/"
+      }
+    },
+    "node_modules/@noble/hashes": {
+      "version": "1.8.0",
+      "resolved": "https://registry.npmjs.org/@noble/hashes/-/hashes-1.8.0.tgz",
+      "integrity": "sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A==",
+      "license": "MIT",
+      "engines": {
+        "node": "^14.21.3 || >=16"
+      },
+      "funding": {
+        "url": "https://paulmillr.com/funding/"
+      }
+    },
     "node_modules/@types/node": {
       "version": "20.19.27",
       "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.27.tgz",
diff --git a/scripts/hash-receipt.ts b/scripts/hash-receipt.ts
index 162f384..4ee72bc 100644
--- a/scripts/hash-receipt.ts
+++ b/scripts/hash-receipt.ts
@@ -1,17 +1,35 @@
 import { hashBlake3Hex, hashSha256Hex } from "../src/lib/hash.js";
 import fs from "fs";
 
-const body = JSON.parse(fs.readFileSync("outputs/receipts/test-receipt.json", "utf8"));
+const path = "outputs/receipts/test-receipt.json";
+const env = JSON.parse(fs.readFileSync(path, "utf8"));
+
+const {
+  hash_alg: _hash_alg,
+  blake3: _blake3,
+  sha256: _sha256,
+  sig_alg: _sig_alg,
+  signer_pub: _signer_pub,
+  signature: _signature,
+  signed_at: _signed_at,
+  ...body
+} = env;
+
 const blake3 = hashBlake3Hex(body);
 const sha256 = hashSha256Hex(body);
 
-const envelope = {
+const envelope: typeof env = {
   ...body,
   hash_alg: "blake3+sha256",
   blake3,
   sha256
 };
 
-fs.writeFileSync("outputs/receipts/test-receipt.json", JSON.stringify(envelope, null, 2));
+if (_sig_alg !== undefined) envelope.sig_alg = _sig_alg;
+if (_signer_pub !== undefined) envelope.signer_pub = _signer_pub;
+if (_signature !== undefined) envelope.signature = _signature;
+if (_signed_at !== undefined) envelope.signed_at = _signed_at;
+
+fs.writeFileSync(path, JSON.stringify(envelope, null, 2));
 console.log("blake3:", blake3);
 console.log("sha256:", sha256);