Initial commit: VaultMesh Skills collection
Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Vault Sovereign
135
proof-verifier/scripts/11_verify.sh
Normal file
135
proof-verifier/scripts/11_verify.sh
Normal file
@@ -0,0 +1,135 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
|
||||
source "$SCRIPT_DIR/_common.sh"
|
||||
|
||||
: "${MERKLE_RUN_DIR:=}"
|
||||
: "${RFC3161_DIR:=}"
|
||||
: "${ETH_RUN_DIR:=}"
|
||||
: "${ETH_RPC_URL:=}"
|
||||
: "${BTC_RUN_DIR:=}"
|
||||
: "${BTC_NETWORK:=testnet}"
|
||||
: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
|
||||
|
||||
check_merkle() {
|
||||
local ok_root=false ok_levels=false root_hex=""
|
||||
[[ -f "$MERKLE_RUN_DIR/ROOT.txt" ]] && ok_root=true
|
||||
root_hex="$(grep '^root_hex=' "$MERKLE_RUN_DIR/ROOT.txt" | head -n1 | cut -d= -f2 || true)"
|
||||
[[ -d "$MERKLE_RUN_DIR/levels" || -d "$MERKLE_RUN_DIR/levels/" || -d "$MERKLE_RUN_DIR/levels" ]] && ok_levels=true || true
|
||||
echo "$ok_root|$ok_levels|$root_hex"
|
||||
}
|
||||
|
||||
check_rfc3161() {
|
||||
# verifies token parses; full cryptographic verification requires TSA cert chain (not provided in v1).
|
||||
local ok_req=false ok_res=false ok_parse=false msg=""
|
||||
[[ -n "${RFC3161_DIR:-}" && -f "$RFC3161_DIR/request.tsq" ]] && ok_req=true
|
||||
[[ -n "${RFC3161_DIR:-}" && -f "$RFC3161_DIR/response.tsr" ]] && ok_res=true
|
||||
if [[ "$ok_res" == "true" ]] && command -v openssl >/dev/null 2>&1; then
|
||||
if openssl ts -reply -in "$RFC3161_DIR/response.tsr" -text >/dev/null 2>&1; then
|
||||
ok_parse=true
|
||||
msg="tsr_parsed_ok"
|
||||
else
|
||||
msg="openssl_failed_to_parse_tsr"
|
||||
fi
|
||||
else
|
||||
msg="skipped_no_openssl_or_missing_tsr"
|
||||
fi
|
||||
echo "$ok_req|$ok_res|$ok_parse|$msg"
|
||||
}
|
||||
|
||||
check_eth() {
|
||||
local ok_txfile=false ok_receipt=false ok_seen=false tx=""
|
||||
if [[ -n "${ETH_RUN_DIR:-}" && -f "$ETH_RUN_DIR/tx_hash.txt" ]]; then
|
||||
ok_txfile=true
|
||||
tx="$(cat "$ETH_RUN_DIR/tx_hash.txt" | tr -d '\r\n')"
|
||||
fi
|
||||
if [[ -n "$tx" && -f "$ETH_RUN_DIR/tx_receipt.json" ]]; then ok_receipt=true; fi
|
||||
if [[ -n "$tx" && -n "${ETH_RPC_URL:-}" && command -v cast >/dev/null 2>&1 ]]; then
|
||||
if cast receipt --rpc-url "$ETH_RPC_URL" "$tx" >/dev/null 2>&1; then ok_seen=true; fi
|
||||
fi
|
||||
echo "$ok_txfile|$ok_receipt|$ok_seen|$tx"
|
||||
}
|
||||
|
||||
check_btc() {
|
||||
local ok_txidfile=false ok_seen=false txid=""
|
||||
if [[ -n "${BTC_RUN_DIR:-}" && -f "$BTC_RUN_DIR/txid.txt" ]]; then
|
||||
ok_txidfile=true
|
||||
txid="$(cat "$BTC_RUN_DIR/txid.txt" | tr -d '\r\n')"
|
||||
fi
|
||||
if [[ -n "$txid" && command -v bitcoin-cli >/dev/null 2>&1 ]]; then
|
||||
flag="$(net_flag)"
|
||||
if bitcoin-cli $flag getrawtransaction "$txid" >/dev/null 2>&1; then ok_seen=true; fi
|
||||
fi
|
||||
echo "$ok_txidfile|$ok_seen|$txid"
|
||||
}
|
||||
|
||||
main() {
|
||||
mkdir -p "$OUTPUT_DIR"
|
||||
ts="$(date -Iseconds | tr ':' '-')"
|
||||
out_dir="$OUTPUT_DIR/verify_${ts}"
|
||||
mkdir -p "$out_dir"
|
||||
|
||||
# Merkle
|
||||
IFS='|' read -r m_ok_root m_ok_levels m_root <<< "$(check_merkle)"
|
||||
# RFC3161
|
||||
IFS='|' read -r r_ok_req r_ok_res r_ok_parse r_msg <<< "$(check_rfc3161)"
|
||||
# ETH
|
||||
IFS='|' read -r e_ok_txfile e_ok_receipt e_ok_seen e_tx <<< "$(check_eth)"
|
||||
# BTC
|
||||
IFS='|' read -r b_ok_txidfile b_ok_seen b_txid <<< "$(check_btc)"
|
||||
|
||||
blockers="[]"
|
||||
if [[ "$m_ok_root" != "true" ]]; then blockers='["missing_merkle_root"]'; fi
|
||||
|
||||
warnings=()
|
||||
if [[ -n "${RFC3161_DIR:-}" && "$r_ok_res" != "true" ]]; then warnings+=("missing_rfc3161_tsr"); fi
|
||||
if [[ -n "${ETH_RUN_DIR:-}" && "$e_ok_txfile" != "true" ]]; then warnings+=("missing_eth_tx_hash"); fi
|
||||
if [[ -n "${BTC_RUN_DIR:-}" && "$b_ok_txidfile" != "true" ]]; then warnings+=("missing_btc_txid"); fi
|
||||
|
||||
# warnings json
|
||||
if [[ ${#warnings[@]} -eq 0 ]]; then warn_json="[]"
|
||||
else
|
||||
warn_json="["
|
||||
for i in "${!warnings[@]}"; do
|
||||
warn_json="${warn_json}\"${warnings[$i]}\""
|
||||
[[ $i -lt $((${#warnings[@]}-1)) ]] && warn_json="${warn_json},"
|
||||
done
|
||||
warn_json="${warn_json}]"
|
||||
fi
|
||||
|
||||
cat > "$out_dir/status_matrix.json" <<EOF
|
||||
{
|
||||
"skill": "proof-verifier",
|
||||
"timestamp": "$(date -Iseconds)",
|
||||
"inputs": {
|
||||
"merkle_run_dir": "$(json_escape "$MERKLE_RUN_DIR")",
|
||||
"rfc3161_dir": "$(json_escape "${RFC3161_DIR:-}")",
|
||||
"eth_run_dir": "$(json_escape "${ETH_RUN_DIR:-}")",
|
||||
"btc_run_dir": "$(json_escape "${BTC_RUN_DIR:-}")",
|
||||
"btc_network": "$(json_escape "$BTC_NETWORK")"
|
||||
},
|
||||
"root_hex": "$(json_escape "$m_root")",
|
||||
"checks": [
|
||||
{"name":"merkle_root_present", "ok": $m_ok_root},
|
||||
{"name":"merkle_levels_present_optional", "ok": $m_ok_levels},
|
||||
{"name":"rfc3161_request_present_optional", "ok": $r_ok_req},
|
||||
{"name":"rfc3161_response_present_optional", "ok": $r_ok_res},
|
||||
{"name":"rfc3161_tsr_parses_optional", "ok": $r_ok_parse, "note": "$(json_escape "$r_msg")"},
|
||||
{"name":"eth_tx_hash_present_optional", "ok": $e_ok_txfile, "tx": "$(json_escape "$e_tx")"},
|
||||
{"name":"eth_receipt_file_present_optional", "ok": $e_ok_receipt},
|
||||
{"name":"eth_tx_seen_by_rpc_optional", "ok": $e_ok_seen},
|
||||
{"name":"btc_txid_present_optional", "ok": $b_ok_txidfile, "txid": "$(json_escape "$b_txid")"},
|
||||
{"name":"btc_tx_seen_by_node_optional", "ok": $b_ok_seen}
|
||||
],
|
||||
"blockers": $blockers,
|
||||
"warnings": $warn_json,
|
||||
"next_steps": ["archive PROOF.json and ROOT.txt", "anchor again if needed", "store verifier output as receipt"]
|
||||
}
|
||||
EOF
|
||||
|
||||
echo "$out_dir" > "$OUTPUT_DIR/last_verify_dir.txt"
|
||||
log_info "Wrote $out_dir/status_matrix.json"
|
||||
cat "$out_dir/status_matrix.json"
|
||||
}
|
||||
main "$@"
|
||||
Reference in New Issue
Block a user