Reproducibility & open-source plan
OpenReceipt specification
| Item | Status |
|---|---|
| Spec document | Published — signedreceipts.org/spec |
| Extension registry | Published — signedreceipts.org/spec/extensions |
| Spec source archive | Published — signedreceipts.org/source/spec |
| Version | OpenReceipt v3 (client-signed + gateway-countersigned; legacy v1/v2 continue to verify) |
The OpenReceipt wire format is the envelope used by CloakAPI for all signed receipts. The published specification defines the JSON envelope, the canonicalisation rules (RFC 8785 JCS), the signing procedure (ECDSA P-256 over the canonical serialised body), the chain-linking structure, the three trust tiers (gateway-countersigned / beacon-anchored / local-only), and the gateway countersignature. The current envelope version is v3: the receipt is signed by the client that performed the tokenisation before egress, and optionally countersigned by the gateway. Legacy v1/v2 receipts remain verifiable indefinitely.
Reference verifiers
| Item | Status |
|---|---|
| Live browser verifier | Published — app.cloakapi.io/receipt-verifier (runs entirely in your browser) |
| JavaScript reference verifier | Published — signedreceipts.org/verifier + source at /source/reference-typescript |
| Python reference verifier | Published — signedreceipts.org/source/reference-python |
| Rust reference implementation | Published — signedreceipts.org/source/reference-rust |
| Verifier CLI | Published — signedreceipts.org/source/verifier-cli |
| Verification guide | Verifying a receipt |
The reference verifiers are standalone (no CloakAPI SDK dependency). Any third party can verify a receipt given only:
- The receipt JSON envelope. v3 receipts are self-contained — the attester public key is embedded, so verification works fully offline.
- For gateway countersignatures: the JWKS from
https://api.cloakapi.io/api/.well-known/cloakapi-receipt-pubkeys.jwks. - (Optionally) the transparency seed feed.
Reference sources are published as versioned tarballs under signedreceipts.org/source — the project is developed in a private tree and published there, not on GitHub. The verify receipt guide documents the manual steps.
Conformance test suite
| Item | Status |
|---|---|
| Conformance test suite | Published — signedreceipts.org/conformance |
| Test vectors | Published — fixtures + self-run instructions at /source/conformance |
The conformance suite defines canonical test vectors for:
- Valid receipt verification (positive cases).
- Invalid signature rejection (tampered body, wrong key, expired kid).
- Chain hash validation (gapless
seq,prev_hashcontinuity, fork rejection). - JWKS resolution and
revoked: truehandling.
Third parties implementing an OpenReceipt verifier can run this suite to confirm conformance and claim the badge.
SLSA build provenance
| SLSA level | Description | CloakAPI status |
|---|---|---|
| L0 | No provenance | Current |
| L1 | Provenance exists (unsigned) | Not yet |
| L2 | Signed provenance, hosted build | Not yet |
| L3 | Hermetic, reproducible builds; signed provenance | Roadmap |
What SLSA L3 would provide
- Build recipes are verifiably complete — no implicit inputs.
- Build environment is hermetic — network access blocked during build.
- Provenance is generated and signed by the build platform.
- Consumers can verify that a published artifact matches a specific source commit.
Roadmap path
- Add SLSA L1 provenance generation to CI (next milestone).
- Adopt hermetic build environments (L2).
- Publish signed provenance bundles alongside container images and gateway releases (L3 target).
Summary table
| Artifact | Published today | Where |
|---|---|---|
| OpenReceipt spec (v3) | Yes | signedreceipts.org/spec |
| Extension registry | Yes | signedreceipts.org/spec/extensions |
| Live browser verifier | Yes | app.cloakapi.io/receipt-verifier |
| Python reference verifier | Yes | signedreceipts.org/source/reference-python |
| JS/TS reference verifier | Yes | signedreceipts.org/source/reference-typescript |
| Conformance test suite | Yes | signedreceipts.org/conformance |
| SLSA L1 provenance | No | Next milestone |
| SLSA L3 provenance | No | Roadmap |
| JWKS endpoint | Yes | https://api.cloakapi.io/api/.well-known/cloakapi-receipt-pubkeys.jwks |
| Transparency seed feed | Yes (opt-in) | https://api.cloakapi.io/api/v1/transparency/seeds.jsonl |
| Receipt verification guide | Yes | Verifying a receipt |