The hash and signature engine behind the Bedrock immutable advice ledger.
@bedrockcompliance/notary contains the canonical JSON serialiser, the
record and chain hash functions, and the ECDSA P-256 signature
verifier that underpin the Bedrock ledger. The Bedrock platform
imports it on both the write path (computing hashes when records
are created) and the verify path (checking signatures when
certificates are verified), so there is no internal copy of the
algorithm — anyone running this package is running the same code
that runs in production.
No signing implementations, no private keys, no networking.
npm install @bedrockcompliance/notaryimport { computeRecordHash, computeChainHash, GENESIS_HASH } from '@bedrockcompliance/notary';
const recordHash = computeRecordHash(payload);
const chainHash = computeChainHash(recordHash, previousHash ?? GENESIS_HASH);import { verifyCertificate } from '@bedrockcompliance/notary';
const response = await fetch(
`https://api.bedrockcompliance.co.uk/v1/verify/${certificateId}`,
);
const { certificate, record } = await response.json();
const result = verifyCertificate({ certificate, record });
if (!result.valid) {
throw new Error(`Certificate invalid: ${result.reason}`);
}import { verifyChain } from '@bedrockcompliance/notary';
const result = verifyChain(records, firmId);Compute:
canonicalise(value)— Bedrock's canonical JSON serialiser.sha256(string)/sha256Buffer(buffer)— SHA-256 helpers.computeRecordHash(payload)—sha256(canonicalise(payload)).computeChainHash(recordHash, previousHash)— chain binding.
Verify:
verifyChain(records, firmId)— full chain integrity check.verifySignature(record, options?)— ECDSA P-256 verification with optionaltrustedPublicKeypinning.verifyCertificate(input, options?)— end-to-end certificate check.
Constants:
GENESIS_HASH,SIGNING_ALGORITHM,ChainInvalidReason,Signer.
Apache 2.0. See SECURITY.md for
vulnerability reporting.