Install
openclaw skills install @nutstrut/settlement-witnessVerify signed SAR v0.1 settlement receipts locally with Ed25519 and RFC 8785 canonicalization. Use when you need to confirm a receipt is cryptographically valid before trusting a task-complete claim, chaining to another agent output, using a receipt as evidence, or acting on a settlement-adjacent claim. Optionally request DefaultVerifier-signed receipts for remote issuance.
openclaw skills install @nutstrut/settlement-witnessNew in 0.1.0: local-first verification. Receipt cryptography is verified entirely on your machine — no network required. Network is optional and only used when you explicitly request remote receipt issuance or resolution.
Verify SAR v0.1 settlement receipts locally. Optionally request DefaultVerifier-signed receipts.
Run the self-test against all bundled fixtures:
python3 scripts/verify_receipt.py --self-test
Expected output: self_test_passed: true with all four fixtures [OK].
python3 scripts/verify_receipt.py fixtures/sar-v0.1-pass.json
Returns JSON:
{
"valid": true,
"receipt_id": "sha256:...",
"kid": "sar-prod-ed25519-01",
"verdict": "PASS",
"errors": []
}
python3 scripts/verify_receipt.py fixtures/tampered-receipt.json
Returns valid: false with errors listing the digest mismatch and signature
failure. This proves the verifier actually rejects tampered receipts.
| Field | Meaning |
|---|---|
valid: true | Receipt digest and Ed25519 signature both verified |
valid: false | Receipt failed cryptographic verification |
verdict: PASS | The signed outcome claims the spec was met |
verdict: FAIL | The signed outcome claims the spec was not met |
verdict: INDETERMINATE | The issuer signed an honest uncertainty state |
errors: [...] | What specifically failed |
PASS, FAIL, and INDETERMINATE are all valid signed outcomes when
valid: true — they represent what the issuer attested, not post-hoc
interpretation.
Fully offline (no network):
receipt_id matches the digest--self-test)Optional network (only when you explicitly ask):
If DefaultVerifier is offline, local verification of existing receipts still works. The service being unavailable does not invalidate receipts you already have.
To request a signed receipt from DefaultVerifier (requires network):
curl -sS https://defaultverifier.com/settlement-witness \
-H "Content-Type: application/json" \
-d '{"task_id":"your-task-id","spec":{"expected":"value"},"output":{"expected":"value"}}'
The REST endpoint returns a signed SAR v0.1 receipt. You can then verify it
locally with scripts/verify_receipt.py.
Public key registry: https://defaultverifier.com/.well-known/sar-keys.json
Receipt explorer: https://defaultverifier.com/verified
DefaultVerifier issues signed evidence about whether a receipt is cryptographically valid. It does not:
Acting on a verified receipt is the responsibility of the system or agent that reads it.
Override the public key registry path if needed:
SAR_KEYS_REGISTRY_PATH=/path/to/keys.json python3 scripts/verify_receipt.py receipt.json
Operator: Default Settlement Verifier
Repository: https://github.com/nutstrut/default-settlement-verifier
Homepage: https://defaultverifier.com