feat: transform ChittyProof to dual-export library + service

.github/workflows/ci.yml

@@ -0,0 +1,26 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run tests
+        run: npm test

CHARTER.md

@@ -22,7 +22,7 @@ category: infrastructure
 - **Tier**: 0 (Trust Anchors)
 - **Organization**: CHITTYOS
 - **Domain**: proof.chitty.cc
-- **Artifact Type**: Library (consumed by services, not deployed standalone)
+- **Artifact Type**: Library + Service (dual-export at proof.chitty.cc)
 
 ## Mission
 
@@ -38,6 +38,7 @@ Provide deterministic, court-grade cryptographic integrity primitives for the Ch
 - JWKS key resolution with KV caching (kid-based lookup via ChittyCert)
 - Defining the authoritative FACT v2 bundle JSON Schema
 - Providing `normalizeBundle` / `canonicalSignedPayload` / `verifyBundle` / `verifyECDSA` exports
+- Serving HTTP verification endpoints at `proof.chitty.cc` for ecosystem consumers
 
 ### IS NOT Responsible For
 - Signing bundles (signing authority lives in the minting service)
@@ -52,12 +53,16 @@ Provide deterministic, court-grade cryptographic integrity primitives for the Ch
 | Type | Service | Purpose |
 |------|---------|---------|
 | Upstream | ChittyCert | JWKS endpoint for public key resolution |
+| Upstream | ChittyAuth | Shared-secret Bearer token validation |
 | Runtime | Web Crypto API | SHA-256 digest, ECDSA verify, key import |
+| Runtime | Hono | HTTP framework for Cloudflare Workers |
 | Optional | Cloudflare KV | JWKS key caching (`PROOF_KEY_CACHE` binding) |
+| Downstream | ChittyTrack | Automatic log/trace aggregation (tail_consumers) |
+| Downstream | ChittyBeacon | Health monitoring (probes /health) |
 
 ## API Contract
 
-ChittyProof is a library — it exports functions, not HTTP endpoints.
+ChittyProof is both a library (SDK exports) and a deployed service (HTTP endpoints at proof.chitty.cc).
 
 ### Exports (`lib/chittyproof-v2-canonical.js`)
 | Export | Signature | Purpose |
@@ -80,6 +85,16 @@ ChittyProof is a library — it exports functions, not HTTP endpoints.
 | `getPublicKeyByKid` | `(kid, env, opts?) => Promise<CryptoKey>` | KV-cached JWKS key resolution |
 | `verifyECDSA` | `(bundle, env, opts?) => Promise<{ok, reason, ...}>` | Full ECDSA signature verification |
 
+### HTTP Endpoints (proof.chitty.cc)
+| Method | Path | Auth | Purpose |
+|--------|------|------|---------|
+| GET | `/health` | None | Health probe |
+| GET | `/api/v1/status` | None | Service metadata |
+| POST | `/api/v1/verify` | Bearer | Hash integrity + ECDSA verification |
+| POST | `/api/v1/canonicalize` | Bearer | Deterministic JSON canonicalization |
+| POST | `/api/v1/hash` | Bearer | SHA-256 of canonical signed payload |
+| POST | `/api/v1/validate` | Bearer | FACT v2 bundle schema validation |
+
 ### Schema
 - `etc/authority/schema/chittyproof-v2-fact-bundle.schema.json`
 - `$id`: `chittycanon://schemas/chittyproof/v2/fact-bundle`
@@ -98,7 +113,7 @@ ChittyProof is a library — it exports functions, not HTTP endpoints.
 - [x] CHARTER.md present
 - [x] CHITTY.md present
 - [x] CLAUDE.md present
-- [x] Tests passing (10/10 vitest)
+- [x] Tests passing (32/32 vitest)
 - [x] JSON Schema with canonical $id
 - [x] Canonical frontmatter with tech domain
 - [x] Package exports map defined

CHITTY.md

@@ -21,23 +21,38 @@ category: infrastructure
 
 ## What It Does
 
-Cryptographic integrity library for FACT v2 bundles. Provides deterministic JSON canonicalization, SHA-256 hashing, and ECDSA P-256 signature verification — the foundation that makes every fact in the ChittyOS ecosystem provably tamper-evident.
+Cryptographic integrity library and service for FACT v2 bundles. Provides deterministic JSON canonicalization, SHA-256 hashing, and ECDSA P-256 signature verification — the foundation that makes every fact in the ChittyOS ecosystem provably tamper-evident. Available both as a library (SDK import) and as HTTP endpoints at `proof.chitty.cc`.
 
 ## Architecture
 
-Pure JavaScript ESM library consumed by ChittyOS services. Runs anywhere the Web Crypto API is available (Cloudflare Workers, Node 20+, Deno, browsers).
+Dual-export: pure JavaScript ESM library (SDK consumers import directly) + Hono Worker deployed at `proof.chitty.cc` (HTTP consumers). Library core runs anywhere the Web Crypto API is available (Workers, Node 20+, Deno, browsers).
 
 ### Stack
 - **Language**: JavaScript (ESM)
+- **HTTP**: Hono on Cloudflare Workers
 - **Crypto**: Web Crypto API (SHA-256, ECDSA P-256)
+- **Auth**: Shared-secret Bearer token (`CHITTY_AUTH_SERVICE_TOKEN`)
 - **Testing**: Vitest
 - **Key Authority**: ChittyCert JWKS (`cert.chitty.cc/.well-known/jwks.json`)
 
 ### Key Components
+- `src/index.js` — SDK barrel export (library consumers)
+- `src/worker.js` — Hono Worker entry point (HTTP consumers)
 - `src/lib/chittyproof-v2-canonical.js` — Canonicalization, normalization, hashing
 - `src/lib/chittyproof-verify-ecdsa.js` — ECDSA P-256 verification, JWKS resolution
+- `src/routes/` — HTTP route handlers (health, verify, canonicalize, hash, validate)
+- `src/middleware/auth.js` — Shared-secret Bearer token middleware
 - `etc/authority/schema/chittyproof-v2-fact-bundle.schema.json` — FACT v2 bundle schema
-- `tests/helpers/fact-proof-bundle.js` — Test fixture factory
+
+### Endpoints
+| Method | Path | Auth | Purpose |
+|--------|------|------|---------|
+| GET | `/health` | None | Health probe |
+| GET | `/api/v1/status` | None | Service metadata |
+| POST | `/api/v1/verify` | Bearer | Hash + ECDSA verification |
+| POST | `/api/v1/canonicalize` | Bearer | Deterministic JSON |
+| POST | `/api/v1/hash` | Bearer | SHA-256 of canonical payload |
+| POST | `/api/v1/validate` | Bearer | FACT v2 schema validation |
 
 ### Design Principles
 - **Deterministic**: Same input always produces the same canonical JSON and hash, across all runtimes
@@ -53,13 +68,16 @@ Pure JavaScript ESM library consumed by ChittyOS services. Runs anywhere the Web
 - **Last Certified**: 2026-03-01
 
 ### ChittyDNA
-- **Lineage**: root (foundational library)
-- **Role**: Integrity primitive — consumed by any service that mints, seals, or verifies FACT bundles
+- **Lineage**: root (foundational library + service)
+- **Role**: Integrity primitive — consumed by any service that mints, seals, or verifies FACT bundles (SDK import or HTTP call)
 
 ### Dependencies
 | Service | Purpose |
 |---------|---------|
 | ChittyCert | JWKS public key hosting for signature verification |
+| ChittyAuth | Shared-secret Bearer token validation |
+| ChittyTrack | Log/trace aggregation (tail_consumers) |
+| ChittyBeacon | Health monitoring (probes /health) |
 
 ### Consumers
 | Service | Usage |
@@ -68,6 +86,8 @@ Pure JavaScript ESM library consumed by ChittyOS services. Runs anywhere the Web
 | ChittyEvidence | Evidence integrity checks |
 | ChittyLedger | Seal verification at ledger write |
 | ChittyCases | Bundle verification for case presentation |
+| ChittySign | Canonical hash for signing counterpart |
+| DocuMint | Bundle verification (library or HTTP) |
 
 ### Exports
 | Module | Key Functions |

CLAUDE.md

@@ -1,6 +1,6 @@
 # CLAUDE.md — ChittyProof
 
-Cryptographic integrity library for FACT v2 bundle canonicalization, hashing, and ECDSA P-256 signature verification.
+Cryptographic integrity library and service for FACT v2 bundle canonicalization, hashing, and ECDSA P-256 signature verification.
 
 **Canonical URI**: `chittycanon://core/services/chittyproof`
 **Tier**: 0 (Trust Anchors)
@@ -10,16 +10,29 @@ Cryptographic integrity library for FACT v2 bundle canonicalization, hashing, an
 
 ```bash
 npm test          # Run vitest (all tests)
-npx vitest run    # Same, explicit
+npm run dev       # Start local dev server (wrangler dev)
+npm run deploy    # Deploy to Cloudflare Workers
+npx vitest run    # Same as npm test, explicit
 npx vitest watch  # Watch mode
 ```
 
 ## Project Structure
 
 ```
-src/lib/
-  chittyproof-v2-canonical.js   # Canonicalization, normalization, SHA-256 hashing
-  chittyproof-verify-ecdsa.js   # ECDSA P-256 verification, JWKS key resolution
+src/
+  index.js                          # SDK barrel export (library consumers)
+  worker.js                         # Hono Worker entry point (HTTP consumers)
+  lib/
+    chittyproof-v2-canonical.js     # Canonicalization, normalization, SHA-256 hashing
+    chittyproof-verify-ecdsa.js     # ECDSA P-256 verification, JWKS key resolution
+  routes/
+    health.js                       # GET /health, GET /api/v1/status
+    verify.js                       # POST /api/v1/verify
+    canonicalize.js                 # POST /api/v1/canonicalize
+    hash.js                         # POST /api/v1/hash
+    validate.js                     # POST /api/v1/validate
+  middleware/
+    auth.js                         # Shared-secret Bearer token
 
 etc/authority/schema/
   chittyproof-v2-fact-bundle.schema.json   # FACT v2 bundle JSON Schema
@@ -28,11 +41,20 @@ tests/
   helpers/fact-proof-bundle.js             # Test fixture factory (makeFactProofBundle)
   lib/chittyproof-v2-canonical.test.js     # Canonicalization + hash tests
   lib/chittyproof-verify-ecdsa.test.js     # ECDSA verification tests
+  middleware/auth.test.js                  # Auth middleware tests
+  routes/                                  # Route handler tests
+  worker.test.js                           # Integration tests
 ```
 
 ## Architecture
 
-This is a **library**, not a deployable service. It exports pure functions that run on any Web Crypto API runtime (Workers, Node 20+, Deno, browsers).
+This is a **dual-export** project: a library (for in-process consumers) and a deployed service at `proof.chitty.cc` (for HTTP consumers).
+
+- `src/index.js` — SDK barrel export (library consumers import from here)
+- `src/worker.js` — Hono Worker entry point (Cloudflare Workers deployment)
+- `src/lib/` — Pure function core (unchanged from library-only days)
+- `src/routes/` — HTTP route handlers wrapping the library functions
+- `src/middleware/` — Auth middleware (shared-secret Bearer token)
 
 ### Canonicalization Pipeline
 1. `normalizeBundle` — round score/pillar fields to deterministic precision, compute `score_100`
@@ -48,7 +70,9 @@ This is a **library**, not a deployable service. It exports pure functions that
 4. `crypto.subtle.verify` ECDSA P-256 over the hash bytes
 
 ### Key Dependencies
+- **Hono** — HTTP framework for Cloudflare Workers
 - **ChittyCert** (`cert.chitty.cc/.well-known/jwks.json`) — public key authority
+- **ChittyAuth** — shared-secret Bearer token (`CHITTY_AUTH_SERVICE_TOKEN`)
 - **KV binding** (`PROOF_KEY_CACHE`) — optional JWKS cache for Workers consumers
 
 ## Patterns
@@ -58,3 +82,5 @@ This is a **library**, not a deployable service. It exports pure functions that
 - Non-finite numbers throw — no `NaN` or `Infinity` in canonical payloads
 - Base64url encoding/decoding handles padding normalization internally
 - `structuredClone` is used for immutable normalization (no mutation of input bundles)
+- Routes are thin wrappers around library functions — no business logic in route handlers
+- Auth middleware uses simple string comparison against `env.CHITTY_AUTH_SERVICE_TOKEN`