Skip to main content

WalletWall Proof Claim Schema

Scope. This document defines the proof-claim-schema.js — the application-level typed schema for future proof artifacts. It introduces no prover, verifier, circuit, or contract code, changes no runtime behavior, and changes no Dune behavior. It is the natural next step after the proof-readiness architecture map (proof-readiness-stack.md).
See also:

1. Purpose

The proof claim schema is the stable, versioned interface between the readiness pipeline and any future proof or attestation system. It answers the question:
If a future ZK or attestation layer were to produce a claim about a readiness computation, what shape should that claim take — and what must it explicitly disclaim?
It is defined now, before any prover is built, so the app has a typed integration point and the proof system design can be scoped against a stable target rather than invented ad hoc.

2. Schema file

src/lib/proof-claim-schema.js
Pure data + pure helpers only. No I/O, no Dune execution, no clock reads, no prover or verifier code.

3. Claim types

Each claim type describes a specific readiness computation that a future proof could assert was performed correctly. The claim type does not imply the proof exists; it is the target specification.
Claim type keyLayerWhat it asserts
readiness_score_v1Readiness adapterThe readiness score was computed under the canonical model version.
vault_candidate_threshold_v1Readiness modelThe vault_candidate threshold was evaluated using the approved rules.
quantum_risk_tier_v1Quantum IntelligenceThe quantum-risk tier was derived from approved exposed-signature / dormancy / balance inputs.
packet_integrity_v1Readiness PacketThe packet summary hash corresponds to the canonical Readiness Packet fields at generation time.
adapter_recommendation_v1Readiness adapterThe recommendation state was produced by the canonical adapter, not modified post-generation.
Every claim type asserts something about a computation over committed inputs. None asserts that the source data is globally true, that funds are safe, or that readiness is guaranteed.

4. Proof systems

The schema defines six proof-system keys. The _candidate suffix signals a future design option, not a committed or implemented dependency.
Proof system keyTypeQuestion answered
noneNo proof attached; schema only.
mockDev/test fixtureDeterministic mock for tests; not a real proof.
sp1_candidateZK (candidate)Was this computation correct under the approved ruleset?
zk_candidateZK (candidate)Was this computation correct under the approved ruleset?
mldsa_attestationAttestationWho attested or signed this evidence?
external_attestationAttestationWho attested or signed this evidence?

5. ML-DSA vs ZK/SP1

These two systems answer different questions and are complementary, not a replacement for each other. See the proof-readiness architecture for the full treatment.
ML-DSA (mldsa_attestation)ZK / SP1 (sp1_candidate, zk_candidate)
QuestionWho attested or signed this evidence?Was this computation performed correctly under the approved ruleset?
PropertyAuthenticity / provenanceComputation correctness
FamilyPost-quantum signature (FIPS 204 ML-DSA-65)Zero-knowledge proof family; SP1 is one candidate zkVM
Status in WalletWallRead-only evidence shape (hash-only, public vault repo)Candidate / feasibility — not implemented in this app
isAttestation flagtruefalse
isCandidate flagfalsetrue
A mature evidence packet can carry both: an ML-DSA attestation and a ZK/SP1 proof. Neither subsumes the other. ZK is the broader proof family. SP1 is named here as a candidate proving implementation for selected readiness-computation claims — one option, not the architecture itself.

6. Verification status

The verification status is fail-closed: the default is not_applicable rather than verified.
Status keyMeaning
not_applicableNo proof system attached; verification does not apply.
pendingA proof system is intended but proof generation has not completed.
attachedA proof is attached but not yet independently verified.
verifiedA proof was independently verified under the stated system.
failedVerification was attempted and failed.
unsupportedThe proof system is a candidate only; verification is not yet possible.
Candidate proof systems (sp1_candidate, zk_candidate) are always unsupported by default and cannot be marked verified until a production verifier is implemented and explicitly authorized.

7. How it attaches to the Readiness Packet

The Readiness Packet (buildVaultReadinessPacket.js) is the single integration point where proof metadata attaches. The architecture is additive: 
Readiness Packet
  └── proofExtension (optional — present only when proofClaims passed)
        ├── proofClaims: ProofClaim[]
        ├── proofLimitations: string[]   ← mandatory limitations from schema
        └── proofReadinessVersion: string
By default, proofExtension is absent from the packet — the base packet behavior is unchanged. It is only present when the caller explicitly passes options.proofClaims to buildVaultReadinessPacket. Helper: 
// Build the optional extension block from proof claims:
import { buildProofClaimsPacketExtension } from './src/lib/proof-claim-schema.js';
const extension = buildProofClaimsPacketExtension([myClaim]);

// Attach to a packet:
import { buildVaultReadinessPacket } from './src/lib/buildVaultReadinessPacket.js';
const packet = buildVaultReadinessPacket(readiness, { proofClaims: [myClaim] });
// packet.proofExtension is now present

8. Safe limitations

Every proof claim carries a mandatory set of limitations, defined in PROOF_CLAIM_DEFAULT_LIMITATIONS. These are never relaxed by callers — the createProofClaim factory always merges them in. Key limitations:
  • A proof claim is not custody. WalletWall holds no keys, funds, or balances.
  • A proof claim produces no yield, interest, or return.
  • A proof claim is not fund protection. Readiness signals are research heuristics and do not insure or protect holdings.
  • A proof claim does not prove source-data truth. It binds a computation to committed inputs only.
  • A proof claim does not guarantee readiness, protection, safety, or any outcome.
  • A proof claim does not imply quantum resistance or quantum immunity; post-quantum verifier work is read-only research on testnet only.
  • Candidate proof systems (sp1_candidate, zk_candidate) are not implemented in production and carry no production verifier guarantee.
  • An ML-DSA attestation answers “who signed?” (authenticity) only; it is not a computation-correctness proof.
  • A ZK/SP1 candidate proof would answer “was this computation correct?” only; it says nothing about the truth of upstream source data or the identity of the signer.
  • No proof claim requires or implies that a user must connect a wallet, sign a transaction, or write to any chain.

9. Why SP1 is future / candidate only

SP1 is described throughout this schema and the architecture doc as a candidate proving implementation for selected readiness-computation claims. This framing is intentional:
  1. The claim must be stable before the prover is built. A stable claim schema is a prerequisite for scoping a prover — the claim defines what the proof must assert and what it explicitly does not.
  2. SP1 is one option, not the only option. RISC Zero or another zkVM could fill the same slot. The zk_candidate key exists for a prover-agnostic design option.
  3. No SP1 implementation is in this app. The app imports no prover, verifier, circuit, or program from the public vault research repo at runtime.
  4. Production verification is always out of scope until independently reviewed and explicitly authorized. No ProofClaim from this schema may set verificationStatus = "verified" for a candidate proof system.

10. Mock claim builder

buildMockReadinessProofClaim(readinessPacket, options) produces a deterministic mock claim for tests and future UI wiring.
  • Uses proofSystem: 'mock' by default.
  • Can produce a sp1_candidate or zk_candidate fixture if options.proofSystem is set explicitly.
  • Performs no I/O, no clock reads, and no proving.
  • Derives a stable claimId from claimType, subject address/symbol, and chain.
  • Always includes the mandatory limitations plus a mock-specific disclosure.
  • verificationStatus is not_applicable for mock, unsupported for candidates.

11. Non-goals

The proof claim schema explicitly does not:
  • Implement SP1 prover or verifier code.
  • Implement ZK circuits or programs.
  • Import contracts, ABIs, or implementation details from the public vault research repo.
  • Add custody, yield, fund movement, or wallet-signing behavior.
  • Require mainnet writes or wallet connections.
  • Prove that Dune, on-chain, or any external source data is globally true.
  • Guarantee readiness, safety, protection, or any specific outcome.
  • Provide production on-chain verification of any proof.

12. Dune / source-data boundary

This schema changes no Dune behavior:
  • No Dune queries are executed, scheduled, refreshed, or modified.
  • Proof claims reference committed inputs; they do not assert that the inputs from Dune or on-chain sources are globally true.
  • Existing Dune guardrails (assertDuneExecutionAllowed, readOrCache, getOrCache) are preserved unchanged.
This document is architecture and schema documentation only. It introduces no prover, verifier, circuit, or contract code, no runtime behavior change, and no Dune behavior change. SP1 is a candidate implementation for selected readiness- computation proofs; the Readiness Packet is the integration point where future proof artifacts attach.