qub Protocol Specification
qub is a protocol for cryptographic time-bound commitments: a system for sealing words to a future date and, when that date arrives, proving exactly what was said and when.
Three primitives make this work. drand is a decentralised randomness beacon: the reveal date is enforced by physical force, not by any party's goodwill. Permanent storage is a tamper-proof public ledger: no one can edit or delete a qub once it is sealed. ML-DSA-65 is a post-quantum digital signature: every qub is bound to a key pair whose secret never leaves the author's machine.
Combined, these primitives produce a statement that is time-locked, tamper-evident, and attributable to its author: a receipt whose value grows as the world's ability to fabricate the past improves.
The remainder of this document is the normative specification required for interoperable implementations.
| Field | Value |
|---|---|
| Version | 1.0 (protocol version 0x01, outer wrapper version 0x01) |
| Date | 2026-05-01 |
| Status | Draft |
| Reviewed through | 2026-05-01 |
This document is the normative protocol specification for the qub time-bound commitment system. It defines the data structures, serialisation rules, derivation formulas, and verification procedures required for interoperable implementations.
Scope: the protocol layer is deliberately language-neutral. The qub body is opaque plain text / markdown / pact bytes, and locale-appropriate rendering is the viewer's responsibility (the qub.social web application, the <qub-embed> wrapper, MCP clients, and so on).
1. Notation and Conventions
| Notation | Meaning |
|---|---|
| u8, u64, i64 | Unsigned / signed integers of the specified bit width |
| [u8; N] | Fixed-length byte array of N bytes |
| Vec<u8> | Variable-length byte array |
| Option<T> | A value of type T, or absent |
| String | UTF-8 text, NFC-normalised |
| `\|\|` | Byte-string concatenation |
| SHA3-256(x) | NIST SHA3-256 hash of the byte string x (FIPS 202) |
| ceil(x) | Ceiling function: the smallest integer ≥ x |
| CBOR | Concise Binary Object Representation (RFC 8949) |
| big-endian | Most significant byte first |
All integers in preimage constructions are encoded as fixed-width big-endian byte strings (i64 → 8 bytes, u8 → 1 byte) unless otherwise specified.
All timestamps are Unix seconds in UTC.
2. Data Structures
2.1 ComposeQub (Creator In-Memory State)
Not serialised to CBOR. Not stored in permanent storage. Local to the creator application.
ComposeQub {
draft_id: [u8; 16], // Random, generated locally
created_at: i64, // Unix seconds UTC
unlock_at: Option<i64>, // Unix seconds UTC; None while composing
visibility: u8, // 0x01 = public (only value in MVP)
content_type: u8, // 0x01 = text (only value in MVP)
plaintext: Vec<u8>, // UTF-8 qub body
sender_label: Option<String>, // Decorative display name; not authenticated
status: DraftStatus, // Composing | Sealed | Uploaded | Failed
}
2.2 QubEnvelope (Decrypted Payload)
Serialised with canonical CBOR (§3). Encrypted inside SealedQub. This structure proves the integrity of the content after decryption.
QubEnvelope {
version: u8, // Protocol major version (0x01 for v1)
qub_id: [u8; 32], // Derived (see §4.1)
content_type: u8, // Content type registry (see §6)
created_at: i64, // Unix seconds UTC
unlock_at: i64, // Unix seconds UTC
outcome_at: Option<i64>, // V1.1 — when reality renders judgment (verdict-uplift-plan §3.1)
sender_label: Option<String>, // Decorative; not authenticated in MVP
reply_to: Option<[u8; 32]>, // Parent qub_id for reply chains; not in qub_id preimage; not signed (see §9.3)
body: Vec<u8>, // Content payload (UTF-8 for text, CBOR for pact)
body_hash: [u8; 32], // SHA3-256(body) (see §4.2)
sig_alg: u8, // Signature algorithm (see §9.2)
author_signature: Option<Vec<u8>>, // Set when sig_alg != 0x00
author_pubkey: Option<Vec<u8>>, // Set when sig_alg != 0x00
cosigner_pubkey: Option<Vec<u8>>, // Set for cosigned pact bilateral agreements
cosigner_signature: Option<Vec<u8>>, // Set for cosigned pact bilateral agreements
}
Baseline (unsigned text qub): version = 0x01, content_type = 0x01, sig_alg = 0x00, all Option fields absent.
Other v1 configurations: content_type = 0x03 (pact body, see §6.1); sig_alg = 0x01 (ML-DSA-65) with author_signature and author_pubkey present (see §9.3); cosigner_pubkey and cosigner_signature present together for cosigned pacts (see §9.7); reply_to set to the parent qub's qub_id for reply-chain qubs (see §9.3 for the signature-scope implications).
2.3 SealedQub (Canonical Wire Format)
Serialised with canonical CBOR (§3). Uploaded to permanent storage. This is the on-chain artefact.
SealedQub {
version: u8, // Protocol major version (0x01 for v1)
qub_id: [u8; 32], // Same as QubEnvelope.qub_id
visibility: u8, // 0x01 = public; v1 viewers reject other values
unlock_at: i64, // Unix seconds UTC
outcome_at: Option<i64>, // V1.1 — surfaced on the verdict-watch CTA
// before reveal; mirrors QubEnvelope.outcome_at;
// bound to qub_id via the §4.1 preimage.
drand_chain_id: String, // drand chain hash (hex string)
drand_round: u64, // Target drand round number
tlock_ciphertext: Vec<u8>, // tlock-encrypted QubEnvelope CBOR bytes
recipient_pubkey: Option<[u8; 32]>, // Reserved field; accepted by canonical CBOR
// but not interpreted by the v1 reference viewer
title: Option<String>, // Plaintext title surfaced on the viewer
// countdown before reveal. Bound to qub_id
// via title_hash (§4.1). 1..=100 NFC code
// points, no control characters.
}
2.4 RevealedQub (Viewer Application State)
Not serialised to CBOR. Local to the viewer application. Constructed after successful decryption and verification.
RevealedQub {
qub_id: [u8; 32],
arweave_tx_id: String,
visibility: u8,
content_type: u8,
created_at: i64,
unlock_at: i64,
outcome_at: Option<i64>, // V1.1 — carried over from QubEnvelope.outcome_at / SealedQub.outcome_at; drives the reveal page's awaiting-verdict cell (verdict-uplift-plan §5.1)
drand_chain_id: String,
drand_round: u64,
sender_label: Option<String>,
title: Option<String>, // Carried forward from SealedQub.title
reply_to: Option<[u8; 32]>,
body: Vec<u8>,
body_hash: [u8; 32],
body_hash_verified: bool,
author_signature: Option<Vec<u8>>,
author_pubkey: Option<Vec<u8>>,
signature_verified: Option<bool>,
cosigner_pubkey: Option<Vec<u8>>,
cosigner_signature: Option<Vec<u8>>,
cosigner_verified: Option<bool>,
}
3. Canonical CBOR Profile
Every serialisation of SealedQub and QubEnvelope MUST conform to this profile. Two implementations given the same logical structure MUST produce identical bytes.
3.1 Encoding Rules
| Rule | Specification |
|---|---|
| Standard | RFC 8949 §4.2.1 (Core Deterministic Encoding Requirements) |
| Map key order | Sorted first by encoded byte length (shorter before longer), then lexicographically (byte by byte for encodings of the same length) |
| Integer encoding | Shortest form: 0–23 in the initial byte; 24–255 in 2 bytes; 256–65535 in 3 bytes; and so on. |
| Length encoding | Definite lengths only. No indefinite-length arrays, maps, byte strings, or text strings (additional information = 31 is forbidden). |
| Tags | No CBOR tags (major type 6 is forbidden). |
| Floating point | No floating-point values (major type 7 values 0xF9–0xFB are forbidden). |
| Text strings | UTF-8 encoded, NFC-normalised (Unicode Normalization Form C). |
| Byte strings | Raw bytes. No base64 encoding at the CBOR layer. |
| Duplicate keys | Rejected with an error. Parsers MUST NOT silently accept duplicate map keys. |
| Simple values | Only true (0xF5), false (0xF4), and null (0xF6) are permitted. |
| Optional fields | Absent optional fields are omitted from the CBOR map entirely (not encoded as null). Present optional fields are included in sorted key order. |
3.2 Verified Canonical Key Orders
These key orders are normative. Implementations MUST emit keys in exactly this order. Debug assertions SHOULD verify the order in non-release builds.
QubEnvelope (version 0x01, unsigned, all optional fields absent):
"body" (5 encoded bytes)
"qub_id" (7 encoded bytes)
"sig_alg" (8 encoded bytes)
"version" (8 encoded bytes)
"reply_to" (9 encoded bytes) ← only if present (reply chains)
"body_hash" (10 encoded bytes)
"unlock_at" (10 encoded bytes)
"created_at" (11 encoded bytes)
"outcome_at" (11 encoded bytes) ← only if present (V1.1 verdict mechanic)
"content_type" (13 encoded bytes)
"sender_label" (13 encoded bytes) ← only if present
"author_pubkey" (14 encoded bytes) ← only if present
"cosigner_pubkey" (16 encoded bytes) ← only if present (pact cosign)
"author_signature" (17 encoded bytes) ← only if present
"cosigner_signature" (19 encoded bytes) ← only if present (pact cosign)
QubEnvelope key-order derivation: each key is a CBOR text string. Encoded length = 1 header byte + string length (for strings under 24 bytes). Sort first by total encoded length, then lexicographically for keys of the same length.
SealedQub (version 0x01, public, no recipient):
"title" (6 encoded bytes) ← only if present
"qub_id" (7 encoded bytes)
"version" (8 encoded bytes)
"unlock_at" (10 encoded bytes)
"outcome_at" (11 encoded bytes) ← only if present (V1.1 verdict mechanic)
"visibility" (11 encoded bytes)
"drand_round" (12 encoded bytes)
"drand_chain_id" (15 encoded bytes)
"recipient_pubkey" (17 encoded bytes) ← only if present
"tlock_ciphertext" (17 encoded bytes)
PactTerms (pact body, content_type 0x03):
"notes" (6 encoded bytes) ← only if present
"terms" (6 encoded bytes)
"title" (6 encoded bytes)
"party_a" (8 encoded bytes)
"party_b" (8 encoded bytes)
"pact_version" (13 encoded bytes)
PactTerm (one row of the terms array):
"key" (4 encoded bytes)
"value" (6 encoded bytes)
PartyIdentifier (the party_a / party_b map):
"label" (6 encoded bytes)
"contact" (8 encoded bytes) ← only if present
3.3 Byte Encoding Table
| Type | CBOR encoding | Example |
|---|---|---|
| SHA3-256 hash (32 bytes) | 0x58 0x20 + 32 bytes | body_hash, qub_id |
| Timestamps (i64) | Major type 0 (positive) or 1 (negative), shortest encoding | Unix seconds |
| Version (u8, value 1) | 0x01 (single byte) | |
| Content type (u8, value 1) | 0x01 (single byte) | |
| sig_alg (u8, value 0) | 0x00 (single byte) | |
| ML-DSA-65 signature (3,309 bytes) | 0x59 0x0C 0xED + 3,309 bytes | author_signature, cosigner_signature |
| ML-DSA-65 public key (1,952 bytes) | 0x59 0x07 0xA0 + 1,952 bytes | author_pubkey, cosigner_pubkey |
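The encoding rules of §3.1, the key orders of §3.2 and the headers of §3.3 can be checked against each other with a small encoder. This is an added example, not code from the qub reference implementation; it covers only the value kinds the profile allows, and the names head, encode, encode_map and canonical_key_order are illustrative.

```python
import unicodedata

def head(major: int, n: int) -> bytes:
    """Initial byte plus shortest-form argument; definite lengths only."""
    if n < 0:
        raise ValueError("argument must be non-negative")
    if n < 24:
        return bytes([(major << 5) | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | info]) + n.to_bytes(size, "big")
    raise ValueError("value does not fit in 64 bits")

def encode(value) -> bytes:
    """Encode the subset the profile permits; floats, tags and None are errors."""
    if isinstance(value, bool):            # must precede int: bool subclasses int
        return b"\xf5" if value else b"\xf4"
    if isinstance(value, int):
        return head(0, value) if value >= 0 else head(1, -1 - value)
    if isinstance(value, (bytes, bytearray)):
        return head(2, len(value)) + bytes(value)      # raw bytes, no base64
    if isinstance(value, str):
        raw = unicodedata.normalize("NFC", value).encode("utf-8")
        return head(3, len(raw)) + raw
    if isinstance(value, list):
        return head(4, len(value)) + b"".join(encode(v) for v in value)
    if isinstance(value, dict):
        return encode_map(value)
    raise TypeError(f"{type(value).__name__} is not allowed by the profile")

def encode_map(fields: dict) -> bytes:
    """Map with absent optionals omitted, duplicates rejected, keys sorted."""
    entries = {}
    for key, val in fields.items():
        if val is None:                    # absent optional field: omit the key
            continue
        if not isinstance(key, str):
            raise TypeError("map keys must be text strings")
        encoded_key = encode(key)
        if encoded_key in entries:         # e.g. two spellings that NFC-collide
            raise ValueError("duplicate map key after NFC normalisation")
        entries[encoded_key] = encode(val)
    ordered = sorted(entries, key=lambda k: (len(k), k))   # length, then bytes
    return head(5, len(ordered)) + b"".join(k + entries[k] for k in ordered)

def canonical_key_order(keys):
    """Sort key names the way encode_map orders them."""
    return sorted(keys, key=lambda k: (len(encode(k)), encode(k)))

# Key orders copied from §3.2, with every optional field present.
QUB_ENVELOPE_ORDER = [
    "body", "qub_id", "sig_alg", "version", "reply_to", "body_hash",
    "unlock_at", "created_at", "outcome_at", "content_type", "sender_label",
    "author_pubkey", "cosigner_pubkey", "author_signature",
    "cosigner_signature",
]
SEALED_QUB_ORDER = [
    "title", "qub_id", "version", "unlock_at", "outcome_at", "visibility",
    "drand_round", "drand_chain_id", "recipient_pubkey", "tlock_ciphertext",
]

def matches_spec(order) -> bool:
    """Re-derive the order from a scrambled copy and compare with §3.2."""
    return canonical_key_order(list(reversed(order))) == order
```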
4. Normative Derivations
4.1 qub_id
qub_id uniquely identifies a qub and binds the QubEnvelope to the SealedQub. It is derived deterministically from the envelope content.
qub_id = SHA3-256(
"QUB_ID_V2" || // domain separator: ASCII bytes [0x51 0x55 0x42 0x5F 0x49 0x44 0x5F 0x56 0x32] (9 bytes) + 0x00 padding (1 byte) = 10 bytes
version || // u8 (1 byte)
content_type || // u8 (1 byte)
created_at || // i64 big-endian (8 bytes)
unlock_at || // i64 big-endian (8 bytes)
outcome_at_or_zero || // i64 big-endian (8 bytes; 0 when outcome_at is absent)
drand_round || // u64 big-endian (8 bytes)
body_hash || // [u8; 32] (32 bytes)
title_hash // [u8; 32] (32 bytes; absent-sentinel = [0u8; 32])
)
// Total preimage: 108 bytes → 32-byte output
Domain separator encoding: the string "QUB_ID_V2" is 9 ASCII bytes. A single 0x00 padding byte is appended to reach 10 bytes for alignment. Implementations MUST use exactly these 10 bytes: [0x51, 0x55, 0x42, 0x5F, 0x49, 0x44, 0x5F, 0x56, 0x32, 0x00].
outcome_at encoding: V1.1 extended the preimage from 92 to 100 bytes to fold the optional outcome_at field into the binding. An absent outcome_at is encoded as 8 zero bytes; protocol validators reject outcome_at <= 0 everywhere, so this sentinel cannot collide with a legitimate value. See §3.2 (wire format) and the in-tree tasks/verdict-uplift-plan.md for the verdict mechanic that drives this field.
drand_round encoding: V1.2 extended the preimage from 100 to 108 bytes to fold drand_round (the target drand round, §4.3) into the binding, and bumped the domain separator to QUB_ID_V2. This binds the time-lock round into the qub's identity: a gateway cannot rebind the ciphertext to a different round (e.g. one already past) than the displayed unlock_at implies. The unlock procedure (§8) additionally verifies that the round baked into the tlock ciphertext stanza matches unlock_round(unlock_at), so the displayed unlock time is provably the round that gates decryption.
Properties:
- Changing any field in QubEnvelope (body, timestamps, content type, version) produces a different qub_id.
- qub_id is computed before encryption. Both QubEnvelope and SealedQub carry the same qub_id. The viewer verifies that they match after decryption.
- qub_id does not depend on sender_label, author_signature, or author_pubkey. This means that the same content sealed at the same time produces the same qub_id, regardless of who signs it.
- Changing the SealedQub title (all else fixed) changes qub_id via title_hash. A gateway therefore cannot swap the plaintext title shown on the countdown without invalidating the qub's identity.
- Changing the SealedQub outcome_at (all else fixed) changes qub_id via the preimage. A gateway cannot swap the verdict date shown on the countdown before reveal without invalidating the qub's identity.
- Changing drand_round (all else fixed) changes qub_id via the preimage. A gateway cannot rebind the time-lock ciphertext to a different round without invalidating the qub's identity; combined with the stanza-round check at unlock time (§8), the displayed unlock_at is the round that actually gates decryption.
4.2 body_hash
body_hash = SHA3-256(body)
Where body is the raw Vec<u8> content payload. For text qubs, this is the UTF-8 encoded qub body.
4.2.1 title_hash
title_hash = SHA3-256(NFC(title).utf8_bytes) if title is present
title_hash = [0u8; 32] if title is absent
Where title is the optional plaintext title shown on the viewer countdown before reveal (see §3.2). NFC normalisation is performed at hash time so that the digest is stable across visually equivalent code point sequences. The all-zero sentinel is reserved for the absent case; an empty string is rejected at the canonical CBOR boundary as a non-canonical encoding of "absent" (the canonical encoding omits the field entirely).
4.3 Unlock-Round Mapping
drand_round = ceil((unlock_at - chain_genesis_time) / chain_period_seconds)
| Parameter | Source | Example |
|---|---|---|
| unlock_at | Unix seconds UTC chosen by the user | 1735689600 (2025-01-01 00:00:00 UTC) |
| chain_genesis_time | drand chain info (genesis_time) | 1595431050 |
| chain_period_seconds | drand chain info (period) | 30 |
The ceil() operation selects the first drand round whose reveal time is ≥ unlock_at. This ensures that a qub never becomes decryptable before the chosen unlock time.
Edge case: if (unlock_at - chain_genesis_time) is exactly divisible by chain_period_seconds, the result is that exact round, and the qub unlocks precisely at that round's reveal time.
Validation: unlock_at MUST be in the future at seal time. unlock_at MUST NOT be more than 10 years from created_at (to limit long-horizon dependency risk on drand; interfaces SHOULD warn for unlock dates beyond 2 years).
5. Wire Format Newtypes
Wire format newtypes provide compile-time safety against confusing CBOR bytes with JSON, raw plaintext, or other byte encodings.
| Type | Contains | Produced by | Consumed by |
|---|---|---|---|
| SealedQubCbor | Canonical CBOR of SealedQub | serialize_sealed_qub() | Permanent-storage upload, viewer fetch |
| QubEnvelopeCbor | Canonical CBOR of QubEnvelope | serialize_qub_envelope() | tlock encryption input, tlock decryption output |
5.1 Construction Rules
// Production code — only through CBOR serialisers:
let sealed = SealedQubCbor::from_encoded(cbor_bytes);
// There is deliberately NO From<Vec<u8>> implementation.
// You cannot accidentally wrap arbitrary bytes in a wire format type.
// Accessing raw bytes:
let bytes: &[u8] = sealed.as_bytes();
let bytes: Vec<u8> = sealed.into_bytes();
5.2 Validation at Construction
from_encoded() SHOULD validate that the input begins with a valid CBOR map header. Full structural validation happens at parse time, not at construction time, to avoid parsing twice.
6. Content Type Registry
| Value | Type | Max Body Size | Notes |
|---|---|---|---|
| 0x00 | Reserved (invalid) | — | MUST NOT be used |
| 0x01 | Plain text (UTF-8, restricted Markdown) | 50 KB paid / 10 KB free | See §10 for rendering rules. The free / paid split is enforced by the upload service; the protocol-layer hard limit is 50 KB. |
| 0x02 | Reserved (future) | — | Allocated for a future content type; not valid in v1. Viewers MUST reject it under the rule below. |
| 0x03 | Pact (bilateral agreement, CBOR body) | 100 KB | Body is canonical CBOR PactTerms (§6.1). Cosigning per §9.7. |
| 0x04 | Verdict (creator self-assessment, CBOR body) | 8 KB | Body is canonical CBOR VerdictBody (§6.2). Emitted only by the system verdict intent. The parent link is in the Arweave Parent-Tx-Id tag, not in the body. See verdict-uplift-plan §3.4. |
Viewers MUST reject unknown content types with a clear user-visible error. Viewers MUST NOT attempt to render unknown types as text.
6.1 Pact Body (content_type = 0x03)
A pact body is the canonical CBOR encoding of a PactTerms value:
PactTerms {
pact_version: u8, // 0x01 for structured/v1
title: String, // ≤ 200 bytes, NFC
terms: Vec<PactTerm>, // ≤ 20 rows
party_a: PartyIdentifier, // initiator
party_b: PartyIdentifier, // counter-signer
notes: Option<String>, // ≤ 5,000 bytes, NFC; absent key if none
}
PactTerm { key: String (≤ 100), value: String (≤ 2,000) } // NFC on both sides
PartyIdentifier { label: String (≤ 100), contact: Option<String (≤ 320)> }
Canonical CBOR key orders for all three maps are given in §3.2. The total serialised pact CBOR MUST NOT exceed 100 KB (matches §6).
Schema discriminator. The first row in terms for a structured/v1 pact MUST be { key: "pact_schema", value: "structured/v1" }. Pacts without this marker row are "custom" pacts and receive no structured validation or schema-aware rendering.
Fixed acknowledgement slots. structured/v1 pacts carry exactly four acknowledgement rows under these keys:
"initiator_standard_terms"
"initiator_capacity_terms"
"counterparty_standard_terms"
"counterparty_capacity_terms"
The value of each is one of eight fixed English strings selected by the (role, kind) pair, where role ∈ { seller, buyer, provider, client } and kind ∈ { standard, capacity }. The strings themselves are normative protocol data: both parties' ML-DSA-65 signatures commit to the exact bytes via body_hash. They are NOT localised; the signed body is language-neutral. Any change of wording requires a new schema version (structured/v2).
The eight strings, their lookup (acknowledgement_for(role, kind)), and the rationale for each are pinned by the reference implementation. Conforming implementations MUST emit byte-identical acknowledgement values; SHA3-256 body-hash tests with golden fixtures covering all four role combinations catch any deviation.
Viewer display order. The acknowledgement strings contain phrases such as "described above", which assume that the description / scope rows are rendered before the acknowledgements. Viewers MUST render the terms array in CBOR order; reordering breaks the semantics of the prose.
Counterparty contact. When Party B's contact is a valid email address, the qub upload service automatically sends a review / cosign invitation email at staging time and binds the eventual cosignature to verification of that same address (§9.7). Pacts whose Party B contact is absent can still be cosigned, but only through an out-of-band channel: the service refuses cosign requests that cannot produce a matching 15-minute email verification token.
6.2 Verdict Body (content_type = 0x04)
A verdict body is the canonical CBOR encoding of a VerdictBody value:
VerdictBody {
verdict_version: u8, // 0x01 for structured/v1
outcome: u8, // 1=Right · 2=Partial · 3=Wrong · 4=Unfalsifiable
reflection: Option<String>, // ≤ 2,000 bytes NFC; "what changed, what did you learn"
evidence_url: Option<String>, // ≤ 2,048 bytes; HTTPS only; absent key when omitted
}
Canonical CBOR key order:
"outcome" (8 encoded bytes)
"reflection" (11 encoded bytes) ← only if present
"evidence_url" (13 encoded bytes) ← only if present
"verdict_version" (16 encoded bytes)
The total serialised verdict CBOR MUST NOT exceed 8 KB (matches the table row above).
Outcome enumeration. The wire byte is intent-neutral; the four slots Right / Partial / Wrong / Unfalsifiable cover the whole outcome space of every verdict-bearing intent. Per-intent labels (e.g. "I predicted correctly" / "I kept it" / "I shipped" / "Confirmed" for Right) are a viewer-side rendering concern, resolved against the parent qub's intent; the wire format stays language- and intent-neutral. Values outside 1..=4 MUST be rejected at decode.
Parent link. A verdict qub does NOT carry a parent reference in its body. The parent qub's Arweave transaction ID is emitted as the Parent-Tx-Id storage tag at upload time (§7 storage tag layer). This keeps the body a self-contained signed statement of self-assessment; the audit chain ("right about what?") is established by querying the Arweave tag.
Evidence link safety (normative). When evidence_url is present, validators (compose side, wire side, Worker edge) MUST enforce the following:
- HTTPS only. The string MUST begin with the byte sequence https://. Any other scheme (http, ftp, javascript, data, file, etc.) is rejected.
- Length limit. ≤ 2,048 bytes (the practical browser URL limit).
- NFC + hostile codepoint check. The same rule as for title and reflection: bidi-override / zero-width / tag / BOM / C0 / C1 codepoints are rejected. The definition matches Rust crate::handle::contains_hostile_text_codepoint and TS workers/api/src/utils/unicode.ts::isHostileCodepoint (keep them in lockstep).
- No whitespace, no ASCII controls. Space / DEL / bytes below 0x20 anywhere in the URL are rejected; this closes the \n / \t injection path that the bidi rule does not cover.
- Non-empty host segment. Everything between https:// and the first /, ?, or # MUST be non-empty.
No server-side fetch. The Worker MUST NOT proxy, fetch, or preview the URL. The protocol stores the string; rendering happens viewer-side with rel="nofollow noopener noreferrer" target="_blank" and the visible host shown next to the link text.
Reflection. Optional reflection text written by the creator ("what changed, what did you learn"). Same NFC + hostile-codepoint validation as title. Empty / whitespace-only input collapses to absent at construction time.
Schema version. v1 supports only verdict_version = 0x01. Future schema revisions bump this byte and arrive alongside a new protocol version per §12.
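The five evidence_url rules above can be expressed as one validator. This is an added example, not the reference implementation's code: HOSTILE_RANGES is an assumed approximation of the codepoint classes the rule names (the normative definition lives in contains_hostile_text_codepoint, which this page does not reproduce), rejecting non-NFC input instead of normalising it is also an assumption, and the sample URLs are constructed.

```python
import unicodedata

SCHEME = "https://"
MAX_URL_BYTES = 2048

# Assumed ranges for the classes named in §6.2 (not the normative table).
HOSTILE_RANGES = (
    (0x0000, 0x001F),    # C0 controls
    (0x0080, 0x009F),    # C1 controls
    (0x200B, 0x200F),    # zero-width characters, LRM / RLM
    (0x202A, 0x202E),    # bidi embeddings and overrides
    (0x2060, 0x2064),    # word joiner and invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFEFF, 0xFEFF),    # BOM
    (0xE0000, 0xE007F),  # tag characters
)

def is_hostile(codepoint: int) -> bool:
    return any(lo <= codepoint <= hi for lo, hi in HOSTILE_RANGES)

def host_segment(url: str) -> str:
    """Everything between https:// and the first '/', '?' or '#'."""
    rest = url[len(SCHEME):]
    for index, char in enumerate(rest):
        if char in "/?#":
            return rest[:index]
    return rest

def reject_reason(url: str):
    """Return None when every rule passes, else the first rule that fails."""
    if not url.startswith(SCHEME):            # case-sensitive byte prefix
        return "scheme"
    try:
        size = len(url.encode("utf-8"))
    except UnicodeEncodeError:                # lone surrogates are not UTF-8
        return "encoding"
    if size > MAX_URL_BYTES:
        return "length"
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return "ascii-control-or-space"       # covers \n and \t injection
    if unicodedata.normalize("NFC", url) != url:
        return "not-nfc"
    if any(is_hostile(ord(c)) for c in url):
        return "hostile-codepoint"
    if not host_segment(url):
        return "empty-host"
    return None

# Constructed sample inputs, one per rule.
SAMPLES = (
    "https://example.org/report?id=1",
    "http://example.org/",
    "https://example.org/a b",
    "https://example.org/a\u202eb",
    "https:///path",
)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", reject_reason(sample) or "accepted")
```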
7. Sealing Protocol
The complete sealing sequence. Every step is normative.
1. User composes plaintext and metadata in ComposeQub.
2. Validate:
a. body is non-empty.
b. body size ≤ max for content_type and user tier (see §6).
c. unlock_at is in the future.
d. unlock_at ≤ created_at + 10 years.
e. content_type is a known, supported value.
3. Compute body_hash = SHA3-256(body).
4. Set created_at = current Unix seconds UTC.
5. Select drand chain. Load chain_genesis_time and chain_period_seconds, and
compute drand_round = ceil((unlock_at - chain_genesis_time) / chain_period_seconds).
(Computed here, before qub_id, because drand_round is bound into the qub_id
preimage — §4.1, V1.2.)
6. Compute qub_id (see §4.1), folding in drand_round from step 5.
7. Construct QubEnvelope with all fields.
8. Serialise QubEnvelope using canonical CBOR → bytes B.
Assert: serialised output matches canonical profile (§3).
9. Compute C = tlock_encrypt(B, drand_round, drand_chain_public_key).
10. Construct SealedQub with tlock_ciphertext = C, and matching qub_id, version,
unlock_at, drand_chain_id, drand_round.
12. Serialise SealedQub using canonical CBOR → SealedQubCbor.
12a. Generate K = 32 random bytes (CSPRNG) and N = 12 random bytes (CSPRNG).
Compute W = wrap_sealed_qub(SealedQubCbor, qub_id=qub_id, key=K, nonce=N)
per §13. The bytes uploaded to permanent storage are the OuterWrapper CBOR W,
never the bare SealedQubCbor. K leaves the device only as the URL
fragment in step 16.
13. Display seal-time disclosure. User confirms.
14. Validate upload eligibility via the qub upload service (bot-detection, entitlement, rate limits).
15. Submit W (the OuterWrapper bytes) to the qub upload service; the service
signs and uploads to permanent storage. The service is byte-blind to the inner
SealedQubCbor and never receives K.
16. Receive arweave_tx_id from the service. Construct delivery URL as
`<origin>/c/<arweave_tx_id>#<base64url(K)>` (or `<origin>/s/<short_code>#<base64url(K)>`
when a short code is allocated). Browsers do not transmit URL fragments
to servers, so K is never observed by qub.social or any storage gateway.
Storage tag layer (out-of-band). The qub upload service attaches a deliberately small number of storage transaction tags to the wrapped payload. Content-Type=application/octet-stream is normatively required. The reference service additionally attaches three optional tags when the creator chooses to surface them: Intent (the allowlist-validated composition intent, e.g. quote, reply, commitment), Author (the creator's §9.3 pubkey fingerprint as 64-character lowercase hex), and Parent-Tx-Id (the storage transaction ID of the parent qub for reply chains, 43-character base64url).
The Author tag is a per-qub opt-in: the reference creator application attaches it only when the user explicitly enables public attribution at seal time. When the toggle is off, which is the default, no Author tag is written and the qub is unattributed on-chain: nothing in permanent storage links the upload to the creator's handle, email address, or other qubs. When the toggle is on, the Author fingerprint resolves to the @handle chosen by the creator via the §9.5 attestation chain. Reply-chain relationships and Intent are non-identifying. The outer wrapper (§13) protects the inner body from ciphertext correlation, preventing a scraper from recognising qub-formatted uploads and decrypting them in bulk once the drand round is emitted.
The reference service deliberately does NOT attach App-Name, App-Version, or Type tags: any such single-value filter would expose the whole qub corpus to a GraphQL query, which is inconsistent with the wrapper's body-only confidentiality scope.
A conforming verifier MUST NOT depend on any storage tag for §11 third-party verification; the body hash / qub_id / signature commit to the inner CBOR only, never to the tag set.
8. Unlock Protocol
The complete unlock sequence. Every step is normative.
1. Viewer opens delivery URL. Extract arweave_tx_id from path AND
K = base64url_decode(fragment) from the URL fragment. If the fragment
is absent or malformed → display "this URL is missing its decryption
key" and stop; the viewer MUST NOT contact the storage gateway
without K, since fetching wrapped bytes the viewer cannot decrypt
serves no purpose and only leaks the access attempt.
2. Check denylist. If tx_id is denylisted → display block message. Stop.
3. Fetch OuterWrapper bytes from permanent storage (with multi-gateway fallback).
3a. Unwrap: parse the bytes as OuterWrapper (§13), verify the wrapper
`version` byte is `0x01`, and compute SealedQubCbor =
unwrap_sealed_qub(OuterWrapper, key=K). Any AEAD authentication
failure (wrong K, tampered ciphertext, swapped qub_id-as-AAD,
swapped nonce) → display "this URL's decryption key does not match
the stored qub" and stop. Authentication failures are
indistinguishable to the viewer per §13.5.
4. Parse SealedQubCbor → SealedQub.
5. Validate: SealedQub.version is known (0x01). Reject unknown versions.
6. If current time < SealedQub.unlock_at → display countdown. Poll or wait.
6a. Round-binding check (V1.2). Recompute expected_round =
ceil((SealedQub.unlock_at - chain_genesis_time) / chain_period_seconds).
Reject unless SealedQub.drand_round == expected_round AND the round baked
into the tlock ciphertext stanza (read via the age/tlock header, no signature
required) == expected_round. The stanza round is the one that actually gates
decryption; without this check a malicious creator could bind the ciphertext
to an already-past round while displaying a future countdown, so anyone
reading the stored bytes could decrypt before unlock_at. Implementations with
no chain identity (test mocks) skip this check.
7. Once current time ≥ SealedQub.unlock_at:
a. Fetch drand round signature for SealedQub.drand_round from drand network.
b. Compute B = tlock_decrypt(SealedQub.tlock_ciphertext, round_signature).
8. Parse B → QubEnvelope.
9. Validate QubEnvelope.version is known.
10. Verify: SHA3-256(QubEnvelope.body) == QubEnvelope.body_hash.
Fail → integrity error.
11. Verify: QubEnvelope.qub_id == SealedQub.qub_id.
Fail → integrity error.
12. Verify: QubEnvelope.unlock_at == SealedQub.unlock_at.
Fail → integrity error.
13. Verify: QubEnvelope.content_type is known and renderable.
Known values: 0x01 (text), 0x03 (pact). Unknown → display error.
14. If QubEnvelope.sig_alg != 0x00 → verify author signature (see §9.4).
15. If cosigner_pubkey or cosigner_signature present → verify cosigner (see §9.7).
16. Render content using appropriate renderer (see §10 for text, §6 for pact).
17. Construct RevealedQub for display.
9. Authorship Signature
9.1 Rationale
qubs are stored permanently in permanent storage. Authorship signatures must remain unforgeable indefinitely, so v1.0 uses the post-quantum scheme ML-DSA-65 (FIPS 204) rather than a classical scheme whose security could degrade within a qub's perpetual lifetime.
9.2 Algorithm Registry
| sig_alg | Scheme | Key Size | Signature Size |
|---|---|---|---|
| 0x00 | No signature (unsigned) | — | — |
| 0x01 | ML-DSA-65 (FIPS 204) | 1,952 bytes | 3,309 bytes |
Viewers MUST reject unknown sig_alg values.
9.3 Signed Preimage Construction
sig_input = SHA3-256(
"QUB_AUTHOR_SIG_V1" || // domain separator (17 bytes)
version || // u8 (1 byte)
qub_id || // [u8; 32] (32 bytes)
body_hash || // [u8; 32] (32 bytes)
unlock_at || // i64 big-endian (8 bytes)
0x00 // u8 (1 byte): MUST be 0x00 in v1.0
)
// Total preimage: 91 bytes → 32-byte hash
signature = Sign(author_secret_key, sig_input)
Domain separator: "QUB_AUTHOR_SIG_V1" is 17 ASCII bytes: [0x51, 0x55, 0x42, 0x5F, 0x41, 0x55, 0x54, 0x48, 0x4F, 0x52, 0x5F, 0x53, 0x49, 0x47, 0x5F, 0x56, 0x31]. No padding.
Final byte: the 91st byte of the preimage MUST be 0x00. The reference implementation exposes this as the constant ORG_ID_PRESENT_INDIVIDUAL = 0x00 in crates/qub-core/src/signing.rs; viewers reconstructing sig_input for verification MUST emit the same byte.
Signature scope: what is covered and what is not. sig_input commits to four envelope fields: version, qub_id, body_hash, unlock_at (plus the fixed domain separator and the org_id_present byte). Three of those four are structural invariants: qub_id itself is derived from version, content_type, created_at, unlock_at, outcome_at, drand_round, and body_hash via the §4.1 preimage, so any change to those fields produces a different qub_id and transitively invalidates the signature. The directly authenticated surface is therefore:
| Field | Authenticated by signature | How |
|---|---|---|
| version | ✓ | Direct input to sig_input |
| qub_id | ✓ | Direct input |
| body_hash | ✓ | Direct input |
| unlock_at | ✓ | Direct input |
| content_type | ✓ | Transitively, via the qub_id preimage |
| created_at | ✓ | Transitively, via the qub_id preimage |
| outcome_at | ✓ | Transitively, via the qub_id preimage |
| drand_round | ✓ | Transitively, via the qub_id preimage (V1.2) |
| body | ✓ | Transitively, via body_hash = SHA3-256(body) |
| author_pubkey | — (implicit) | The key that verified the signature is the author, by definition |
| sender_label | ✗ | Display-only text; mutable without breaking the signature |
| reply_to | ✗ | Chain pointer; mutable without breaking the signature |
| cosigner_pubkey / cosigner_signature | — | Independently signed over the same sig_input (see §9.7) |
| drand_chain_id, tlock_ciphertext, visibility | — | Outer SealedQub fields, not inside the envelope; covered by their own structural invariants (round / chain consistency) but not by the author signature. (drand_round is now bound transitively via the qub_id preimage; see above.) |
Security implications of the unauthenticated fields.
- A party with write access to the stored bytes could swap sender_label ("Alice" → "Mallory") without invalidating the author signature. author_pubkey inside the envelope remains the true identity anchor: viewers MUST derive the displayed identity from author_pubkey (via the §9.5 attestation layer) rather than trust sender_label.
- The reply_to field can similarly be altered after signing. Because qub_id is content-addressed, an attacker cannot point reply_to at a non-existent target, but can silently re-parent a reply onto another existing qub.
Implementations that show sender_label or reply_to to end users MUST show the authenticated identity (pubkey fingerprint, attestation) as the primary identity signal, not the label.
9.4 Procedura Verificationis
1. Read sig_alg from QubEnvelope.
2. If sig_alg == 0x00 → unsigned. No verification. Display "unsigned qub."
3. If sig_alg is unknown → reject. Display "unrecognised signature scheme."
4. Extract author_signature and author_pubkey. If either is absent → integrity error.
5. Reconstruct sig_input using fields from QubEnvelope (same formula as §9.3).
6. Verify(author_pubkey, sig_input, author_signature).
7. If verification succeeds → display "signed by [key fingerprint]."
8. If verification fails → display "signature verification failed."
Signature verification is the most expensive operation (especially ML-DSA-65). It SHOULD be performed after all cheaper checks (hash, qub_id, unlock_at) have completed.
9.5 Identity Attestations
Identity attestations (a mapping from author_pubkey to human-recognisable identity claims such as a qub handle, an e-mail address, a social handle, or a passkey credential) are a viewer-side progressive enhancement and are not required for signature verification. Viewers that resolve attestations to a displayed identity MUST apply the precedence:
handle > email > social > fingerprint
The fingerprint fallback is the lowercase hex of SHA3-256(author_pubkey); it is always available for any signed qub. Viewers MAY abbreviate it for display: the reference viewer renders qub: followed by the first and last four bytes (qub:<8 hex>…<8 hex>).
A conforming verifier can perform every check in §9.4 without contacting the qub API, without any network beyond permanent storage and drand, and without any server-side lookup. Attestation resolution is a separate, best-effort step performed only after signature verification has succeeded.
9.6 Size Impact
| | Ed25519 | ML-DSA-65 |
|---|---|---|
| Signature | 64 bytes | 3,309 bytes |
| Public key | 32 bytes | 1,952 bytes |
| Total per qub | 96 bytes | 5,261 bytes |
| Storage cost difference (at ~$5/MB) | ~$0.0005 | ~$0.026 |
For a text qub of 500–2,000 bytes, ML-DSA-65 roughly triples the stored size. The absolute cost is negligible.
9.7 Cosigner Verification (Bilateral Pacts)
For bilateral pacts (content_type = 0x03), a second signature layer proves that both parties agreed to the same terms.
Envelope fields:
- cosigner_pubkey: ML-DSA-65 public key of the counter-signer (Party B).
- cosigner_signature: Signature over the same sig_input as the author (§9.3).
Both fields MUST be present together or both absent. If exactly one is present, viewers MUST report an integrity error.
Verification procedure:
1. If cosigner_pubkey absent and cosigner_signature absent → no cosigner. Done.
2. If exactly one is present → integrity error.
3. Verify cosigner_pubkey != author_pubkey (prevent self-cosigning).
Fail → display "cosigner pubkey must differ from author."
4. Reconstruct sig_input using the same formula as §9.3.
5. Verify(cosigner_pubkey, sig_input, cosigner_signature).
6. Success → display "co-signed by [cosigner fingerprint]."
7. Failure → display "co-signature verification failed."
Properties:
- The cosigner signs a sig_input identical to the author's: both parties commit to the same qub_id, body_hash, and unlock_at.
- The qub_id derivation (§4.1) does NOT include the cosigner fields. Adding a cosigner to an existing envelope does not change qub_id.
- A pact can be signed by the author alone (unilateral commitment), by the cosigner alone (unusual), or by both (full bilateral proof).
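The §9.3 preimage and the §9.4 and §9.7 procedures as one runnable check, added here as an example and not taken from the reference implementation. The `verify` callable, the dict-shaped envelope, and `toy_sign`/`toy_verify` (a hash-based stand-in so the demo runs offline, not ML-DSA-65) are assumptions.

```python
import hashlib
import hmac
import struct

DOMAIN = b"QUB_AUTHOR_SIG_V1"        # 17 ASCII bytes, no padding (§9.3)
ORG_ID_PRESENT_INDIVIDUAL = 0x00     # 91st preimage byte, fixed in v1.0


def sig_input(version, qub_id, body_hash, unlock_at):
    """Rebuild the 91-byte §9.3 preimage and return its SHA3-256 digest."""
    if len(qub_id) != 32 or len(body_hash) != 32:
        raise ValueError("qub_id and body_hash must be 32 bytes each")
    preimage = (DOMAIN + bytes([version]) + qub_id + body_hash
                + struct.pack(">q", unlock_at)            # i64 big-endian
                + bytes([ORG_ID_PRESENT_INDIVIDUAL]))
    if len(preimage) != 91:
        raise AssertionError("preimage layout drifted from §9.3")
    return hashlib.sha3_256(preimage).digest()


def fingerprint(pubkey):
    """§9.5 fallback identity: first and last four bytes of SHA3-256(pubkey)."""
    digest = hashlib.sha3_256(pubkey).hexdigest()
    return f"qub:{digest[:8]}…{digest[-8:]}"


def envelope_sig_input(env):
    # Only these four fields are signed; sender_label and reply_to are not.
    return sig_input(env["version"], env["qub_id"], env["body_hash"], env["unlock_at"])


def verify_author(env, verify):
    """§9.4. `verify(pubkey, msg, sig) -> bool` is the caller's ML-DSA-65 verifier."""
    alg = env.get("sig_alg")
    if alg == 0x00:
        return "unsigned qub"
    if alg != 0x01:
        return "unrecognised signature scheme"
    pubkey, sig = env.get("author_pubkey"), env.get("author_signature")
    if pubkey is None or sig is None:
        return "integrity error"
    if verify(pubkey, envelope_sig_input(env), sig):
        return f"signed by {fingerprint(pubkey)}"
    return "signature verification failed"


def verify_cosigner(env, verify):
    """§9.7. Returns None when the envelope carries no cosigner."""
    pubkey, sig = env.get("cosigner_pubkey"), env.get("cosigner_signature")
    if pubkey is None and sig is None:
        return None
    if pubkey is None or sig is None:
        return "integrity error"
    if pubkey == env.get("author_pubkey"):
        return "cosigner pubkey must differ from author"
    if verify(pubkey, envelope_sig_input(env), sig):
        return f"co-signed by {fingerprint(pubkey)}"
    return "co-signature verification failed"


def toy_sign(pubkey, msg):
    """Constructed stand-in so the demo runs offline. NOT a signature scheme."""
    return hashlib.sha3_256(b"toy-demo" + pubkey + msg).digest()


def toy_verify(pubkey, msg, sig):
    return hmac.compare_digest(sig, toy_sign(pubkey, msg))


def sample_envelope():
    """Constructed envelope; qub_id is a placeholder, not a §4.1 derivation."""
    env = {
        "version": 0x01, "sig_alg": 0x01,
        "qub_id": hashlib.sha3_256(b"constructed qub_id").digest(),
        "body_hash": hashlib.sha3_256(b"Hello, future.").digest(),
        "unlock_at": 1736294400,
        "sender_label": "Alice",
        "author_pubkey": b"A" * 1952,       # ML-DSA-65 key length, dummy bytes
        "cosigner_pubkey": b"B" * 1952,
    }
    msg = envelope_sig_input(env)
    env["author_signature"] = toy_sign(env["author_pubkey"], msg)
    env["cosigner_signature"] = toy_sign(env["cosigner_pubkey"], msg)
    return env


if __name__ == "__main__":
    env = sample_envelope()
    print(verify_author(env, toy_verify), "/", verify_cosigner(env, toy_verify))
    # An unauthenticated field changes nothing; a signed field breaks the signature.
    print(verify_author(dict(env, sender_label="Mallory"), toy_verify))
    print(verify_author(dict(env, unlock_at=env["unlock_at"] + 1), toy_verify))
```

Swapping `sender_label` leaves the result unchanged, which is why §9.3 requires viewers to display the key fingerprint rather than the label.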
E-mail-binding gate (operational). When a staged pact carries a Party B e-mail contact (§6.1), the qub upload service MUST refuse a cosign request unless a short-lived e-mail verification record exists that matches both the staging id and the normalised-e-mail hash of that contact. The record is written by /api/v1/auth/verify when the magic-link token carries a staging_id and the verified address matches SHA-256(normalise_email(party_b.contact)), where normalise_email(addr) preserves the case of the local part and lowercases only the domain part (per RFC 5321 §2.3.11), and SHA-256 here is the NIST FIPS 180-4 hash (distinct from the SHA3-256 used in the §4 derivations); the record expires 900 seconds (15 minutes) after issuance. This is an operational anti-impersonation gate, NOT part of the on-chain qub proof: a third-party §11 verifier performing a reveal needs only permanent storage and drand, with no server-side lookup. The record exists server-side only and is never part of the signed body.
Size impact (ML-DSA-65 author + cosigner):
| Component | Size |
|---|---|
| Author signature | 3,309 bytes |
| Author public key | 1,952 bytes |
| Cosigner signature | 3,309 bytes |
| Cosigner public key | 1,952 bytes |
| Total cryptographic overhead | 10,522 bytes |
| Storage cost difference | ~$0.05 |
10. Markdown Rendering and Sanitisation
This section is security-critical. The viewer renders text qubs (content_type = 0x01) through a restricted Markdown subset.
10.1 Permitted Elements
- Headings: # through #### (not ##### or ######)
- Emphasis: bold (**), italic (*), strikethrough (~~)
- Lists: ordered (1.) and unordered (-, *)
- Blockquotes (>)
- Code: inline spans (`) and fenced blocks (```)
- Horizontal rules (---)
- Line breaks (two trailing spaces or a blank line)
- Paragraphs
10.2 Forbidden Elements
| Element | Handling |
|---|---|
| Raw HTML (<div>, <script>, etc.) | Stripped entirely. No HTML passes through. |
| Images (![alt](url)) | Stripped. The image syntax is removed from the output. |
| Links ([text](url)) | The URL is rendered as visible plain text. Not auto-linked. Not clickable without explicit user action. |
| Dangerous URL schemes | javascript:, data:, vbscript:, file: are stripped. |
| Iframes, embeds, objects | Stripped. |
| HTML entities | Decoded into display characters only if they are safe. |
10.3 Implementation
Implementations MUST use a strict allowlist parser, not a blocklist. Recommended approach:
- Parse the Markdown with pulldown-cmark (or an equivalent).
- Walk the AST and drop any node not on the allowlist (§10.1).
- For link nodes: emit the URL as visible text, not as a clickable <a> element.
- Convert the filtered AST into a typed intermediate representation (e.g., a MarkdownNode enum with only safe variants). Raw HTML is structurally unrepresentable in this IR.
- Render from the typed IR to the target view layer (e.g., reactive view components, DOM nodes). No HTML string concatenation or innerHTML anywhere.
Blocklist approaches are fragile because new Markdown extensions or parser quirks can introduce elements that slip through. The typed-AST approach makes XSS structurally impossible: no variant exists that can carry arbitrary HTML.
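The AST walk and typed IR of §10.3, with the heading demotion of §10.4, as an added Python example that is not the project's renderer. The node dictionaries stand in for what a parser such as pulldown-cmark would emit, and every type, field and function name here is an assumption, as is the choice to print a link as "text (url)".

```python
from dataclasses import dataclass

SAFE_CONTAINERS = frozenset({
    "paragraph", "heading", "strong", "emphasis", "strikethrough",
    "ordered_list", "bullet_list", "list_item", "blockquote",
})
SAFE_LEAVES = frozenset({"rule", "line_break"})
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:", "file:")   # §10.2

@dataclass(frozen=True)
class Text:
    value: str

@dataclass(frozen=True)
class Code:
    value: str
    block: bool

@dataclass(frozen=True)
class Leaf:
    kind: str
    def __post_init__(self):
        if self.kind not in SAFE_LEAVES:
            raise ValueError(f"{self.kind!r} is not representable in the IR")

@dataclass(frozen=True)
class Container:
    kind: str
    children: tuple
    level: int = 0
    def __post_init__(self):
        # The IR has no variant for HTML, images or links, so none can be built.
        if self.kind not in SAFE_CONTAINERS:
            raise ValueError(f"{self.kind!r} is not representable in the IR")

def is_dangerous_url(url):
    """Match the §10.2 schemes after removing whitespace/control-character padding."""
    squeezed = "".join(ch for ch in url if ch > " ").lower()
    return squeezed.startswith(DANGEROUS_SCHEMES)

def to_ir(node):
    """Convert one parser node into a tuple of IR nodes; unknown types vanish."""
    kind = node.get("type")
    kids = tuple(ir for child in node.get("children", ()) for ir in to_ir(child))
    if kind == "text":
        return (Text(node["value"]),)
    if kind in ("code_span", "code_block"):
        return (Code(node["value"], block=(kind == "code_block")),)
    if kind in SAFE_LEAVES:
        return (Leaf(kind),)
    if kind == "heading":
        if node["level"] > 4:                      # §10.4: H5+ becomes bold text
            return (Container("strong", kids),)
        return (Container("heading", kids, node["level"]),)
    if kind == "link":                             # never an <a>; URL shown as text
        url = node.get("url", "")
        return kids if is_dangerous_url(url) else kids + (Text(f" ({url})"),)
    if kind in SAFE_CONTAINERS:
        return (Container(kind, kids),)
    return ()      # raw HTML, images, iframes: dropped together with their children

def sanitize(blocks):
    return tuple(ir for block in blocks for ir in to_ir(block))

def visible_text(nodes):
    """Plain-text projection of the IR, used here only to inspect the result."""
    out = []
    for n in nodes:
        if isinstance(n, (Text, Code)):
            out.append(n.value)
        elif isinstance(n, Container):
            out.append(visible_text(n.children))
    return "".join(out)

# Constructed parser output for a hostile text qub.
SAMPLE = [
    {"type": "heading", "level": 5, "children": [{"type": "text", "value": "Deep"}]},
    {"type": "paragraph", "children": [
        {"type": "text", "value": "see "},
        {"type": "link", "url": "https://example.com/a",
         "children": [{"type": "text", "value": "docs"}]},
        {"type": "html", "value": "<script>alert(1)</script>"},
        {"type": "image", "url": "https://example.com/x.png",
         "children": [{"type": "text", "value": "alt"}]},
        {"type": "link", "url": " JaVa\tScript:alert(1)",
         "children": [{"type": "text", "value": "click"}]},
    ]},
]

if __name__ == "__main__":
    print(visible_text(sanitize(SAMPLE)))
```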
10.4 Size and Structure Limits
- Maximum rendered heading depth: #### (H4). ##### and deeper are rendered as bold text.
- No limit on the number of paragraphs (the body size limits in §6 are the constraint).
- Fenced code blocks: no syntax highlighting in the MVP. They are rendered as preformatted monospace text.
11. Third-Party Verification
Any third party can verify a public qub without qub's cooperation. Verification procedure:
1. Obtain arweave_tx_id (from delivery URL or direct knowledge).
2. Fetch SealedQubCbor from any storage gateway.
3. Confirm storage block inclusion (block height, block timestamp).
4. Parse SealedQubCbor → SealedQub.
5. Fetch drand round signature for SealedQub.drand_round.
6. tlock_decrypt(tlock_ciphertext, round_signature) → QubEnvelope CBOR bytes.
7. Parse → QubEnvelope.
8. Verify SHA3-256(body) == body_hash.
9. Verify QubEnvelope.qub_id == SealedQub.qub_id.
10. Verify QubEnvelope.unlock_at == SealedQub.unlock_at.
11. If sig_alg != 0x00: verify author_signature (see §9.4).
12. All checks pass → qub is verified.
What verification proves:
| Proof | What it establishes |
|---|---|
| Commitment | The ciphertext existed before the permanent-storage block time. |
| Integrity | The plaintext body matches the committed hash and has not been altered. |
| Timing | The content was unreadable until the drand round that corresponds to the chosen unlock time (subject to the tlock and drand security assumptions). |
What verification does NOT prove:
| Non-proof | Why |
|---|---|
| Authorship | sender_label is decorative. Without sig_alg ≥ 0x01, anyone could have sealed this content. |
| Intent | A qub proves content and timing, not what the creator subjectively intended. |
| Pre-event timing | Permanent-storage block inclusion can lag the actual upload by minutes. The commitment time is the block time, not the moment the user pressed "seal". |
12. Versioning
12.1 Protocol Version
The version field (u8) in both SealedQub and QubEnvelope identifies the major protocol version.
- Viewers MUST reject unknown major versions with a clear error.
- Known major versions MAY tolerate unknown optional fields if the forward-compatibility rules permit (optional fields absent from the canonical key order are ignored).
- Content types (content_type) and signature schemes (sig_alg) are version-gated: new values can be introduced only with a new protocol version or an explicit table update.
12.2 Version History
| Version | Value | Description |
|---|---|---|
| v1 | 0x01 | Public text qubs (content_type 0x01), bilateral pacts (0x03, structured/v1 schema, ML-DSA-65 author + cosigner), tlock, SHA3-256 |
12.3 Forward Compatibility
A v1 viewer encountering a QubEnvelope with unknown optional CBOR map keys (keys not in the §3.2 canonical order) SHOULD ignore those keys and proceed with verification using the known fields. This permits future minor additions (e.g., new metadata) without requiring a major version bump.
A v1 viewer encountering sig_alg = 0x01 (ML-DSA-65) but lacking ML-DSA-65 verification support SHOULD display the qub content with the notice "signature present but not verifiable", not reject the qub outright. The reference implementation today rejects every sig_alg value other than 0x00 and 0x01 because the v1 table contains no other valid algorithm; strict rejection and soft-fail are observationally identical until a third algorithm is registered. The soft-fail behaviour above becomes load-bearing when §9.2 admits a new entry, and the reference viewer will be updated to soft-fail at that point.
12.4 Outer Wrapper Version
The OuterWrapper described in §13 carries its own version byte, independent of SealedQub.version and QubEnvelope.version. The two version spaces evolve separately: a future post-quantum-safe symmetric replacement bumps the wrapper byte without touching the inner protocol version, and a future protocol-layer addition (e.g., a new envelope field) bumps the inner version without touching the wrapper byte.
| OUTER_WRAPPER_VERSION_* | Value | Algorithm | Status |
|---|---|---|---|
| OUTER_WRAPPER_VERSION_1 | 0x01 | AES-256-GCM with a 12-byte nonce, a 16-byte authentication tag, AAD bound to qub_id | v1 default |
| — | 0x02–0xFF | Reserved | Future |
Viewers MUST reject unknown wrapper versions with a clear error. The protocol deliberately keeps the wrapper version space narrow until a concrete migration driver appears (e.g., a NIST standard favouring a different AEAD); the 0x02 slot will be allocated in the same revision in which the algorithm is introduced.
13. Outer Encryption Wrapper
13.1 Rationale
The protocol layers (QubEnvelope → tlock → SealedQub) produce a sealed, time-locked qub: the body is unreadable until unlock_at has passed and the drand round signature has been published. After unlock, however, the round signature is public and the canonical CBOR shape of a SealedQub is recognisable, so a scraper that has indexed permanent-storage transactions can decrypt the entire qub corpus in bulk.
The outer encryption wrapper closes this channel by interposing an additional symmetric AEAD layer between the canonical SealedQubCbor and the bytes placed in permanent storage. The 256-bit key K lives only in the fragment of the delivery URL and on users' devices; browsers do not transmit URL fragments to servers, so qub.social, every permanent-storage gateway, and every CDN in front of either are observationally blind to K. Every qub in permanent storage is therefore opaque ciphertext whose plaintext is unrecoverable without the URL the creator chose to share.
Net effects:
Enumeration immunity by default. The wrapped bytes in permanent storage are byte-indistinguishable from arbitrary ciphertext. The scraper strategy "GraphQL-query qub-shaped uploads, bulk-decrypt with public drand signatures" does not terminate in plaintext.
Crypto-shredded privacy posture. qub.social literally cannot decrypt its own corpus. A subpoena reaches ciphertext, not plaintext.
Two-tier confidentiality ladder. Default = link-controlled access (this section). Recipient-encrypted private qubs (a reserved second-tier capability, not yet specified) build on top as the second tier.
13.2 Layering
plaintext body ← QubEnvelope.body (§2.2)
↓ canonical CBOR (§3)
envelope CBOR
↓ tlock encrypt to drand round (§7 step 10)
tlock_ciphertext (inside SealedQub) (§2.3)
↓ canonical CBOR (§3)
SealedQubCbor bytes ← inner wire artifact
↓ AES-256-GCM(K, nonce, AAD=qub_id) (§7 step 12a, this section)
OuterWrapper CBOR bytes ← uploaded to permanent storage (§7 step 15)
Sealing and unlocking at the protocol layer (§7, §8) are unchanged below the wrapper boundary; the wrapper attaches at the seal() call site and detaches at the unlock() call site.
13.3 OuterWrapper Data Structure
struct OuterWrapper {
version: u8, // 0x01, see §12.4
qub_id: [u8; 32], // copied from inner SealedQub; AEAD AAD
nonce: [u8; 12], // 96-bit AEAD nonce
ciphertext: Vec<u8>, // AES-256-GCM(K, nonce, SealedQubCbor, AAD=qub_id) || 16-byte tag
}
Field invariants.
- version MUST equal 0x01 for v1.0 wrapper bytes.
- qub_id MUST equal the qub_id field of the SealedQub recovered after unwrapping. The unwrap step does not enforce this directly (the AEAD AAD binding makes byte-level tampering impossible), but the unlock layer verifies the relation transitively: if a creator wraps a SealedQubCbor whose inner qub_id does not match the wrapper's qub_id, §8 step 11 fails.
- nonce MUST be 96 bits (12 bytes), freshly generated from a CSPRNG for every wrap operation. Nonce reuse under the same key permits AEAD nonce-reuse attacks that recover plaintext; producers MUST treat (key, nonce) pairs as single-use.
- ciphertext is the AES-256-GCM output: the ciphertext bytes concatenated with the 16-byte authentication tag. ciphertext.len() == SealedQubCbor.len() + 16 exactly.
CBOR encoding. Canonical CBOR per §3, with the same key-ordering rule (by ascending encoded byte length, then lexicographically). The four keys are:
| Key | Encoded bytes | Order |
|---|---|---|
| nonce | 6 | 1 |
| qub_id | 7 | 2 |
| version | 8 | 3 |
| ciphertext | 11 | 4 |
The first byte of the OuterWrapper CBOR is therefore the definite-length map header for a 4-entry map (0xA4).
13.4 AAD Binding to qub_id
The wrapper binds qub_id as AEAD additional authenticated data. This is a load-bearing structural defence against three classes of attack:
| Attack | Defence |
|---|---|
| Moving ciphertext under a different qub_id field in the wrapper | AAD mismatch → AEAD authentication fails |
| Mixing qub A's URL fragment with qub B's permanent-storage bytes | AAD mismatch → AEAD authentication fails |
| Tampering with the wrapper's qub_id field after upload | AAD mismatch → AEAD authentication fails |
Carrying qub_id in the wrapper's plaintext does not meaningfully weaken enumeration immunity: qub_id is itself a SHA3-256 hash of the §4.1 preimage, with no preimage recoverable from the digest, and an enumerator who has already scraped the wrapper bytes learns nothing from the visible qub_id that could not have been inferred from the existence of the upload itself.
13.5 Wrap and Unwrap Algorithms
wrap_sealed_qub(SealedQubCbor S, qub_id Q, key K, nonce N):
require K.len() == 32 and N.len() == 12 and Q.len() == 32
C := AES_256_GCM_encrypt(key=K, nonce=N, msg=S, aad=Q)
// C includes the 16-byte authentication tag at the end
return canonical_cbor_encode(OuterWrapper{
version: 0x01,
qub_id: Q,
nonce: N,
ciphertext: C,
})
unwrap_sealed_qub(OuterWrapper bytes W, key K):
require K.len() == 32
O := canonical_cbor_decode(W) as OuterWrapper
require O.version == 0x01 // §12.4
P := AES_256_GCM_decrypt(
key=K, nonce=O.nonce, ciphertext=O.ciphertext, aad=O.qub_id
)
// any AEAD failure → DECRYPT_FAILED, indistinguishable to caller
return P // P is the inner SealedQubCbor
Failure-mode collapse. A wrong K, a wrong nonce, an AAD mismatch, and tampered ciphertext all produce the same DECRYPT_FAILED error. This is a deliberate AEAD property: distinguishing the failure mode would create a side channel that a remote attacker could probe by sending malformed wrappers and measuring response time. Reference implementations MUST collapse all AEAD failures into a single error shape.
13.6 Key Material and Distribution
The wrapping key K is a uniformly random 256-bit value generated per qub from a CSPRNG. Reference implementations draw it from these sources:
- WASM creator: getrandom (WebCrypto under the wasm_js backend).
- Server-Worker seal path: crypto.getRandomValues.
Distribution: K MUST be encoded as URL-safe base64 (RFC 4648 §5, without padding) and appended to the delivery URL as the fragment component:
delivery_url = <origin>/c/<arweave_tx_id>#<base64url(K)>
The fragment is never transmitted to any server by a conforming browser. Recovery channels (a server-side history index, optional self-send by e-mail) that persist the full delivery URL, fragment included, beyond the user's device are an explicit trade-off against the default crypto-shredded posture and MUST depend on explicit user consent.
Fragment loss. If a user loses the URL fragment and has no recovery channel, the qub is unreadable. This is a load-bearing design trade-off and MUST be disclosed to the user at seal time. The MVP reinforces the seal-time disclosure with explicit "save this URL" copy and a verified-e-mail recovery channel for users who opt in.
13.7 Out of Scope for This Section
- Author signature (§9) is unchanged: signatures are computed inside the inner QubEnvelope and recovered after unwrap → tlock decrypt → CBOR parse.
- Recipient-encrypted private qubs (a reserved second-tier capability, not yet specified) compose on top of this wrapper as a second confidentiality tier; both tiers can be active at once.
- Pacts (§6, content_type 0x03) are wrapped exactly like text qubs; the wrapper is byte-blind to the inner content type.
13.8 Public qubs (wrapper bypass)
The outer wrapper is optional at the delivery layer. A creator can seal a qub as public, in which case the canonical SealedQubCbor is written directly to permanent storage, with no OuterWrapper layer and no key K:
SealedQubCbor bytes ──(public)──▶ uploaded to permanent storage as-is
SealedQubCbor bytes ──(private)─▶ AES-256-GCM(K, …) ▶ OuterWrapper ▶ uploaded
A public qub is time-locked but not link-controlled: it remains unreadable until its drand round is published (the tlock layer is unchanged), but after unlock anyone who has the arweave_tx_id can decrypt it. No URL fragment is required, because there is no K. This is a deliberate trade-off for surfaces the server MUST drive: reveal-time notification e-mails, third-party embeds, and richer post-reveal SEO all require a link that works without a secret the server never holds (§13.6).
Effects a producer MUST account for:
- No enumeration immunity. Public qubs give up the §13.1 enumeration-immunity property by construction. The reference upload service stamps the permanent-storage tag Visibility: public on them (and on them only) so that they are deliberately discoverable; private qubs carry no such tag and retain their byte-indistinguishability.
- Plaintext title exposed at seal time. The §3.2 title field is plaintext inside SealedQubCbor. Under the wrapper it is hidden until a viewer supplies K; without the wrapper it is world-readable in permanent storage from the moment of upload, before unlock. Conforming creator applications MUST disclose this at seal time.
- Detection is structural. A conforming viewer/embed distinguishes the two shapes by parsing: bytes that parse as an OuterWrapper take the unwrap-with-K path; bytes that parse as a bare SealedQubCbor are accepted directly. No in-band flags are required, and qub_id does not bind visibility: the same content is byte-identical at the SealedQub layer whether sealed public or private.
Private (wrapped) remains the default; public is an explicit per-qub choice by the creator.
14. Test Vectors
14.1 qub_id Derivation
Input:
version = 0x01
content_type = 0x01
created_at = 1735689600 (2025-01-01 00:00:00 UTC)
unlock_at = 1736294400 (2025-01-08 00:00:00 UTC)
outcome_at = absent
drand_round = 4695445 (= (1736294400 - 1595431050) / 30, drand mainnet params §14.2)
body = "Hello, future." (UTF-8, 14 bytes)
title = absent
Intermediate:
body_hash = SHA3-256("Hello, future.")
= 76ab8b3f843c6ed4f2d0fd75b9f457b4
ad49dd4450f9c22723ae430e3af3211d
title_hash = [0u8; 32] (title absent — §4.2.1 sentinel)
Domain separator (10 bytes):
[0x51, 0x55, 0x42, 0x5F, 0x49, 0x44, 0x5F, 0x56, 0x32, 0x00]
Preimage (108 bytes — V1.2):
domain_separator || // 10 bytes
0x01 || // version
0x01 || // content_type
0x0000000067748580 || // created_at as i64 big-endian (1735689600)
0x00000000677DC000 || // unlock_at as i64 big-endian (1736294400)
0x0000000000000000 || // outcome_at_or_zero (outcome_at absent)
0x000000000047A595 || // drand_round as u64 big-endian (4695445)
body_hash || // 32 bytes
title_hash // 32 bytes (all-zeros sentinel; title absent)
Expected output:
qub_id = SHA3-256(preimage)
= 3a9fcb31b750d985c262fada6d4f777f
d6a28be831d941d85c131f5a4bbaf8a4
Implementations MUST produce identical body_hash and qub_id values for this input. This test vector SHOULD be the first unit test written. The canonical values above were computed by the reference implementation and MUST match bit for bit. Historical preimage layouts (pre-launch; no live qubs depended on these): the 92-byte V1.0 qub_id was 3d9fc2390eab043d38a1669ed3b71be76f9eefe872b9569ab1aaa027b88392b0; the 100-byte V1.1 qub_id (after outcome_at_or_zero was folded in) was b0d032898ad629795150fdcb3f84e518f59ed05b7a2a82bc24ebdb87f52144ed. V1.2 folds in drand_round and bumps the domain separator to QUB_ID_V2.
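The 108-byte V1.2 preimage laid out in code, together with the integer form of the §14.2 round mapping, as an added example that is not the reference implementation. Function names are assumptions, and the title hash is taken as a parameter because §4.2.1 is not reproduced in this part of the document; the result is compared with the values published above.

```python
import hashlib
import struct

QUB_ID_DOMAIN = b"QUB_ID_V2\x00"     # 10-byte V1.2 domain separator
ZERO_HASH = bytes(32)                # sentinel used when the title is absent

# Values published in §14.1 of this document.
PAGE_BODY_HASH = "76ab8b3f843c6ed4f2d0fd75b9f457b4ad49dd4450f9c22723ae430e3af3211d"
PAGE_QUB_ID = "3a9fcb31b750d985c262fada6d4f777fd6a28be831d941d85c131f5a4bbaf8a4"


def drand_round(unlock_at, genesis=1595431050, period=30):
    """ceil((unlock_at - genesis) / period) without going through floats."""
    if unlock_at < genesis:
        raise ValueError("unlock_at precedes chain genesis")
    return -((genesis - unlock_at) // period)


def qub_id_preimage(version, content_type, created_at, unlock_at, outcome_at,
                    round_no, body, title_hash=ZERO_HASH):
    """Concatenate the fields in the order listed in §14.1."""
    if len(title_hash) != 32:
        raise ValueError("title_hash must be 32 bytes")
    preimage = (
        QUB_ID_DOMAIN
        + bytes([version, content_type])
        + struct.pack(">q", created_at)                              # i64 big-endian
        + struct.pack(">q", unlock_at)                               # i64 big-endian
        + struct.pack(">q", 0 if outcome_at is None else outcome_at) # outcome_at_or_zero
        + struct.pack(">Q", round_no)                                # u64 big-endian
        + hashlib.sha3_256(body).digest()                            # body_hash
        + title_hash
    )
    if len(preimage) != 108:
        raise AssertionError("preimage layout drifted from §14.1")
    return preimage


def section_14_1_vector():
    """Recompute the §14.1 vector and report whether it matches the page."""
    unlock_at = 1736294400
    preimage = qub_id_preimage(0x01, 0x01, 1735689600, unlock_at, None,
                               drand_round(unlock_at), b"Hello, future.")
    body_hash = preimage[44:76].hex()
    qub_id = hashlib.sha3_256(preimage).hexdigest()
    return {
        "preimage": preimage,
        "body_hash": body_hash,
        "qub_id": qub_id,
        "body_hash_matches_page": body_hash == PAGE_BODY_HASH,
        "qub_id_matches_page": qub_id == PAGE_QUB_ID,
    }


if __name__ == "__main__":
    result = section_14_1_vector()
    for name in ("body_hash", "qub_id", "body_hash_matches_page", "qub_id_matches_page"):
        print(name, "=", result[name])
```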
14.2 Unlock-Round Mapping
Input:
unlock_at = 1735689600
chain_genesis_time = 1595431050
chain_period_seconds = 30
Calculation:
(1735689600 - 1595431050) / 30 = 4675285.0
ceil(4675285.0) = 4675285
drand_round = 4675285
14.3 Canonical CBOR Round Trip
Implementations MUST verify serialize(parse(serialize(qub))) == serialize(qub) for all valid inputs. This is a property test, not a single vector.
14.4 PactTerms CBOR (content_type 0x03)
Input:
pact_version = 1
title = "Scooter deposit"
terms = [
{ key: "Item", value: "Honda Metropolitan scooter" },
{ key: "Price", value: "$100" },
{ key: "Deposit", value: "$10" }
]
party_a = { label: "Alice" }
party_b = { label: "Bob", contact: "bob@example.com" }
notes = absent
Canonical CBOR key order (PactTerms):
"notes"(6) < "terms"(6) < "title"(6) < "party_a"(8) < "party_b"(8) < "pact_version"(13)
Canonical CBOR key order (PactTerm):
"key"(4) < "value"(6)
Canonical CBOR key order (PartyIdentifier):
"label"(6) < "contact"(8)
The canonical CBOR bytes and the SHA3-256 body_hash are computed by the reference implementation. Implementations MUST produce byte-identical CBOR for this input.
Implementations MUST also verify serialize(parse(serialize(pact))) == serialize(pact) for all valid PactTerms inputs (property test).
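The key-ordering rule stated in §13.3 and listed for PactTerms in §14.4 (ascending encoded length, then bytewise), shown with a small definite-length CBOR encoder; this is an added example, not the project's serializer. The value encodings (unsigned integer for version, byte strings for the byte fields) and the omission of absent optional fields are assumptions, since §3 is not reproduced here, so the bytes are illustrative and the fixtures remain authoritative.

```python
import unicodedata


def head(major, n):
    """CBOR initial byte plus the shortest-form argument (definite length)."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("value too large for CBOR")


def canonical_keys(keys):
    """Order map keys by encoded length first, then bytewise."""
    return sorted(keys, key=lambda k: (len(encode(k)), encode(k)))


def encode(value):
    """Encode unsigned ints, bytes, NFC text, lists and text-keyed maps."""
    if isinstance(value, bool):
        raise TypeError("booleans are outside this example")
    if isinstance(value, int):
        if value < 0:
            raise ValueError("negative integers are outside this example")
        return head(0, value)
    if isinstance(value, bytes):
        return head(2, len(value)) + value
    if isinstance(value, str):
        raw = unicodedata.normalize("NFC", value).encode("utf-8")
        return head(3, len(raw)) + raw
    if isinstance(value, list):
        return head(4, len(value)) + b"".join(encode(v) for v in value)
    if isinstance(value, dict):
        # Assumption: an absent optional field is omitted, not encoded as null.
        present = {k: v for k, v in value.items() if v is not None}
        body = b"".join(encode(k) + encode(present[k]) for k in canonical_keys(present))
        return head(5, len(present)) + body
    raise TypeError(f"unsupported type {type(value).__name__}")


def encode_outer_wrapper(qub_id, nonce, ciphertext):
    """Serialise the four OuterWrapper fields after checking the §13.3 lengths."""
    if len(qub_id) != 32 or len(nonce) != 12:
        raise ValueError("qub_id must be 32 bytes and nonce 12 bytes")
    if len(ciphertext) < 16:
        raise ValueError("ciphertext is shorter than the 16-byte tag")
    return encode({"version": 0x01, "qub_id": qub_id,
                   "nonce": nonce, "ciphertext": ciphertext})


# The §14.4 input, keys deliberately listed out of canonical order.
PACT_TERMS = {
    "pact_version": 1,
    "party_b": {"contact": "bob@example.com", "label": "Bob"},
    "party_a": {"label": "Alice"},
    "title": "Scooter deposit",
    "terms": [{"value": "Honda Metropolitan scooter", "key": "Item"},
              {"value": "$100", "key": "Price"},
              {"value": "$10", "key": "Deposit"}],
    "notes": None,
}

if __name__ == "__main__":
    print(canonical_keys(PACT_TERMS))
    print(encode_outer_wrapper(bytes(32), bytes(12), bytes(300))[:8].hex())
```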
14.5 Cross-Language Outer Wrapper Vectors
The outer wrapper (§13) has a separate canonical fixture at crates/qub-core/tests/vectors/wrapper_v1.json. Each case pins a (key, nonce, qub_id, sealed_cbor) tuple as opaque hex inputs and asserts a specific expected_wrapper_hex output. Both reference implementations consume the very same JSON file:
- Rust: crates/qub-core/tests/wrapper_vectors.rs (cargo test -p qub-core --test wrapper_vectors).
- TypeScript: workers/api/src/crypto/__tests__/wrapper.test.ts (npm test).
The fixture currently pins three cases:
| Case | Coverage |
|---|---|
| basic-text-public | Minimal realistic SealedQub shape; no optional fields. Establishes the canonical wrapper shape for a typical v1.0 qub. |
| with-recipient-pubkey | SealedQub with recipient_pubkey set (Phase 2 path). Different set of inner CBOR keys, different qub_id. |
| longer-body | ~4 KiB body; exercises multi-byte CBOR length prefixes in both the inner envelope and the outer ciphertext. |
Implementations MUST produce byte-identical expected_wrapper_hex for the recorded inputs. Regenerating the fixture requires QUB_REGEN_VECTORS=1 cargo test -p qub-core --test wrapper_vectors and is reserved for deliberate format changes.
15. Cryptographic Profile Governance (Future)
This section is informative for v1 and becomes normative the first time a second algorithm enters any qub cryptographic primitive.
15.1 Current Posture
Protocol v1 binds exactly one algorithm per primitive:
- Signature: ML-DSA-65 (sig_alg = 0x01; 1952-byte public key, 3309-byte signature) and unsigned (sig_alg = 0x00). The §9.2 table defines no other values; a v1 verifier MUST reject every sig_alg outside {0x00, 0x01}. A future Ed25519 entry is anticipated (§15.3) but is not allocated in v1.
- Time lock: drand quicknet only. The chain hash, public key, genesis time, and period are fixed network parameters carried by the reference DrandTimelockProvider::quicknet() (crates/qub-core/src/tlock.rs) and config/drand-endpoints.json.
- Outer wrapper: AES-256-GCM v1 only (§13).
Verifiers currently hard-code key and signature lengths per primitive. No agility surface is exposed by the wire format.
15.2 Intended Shape
When a second algorithm enters the protocol, the verifier will be configured for a named CryptoProfile (e.g., ExqubV1) enumerating the exact set of permitted values per primitive: sig_alg, drand chains, wrapper versions, content types. The profile is fixed at verification time, never negotiated in-band. Any value outside the active profile is rejected.
This ensures that adding ML-DSA-87 or activating Ed25519 cannot retroactively weaken existing verifier configurations: a v1 verifier remains a v1 verifier even after a v2 profile has been published.
15.3 Trigger Conditions
Promote §15 to normative status when any of the following is proposed:
- A second sig_alg byte (activation of Ed25519, ML-DSA-87, or any new entry in the §9 table).
- A second drand chain in production use.
- A second outer wrapper version.
Until then, §15 is a placeholder that pins the shape of the migration so that future PRs land against a known target rather than re-litigating the negotiation surface from scratch.