ARR SDK
Create, sign, embed, and verify ARR attestations
1. Installation
ARR packages are published to npm and available for install.
Install from npm
npm install @allrightsrespected/sdk
npm install -g @allrightsrespected/cliPackage Names
@allrightsrespected/sdk
@allrightsrespected/cliRepository Workflow (Contributors)
git clone https://github.com/kanoliban/All-Rights-Respected.git
cd All-Rights-Respected
npm install
npm run buildImplementation Location
packages/arr-core # protocol + adapters
packages/arr-cli # CLI entrypoint
fixtures/conformance/v0.1Requirements
- Node.js 18+ (Node LTS recommended)
- TypeScript 5.x
Ed25519 only. PNG/JPEG metadata and sidecar files only. No browser bundles yet.
2. Quick Start
Create and sign your first attestation in a few lines of code:
import { generateKeyPair, signAttestation, verifyAttestation } from '@allrightsrespected/sdk';
// Generate a new Ed25519 keypair
const { privateKeyPem, publicKeyPem, creator } = generateKeyPair();
// Create an attestation
const attestation = {
version: 'arr/0.1',
id: crypto.randomUUID(),
created: new Date().toISOString(),
creator: creator,
intent: 'Album cover for indie rock EP',
tool: 'midjourney/6.1',
revocable: true
};
// Sign it
const signed = signAttestation(attestation, privateKeyPem);
console.log(signed);
// {
// attestation: { version: 'arr/0.1', id: '...', ... },
// signature: 'ed25519:kF2h9Jx3mN7pQr...'
// }Verify an Attestation
import { verifyAttestation } from '@allrightsrespected/sdk';
const result = verifyAttestation(signed, publicKeyPem);
if (result.valid) {
console.log('Attestation is valid.');
console.log(`Expired: ${result.expired}`);
} else {
console.log(`Invalid: ${result.reason}`);
}3. Signing Attestations
M1 supports Ed25519 only.
3.1 Ed25519 (Recommended)
import { generateKeyPair, signAttestation } from '@allrightsrespected/sdk';
// Generate Ed25519 keypair
const keys = generateKeyPair();
// Sign with private key
const signed = signAttestation(attestation, keys.privateKeyPem);3.2 Planned Algorithms (Not in M1)
ecdsa-p256, rsa-sha256Never expose private keys in client-side code or commit them to version control. Use environment variables or secure key management systems.
4. API Reference
Attestation Object (Build Manually in M1)
M1 does not ship a createAttestation() helper. Build the unsigned attestation object directly before signing.
| Field | Type | Required | Description |
|---|---|---|---|
creator |
string | Yes | Creator identifier (hash, pubkey, DID, or URL) |
intent |
string | No | Human-readable description of creative intent |
tool |
string | No | Tool used (format: name/version) |
upstream |
string[] | No | IDs of upstream attestations |
expires |
string | Date | No | Expiration date (no automatic default is injected by M1 tooling) |
license |
string | No | SPDX license identifier or URL |
extensions |
object | No | Custom fields for platform-specific data |
signAttestation(attestation, privateKeyPem)
Signs an attestation and returns the complete signed object.
| Parameter | Type | Description |
|---|---|---|
attestation |
Attestation | Unsigned attestation object |
privateKeyPem |
string | PEM-encoded Ed25519 private key |
verifyAttestation(signed, publicKey)
Verifies a signed attestation.
interface VerificationResult {
valid: boolean;
expired?: boolean;
reason?: 'invalid_signature' | 'unsupported_version' | 'malformed' | 'missing_public_key';
}embedAttestationInMetadata(file, signed)
Embeds a signed attestation into PNG/JPEG metadata.
const embeddedFile = embedAttestationInMetadata(imageBuffer, signed);
// Write to disk
await fs.writeFile('artwork-with-arr.png', embeddedFile);extractAttestationFromMetadata(file)
Extracts an attestation from PNG/JPEG metadata.
const extracted = extractAttestationFromMetadata(imageBuffer);
const signed = extracted?.signed;
if (signed) {
console.log(signed.attestation.creator);
console.log(signed.attestation.intent);
}5. Schema Definition
The complete TypeScript type definitions for ARR attestations:
interface Attestation {
version: 'arr/0.1';
id: string; // UUID v4
created: string; // ISO-8601 timestamp
creator: string; // Creator identifier
intent?: string; // Creative intent description
tool?: string; // Tool name/version
upstream?: string[]; // Upstream attestation IDs
expires?: string; // ISO-8601 date
revocable?: boolean; // Default: true
license?: string; // SPDX identifier or URL
extensions?: Record<string, unknown>;
}
interface SignedAttestation {
attestation: Attestation;
signature: string; // algorithm:base64-signature
}
type CreatorIdentifier =
| `hash:sha256:${string}`
| `pubkey:ed25519:${string}`
| `pubkey:ecdsa-p256:${string}`
| `did:${string}`
| `https://${string}`
| `email:sha256:${string}`;The protocol schema allows broader identifier formats, but the shipped M1 verifier performs automatic key discovery only for pubkey:ed25519:....
JSON Schema
For canonical schema details, see Section 2 of SPEC.md in the repository.
6. Supported Formats
M1 format support in the shipped implementation:
| Format | Extensions | Embedding Method | Status |
|---|---|---|---|
| JPEG | .jpg, .jpeg |
XMP metadata | Supported |
| PNG | .png |
iTXt chunk (arr.attestation) |
Supported |
| WebP | .webp |
XMP metadata | Planned |
.pdf |
XMP metadata stream | Planned | |
| MP3 | .mp3 |
ID3v2 TXXX:ARR tag | Planned |
| FLAC | .flac |
Vorbis comment | Planned |
| MP4 | .mp4, .m4a |
XMP metadata | Planned |
| Any | * |
Sidecar file (.arr) |
Supported |
Sidecar Files
For formats that don't support metadata embedding, use sidecar files:
artwork.png
artwork.png.arr # JSON attestation fileimport { writeSidecar, readSidecar } from '@allrightsrespected/sdk';
// Write sidecar
await writeSidecar('./artwork.png', signed);
// Read sidecar
const attestation = await readSidecar('./artwork.png');When distributing work with sidecar attestations, include both the original file and the .arr sidecar file together. For current implementation details, see packages/arr-core and packages/arr-cli in this repository.