feat: add grantId/budgetId chain linkage and domain-separated signing

Adds explicit ID-based linkage through the MPCP authorization chain:
- SBA now requires and stores grantId (links to PolicyGrant)
- SPA now requires and stores budgetId (links to SBA)
- Verifier checks grantId/budgetId chain integrity at each step
- Domain-separated hashing: "MPCP:SBA:1.0:" and "MPCP:SPA:1.0:" prefixes

Also regenerates all golden test vectors and updates all tests to
provide the new required fields. Adds scripts/gen-vectors.mjs for
reproducible vector regeneration.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 2 people

examples/ev-charging/budget-auth.json

@@ -0,0 +1,26 @@
+{
+  "version": "1.0",
+  "budgetId": "baa7d916-a377-47ef-a0ad-ac35c748f15c",
+  "grantId": "5ad06052-234c-49e8-8719-3a6ca6b3965a",
+  "sessionId": "22222222-2222-4222-8222-222222222222",
+  "vehicleId": "ev-7890",
+  "policyHash": "a1b2c3d4e5f7",
+  "currency": "USD",
+  "minorUnit": 2,
+  "budgetScope": "SESSION",
+  "maxAmountMinor": "5000",
+  "allowedRails": [
+    "xrpl"
+  ],
+  "allowedAssets": [
+    {
+      "kind": "IOU",
+      "currency": "RLUSD",
+      "issuer": "rIssuer"
+    }
+  ],
+  "destinationAllowlist": [
+    "rChargingStation"
+  ],
+  "expiresAt": "2030-12-31T23:59:59Z"
+}

examples/ev-charging/generate.mjs

@@ -44,7 +44,7 @@ const { runVerify } = await import("../../dist/cli/verify.js");
 
 const EXPIRY = "2030-12-31T23:59:59Z";
 const SETTLEMENT_NOW = "2026-01-15T12:00:00Z";
-const policyHash = "ev-charging-policy-v1";
+const policyHash = "a1b2c3d4e5f7";
 
 // Charging station as destination
 const DESTINATION = "rChargingStation";
@@ -59,6 +59,7 @@ const policyGrant = createPolicyGrant({
 const budgetAuth = createBudgetAuthorization({
   sessionId: "22222222-2222-4222-8222-222222222222",
   vehicleId: "ev-7890",
+  grantId: policyGrant.grantId,
   policyHash,
   currency: "USD",
   maxAmountMinor: "5000",
@@ -71,6 +72,7 @@ const budgetAuth = createBudgetAuthorization({
 const signedBudgetAuth = createSignedBudgetAuthorization({
   sessionId: budgetAuth.sessionId,
   vehicleId: budgetAuth.vehicleId,
+  grantId: policyGrant.grantId,
   policyHash: budgetAuth.policyHash,
   currency: budgetAuth.currency,
   maxAmountMinor: budgetAuth.maxAmountMinor,
@@ -115,7 +117,7 @@ const paymentPolicyDecision = {
 const signedPaymentAuth = createSignedPaymentAuthorization(
   budgetAuth.sessionId,
   paymentPolicyDecision,
-  { settlementIntent: intent },
+  { settlementIntent: intent, budgetId: signedBudgetAuth.authorization.budgetId },
 );
 
 if (!signedPaymentAuth) throw new Error("Failed to create SPA");

examples/ev-charging/payment-policy-decision.json

@@ -0,0 +1,40 @@
+{
+  "decisionId": "dec-ev-1",
+  "policyHash": "a1b2c3d4e5f7",
+  "action": "ALLOW",
+  "reasons": [
+    "OK"
+  ],
+  "expiresAtISO": "2030-12-31T23:59:59Z",
+  "rail": "xrpl",
+  "asset": {
+    "kind": "IOU",
+    "currency": "RLUSD",
+    "issuer": "rIssuer"
+  },
+  "priceFiat": {
+    "amountMinor": "2500",
+    "currency": "USD"
+  },
+  "chosen": {
+    "rail": "xrpl",
+    "quoteId": "q1"
+  },
+  "settlementQuotes": [
+    {
+      "quoteId": "q1",
+      "rail": "xrpl",
+      "amount": {
+        "amount": "25000000",
+        "decimals": 6
+      },
+      "destination": "rChargingStation",
+      "expiresAt": "2030-12-31T23:59:59Z",
+      "asset": {
+        "kind": "IOU",
+        "currency": "RLUSD",
+        "issuer": "rIssuer"
+      }
+    }
+  ]
+}

examples/ev-charging/policy-grant.json

@@ -0,0 +1,15 @@
+{
+  "grantId": "5ad06052-234c-49e8-8719-3a6ca6b3965a",
+  "policyHash": "a1b2c3d4e5f7",
+  "expiresAt": "2030-12-31T23:59:59Z",
+  "allowedRails": [
+    "xrpl"
+  ],
+  "allowedAssets": [
+    {
+      "kind": "IOU",
+      "currency": "RLUSD",
+      "issuer": "rIssuer"
+    }
+  ]
+}

examples/ev-charging/settlement-bundle.json

@@ -0,0 +1,134 @@
+{
+  "settlement": {
+    "amount": "25000000",
+    "rail": "xrpl",
+    "asset": {
+      "kind": "IOU",
+      "currency": "RLUSD",
+      "issuer": "rIssuer"
+    },
+    "destination": "rChargingStation",
+    "nowISO": "2026-01-15T12:00:00Z"
+  },
+  "settlementIntent": {
+    "version": "1.0",
+    "rail": "xrpl",
+    "amount": "25000000",
+    "createdAt": "2026-01-15T12:00:00Z",
+    "destination": "rChargingStation",
+    "asset": {
+      "kind": "IOU",
+      "currency": "RLUSD",
+      "issuer": "rIssuer"
+    }
+  },
+  "spa": {
+    "authorization": {
+      "version": "1.0",
+      "decisionId": "dec-ev-1",
+      "sessionId": "22222222-2222-4222-8222-222222222222",
+      "policyHash": "a1b2c3d4e5f7",
+      "budgetId": "a3dc0432-5a64-4d64-89ea-de61a3eede3e",
+      "quoteId": "q1",
+      "rail": "xrpl",
+      "asset": {
+        "kind": "IOU",
+        "currency": "RLUSD",
+        "issuer": "rIssuer"
+      },
+      "amount": "25000000",
+      "destination": "rChargingStation",
+      "intentHash": "62b57f4ca753d014bca80b82cac2c7ca33850e3697c4707e636326e365c58687",
+      "expiresAt": "2030-12-31T23:59:59Z"
+    },
+    "signature": "+Oz+9+eGK32BeGW8FON0hj66wcPhN23TZ9xec9HZfLwC2oeKMDLBFZZCYTIh0Me8AxJbKQ0Jv+lOU6ZsIKOrDA==",
+    "keyId": "mpcp-spa-signing-key-1"
+  },
+  "sba": {
+    "authorization": {
+      "version": "1.0",
+      "budgetId": "a3dc0432-5a64-4d64-89ea-de61a3eede3e",
+      "grantId": "5ad06052-234c-49e8-8719-3a6ca6b3965a",
+      "sessionId": "22222222-2222-4222-8222-222222222222",
+      "vehicleId": "ev-7890",
+      "policyHash": "a1b2c3d4e5f7",
+      "currency": "USD",
+      "minorUnit": 2,
+      "budgetScope": "SESSION",
+      "maxAmountMinor": "5000",
+      "allowedRails": [
+        "xrpl"
+      ],
+      "allowedAssets": [
+        {
+          "kind": "IOU",
+          "currency": "RLUSD",
+          "issuer": "rIssuer"
+        }
+      ],
+      "destinationAllowlist": [
+        "rChargingStation"
+      ],
+      "expiresAt": "2030-12-31T23:59:59Z"
+    },
+    "signature": "WT0EExkYrd9KmjNtxR92YKfLOdpdLbgVAPuwZoP7+f+uioGz+N30kQICJAnIAB8mo8dacQz1otJZz17EfSCPCg==",
+    "keyId": "mpcp-sba-signing-key-1"
+  },
+  "policyGrant": {
+    "grantId": "5ad06052-234c-49e8-8719-3a6ca6b3965a",
+    "policyHash": "a1b2c3d4e5f7",
+    "expiresAt": "2030-12-31T23:59:59Z",
+    "allowedRails": [
+      "xrpl"
+    ],
+    "allowedAssets": [
+      {
+        "kind": "IOU",
+        "currency": "RLUSD",
+        "issuer": "rIssuer"
+      }
+    ]
+  },
+  "paymentPolicyDecision": {
+    "decisionId": "dec-ev-1",
+    "policyHash": "a1b2c3d4e5f7",
+    "action": "ALLOW",
+    "reasons": [
+      "OK"
+    ],
+    "expiresAtISO": "2030-12-31T23:59:59Z",
+    "rail": "xrpl",
+    "asset": {
+      "kind": "IOU",
+      "currency": "RLUSD",
+      "issuer": "rIssuer"
+    },
+    "priceFiat": {
+      "amountMinor": "2500",
+      "currency": "USD"
+    },
+    "chosen": {
+      "rail": "xrpl",
+      "quoteId": "q1"
+    },
+    "settlementQuotes": [
+      {
+        "quoteId": "q1",
+        "rail": "xrpl",
+        "amount": {
+          "amount": "25000000",
+          "decimals": 6
+        },
+        "destination": "rChargingStation",
+        "expiresAt": "2030-12-31T23:59:59Z",
+        "asset": {
+          "kind": "IOU",
+          "currency": "RLUSD",
+          "issuer": "rIssuer"
+        }
+      }
+    ]
+  },
+  "sbaPublicKeyPem": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAT0Oq22kLSptosoBNSpYLDWuufSm8upVS5WTUal6d8CM=\n-----END PUBLIC KEY-----\n",
+  "spaPublicKeyPem": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAy2za2OJ7PYHyQ6ARF/ynBlgmVKvH8YFEmsPCMW7jApc=\n-----END PUBLIC KEY-----\n"
+}

examples/ev-charging/settlement-intent.json

@@ -0,0 +1,12 @@
+{
+  "version": "1.0",
+  "rail": "xrpl",
+  "amount": "25000000",
+  "createdAt": "2026-01-15T12:00:00Z",
+  "destination": "rChargingStation",
+  "asset": {
+    "kind": "IOU",
+    "currency": "RLUSD",
+    "issuer": "rIssuer"
+  }
+}

examples/ev-charging/settlement.json

@@ -0,0 +1,11 @@
+{
+  "amount": "25000000",
+  "rail": "xrpl",
+  "asset": {
+    "kind": "IOU",
+    "currency": "RLUSD",
+    "issuer": "rIssuer"
+  },
+  "destination": "rChargingStation",
+  "nowISO": "2026-01-15T12:00:00Z"
+}

examples/ev-charging/signed-budget-auth.json

@@ -0,0 +1,30 @@
+{
+  "authorization": {
+    "version": "1.0",
+    "budgetId": "a3dc0432-5a64-4d64-89ea-de61a3eede3e",
+    "grantId": "5ad06052-234c-49e8-8719-3a6ca6b3965a",
+    "sessionId": "22222222-2222-4222-8222-222222222222",
+    "vehicleId": "ev-7890",
+    "policyHash": "a1b2c3d4e5f7",
+    "currency": "USD",
+    "minorUnit": 2,
+    "budgetScope": "SESSION",
+    "maxAmountMinor": "5000",
+    "allowedRails": [
+      "xrpl"
+    ],
+    "allowedAssets": [
+      {
+        "kind": "IOU",
+        "currency": "RLUSD",
+        "issuer": "rIssuer"
+      }
+    ],
+    "destinationAllowlist": [
+      "rChargingStation"
+    ],
+    "expiresAt": "2030-12-31T23:59:59Z"
+  },
+  "signature": "WT0EExkYrd9KmjNtxR92YKfLOdpdLbgVAPuwZoP7+f+uioGz+N30kQICJAnIAB8mo8dacQz1otJZz17EfSCPCg==",
+  "keyId": "mpcp-sba-signing-key-1"
+}

examples/ev-charging/spa.json

@@ -0,0 +1,22 @@
+{
+  "authorization": {
+    "version": "1.0",
+    "decisionId": "dec-ev-1",
+    "sessionId": "22222222-2222-4222-8222-222222222222",
+    "policyHash": "a1b2c3d4e5f7",
+    "budgetId": "a3dc0432-5a64-4d64-89ea-de61a3eede3e",
+    "quoteId": "q1",
+    "rail": "xrpl",
+    "asset": {
+      "kind": "IOU",
+      "currency": "RLUSD",
+      "issuer": "rIssuer"
+    },
+    "amount": "25000000",
+    "destination": "rChargingStation",
+    "intentHash": "62b57f4ca753d014bca80b82cac2c7ca33850e3697c4707e636326e365c58687",
+    "expiresAt": "2030-12-31T23:59:59Z"
+  },
+  "signature": "+Oz+9+eGK32BeGW8FON0hj66wcPhN23TZ9xec9HZfLwC2oeKMDLBFZZCYTIh0Me8AxJbKQ0Jv+lOU6ZsIKOrDA==",
+  "keyId": "mpcp-spa-signing-key-1"
+}

examples/machine-commerce/demo-fleet.mjs

@@ -88,6 +88,7 @@ const policyGrant = createPolicyGrant({
 const budgetAuth = createBudgetAuthorization({
   sessionId: "22222222-2222-4222-8222-222222222222",
   vehicleId: "veh-robotaxi-001",
+  grantId: policyGrant.grantId,
   policyHash,
   currency: "USD",
   maxAmountMinor: "3000",
@@ -104,6 +105,7 @@ log("[Vehicle Agent] Generating SettlementIntent and SPA");
 const signedBudgetAuth = createSignedBudgetAuthorization({
   sessionId: budgetAuth.sessionId,
   vehicleId: budgetAuth.vehicleId,
+  grantId: policyGrant.grantId,
   policyHash: budgetAuth.policyHash,
   currency: budgetAuth.currency,
   maxAmountMinor: budgetAuth.maxAmountMinor,
@@ -145,7 +147,7 @@ const paymentPolicyDecision = {
 const signedPaymentAuth = createSignedPaymentAuthorization(
   budgetAuth.sessionId,
   paymentPolicyDecision,
-  { settlementIntent: intent },
+  { settlementIntent: intent, budgetId: signedBudgetAuth.authorization.budgetId },
 );
 if (!signedPaymentAuth) throw new Error("Failed to create SPA");
 log(`  ✓ SPA signed: amount=${intent.amount}, destination=${intent.destination}`);