Artifact lifecycle
ProveKit is artifact-driven. A safe integration treats every generated key, proof, and recursive-verifier export as a versioned deployment object, with explicit provenance and strict pairing rules.
Artifact map
Section titled “Artifact map”| Artifact | Produced by | Consumed by | Stays paired with |
|---|---|---|---|
.pkp | provekit-cli prepare | prove, WASM/Swift/Kotlin/Rust provers | Matching .pkv, circuit source, hash choice, commit. |
.pkv | provekit-cli prepare | verify, show-inputs, generate-gnark-inputs, verifier server | Matching .pkp, the proof set, public input encoding. |
proof.np | provekit-cli prove | verify, show-inputs, generate-gnark-inputs | Matching .pkv, public inputs, witness provenance. |
params_for_recursive_verifier | generate-gnark-inputs | recursive-verifier/ | The exact .pkv and proof.np used to export it. |
r1cs.json | generate-gnark-inputs | recursive-verifier/, verifier server | The exact .pkv and proof.np used to export it. |
Lifecycle policy
Section titled “Lifecycle policy”Record provenance for every artifact set you intend to keep: branch, commit, Cargo.lock, rust-toolchain.toml, full command line, feature flags, hash choice, and checksums. That record is what lets you reproduce or audit the set later.
Verify locally before moving a proof or any artifact across a trust boundary. A verification failure at that point is a deployment-blocker, not a debugging step. Generate recursive inputs (params_for_recursive_verifier, r1cs.json) only after the base proof verifies; those exports are bound to the exact .pkv and proof.np they came from.
For the actual CLI commands, see Generate artifacts (explicit paths) or Quickstart (default paths).
When to regenerate
Section titled “When to regenerate”Regenerate every affected artifact when any of these inputs change:
- Git branch, commit, dependency lockfile, Rust toolchain, or relevant feature flags.
- Noir source, package selection, or workspace layout.
prepare --hashvalue.- Prover inputs (when a new proof is expected).
- The proof / verifier pair used for a recursive export.
- Serialization or transport changes affecting proof JSON or public input encoding.
Custody and storage
Section titled “Custody and storage”| File | Recommended handling |
|---|---|
.pkp | Restrict to trusted proving hosts. It enables proof generation for the prepared circuit. |
.pkv | Distributable to verifiers, but keep integrity-protected and versioned. |
proof.np / proof JSON | Transport through authenticated application channels; preserve public inputs byte-for-byte. |
Prover.toml / witnesses | Treat private witness values as sensitive unless your application explicitly defines them as public. |
Recursive params + r1cs.json | Keep with the exact proof / verifier pair that produced them. |
Deployment evidence
Section titled “Deployment evidence”Before publishing or accepting an artifact set, retain:
- SHA-256 checksums (or equivalent content hashes) for every file.
- The full CLI command lines used to generate them.
- A local
verifysuccess record. show-inputs --hexoutput reviewed by the application owner.- Negative-test evidence showing that mismatched or corrupted proofs are rejected.
- An owner and rotation plan for regenerating the set.