Compatibility
What CI proves — per runtime, per algorithm.
Every claim below is exercised by CI on every commit.
| Runtime | SHA-256 | Ed25519 | ECDSA P-256 | JCS |
|---|---|---|---|---|
| Node ≥ 20 | ✓ Web Crypto | ✓ Web Crypto | ✓ Web Crypto | ✓ RFC 8785 |
| Modern browsers | ✓ Web Crypto | ✓ Chromium 137+, Firefox 129+, Safari 17+ | ✓ Web Crypto | ✓ RFC 8785 |
| Ed25519 signatures may be hedged (Safari) — vectors pin verify direction only. | ||||
| Edge runtimes (Deno, Bun, Workers) | ✓ Web Crypto | ✓ where Web Crypto Ed25519 is enabled | ✓ Web Crypto | ✓ RFC 8785 |
| The recorder and verifier are runtime-agnostic; no Node built-ins. | ||||
Pinned vectors
The v1 test vectors are byte-pinned for every deterministic surface: canonicalization, commitments, tree structure, header leaves, receipt serialization. Signatures are pinned in the verify direction only — Ed25519 signatures may not be byte-identical across engines (WebKit hedges as side-channel hardening), but the pinned signature must verify everywhere.
Any implementation, in any language, that claims specification 1.0 conformance must recompute these vectors.