Evaluate @guardianproject/proofmode WASM package as parser/verifier replacement

[johnx25bd]

Context

We wrote a custom ProofMode bundle parser (src/parse/) that handles CSV metadata extraction, signal normalization, and bundle file categorization. Signature verification is stubbed (MVP checks format, not crypto).

Guardian Project publishes @guardianproject/proofmode (v0.5.0, npm, Jan 2026) — a Rust→WASM package that does everything our parser does plus real cryptographic verification:

• PGP signature verification (via pgp Rust crate)
• SHA-256 hash verification
• OpenTimestamps verification
• C2PA Content Credentials checking
• SafetyNet/DeviceCheck attestation validation
• EXIF metadata extraction

Source: https://gitlab.com/guardianproject/proofmode/proofmode-rust
npm: https://www.npmjs.com/package/@guardianproject/proofmode
Rust crate: https://crates.io/crates/proofmode (v0.3.2)

Task

1. Test Node.js compatibility: The README notes "runtime issues" in Node.js (WASM works in browsers). Install the package and try calling checkFiles() with a real ProofMode bundle in Node 18+. Document what works and what breaks.

2. Evaluate API surface: Their exports are checkFiles, checkCIDs, checkURLs, generate_proof_wasm, get_file_hash. Map these to our plugin interface needs:

   • Can checkFiles() output replace our parseBundle() + createStampFromBundle() pipeline?
   • Does the return value include parsed signals (lat/lon, timestamps, device info)?
   • Can we extract what we need for UnsignedLocationStamp from their result?

3. If it works: Refactor plugin-proofmode to use their package for parsing and verification, keeping our code as a thin adapter that maps their output to Astral's LocationStamp format. Our custom parser becomes a fallback or is removed.

4. If Node.js WASM doesn't work: Consider alternatives:

   • Build thin native Rust addon (their crate is on crates.io)
   • Use their Docker image as a sidecar
   • Use archived proofcheck-node (pure JS, uses openpgp v5) as reference for adding real PGP verification to our parser
   • Keep our parser for extraction, add openpgp for signature verification

Why this matters

Using their official package gives us:

• Real cryptographic verification instead of format-only stubs
• Cross-platform support maintained by the ProofMode team
• Automatic support for new ProofMode features (C2PA, etc.)
• Less code to maintain

[johnx25bd]

Spike results: @guardianproject/proofmode v0.5.0 in Node.js

Tested on Node.js v22.14.0 (macOS).

Import

• CJS require(): fails — package is "type": "module" only
• ESM import: fails with ERR_UNKNOWN_FILE_EXTENSION for .wasm
• ESM + --experimental-wasm-modules: works — all 5 exports available (checkFiles, checkCIDs, checkURLs, generate_proof_wasm, get_file_hash)

Runtime

checkFiles() expects browser File objects (with .name, .arrayBuffer(), etc.), not Uint8Array. After providing File-like shims:

PROGRESS: status
PROGRESS: status
RuntimeError: unreachable
    at wasm://wasm/01bd58ce:wasm-function[3305]:0x5722f6
    ...

The WASM binary panics (unreachable = Rust panic/abort). Likely cause: the Rust code calls browser-only APIs internally (possibly fetch, crypto.subtle, SubtleCrypto, or Web Workers) that don't exist in Node.js. No fallback — just aborts.

Conclusion

Not usable in Node.js today. The package was compiled for browser environments. It loads with an experimental flag but panics at runtime.

---

Pathways forward

Option 1: Use the Rust crate directly via native addon (recommended for production)

The proofmode crate (v0.3.2, crates.io) is the source of truth. We could:

• Build a thin Node.js native addon using napi-rs that wraps the crate's check_files function
• Publish as @astral/proofmode-node or similar
• This gives us real PGP verification, C2PA, OTS — everything the WASM has, but working in Node.js

Pros: Full verification, maintained by Guardian Project, cross-platform
Cons: Requires Rust toolchain to build, native addon distribution complexity

Option 2: Use openpgp.js for PGP verification only

The archived proofcheck-node used openpgp v5 for PGP signature verification. We could:

• Keep our current parser for bundle extraction and signal normalization
• Add openpgp (v6, MIT licensed) for real PGP signature verification
• Skip C2PA and OTS verification for now (add later)

Pros: Pure JS, no native deps, straightforward
Cons: Only covers PGP signatures, not the full verification suite

Option 3: Contribute Node.js support upstream

The proofmode-rust repo already has UniFFI bindings for Python, Ruby, and Swift. We could:

• Open an issue/MR on their GitLab to add napi-rs bindings
• Or fix the WASM build to polyfill missing browser APIs for Node.js (likely needs crypto.subtle → Node's crypto.webcrypto)

Pros: Benefits the whole ecosystem, maintained upstream
Cons: Depends on their review/merge timeline

Option 4: Docker sidecar

Run their WASM in a headless browser (Playwright/Puppeteer) or use their Docker image as a verification sidecar service.

Pros: Works today, no code changes to their package
Cons: Heavy dependency for what should be a library call, operational complexity

Recommendation

Short term (v0): Option 2 — add openpgp.js for real PGP signature verification. This covers the most important verification path for ProofMode bundles and keeps us pure JS.

Medium term (v1): Option 1 or 3 — native Rust addon or upstream contribution. This gives us the full verification suite.

[johnx25bd]

Option 5: Python UniFFI bindings (path of least resistance)

proofmode-rust already ships working Python UniFFI bindings, marked "production ready":

cd cli/python && ./setup_python_cli.sh && ./proofmode-cli

This calls the same Rust check_files as the WASM — real PGP, C2PA, OTS, hash verification — but through Python instead of a broken WASM/Node bridge.

Could be used as:

• A subprocess called from Node.js (child_process.exec)
• A small FastAPI sidecar alongside the service
• A standalone verification CLI in CI/E2E

Pros: Works today, full verification, no native addon build complexity for Node
Cons: Python runtime dependency, IPC overhead if called from Node

This may be the fastest path to real verification.