Crew-object-Object/AnonPublish

📦 AnonPublish (ZK-Package-Provenance)

"The Blue Checkmark for NPM Packages — Without Doxxing the Maintainer."


🚨 The Problem

Supply chain attacks are exploding. The XZ Utils backdoor showed us how vulnerable our software supply chain really is. We desperately need to verify who publishes code.

Current Solution: NPM Provenance / Sigstore

The industry's answer is to cryptographically sign packages and link them to identities.

❌ The Fatal Flaw

It doxxes the maintainer.

To prove a package is safe, developers must publicly reveal their personal email (e.g., alice@ethereum.org). This forces privacy-conscious developers to make an impossible choice:

Option A                          Option B
🔒 Security (Verified Package)    🕵️ Privacy (Anonymous)
🚫 No Privacy                     🚫 No Verification

Why not both?


💡 The Solution

AnonPublish is a privacy-preserving verification layer for NPM packages.

It allows developers to cryptographically prove they belong to a trusted organization (like Google, Ethereum Foundation, or a DAO) when publishing a package — without revealing their specific identity.

✅ What We Enable

Feature                   Description
🛡️ Verified Publisher     Prove you're from a trusted org
🕵️ Anonymous Identity     Your personal email stays hidden
⛓️ On-Chain Attestation   Immutable, tamper-proof verification
🟢 Trust Badges           Visual verification on our frontend

⚙️ How It Works

┌─────────────────────────────────────────────────────────────────────────────┐
│                           AnonPublish Flow                                  │
└─────────────────────────────────────────────────────────────────────────────┘

    ┌──────────┐         ┌──────────┐         ┌──────────┐         ┌──────────┐
    │  Login   │   ──►   │ ZK-Proof │   ──►   │ On-Chain │   ──►   │  Badge   │
    │  (OIDC)  │         │   (CLI)  │         │ Registry │         │ Verified │
    └──────────┘         └──────────┘         └──────────┘         └──────────┘
         │                    │                    │                    │
         ▼                    ▼                    ▼                    ▼
   Google/GitHub         Generates ZK          Smart Contract      "Verified Org"
   Authentication        Proof Locally         Verifies Proof      on Frontend

Step-by-Step

  1. 🔐 Login

    • Developer logs in via Google/GitHub (standard OIDC)
    • Obtains a signed JWT token
  2. 🔮 ZK-Proof Generation

    • Our CLI takes the OIDC token and generates a Zero-Knowledge Proof
    • It proves: "I have a valid token from Google AND my email ends in @ethereum.org"
    • 🙈 It hides: The part before the @ (e.g., vitalik)
  3. ⛓️ On-Chain Registry

    • The proof is submitted to and verified by a Smart Contract
    • Creates an immutable attestation linking the package to a verified org
  4. 🏆 Result

    • The package gets a "Verified Org" badge on our frontend
    • The individual publisher remains completely anonymous

🗣️ Explain Like I'm 5

"Imagine a nightclub (NPM) that wants to keep out bad guys.

Right now, the bouncer demands to see your Full ID card (Name, Address, Photo) and posts it on the wall for everyone to see.

AnonPublish is a magic ID scanner. You scan your card, and it just flashes 'GREEN - Verified Employee', but keeps your name and photo completely invisible.

The club stays safe, and you stay private."


🛠️ Tech Stack

Component        Technology             Purpose
ZK Circuit       Circom + SnarkJS       Generate zero-knowledge proofs
ZK Libraries     @zk-email              OIDC token verification in ZK
CLI              Node.js / TypeScript   Wraps npm publish with ZK proof
Smart Contract   Solidity               On-chain proof verification
Frontend         Next.js                Display verification badges
Blockchain       Hardhat                Smart contract development

📁 Project Structure

ZK-NPM/
├── blockchain/           # Smart contracts & Hardhat config
│   ├── contracts/        # Solidity verifier contracts
│   ├── ignition/         # Deployment modules
│   └── test/             # Contract tests
│
├── frontend/             # Next.js dashboard
│   ├── src/
│   │   ├── app/          # App router pages
│   │   ├── components/   # UI components
│   │   └── lib/          # Utilities
│   └── ...
│
└── package.json          # Root package configuration

🚀 Getting Started

Prerequisites

  • Node.js >= 18
  • pnpm
  • A wallet (MetaMask recommended)

Installation

# Clone the repository
git clone https://github.com/Crew-object-Object/ZK-NPM.git
cd ZK-NPM

# Install dependencies
pnpm install

# Set up environment variables
cp .env.example .env

Running Locally

# Start the blockchain (local Hardhat node)
cd blockchain
pnpm hardhat node

# Deploy contracts
pnpm hardhat ignition deploy ./ignition/modules/Lock.ts

# Start the frontend
cd ../frontend
pnpm dev

Visit http://localhost:3000 to see the dashboard.


🏆 Why AnonPublish Wins

Criteria              How We Deliver
🎯 Real Problem       Solves the supply chain attack crisis
🧠 Deep Tech          Zero-Knowledge Proofs (Circom + SnarkJS)
🔐 Cypherpunk Ethos   Protects developer privacy
🌍 Usefulness         Enables "Anonymous Trust"
⛓️ Web3 Native        On-chain verification

The Core Innovation

"Anonymous Trust" — Users trust the Organization, not the Individual.


🔮 Future Roadmap

  • NPM Registry Integration (CLI plugin)
  • Multi-chain deployment (Base, Arbitrum, Polygon)
  • DAO membership verification
  • GitHub organization attestation
  • Browser extension for instant badge checking

👥 Team

Built with ❤️ at ETHIndia 2025 by Team [object Object]


📄 License

This project is licensed under the MIT License - see the LICENSE file for details.


🛡️ Verify Trust. Preserve Privacy. Ship Securely.