🚧 Reference implementation of the CBDO Core Engine (spec v0.1) — not production-ready
Consent-Based Data Object Core Engine — the active execution layer that transforms W3C Verifiable Credentials into policy-enforced, query-responsive verification systems.
Verifiers ask questions. The engine answers them. Credential data never leaves.
Author: William Brian Williams / Applicert
License: Apache 2.0 (code) | CC0 (specification)
Status: v0.1 — Reference Implementation (stub proof generator)
Spec: /spec/CBDO-Core-Engine-Spec-v0.1.md
Whitepaper: /docs/CBDO-Whitepaper-v4.1.pdf
The Core Engine is the middleware between a user's verifiable credential and any external party that wants to ask a question about it.
Instead of exposing a credential field (e.g. date of birth), a verifier submits a structured query (e.g. "is this person over 18?"). The engine evaluates it internally and returns only a minimized, cryptographically provable answer: true or false + a proof.
The date of birth never appears in any response. Ever.
Current verification systems require exposing raw data to prove simple claims — creating unnecessary privacy risk, storage liability, and regulatory burden.
The CBDO Core Engine demonstrates an alternative model:
- Verifiers receive only the answer they need (e.g.
true/false) - Raw credential data never leaves the user's control
- Every interaction is enforced by policy, consent, and cryptographic proof
This repository provides a working reference implementation of that model.
node demo/agepass-demo.jsNo dependencies required for the demo — the stub proof generator uses Node's built-in crypto module.
CoreEngine (orchestrator)
├── ProfileLoader — loads and validates profile schemas
├── QueryValidator — validates queries before any data access
├── ConsentEngine — state machine: UNKNOWN→PENDING→GRANTED/DENIED
├── ResponseMinimizer — strips responses to permitted fields only
├── ProofGenerator — ⚠ STUB: replace with BBS+/ZKP library
└── AuditLogger — append-only cryptographically chained log
Every query follows this exact sequence (never skipped or reordered):
- Receive query
- Load profile
- Validate query against profile schema
- Evaluate consent state
- Execute query against credential data internally
- Minimize response to permitted fields only
- Generate cryptographic proof
- Log to audit trail
- Return minimized response + proof
Credential data is accessed only in step 5. It never appears in output.
A profile defines what questions can be asked about a CBDO and how answers must be returned. Currently included:
| Profile | File | Status |
|---|---|---|
| AgePass v1 | src/profiles/agepass-v1.json |
✓ Complete |
| CareerPass v1 | — | Planned |
| MedPass v1 | — | Planned |
This is a reference implementation. The following components require replacement before production deployment:
src/engine/ProofGenerator.js contains a stub that produces non-cryptographic proofs. Replace with:
- BBS+ selective disclosure:
@mattrglobal/bbs-signaturesor W3C Data Integrity BBS cryptosuite - ZKP range proofs:
noble-curves(Bulletproofs) orsnarkjs(Groth16)
The choice of ZKP scheme requires cryptographic expert review. Do not self-select.
src/engine/QueryValidator.js stubs verifier signature verification. Production requires:
- DID resolution via
did-resolver - Verification method extraction from DID documents
- Signature verification over canonical query body
Current nonce store is in-memory. Production requires:
- Persistent backing store (Redis recommended)
- TTL-based expiry aligned with 24-hour window
The full technical specification is at /spec/CBDO-Core-Engine-Spec-v0.1.md.
It covers:
- Profile definition schema
- Query validation rules
- Consent state machine
- Response minimization rules
- Proof generation interface contract
- Audit log chain structure
- Controlled override protocol
- Security considerations
- Open questions for community review
The specification is released under CC0 1.0 (public domain) as a prior art disclosure and contribution toward an open Internet Standard.
This project is open source. The specification and all concepts are published as prior art under CC0. The code is Apache 2.0.
Contributions especially welcome for:
- ZKP scheme selection and implementation
- DID resolver integration
- Additional profile definitions
- Test suite expansion
- W3C Verifiable Credentials Data Model v2.0
- W3C Data Integrity BBS Cryptosuite
- Decentralized Identifiers (DIDs) v1.0
- W3C Credentials Community Group
This project is licensed under the Apache License 2.0.
© 2026 William Brian Williams / Applicert.
