2.0.0 docs update (#34)

* 2.0.0 docs update

* ballotClosePayloads

Author: Tenemo

README.md

@@ -94,7 +94,7 @@ The cryptographic threshold is derived internally from the accepted registration
 
 There is no supported `n-of-n` mode and no supported public `k-of-n` configuration.
 
-Transcript verification requires key-derivation confirmations from every qualified participant.
+Transcript verification requires `key-derivation-confirmation` payloads from every qualified participant. In the current design those unanimous confirmations are part of verifier soundness: the library does not implement a public post-Feldman complaint/reconstruction phase, so the DKG verifier is participant-confirmed rather than fully public-data-only. Lowering confirmation acceptance to threshold-many is out of scope unless that missing public consistency machinery is added.
 
 See [Honest-majority voting flow](https://tenemo.github.io/threshold-elgamal/guides/three-participant-voting-flow/) for the full phase-by-phase transcript.
 
@@ -130,7 +130,7 @@ const rosterHash = await hashRosterEntries([
 const manifest = createElectionManifest({
     rosterHash,
     optionList: ["Option A", "Option B"],
-    scoreRange: { min: 1, max: 10 },
+    scoreRange: { min: 0, max: 5 },
 });
 
 const manifestHash = await hashElectionManifest(manifest);
@@ -145,6 +145,10 @@ console.log(majorityThreshold(3)); // 2
 console.log(sessionId.length); // 64
 ```
 
+The example uses `0..5` only as one concrete score range. The supported rule is
+one manifest-declared contiguous range with non-negative bounds and
+`scoreRange.max <= 100`.
+
 If your application consumes a complete public board, start with [Verifying a public board](https://tenemo.github.io/threshold-elgamal/guides/verifying-a-public-board/) and then move directly to the verifier entry point:
 
 ```typescript
@@ -158,7 +162,7 @@ const bundle: VerifyElectionCeremonyInput = {
     sessionId,
     dkgTranscript,
     ballotPayloads,
-    ballotClosePayload,
+    ballotClosePayloads: [ballotClosePayload],
     decryptionSharePayloads,
     tallyPublications,
 };
@@ -173,6 +177,8 @@ if (!result.ok) {
 }
 ```
 
+Pass the full published `ballot-close` slot in `ballotClosePayloads`, even when the normal case is one organizer payload. The verifier audits that slot, collapses only exact retransmissions, and requires exactly one accepted close record.
+
 The root package exposes the builders and lower-level helpers required for the documented ceremony, including:
 
 - manifest publication

docs/src/content/docs/guides/browser-and-worker-usage.md

@@ -57,7 +57,7 @@ const rosterHash = await hashRosterEntries(
 const manifest = createElectionManifest({
     rosterHash,
     optionList: ["Budget", "Hiring"],
-    scoreRange: { min: 1, max: 10 },
+    scoreRange: { min: 0, max: 5 },
 });
 
 const manifestHash = await hashElectionManifest(manifest);
@@ -128,6 +128,9 @@ console.log(acceptance.payload.messageType);
 console.log(new TextDecoder().decode(decrypted));
 ```
 
+This example uses `0..5` only as sample data. The supported rule is still one
+manifest-declared contiguous score range with `scoreRange.max <= 100`.
+
 This covers the browser-native pieces most applications need first:
 
 - auth and transport key generation

docs/src/content/docs/guides/getting-started.md

@@ -36,7 +36,7 @@ const bundle: VerifyElectionCeremonyInput = {
     sessionId,
     dkgTranscript,
     ballotPayloads,
-    ballotClosePayload,
+    ballotClosePayloads: [ballotClosePayload],
     decryptionSharePayloads,
     tallyPublications,
 };
@@ -53,7 +53,7 @@ if (!result.ok) {
 }
 ```
 
-Use `verifyElectionCeremony(...)` when you want the same checks but prefer exceptions over a structured result.
+Use `verifyElectionCeremony(...)` when you want the same checks but prefer exceptions over a structured result. Pass the full published `ballot-close` slot in `ballotClosePayloads`, even when that slot only contains one organizer payload.
 
 ## What to persist in your application
 

docs/src/content/docs/guides/three-participant-voting-flow.md

@@ -58,7 +58,7 @@ const rosterHash = await hashRosterEntries([
 const manifest = createElectionManifest({
     rosterHash,
     optionList: ["Option A", "Option B", "Option C"],
-    scoreRange: { min: 1, max: 10 },
+    scoreRange: { min: 0, max: 5 },
 });
 
 const manifestHash = await hashElectionManifest(manifest);
@@ -72,6 +72,10 @@ const sessionId = await deriveSessionId(
 console.log(majorityThreshold(3)); // 2
 ```
 
+This example uses `0..5` only as sample data. The supported rule is one
+manifest-declared contiguous score range with non-negative bounds and
+`scoreRange.max <= 100`.
+
 The manifest does not carry `participantCount`, `reconstructionThreshold`, publication floors, or deadline metadata. It does carry one explicit global `scoreRange`. The verifier derives `n` from the accepted registration roster and derives `k` internally as `ceil(n / 2)`.
 
 ## Supported public flow helpers

docs/src/content/docs/guides/verifying-a-public-board.md

@@ -15,10 +15,12 @@ The full verifier consumes one `VerifyElectionCeremonyInput` bundle:
 - `sessionId`
 - `dkgTranscript`
 - `ballotPayloads`
-- `ballotClosePayload`
+- `ballotClosePayloads`
 - `decryptionSharePayloads`
 - `tallyPublications` if you want published tally records checked against the recomputed tallies
 
+`ballotClosePayloads` must contain the full published `ballot-close` board slot, not a prefiltered close record. The verifier audits that slot, collapses only exact retransmissions, and requires exactly one accepted close payload after audit.
+
 If `tallyPublications` is omitted or empty, the verifier still replays the DKG, ballot, and decryption-share flow and still recomputes per-option tallies locally.
 
 ## Use the non-throwing verifier first
@@ -34,7 +36,7 @@ const bundle: VerifyElectionCeremonyInput = {
     sessionId,
     dkgTranscript,
     ballotPayloads,
-    ballotClosePayload,
+    ballotClosePayloads,
     decryptionSharePayloads,
     tallyPublications,
 };
@@ -55,6 +57,15 @@ console.log(result.verified.boardAudit.overall.fingerprint);
 
 This is usually the best application entry point because it gives you a stable `stage`, `code`, and `reason` without exception handling.
 
+## What the DKG verifier assumes
+
+`verifyElectionCeremony(...)` delegates DKG validation to `verifyDKGTranscript(...)`, which currently consumes:
+
+- the public signed DKG transcript
+- `key-derivation-confirmation` payloads from every qualified participant
+
+This verifier does not implement a public post-Feldman complaint/reconstruction phase. That means the current DKG check is participant-confirmed transcript verification, not the stronger fully public-data-only variant sometimes described in the GJKR literature. Lowering confirmation acceptance to threshold-many is out of scope unless that missing public consistency machinery is added.
+
 ## Use the throwing verifier when failure should abort immediately
 
 ```typescript

src/dkg/verification.ts

@@ -1487,10 +1487,17 @@ const verifyCheckpointedDKGTranscript = async (
 /**
  * Verifies a DKG transcript, its signatures, Feldman extraction proofs, the
  * exact claimed threshold degree, accepted complaint outcomes, the DKG
- * transcript hash, and the announced joint public key.
+ * transcript hash, the announced joint public key, and unanimous qualified
+ * participant key confirmations.
  *
  * This is the DKG-specific verifier that the full ceremony verifier delegates
- * to before it touches ballots or tally material.
+ * to before it touches ballots or tally material. It consumes a public signed
+ * transcript plus `key-derivation-confirmation` payloads from every qualified
+ * participant. It does not implement a public post-Feldman
+ * complaint/reconstruction phase, so it is a participant-confirmed transcript
+ * verifier rather than a fully public-data-only GJKR verifier. Lowering this
+ * requirement to threshold-many confirmations is out of scope unless that
+ * missing public consistency machinery is added.
  */
 export const verifyDKGTranscript = async (
     input: VerifyDKGTranscriptInput,

src/protocol/types.ts

@@ -173,7 +173,7 @@ export type FeldmanCommitmentPayload = BaseProtocolPayload & {
 };
 
 /**
- * Final key-derivation confirmation payload for the derived joint key.
+ * Final participant confirmation payload for the derived joint key.
  */
 export type KeyDerivationConfirmation = BaseProtocolPayload & {
     readonly messageType: 'key-derivation-confirmation';
@@ -348,14 +348,15 @@ export type VerifyDecryptionSharePayloadsByOptionInput = {
  * Input bundle for full ceremony verification across all published options.
  *
  * This is the top-level verifier input that an auditor or bulletin-board
- * reader supplies when replaying a full ceremony.
+ * reader supplies when replaying a full ceremony from the published board,
+ * including the full ballot-close slot instead of a preselected close record.
  */
 export type VerifyElectionCeremonyInput = {
     readonly manifest: ElectionManifest;
     readonly sessionId: string;
     readonly dkgTranscript: readonly SignedPayload[];
     readonly ballotPayloads: readonly SignedPayload<BallotSubmissionPayload>[];
-    readonly ballotClosePayload: SignedPayload<BallotClosePayload>;
+    readonly ballotClosePayloads: readonly SignedPayload<BallotClosePayload>[];
     readonly decryptionSharePayloads: readonly SignedPayload<DecryptionSharePayload>[];
     readonly tallyPublications?: readonly SignedPayload<TallyPublicationPayload>[];
 };

src/protocol/voting-ballots.ts

@@ -76,9 +76,10 @@ const verifyAuditedBallotSubmissionPayloadsByOption = async (input: {
  * Verifies typed ballot-submission payloads and recomputes one aggregate tally
  * ciphertext per manifest option.
  *
- * This is the public entry point for applications that already have
- * signature-checked ballot payloads and want the per-option verified
- * ciphertext aggregates that feed threshold decryption.
+ * This is the public entry point for applications that already collected
+ * signed ballot payloads and want the per-option verified ciphertext
+ * aggregates that feed threshold decryption. The helper re-audits the signed
+ * payloads before it decodes and aggregates them.
  */
 export const verifyBallotSubmissionPayloadsByOption = async (
     input: VerifyBallotSubmissionPayloadsByOptionInput,

src/protocol/voting-decryption.ts

@@ -189,7 +189,8 @@ const verifyAuditedDecryptionSharePayloadsByOption = async (input: {
  *
  * This is the public entry point for applications that have already accepted a
  * DKG transcript and verified ballot aggregates and now need to validate the
- * published threshold shares.
+ * published threshold shares. The helper re-audits the signed share payloads
+ * before it groups and verifies them.
  */
 export const verifyDecryptionSharePayloadsByOption = async (
     input: VerifyDecryptionSharePayloadsByOptionInput,

src/protocol/voting-verification.ts

@@ -3,7 +3,7 @@
  *
  * This module is the shortest path for auditors and bulletin-board readers who
  * want one call that replays manifest validation, board audit, DKG, ballots,
- * decryption shares, and tally checks.
+ * the full ballot-close slot, decryption shares, and tally checks.
  */
 import { InvalidPayloadError } from '../core/index';
 import { decodeScalar } from '../core/ristretto';
@@ -364,8 +364,8 @@ const verifyBallotClosePayload = (input: {
 
 /**
  * Replays the published ceremony from manifest to tally, including board audit,
- * DKG verification, ballot verification, decryption-share verification, and
- * per-option tally checks.
+ * DKG verification, full ballot-close-slot audit, ballot verification,
+ * decryption-share verification, and per-option tally checks.
  *
  * This is the main verifier entry point for callers that want failures to
  * abort immediately.
@@ -392,9 +392,7 @@ export const verifyElectionCeremony = async (
     try {
         dkgAudit = await auditSignedPayloads(input.dkgTranscript);
         ballotAudit = await auditSignedPayloads(input.ballotPayloads);
-        ballotCloseAudit = await auditSignedPayloads([
-            input.ballotClosePayload,
-        ]);
+        ballotCloseAudit = await auditSignedPayloads(input.ballotClosePayloads);
         decryptionAudit = await auditSignedPayloads(
             input.decryptionSharePayloads,
         );