C2PA v2.3: actions v2 + byte-offset exclusions

Author: erik-sv

README.md

@@ -56,7 +56,7 @@ Our implementation uses the official `c2pa-text` library to encode C2PA manifest
 
 Learn more about [Encypher's relationship with C2PA](https://docs.encypherai.com/package/user-guide/c2pa-relationship/) in our documentation.
 
-### C2PA `@context` compatibility configuration (v3.0.3+)
+### C2PA `@context` compatibility configuration (v3.0.4+)
 
 `encypher-ai` allows production services to control the emitted and accepted C2PA schema contexts via environment variables:
 

docs/package/changelog.md

@@ -2,6 +2,15 @@
 
 This document provides a chronological list of notable changes for each version of Encypher.
 
+## 3.0.4 (2026-01-30)
+
+### Fixed
+- Verified C2PA hard binding exclusions using byte offsets from the text wrapper instead of codepoint positions.
+- Accepted `c2pa.actions.v2` assertions during verification (v1 or v2 allowed).
+
+### Changed
+- Confirmed claim label emission as `c2pa.claim.v2` for v2.3 manifests.
+
 ## 3.0.3 (2026-01-16)
 
 ### Fixed

encypher/__init__.py

@@ -6,7 +6,7 @@
 This package provides tools for invisible metadata encoding in AI-generated text.
 """
 
-__version__ = "3.0.3"
+__version__ = "3.0.4"
 
 from encypher.config.settings import Settings
 from encypher.core.unicode_metadata import MetadataTarget, UnicodeMetadata

encypher/core/payloads.py

@@ -67,6 +67,7 @@ class C2PAAssertion(TypedDict):
         "@context": str,
         "instance_id": str,
         "claim_generator": str,
+        "claim_label": str,
         "assertions": list[C2PAAssertion],
         "ingredients": list[dict[str, Any]],
     },

encypher/core/unicode_metadata.py

@@ -11,7 +11,6 @@
 import hashlib
 import json
 import re
-import unicodedata
 import uuid
 from datetime import date, datetime, timezone
 from typing import Any, Callable, Literal, Optional, Union, cast
@@ -403,6 +402,7 @@ def embed_metadata(
                 distribute_across_targets=distribute_across_targets,
                 add_hard_binding=add_hard_binding,
                 custom_assertions=custom_assertions,
+                custom_metadata=custom_metadata,
             )
         # --- Start: Input Validation ---
         if not isinstance(text, str):
@@ -758,6 +758,7 @@ def _embed_c2pa(
         claim_generator: Optional[str],
         actions: Optional[list[dict[str, Any]]],
         ingredients: Optional[list[dict[str, Any]]],
+        custom_metadata: Optional[dict[str, Any]],
         iso_timestamp: Optional[str],
         target: Optional[Union[str, MetadataTarget]],
         distribute_across_targets: bool,
@@ -779,6 +780,7 @@ def _embed_c2pa(
             claim_generator: A string identifying the software agent creating the claim.
             actions: A list of action dictionaries to include in the manifest.
             ingredients: A list of ingredient dictionaries for provenance chain.
+            custom_metadata: Custom metadata to emit as a c2pa.metadata assertion.
             iso_timestamp: The ISO 8601 formatted timestamp for the actions.
             target: The embedding target strategy.
             distribute_across_targets: If True, distribute bits across multiple targets.
@@ -837,15 +839,32 @@ def _embed_c2pa(
                 "@context": c2pa_context_url,
                 "instance_id": instance_id,
                 "claim_generator": claim_gen,
+                "claim_label": "c2pa.claim.v2",
                 "assertions": [],
             }
 
             # Add ingredients for provenance chain (if provided)
             if ingredients:
                 c2pa_manifest["ingredients"] = ingredients
+                c2pa_manifest["assertions"].append(
+                    {
+                        "label": "c2pa.ingredient.v3",
+                        "data": {"ingredients": copy.deepcopy(ingredients)},
+                        "kind": "Ingredient",
+                    }
+                )
 
             actions_data: dict[str, Any] = {"actions": copy.deepcopy(base_actions)}
-            c2pa_manifest["assertions"].append({"label": "c2pa.actions.v1", "data": actions_data, "kind": "Actions"})
+            c2pa_manifest["assertions"].append({"label": "c2pa.actions.v2", "data": actions_data, "kind": "Actions"})
+
+            if custom_metadata:
+                c2pa_manifest["assertions"].append(
+                    {
+                        "label": "c2pa.metadata",
+                        "data": copy.deepcopy(custom_metadata),
+                        "kind": "Metadata",
+                    }
+                )
 
             # Add custom assertions if provided
             if custom_assertions:
@@ -883,7 +902,7 @@ def _embed_c2pa(
             manifest_for_hashing["assertions"].append(placeholder_soft_binding)
 
             actions_data_copy = next(
-                (a["data"] for a in manifest_for_hashing["assertions"] if a.get("label") == "c2pa.actions.v1"),
+                (a["data"] for a in manifest_for_hashing["assertions"] if a.get("label") == "c2pa.actions.v2"),
                 None,
             )
             if actions_data_copy and isinstance(actions_data_copy.get("actions"), list):
@@ -1007,23 +1026,13 @@ def verify_metadata(
                 logger.warning("C2PA format indicated but no text wrapper found.")
                 return False, signer_id, None
 
-            wrapper_segment = text[span[0] : span[1]]
-            normalized_full_text = unicodedata.normalize("NFC", text)
-            normalized_index = normalized_full_text.rfind(wrapper_segment)
-            if normalized_index < 0:
-                logger.warning("Unable to locate wrapper segment in normalized text during verification.")
-                return False, signer_id, None
-
-            exclusion_start = len(normalized_full_text[:normalized_index].encode("utf-8"))
-            exclusion_length = len(wrapper_segment.encode("utf-8"))
-
             return cls._verify_c2pa(
                 original_text=text,
                 outer_payload=outer_payload,
                 public_key_resolver=public_key_resolver,
                 return_payload_on_failure=return_payload_on_failure,
                 require_hard_binding=require_hard_binding,
-                wrapper_exclusion=(exclusion_start, exclusion_length),
+                wrapper_exclusion=span,
             )
 
         # --- Legacy Format Verification ('basic', 'manifest', 'cbor_manifest') ---
@@ -1222,14 +1231,18 @@ def _verify_c2pa(
         # b) Check for mandatory assertions
         assertions = c2pa_manifest.get("assertions", [])
         assertion_labels = {a.get("label") for a in assertions if isinstance(a, dict)}
-        required_assertions = {"c2pa.actions.v1", "c2pa.soft_binding.v1"}
+        required_assertions = {"c2pa.soft_binding.v1"}
         if require_hard_binding:
             required_assertions.add("c2pa.hash.data.v1")
         if not required_assertions.issubset(assertion_labels):
             missing = required_assertions - assertion_labels
             logger.warning(f"C2PA verification: Manifest missing required assertions: {missing}")
             return False, signer_id, c2pa_manifest
 
+        if not ("c2pa.actions.v1" in assertion_labels or "c2pa.actions.v2" in assertion_labels):
+            logger.warning("C2PA verification: Manifest missing actions assertion (v1 or v2).")
+            return False, signer_id, c2pa_manifest
+
         # --- 3. Soft Binding Verification (Deterministic Hashing) ---
         soft_binding_assertion = next((a for a in assertions if isinstance(a, dict) and a.get("label") == "c2pa.soft_binding.v1"), None)
         if soft_binding_assertion is None:

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "encypher-ai"
-version = "3.0.3"
+version = "3.0.4"
 description = "Embed invisible metadata in AI-generated text using zero-width characters."
 readme = "README.md"
 authors = [{name = "Encypher Team"}]

tests/core/test_unicode_metadata.py

@@ -602,6 +602,36 @@ def test_unicode_metadata_verify_with_manifest(self, manifest_metadata, key_pair
         assert manifest_payload.get("ai_info") == manifest_metadata.get("ai_info")
         assert manifest_payload.get("custom_claims") == manifest_metadata.get("custom_claims")
 
+    def test_c2pa_manifest_uses_v2_actions_and_metadata(self, key_pair_1, sample_text):
+        """C2PA manifests should emit v2 actions and metadata assertions for v2.3 compliance."""
+        private_key, _ = key_pair_1
+        signer_id = "signer_1"
+        now = datetime.now(timezone.utc)
+
+        embedded_text = UnicodeMetadata.embed_metadata(
+            text=sample_text,
+            private_key=private_key,
+            signer_id=signer_id,
+            metadata_format="c2pa",
+            actions=[
+                {
+                    "label": "c2pa.created",
+                    "when": now.isoformat(),
+                    "softwareAgent": "pytest",
+                }
+            ],
+            custom_metadata={"title": "C2PA v2.3 metadata", "description": "Test metadata assertion"},
+        )
+
+        extracted_manifest = UnicodeMetadata.extract_metadata(embedded_text)
+        assert isinstance(extracted_manifest, dict)
+        assertions = extracted_manifest.get("assertions", [])
+        assertion_labels = {assertion.get("label") for assertion in assertions if isinstance(assertion, dict)}
+
+        assert "c2pa.actions.v2" in assertion_labels
+        assert "c2pa.metadata" in assertion_labels
+        assert extracted_manifest.get("claim_label") == "c2pa.claim.v2"
+
     def test_embed_metadata_omit_keys(self, key_pair_1, sample_text, public_key_provider):
         private_key, _ = key_pair_1
         signer_id = "signer_1"