feat: add cryptographic receipt download feature

- Added `receipt` field to upload result state and API response type
- Implemented UI button to download receipt as JSON file with HMAC signature proof
- Enhances verifiability of seal creation by providing downloadable proof-of-creation receipt

Author: teycir

app/api/verify-receipt/route.ts

@@ -0,0 +1,30 @@
+import { NextRequest } from 'next/server';
+import { jsonResponse } from '@/lib/apiHandler';
+import { createAPIRoute } from '@/lib/routeHelper';
+
+export async function POST(request: NextRequest) {
+  return createAPIRoute(async ({ container }) => {
+    const body = await request.json() as { receipt: any };
+    const { receipt } = body;
+
+    if (!receipt?.sealId || !receipt?.blobHash || !receipt?.signature) {
+      return jsonResponse({ valid: false, error: 'Invalid receipt format' }, 400);
+    }
+
+    const data = `${receipt.sealId}:${receipt.blobHash}:${receipt.unlockTime}:${receipt.createdAt}`;
+    const encoder = new TextEncoder();
+    
+    const key = await crypto.subtle.importKey(
+      'raw',
+      encoder.encode(container.masterKey),
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['verify']
+    );
+    
+    const sigBytes = new Uint8Array(receipt.signature.match(/.{1,2}/g).map((byte: string) => parseInt(byte, 16)));
+    const valid = await crypto.subtle.verify('HMAC', key, sigBytes, encoder.encode(data));
+
+    return jsonResponse({ valid, sealId: receipt.sealId });
+  })(request);
+}

app/page.tsx

@@ -80,6 +80,7 @@ export default function HomePage() {
     publicUrl: string;
     pulseUrl?: string;
     pulseToken?: string;
+    receipt?: any;
   } | null>(null);
 
   // Use a ref for file input fallback (kept even if dropzone exists for accessibility/fallback)
@@ -262,7 +263,7 @@ export default function HomePage() {
         body: formData,
       });
 
-      const data = await response.json() as { success: boolean; publicUrl: string; pulseToken?: string; error?: string };
+      const data = await response.json() as { success: boolean; publicUrl: string; pulseToken?: string; receipt?: any; error?: string };
 
       if (data.success) {
         const origin = globalThis.window ? globalThis.window.location.origin : '';
@@ -273,6 +274,7 @@ export default function HomePage() {
           publicUrl,
           pulseUrl: data.pulseToken ? `${origin}/pulse` : undefined,
           pulseToken: data.pulseToken,
+          receipt: data.receipt,
         });
         toast.dismiss(loadingToast);
         toast.success('Seal created successfully!');
@@ -355,6 +357,29 @@ export default function HomePage() {
                 </p>
               </div>
             )}
+
+            {result.receipt && (
+              <div className="border-t border-neon-green/20 pt-4">
+                <Button
+                  onClick={() => {
+                    const blob = new Blob([JSON.stringify(result.receipt, null, 2)], { type: 'application/json' });
+                    const url = URL.createObjectURL(blob);
+                    const a = document.createElement('a');
+                    a.href = url;
+                    a.download = `timeseal-receipt-${result.receipt.sealId}.json`;
+                    a.click();
+                    URL.revokeObjectURL(url);
+                    toast.success('Receipt downloaded');
+                  }}
+                  className="w-full bg-neon-green/10"
+                >
+                  📄 DOWNLOAD CRYPTOGRAPHIC RECEIPT
+                </Button>
+                <p className="text-xs text-neon-green/50 mt-2 text-center">
+                  Proof of seal creation with HMAC signature
+                </p>
+              </div>
+            )}
           </Card>
 
           <Button