npm - 0nmcp - Versions diffs - 1.7.0 → 2.0.0 - Mend

0nmcp 1.7.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +24 -23
package/cli.js +431 -1
package/command-runner.js +224 -0
package/commands.js +115 -0
package/index.js +8 -1
package/lib/stats.json +1 -1
package/package.json +26 -3
package/vault/container.js +479 -0
package/vault/crypto-container.js +278 -0
package/vault/escrow.js +227 -0
package/vault/layers.js +254 -0
package/vault/registry.js +159 -0
package/vault/seal.js +74 -0
package/vault/tools-container.js +356 -0

package/vault/layers.js ADDED Viewed

@@ -0,0 +1,254 @@
+// ============================================================
+// 0nMCP — Vault: Semantic Layer Manager
+// ============================================================
+// 7 named layers, each independently encrypted with AES-256-GCM.
+// The credentials layer (layer 2) uses double-encryption via
+// Argon2id for maximum protection of API keys and secrets.
+//
+// Patent Pending: US Provisional Patent Application #63/990,046
+// ============================================================
+import { encryptAES, decryptAES, deriveKeyArgon2, encryptAESRaw, decryptAESRaw, SALT_LENGTH } from "./crypto-container.js";
+import { randomBytes } from "crypto";
+// ── Layer Definitions ────────────────────────────────────────
+export const LAYER_NAMES = [
+  "workflows",      // 1: .0n workflow definitions
+  "credentials",    // 2: API keys, tokens, secrets (double-encrypted)
+  "env_vars",       // 3: Environment variables
+  "mcp_configs",    // 4: MCP server configurations
+  "site_profiles",  // 5: CRO9/site configs
+  "ai_brain",       // 6: AI agent data, prompts, memory
+  "audit_trail",    // 7: Execution logs, timestamps (append-only)
+];
+export const LAYER_COUNT = LAYER_NAMES.length;
+/**
+ * Check if a layer name is valid.
+ * @param {string} name
+ * @returns {boolean}
+ */
+export function isValidLayer(name) {
+  return LAYER_NAMES.includes(name);
+}
+/**
+ * Get the index of a layer by name.
+ * @param {string} name
+ * @returns {number} 0-based index, or -1 if not found
+ */
+export function getLayerIndex(name) {
+  return LAYER_NAMES.indexOf(name);
+}
+// ── Layer Encryption ─────────────────────────────────────────
+/**
+ * Seal (encrypt) a single layer's data.
+ *
+ * @param {string} name - Layer name
+ * @param {any} data - Data to encrypt (will be JSON.stringify'd)
+ * @param {string} passphrase - Encryption passphrase
+ * @returns {{ name: string, ciphertext: Buffer, iv: Buffer, salt: Buffer, tag: Buffer }}
+ */
+export function sealLayer(name, data, passphrase) {
+  if (!isValidLayer(name)) {
+    throw new Error(`Invalid layer name: "${name}". Valid: ${LAYER_NAMES.join(", ")}`);
+  }
+  const plaintext = JSON.stringify(data);
+  const result = encryptAES(plaintext, passphrase);
+  return {
+    name,
+    ciphertext: result.ciphertext,
+    iv: result.iv,
+    salt: result.salt,
+    tag: result.tag,
+  };
+}
+/**
+ * Unseal (decrypt) a single layer's data.
+ *
+ * @param {string} name - Layer name
+ * @param {Buffer} ciphertext
+ * @param {string} passphrase
+ * @param {Buffer} iv
+ * @param {Buffer} salt
+ * @param {Buffer} tag
+ * @returns {any} Parsed JSON data
+ */
+export function unsealLayer(name, ciphertext, passphrase, iv, salt, tag) {
+  if (!isValidLayer(name)) {
+    throw new Error(`Invalid layer name: "${name}"`);
+  }
+  const decrypted = decryptAES(ciphertext, passphrase, iv, salt, tag);
+  return JSON.parse(decrypted.toString("utf8"));
+}
+// ── Credentials Double-Encryption ────────────────────────────
+/**
+ * Seal credentials with double encryption:
+ * 1. First layer: AES-256-GCM with passphrase
+ * 2. Second layer: AES-256-GCM with Argon2id-derived key
+ *
+ * @param {any} data - Credentials data
+ * @param {string} passphrase - Encryption passphrase
+ * @returns {Promise<{ ciphertext: Buffer, iv: Buffer, salt: Buffer, tag: Buffer, argonSalt: Buffer, innerIv: Buffer, innerTag: Buffer }>}
+ */
+export async function sealCredentials(data, passphrase) {
+  const plaintext = Buffer.from(JSON.stringify(data), "utf8");
+  // Inner layer: Argon2id-derived key
+  const argonSalt = randomBytes(SALT_LENGTH);
+  const argonKey = await deriveKeyArgon2(passphrase, argonSalt);
+  const inner = encryptAESRaw(plaintext, argonKey);
+  // Outer layer: standard AES-256-GCM with passphrase
+  // Combine inner ciphertext + iv + tag for outer encryption
+  const innerPayload = Buffer.concat([inner.iv, inner.tag, inner.ciphertext]);
+  const outer = encryptAES(innerPayload, passphrase);
+  return {
+    ciphertext: outer.ciphertext,
+    iv: outer.iv,
+    salt: outer.salt,
+    tag: outer.tag,
+    argonSalt,
+    innerIv: inner.iv,
+    innerTag: inner.tag,
+  };
+}
+/**
+ * Unseal double-encrypted credentials.
+ *
+ * @param {Buffer} ciphertext
+ * @param {string} passphrase
+ * @param {Buffer} iv
+ * @param {Buffer} salt
+ * @param {Buffer} tag
+ * @param {Buffer} argonSalt
+ * @returns {Promise<any>} Parsed credentials
+ */
+export async function unsealCredentials(ciphertext, passphrase, iv, salt, tag, argonSalt) {
+  // Outer layer: decrypt with passphrase
+  const innerPayload = decryptAES(ciphertext, passphrase, iv, salt, tag);
+  // Extract inner components (iv:12 + tag:16 + ciphertext:rest)
+  const innerIv = innerPayload.subarray(0, 12);
+  const innerTag = innerPayload.subarray(12, 28);
+  const innerCiphertext = innerPayload.subarray(28);
+  // Inner layer: Argon2id-derived key
+  const argonKey = await deriveKeyArgon2(passphrase, argonSalt);
+  const decrypted = decryptAESRaw(innerCiphertext, argonKey, innerIv, innerTag);
+  return JSON.parse(decrypted.toString("utf8"));
+}
+// ── Bulk Layer Operations ────────────────────────────────────
+/**
+ * Seal multiple layers at once.
+ *
+ * @param {Object<string, any>} layerData - { layerName: data }
+ * @param {string} passphrase
+ * @returns {Promise<Map<string, object>>} Sealed layers
+ */
+export async function sealAllLayers(layerData, passphrase) {
+  const sealed = new Map();
+  for (const [name, data] of Object.entries(layerData)) {
+    if (!isValidLayer(name)) {
+      throw new Error(`Invalid layer: "${name}"`);
+    }
+    if (name === "credentials") {
+      const result = await sealCredentials(data, passphrase);
+      sealed.set(name, { ...result, doubleEncrypted: true });
+    } else {
+      const result = sealLayer(name, data, passphrase);
+      sealed.set(name, result);
+    }
+  }
+  return sealed;
+}
+/**
+ * Unseal multiple layers at once.
+ *
+ * @param {Map<string, object>} sealedLayers
+ * @param {string} passphrase
+ * @param {string[]} [onlyLayers] - Optional filter: only unseal these layers
+ * @returns {Promise<Object<string, any>>} Unsealed layer data
+ */
+export async function unsealAllLayers(sealedLayers, passphrase, onlyLayers = null) {
+  const result = {};
+  for (const [name, layerInfo] of sealedLayers) {
+    if (onlyLayers && !onlyLayers.includes(name)) continue;
+    if (name === "credentials" && layerInfo.doubleEncrypted) {
+      result[name] = await unsealCredentials(
+        layerInfo.ciphertext, passphrase,
+        layerInfo.iv, layerInfo.salt, layerInfo.tag,
+        layerInfo.argonSalt
+      );
+    } else {
+      result[name] = unsealLayer(
+        name, layerInfo.ciphertext, passphrase,
+        layerInfo.iv, layerInfo.salt, layerInfo.tag
+      );
+    }
+  }
+  return result;
+}
+// ── Layer Access Matrix ──────────────────────────────────────
+/**
+ * Create a layer access matrix for escrow parties.
+ *
+ * @param {Object<string, string[]>} partyAccess - { partyId: [layerNames] }
+ * @returns {Object<string, Object<string, boolean>>} Full matrix
+ */
+export function createAccessMatrix(partyAccess) {
+  const matrix = {};
+  for (const [partyId, layers] of Object.entries(partyAccess)) {
+    matrix[partyId] = {};
+    for (const layerName of LAYER_NAMES) {
+      matrix[partyId][layerName] = layers.includes(layerName);
+    }
+  }
+  return matrix;
+}
+/**
+ * Validate an access matrix.
+ *
+ * @param {Object} matrix
+ * @returns {{ valid: boolean, errors: string[] }}
+ */
+export function validateAccessMatrix(matrix) {
+  const errors = [];
+  for (const [partyId, access] of Object.entries(matrix)) {
+    for (const layerName of Object.keys(access)) {
+      if (!isValidLayer(layerName)) {
+        errors.push(`Party "${partyId}": invalid layer "${layerName}"`);
+      }
+    }
+  }
+  return { valid: errors.length === 0, errors };
+}

package/vault/registry.js ADDED Viewed

@@ -0,0 +1,159 @@
+// ============================================================
+// 0nMCP — Vault: Transfer Registry
+// ============================================================
+// In-memory + file-backed registry for tracking vault transfers.
+// Prevents replay attacks by rejecting duplicate transfer IDs.
+//
+// Patent Pending: US Provisional Patent Application #63/990,046
+// ============================================================
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+const VAULT_DIR = join(homedir(), ".0n", "vault");
+const REGISTRY_PATH = join(VAULT_DIR, "transfers.json");
+// In-memory cache
+let registry = null;
+/**
+ * Ensure vault directory exists and load registry from disk.
+ */
+function ensureRegistry() {
+  if (registry !== null) return;
+  if (!existsSync(VAULT_DIR)) {
+    mkdirSync(VAULT_DIR, { recursive: true });
+  }
+  if (existsSync(REGISTRY_PATH)) {
+    try {
+      registry = JSON.parse(readFileSync(REGISTRY_PATH, "utf-8"));
+    } catch {
+      registry = { transfers: {} };
+    }
+  } else {
+    registry = { transfers: {} };
+  }
+}
+/**
+ * Save registry to disk.
+ */
+function saveRegistry() {
+  if (!existsSync(VAULT_DIR)) {
+    mkdirSync(VAULT_DIR, { recursive: true });
+  }
+  writeFileSync(REGISTRY_PATH, JSON.stringify(registry, null, 2));
+}
+/**
+ * Register a new transfer.
+ *
+ * @param {string} transferId - UUID v4
+ * @param {string} sealHex - Seal of Truth hex string
+ * @param {Object} metadata - Additional metadata
+ * @returns {{ success: boolean, error?: string }}
+ */
+export function registerTransfer(transferId, sealHex, metadata = {}) {
+  ensureRegistry();
+  // Replay prevention
+  if (registry.transfers[transferId]) {
+    return {
+      success: false,
+      error: `Transfer ID "${transferId}" already registered — replay rejected`,
+    };
+  }
+  registry.transfers[transferId] = {
+    seal: sealHex,
+    registered_at: new Date().toISOString(),
+    status: "active",
+    ...metadata,
+  };
+  saveRegistry();
+  return { success: true, transferId };
+}
+/**
+ * Look up a transfer by ID.
+ *
+ * @param {string} transferId
+ * @returns {{ found: boolean, transfer?: Object }}
+ */
+export function lookupTransfer(transferId) {
+  ensureRegistry();
+  const transfer = registry.transfers[transferId];
+  if (!transfer) {
+    return { found: false };
+  }
+  return { found: true, transfer: { transferId, ...transfer } };
+}
+/**
+ * Revoke a transfer.
+ *
+ * @param {string} transferId
+ * @returns {{ success: boolean, error?: string }}
+ */
+export function revokeTransfer(transferId) {
+  ensureRegistry();
+  if (!registry.transfers[transferId]) {
+    return { success: false, error: `Transfer ID "${transferId}" not found` };
+  }
+  if (registry.transfers[transferId].status === "revoked") {
+    return { success: false, error: `Transfer "${transferId}" is already revoked` };
+  }
+  registry.transfers[transferId].status = "revoked";
+  registry.transfers[transferId].revoked_at = new Date().toISOString();
+  saveRegistry();
+  return { success: true, transferId, message: `Transfer "${transferId}" has been revoked` };
+}
+/**
+ * List all transfers.
+ *
+ * @param {string} [status] - Optional filter: "active", "revoked"
+ * @returns {Array<Object>}
+ */
+export function listTransfers(status = null) {
+  ensureRegistry();
+  const transfers = [];
+  for (const [id, data] of Object.entries(registry.transfers)) {
+    if (status && data.status !== status) continue;
+    transfers.push({ transferId: id, ...data });
+  }
+  return transfers;
+}
+/**
+ * Check if a transfer ID has been used (for replay prevention).
+ *
+ * @param {string} transferId
+ * @returns {boolean}
+ */
+export function isTransferUsed(transferId) {
+  ensureRegistry();
+  return !!registry.transfers[transferId];
+}
+/**
+ * Reset registry (for testing only).
+ */
+export function resetRegistry() {
+  registry = { transfers: {} };
+  saveRegistry();
+}

package/vault/seal.js ADDED Viewed

@@ -0,0 +1,74 @@
+// ============================================================
+// 0nMCP — Vault: Seal of Truth
+// ============================================================
+// SHA3-256 based content certification hash.
+// Publicly verifiable — anyone can confirm container integrity
+// without decrypting any layer data.
+//
+// Formula:
+//   SHA3-256(transfer_id || timestamp || pubkey || SHA3-256(concat(all_ciphertexts)))
+//
+// Patent Pending: US Provisional Patent Application #63/990,046
+// ============================================================
+import { sha3, sha3Hex } from "./crypto-container.js";
+/**
+ * Create a Seal of Truth for a vault container.
+ *
+ * @param {string} transferId - UUID v4 transfer ID
+ * @param {number} timestamp - Unix timestamp (ms)
+ * @param {Buffer} pubkey - Ed25519 public key (32 bytes)
+ * @param {Buffer[]} layerCiphertexts - Array of encrypted layer data
+ * @returns {{ seal: Buffer, sealHex: string }}
+ */
+export function createSeal(transferId, timestamp, pubkey, layerCiphertexts) {
+  // Hash all ciphertexts together
+  const contentHash = sha3(Buffer.concat(layerCiphertexts));
+  // Combine components: transferId || timestamp || pubkey || contentHash
+  const transferIdBuf = Buffer.from(transferId, "utf8");
+  const timestampBuf = Buffer.alloc(8);
+  timestampBuf.writeBigUInt64BE(BigInt(timestamp));
+  const sealInput = Buffer.concat([transferIdBuf, timestampBuf, pubkey, contentHash]);
+  const seal = sha3(sealInput);
+  return {
+    seal,
+    sealHex: seal.toString("hex"),
+  };
+}
+/**
+ * Verify a Seal of Truth.
+ *
+ * @param {Buffer} seal - 32-byte seal hash
+ * @param {string} transferId
+ * @param {number} timestamp
+ * @param {Buffer} pubkey
+ * @param {Buffer[]} layerCiphertexts
+ * @returns {boolean} True if seal matches
+ */
+export function verifySeal(seal, transferId, timestamp, pubkey, layerCiphertexts) {
+  const expected = createSeal(transferId, timestamp, pubkey, layerCiphertexts);
+  return Buffer.compare(seal, expected.seal) === 0;
+}
+/**
+ * Generate a human-readable seal summary.
+ *
+ * @param {Buffer} seal
+ * @param {string} transferId
+ * @param {number} timestamp
+ * @returns {string}
+ */
+export function sealSummary(seal, transferId, timestamp) {
+  return [
+    `Seal of Truth: ${seal.toString("hex")}`,
+    `Transfer ID:   ${transferId}`,
+    `Timestamp:     ${new Date(timestamp).toISOString()}`,
+    `Algorithm:     SHA3-256`,
+    `Status:        Verified ✓`,
+  ].join("\n");
+}