npm - @ai-pip/core - Versions diffs - 0.2.0 → 0.4.0 - Mend

@ai-pip/core 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (133) hide show

package/CHANGELOG.md +106 -3
package/README.md +52 -951
package/dist/AAL/constants.d.ts +15 -0
package/dist/AAL/constants.d.ts.map +1 -0
package/dist/AAL/constants.js +20 -0
package/dist/AAL/constants.js.map +1 -0
package/dist/AAL/index.d.ts +5 -4
package/dist/AAL/index.d.ts.map +1 -1
package/dist/AAL/index.js +4 -2
package/dist/AAL/index.js.map +1 -1
package/dist/AAL/process/applyRemovalPlan.d.ts +23 -0
package/dist/AAL/process/applyRemovalPlan.d.ts.map +1 -0
package/dist/AAL/process/applyRemovalPlan.js +157 -0
package/dist/AAL/process/applyRemovalPlan.js.map +1 -0
package/dist/AAL/process/buildDecisionReason.d.ts.map +1 -1
package/dist/AAL/process/buildDecisionReason.js +24 -4
package/dist/AAL/process/buildDecisionReason.js.map +1 -1
package/dist/AAL/process/buildRemediationPlan.d.ts +22 -0
package/dist/AAL/process/buildRemediationPlan.d.ts.map +1 -0
package/dist/AAL/process/buildRemediationPlan.js +81 -0
package/dist/AAL/process/buildRemediationPlan.js.map +1 -0
package/dist/AAL/process/buildRemovalPlan.d.ts +27 -9
package/dist/AAL/process/buildRemovalPlan.d.ts.map +1 -1
package/dist/AAL/process/buildRemovalPlan.js +95 -29
package/dist/AAL/process/buildRemovalPlan.js.map +1 -1
package/dist/AAL/process/index.d.ts +2 -2
package/dist/AAL/process/index.d.ts.map +1 -1
package/dist/AAL/process/index.js +2 -1
package/dist/AAL/process/index.js.map +1 -1
package/dist/AAL/process/resolveAgentAction.d.ts.map +1 -1
package/dist/AAL/process/resolveAgentAction.js +13 -0
package/dist/AAL/process/resolveAgentAction.js.map +1 -1
package/dist/AAL/process/validatePolicy.d.ts +20 -0
package/dist/AAL/process/validatePolicy.d.ts.map +1 -0
package/dist/AAL/process/validatePolicy.js +40 -0
package/dist/AAL/process/validatePolicy.js.map +1 -0
package/dist/AAL/types.d.ts +18 -31
package/dist/AAL/types.d.ts.map +1 -1
package/dist/index.d.ts +9 -9
package/dist/index.d.ts.map +1 -1
package/dist/index.js +6 -6
package/dist/index.js.map +1 -1
package/dist/isl/detect/detect.d.ts +39 -0
package/dist/isl/detect/detect.d.ts.map +1 -0
package/dist/isl/detect/detect.js +369 -0
package/dist/isl/detect/detect.js.map +1 -0
package/dist/isl/detect/index.d.ts +6 -0
package/dist/isl/detect/index.d.ts.map +1 -0
package/dist/isl/detect/index.js +5 -0
package/dist/isl/detect/index.js.map +1 -0
package/dist/isl/index.d.ts +8 -1
package/dist/isl/index.d.ts.map +1 -1
package/dist/isl/index.js +5 -0
package/dist/isl/index.js.map +1 -1
package/dist/isl/process/emitSignal.d.ts +19 -10
package/dist/isl/process/emitSignal.d.ts.map +1 -1
package/dist/isl/process/emitSignal.js +25 -23
package/dist/isl/process/emitSignal.js.map +1 -1
package/dist/isl/process/index.d.ts +1 -0
package/dist/isl/process/index.d.ts.map +1 -1
package/dist/isl/riskScore/calculators.d.ts +19 -0
package/dist/isl/riskScore/calculators.d.ts.map +1 -0
package/dist/isl/riskScore/calculators.js +50 -0
package/dist/isl/riskScore/calculators.js.map +1 -0
package/dist/isl/riskScore/index.d.ts +14 -0
package/dist/isl/riskScore/index.d.ts.map +1 -0
package/dist/isl/riskScore/index.js +26 -0
package/dist/isl/riskScore/index.js.map +1 -0
package/dist/isl/riskScore/types.d.ts +20 -0
package/dist/isl/riskScore/types.d.ts.map +1 -0
package/dist/isl/riskScore/types.js +12 -0
package/dist/isl/riskScore/types.js.map +1 -0
package/dist/isl/sanitize.d.ts +8 -1
package/dist/isl/sanitize.d.ts.map +1 -1
package/dist/isl/sanitize.js +13 -5
package/dist/isl/sanitize.js.map +1 -1
package/dist/isl/signals.d.ts +16 -1
package/dist/isl/signals.d.ts.map +1 -1
package/dist/isl/signals.js +4 -2
package/dist/isl/signals.js.map +1 -1
package/dist/isl/value-objects/Pattern.d.ts +21 -0
package/dist/isl/value-objects/Pattern.d.ts.map +1 -1
package/dist/isl/value-objects/Pattern.js +36 -0
package/dist/isl/value-objects/Pattern.js.map +1 -1
package/dist/isl/value-objects/index.d.ts +2 -2
package/dist/isl/value-objects/index.d.ts.map +1 -1
package/dist/isl/value-objects/index.js +1 -1
package/dist/isl/value-objects/index.js.map +1 -1
package/dist/shared/audit.d.ts +126 -28
package/dist/shared/audit.d.ts.map +1 -1
package/dist/shared/audit.js +322 -44
package/dist/shared/audit.js.map +1 -1
package/dist/shared/envelope/envelope.d.ts +23 -0
package/dist/shared/envelope/envelope.d.ts.map +1 -0
package/dist/shared/envelope/envelope.js +58 -0
package/dist/shared/envelope/envelope.js.map +1 -0
package/dist/shared/envelope/exceptions/EnvelopeError.d.ts +8 -0
package/dist/shared/envelope/exceptions/EnvelopeError.d.ts.map +1 -0
package/dist/shared/envelope/exceptions/EnvelopeError.js +13 -0
package/dist/shared/envelope/exceptions/EnvelopeError.js.map +1 -0
package/dist/shared/envelope/exceptions/index.d.ts +2 -0
package/dist/shared/envelope/exceptions/index.d.ts.map +1 -0
package/dist/shared/envelope/exceptions/index.js +2 -0
package/dist/shared/envelope/exceptions/index.js.map +1 -0
package/dist/shared/envelope/index.d.ts +18 -0
package/dist/shared/envelope/index.d.ts.map +1 -0
package/dist/shared/envelope/index.js +15 -0
package/dist/shared/envelope/index.js.map +1 -0
package/dist/shared/envelope/types.d.ts +45 -0
package/dist/shared/envelope/types.d.ts.map +1 -0
package/dist/shared/envelope/types.js +10 -0
package/dist/shared/envelope/types.js.map +1 -0
package/dist/shared/envelope/value-objects/Metadata.d.ts +27 -0
package/dist/shared/envelope/value-objects/Metadata.d.ts.map +1 -0
package/dist/shared/envelope/value-objects/Metadata.js +57 -0
package/dist/shared/envelope/value-objects/Metadata.js.map +1 -0
package/dist/shared/envelope/value-objects/Nonce.d.ts +26 -0
package/dist/shared/envelope/value-objects/Nonce.d.ts.map +1 -0
package/dist/shared/envelope/value-objects/Nonce.js +38 -0
package/dist/shared/envelope/value-objects/Nonce.js.map +1 -0
package/dist/shared/envelope/value-objects/Signature.d.ts +28 -0
package/dist/shared/envelope/value-objects/Signature.d.ts.map +1 -0
package/dist/shared/envelope/value-objects/Signature.js +50 -0
package/dist/shared/envelope/value-objects/Signature.js.map +1 -0
package/dist/shared/envelope/value-objects/index.d.ts +9 -0
package/dist/shared/envelope/value-objects/index.d.ts.map +1 -0
package/dist/shared/envelope/value-objects/index.js +7 -0
package/dist/shared/envelope/value-objects/index.js.map +1 -0
package/dist/shared/index.d.ts +2 -2
package/dist/shared/index.d.ts.map +1 -1
package/dist/shared/index.js +1 -1
package/dist/shared/index.js.map +1 -1
package/package.json +11 -6

package/dist/shared/envelope/exceptions/index.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export { EnvelopeError } from './EnvelopeError.js';
2	+ //# sourceMappingURL=index.js.map

package/dist/shared/envelope/exceptions/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/shared/envelope/exceptions/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA"}

package/dist/shared/envelope/index.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+/**
+ * Envelope (transversal) – integrity and anti-replay for pipeline results
+ *
+ * @remarks
+ * CPE is a cross-cutting concern, not a layer. It wraps the output of the pipeline
+ * (e.g. ISL or AAL result) with metadata, nonce, and HMAC-SHA256 signature.
+ * Use `envelope(islResult, secretKey)` to produce a CPEResult; serialization
+ * and verification are the responsibility of the SDK.
+ */
+export { envelope } from './envelope.js';
+export { createNonce, isValidNonce, equalsNonce } from './value-objects/Nonce.js';
+export type { Nonce } from './value-objects/Nonce.js';
+export { createMetadata, isValidMetadata, CURRENT_PROTOCOL_VERSION } from './value-objects/Metadata.js';
+export { createSignature, verifySignature, isValidSignatureFormat } from './value-objects/Signature.js';
+export type { SignatureVO } from './value-objects/Signature.js';
+export { EnvelopeError } from './exceptions/index.js';
+export type { ProtocolVersion, Timestamp, NonceValue, SignatureAlgorithm, Signature, CPEMetadata, CPEEvelope, CPEResult, } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/shared/envelope/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/shared/envelope/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AACxC,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AACjF,YAAY,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAA;AACrD,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAA;AACvG,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAA;AACvG,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAA;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAA;AACrD,YAAY,EACV,eAAe,EACf,SAAS,EACT,UAAU,EACV,kBAAkB,EAClB,SAAS,EACT,WAAW,EACX,UAAU,EACV,SAAS,GACV,MAAM,YAAY,CAAA"}

package/dist/shared/envelope/index.js ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * Envelope (transversal) – integrity and anti-replay for pipeline results
+ *
+ * @remarks
+ * CPE is a cross-cutting concern, not a layer. It wraps the output of the pipeline
+ * (e.g. ISL or AAL result) with metadata, nonce, and HMAC-SHA256 signature.
+ * Use `envelope(islResult, secretKey)` to produce a CPEResult; serialization
+ * and verification are the responsibility of the SDK.
+ */
+export { envelope } from './envelope.js';
+export { createNonce, isValidNonce, equalsNonce } from './value-objects/Nonce.js';
+export { createMetadata, isValidMetadata, CURRENT_PROTOCOL_VERSION } from './value-objects/Metadata.js';
+export { createSignature, verifySignature, isValidSignatureFormat } from './value-objects/Signature.js';
+export { EnvelopeError } from './exceptions/index.js';
+//# sourceMappingURL=index.js.map

package/dist/shared/envelope/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/shared/envelope/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AACxC,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AAEjF,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAA;AACvG,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAA;AAEvG,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAA"}

package/dist/shared/envelope/types.d.ts ADDED Viewed

@@ -0,0 +1,45 @@
+/**
+ * Envelope types (transversal) – integrity and anti-replay
+ *
+ * @remarks
+ * The envelope is a cross-cutting concern: it wraps the pipeline result
+ * (e.g. ISL or AAL output) with metadata, nonce, and HMAC signature.
+ * It is not a processing layer; it applies to the result of the pipeline.
+ */
+import type { LineageEntry } from '../../csl/value-objects/index.js';
+/** Protocol version string (e.g. "0.1.4") */
+export type ProtocolVersion = string;
+/** Unix timestamp in milliseconds */
+export type Timestamp = number;
+/** Nonce value for replay prevention */
+export type NonceValue = string;
+/** Supported signature algorithm */
+export type SignatureAlgorithm = 'HMAC-SHA256';
+/** Signature value (hex string) */
+export type Signature = string;
+/** Envelope security metadata: timestamp, nonce, protocol version, optional previous signatures */
+export interface CPEMetadata {
+    readonly timestamp: Timestamp;
+    readonly nonce: NonceValue;
+    readonly protocolVersion: ProtocolVersion;
+    readonly previousSignatures?: {
+        readonly csl?: string | undefined;
+        readonly isl?: string | undefined;
+    } | undefined;
+}
+/** Full cryptographic envelope: payload, metadata, signature, lineage */
+export interface CPEEvelope {
+    readonly payload: unknown;
+    readonly metadata: CPEMetadata;
+    readonly signature: {
+        readonly value: string;
+        readonly algorithm: string;
+    };
+    readonly lineage: readonly LineageEntry[];
+}
+/** Result of envelope generation (envelope + optional processing time) */
+export interface CPEResult {
+    readonly envelope: CPEEvelope;
+    readonly processingTimeMs?: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/shared/envelope/types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/shared/envelope/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAA;AAEpE,6CAA6C;AAC7C,MAAM,MAAM,eAAe,GAAG,MAAM,CAAA;AAEpC,qCAAqC;AACrC,MAAM,MAAM,SAAS,GAAG,MAAM,CAAA;AAE9B,wCAAwC;AACxC,MAAM,MAAM,UAAU,GAAG,MAAM,CAAA;AAE/B,oCAAoC;AACpC,MAAM,MAAM,kBAAkB,GAAG,aAAa,CAAA;AAE9C,mCAAmC;AACnC,MAAM,MAAM,SAAS,GAAG,MAAM,CAAA;AAE9B,mGAAmG;AACnG,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAA;IAC7B,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAA;IAC1B,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAA;IACzC,QAAQ,CAAC,kBAAkB,CAAC,EAAE;QAC5B,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;QACjC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;KAClC,GAAG,SAAS,CAAA;CACd;AAED,yEAAyE;AACzE,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAA;IAC9B,QAAQ,CAAC,SAAS,EAAE;QAClB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;QACtB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;KAC3B,CAAA;IACD,QAAQ,CAAC,OAAO,EAAE,SAAS,YAAY,EAAE,CAAA;CAC1C;AAED,0EAA0E;AAC1E,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,QAAQ,EAAE,UAAU,CAAA;IAC7B,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;CACnC"}

package/dist/shared/envelope/types.js ADDED Viewed

@@ -0,0 +1,10 @@
+/**
+ * Envelope types (transversal) – integrity and anti-replay
+ *
+ * @remarks
+ * The envelope is a cross-cutting concern: it wraps the pipeline result
+ * (e.g. ISL or AAL output) with metadata, nonce, and HMAC signature.
+ * It is not a processing layer; it applies to the result of the pipeline.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/shared/envelope/types.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/shared/envelope/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG"}

package/dist/shared/envelope/value-objects/Metadata.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+/**
+ * Envelope metadata – security metadata value object (timestamp, nonce, version).
+ *
+ * @remarks
+ * Immutable; validates timestamp (positive, not in the future) and protocol version.
+ */
+import type { CPEMetadata, ProtocolVersion, Timestamp } from '../types.js';
+import type { Nonce as NonceVO } from './Nonce.js';
+/** Current protocol version for envelope metadata */
+export declare const CURRENT_PROTOCOL_VERSION: ProtocolVersion;
+/**
+ * Creates envelope metadata (frozen).
+ *
+ * @param timestamp - Unix timestamp in ms
+ * @param nonce - Nonce value object
+ * @param protocolVersion - Protocol version (default: CURRENT_PROTOCOL_VERSION)
+ * @param previousSignatures - Optional previous layer signatures (csl, isl)
+ */
+export declare function createMetadata(timestamp: Timestamp, nonce: NonceVO, protocolVersion?: ProtocolVersion, previousSignatures?: {
+    csl?: string;
+    isl?: string;
+}): CPEMetadata;
+/**
+ * Validates metadata shape and values.
+ */
+export declare function isValidMetadata(metadata: CPEMetadata): boolean;
+//# sourceMappingURL=Metadata.d.ts.map

package/dist/shared/envelope/value-objects/Metadata.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"Metadata.d.ts","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/Metadata.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAC1E,OAAO,KAAK,EAAE,KAAK,IAAI,OAAO,EAAE,MAAM,YAAY,CAAA;AAElD,qDAAqD;AACrD,eAAO,MAAM,wBAAwB,EAAE,eAAyB,CAAA;AAEhE;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAC5B,SAAS,EAAE,SAAS,EACpB,KAAK,EAAE,OAAO,EACd,eAAe,GAAE,eAA0C,EAC3D,kBAAkB,CAAC,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAClD,WAAW,CAyBb;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,WAAW,GAAG,OAAO,CAS9D"}

package/dist/shared/envelope/value-objects/Metadata.js ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * Envelope metadata – security metadata value object (timestamp, nonce, version).
+ *
+ * @remarks
+ * Immutable; validates timestamp (positive, not in the future) and protocol version.
+ */
+/** Current protocol version for envelope metadata */
+export const CURRENT_PROTOCOL_VERSION = '0.1.4';
+/**
+ * Creates envelope metadata (frozen).
+ *
+ * @param timestamp - Unix timestamp in ms
+ * @param nonce - Nonce value object
+ * @param protocolVersion - Protocol version (default: CURRENT_PROTOCOL_VERSION)
+ * @param previousSignatures - Optional previous layer signatures (csl, isl)
+ */
+export function createMetadata(timestamp, nonce, protocolVersion = CURRENT_PROTOCOL_VERSION, previousSignatures) {
+    if (timestamp <= 0) {
+        throw new Error('Timestamp must be a positive number');
+    }
+    const maxFutureTimestamp = Date.now() + 5 * 60 * 1000;
+    if (timestamp > maxFutureTimestamp) {
+        throw new Error('Timestamp cannot be in the future');
+    }
+    if (!protocolVersion || typeof protocolVersion !== 'string') {
+        throw new Error('Protocol version must be a non-empty string');
+    }
+    return Object.freeze({
+        timestamp,
+        nonce: nonce.value,
+        protocolVersion,
+        previousSignatures: previousSignatures
+            ? Object.freeze({
+                csl: previousSignatures.csl ?? undefined,
+                isl: previousSignatures.isl ?? undefined,
+            })
+            : undefined,
+    });
+}
+/**
+ * Validates metadata shape and values.
+ */
+export function isValidMetadata(metadata) {
+    try {
+        if (metadata.timestamp <= 0)
+            return false;
+        if (!metadata.nonce || metadata.nonce.length < 16)
+            return false;
+        if (!metadata.protocolVersion)
+            return false;
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=Metadata.js.map

package/dist/shared/envelope/value-objects/Metadata.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"Metadata.js","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/Metadata.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,qDAAqD;AACrD,MAAM,CAAC,MAAM,wBAAwB,GAAoB,OAAO,CAAA;AAEhE;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAC5B,SAAoB,EACpB,KAAc,EACd,kBAAmC,wBAAwB,EAC3D,kBAAmD;IAEnD,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IAED,MAAM,kBAAkB,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAA;IACrD,IAAI,SAAS,GAAG,kBAAkB,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAA;IACtD,CAAC;IAED,IAAI,CAAC,eAAe,IAAI,OAAO,eAAe,KAAK,QAAQ,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAA;IAChE,CAAC;IAED,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,SAAS;QACT,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,eAAe;QACf,kBAAkB,EAAE,kBAAkB;YACpC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC;gBACZ,GAAG,EAAE,kBAAkB,CAAC,GAAG,IAAI,SAAS;gBACxC,GAAG,EAAE,kBAAkB,CAAC,GAAG,IAAI,SAAS;aACzC,CAAC;YACJ,CAAC,CAAC,SAAS;KACd,CAAC,CAAA;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,QAAqB;IACnD,IAAI,CAAC;QACH,IAAI,QAAQ,CAAC,SAAS,IAAI,CAAC;YAAE,OAAO,KAAK,CAAA;QACzC,IAAI,CAAC,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE;YAAE,OAAO,KAAK,CAAA;QAC/D,IAAI,CAAC,QAAQ,CAAC,eAAe;YAAE,OAAO,KAAK,CAAA;QAC3C,OAAO,IAAI,CAAA;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC"}

package/dist/shared/envelope/value-objects/Nonce.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+/**
+ * Nonce – unique value for replay prevention. Immutable value object.
+ *
+ * @remarks
+ * Used by the envelope to bind each wrapped result to a unique value;
+ * verification layer (SDK) should reject duplicate nonces within a time window.
+ */
+export type Nonce = {
+    readonly value: string;
+};
+/**
+ * Creates a unique nonce (default 16 bytes, hex-encoded).
+ *
+ * @param length - Length in bytes (8–64)
+ * @returns Frozen Nonce value object
+ */
+export declare function createNonce(length?: number): Nonce;
+/**
+ * Validates that a string is a valid nonce format (hex, 16–128 chars).
+ */
+export declare function isValidNonce(value: string): boolean;
+/**
+ * Compares two nonces for equality.
+ */
+export declare function equalsNonce(nonce1: Nonce, nonce2: Nonce): boolean;
+//# sourceMappingURL=Nonce.d.ts.map

package/dist/shared/envelope/value-objects/Nonce.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"Nonce.d.ts","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/Nonce.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,MAAM,MAAM,KAAK,GAAG;IAClB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;CACvB,CAAA;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,MAAM,GAAE,MAAW,GAAG,KAAK,CAYtD;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAEnD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,GAAG,OAAO,CAEjE"}

package/dist/shared/envelope/value-objects/Nonce.js ADDED Viewed

@@ -0,0 +1,38 @@
+/**
+ * Nonce – unique value for replay prevention. Immutable value object.
+ *
+ * @remarks
+ * Used by the envelope to bind each wrapped result to a unique value;
+ * verification layer (SDK) should reject duplicate nonces within a time window.
+ */
+import { randomBytes } from 'node:crypto';
+/**
+ * Creates a unique nonce (default 16 bytes, hex-encoded).
+ *
+ * @param length - Length in bytes (8–64)
+ * @returns Frozen Nonce value object
+ */
+export function createNonce(length = 16) {
+    if (length < 8) {
+        throw new Error('Nonce length must be at least 8 bytes');
+    }
+    if (length > 64) {
+        throw new Error('Nonce length must be at most 64 bytes');
+    }
+    const bytes = randomBytes(length);
+    const value = bytes.toString('hex');
+    return Object.freeze({ value });
+}
+/**
+ * Validates that a string is a valid nonce format (hex, 16–128 chars).
+ */
+export function isValidNonce(value) {
+    return /^[a-f0-9]{16,128}$/i.test(value);
+}
+/**
+ * Compares two nonces for equality.
+ */
+export function equalsNonce(nonce1, nonce2) {
+    return nonce1.value === nonce2.value;
+}
+//# sourceMappingURL=Nonce.js.map

package/dist/shared/envelope/value-objects/Nonce.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"Nonce.js","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/Nonce.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAMzC;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,SAAiB,EAAE;IAC7C,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAA;IAC1D,CAAC;IACD,IAAI,MAAM,GAAG,EAAE,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAA;IAC1D,CAAC;IAED,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;IACjC,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAEnC,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAA;AACjC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,OAAO,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;AAC1C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,MAAa,EAAE,MAAa;IACtD,OAAO,MAAM,CAAC,KAAK,KAAK,MAAM,CAAC,KAAK,CAAA;AACtC,CAAC"}

package/dist/shared/envelope/value-objects/Signature.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+/**
+ * Signature – HMAC-SHA256 cryptographic signature. Immutable value object.
+ *
+ * @remarks
+ * Used by the envelope to sign payload + metadata; verification is responsibility of the SDK.
+ */
+import type { SignatureAlgorithm } from '../types.js';
+export type SignatureVO = {
+    readonly value: string;
+    readonly algorithm: SignatureAlgorithm;
+};
+/**
+ * Creates HMAC-SHA256 signature of the given content.
+ *
+ * @param content - String to sign (e.g. JSON.stringify(payload + metadata))
+ * @param secretKey - Secret key for HMAC (must not be logged or serialized)
+ * @returns Frozen Signature value object
+ */
+export declare function createSignature(content: string, secretKey: string): SignatureVO;
+/**
+ * Verifies that a signature matches the content (constant-time comparison should be used in production).
+ */
+export declare function verifySignature(content: string, signature: string, secretKey: string): boolean;
+/**
+ * Validates signature format (64 hex chars for HMAC-SHA256).
+ */
+export declare function isValidSignatureFormat(signature: string): boolean;
+//# sourceMappingURL=Signature.d.ts.map

package/dist/shared/envelope/value-objects/Signature.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"Signature.d.ts","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/Signature.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAA;AAErD,MAAM,MAAM,WAAW,GAAG;IACxB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IACtB,QAAQ,CAAC,SAAS,EAAE,kBAAkB,CAAA;CACvC,CAAA;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,WAAW,CAiB/E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAQT;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAEjE"}

package/dist/shared/envelope/value-objects/Signature.js ADDED Viewed

@@ -0,0 +1,50 @@
+/**
+ * Signature – HMAC-SHA256 cryptographic signature. Immutable value object.
+ *
+ * @remarks
+ * Used by the envelope to sign payload + metadata; verification is responsibility of the SDK.
+ */
+import { createHmac } from 'node:crypto';
+/**
+ * Creates HMAC-SHA256 signature of the given content.
+ *
+ * @param content - String to sign (e.g. JSON.stringify(payload + metadata))
+ * @param secretKey - Secret key for HMAC (must not be logged or serialized)
+ * @returns Frozen Signature value object
+ */
+export function createSignature(content, secretKey) {
+    if (!secretKey || secretKey.length === 0) {
+        throw new Error('Secret key is required for signature generation');
+    }
+    if (typeof content !== 'string') {
+        throw new TypeError('Content must be a string');
+    }
+    const hmac = createHmac('sha256', secretKey);
+    hmac.update(content);
+    const signature = hmac.digest('hex');
+    return Object.freeze({
+        value: signature,
+        algorithm: 'HMAC-SHA256',
+    });
+}
+/**
+ * Verifies that a signature matches the content (constant-time comparison should be used in production).
+ */
+export function verifySignature(content, signature, secretKey) {
+    if (!secretKey || secretKey.length === 0)
+        return false;
+    try {
+        const expected = createSignature(content, secretKey);
+        return expected.value === signature;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Validates signature format (64 hex chars for HMAC-SHA256).
+ */
+export function isValidSignatureFormat(signature) {
+    return /^[a-f0-9]{64}$/i.test(signature);
+}
+//# sourceMappingURL=Signature.js.map

package/dist/shared/envelope/value-objects/Signature.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"Signature.js","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/Signature.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAQxC;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe,EAAE,SAAiB;IAChE,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;IACpE,CAAC;IAED,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,IAAI,SAAS,CAAC,0BAA0B,CAAC,CAAA;IACjD,CAAC;IAED,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAA;IAC5C,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;IACpB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAEpC,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,KAAK,EAAE,SAAS;QAChB,SAAS,EAAE,aAAa;KACzB,CAAC,CAAA;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAC7B,OAAe,EACf,SAAiB,EACjB,SAAiB;IAEjB,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IACtD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,EAAE,SAAS,CAAC,CAAA;QACpD,OAAO,QAAQ,CAAC,KAAK,KAAK,SAAS,CAAA;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,SAAiB;IACtD,OAAO,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AAC1C,CAAC"}

package/dist/shared/envelope/value-objects/index.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Envelope value objects – nonce, metadata, signature
+ */
+export type { Nonce } from './Nonce.js';
+export { createNonce, isValidNonce, equalsNonce } from './Nonce.js';
+export { createMetadata, isValidMetadata } from './Metadata.js';
+export type { SignatureVO } from './Signature.js';
+export { createSignature, verifySignature, isValidSignatureFormat } from './Signature.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/shared/envelope/value-objects/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,YAAY,EAAE,KAAK,EAAE,MAAM,YAAY,CAAA;AACvC,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AACnE,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,eAAe,CAAA;AAC/D,YAAY,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAA"}

package/dist/shared/envelope/value-objects/index.js ADDED Viewed

@@ -0,0 +1,7 @@
+/**
+ * Envelope value objects – nonce, metadata, signature
+ */
+export { createNonce, isValidNonce, equalsNonce } from './Nonce.js';
+export { createMetadata, isValidMetadata } from './Metadata.js';
+export { createSignature, verifySignature, isValidSignatureFormat } from './Signature.js';
+//# sourceMappingURL=index.js.map

package/dist/shared/envelope/value-objects/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AACnE,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,eAAe,CAAA;AAE/D,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAA"}

package/dist/shared/index.d.ts CHANGED Viewed

@@ -5,7 +5,7 @@
  * Lineage handling and AI-PIP audit formatting for clear, flexible auditing.
  */
 export { addLineageEntry, addLineageEntries, filterLineageByStep, getLastLineageEntry } from './lineage.js';
-export { formatLineageForAudit, formatCSLForAudit, formatISLForAudit, formatISLSignalForAudit, formatAALForAudit, formatCPEForAudit, formatPipelineAudit } from './audit.js';
-export type { LineageEntryLike, CSLResultLike, ISLResultLike, ISLSignalLike, DecisionReasonLike, RemovalPlanLike, CPEResultLike } from './audit.js';
+export { formatLineageForAudit, formatCSLForAudit, formatISLForAudit, formatISLSignalForAudit, formatAALForAudit, formatCPEForAudit, formatPipelineAudit, formatPipelineAuditFull, formatPipelineAuditAsJson, createAuditRunId, buildAuditLogEntry, buildFullAuditPayload } from './audit.js';
+export type { LineageEntryLike, CSLResultLike, ISLResultLike, ISLSignalLike, DecisionReasonLike, RemediationPlanLike, CPEResultLike, AuditRunInfo, AuditLogSummary, FullPipelineAuditOptions, PipelineAuditJsonOptions } from './audit.js';
 export type { Position, SegmentRef } from './types.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/shared/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,mBAAmB,EACnB,mBAAmB,EACpB,MAAM,cAAc,CAAA;AAGrB,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,uBAAuB,EACvB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,~~EACpB~~,MAAM,YAAY,CAAA;AAEnB,YAAY,EACV,gBAAgB,EAChB,aAAa,EACb,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,eAAe,EACf,~~aAAa~~,~~EACd~~,MAAM,YAAY,CAAA;AAEnB,YAAY,EACV,QAAQ,EACR,UAAU,EACX,MAAM,YAAY,CAAA"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,mBAAmB,EACnB,mBAAmB,EACpB,MAAM,cAAc,CAAA;AAGrB,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,uBAAuB,EACvB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,uBAAuB,EACvB,yBAAyB,EACzB,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,EACtB,MAAM,YAAY,CAAA;AAEnB,YAAY,EACV,gBAAgB,EAChB,aAAa,EACb,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,mBAAmB,EACnB,aAAa,EACb,YAAY,EACZ,eAAe,EACf,wBAAwB,EACxB,wBAAwB,EACzB,MAAM,YAAY,CAAA;AAEnB,YAAY,EACV,QAAQ,EACR,UAAU,EACX,MAAM,YAAY,CAAA"}

package/dist/shared/index.js CHANGED Viewed

@@ -7,5 +7,5 @@
 // Lineage
 export { addLineageEntry, addLineageEntries, filterLineageByStep, getLastLineageEntry } from './lineage.js';
 // Audit / pretty-print for AI-PIP layers (ordered, human-readable)
-export { formatLineageForAudit, formatCSLForAudit, formatISLForAudit, formatISLSignalForAudit, formatAALForAudit, formatCPEForAudit, formatPipelineAudit } from './audit.js';
+export { formatLineageForAudit, formatCSLForAudit, formatISLForAudit, formatISLSignalForAudit, formatAALForAudit, formatCPEForAudit, formatPipelineAudit, formatPipelineAuditFull, formatPipelineAuditAsJson, createAuditRunId, buildAuditLogEntry, buildFullAuditPayload } from './audit.js';
 //# sourceMappingURL=index.js.map

package/dist/shared/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,UAAU;AACV,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,mBAAmB,EACnB,mBAAmB,EACpB,MAAM,cAAc,CAAA;AAErB,mEAAmE;AACnE,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,uBAAuB,EACvB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,~~EACpB~~,MAAM,YAAY,CAAA"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,UAAU;AACV,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,mBAAmB,EACnB,mBAAmB,EACpB,MAAM,cAAc,CAAA;AAErB,mEAAmE;AACnE,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,uBAAuB,EACvB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,uBAAuB,EACvB,yBAAyB,EACzB,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,EACtB,MAAM,YAAY,CAAA"}

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@ai-pip/core",
-  "version": "0.2.0",
-  "description": "Core implementation of the AI-PIP protocol. Provides layered, zero-trust context processing (CSL, ISL, AAL, CPE)",
+  "version": "0.4.0",
+  "description": "Core implementation of the AI-PIP protocol. Provides layered, zero-trust context processing (CSL, ISL, AAL)",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -27,9 +27,9 @@
       "default": "./dist/AAL/index.js"
     },
     "./cpe": {
-      "types": "./dist/cpe/index.d.ts",
-      "import": "./dist/cpe/index.js",
-      "default": "./dist/cpe/index.js"
+      "types": "./dist/shared/envelope/index.d.ts",
+      "import": "./dist/shared/envelope/index.js",
+      "default": "./dist/shared/envelope/index.js"
     },
     "./shared": {
       "types": "./dist/shared/index.d.ts",
@@ -86,6 +86,11 @@
     "test:watch": "vitest --watch",
     "test:ui": "vitest --ui",
     "test:coverage": "vitest --coverage",
-    "test:install": "node test-package-install.js"
+    "test:install": "node test-package-install.js",
+    "verify-risk": "node scripts/verify-risk-score.mjs",
+    "demo-menu": "node scripts/interactive-risk-menu.mjs",
+    "demo-full": "node scripts/demo-full-flow.mjs",
+    "audit-report": "node scripts/audit-report.mjs",
+    "scan-removal": "node scripts/scan-removal.mjs"
   }
 }