@attested-intelligence/aga-mcp-server 0.1.0
- package/AGA_MCP_SERVER_SPEC.md +632 -0
- package/LICENSE +21 -0
- package/README.md +42 -0
- package/dist/core/artifact.d.ts +19 -0
- package/dist/core/artifact.d.ts.map +1 -0
- package/dist/core/artifact.js +27 -0
- package/dist/core/artifact.js.map +1 -0
- package/dist/core/attestation.d.ts +19 -0
- package/dist/core/attestation.d.ts.map +1 -0
- package/dist/core/attestation.js +12 -0
- package/dist/core/attestation.js.map +1 -0
- package/dist/core/behavioral.d.ts +45 -0
- package/dist/core/behavioral.d.ts.map +1 -0
- package/dist/core/behavioral.js +88 -0
- package/dist/core/behavioral.js.map +1 -0
- package/dist/core/bundle.d.ts +13 -0
- package/dist/core/bundle.d.ts.map +1 -0
- package/dist/core/bundle.js +31 -0
- package/dist/core/bundle.js.map +1 -0
- package/dist/core/chain.d.ts +13 -0
- package/dist/core/chain.d.ts.map +1 -0
- package/dist/core/chain.js +63 -0
- package/dist/core/chain.js.map +1 -0
- package/dist/core/checkpoint.d.ts +8 -0
- package/dist/core/checkpoint.d.ts.map +1 -0
- package/dist/core/checkpoint.js +21 -0
- package/dist/core/checkpoint.js.map +1 -0
- package/dist/core/delegation.d.ts +37 -0
- package/dist/core/delegation.d.ts.map +1 -0
- package/dist/core/delegation.js +104 -0
- package/dist/core/delegation.js.map +1 -0
- package/dist/core/disclosure.d.ts +12 -0
- package/dist/core/disclosure.d.ts.map +1 -0
- package/dist/core/disclosure.js +25 -0
- package/dist/core/disclosure.js.map +1 -0
- package/dist/core/index.d.ts +12 -0
- package/dist/core/index.d.ts.map +1 -0
- package/dist/core/index.js +12 -0
- package/dist/core/index.js.map +1 -0
- package/dist/core/portal.d.ts +28 -0
- package/dist/core/portal.d.ts.map +1 -0
- package/dist/core/portal.js +95 -0
- package/dist/core/portal.js.map +1 -0
- package/dist/core/quarantine.d.ts +8 -0
- package/dist/core/quarantine.d.ts.map +1 -0
- package/dist/core/quarantine.js +13 -0
- package/dist/core/quarantine.js.map +1 -0
- package/dist/core/receipt.d.ts +17 -0
- package/dist/core/receipt.d.ts.map +1 -0
- package/dist/core/receipt.js +17 -0
- package/dist/core/receipt.js.map +1 -0
- package/dist/core/subject.d.ts +4 -0
- package/dist/core/subject.d.ts.map +1 -0
- package/dist/core/subject.js +9 -0
- package/dist/core/subject.js.map +1 -0
- package/dist/core/types.d.ts +167 -0
- package/dist/core/types.d.ts.map +1 -0
- package/dist/core/types.js +2 -0
- package/dist/core/types.js.map +1 -0
- package/dist/crypto/hash.d.ts +9 -0
- package/dist/crypto/hash.d.ts.map +1 -0
- package/dist/crypto/hash.js +30 -0
- package/dist/crypto/hash.js.map +1 -0
- package/dist/crypto/index.d.ts +6 -0
- package/dist/crypto/index.d.ts.map +1 -0
- package/dist/crypto/index.js +6 -0
- package/dist/crypto/index.js.map +1 -0
- package/dist/crypto/merkle.d.ts +8 -0
- package/dist/crypto/merkle.d.ts.map +1 -0
- package/dist/crypto/merkle.js +42 -0
- package/dist/crypto/merkle.js.map +1 -0
- package/dist/crypto/salt.d.ts +5 -0
- package/dist/crypto/salt.d.ts.map +1 -0
- package/dist/crypto/salt.js +14 -0
- package/dist/crypto/salt.js.map +1 -0
- package/dist/crypto/sign.d.ts +11 -0
- package/dist/crypto/sign.d.ts.map +1 -0
- package/dist/crypto/sign.js +37 -0
- package/dist/crypto/sign.js.map +1 -0
- package/dist/crypto/types.d.ts +24 -0
- package/dist/crypto/types.d.ts.map +1 -0
- package/dist/crypto/types.js +2 -0
- package/dist/crypto/types.js.map +1 -0
- package/dist/index.d.ts +3 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +11 -0
- package/dist/index.js.map +1 -0
- package/dist/middleware/governance.d.ts +27 -0
- package/dist/middleware/governance.d.ts.map +1 -0
- package/dist/middleware/governance.js +65 -0
- package/dist/middleware/governance.js.map +1 -0
- package/dist/middleware/index.d.ts +2 -0
- package/dist/middleware/index.d.ts.map +1 -0
- package/dist/middleware/index.js +2 -0
- package/dist/middleware/index.js.map +1 -0
- package/dist/server.d.ts +13 -0
- package/dist/server.d.ts.map +1 -0
- package/dist/server.js +369 -0
- package/dist/server.js.map +1 -0
- package/dist/storage/index.d.ts +4 -0
- package/dist/storage/index.d.ts.map +1 -0
- package/dist/storage/index.js +3 -0
- package/dist/storage/index.js.map +1 -0
- package/dist/storage/interface.d.ts +21 -0
- package/dist/storage/interface.d.ts.map +1 -0
- package/dist/storage/interface.js +2 -0
- package/dist/storage/interface.js.map +1 -0
- package/dist/storage/memory.d.ts +26 -0
- package/dist/storage/memory.d.ts.map +1 -0
- package/dist/storage/memory.js +24 -0
- package/dist/storage/memory.js.map +1 -0
- package/dist/storage/sqlite.d.ts +25 -0
- package/dist/storage/sqlite.d.ts.map +1 -0
- package/dist/storage/sqlite.js +44 -0
- package/dist/storage/sqlite.js.map +1 -0
- package/dist/utils/canonical.d.ts +3 -0
- package/dist/utils/canonical.d.ts.map +1 -0
- package/dist/utils/canonical.js +17 -0
- package/dist/utils/canonical.js.map +1 -0
- package/dist/utils/constants.d.ts +4 -0
- package/dist/utils/constants.d.ts.map +1 -0
- package/dist/utils/constants.js +4 -0
- package/dist/utils/constants.js.map +1 -0
- package/dist/utils/timestamp.d.ts +4 -0
- package/dist/utils/timestamp.d.ts.map +1 -0
- package/dist/utils/timestamp.js +13 -0
- package/dist/utils/timestamp.js.map +1 -0
- package/dist/utils/uuid.d.ts +2 -0
- package/dist/utils/uuid.d.ts.map +1 -0
- package/dist/utils/uuid.js +3 -0
- package/dist/utils/uuid.js.map +1 -0
- package/package.json +45 -0
- package/src/core/artifact.ts +45 -0
- package/src/core/attestation.ts +33 -0
- package/src/core/behavioral.ts +132 -0
- package/src/core/bundle.ts +31 -0
- package/src/core/chain.ts +72 -0
- package/src/core/checkpoint.ts +22 -0
- package/src/core/delegation.ts +146 -0
- package/src/core/disclosure.ts +32 -0
- package/src/core/index.ts +11 -0
- package/src/core/portal.ts +96 -0
- package/src/core/quarantine.ts +16 -0
- package/src/core/receipt.ts +33 -0
- package/src/core/subject.ts +11 -0
- package/src/core/types.ts +244 -0
- package/src/crypto/hash.ts +33 -0
- package/src/crypto/index.ts +5 -0
- package/src/crypto/merkle.ts +43 -0
- package/src/crypto/salt.ts +18 -0
- package/src/crypto/sign.ts +35 -0
- package/src/crypto/types.ts +19 -0
- package/src/index.ts +12 -0
- package/src/middleware/governance.ts +95 -0
- package/src/middleware/index.ts +1 -0
- package/src/server.ts +436 -0
- package/src/storage/index.ts +3 -0
- package/src/storage/interface.ts +21 -0
- package/src/storage/memory.ts +27 -0
- package/src/storage/sqlite.ts +45 -0
- package/src/tools/README.md +13 -0
- package/src/utils/canonical.ts +14 -0
- package/src/utils/constants.ts +3 -0
- package/src/utils/timestamp.ts +12 -0
- package/src/utils/uuid.ts +2 -0
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"delegation.js","sourceRoot":"","sources":["../../src/core/delegation.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC/D,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AA4BlD;;;GAGG;AACH,MAAM,UAAU,cAAc,CAC5B,cAA8B,EAC9B,OAA0B,EAC1B,QAAiB;IAEjB,MAAM,UAAU,GAAG,YAAY,CAAC,cAAc,CAAC,CAAC;IAEhD,iCAAiC;IACjC,IAAI,SAAS,CAAC,cAAc,CAAC,gBAAgB,EAAE,cAAc,CAAC,sBAAsB,CAAC,WAAW,CAAC,EAAE,CAAC;QAClG,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,UAAU,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC;IACxG,CAAC;IAED,iCAAiC;IACjC,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,gBAAgB,CAAC,CAAC;IACnE,MAAM,eAAe,GAAG,cAAc,GAAG,CAAC,cAAc,CAAC,sBAAsB,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IACpG,MAAM,WAAW,GAAG,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACjD,MAAM,gBAAgB,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC,CAAC;IAErE,sCAAsC;IACtC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,qBAAqB,EAAE,gBAAgB,CAAC,CAAC;IAC/E,IAAI,YAAY,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,UAAU,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC;IACrG,CAAC;IAED,yCAAyC;IACzC,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,sBAAsB,CAAC,oBAAoB,CAAC,CAAC;IAC3F,MAAM,eAAe,GAAG,OAAO,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACzF,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,UAAU,EAAE,KAAK,EAAE,kCAAkC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;IACpJ,CAAC;IAED,kDAAkD;IAClD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAS,cAAc,CAAC,sBAAsB,CAAC,iBAAiB,CAAC,CAAC;IAC7F,MAAM,YAAY,GAAG,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAChF,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,UAAU,EAAE,KAAK,EAAE,2CAA2C,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;IAC1J,CAAC;IAED,mCAAmC;IACnC,MAAM,aAAa,GAAG,gBAAgB,CAAC;QACrC,kBAAkB,EAAE,cAAc,CAAC,kBAAkB;QACrD,gBAAgB,EAAE,cAAc,CAAC,gBAAgB;QACjD,cAAc,EAAE,cAAc,CAAC,cAAc
;QAC7C,WAAW,EAAE,cAAc,CAAC,WAAW;QACvC,SAAS,EAAE,cAAc,CAAC,SAAS;QACnC,sBAAsB,EAAE;YACtB,sBAAsB,EAAE,cAAc,CAAC,sBAAsB,CAAC,sBAAsB;YACpF,WAAW,EAAE,YAAY;YACzB,oBAAoB,EAAE,OAAO,CAAC,oBAAoB;YAClD,uBAAuB,EAAE,cAAc,CAAC,sBAAsB,CAAC,uBAAuB;YACtF,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;SAC7C;QACD,iBAAiB,EAAE,cAAc,CAAC,iBAAiB,EAAG,gBAAgB;QACtE,oBAAoB,EAAE,cAAc,CAAC,oBAAoB;QACzD,cAAc,EAAE,QAAQ;KACzB,CAAC,CAAC;IAEH,wBAAwB;IACxB,MAAM,eAAe,GAAG,CAAC,GAAG,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,QAAQ,CAAC,CAAsB,CAAC,CAAC,CAAC;IACxH,MAAM,YAAY,GAAG,CAAC,GAAG,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAoB,CAAC,CAAC,CAAC;IAE7G,OAAO;QACL,OAAO,EAAE,IAAI;QACb,cAAc,EAAE,aAAa;QAC7B,mBAAmB,EAAE,YAAY,CAAC,aAAa,CAAC;QAChD,oBAAoB,EAAE,UAAU;QAChC,qBAAqB,EAAE,YAAY;QACnC,eAAe,EAAE;YACf,gBAAgB,EAAE,eAAe;YACjC,yBAAyB,EAAE,YAAY;SACxC;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAsB,EAAE,KAAqB;IAC9E,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,4BAA4B;IAC5B,IAAI,KAAK,CAAC,sBAAsB,CAAC,WAAW,GAAG,MAAM,CAAC,sBAAsB,CAAC,WAAW,EAAE,CAAC;QACzF,MAAM,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC,sBAAsB,CAAC,WAAW,sBAAsB,MAAM,CAAC,sBAAsB,CAAC,WAAW,IAAI,CAAC,CAAC;IACzI,CAAC;IAED,0BAA0B;IAC1B,MAAM,SAAS,GAAG,IAAI,GAAG,CAAS,MAAM,CAAC,sBAAsB,CAAC,oBAAoB,CAAC,CAAC;IACtF,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,sBAAsB,CAAC,oBAAoB,EAAE,CAAC;QAClE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,uBAAuB,CAAC,CAAC;IACjF,CAAC;IAED,mCAAmC;IACnC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAS,MAAM,CAAC,sBAAsB,CAAC,iBAAiB,CAAC,CAAC;IAChF,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,sBAAsB,CAAC,iBAAiB,EAAE,CAAC;QAC/D,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,uBAAuB,CAAC,CAAC;IACvF,CAAC;IAED,qBAAqB;IACrB,IAAI,KAAK,CAAC,kBAAkB,CAAC,UAAU,KAAK,MAAM,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC;QACjF,MAAM,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;IAChE,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;AAChD,CAAC"}
|
|
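--- a/package/dist/core/disclosure.d.ts
+++ b/package/dist/core/disclosure.d.ts
@@ -0,0 +1,12 @@
+import type { KeyPair } from '../crypto/types.js';
+import type { DisclosureRequest, DisclosurePolicy, SubstitutionReceipt, DisclosureMode } from './types.js';
+export interface DisclosureResult {
+permitted: boolean;
+disclosed_claim_id: string | null;
+disclosed_value: unknown;
+mode: DisclosureMode;
+was_substituted: boolean;
+substitution_receipt: SubstitutionReceipt | null;
+}
+export declare function processDisclosure(req: DisclosureRequest, policy: DisclosurePolicy, values: Record<string, unknown>, policyVersion: number, chainSeq: number, kp: KeyPair): DisclosureResult;
+//# sourceMappingURL=disclosure.d.ts.map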
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"disclosure.d.ts","sourceRoot":"","sources":["../../src/core/disclosure.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE3G,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,OAAO,CAAC;IAAC,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,eAAe,EAAE,OAAO,CAAC;IAChF,IAAI,EAAE,cAAc,CAAC;IAAC,eAAe,EAAE,OAAO,CAAC;IAAC,oBAAoB,EAAE,mBAAmB,GAAG,IAAI,CAAC;CAClG;AAED,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,iBAAiB,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,OAAO,GAAG,gBAAgB,CAa3L"}
|
|
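--- a/package/dist/core/disclosure.js
+++ b/package/dist/core/disclosure.js
@@ -0,0 +1,25 @@
+import { signStr, sigToB64 } from '../crypto/sign.js';
+import { canonicalize } from '../utils/canonical.js';
+import { utcNow } from '../utils/timestamp.js';
+import { uuid } from '../utils/uuid.js';
+export function processDisclosure(req, policy, values, policyVersion, chainSeq, kp) {
+const claim = policy.claims_taxonomy.find(c => c.claim_id === req.requested_claim_id);
+if (!claim)
+return { permitted: false, disclosed_claim_id: null, disclosed_value: null, mode: req.mode, was_substituted: false, substitution_receipt: null };
+if (claim.permitted_modes.includes(req.mode))
+return { permitted: true, disclosed_claim_id: claim.claim_id, disclosed_value: fv(values[claim.claim_id], req.mode), mode: req.mode, was_substituted: false, substitution_receipt: null };
+for (const subId of claim.substitutes) {
+const sub = policy.claims_taxonomy.find(c => c.claim_id === subId);
+if (sub?.permitted_modes.includes(req.mode) && !sub.inference_risks.includes(req.requested_claim_id))
+return { permitted: true, disclosed_claim_id: subId, disclosed_value: fv(values[subId], req.mode), mode: req.mode, was_substituted: true,
+substitution_receipt: sr(req.requested_claim_id, subId, policyVersion, 'SENSITIVITY_DENIED', chainSeq, kp) };
+}
+return { permitted: false, disclosed_claim_id: null, disclosed_value: null, mode: req.mode, was_substituted: false,
+substitution_receipt: sr(req.requested_claim_id, null, policyVersion, 'NO_PERMITTED_SUBSTITUTE', chainSeq, kp) };
+}
+function fv(v, m) { return m === 'PROOF_ONLY' ? v != null : v; }
+function sr(orig, sub, pv, reason, seq, kp) {
+const u = { receipt_id: uuid(), original_claim_id: orig, substitute_claim_id: sub, policy_version: pv, reason_code: reason, timestamp: utcNow(), chain_sequence_ref: seq };
+return { ...u, signature: sigToB64(signStr(canonicalize(u), kp.secretKey)) };
+}
+//# sourceMappingURL=disclosure.js.map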
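Review bot: `values[claim.claim_id]` and `values[subId]` in `processDisclosure` are plain property reads, so a claim id that collides with an inherited member such as `constructor` resolves to the prototype's value, and in `PROOF_ONLY` mode `fv` then reports `true` for a value the subject never supplied. Read own properties only, for example `const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k) ? o[k] : undefined;`, and pass `own(values, claim.claim_id)` and `own(values, subId)` to `fv`. Separately, the unknown-claim branch returns `substitution_receipt: null` while the no-substitute denial is signed, so a denied request for an unknown claim id leaves no signed record; if that is intended it deserves a comment. This file is compiler output, so the change belongs in `package/src/core/disclosure.ts`.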
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"disclosure.js","sourceRoot":"","sources":["../../src/core/disclosure.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AASxC,MAAM,UAAU,iBAAiB,CAAC,GAAsB,EAAE,MAAwB,EAAE,MAA+B,EAAE,aAAqB,EAAE,QAAgB,EAAE,EAAW;IACvK,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,kBAAkB,CAAC,CAAC;IACtF,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,kBAAkB,EAAE,IAAI,EAAE,eAAe,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,oBAAoB,EAAE,IAAI,EAAE,CAAC;IAC7J,IAAI,KAAK,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC;QAC1C,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,CAAC,QAAQ,EAAE,eAAe,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,oBAAoB,EAAE,IAAI,EAAE,CAAC;IAC5L,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QACtC,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC;QACnE,IAAI,GAAG,EAAE,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,kBAAkB,CAAC;YAClG,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,eAAe,EAAE,IAAI;gBACtI,oBAAoB,EAAE,EAAE,CAAC,GAAG,CAAC,kBAAkB,EAAE,KAAK,EAAE,aAAa,EAAE,oBAAoB,EAAE,QAAQ,EAAE,EAAE,CAAC,EAAE,CAAC;IACnH,CAAC;IACD,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,kBAAkB,EAAE,IAAI,EAAE,eAAe,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,eAAe,EAAE,KAAK;QAChH,oBAAoB,EAAE,EAAE,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,aAAa,EAAE,yBAAyB,EAAE,QAAQ,EAAE,EAAE,CAAC,EAAE,CAAC;AACrH,CAAC;AAED,SAAS,EAAE,CAAC,CAAU,EAAE,CAAiB,IAAa,OAAO,CAAC,KAAK,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAClG,SAAS,EAAE,CAAC,IAAY,EAAE,GAAkB,EAAE,EAAU,EAAE,MAAc,EAAE,GAAW,EAAE,EAAW;IAChG,MAA
M,CAAC,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE,mBAAmB,EAAE,GAAG,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,kBAAkB,EAAE,GAAG,EAAE,CAAC;IAC3K,OAAO,EAAE,GAAG,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;AAC/E,CAAC"}
|
|
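--- a/package/dist/core/index.d.ts
+++ b/package/dist/core/index.d.ts
@@ -0,0 +1,12 @@
+export * from './types.js';
+export * from './subject.js';
+export * from './attestation.js';
+export * from './artifact.js';
+export * from './receipt.js';
+export * from './chain.js';
+export * from './portal.js';
+export * from './quarantine.js';
+export * from './checkpoint.js';
+export * from './bundle.js';
+export * from './disclosure.js';
+//# sourceMappingURL=index.d.ts.map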
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,cAAc,cAAc,CAAC;AAC7B,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC"}
|
|
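--- a/package/dist/core/index.js
+++ b/package/dist/core/index.js
@@ -0,0 +1,12 @@
+export * from './types.js';
+export * from './subject.js';
+export * from './attestation.js';
+export * from './artifact.js';
+export * from './receipt.js';
+export * from './chain.js';
+export * from './portal.js';
+export * from './quarantine.js';
+export * from './checkpoint.js';
+export * from './bundle.js';
+export * from './disclosure.js';
+//# sourceMappingURL=index.js.map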
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,cAAc,cAAc,CAAC;AAC7B,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC"}
|
|
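--- a/package/dist/core/portal.d.ts
+++ b/package/dist/core/portal.d.ts
@@ -0,0 +1,28 @@
+import type { PolicyArtifact, PortalState, EnforcementAction, SubjectMetadata } from './types.js';
+import type { HashHex } from '../crypto/types.js';
+export interface MeasurementResult {
+match: boolean;
+currentBytesHash: HashHex;
+currentMetaHash: HashHex;
+expectedBytesHash: HashHex;
+expectedMetaHash: HashHex;
+ttl_ok: boolean;
+revoked: boolean;
+}
+export declare class Portal {
+state: PortalState;
+artifact: PolicyArtifact | null;
+sequenceCounter: number;
+lastLeafHash: HashHex | null;
+revocations: Set<string>;
+loadArtifact(artifact: PolicyArtifact, pinnedPkHex: string): {
+ok: boolean;
+error?: string;
+};
+measure(subjectBytes: Uint8Array, meta: SubjectMetadata): MeasurementResult;
+enforce(action: EnforcementAction): void;
+revoke(sealedHash: string): void;
+isRevoked(sealedHash: string): boolean;
+reset(): void;
+}
+//# sourceMappingURL=portal.d.ts.map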
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../src/core/portal.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClG,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,gBAAgB,EAAE,OAAO,CAAC;IAC1B,eAAe,EAAE,OAAO,CAAC;IACzB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,MAAM;IACjB,KAAK,EAAE,WAAW,CAAoB;IACtC,QAAQ,EAAE,cAAc,GAAG,IAAI,CAAQ;IACvC,eAAe,SAAK;IACpB,YAAY,EAAE,OAAO,GAAG,IAAI,CAAQ;IACpC,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAa;IAErC,YAAY,CAAC,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,GAAG;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAiB5F,OAAO,CAAC,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,eAAe,GAAG,iBAAiB;IA4B3E,OAAO,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI;IAUxC,MAAM,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAKhC,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAEtC,KAAK,IAAI,IAAI;CAId"}
|
|
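--- a/package/dist/core/portal.js
+++ b/package/dist/core/portal.js
@@ -0,0 +1,95 @@
+/**
+* Portal (Sentinel) — Runtime Enforcement Boundary. Ref 150, 270-280.
+* V3: TTL + revocation checked every measurement. Fail-closed semantics.
+* Aligned with NCCoE filing Sections 3-4 and NIST-2025-0035.
+*/
+import { sha256Bytes, sha256Str } from '../crypto/hash.js';
+import { b64ToSig, hexToPk, verifyStr } from '../crypto/sign.js';
+import { canonicalize } from '../utils/canonical.js';
+import { isWithinPeriod, isExpired, utcNow } from '../utils/timestamp.js';
+export class Portal {
+state = 'INITIALIZATION';
+artifact = null;
+sequenceCounter = 0;
+lastLeafHash = null;
+revocations = new Set();
+loadArtifact(artifact, pinnedPkHex) {
+this.state = 'ARTIFACT_VERIFICATION';
+const { signature, ...unsigned } = artifact;
+if (!verifyStr(b64ToSig(signature), canonicalize(unsigned), hexToPk(pinnedPkHex))) {
+this.state = 'TERMINATED';
+return { ok: false, error: 'Signature verification failed' };
+}
+if (!isWithinPeriod(utcNow(), artifact.effective_timestamp, artifact.expiration_timestamp)) {
+this.state = 'TERMINATED';
+return { ok: false, error: 'Artifact outside effective period' };
+}
+if (this.revocations.has(artifact.sealed_hash)) {
+this.state = 'TERMINATED';
+return { ok: false, error: 'Artifact has been revoked' };
+}
+this.artifact = artifact;
+this.state = 'ACTIVE_MONITORING';
+return { ok: true };
+}
+measure(subjectBytes, meta) {
+if (!this.artifact)
+throw new Error('No artifact loaded');
+if (this.state === 'TERMINATED')
+throw new Error('Portal is terminated');
+const empty = { currentBytesHash: '', currentMetaHash: '',
+expectedBytesHash: this.artifact.subject_identifier.bytes_hash,
+expectedMetaHash: this.artifact.subject_identifier.metadata_hash };
+// Fail-closed: TTL check
+const ttl_ok = !isExpired(this.artifact.issued_timestamp, this.artifact.enforcement_parameters.ttl_seconds);
+if (!ttl_ok) {
+this.state = 'TERMINATED';
+return { match: false, ttl_ok: false, revoked: false, ...empty };
+}
+// Fail-closed: revocation check
+if (this.revocations.has(this.artifact.sealed_hash)) {
+this.state = 'TERMINATED';
+return { match: false, ttl_ok: true, revoked: true, ...empty };
+}
+const currentBytesHash = sha256Bytes(subjectBytes);
+const currentMetaHash = sha256Str(canonicalize(meta));
+const match = currentBytesHash === this.artifact.subject_identifier.bytes_hash &&
+currentMetaHash === this.artifact.subject_identifier.metadata_hash;
+if (!match && this.state === 'ACTIVE_MONITORING')
+this.state = 'DRIFT_DETECTED';
+return { match, currentBytesHash, currentMetaHash,
+expectedBytesHash: this.artifact.subject_identifier.bytes_hash,
+expectedMetaHash: this.artifact.subject_identifier.metadata_hash,
+ttl_ok: true, revoked: false };
+}
+enforce(action) {
+if (this.state !== 'DRIFT_DETECTED')
+throw new Error(`Cannot enforce in state ${this.state}`);
+switch (action) {
+case 'TERMINATE':
+case 'SAFE_STATE':
+this.state = 'TERMINATED';
+break;
+case 'QUARANTINE':
+this.state = 'PHANTOM_QUARANTINE';
+break;
+case 'ALERT_ONLY':
+this.state = 'ACTIVE_MONITORING';
+break;
+default: break;
+}
+}
+revoke(sealedHash) {
+this.revocations.add(sealedHash);
+if (this.artifact?.sealed_hash === sealedHash)
+this.state = 'TERMINATED';
+}
+isRevoked(sealedHash) { return this.revocations.has(sealedHash); }
+reset() {
+this.state = 'INITIALIZATION';
+this.artifact = null;
+this.sequenceCounter = 0;
+this.lastLeafHash = null;
+}
+}
+//# sourceMappingURL=portal.js.map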
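Review bot: `measure()` re-checks only `isExpired(issued_timestamp, ttl_seconds)` and the revocation set, while `expiration_timestamp` is enforced once in `loadArtifact`, so a long-running Portal keeps measuring against an artifact past its stated expiry whenever the TTL window reaches beyond it (whether issuers ever set it that way is not visible here). Re-check the period alongside the TTL test: `const ttl_ok = !isExpired(this.artifact.issued_timestamp, this.artifact.enforcement_parameters.ttl_seconds) && isWithinPeriod(utcNow(), this.artifact.effective_timestamp, this.artifact.expiration_timestamp);`. In `enforce()`, `default: break;` leaves the state at `DRIFT_DETECTED` for an unrecognised action, which does not match the fail-closed header comment; `default: this.state = 'TERMINATED'; break;` would. This file is compiler output, so both changes belong in `package/src/core/portal.ts`.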
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"portal.js","sourceRoot":"","sources":["../../src/core/portal.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAc1E,MAAM,OAAO,MAAM;IACjB,KAAK,GAAgB,gBAAgB,CAAC;IACtC,QAAQ,GAA0B,IAAI,CAAC;IACvC,eAAe,GAAG,CAAC,CAAC;IACpB,YAAY,GAAmB,IAAI,CAAC;IACpC,WAAW,GAAgB,IAAI,GAAG,EAAE,CAAC;IAErC,YAAY,CAAC,QAAwB,EAAE,WAAmB;QACxD,IAAI,CAAC,KAAK,GAAG,uBAAuB,CAAC;QACrC,MAAM,EAAE,SAAS,EAAE,GAAG,QAAQ,EAAE,GAAG,QAAQ,CAAC;QAC5C,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,YAAY,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;YAClF,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC;QAC1F,CAAC;QACD,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,EAAE,QAAQ,CAAC,mBAAmB,EAAE,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC3F,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC;QAC9F,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC/C,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC;QACtF,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,KAAK,GAAG,mBAAmB,CAAC;QACjC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAED,OAAO,CAAC,YAAwB,EAAE,IAAqB;QACrD,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;QAC1D,IAAI,IAAI,CAAC,KAAK,KAAK,YAAY;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACzE,MAAM,KAAK,GAAG,EAAE,gBAAgB,EAAE,EAAE,EAAE,eAAe,EAAE,EAAE;YACvD,iBAAiB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,UAAU;YAC9D,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,aAAa,EAAE,CAAC;QAErE,yBAAyB;QACzB,MAAM,MAAM,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,WAAW,CAAC,CAAC;QAC5G,IAAI,CAAC,MAAM,EAAE,CAAC;YAAC,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,
GAAG,KAAK,EAAE,CAAC;QAAC,CAAC;QAE7G,gCAAgC;QAChC,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,KAAK,EAAE,CAAC;QAC5F,CAAC;QAED,MAAM,gBAAgB,GAAG,WAAW,CAAC,YAAY,CAAC,CAAC;QACnD,MAAM,eAAe,GAAG,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QACtD,MAAM,KAAK,GAAG,gBAAgB,KAAK,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,UAAU;YAChE,eAAe,KAAK,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,aAAa,CAAC;QAEjF,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,KAAK,mBAAmB;YAAE,IAAI,CAAC,KAAK,GAAG,gBAAgB,CAAC;QAChF,OAAO,EAAE,KAAK,EAAE,gBAAgB,EAAE,eAAe;YAC/C,iBAAiB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,UAAU;YAC9D,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,aAAa;YAChE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IACnC,CAAC;IAED,OAAO,CAAC,MAAyB;QAC/B,IAAI,IAAI,CAAC,KAAK,KAAK,gBAAgB;YAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QAC9F,QAAQ,MAAM,EAAE,CAAC;YACf,KAAK,WAAW,CAAC;YAAC,KAAK,YAAY;gBAAE,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;gBAAC,MAAM;YACtE,KAAK,YAAY;gBAAE,IAAI,CAAC,KAAK,GAAG,oBAAoB,CAAC;gBAAC,MAAM;YAC5D,KAAK,YAAY;gBAAE,IAAI,CAAC,KAAK,GAAG,mBAAmB,CAAC;gBAAC,MAAM;YAC3D,OAAO,CAAC,CAAC,MAAM;QACjB,CAAC;IACH,CAAC;IAED,MAAM,CAAC,UAAkB;QACvB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACjC,IAAI,IAAI,CAAC,QAAQ,EAAE,WAAW,KAAK,UAAU;YAAE,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;IAC3E,CAAC;IAED,SAAS,CAAC,UAAkB,IAAa,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAEnF,KAAK;QACH,IAAI,CAAC,KAAK,GAAG,gBAAgB,CAAC;QAAC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QACpD,IAAI,CAAC,eAAe,GAAG,CAAC,CAAC;QAAC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;IACrD,CAAC;CACF"}
|
|
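--- a/package/dist/core/quarantine.d.ts
+++ b/package/dist/core/quarantine.d.ts
@@ -0,0 +1,8 @@
+import type { QuarantineState } from './types.js';
+export declare function initQuarantine(): QuarantineState;
+export declare function captureInput(q: QuarantineState, inputType: string, data: unknown): void;
+export declare function releaseQuarantine(q: QuarantineState): {
+duration_ms: number;
+total_captures: number;
+};
+//# sourceMappingURL=quarantine.d.ts.map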
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"quarantine.d.ts","sourceRoot":"","sources":["../../src/core/quarantine.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,wBAAgB,cAAc,IAAI,eAAe,CAEhD;AAED,wBAAgB,YAAY,CAAC,CAAC,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,IAAI,CAGvF;AAED,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,eAAe,GAAG;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,cAAc,EAAE,MAAM,CAAA;CAAE,CAGrG"}
|
|
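--- a/package/dist/core/quarantine.js
+++ b/package/dist/core/quarantine.js
@@ -0,0 +1,13 @@
+import { utcNow } from '../utils/timestamp.js';
+export function initQuarantine() {
+return { active: true, started_at: utcNow(), inputs_captured: 0, outputs_severed: true, forensic_buffer: [] };
+}
+export function captureInput(q, inputType, data) {
+q.forensic_buffer.push({ timestamp: utcNow(), type: inputType, data });
+q.inputs_captured++;
+}
+export function releaseQuarantine(q) {
+q.active = false;
+return { duration_ms: q.started_at ? Date.now() - Date.parse(q.started_at) : 0, total_captures: q.inputs_captured };
+}
+//# sourceMappingURL=quarantine.js.map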
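Review bot: `captureInput` appends to `q.forensic_buffer` with no bound and without checking `q.active`, so a quarantined subject that keeps receiving input grows memory without limit, and captures are still recorded after `releaseQuarantine` has run. Add `if (!q.active) return;` as the first statement and cap the buffer at a configured size, still incrementing `inputs_captured` for entries that are dropped so the count stays truthful. `data` is stored by reference, so a caller that mutates the object later changes the forensic record; storing a copy or a hash at capture time keeps the evidence stable. This file is compiler output, so the change belongs in `package/src/core/quarantine.ts`.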
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"quarantine.js","sourceRoot":"","sources":["../../src/core/quarantine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAG/C,MAAM,UAAU,cAAc;IAC5B,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,EAAE,eAAe,EAAE,CAAC,EAAE,eAAe,EAAE,IAAI,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;AAChH,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,CAAkB,EAAE,SAAiB,EAAE,IAAa;IAC/E,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvE,CAAC,CAAC,eAAe,EAAE,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,CAAkB;IAClD,CAAC,CAAC,MAAM,GAAG,KAAK,CAAC;IACjB,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,eAAe,EAAE,CAAC;AACtH,CAAC"}
|
|
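--- a/package/dist/core/receipt.d.ts
+++ b/package/dist/core/receipt.d.ts
@@ -0,0 +1,17 @@
+import type { KeyPair, HashHex } from '../crypto/types.js';
+import type { SignedReceipt, SubjectIdentifier, EnforcementAction } from './types.js';
+export interface ReceiptInput {
+subjectId: SubjectIdentifier;
+artifactRef: HashHex;
+currentHash: string;
+sealedHash: string;
+driftDetected: boolean;
+driftDescription: string | null;
+action: EnforcementAction | null;
+measurementType: string;
+seq: number;
+prevLeaf: HashHex | null;
+portalKP: KeyPair;
+}
+export declare function generateReceipt(input: ReceiptInput): SignedReceipt;
+//# sourceMappingURL=receipt.d.ts.map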
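Review bot: `ReceiptInput` types `currentHash`, `sealedHash` and `measurementType` as plain `string`, while `artifactRef` two lines above uses `HashHex` and `./types.js` declares a `MeasurementType` union. All three values are copied into a receipt that is then signed, so the looser types let a malformed digest or an unlisted measurement label be attested without the compiler objecting; `SignedReceipt` in `types.d.ts` has the same three fields typed as `string`. If free-form measurement labels are not intended, I would narrow them in the TypeScript source this declaration is generated from: `currentHash: HashHex; sealedHash: HashHex; measurementType: MeasurementType;`.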
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"receipt.d.ts","sourceRoot":"","sources":["../../src/core/receipt.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC3D,OAAO,KAAK,EAAE,aAAa,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEtF,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,iBAAiB,CAAC;IAC7B,WAAW,EAAE,OAAO,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,OAAO,CAAC;IACvB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,MAAM,EAAE,iBAAiB,GAAG,IAAI,CAAC;IACjC,eAAe,EAAE,MAAM,CAAC;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,OAAO,GAAG,IAAI,CAAC;IACzB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,YAAY,GAAG,aAAa,CAUlE"}
|
|
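--- a/package/dist/core/receipt.js
+++ b/package/dist/core/receipt.js
@@ -0,0 +1,17 @@
+/** V3: measurement_type field. Receipts generated for EVERY measurement. */
+import { signStr, sigToB64 } from '../crypto/sign.js';
+import { canonicalize } from '../utils/canonical.js';
+import { utcNow } from '../utils/timestamp.js';
+import { uuid } from '../utils/uuid.js';
+export function generateReceipt(input) {
+const unsigned = {
+receipt_id: uuid(), subject_identifier: input.subjectId,
+artifact_reference: input.artifactRef, current_hash: input.currentHash,
+sealed_hash: input.sealedHash, drift_detected: input.driftDetected,
+drift_description: input.driftDescription, enforcement_action: input.action,
+measurement_type: input.measurementType, timestamp: utcNow(),
+sequence_number: input.seq, previous_leaf_hash: input.prevLeaf,
+};
+return { ...unsigned, portal_signature: sigToB64(signStr(canonicalize(unsigned), input.portalKP.secretKey)) };
+}
+//# sourceMappingURL=receipt.js.map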
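Review bot: `generateReceipt` signs `drift_detected` exactly as the caller passed it and never compares it with `current_hash` and `sealed_hash`, so the portal key can end up attesting a receipt that says no drift while the two hashes differ. The caller may already enforce this, but that code is not in this section, and a signed record is the place where the contradiction matters most to a later verifier. Unless drift is defined more loosely elsewhere, I would add a guard before building `unsigned`: `if (!input.driftDetected && input.currentHash !== input.sealedHash) throw new Error('driftDetected is false but hashes differ');`.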
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"receipt.js","sourceRoot":"","sources":["../../src/core/receipt.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAC5E,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAkBxC,MAAM,UAAU,eAAe,CAAC,KAAmB;IACjD,MAAM,QAAQ,GAAG;QACf,UAAU,EAAE,IAAI,EAAE,EAAE,kBAAkB,EAAE,KAAK,CAAC,SAAS;QACvD,kBAAkB,EAAE,KAAK,CAAC,WAAW,EAAE,YAAY,EAAE,KAAK,CAAC,WAAW;QACtE,WAAW,EAAE,KAAK,CAAC,UAAU,EAAE,cAAc,EAAE,KAAK,CAAC,aAAa;QAClE,iBAAiB,EAAE,KAAK,CAAC,gBAAgB,EAAE,kBAAkB,EAAE,KAAK,CAAC,MAAM;QAC3E,gBAAgB,EAAE,KAAK,CAAC,eAAe,EAAE,SAAS,EAAE,MAAM,EAAE;QAC5D,eAAe,EAAE,KAAK,CAAC,GAAG,EAAE,kBAAkB,EAAE,KAAK,CAAC,QAAQ;KAC/D,CAAC;IACF,OAAO,EAAE,GAAG,QAAQ,EAAE,gBAAgB,EAAE,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;AAChH,CAAC"}
|
|
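--- a/package/dist/core/subject.d.ts
+++ b/package/dist/core/subject.d.ts
@@ -0,0 +1,4 @@
+import type { SubjectIdentifier, SubjectMetadata } from './types.js';
+export declare function computeSubjectId(bytes: Uint8Array, meta: SubjectMetadata): SubjectIdentifier;
+export declare function computeSubjectIdFromString(content: string, meta: SubjectMetadata): SubjectIdentifier;
+//# sourceMappingURL=subject.d.ts.map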
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"subject.d.ts","sourceRoot":"","sources":["../../src/core/subject.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAErE,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,eAAe,GAAG,iBAAiB,CAE5F;AAED,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,GAAG,iBAAiB,CAEpG"}
|
|
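--- a/package/dist/core/subject.js
+++ b/package/dist/core/subject.js
@@ -0,0 +1,9 @@
+import { sha256Bytes, sha256Str } from '../crypto/hash.js';
+import { canonicalize } from '../utils/canonical.js';
+export function computeSubjectId(bytes, meta) {
+return { bytes_hash: sha256Bytes(bytes), metadata_hash: sha256Str(canonicalize(meta)) };
+}
+export function computeSubjectIdFromString(content, meta) {
+return computeSubjectId(new TextEncoder().encode(content), meta);
+}
+//# sourceMappingURL=subject.js.map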
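Review bot: `computeSubjectIdFromString` hashes whatever `new TextEncoder().encode(content)` produces, and neither function documents that the resulting `bytes_hash` covers the UTF-8 encoding of the string rather than the bytes of the original artifact. A string read from a file with a BOM, another encoding, or normalised line endings yields a different `bytes_hash` than `computeSubjectId` over the raw file. `TextEncoder` also replaces unpaired surrogates with U+FFFD, so two distinct strings can share an identifier. I would add a comment such as `/** Hashes the UTF-8 encoding of content; use computeSubjectId when the original bytes are available. */`.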
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"subject.js","sourceRoot":"","sources":["../../src/core/subject.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAGrD,MAAM,UAAU,gBAAgB,CAAC,KAAiB,EAAE,IAAqB;IACvE,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,KAAK,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;AAC1F,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,OAAe,EAAE,IAAqB;IAC/E,OAAO,gBAAgB,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,CAAC;AACnE,CAAC"}
|
|
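--- a/package/dist/core/types.d.ts
+++ b/package/dist/core/types.d.ts
@@ -0,0 +1,167 @@
+/**
+* V3: Aligned with NIST-2025-0035 and NCCoE AI Agent Identity filings.
+* Every interface annotated with patent reference numeral.
+*/
+import type { HashHex, SignatureBase64, SaltHex, MerkleInclusionProof } from '../crypto/types.js';
+export interface SubjectIdentifier {
+bytes_hash: HashHex;
+metadata_hash: HashHex;
+}
+export interface SubjectMetadata {
+filename?: string;
+creation_timestamp?: string;
+author?: string;
+version?: string;
+content_type?: string;
+[key: string]: unknown;
+}
+export type EnforcementAction = 'TERMINATE' | 'QUARANTINE' | 'NETWORK_ISOLATE' | 'SAFE_STATE' | 'KEY_REVOKE' | 'TOKEN_INVALIDATE' | 'ACTUATOR_DISCONNECT' | 'ALERT_ONLY';
+export type MeasurementType = 'EXECUTABLE_IMAGE' | 'LOADED_MODULES' | 'CONTAINER_IMAGE' | 'CONFIG_MANIFEST' | 'SBOM' | 'TEE_QUOTE' | 'MEMORY_REGIONS' | 'CONTROL_FLOW' | 'FILE_SYSTEM_STATE' | 'NETWORK_CONFIG';
+export interface EnforcementParams {
+measurement_cadence_ms: number;
+ttl_seconds: number;
+enforcement_triggers: EnforcementAction[];
+re_attestation_required: boolean;
+measurement_types: MeasurementType[];
+}
+export type Sensitivity = 'S1_LOW' | 'S2_MODERATE' | 'S3_HIGH' | 'S4_CRITICAL';
+export type DisclosureMode = 'PROOF_ONLY' | 'REVEAL_MIN' | 'REVEAL_FULL';
+export interface ClaimRecord {
+claim_id: string;
+sensitivity: Sensitivity;
+substitutes: string[];
+inference_risks: string[];
+permitted_modes: DisclosureMode[];
+}
+export interface SubstitutionRule {
+original_claim_id: string;
+substitute_claim_id: string;
+conditions: Record<string, unknown>;
+}
+export interface DisclosurePolicy {
+claims_taxonomy: ClaimRecord[];
+substitution_rules: SubstitutionRule[];
+}
+export interface EvidenceCommitmentRecord {
+commitment: HashHex;
+salt: SaltHex;
+label: string;
+}
+export interface PolicyArtifact {
+schema_version: string;
+protocol_version: string;
+subject_identifier: SubjectIdentifier;
+policy_reference: HashHex;
+policy_version: number;
+sealed_hash: HashHex;
+seal_salt: SaltHex;
+issued_timestamp: string;
+effective_timestamp: string;
+expiration_timestamp: string | null;
+issuer_identifier: string;
+enforcement_parameters: EnforcementParams;
+disclosure_policy: DisclosurePolicy;
+evidence_commitments: EvidenceCommitmentRecord[];
+signature: SignatureBase64;
+}
+export interface SignedReceipt {
+receipt_id: string;
+subject_identifier: SubjectIdentifier;
+artifact_reference: HashHex;
+current_hash: string;
+sealed_hash: string;
+drift_detected: boolean;
+drift_description: string | null;
+enforcement_action: EnforcementAction | null;
+measurement_type: string;
+timestamp: string;
+sequence_number: number;
+previous_leaf_hash: HashHex | null;
+portal_signature: SignatureBase64;
+}
+export type EventType = 'GENESIS' | 'POLICY_ISSUANCE' | 'INTERACTION_RECEIPT' | 'REVOCATION' | 'ATTESTATION' | 'ANCHOR_BATCH' | 'DISCLOSURE' | 'SUBSTITUTION' | 'KEY_ROTATION';
+export interface GenesisPayload {
+protocol_version: string;
+taxonomy_version: string;
+root_fingerprint: string;
+specification_hash: HashHex;
+marker: 'GENESIS';
+}
+export interface ContinuityEvent {
+schema_version: string;
+protocol_version: string;
+event_type: EventType;
+event_id: string;
+sequence_number: number;
+timestamp: string;
+previous_leaf_hash: HashHex | null;
+leaf_hash: HashHex;
+payload: unknown;
+payload_hash: HashHex;
+event_signature: SignatureBase64;
+}
+export interface StructuralMetadata {
+schema_version: string;
+protocol_version: string;
+event_type: EventType;
+event_id: string;
+sequence_number: number;
+timestamp: string;
+previous_leaf_hash: HashHex | null;
+}
+export interface CheckpointReference {
+merkle_root: HashHex;
+batch_start_sequence: number;
+batch_end_sequence: number;
+anchor_network: string;
+transaction_id: string;
+timestamp: string;
+}
+export interface AnchorBatchPayload {
+checkpoint_reference: CheckpointReference;
+leaf_count: number;
+}
+export interface EvidenceBundle {
+artifact: PolicyArtifact;
+receipts: SignedReceipt[];
+merkle_proofs: MerkleInclusionProof[];
+checkpoint_reference: CheckpointReference;
+public_key: string;
+bundle_signature: SignatureBase64;
+}
+export interface DisclosureRequest {
+requested_claim_id: string;
+requester_id: string;
+mode: DisclosureMode;
+timestamp: string;
+}
+export interface SubstitutionReceipt {
+receipt_id: string;
+original_claim_id: string;
+substitute_claim_id: string | null;
+policy_version: number;
+reason_code: string;
+timestamp: string;
+chain_sequence_ref: number;
+signature: SignatureBase64;
+}
+export type PortalState = 'INITIALIZATION' | 'ARTIFACT_VERIFICATION' | 'ACTIVE_MONITORING' | 'DRIFT_DETECTED' | 'PHANTOM_QUARANTINE' | 'TERMINATED';
+export type VerificationTier = 'BRONZE' | 'SILVER' | 'GOLD';
+export interface RevocationRecord {
+artifact_sealed_hash: HashHex;
+reason: string;
+revoked_by: string;
+timestamp: string;
+}
+export interface QuarantineState {
+active: boolean;
+started_at: string | null;
+inputs_captured: number;
+outputs_severed: boolean;
+forensic_buffer: Array<{
+timestamp: string;
+type: string;
+data: unknown;
+}>;
+}
+//# sourceMappingURL=types.d.ts.map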
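Review bot: `EvidenceBundle` carries its own `public_key` next to `bundle_signature`, and nothing in the declaration says which key a verifier is supposed to trust. Checking the signature against the key found inside the bundle shows only that the bundle is self-consistent, not that it came from the expected portal. The verification code is not in this section, so this is a concern about the documented contract rather than a confirmed flaw. I would add a comment on the field in the TypeScript source, e.g. `/** Convenience copy only; verifiers must compare it with a pinned issuer key before accepting bundle_signature. */`.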
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAIlG,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,OAAO,CAAC;IACpB,aAAa,EAAE,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAID,MAAM,MAAM,iBAAiB,GACzB,WAAW,GACX,YAAY,GACZ,iBAAiB,GACjB,YAAY,GACZ,YAAY,GACZ,kBAAkB,GAClB,qBAAqB,GACrB,YAAY,CAAC;AAEjB,MAAM,MAAM,eAAe,GACvB,kBAAkB,GAAG,gBAAgB,GAAG,iBAAiB,GACzD,iBAAiB,GAAI,MAAM,GAAa,WAAW,GACnD,gBAAgB,GAAK,cAAc,GAAK,mBAAmB,GAC3D,gBAAgB,CAAC;AAErB,MAAM,WAAW,iBAAiB;IAChC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,oBAAoB,EAAE,iBAAiB,EAAE,CAAC;IAC1C,uBAAuB,EAAE,OAAO,CAAC;IACjC,iBAAiB,EAAE,eAAe,EAAE,CAAC;CACtC;AAID,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,aAAa,GAAG,SAAS,GAAG,aAAa,CAAC;AAC/E,MAAM,MAAM,cAAc,GAAG,YAAY,GAAG,YAAY,GAAG,aAAa,CAAC;AAEzE,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,WAAW,CAAC;IACzB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,eAAe,EAAE,cAAc,EAAE,CAAC;CACnC;AAED,MAAM,WAAW,gBAAgB;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,MAAM,WAAW,gBAAgB;IAC/B,eAAe,EAAE,WAAW,EAAE,CAAC;IAC/B,kBAAkB,EAAE,gBAAgB,EAAE,CAAC;CACxC;AAID,MAAM,WAAW,wBAAwB;IACvC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAID,MAAM,WAAW,cAAc;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,iBAAiB,CAAC;IACtC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,sBAAsB,EAAE,iBAAiB,CAAC;IAC1C,iBAAiB,EAAE,gBAAgB,CAAC;IACpC,oBAAoB,EAAE,wBAAwB,EAAE,CAAC;I
ACjD,SAAS,EAAE,eAAe,CAAC;CAC5B;AAMD,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,iBAAiB,CAAC;IACtC,kBAAkB,EAAE,OAAO,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,kBAAkB,EAAE,iBAAiB,GAAG,IAAI,CAAC;IAC7C,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;IACnC,gBAAgB,EAAE,eAAe,CAAC;CACnC;AAID,MAAM,MAAM,SAAS,GACjB,SAAS,GACT,iBAAiB,GACjB,qBAAqB,GACrB,YAAY,GACZ,aAAa,GACb,cAAc,GACd,YAAY,GACZ,cAAc,GACd,cAAc,CAAC;AAEnB,MAAM,WAAW,cAAc;IAC7B,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,MAAM,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,SAAS,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;IACnC,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,EAAE,eAAe,CAAC;CAClC;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,SAAS,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;CACpC;AAID,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,OAAO,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,oBAAoB,EAAE,mBAAmB,CAAC;IAC1C,UAAU,EAAE,MAAM,CAAC;CACpB;AAID,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,aAAa,EAAE,CAAC;IAC1B,aAAa,EAAE,oBAAoB,EAAE,CAAC;IACtC,oBAAoB,EAAE,mBAAmB,CAAC;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,eAAe,CAAC;CACnC;AAID,MAAM,WAAW,iBAAiB;IAChC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;
IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,SAAS,EAAE,eAAe,CAAC;CAC5B;AAID,MAAM,MAAM,WAAW,GACnB,gBAAgB,GAChB,uBAAuB,GACvB,mBAAmB,GACnB,gBAAgB,GAChB,oBAAoB,GACpB,YAAY,CAAC;AAEjB,MAAM,MAAM,gBAAgB,GAAG,QAAQ,GAAG,QAAQ,GAAG,MAAM,CAAC;AAM5D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,OAAO,CAAC;IAChB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,OAAO,CAAC;IACzB,eAAe,EAAE,KAAK,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;CAC5E"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":""}
|
|
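--- a/package/dist/crypto/hash.d.ts
+++ b/package/dist/crypto/hash.d.ts
@@ -0,0 +1,9 @@
+import type { HashHex } from './types.js';
+export declare function sha256Bytes(data: Uint8Array): HashHex;
+export declare function sha256Str(data: string): HashHex;
+export declare function blake2b256(data: Uint8Array): HashHex;
+/** Concatenate inputs (NO delimiter) and SHA-256. Patent Section D: "no delimiters." */
+export declare function sha256Cat(...parts: (Uint8Array | string)[]): HashHex;
+/** Concatenate hex strings as text (no decode) and hash. For sealed_hash computation. */
+export declare function sha256HexCat(...hexes: string[]): HashHex;
+//# sourceMappingURL=hash.d.ts.map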
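Review bot: The doc comments on `sha256Cat` and `sha256HexCat` say the parts are joined without a delimiter but not what that requires of callers: different argument lists that concatenate to the same bytes hash identically, so `sha256Cat('ab', 'c')` equals `sha256Cat('a', 'bc')`. The same holds for the implementations in `hash.js` further down the page. Since the no-delimiter rule is stated as deliberate, the comment should spell out the safe-use condition, e.g. `/** Callers must pass fixed-length parts only (such as 32-byte digests); hash any variable-length field first. */`. `sha256HexCat` also hashes the hex text as written, so upper- and lower-case spellings of one digest give different results; the comment could require lower-case hex.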
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../src/crypto/hash.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAI1C,wBAAgB,WAAW,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAErD;AAED,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE/C;AAED,wBAAgB,UAAU,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAEpD;AAED,wFAAwF;AACxF,wBAAgB,SAAS,CAAC,GAAG,KAAK,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,GAAG,OAAO,CAOpE;AAED,yFAAyF;AACzF,wBAAgB,YAAY,CAAC,GAAG,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAExD"}
|
|
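--- a/package/dist/crypto/hash.js
+++ b/package/dist/crypto/hash.js
@@ -0,0 +1,30 @@
+import { sha256 } from '@noble/hashes/sha256';
+import { blake2b } from '@noble/hashes/blake2b';
+import { bytesToHex } from '@noble/hashes/utils';
+const enc = new TextEncoder();
+export function sha256Bytes(data) {
+return bytesToHex(sha256(data));
+}
+export function sha256Str(data) {
+return sha256Bytes(enc.encode(data));
+}
+export function blake2b256(data) {
+return bytesToHex(blake2b(data, { dkLen: 32 }));
+}
+/** Concatenate inputs (NO delimiter) and SHA-256. Patent Section D: "no delimiters." */
+export function sha256Cat(...parts) {
+const bufs = parts.map(p => typeof p === 'string' ? enc.encode(p) : p);
+const total = bufs.reduce((n, b) => n + b.length, 0);
+const combined = new Uint8Array(total);
+let off = 0;
+for (const b of bufs) {
+combined.set(b, off);
+off += b.length;
+}
+return sha256Bytes(combined);
+}
+/** Concatenate hex strings as text (no decode) and hash. For sealed_hash computation. */
+export function sha256HexCat(...hexes) {
+return sha256Str(hexes.join(''));
+}
+//# sourceMappingURL=hash.js.map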
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"hash.js","sourceRoot":"","sources":["../../src/crypto/hash.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGjD,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;AAE9B,MAAM,UAAU,WAAW,CAAC,IAAgB;IAC1C,OAAO,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,IAAY;IACpC,OAAO,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,IAAgB;IACzC,OAAO,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,wFAAwF;AACxF,MAAM,UAAU,SAAS,CAAC,GAAG,KAA8B;IACzD,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACvE,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAAC,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC;IAAC,CAAC;IAChE,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAED,yFAAyF;AACzF,MAAM,UAAU,YAAY,CAAC,GAAG,KAAe;IAC7C,OAAO,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;AACnC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/crypto/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/crypto/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC"}
|
|
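--- a/package/dist/crypto/merkle.d.ts
+++ b/package/dist/crypto/merkle.d.ts
@@ -0,0 +1,8 @@
+import type { HashHex, MerkleInclusionProof } from './types.js';
+export declare function buildMerkleTree(leaves: HashHex[]): {
+root: HashHex;
+layers: HashHex[][];
+};
+export declare function inclusionProof(leaves: HashHex[], idx: number): MerkleInclusionProof;
+export declare function verifyProof(proof: MerkleInclusionProof): boolean;
+//# sourceMappingURL=merkle.d.ts.map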
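Review bot: `verifyProof` takes only the `MerkleInclusionProof` and no separately supplied root, so the root it checks against presumably comes from the proof object itself; the type lives in `./types.js`, which is not in this section. If that is the case, a `true` result shows only that the proof is internally consistent. The caller still has to compare the proof's root with one from a trusted source, such as an anchored checkpoint's `merkle_root`. I would either say so in a doc comment on the declaration or add an optional trusted-root argument, e.g. `verifyProof(proof: MerkleInclusionProof, expectedRoot?: HashHex): boolean`.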
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"merkle.d.ts","sourceRoot":"","sources":["../../src/crypto/merkle.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAIhE,wBAAgB,eAAe,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAA;CAAE,CAczF;AAED,wBAAgB,cAAc,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,MAAM,GAAG,oBAAoB,CAanF;AAED,wBAAgB,WAAW,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAMhE"}
|