@attested-intelligence/aga-mcp-server 0.1.0

Files changed (165) hide show
  1. package/AGA_MCP_SERVER_SPEC.md +632 -0
  2. package/LICENSE +21 -0
  3. package/README.md +42 -0
  4. package/dist/core/artifact.d.ts +19 -0
  5. package/dist/core/artifact.d.ts.map +1 -0
  6. package/dist/core/artifact.js +27 -0
  7. package/dist/core/artifact.js.map +1 -0
  8. package/dist/core/attestation.d.ts +19 -0
  9. package/dist/core/attestation.d.ts.map +1 -0
  10. package/dist/core/attestation.js +12 -0
  11. package/dist/core/attestation.js.map +1 -0
  12. package/dist/core/behavioral.d.ts +45 -0
  13. package/dist/core/behavioral.d.ts.map +1 -0
  14. package/dist/core/behavioral.js +88 -0
  15. package/dist/core/behavioral.js.map +1 -0
  16. package/dist/core/bundle.d.ts +13 -0
  17. package/dist/core/bundle.d.ts.map +1 -0
  18. package/dist/core/bundle.js +31 -0
  19. package/dist/core/bundle.js.map +1 -0
  20. package/dist/core/chain.d.ts +13 -0
  21. package/dist/core/chain.d.ts.map +1 -0
  22. package/dist/core/chain.js +63 -0
  23. package/dist/core/chain.js.map +1 -0
  24. package/dist/core/checkpoint.d.ts +8 -0
  25. package/dist/core/checkpoint.d.ts.map +1 -0
  26. package/dist/core/checkpoint.js +21 -0
  27. package/dist/core/checkpoint.js.map +1 -0
  28. package/dist/core/delegation.d.ts +37 -0
  29. package/dist/core/delegation.d.ts.map +1 -0
  30. package/dist/core/delegation.js +104 -0
  31. package/dist/core/delegation.js.map +1 -0
  32. package/dist/core/disclosure.d.ts +12 -0
  33. package/dist/core/disclosure.d.ts.map +1 -0
  34. package/dist/core/disclosure.js +25 -0
  35. package/dist/core/disclosure.js.map +1 -0
  36. package/dist/core/index.d.ts +12 -0
  37. package/dist/core/index.d.ts.map +1 -0
  38. package/dist/core/index.js +12 -0
  39. package/dist/core/index.js.map +1 -0
  40. package/dist/core/portal.d.ts +28 -0
  41. package/dist/core/portal.d.ts.map +1 -0
  42. package/dist/core/portal.js +95 -0
  43. package/dist/core/portal.js.map +1 -0
  44. package/dist/core/quarantine.d.ts +8 -0
  45. package/dist/core/quarantine.d.ts.map +1 -0
  46. package/dist/core/quarantine.js +13 -0
  47. package/dist/core/quarantine.js.map +1 -0
  48. package/dist/core/receipt.d.ts +17 -0
  49. package/dist/core/receipt.d.ts.map +1 -0
  50. package/dist/core/receipt.js +17 -0
  51. package/dist/core/receipt.js.map +1 -0
  52. package/dist/core/subject.d.ts +4 -0
  53. package/dist/core/subject.d.ts.map +1 -0
  54. package/dist/core/subject.js +9 -0
  55. package/dist/core/subject.js.map +1 -0
  56. package/dist/core/types.d.ts +167 -0
  57. package/dist/core/types.d.ts.map +1 -0
  58. package/dist/core/types.js +2 -0
  59. package/dist/core/types.js.map +1 -0
  60. package/dist/crypto/hash.d.ts +9 -0
  61. package/dist/crypto/hash.d.ts.map +1 -0
  62. package/dist/crypto/hash.js +30 -0
  63. package/dist/crypto/hash.js.map +1 -0
  64. package/dist/crypto/index.d.ts +6 -0
  65. package/dist/crypto/index.d.ts.map +1 -0
  66. package/dist/crypto/index.js +6 -0
  67. package/dist/crypto/index.js.map +1 -0
  68. package/dist/crypto/merkle.d.ts +8 -0
  69. package/dist/crypto/merkle.d.ts.map +1 -0
  70. package/dist/crypto/merkle.js +42 -0
  71. package/dist/crypto/merkle.js.map +1 -0
  72. package/dist/crypto/salt.d.ts +5 -0
  73. package/dist/crypto/salt.d.ts.map +1 -0
  74. package/dist/crypto/salt.js +14 -0
  75. package/dist/crypto/salt.js.map +1 -0
  76. package/dist/crypto/sign.d.ts +11 -0
  77. package/dist/crypto/sign.d.ts.map +1 -0
  78. package/dist/crypto/sign.js +37 -0
  79. package/dist/crypto/sign.js.map +1 -0
  80. package/dist/crypto/types.d.ts +24 -0
  81. package/dist/crypto/types.d.ts.map +1 -0
  82. package/dist/crypto/types.js +2 -0
  83. package/dist/crypto/types.js.map +1 -0
  84. package/dist/index.d.ts +3 -0
  85. package/dist/index.d.ts.map +1 -0
  86. package/dist/index.js +11 -0
  87. package/dist/index.js.map +1 -0
  88. package/dist/middleware/governance.d.ts +27 -0
  89. package/dist/middleware/governance.d.ts.map +1 -0
  90. package/dist/middleware/governance.js +65 -0
  91. package/dist/middleware/governance.js.map +1 -0
  92. package/dist/middleware/index.d.ts +2 -0
  93. package/dist/middleware/index.d.ts.map +1 -0
  94. package/dist/middleware/index.js +2 -0
  95. package/dist/middleware/index.js.map +1 -0
  96. package/dist/server.d.ts +13 -0
  97. package/dist/server.d.ts.map +1 -0
  98. package/dist/server.js +369 -0
  99. package/dist/server.js.map +1 -0
  100. package/dist/storage/index.d.ts +4 -0
  101. package/dist/storage/index.d.ts.map +1 -0
  102. package/dist/storage/index.js +3 -0
  103. package/dist/storage/index.js.map +1 -0
  104. package/dist/storage/interface.d.ts +21 -0
  105. package/dist/storage/interface.d.ts.map +1 -0
  106. package/dist/storage/interface.js +2 -0
  107. package/dist/storage/interface.js.map +1 -0
  108. package/dist/storage/memory.d.ts +26 -0
  109. package/dist/storage/memory.d.ts.map +1 -0
  110. package/dist/storage/memory.js +24 -0
  111. package/dist/storage/memory.js.map +1 -0
  112. package/dist/storage/sqlite.d.ts +25 -0
  113. package/dist/storage/sqlite.d.ts.map +1 -0
  114. package/dist/storage/sqlite.js +44 -0
  115. package/dist/storage/sqlite.js.map +1 -0
  116. package/dist/utils/canonical.d.ts +3 -0
  117. package/dist/utils/canonical.d.ts.map +1 -0
  118. package/dist/utils/canonical.js +17 -0
  119. package/dist/utils/canonical.js.map +1 -0
  120. package/dist/utils/constants.d.ts +4 -0
  121. package/dist/utils/constants.d.ts.map +1 -0
  122. package/dist/utils/constants.js +4 -0
  123. package/dist/utils/constants.js.map +1 -0
  124. package/dist/utils/timestamp.d.ts +4 -0
  125. package/dist/utils/timestamp.d.ts.map +1 -0
  126. package/dist/utils/timestamp.js +13 -0
  127. package/dist/utils/timestamp.js.map +1 -0
  128. package/dist/utils/uuid.d.ts +2 -0
  129. package/dist/utils/uuid.d.ts.map +1 -0
  130. package/dist/utils/uuid.js +3 -0
  131. package/dist/utils/uuid.js.map +1 -0
  132. package/package.json +45 -0
  133. package/src/core/artifact.ts +45 -0
  134. package/src/core/attestation.ts +33 -0
  135. package/src/core/behavioral.ts +132 -0
  136. package/src/core/bundle.ts +31 -0
  137. package/src/core/chain.ts +72 -0
  138. package/src/core/checkpoint.ts +22 -0
  139. package/src/core/delegation.ts +146 -0
  140. package/src/core/disclosure.ts +32 -0
  141. package/src/core/index.ts +11 -0
  142. package/src/core/portal.ts +96 -0
  143. package/src/core/quarantine.ts +16 -0
  144. package/src/core/receipt.ts +33 -0
  145. package/src/core/subject.ts +11 -0
  146. package/src/core/types.ts +244 -0
  147. package/src/crypto/hash.ts +33 -0
  148. package/src/crypto/index.ts +5 -0
  149. package/src/crypto/merkle.ts +43 -0
  150. package/src/crypto/salt.ts +18 -0
  151. package/src/crypto/sign.ts +35 -0
  152. package/src/crypto/types.ts +19 -0
  153. package/src/index.ts +12 -0
  154. package/src/middleware/governance.ts +95 -0
  155. package/src/middleware/index.ts +1 -0
  156. package/src/server.ts +436 -0
  157. package/src/storage/index.ts +3 -0
  158. package/src/storage/interface.ts +21 -0
  159. package/src/storage/memory.ts +27 -0
  160. package/src/storage/sqlite.ts +45 -0
  161. package/src/tools/README.md +13 -0
  162. package/src/utils/canonical.ts +14 -0
  163. package/src/utils/constants.ts +3 -0
  164. package/src/utils/timestamp.ts +12 -0
  165. package/src/utils/uuid.ts +2 -0
@@ -0,0 +1 @@
1
+ {"version":3,"file":"delegation.js","sourceRoot":"","sources":["../../src/core/delegation.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC/D,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AA4BlD;;;GAGG;AACH,MAAM,UAAU,cAAc,CAC5B,cAA8B,EAC9B,OAA0B,EAC1B,QAAiB;IAEjB,MAAM,UAAU,GAAG,YAAY,CAAC,cAAc,CAAC,CAAC;IAEhD,iCAAiC;IACjC,IAAI,SAAS,CAAC,cAAc,CAAC,gBAAgB,EAAE,cAAc,CAAC,sBAAsB,CAAC,WAAW,CAAC,EAAE,CAAC;QAClG,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,UAAU,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC;IACxG,CAAC;IAED,iCAAiC;IACjC,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,gBAAgB,CAAC,CAAC;IACnE,MAAM,eAAe,GAAG,cAAc,GAAG,CAAC,cAAc,CAAC,sBAAsB,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IACpG,MAAM,WAAW,GAAG,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACjD,MAAM,gBAAgB,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC,CAAC;IAErE,sCAAsC;IACtC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,qBAAqB,EAAE,gBAAgB,CAAC,CAAC;IAC/E,IAAI,YAAY,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,UAAU,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC;IACrG,CAAC;IAED,yCAAyC;IACzC,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,sBAAsB,CAAC,oBAAoB,CAAC,CAAC;IAC3F,MAAM,eAAe,GAAG,OAAO,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACzF,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,UAAU,EAAE,KAAK,EAAE,kCAAkC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;IACpJ,CAAC;IAED,kDAAkD;IAClD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAS,cAAc,CAAC,sBAAsB,CAAC,iBAAiB,CAAC,CAAC;IAC7F,MAAM,YAAY,GAAG,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAChF,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,UAAU,EAAE,KAAK,EAAE,2CAA2C,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;IAC1J,CAAC;IAED,mCAAmC;IACnC,MAAM,aAAa,GAAG,gBAAgB,CAAC;QACrC,kBAAkB,EAAE,cAAc,CAAC,kBAAkB;QACrD,gBAAgB,EAAE,cAAc,CAAC,gBAAgB;QACjD,cAAc,EAAE,cAAc,CAAC,cA
Ac;QAC7C,WAAW,EAAE,cAAc,CAAC,WAAW;QACvC,SAAS,EAAE,cAAc,CAAC,SAAS;QACnC,sBAAsB,EAAE;YACtB,sBAAsB,EAAE,cAAc,CAAC,sBAAsB,CAAC,sBAAsB;YACpF,WAAW,EAAE,YAAY;YACzB,oBAAoB,EAAE,OAAO,CAAC,oBAAoB;YAClD,uBAAuB,EAAE,cAAc,CAAC,sBAAsB,CAAC,uBAAuB;YACtF,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;SAC7C;QACD,iBAAiB,EAAE,cAAc,CAAC,iBAAiB,EAAG,gBAAgB;QACtE,oBAAoB,EAAE,cAAc,CAAC,oBAAoB;QACzD,cAAc,EAAE,QAAQ;KACzB,CAAC,CAAC;IAEH,wBAAwB;IACxB,MAAM,eAAe,GAAG,CAAC,GAAG,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,QAAQ,CAAC,CAAsB,CAAC,CAAC,CAAC;IACxH,MAAM,YAAY,GAAG,CAAC,GAAG,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAoB,CAAC,CAAC,CAAC;IAE7G,OAAO;QACL,OAAO,EAAE,IAAI;QACb,cAAc,EAAE,aAAa;QAC7B,mBAAmB,EAAE,YAAY,CAAC,aAAa,CAAC;QAChD,oBAAoB,EAAE,UAAU;QAChC,qBAAqB,EAAE,YAAY;QACnC,eAAe,EAAE;YACf,gBAAgB,EAAE,eAAe;YACjC,yBAAyB,EAAE,YAAY;SACxC;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAsB,EAAE,KAAqB;IAC9E,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,4BAA4B;IAC5B,IAAI,KAAK,CAAC,sBAAsB,CAAC,WAAW,GAAG,MAAM,CAAC,sBAAsB,CAAC,WAAW,EAAE,CAAC;QACzF,MAAM,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC,sBAAsB,CAAC,WAAW,sBAAsB,MAAM,CAAC,sBAAsB,CAAC,WAAW,IAAI,CAAC,CAAC;IACzI,CAAC;IAED,0BAA0B;IAC1B,MAAM,SAAS,GAAG,IAAI,GAAG,CAAS,MAAM,CAAC,sBAAsB,CAAC,oBAAoB,CAAC,CAAC;IACtF,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,sBAAsB,CAAC,oBAAoB,EAAE,CAAC;QAClE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,uBAAuB,CAAC,CAAC;IACjF,CAAC;IAED,mCAAmC;IACnC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAS,MAAM,CAAC,sBAAsB,CAAC,iBAAiB,CAAC,CAAC;IAChF,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,sBAAsB,CAAC,iBAAiB,EAAE,CAAC;QAC/D,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,uBAAuB,CAAC,CAAC;IACvF,CAAC;IAED,qBAAqB;IACrB,IAAI,KAAK,CAAC,kBAAkB,CAAC,UAAU,KAAK,MAAM,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC;QACjF,MAAM,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;IAChE,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;AAChD,CAAC"}
@@ -0,0 +1,12 @@
1
+ import type { KeyPair } from '../crypto/types.js';
2
+ import type { DisclosureRequest, DisclosurePolicy, SubstitutionReceipt, DisclosureMode } from './types.js';
3
+ export interface DisclosureResult {
4
+ permitted: boolean;
5
+ disclosed_claim_id: string | null;
6
+ disclosed_value: unknown;
7
+ mode: DisclosureMode;
8
+ was_substituted: boolean;
9
+ substitution_receipt: SubstitutionReceipt | null;
10
+ }
11
+ export declare function processDisclosure(req: DisclosureRequest, policy: DisclosurePolicy, values: Record<string, unknown>, policyVersion: number, chainSeq: number, kp: KeyPair): DisclosureResult;
12
+ //# sourceMappingURL=disclosure.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"disclosure.d.ts","sourceRoot":"","sources":["../../src/core/disclosure.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE3G,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,OAAO,CAAC;IAAC,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,eAAe,EAAE,OAAO,CAAC;IAChF,IAAI,EAAE,cAAc,CAAC;IAAC,eAAe,EAAE,OAAO,CAAC;IAAC,oBAAoB,EAAE,mBAAmB,GAAG,IAAI,CAAC;CAClG;AAED,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,iBAAiB,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,OAAO,GAAG,gBAAgB,CAa3L"}
@@ -0,0 +1,25 @@
1
+ import { signStr, sigToB64 } from '../crypto/sign.js';
2
+ import { canonicalize } from '../utils/canonical.js';
3
+ import { utcNow } from '../utils/timestamp.js';
4
+ import { uuid } from '../utils/uuid.js';
5
+ export function processDisclosure(req, policy, values, policyVersion, chainSeq, kp) {
6
+ const claim = policy.claims_taxonomy.find(c => c.claim_id === req.requested_claim_id);
7
+ if (!claim)
8
+ return { permitted: false, disclosed_claim_id: null, disclosed_value: null, mode: req.mode, was_substituted: false, substitution_receipt: null };
9
+ if (claim.permitted_modes.includes(req.mode))
10
+ return { permitted: true, disclosed_claim_id: claim.claim_id, disclosed_value: fv(values[claim.claim_id], req.mode), mode: req.mode, was_substituted: false, substitution_receipt: null };
11
+ for (const subId of claim.substitutes) {
12
+ const sub = policy.claims_taxonomy.find(c => c.claim_id === subId);
13
+ if (sub?.permitted_modes.includes(req.mode) && !sub.inference_risks.includes(req.requested_claim_id))
14
+ return { permitted: true, disclosed_claim_id: subId, disclosed_value: fv(values[subId], req.mode), mode: req.mode, was_substituted: true,
15
+ substitution_receipt: sr(req.requested_claim_id, subId, policyVersion, 'SENSITIVITY_DENIED', chainSeq, kp) };
16
+ }
17
+ return { permitted: false, disclosed_claim_id: null, disclosed_value: null, mode: req.mode, was_substituted: false,
18
+ substitution_receipt: sr(req.requested_claim_id, null, policyVersion, 'NO_PERMITTED_SUBSTITUTE', chainSeq, kp) };
19
+ }
20
+ function fv(v, m) { return m === 'PROOF_ONLY' ? v != null : v; }
21
+ function sr(orig, sub, pv, reason, seq, kp) {
22
+ const u = { receipt_id: uuid(), original_claim_id: orig, substitute_claim_id: sub, policy_version: pv, reason_code: reason, timestamp: utcNow(), chain_sequence_ref: seq };
23
+ return { ...u, signature: sigToB64(signStr(canonicalize(u), kp.secretKey)) };
24
+ }
25
+ //# sourceMappingURL=disclosure.js.map
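Review bot: The unknown-claim branch of `processDisclosure` (`if (!claim) return { permitted: false, ..., substitution_receipt: null }`) denies without producing a signed receipt, whereas the final denial path signs one through `sr(...)`, so requests for claim ids missing from `policy.claims_taxonomy` leave no signed record. If denials are meant to be auditable, this branch should also return `substitution_receipt: sr(req.requested_claim_id, null, policyVersion, <REASON_CODE>, chainSeq, kp)`, where `<REASON_CODE>` is a placeholder for whichever code the project defines for an unknown claim (none is visible here). Separately, `fv` returns the stored value unchanged for every mode other than `'PROOF_ONLY'`, so `permitted_modes.includes(req.mode)` is the only gate in front of the raw value; a comment on `fv` such as `// PROOF_ONLY discloses only whether a value exists; every other mode returns the raw value` would make that explicit. Both changes belong in src/core/disclosure.ts, which the source map names as the origin of this file.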
@@ -0,0 +1 @@
1
+ {"version":3,"file":"disclosure.js","sourceRoot":"","sources":["../../src/core/disclosure.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AASxC,MAAM,UAAU,iBAAiB,CAAC,GAAsB,EAAE,MAAwB,EAAE,MAA+B,EAAE,aAAqB,EAAE,QAAgB,EAAE,EAAW;IACvK,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,kBAAkB,CAAC,CAAC;IACtF,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,kBAAkB,EAAE,IAAI,EAAE,eAAe,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,oBAAoB,EAAE,IAAI,EAAE,CAAC;IAC7J,IAAI,KAAK,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC;QAC1C,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,CAAC,QAAQ,EAAE,eAAe,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,oBAAoB,EAAE,IAAI,EAAE,CAAC;IAC5L,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QACtC,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC;QACnE,IAAI,GAAG,EAAE,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,kBAAkB,CAAC;YAClG,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,eAAe,EAAE,IAAI;gBACtI,oBAAoB,EAAE,EAAE,CAAC,GAAG,CAAC,kBAAkB,EAAE,KAAK,EAAE,aAAa,EAAE,oBAAoB,EAAE,QAAQ,EAAE,EAAE,CAAC,EAAE,CAAC;IACnH,CAAC;IACD,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,kBAAkB,EAAE,IAAI,EAAE,eAAe,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,eAAe,EAAE,KAAK;QAChH,oBAAoB,EAAE,EAAE,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,aAAa,EAAE,yBAAyB,EAAE,QAAQ,EAAE,EAAE,CAAC,EAAE,CAAC;AACrH,CAAC;AAED,SAAS,EAAE,CAAC,CAAU,EAAE,CAAiB,IAAa,OAAO,CAAC,KAAK,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAClG,SAAS,EAAE,CAAC,IAAY,EAAE,GAAkB,EAAE,EAAU,EAAE,MAAc,EAAE,GAAW,EAAE,EAAW;IAChG,M
AAM,CAAC,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE,mBAAmB,EAAE,GAAG,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,kBAAkB,EAAE,GAAG,EAAE,CAAC;IAC3K,OAAO,EAAE,GAAG,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;AAC/E,CAAC"}
@@ -0,0 +1,12 @@
1
+ export * from './types.js';
2
+ export * from './subject.js';
3
+ export * from './attestation.js';
4
+ export * from './artifact.js';
5
+ export * from './receipt.js';
6
+ export * from './chain.js';
7
+ export * from './portal.js';
8
+ export * from './quarantine.js';
9
+ export * from './checkpoint.js';
10
+ export * from './bundle.js';
11
+ export * from './disclosure.js';
12
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,cAAc,cAAc,CAAC;AAC7B,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC"}
@@ -0,0 +1,12 @@
1
+ export * from './types.js';
2
+ export * from './subject.js';
3
+ export * from './attestation.js';
4
+ export * from './artifact.js';
5
+ export * from './receipt.js';
6
+ export * from './chain.js';
7
+ export * from './portal.js';
8
+ export * from './quarantine.js';
9
+ export * from './checkpoint.js';
10
+ export * from './bundle.js';
11
+ export * from './disclosure.js';
12
+ //# sourceMappingURL=index.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,cAAc,cAAc,CAAC;AAC7B,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC"}
@@ -0,0 +1,28 @@
1
+ import type { PolicyArtifact, PortalState, EnforcementAction, SubjectMetadata } from './types.js';
2
+ import type { HashHex } from '../crypto/types.js';
3
+ export interface MeasurementResult {
4
+ match: boolean;
5
+ currentBytesHash: HashHex;
6
+ currentMetaHash: HashHex;
7
+ expectedBytesHash: HashHex;
8
+ expectedMetaHash: HashHex;
9
+ ttl_ok: boolean;
10
+ revoked: boolean;
11
+ }
12
+ export declare class Portal {
13
+ state: PortalState;
14
+ artifact: PolicyArtifact | null;
15
+ sequenceCounter: number;
16
+ lastLeafHash: HashHex | null;
17
+ revocations: Set<string>;
18
+ loadArtifact(artifact: PolicyArtifact, pinnedPkHex: string): {
19
+ ok: boolean;
20
+ error?: string;
21
+ };
22
+ measure(subjectBytes: Uint8Array, meta: SubjectMetadata): MeasurementResult;
23
+ enforce(action: EnforcementAction): void;
24
+ revoke(sealedHash: string): void;
25
+ isRevoked(sealedHash: string): boolean;
26
+ reset(): void;
27
+ }
28
+ //# sourceMappingURL=portal.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../src/core/portal.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClG,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,gBAAgB,EAAE,OAAO,CAAC;IAC1B,eAAe,EAAE,OAAO,CAAC;IACzB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,MAAM;IACjB,KAAK,EAAE,WAAW,CAAoB;IACtC,QAAQ,EAAE,cAAc,GAAG,IAAI,CAAQ;IACvC,eAAe,SAAK;IACpB,YAAY,EAAE,OAAO,GAAG,IAAI,CAAQ;IACpC,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAa;IAErC,YAAY,CAAC,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,GAAG;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAiB5F,OAAO,CAAC,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,eAAe,GAAG,iBAAiB;IA4B3E,OAAO,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI;IAUxC,MAAM,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAKhC,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAEtC,KAAK,IAAI,IAAI;CAId"}
@@ -0,0 +1,95 @@
1
+ /**
2
+ * Portal (Sentinel) — Runtime Enforcement Boundary. Ref 150, 270-280.
3
+ * V3: TTL + revocation checked every measurement. Fail-closed semantics.
4
+ * Aligned with NCCoE filing Sections 3-4 and NIST-2025-0035.
5
+ */
6
+ import { sha256Bytes, sha256Str } from '../crypto/hash.js';
7
+ import { b64ToSig, hexToPk, verifyStr } from '../crypto/sign.js';
8
+ import { canonicalize } from '../utils/canonical.js';
9
+ import { isWithinPeriod, isExpired, utcNow } from '../utils/timestamp.js';
10
+ export class Portal {
11
+ state = 'INITIALIZATION';
12
+ artifact = null;
13
+ sequenceCounter = 0;
14
+ lastLeafHash = null;
15
+ revocations = new Set();
16
+ loadArtifact(artifact, pinnedPkHex) {
17
+ this.state = 'ARTIFACT_VERIFICATION';
18
+ const { signature, ...unsigned } = artifact;
19
+ if (!verifyStr(b64ToSig(signature), canonicalize(unsigned), hexToPk(pinnedPkHex))) {
20
+ this.state = 'TERMINATED';
21
+ return { ok: false, error: 'Signature verification failed' };
22
+ }
23
+ if (!isWithinPeriod(utcNow(), artifact.effective_timestamp, artifact.expiration_timestamp)) {
24
+ this.state = 'TERMINATED';
25
+ return { ok: false, error: 'Artifact outside effective period' };
26
+ }
27
+ if (this.revocations.has(artifact.sealed_hash)) {
28
+ this.state = 'TERMINATED';
29
+ return { ok: false, error: 'Artifact has been revoked' };
30
+ }
31
+ this.artifact = artifact;
32
+ this.state = 'ACTIVE_MONITORING';
33
+ return { ok: true };
34
+ }
35
+ measure(subjectBytes, meta) {
36
+ if (!this.artifact)
37
+ throw new Error('No artifact loaded');
38
+ if (this.state === 'TERMINATED')
39
+ throw new Error('Portal is terminated');
40
+ const empty = { currentBytesHash: '', currentMetaHash: '',
41
+ expectedBytesHash: this.artifact.subject_identifier.bytes_hash,
42
+ expectedMetaHash: this.artifact.subject_identifier.metadata_hash };
43
+ // Fail-closed: TTL check
44
+ const ttl_ok = !isExpired(this.artifact.issued_timestamp, this.artifact.enforcement_parameters.ttl_seconds);
45
+ if (!ttl_ok) {
46
+ this.state = 'TERMINATED';
47
+ return { match: false, ttl_ok: false, revoked: false, ...empty };
48
+ }
49
+ // Fail-closed: revocation check
50
+ if (this.revocations.has(this.artifact.sealed_hash)) {
51
+ this.state = 'TERMINATED';
52
+ return { match: false, ttl_ok: true, revoked: true, ...empty };
53
+ }
54
+ const currentBytesHash = sha256Bytes(subjectBytes);
55
+ const currentMetaHash = sha256Str(canonicalize(meta));
56
+ const match = currentBytesHash === this.artifact.subject_identifier.bytes_hash &&
57
+ currentMetaHash === this.artifact.subject_identifier.metadata_hash;
58
+ if (!match && this.state === 'ACTIVE_MONITORING')
59
+ this.state = 'DRIFT_DETECTED';
60
+ return { match, currentBytesHash, currentMetaHash,
61
+ expectedBytesHash: this.artifact.subject_identifier.bytes_hash,
62
+ expectedMetaHash: this.artifact.subject_identifier.metadata_hash,
63
+ ttl_ok: true, revoked: false };
64
+ }
65
+ enforce(action) {
66
+ if (this.state !== 'DRIFT_DETECTED')
67
+ throw new Error(`Cannot enforce in state ${this.state}`);
68
+ switch (action) {
69
+ case 'TERMINATE':
70
+ case 'SAFE_STATE':
71
+ this.state = 'TERMINATED';
72
+ break;
73
+ case 'QUARANTINE':
74
+ this.state = 'PHANTOM_QUARANTINE';
75
+ break;
76
+ case 'ALERT_ONLY':
77
+ this.state = 'ACTIVE_MONITORING';
78
+ break;
79
+ default: break;
80
+ }
81
+ }
82
+ revoke(sealedHash) {
83
+ this.revocations.add(sealedHash);
84
+ if (this.artifact?.sealed_hash === sealedHash)
85
+ this.state = 'TERMINATED';
86
+ }
87
+ isRevoked(sealedHash) { return this.revocations.has(sealedHash); }
88
+ reset() {
89
+ this.state = 'INITIALIZATION';
90
+ this.artifact = null;
91
+ this.sequenceCounter = 0;
92
+ this.lastLeafHash = null;
93
+ }
94
+ }
95
+ //# sourceMappingURL=portal.js.map
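Review bot: `loadArtifact` never checks the current state before it sets `this.state = 'ARTIFACT_VERIFICATION'`, so a portal in `TERMINATED`, `PHANTOM_QUARANTINE` or `DRIFT_DETECTED` returns to `ACTIVE_MONITORING` as soon as any validly signed, in-period, unrevoked artifact is loaded, without `reset()` or `enforce()` having been called. For the fail-closed behaviour the header comment describes, the method should open with a guard such as `if (this.state !== 'INITIALIZATION') return { ok: false, error: 'Portal must be reset before loading an artifact' };`. If `b64ToSig` or `hexToPk` can throw on malformed input (not visible here), the state is left at `ARTIFACT_VERIFICATION` with the previous `this.artifact` still set, and because `measure` rejects only `TERMINATED` it would keep measuring against the old artifact; a `try`/`catch` around the verification that sets `TERMINATED` closes that. `measure` re-checks the TTL and revocation but not `expiration_timestamp`, which is validated only at load time, so it is worth confirming that `ttl_seconds` can never outlast it.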
@@ -0,0 +1 @@
1
+ {"version":3,"file":"portal.js","sourceRoot":"","sources":["../../src/core/portal.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAc1E,MAAM,OAAO,MAAM;IACjB,KAAK,GAAgB,gBAAgB,CAAC;IACtC,QAAQ,GAA0B,IAAI,CAAC;IACvC,eAAe,GAAG,CAAC,CAAC;IACpB,YAAY,GAAmB,IAAI,CAAC;IACpC,WAAW,GAAgB,IAAI,GAAG,EAAE,CAAC;IAErC,YAAY,CAAC,QAAwB,EAAE,WAAmB;QACxD,IAAI,CAAC,KAAK,GAAG,uBAAuB,CAAC;QACrC,MAAM,EAAE,SAAS,EAAE,GAAG,QAAQ,EAAE,GAAG,QAAQ,CAAC;QAC5C,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,YAAY,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;YAClF,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC;QAC1F,CAAC;QACD,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,EAAE,QAAQ,CAAC,mBAAmB,EAAE,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC3F,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC;QAC9F,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC/C,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC;QACtF,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,KAAK,GAAG,mBAAmB,CAAC;QACjC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAED,OAAO,CAAC,YAAwB,EAAE,IAAqB;QACrD,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;QAC1D,IAAI,IAAI,CAAC,KAAK,KAAK,YAAY;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACzE,MAAM,KAAK,GAAG,EAAE,gBAAgB,EAAE,EAAE,EAAE,eAAe,EAAE,EAAE;YACvD,iBAAiB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,UAAU;YAC9D,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,aAAa,EAAE,CAAC;QAErE,yBAAyB;QACzB,MAAM,MAAM,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,WAAW,CAAC,CAAC;QAC5G,IAAI,CAAC,MAAM,EAAE,CAAC;YAAC,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAA
E,GAAG,KAAK,EAAE,CAAC;QAAC,CAAC;QAE7G,gCAAgC;QAChC,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,KAAK,EAAE,CAAC;QAC5F,CAAC;QAED,MAAM,gBAAgB,GAAG,WAAW,CAAC,YAAY,CAAC,CAAC;QACnD,MAAM,eAAe,GAAG,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QACtD,MAAM,KAAK,GAAG,gBAAgB,KAAK,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,UAAU;YAChE,eAAe,KAAK,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,aAAa,CAAC;QAEjF,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,KAAK,mBAAmB;YAAE,IAAI,CAAC,KAAK,GAAG,gBAAgB,CAAC;QAChF,OAAO,EAAE,KAAK,EAAE,gBAAgB,EAAE,eAAe;YAC/C,iBAAiB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,UAAU;YAC9D,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,aAAa;YAChE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IACnC,CAAC;IAED,OAAO,CAAC,MAAyB;QAC/B,IAAI,IAAI,CAAC,KAAK,KAAK,gBAAgB;YAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QAC9F,QAAQ,MAAM,EAAE,CAAC;YACf,KAAK,WAAW,CAAC;YAAC,KAAK,YAAY;gBAAE,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;gBAAC,MAAM;YACtE,KAAK,YAAY;gBAAE,IAAI,CAAC,KAAK,GAAG,oBAAoB,CAAC;gBAAC,MAAM;YAC5D,KAAK,YAAY;gBAAE,IAAI,CAAC,KAAK,GAAG,mBAAmB,CAAC;gBAAC,MAAM;YAC3D,OAAO,CAAC,CAAC,MAAM;QACjB,CAAC;IACH,CAAC;IAED,MAAM,CAAC,UAAkB;QACvB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACjC,IAAI,IAAI,CAAC,QAAQ,EAAE,WAAW,KAAK,UAAU;YAAE,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;IAC3E,CAAC;IAED,SAAS,CAAC,UAAkB,IAAa,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAEnF,KAAK;QACH,IAAI,CAAC,KAAK,GAAG,gBAAgB,CAAC;QAAC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QACpD,IAAI,CAAC,eAAe,GAAG,CAAC,CAAC;QAAC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;IACrD,CAAC;CACF"}
@@ -0,0 +1,8 @@
1
+ import type { QuarantineState } from './types.js';
2
+ export declare function initQuarantine(): QuarantineState;
3
+ export declare function captureInput(q: QuarantineState, inputType: string, data: unknown): void;
4
+ export declare function releaseQuarantine(q: QuarantineState): {
5
+ duration_ms: number;
6
+ total_captures: number;
7
+ };
8
+ //# sourceMappingURL=quarantine.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"quarantine.d.ts","sourceRoot":"","sources":["../../src/core/quarantine.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,wBAAgB,cAAc,IAAI,eAAe,CAEhD;AAED,wBAAgB,YAAY,CAAC,CAAC,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,IAAI,CAGvF;AAED,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,eAAe,GAAG;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,cAAc,EAAE,MAAM,CAAA;CAAE,CAGrG"}
@@ -0,0 +1,13 @@
1
+ import { utcNow } from '../utils/timestamp.js';
2
+ export function initQuarantine() {
3
+ return { active: true, started_at: utcNow(), inputs_captured: 0, outputs_severed: true, forensic_buffer: [] };
4
+ }
5
+ export function captureInput(q, inputType, data) {
6
+ q.forensic_buffer.push({ timestamp: utcNow(), type: inputType, data });
7
+ q.inputs_captured++;
8
+ }
9
+ export function releaseQuarantine(q) {
10
+ q.active = false;
11
+ return { duration_ms: q.started_at ? Date.now() - Date.parse(q.started_at) : 0, total_captures: q.inputs_captured };
12
+ }
13
+ //# sourceMappingURL=quarantine.js.map
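Review bot: `captureInput` appends to `q.forensic_buffer` with no size limit and without checking `q.active`, so inputs arriving during a quarantine can grow memory without bound, and captures are still accepted after `releaseQuarantine` has set `q.active = false`. A guard such as `if (!q.active) return;` plus a maximum buffer length (entries past it dropped or summarised while `inputs_captured` still increments) would bound this. `data` is also stored by reference, so a later mutation by the caller changes the forensic record; storing a copy or a hash of its canonical form would keep the evidence stable. In `releaseQuarantine`, a `started_at` that `Date.parse` cannot read makes `duration_ms` `NaN`, which deserves an explicit fallback.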
@@ -0,0 +1 @@
1
+ {"version":3,"file":"quarantine.js","sourceRoot":"","sources":["../../src/core/quarantine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAG/C,MAAM,UAAU,cAAc;IAC5B,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,EAAE,eAAe,EAAE,CAAC,EAAE,eAAe,EAAE,IAAI,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;AAChH,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,CAAkB,EAAE,SAAiB,EAAE,IAAa;IAC/E,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvE,CAAC,CAAC,eAAe,EAAE,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,CAAkB;IAClD,CAAC,CAAC,MAAM,GAAG,KAAK,CAAC;IACjB,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,eAAe,EAAE,CAAC;AACtH,CAAC"}
@@ -0,0 +1,17 @@
1
+ import type { KeyPair, HashHex } from '../crypto/types.js';
2
+ import type { SignedReceipt, SubjectIdentifier, EnforcementAction } from './types.js';
3
+ export interface ReceiptInput {
4
+ subjectId: SubjectIdentifier;
5
+ artifactRef: HashHex;
6
+ currentHash: string;
7
+ sealedHash: string;
8
+ driftDetected: boolean;
9
+ driftDescription: string | null;
10
+ action: EnforcementAction | null;
11
+ measurementType: string;
12
+ seq: number;
13
+ prevLeaf: HashHex | null;
14
+ portalKP: KeyPair;
15
+ }
16
+ export declare function generateReceipt(input: ReceiptInput): SignedReceipt;
17
+ //# sourceMappingURL=receipt.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"receipt.d.ts","sourceRoot":"","sources":["../../src/core/receipt.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC3D,OAAO,KAAK,EAAE,aAAa,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEtF,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,iBAAiB,CAAC;IAC7B,WAAW,EAAE,OAAO,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,OAAO,CAAC;IACvB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,MAAM,EAAE,iBAAiB,GAAG,IAAI,CAAC;IACjC,eAAe,EAAE,MAAM,CAAC;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,OAAO,GAAG,IAAI,CAAC;IACzB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,YAAY,GAAG,aAAa,CAUlE"}
@@ -0,0 +1,17 @@
1
+ /** V3: measurement_type field. Receipts generated for EVERY measurement. */
2
+ import { signStr, sigToB64 } from '../crypto/sign.js';
3
+ import { canonicalize } from '../utils/canonical.js';
4
+ import { utcNow } from '../utils/timestamp.js';
5
+ import { uuid } from '../utils/uuid.js';
6
+ export function generateReceipt(input) {
7
+ const unsigned = {
8
+ receipt_id: uuid(), subject_identifier: input.subjectId,
9
+ artifact_reference: input.artifactRef, current_hash: input.currentHash,
10
+ sealed_hash: input.sealedHash, drift_detected: input.driftDetected,
11
+ drift_description: input.driftDescription, enforcement_action: input.action,
12
+ measurement_type: input.measurementType, timestamp: utcNow(),
13
+ sequence_number: input.seq, previous_leaf_hash: input.prevLeaf,
14
+ };
15
+ return { ...unsigned, portal_signature: sigToB64(signStr(canonicalize(unsigned), input.portalKP.secretKey)) };
16
+ }
17
+ //# sourceMappingURL=receipt.js.map
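Review bot: `generateReceipt` signs `drift_detected` exactly as the caller supplies it and never relates it to `current_hash` and `sealed_hash`, so a receipt whose two hashes differ while `drift_detected` is false (or the reverse) still gets a valid `portal_signature`. If drift is meant to be defined by the hash comparison, which the visible code does not state, I would reject the mismatch before signing: `if (input.driftDetected !== (input.currentHash !== input.sealedHash)) throw new Error('drift flag inconsistent with hashes');`. Nothing here checks either that `seq` is a non-negative integer or that `prevLeaf` is null only for the first receipt, so a caller error in the chain linkage is signed as well. A short doc comment stating which of these invariants the caller owns would help the verifier side.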
@@ -0,0 +1 @@
1
+ {"version":3,"file":"receipt.js","sourceRoot":"","sources":["../../src/core/receipt.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAC5E,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAkBxC,MAAM,UAAU,eAAe,CAAC,KAAmB;IACjD,MAAM,QAAQ,GAAG;QACf,UAAU,EAAE,IAAI,EAAE,EAAE,kBAAkB,EAAE,KAAK,CAAC,SAAS;QACvD,kBAAkB,EAAE,KAAK,CAAC,WAAW,EAAE,YAAY,EAAE,KAAK,CAAC,WAAW;QACtE,WAAW,EAAE,KAAK,CAAC,UAAU,EAAE,cAAc,EAAE,KAAK,CAAC,aAAa;QAClE,iBAAiB,EAAE,KAAK,CAAC,gBAAgB,EAAE,kBAAkB,EAAE,KAAK,CAAC,MAAM;QAC3E,gBAAgB,EAAE,KAAK,CAAC,eAAe,EAAE,SAAS,EAAE,MAAM,EAAE;QAC5D,eAAe,EAAE,KAAK,CAAC,GAAG,EAAE,kBAAkB,EAAE,KAAK,CAAC,QAAQ;KAC/D,CAAC;IACF,OAAO,EAAE,GAAG,QAAQ,EAAE,gBAAgB,EAAE,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;AAChH,CAAC"}
@@ -0,0 +1,4 @@
1
+ import type { SubjectIdentifier, SubjectMetadata } from './types.js';
2
+ export declare function computeSubjectId(bytes: Uint8Array, meta: SubjectMetadata): SubjectIdentifier;
3
+ export declare function computeSubjectIdFromString(content: string, meta: SubjectMetadata): SubjectIdentifier;
4
+ //# sourceMappingURL=subject.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"subject.d.ts","sourceRoot":"","sources":["../../src/core/subject.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAErE,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,eAAe,GAAG,iBAAiB,CAE5F;AAED,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,GAAG,iBAAiB,CAEpG"}
@@ -0,0 +1,9 @@
1
+ import { sha256Bytes, sha256Str } from '../crypto/hash.js';
2
+ import { canonicalize } from '../utils/canonical.js';
3
+ export function computeSubjectId(bytes, meta) {
4
+ return { bytes_hash: sha256Bytes(bytes), metadata_hash: sha256Str(canonicalize(meta)) };
5
+ }
6
+ export function computeSubjectIdFromString(content, meta) {
7
+ return computeSubjectId(new TextEncoder().encode(content), meta);
8
+ }
9
+ //# sourceMappingURL=subject.js.map
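Review bot: `computeSubjectIdFromString` carries no comment saying that `bytes_hash` is taken over the UTF-8 encoding produced by `TextEncoder`, which matters for an identifier that is supposed to agree with `computeSubjectId` on raw bytes. `TextEncoder.encode` replaces unpaired surrogates with U+FFFD, and a string decoded from a file may already have lost a BOM or had its line endings changed, so text read from a file can give a different `bytes_hash` than the file itself and distinct ill-formed strings can give the same one. I would add `/** Hashes the UTF-8 encoding of content; use computeSubjectId with the original bytes when the subject is a file. */`. `metadata_hash` depends on how `canonicalize` treats the open-ended `SubjectMetadata` values, and that function is defined outside this hunk.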
@@ -0,0 +1 @@
1
+ {"version":3,"file":"subject.js","sourceRoot":"","sources":["../../src/core/subject.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAGrD,MAAM,UAAU,gBAAgB,CAAC,KAAiB,EAAE,IAAqB;IACvE,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,KAAK,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;AAC1F,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,OAAe,EAAE,IAAqB;IAC/E,OAAO,gBAAgB,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,CAAC;AACnE,CAAC"}
@@ -0,0 +1,167 @@
1
+ /**
2
+ * V3: Aligned with NIST-2025-0035 and NCCoE AI Agent Identity filings.
3
+ * Every interface annotated with patent reference numeral.
4
+ */
5
+ import type { HashHex, SignatureBase64, SaltHex, MerkleInclusionProof } from '../crypto/types.js';
6
+ export interface SubjectIdentifier {
7
+ bytes_hash: HashHex;
8
+ metadata_hash: HashHex;
9
+ }
10
+ export interface SubjectMetadata {
11
+ filename?: string;
12
+ creation_timestamp?: string;
13
+ author?: string;
14
+ version?: string;
15
+ content_type?: string;
16
+ [key: string]: unknown;
17
+ }
18
+ export type EnforcementAction = 'TERMINATE' | 'QUARANTINE' | 'NETWORK_ISOLATE' | 'SAFE_STATE' | 'KEY_REVOKE' | 'TOKEN_INVALIDATE' | 'ACTUATOR_DISCONNECT' | 'ALERT_ONLY';
19
+ export type MeasurementType = 'EXECUTABLE_IMAGE' | 'LOADED_MODULES' | 'CONTAINER_IMAGE' | 'CONFIG_MANIFEST' | 'SBOM' | 'TEE_QUOTE' | 'MEMORY_REGIONS' | 'CONTROL_FLOW' | 'FILE_SYSTEM_STATE' | 'NETWORK_CONFIG';
20
+ export interface EnforcementParams {
21
+ measurement_cadence_ms: number;
22
+ ttl_seconds: number;
23
+ enforcement_triggers: EnforcementAction[];
24
+ re_attestation_required: boolean;
25
+ measurement_types: MeasurementType[];
26
+ }
27
+ export type Sensitivity = 'S1_LOW' | 'S2_MODERATE' | 'S3_HIGH' | 'S4_CRITICAL';
28
+ export type DisclosureMode = 'PROOF_ONLY' | 'REVEAL_MIN' | 'REVEAL_FULL';
29
+ export interface ClaimRecord {
30
+ claim_id: string;
31
+ sensitivity: Sensitivity;
32
+ substitutes: string[];
33
+ inference_risks: string[];
34
+ permitted_modes: DisclosureMode[];
35
+ }
36
+ export interface SubstitutionRule {
37
+ original_claim_id: string;
38
+ substitute_claim_id: string;
39
+ conditions: Record<string, unknown>;
40
+ }
41
+ export interface DisclosurePolicy {
42
+ claims_taxonomy: ClaimRecord[];
43
+ substitution_rules: SubstitutionRule[];
44
+ }
45
+ export interface EvidenceCommitmentRecord {
46
+ commitment: HashHex;
47
+ salt: SaltHex;
48
+ label: string;
49
+ }
50
+ export interface PolicyArtifact {
51
+ schema_version: string;
52
+ protocol_version: string;
53
+ subject_identifier: SubjectIdentifier;
54
+ policy_reference: HashHex;
55
+ policy_version: number;
56
+ sealed_hash: HashHex;
57
+ seal_salt: SaltHex;
58
+ issued_timestamp: string;
59
+ effective_timestamp: string;
60
+ expiration_timestamp: string | null;
61
+ issuer_identifier: string;
62
+ enforcement_parameters: EnforcementParams;
63
+ disclosure_policy: DisclosurePolicy;
64
+ evidence_commitments: EvidenceCommitmentRecord[];
65
+ signature: SignatureBase64;
66
+ }
67
+ export interface SignedReceipt {
68
+ receipt_id: string;
69
+ subject_identifier: SubjectIdentifier;
70
+ artifact_reference: HashHex;
71
+ current_hash: string;
72
+ sealed_hash: string;
73
+ drift_detected: boolean;
74
+ drift_description: string | null;
75
+ enforcement_action: EnforcementAction | null;
76
+ measurement_type: string;
77
+ timestamp: string;
78
+ sequence_number: number;
79
+ previous_leaf_hash: HashHex | null;
80
+ portal_signature: SignatureBase64;
81
+ }
82
+ export type EventType = 'GENESIS' | 'POLICY_ISSUANCE' | 'INTERACTION_RECEIPT' | 'REVOCATION' | 'ATTESTATION' | 'ANCHOR_BATCH' | 'DISCLOSURE' | 'SUBSTITUTION' | 'KEY_ROTATION';
83
+ export interface GenesisPayload {
84
+ protocol_version: string;
85
+ taxonomy_version: string;
86
+ root_fingerprint: string;
87
+ specification_hash: HashHex;
88
+ marker: 'GENESIS';
89
+ }
90
+ export interface ContinuityEvent {
91
+ schema_version: string;
92
+ protocol_version: string;
93
+ event_type: EventType;
94
+ event_id: string;
95
+ sequence_number: number;
96
+ timestamp: string;
97
+ previous_leaf_hash: HashHex | null;
98
+ leaf_hash: HashHex;
99
+ payload: unknown;
100
+ payload_hash: HashHex;
101
+ event_signature: SignatureBase64;
102
+ }
103
+ export interface StructuralMetadata {
104
+ schema_version: string;
105
+ protocol_version: string;
106
+ event_type: EventType;
107
+ event_id: string;
108
+ sequence_number: number;
109
+ timestamp: string;
110
+ previous_leaf_hash: HashHex | null;
111
+ }
112
+ export interface CheckpointReference {
113
+ merkle_root: HashHex;
114
+ batch_start_sequence: number;
115
+ batch_end_sequence: number;
116
+ anchor_network: string;
117
+ transaction_id: string;
118
+ timestamp: string;
119
+ }
120
+ export interface AnchorBatchPayload {
121
+ checkpoint_reference: CheckpointReference;
122
+ leaf_count: number;
123
+ }
124
+ export interface EvidenceBundle {
125
+ artifact: PolicyArtifact;
126
+ receipts: SignedReceipt[];
127
+ merkle_proofs: MerkleInclusionProof[];
128
+ checkpoint_reference: CheckpointReference;
129
+ public_key: string;
130
+ bundle_signature: SignatureBase64;
131
+ }
132
+ export interface DisclosureRequest {
133
+ requested_claim_id: string;
134
+ requester_id: string;
135
+ mode: DisclosureMode;
136
+ timestamp: string;
137
+ }
138
+ export interface SubstitutionReceipt {
139
+ receipt_id: string;
140
+ original_claim_id: string;
141
+ substitute_claim_id: string | null;
142
+ policy_version: number;
143
+ reason_code: string;
144
+ timestamp: string;
145
+ chain_sequence_ref: number;
146
+ signature: SignatureBase64;
147
+ }
148
+ export type PortalState = 'INITIALIZATION' | 'ARTIFACT_VERIFICATION' | 'ACTIVE_MONITORING' | 'DRIFT_DETECTED' | 'PHANTOM_QUARANTINE' | 'TERMINATED';
149
+ export type VerificationTier = 'BRONZE' | 'SILVER' | 'GOLD';
150
+ export interface RevocationRecord {
151
+ artifact_sealed_hash: HashHex;
152
+ reason: string;
153
+ revoked_by: string;
154
+ timestamp: string;
155
+ }
156
+ export interface QuarantineState {
157
+ active: boolean;
158
+ started_at: string | null;
159
+ inputs_captured: number;
160
+ outputs_severed: boolean;
161
+ forensic_buffer: Array<{
162
+ timestamp: string;
163
+ type: string;
164
+ data: unknown;
165
+ }>;
166
+ }
167
+ //# sourceMappingURL=types.d.ts.map
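Review bot: `EvidenceBundle` ships `public_key` next to `bundle_signature` with no comment on how a verifier should treat that key, and checking the signature against a key taken from the same bundle only shows the bundle is self-consistent, not who issued it. The verification code is not in this hunk, so this may already be handled there. The type should still say so, for example `/** Informational only; verifiers must compare this with an issuer key obtained out of band before trusting bundle_signature. */` on `public_key`. Separately, the file header says every interface is annotated with a patent reference numeral, but no interface in this declaration file carries one, so either the header or the emitted comments are out of date.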
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAIlG,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,OAAO,CAAC;IACpB,aAAa,EAAE,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAID,MAAM,MAAM,iBAAiB,GACzB,WAAW,GACX,YAAY,GACZ,iBAAiB,GACjB,YAAY,GACZ,YAAY,GACZ,kBAAkB,GAClB,qBAAqB,GACrB,YAAY,CAAC;AAEjB,MAAM,MAAM,eAAe,GACvB,kBAAkB,GAAG,gBAAgB,GAAG,iBAAiB,GACzD,iBAAiB,GAAI,MAAM,GAAa,WAAW,GACnD,gBAAgB,GAAK,cAAc,GAAK,mBAAmB,GAC3D,gBAAgB,CAAC;AAErB,MAAM,WAAW,iBAAiB;IAChC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,oBAAoB,EAAE,iBAAiB,EAAE,CAAC;IAC1C,uBAAuB,EAAE,OAAO,CAAC;IACjC,iBAAiB,EAAE,eAAe,EAAE,CAAC;CACtC;AAID,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,aAAa,GAAG,SAAS,GAAG,aAAa,CAAC;AAC/E,MAAM,MAAM,cAAc,GAAG,YAAY,GAAG,YAAY,GAAG,aAAa,CAAC;AAEzE,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,WAAW,CAAC;IACzB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,eAAe,EAAE,cAAc,EAAE,CAAC;CACnC;AAED,MAAM,WAAW,gBAAgB;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,MAAM,WAAW,gBAAgB;IAC/B,eAAe,EAAE,WAAW,EAAE,CAAC;IAC/B,kBAAkB,EAAE,gBAAgB,EAAE,CAAC;CACxC;AAID,MAAM,WAAW,wBAAwB;IACvC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAID,MAAM,WAAW,cAAc;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,iBAAiB,CAAC;IACtC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,sBAAsB,EAAE,iBAAiB,CAAC;IAC1C,iBAAiB,EAAE,gBAAgB,CAAC;IACpC,oBAAoB,EAAE,wBAAwB,EAAE,CAAC
;IACjD,SAAS,EAAE,eAAe,CAAC;CAC5B;AAMD,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,iBAAiB,CAAC;IACtC,kBAAkB,EAAE,OAAO,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,kBAAkB,EAAE,iBAAiB,GAAG,IAAI,CAAC;IAC7C,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;IACnC,gBAAgB,EAAE,eAAe,CAAC;CACnC;AAID,MAAM,MAAM,SAAS,GACjB,SAAS,GACT,iBAAiB,GACjB,qBAAqB,GACrB,YAAY,GACZ,aAAa,GACb,cAAc,GACd,YAAY,GACZ,cAAc,GACd,cAAc,CAAC;AAEnB,MAAM,WAAW,cAAc;IAC7B,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,MAAM,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,SAAS,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;IACnC,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,EAAE,eAAe,CAAC;CAClC;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,SAAS,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;CACpC;AAID,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,OAAO,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,oBAAoB,EAAE,mBAAmB,CAAC;IAC1C,UAAU,EAAE,MAAM,CAAC;CACpB;AAID,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,aAAa,EAAE,CAAC;IAC1B,aAAa,EAAE,oBAAoB,EAAE,CAAC;IACtC,oBAAoB,EAAE,mBAAmB,CAAC;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,eAAe,CAAC;CACnC;AAID,MAAM,WAAW,iBAAiB;IAChC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAA
C;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,SAAS,EAAE,eAAe,CAAC;CAC5B;AAID,MAAM,MAAM,WAAW,GACnB,gBAAgB,GAChB,uBAAuB,GACvB,mBAAmB,GACnB,gBAAgB,GAChB,oBAAoB,GACpB,YAAY,CAAC;AAEjB,MAAM,MAAM,gBAAgB,GAAG,QAAQ,GAAG,QAAQ,GAAG,MAAM,CAAC;AAM5D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,OAAO,CAAC;IAChB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,OAAO,CAAC;IACzB,eAAe,EAAE,KAAK,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;CAC5E"}
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=types.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":""}
@@ -0,0 +1,9 @@
1
+ import type { HashHex } from './types.js';
2
+ export declare function sha256Bytes(data: Uint8Array): HashHex;
3
+ export declare function sha256Str(data: string): HashHex;
4
+ export declare function blake2b256(data: Uint8Array): HashHex;
5
+ /** Concatenate inputs (NO delimiter) and SHA-256. Patent Section D: "no delimiters." */
6
+ export declare function sha256Cat(...parts: (Uint8Array | string)[]): HashHex;
7
+ /** Concatenate hex strings as text (no decode) and hash. For sealed_hash computation. */
8
+ export declare function sha256HexCat(...hexes: string[]): HashHex;
9
+ //# sourceMappingURL=hash.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../src/crypto/hash.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAI1C,wBAAgB,WAAW,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAErD;AAED,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE/C;AAED,wBAAgB,UAAU,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAEpD;AAED,wFAAwF;AACxF,wBAAgB,SAAS,CAAC,GAAG,KAAK,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,GAAG,OAAO,CAOpE;AAED,yFAAyF;AACzF,wBAAgB,YAAY,CAAC,GAAG,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAExD"}
@@ -0,0 +1,30 @@
1
+ import { sha256 } from '@noble/hashes/sha256';
2
+ import { blake2b } from '@noble/hashes/blake2b';
3
+ import { bytesToHex } from '@noble/hashes/utils';
4
+ const enc = new TextEncoder();
5
+ export function sha256Bytes(data) {
6
+ return bytesToHex(sha256(data));
7
+ }
8
+ export function sha256Str(data) {
9
+ return sha256Bytes(enc.encode(data));
10
+ }
11
+ export function blake2b256(data) {
12
+ return bytesToHex(blake2b(data, { dkLen: 32 }));
13
+ }
14
+ /** Concatenate inputs (NO delimiter) and SHA-256. Patent Section D: "no delimiters." */
15
+ export function sha256Cat(...parts) {
16
+ const bufs = parts.map(p => typeof p === 'string' ? enc.encode(p) : p);
17
+ const total = bufs.reduce((n, b) => n + b.length, 0);
18
+ const combined = new Uint8Array(total);
19
+ let off = 0;
20
+ for (const b of bufs) {
21
+ combined.set(b, off);
22
+ off += b.length;
23
+ }
24
+ return sha256Bytes(combined);
25
+ }
26
+ /** Concatenate hex strings as text (no decode) and hash. For sealed_hash computation. */
27
+ export function sha256HexCat(...hexes) {
28
+ return sha256Str(hexes.join(''));
29
+ }
30
+ //# sourceMappingURL=hash.js.map
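Review bot: `sha256Cat` and `sha256HexCat` hash a plain concatenation, so the digest does not commit to where one part ends and the next begins. `sha256Cat('ab', 'c')` and `sha256Cat('a', 'bc')` return the same value, and `sha256HexCat` behaves the same way when its hex strings differ in length or letter case. That is harmless only while every caller passes fixed-length, lower-case fields, which the visible code neither checks nor states. Since the comment says the format must stay delimiter-free, I would keep the encoding and, provided current callers already pass lower-case hex, add a guard in `sha256HexCat` such as `if (!hexes.every(h => /^(?:[0-9a-f]{2})+$/.test(h))) throw new TypeError('expected lower-case hex');`. Both doc comments should also gain the sentence `Callers must pass fixed-length parts only; variable-length parts make the digest ambiguous.`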
@@ -0,0 +1 @@
1
+ {"version":3,"file":"hash.js","sourceRoot":"","sources":["../../src/crypto/hash.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGjD,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;AAE9B,MAAM,UAAU,WAAW,CAAC,IAAgB;IAC1C,OAAO,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,IAAY;IACpC,OAAO,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,IAAgB;IACzC,OAAO,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,wFAAwF;AACxF,MAAM,UAAU,SAAS,CAAC,GAAG,KAA8B;IACzD,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACvE,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAAC,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC;IAAC,CAAC;IAChE,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAED,yFAAyF;AACzF,MAAM,UAAU,YAAY,CAAC,GAAG,KAAe;IAC7C,OAAO,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;AACnC,CAAC"}
@@ -0,0 +1,6 @@
1
+ export * from './types.js';
2
+ export * from './hash.js';
3
+ export * from './sign.js';
4
+ export * from './salt.js';
5
+ export * from './merkle.js';
6
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/crypto/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC"}
@@ -0,0 +1,6 @@
1
+ export * from './types.js';
2
+ export * from './hash.js';
3
+ export * from './sign.js';
4
+ export * from './salt.js';
5
+ export * from './merkle.js';
6
+ //# sourceMappingURL=index.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/crypto/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC"}
@@ -0,0 +1,8 @@
1
+ import type { HashHex, MerkleInclusionProof } from './types.js';
2
+ export declare function buildMerkleTree(leaves: HashHex[]): {
3
+ root: HashHex;
4
+ layers: HashHex[][];
5
+ };
6
+ export declare function inclusionProof(leaves: HashHex[], idx: number): MerkleInclusionProof;
7
+ export declare function verifyProof(proof: MerkleInclusionProof): boolean;
8
+ //# sourceMappingURL=merkle.d.ts.map
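Review bot: `verifyProof` takes only the proof object, so whatever root it checks against presumably comes from inside that same object (`MerkleInclusionProof` is declared in `./types.js`, outside this hunk). A `true` result then means the proof is internally consistent, not that the leaf belongs to a trusted checkpoint. The declaration should say that, e.g. `/** Checks the path against the root carried in the proof; callers must separately compare that root with a trusted CheckpointReference.merkle_root. */`. `inclusionProof` also does not document what happens when `idx` is out of range or `leaves` is empty.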
@@ -0,0 +1 @@
1
+ {"version":3,"file":"merkle.d.ts","sourceRoot":"","sources":["../../src/crypto/merkle.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAIhE,wBAAgB,eAAe,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAA;CAAE,CAczF;AAED,wBAAgB,cAAc,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,MAAM,GAAG,oBAAoB,CAanF;AAED,wBAAgB,WAAW,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAMhE"}