@attested-intelligence/aga-mcp-server 0.1.0

Files changed (165)
  1. package/AGA_MCP_SERVER_SPEC.md +632 -0
  2. package/LICENSE +21 -0
  3. package/README.md +42 -0
  4. package/dist/core/artifact.d.ts +19 -0
  5. package/dist/core/artifact.d.ts.map +1 -0
  6. package/dist/core/artifact.js +27 -0
  7. package/dist/core/artifact.js.map +1 -0
  8. package/dist/core/attestation.d.ts +19 -0
  9. package/dist/core/attestation.d.ts.map +1 -0
  10. package/dist/core/attestation.js +12 -0
  11. package/dist/core/attestation.js.map +1 -0
  12. package/dist/core/behavioral.d.ts +45 -0
  13. package/dist/core/behavioral.d.ts.map +1 -0
  14. package/dist/core/behavioral.js +88 -0
  15. package/dist/core/behavioral.js.map +1 -0
  16. package/dist/core/bundle.d.ts +13 -0
  17. package/dist/core/bundle.d.ts.map +1 -0
  18. package/dist/core/bundle.js +31 -0
  19. package/dist/core/bundle.js.map +1 -0
  20. package/dist/core/chain.d.ts +13 -0
  21. package/dist/core/chain.d.ts.map +1 -0
  22. package/dist/core/chain.js +63 -0
  23. package/dist/core/chain.js.map +1 -0
  24. package/dist/core/checkpoint.d.ts +8 -0
  25. package/dist/core/checkpoint.d.ts.map +1 -0
  26. package/dist/core/checkpoint.js +21 -0
  27. package/dist/core/checkpoint.js.map +1 -0
  28. package/dist/core/delegation.d.ts +37 -0
  29. package/dist/core/delegation.d.ts.map +1 -0
  30. package/dist/core/delegation.js +104 -0
  31. package/dist/core/delegation.js.map +1 -0
  32. package/dist/core/disclosure.d.ts +12 -0
  33. package/dist/core/disclosure.d.ts.map +1 -0
  34. package/dist/core/disclosure.js +25 -0
  35. package/dist/core/disclosure.js.map +1 -0
  36. package/dist/core/index.d.ts +12 -0
  37. package/dist/core/index.d.ts.map +1 -0
  38. package/dist/core/index.js +12 -0
  39. package/dist/core/index.js.map +1 -0
  40. package/dist/core/portal.d.ts +28 -0
  41. package/dist/core/portal.d.ts.map +1 -0
  42. package/dist/core/portal.js +95 -0
  43. package/dist/core/portal.js.map +1 -0
  44. package/dist/core/quarantine.d.ts +8 -0
  45. package/dist/core/quarantine.d.ts.map +1 -0
  46. package/dist/core/quarantine.js +13 -0
  47. package/dist/core/quarantine.js.map +1 -0
  48. package/dist/core/receipt.d.ts +17 -0
  49. package/dist/core/receipt.d.ts.map +1 -0
  50. package/dist/core/receipt.js +17 -0
  51. package/dist/core/receipt.js.map +1 -0
  52. package/dist/core/subject.d.ts +4 -0
  53. package/dist/core/subject.d.ts.map +1 -0
  54. package/dist/core/subject.js +9 -0
  55. package/dist/core/subject.js.map +1 -0
  56. package/dist/core/types.d.ts +167 -0
  57. package/dist/core/types.d.ts.map +1 -0
  58. package/dist/core/types.js +2 -0
  59. package/dist/core/types.js.map +1 -0
  60. package/dist/crypto/hash.d.ts +9 -0
  61. package/dist/crypto/hash.d.ts.map +1 -0
  62. package/dist/crypto/hash.js +30 -0
  63. package/dist/crypto/hash.js.map +1 -0
  64. package/dist/crypto/index.d.ts +6 -0
  65. package/dist/crypto/index.d.ts.map +1 -0
  66. package/dist/crypto/index.js +6 -0
  67. package/dist/crypto/index.js.map +1 -0
  68. package/dist/crypto/merkle.d.ts +8 -0
  69. package/dist/crypto/merkle.d.ts.map +1 -0
  70. package/dist/crypto/merkle.js +42 -0
  71. package/dist/crypto/merkle.js.map +1 -0
  72. package/dist/crypto/salt.d.ts +5 -0
  73. package/dist/crypto/salt.d.ts.map +1 -0
  74. package/dist/crypto/salt.js +14 -0
  75. package/dist/crypto/salt.js.map +1 -0
  76. package/dist/crypto/sign.d.ts +11 -0
  77. package/dist/crypto/sign.d.ts.map +1 -0
  78. package/dist/crypto/sign.js +37 -0
  79. package/dist/crypto/sign.js.map +1 -0
  80. package/dist/crypto/types.d.ts +24 -0
  81. package/dist/crypto/types.d.ts.map +1 -0
  82. package/dist/crypto/types.js +2 -0
  83. package/dist/crypto/types.js.map +1 -0
  84. package/dist/index.d.ts +3 -0
  85. package/dist/index.d.ts.map +1 -0
  86. package/dist/index.js +11 -0
  87. package/dist/index.js.map +1 -0
  88. package/dist/middleware/governance.d.ts +27 -0
  89. package/dist/middleware/governance.d.ts.map +1 -0
  90. package/dist/middleware/governance.js +65 -0
  91. package/dist/middleware/governance.js.map +1 -0
  92. package/dist/middleware/index.d.ts +2 -0
  93. package/dist/middleware/index.d.ts.map +1 -0
  94. package/dist/middleware/index.js +2 -0
  95. package/dist/middleware/index.js.map +1 -0
  96. package/dist/server.d.ts +13 -0
  97. package/dist/server.d.ts.map +1 -0
  98. package/dist/server.js +369 -0
  99. package/dist/server.js.map +1 -0
  100. package/dist/storage/index.d.ts +4 -0
  101. package/dist/storage/index.d.ts.map +1 -0
  102. package/dist/storage/index.js +3 -0
  103. package/dist/storage/index.js.map +1 -0
  104. package/dist/storage/interface.d.ts +21 -0
  105. package/dist/storage/interface.d.ts.map +1 -0
  106. package/dist/storage/interface.js +2 -0
  107. package/dist/storage/interface.js.map +1 -0
  108. package/dist/storage/memory.d.ts +26 -0
  109. package/dist/storage/memory.d.ts.map +1 -0
  110. package/dist/storage/memory.js +24 -0
  111. package/dist/storage/memory.js.map +1 -0
  112. package/dist/storage/sqlite.d.ts +25 -0
  113. package/dist/storage/sqlite.d.ts.map +1 -0
  114. package/dist/storage/sqlite.js +44 -0
  115. package/dist/storage/sqlite.js.map +1 -0
  116. package/dist/utils/canonical.d.ts +3 -0
  117. package/dist/utils/canonical.d.ts.map +1 -0
  118. package/dist/utils/canonical.js +17 -0
  119. package/dist/utils/canonical.js.map +1 -0
  120. package/dist/utils/constants.d.ts +4 -0
  121. package/dist/utils/constants.d.ts.map +1 -0
  122. package/dist/utils/constants.js +4 -0
  123. package/dist/utils/constants.js.map +1 -0
  124. package/dist/utils/timestamp.d.ts +4 -0
  125. package/dist/utils/timestamp.d.ts.map +1 -0
  126. package/dist/utils/timestamp.js +13 -0
  127. package/dist/utils/timestamp.js.map +1 -0
  128. package/dist/utils/uuid.d.ts +2 -0
  129. package/dist/utils/uuid.d.ts.map +1 -0
  130. package/dist/utils/uuid.js +3 -0
  131. package/dist/utils/uuid.js.map +1 -0
  132. package/package.json +45 -0
  133. package/src/core/artifact.ts +45 -0
  134. package/src/core/attestation.ts +33 -0
  135. package/src/core/behavioral.ts +132 -0
  136. package/src/core/bundle.ts +31 -0
  137. package/src/core/chain.ts +72 -0
  138. package/src/core/checkpoint.ts +22 -0
  139. package/src/core/delegation.ts +146 -0
  140. package/src/core/disclosure.ts +32 -0
  141. package/src/core/index.ts +11 -0
  142. package/src/core/portal.ts +96 -0
  143. package/src/core/quarantine.ts +16 -0
  144. package/src/core/receipt.ts +33 -0
  145. package/src/core/subject.ts +11 -0
  146. package/src/core/types.ts +244 -0
  147. package/src/crypto/hash.ts +33 -0
  148. package/src/crypto/index.ts +5 -0
  149. package/src/crypto/merkle.ts +43 -0
  150. package/src/crypto/salt.ts +18 -0
  151. package/src/crypto/sign.ts +35 -0
  152. package/src/crypto/types.ts +19 -0
  153. package/src/index.ts +12 -0
  154. package/src/middleware/governance.ts +95 -0
  155. package/src/middleware/index.ts +1 -0
  156. package/src/server.ts +436 -0
  157. package/src/storage/index.ts +3 -0
  158. package/src/storage/interface.ts +21 -0
  159. package/src/storage/memory.ts +27 -0
  160. package/src/storage/sqlite.ts +45 -0
  161. package/src/tools/README.md +13 -0
  162. package/src/utils/canonical.ts +14 -0
  163. package/src/utils/constants.ts +3 -0
  164. package/src/utils/timestamp.ts +12 -0
  165. package/src/utils/uuid.ts +2 -0
@@ -0,0 +1,42 @@
1
+ import { sha256Str } from './hash.js';
2
+ function pair(l, r) { return sha256Str(l + r); }
3
+ export function buildMerkleTree(leaves) {
4
+ if (!leaves.length)
5
+ throw new Error('Empty leaf set');
6
+ if (leaves.length === 1)
7
+ return { root: leaves[0], layers: [leaves] };
8
+ const layers = [[...leaves]];
9
+ let cur = leaves;
10
+ while (cur.length > 1) {
11
+ const next = [];
12
+ for (let i = 0; i < cur.length; i += 2) {
13
+ next.push(pair(cur[i], i + 1 < cur.length ? cur[i + 1] : cur[i]));
14
+ }
15
+ layers.push(next);
16
+ cur = next;
17
+ }
18
+ return { root: cur[0], layers };
19
+ }
20
+ export function inclusionProof(leaves, idx) {
21
+ if (idx < 0 || idx >= leaves.length)
22
+ throw new RangeError(`Index ${idx} out of [0,${leaves.length})`);
23
+ const { root, layers } = buildMerkleTree(leaves);
24
+ const siblings = [];
25
+ let ci = idx;
26
+ for (let L = 0; L < layers.length - 1; L++) {
27
+ const layer = layers[L];
28
+ const isRight = ci % 2 === 1;
29
+ const si = isRight ? ci - 1 : (ci + 1 < layer.length ? ci + 1 : ci);
30
+ siblings.push({ hash: layer[si], position: isRight ? 'left' : 'right' });
31
+ ci = Math.floor(ci / 2);
32
+ }
33
+ return { leafHash: leaves[idx], leafIndex: idx, siblings, root };
34
+ }
35
+ export function verifyProof(proof) {
36
+ let h = proof.leafHash;
37
+ for (const s of proof.siblings) {
38
+ h = s.position === 'left' ? pair(s.hash, h) : pair(h, s.hash);
39
+ }
40
+ return h === proof.root;
41
+ }
42
+ //# sourceMappingURL=merkle.js.map
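Review bot: `verifyProof` compares the recomputed hash with `proof.root`, a field of the same object it is checking, so a `true` result shows only that the proof is internally consistent, not that the leaf belongs to a tree the caller trusts. I would state that on the function with `// Checks internal consistency only; the caller must compare proof.root with a root obtained from a trusted source.` or take the trusted root as a separate argument. Separately, `pair` hashes the bare concatenation `l + r` and `buildMerkleTree` pairs an odd trailing node with itself, so leaf and interior hashes share one domain and the leaf lists `[a, b, c]` and `[a, b, c, c]` yield the same root; distinct prefixes for leaf and node hashes (as RFC 6962 does) and binding the leaf count into whatever gets signed would close both. `leafIndex` is also never checked against the sibling `position` values.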
@@ -0,0 +1 @@
1
+ {"version":3,"file":"merkle.js","sourceRoot":"","sources":["../../src/crypto/merkle.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAGtC,SAAS,IAAI,CAAC,CAAU,EAAE,CAAU,IAAa,OAAO,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAE3E,MAAM,UAAU,eAAe,CAAC,MAAiB;IAC/C,IAAI,CAAC,MAAM,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;IACtD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;IACtE,MAAM,MAAM,GAAgB,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC;IAC1C,IAAI,GAAG,GAAG,MAAM,CAAC;IACjB,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,GAAc,EAAE,CAAC;QAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACpE,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClB,GAAG,GAAG,IAAI,CAAC;IACb,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAiB,EAAE,GAAW;IAC3D,IAAI,GAAG,GAAG,CAAC,IAAI,GAAG,IAAI,MAAM,CAAC,MAAM;QAAE,MAAM,IAAI,UAAU,CAAC,SAAS,GAAG,cAAc,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;IACtG,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAqC,EAAE,CAAC;IACtD,IAAI,EAAE,GAAG,GAAG,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACxB,MAAM,OAAO,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;QAC7B,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACpE,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;QACzE,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,SA
AS,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,KAA2B;IACrD,IAAI,CAAC,GAAG,KAAK,CAAC,QAAQ,CAAC;IACvB,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC/B,CAAC,GAAG,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC;AAC1B,CAAC"}
@@ -0,0 +1,5 @@
1
+ import type { SaltHex, SaltedCommitment, HashHex } from './types.js';
2
+ export declare function generateSalt(): SaltHex;
3
+ export declare function saltedCommitment(content: Uint8Array | string, salt?: SaltHex): SaltedCommitment;
4
+ export declare function verifySaltedCommitment(content: Uint8Array | string, salt: SaltHex, expected: HashHex): boolean;
5
+ //# sourceMappingURL=salt.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"salt.d.ts","sourceRoot":"","sources":["../../src/crypto/salt.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAIrE,wBAAgB,YAAY,IAAI,OAAO,CAAwC;AAE/E,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,UAAU,GAAG,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAI/F;AAED,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,UAAU,GAAG,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,GAAG,OAAO,CAE9G"}
@@ -0,0 +1,14 @@
1
+ import { randomBytes } from 'node:crypto';
2
+ import { bytesToHex } from '@noble/hashes/utils';
3
+ import { sha256Cat } from './hash.js';
4
+ const enc = new TextEncoder();
5
+ export function generateSalt() { return bytesToHex(randomBytes(16)); }
6
+ export function saltedCommitment(content, salt) {
7
+ const s = salt ?? generateSalt();
8
+ const c = typeof content === 'string' ? enc.encode(content) : content;
9
+ return { commitment: sha256Cat(c, s), salt: s };
10
+ }
11
+ export function verifySaltedCommitment(content, salt, expected) {
12
+ return saltedCommitment(content, salt).commitment === expected;
13
+ }
14
+ //# sourceMappingURL=salt.js.map
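Review bot: `verifySaltedCommitment` passes `salt` through unchecked, so any string (including an empty one) is accepted as a salt, and a `null` or `undefined` salt makes `saltedCommitment` silently generate a fresh one instead of rejecting the input. A guard at the top of the verifier, `if (typeof salt !== 'string' || !/^[0-9a-f]{32}$/.test(salt)) return false;`, would tie verification to the 16-byte lowercase-hex format `generateSalt` produces; it changes the result for callers that supply salts of another length, so confirm none do. If `sha256Cat` (not visible in this section) concatenates its inputs without a length prefix, a fixed salt length is also what keeps the content/salt boundary unambiguous.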
@@ -0,0 +1 @@
1
+ {"version":3,"file":"salt.js","sourceRoot":"","sources":["../../src/crypto/salt.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAGtC,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;AAE9B,MAAM,UAAU,YAAY,KAAc,OAAO,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;AAE/E,MAAM,UAAU,gBAAgB,CAAC,OAA4B,EAAE,IAAc;IAC3E,MAAM,CAAC,GAAG,IAAI,IAAI,YAAY,EAAE,CAAC;IACjC,MAAM,CAAC,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IACtE,OAAO,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,OAA4B,EAAE,IAAa,EAAE,QAAiB;IACnG,OAAO,gBAAgB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,UAAU,KAAK,QAAQ,CAAC;AACjE,CAAC"}
@@ -0,0 +1,11 @@
1
+ import type { KeyPair, Signature, SignatureBase64 } from './types.js';
2
+ export declare function generateKeyPair(): KeyPair;
3
+ export declare function sign(msg: Uint8Array, sk: Uint8Array): Signature;
4
+ export declare function signStr(msg: string, sk: Uint8Array): Signature;
5
+ export declare function verify(sig: Signature, msg: Uint8Array, pk: Uint8Array): boolean;
6
+ export declare function verifyStr(sig: Signature, msg: string, pk: Uint8Array): boolean;
7
+ export declare const sigToB64: (s: Signature) => SignatureBase64;
8
+ export declare const b64ToSig: (b: SignatureBase64) => Signature;
9
+ export declare const pkToHex: (pk: Uint8Array) => string;
10
+ export declare const hexToPk: (h: string) => Uint8Array;
11
+ //# sourceMappingURL=sign.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../../src/crypto/sign.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAatE,wBAAgB,eAAe,IAAI,OAAO,CAGzC;AAED,wBAAgB,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,GAAG,SAAS,CAA6B;AAC7F,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,GAAG,SAAS,CAAsC;AAErG,wBAAgB,MAAM,CAAC,GAAG,EAAE,SAAS,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,GAAG,OAAO,CAE/E;AACD,wBAAgB,SAAS,CAAC,GAAG,EAAE,SAAS,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,GAAG,OAAO,CAE9E;AAED,eAAO,MAAM,QAAQ,GAAI,GAAG,SAAS,KAAG,eAAoD,CAAC;AAC7F,eAAO,MAAM,QAAQ,GAAI,GAAG,eAAe,KAAG,SAAqD,CAAC;AACpG,eAAO,MAAM,OAAO,GAAI,IAAI,UAAU,KAAG,MAAwB,CAAC;AAClE,eAAO,MAAM,OAAO,GAAI,GAAG,MAAM,KAAG,UAA2B,CAAC"}
@@ -0,0 +1,37 @@
1
+ import * as ed from '@noble/ed25519';
2
+ import { sha512 } from '@noble/hashes/sha512';
3
+ import { bytesToHex, hexToBytes } from '@noble/hashes/utils';
4
+ // Set sha512 sync ONCE at module load
5
+ ed.etc.sha512Sync = (...m) => {
6
+ const total = m.reduce((n, a) => n + a.length, 0);
7
+ const buf = new Uint8Array(total);
8
+ let off = 0;
9
+ for (const a of m) {
10
+ buf.set(a, off);
11
+ off += a.length;
12
+ }
13
+ return sha512(buf);
14
+ };
15
+ const enc = new TextEncoder();
16
+ export function generateKeyPair() {
17
+ const secretKey = ed.utils.randomPrivateKey();
18
+ return { publicKey: ed.getPublicKey(secretKey), secretKey };
19
+ }
20
+ export function sign(msg, sk) { return ed.sign(msg, sk); }
21
+ export function signStr(msg, sk) { return sign(enc.encode(msg), sk); }
22
+ export function verify(sig, msg, pk) {
23
+ try {
24
+ return ed.verify(sig, msg, pk);
25
+ }
26
+ catch {
27
+ return false;
28
+ }
29
+ }
30
+ export function verifyStr(sig, msg, pk) {
31
+ return verify(sig, enc.encode(msg), pk);
32
+ }
33
+ export const sigToB64 = (s) => Buffer.from(s).toString('base64');
34
+ export const b64ToSig = (b) => new Uint8Array(Buffer.from(b, 'base64'));
35
+ export const pkToHex = (pk) => bytesToHex(pk);
36
+ export const hexToPk = (h) => hexToBytes(h);
37
+ //# sourceMappingURL=sign.js.map
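Review bot: `b64ToSig` relies on `Buffer.from(b, 'base64')`, which skips characters outside the base64 alphabet and also accepts the URL-safe variant, so several different strings decode to the same signature bytes and a malformed value is never rejected at this boundary. If the encoded signature is stored or hashed as part of a record (the callers are not visible here), the record's text form is then not canonical. Consider a length and round-trip check in the decoder: `const sig = new Uint8Array(Buffer.from(b, 'base64'));` followed by `if (sig.length !== 64 || sigToB64(sig) !== b) throw new TypeError('invalid signature encoding');`. `hexToPk` has the same gap for key length, and the bare `catch` in `verify` reports every failure, including a configuration error, as an invalid signature, which is fail-closed but deserves a comment saying so.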
@@ -0,0 +1 @@
1
+ {"version":3,"file":"sign.js","sourceRoot":"","sources":["../../src/crypto/sign.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAG7D,sCAAsC;AACtC,EAAE,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAAe,EAAE,EAAE;IACzC,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAClD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAAC,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC;IAAC,CAAC;IACxD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC,CAAC;AAEF,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;AAE9B,MAAM,UAAU,eAAe;IAC7B,MAAM,SAAS,GAAG,EAAE,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;IAC9C,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,CAAC;AAC9D,CAAC;AAED,MAAM,UAAU,IAAI,CAAC,GAAe,EAAE,EAAc,IAAe,OAAO,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;AAC7F,MAAM,UAAU,OAAO,CAAC,GAAW,EAAE,EAAc,IAAe,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;AAErG,MAAM,UAAU,MAAM,CAAC,GAAc,EAAE,GAAe,EAAE,EAAc;IACpE,IAAI,CAAC;QAAC,OAAO,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,KAAK,CAAC;IAAC,CAAC;AACjE,CAAC;AACD,MAAM,UAAU,SAAS,CAAC,GAAc,EAAE,GAAW,EAAE,EAAc;IACnE,OAAO,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,CAAC,MAAM,QAAQ,GAAG,CAAC,CAAY,EAAmB,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC7F,MAAM,CAAC,MAAM,QAAQ,GAAG,CAAC,CAAkB,EAAa,EAAE,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;AACpG,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,EAAc,EAAU,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;AAClE,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,CAAS,EAAc,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC"}
@@ -0,0 +1,24 @@
1
+ export type PublicKey = Uint8Array;
2
+ export type SecretKey = Uint8Array;
3
+ export interface KeyPair {
4
+ publicKey: PublicKey;
5
+ secretKey: SecretKey;
6
+ }
7
+ export type Signature = Uint8Array;
8
+ export type HashHex = string;
9
+ export type SignatureBase64 = string;
10
+ export type SaltHex = string;
11
+ export interface SaltedCommitment {
12
+ commitment: HashHex;
13
+ salt: SaltHex;
14
+ }
15
+ export interface MerkleInclusionProof {
16
+ leafHash: HashHex;
17
+ leafIndex: number;
18
+ siblings: Array<{
19
+ hash: HashHex;
20
+ position: 'left' | 'right';
21
+ }>;
22
+ root: HashHex;
23
+ }
24
+ //# sourceMappingURL=types.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/crypto/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,SAAS,GAAG,UAAU,CAAC;AACnC,MAAM,MAAM,SAAS,GAAG,UAAU,CAAC;AACnC,MAAM,WAAW,OAAO;IAAG,SAAS,EAAE,SAAS,CAAC;IAAC,SAAS,EAAE,SAAS,CAAC;CAAE;AACxE,MAAM,MAAM,SAAS,GAAG,UAAU,CAAC;AACnC,MAAM,MAAM,OAAO,GAAG,MAAM,CAAC;AAC7B,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC;AACrC,MAAM,MAAM,OAAO,GAAG,MAAM,CAAC;AAE7B,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;CACf;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,OAAO,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,OAAO,CAAC;QAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAA;KAAE,CAAC,CAAC;IAC/D,IAAI,EAAE,OAAO,CAAC;CACf"}
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=types.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/crypto/types.ts"],"names":[],"mappings":""}
@@ -0,0 +1,3 @@
1
+ #!/usr/bin/env node
2
+ export {};
3
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}
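--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -0,0 +1,11 @@
+#!/usr/bin/env node
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { createAGAServer } from './server.js';
+async function main() {
+const server = await createAGAServer();
+const transport = new StdioServerTransport();
+await server.connect(transport);
+console.error('AGA MCP Server running on stdio');
+}
+main().catch(e => { console.error('Fatal:', e); process.exit(1); });
+//# sourceMappingURL=index.js.map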
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,KAAK,UAAU,IAAI;IACjB,MAAM,MAAM,GAAG,MAAM,eAAe,EAAE,CAAC;IACvC,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;AACnD,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC"}
@@ -0,0 +1,27 @@
1
+ /**
2
+ * Governance Middleware — wraps every MCP tool handler.
3
+ *
4
+ * NCCoE filing Section 4: "The portal operates as a Policy Enforcement Point (PEP)...
5
+ * Every tool invocation, API call, actuator command, and data access passes through
6
+ * the portal, which evaluates it against the sealed artifact's enforcement parameters."
7
+ *
8
+ * Behavior:
9
+ * - TERMINATED state → reject all governed tools
10
+ * - PHANTOM_QUARANTINE → capture tool call as forensic input, reject
11
+ * - ACTIVE_MONITORING → allow, log to chain
12
+ * - Ungoverned tools (get_server_info, get_portal_state, list_claims) → always allow
13
+ */
14
+ import type { Portal } from '../core/portal.js';
15
+ import type { QuarantineState } from '../core/types.js';
16
+ import type { BehavioralMonitor } from '../core/behavioral.js';
17
+ export type ToolResult = {
18
+ content: Array<{
19
+ type: 'text';
20
+ text: string;
21
+ }>;
22
+ };
23
+ export type ToolHandler<T = any> = (args: T) => Promise<ToolResult>;
24
+ export declare function createGovernanceWrapper(portal: Portal, quarantine: {
25
+ current: QuarantineState | null;
26
+ }, toolName: string, behavioralMonitor?: BehavioralMonitor): <T>(handler: ToolHandler<T>) => ToolHandler<T>;
27
+ //# sourceMappingURL=governance.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"governance.d.ts","sourceRoot":"","sources":["../../src/middleware/governance.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAExD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAI/D,MAAM,MAAM,UAAU,GAAG;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAAE,CAAC;AAC5E,MAAM,MAAM,WAAW,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;AAapE,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE;IAAE,OAAO,EAAE,eAAe,GAAG,IAAI,CAAA;CAAE,EAC/C,QAAQ,EAAE,MAAM,EAChB,iBAAiB,CAAC,EAAE,iBAAiB,IAIT,CAAC,EAAE,SAAS,WAAW,CAAC,CAAC,CAAC,KAAG,WAAW,CAAC,CAAC,CAAC,CAoDxE"}
@@ -0,0 +1,65 @@
1
+ import { captureInput } from '../core/quarantine.js';
2
+ import { sha256Str } from '../crypto/hash.js';
3
+ import { canonicalize } from '../utils/canonical.js';
4
+ const UNGOVERNED_TOOLS = new Set([
5
+ 'get_server_info',
6
+ 'get_portal_state',
7
+ 'get_receipts',
8
+ 'get_chain_events',
9
+ 'list_claims',
10
+ 'init_chain', // must work before attestation
11
+ 'attest_subject', // creates the governance relationship
12
+ 'verify_chain', // read-only verification
13
+ ]);
14
+ export function createGovernanceWrapper(portal, quarantine, toolName, behavioralMonitor) {
15
+ const isGoverned = !UNGOVERNED_TOOLS.has(toolName);
16
+ return function wrapHandler(handler) {
17
+ if (!isGoverned)
18
+ return handler;
19
+ return async (args) => {
20
+ const j = (x) => ({
21
+ content: [{ type: 'text', text: JSON.stringify(x, null, 2) }]
22
+ });
23
+ // TERMINATED → reject everything
24
+ if (portal.state === 'TERMINATED') {
25
+ return j({
26
+ success: false,
27
+ error: 'GOVERNANCE_BLOCKED: Portal is terminated. Agent governance has been revoked. Re-attestation required.',
28
+ portal_state: portal.state,
29
+ tool: toolName,
30
+ });
31
+ }
32
+ // PHANTOM_QUARANTINE → capture as forensic input, reject
33
+ if (portal.state === 'PHANTOM_QUARANTINE' && quarantine.current?.active) {
34
+ captureInput(quarantine.current, `tool_call:${toolName}`, {
35
+ tool: toolName,
36
+ args,
37
+ timestamp: new Date().toISOString(),
38
+ });
39
+ return j({
40
+ success: false,
41
+ error: 'GOVERNANCE_QUARANTINED: Agent is in phantom quarantine. All outputs are severed. Inputs are being captured for forensic analysis.',
42
+ portal_state: portal.state,
43
+ tool: toolName,
44
+ forensic_capture: true,
45
+ });
46
+ }
47
+ // INITIALIZATION or ARTIFACT_VERIFICATION → not yet governed
48
+ if (portal.state === 'INITIALIZATION' || portal.state === 'ARTIFACT_VERIFICATION') {
49
+ return j({
50
+ success: false,
51
+ error: 'GOVERNANCE_NOT_READY: No active policy artifact. Call attest_subject first.',
52
+ portal_state: portal.state,
53
+ tool: toolName,
54
+ });
55
+ }
56
+ // ACTIVE_MONITORING or DRIFT_DETECTED → record + allow through
57
+ if (behavioralMonitor) {
58
+ const argsHash = sha256Str(canonicalize(args));
59
+ behavioralMonitor.recordInvocation(toolName, argsHash);
60
+ }
61
+ return handler(args);
62
+ };
63
+ };
64
+ }
65
+ //# sourceMappingURL=governance.js.map
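Review bot: The wrapper fails open: the quarantine branch rejects only when `portal.state === 'PHANTOM_QUARANTINE'` and `quarantine.current?.active` are both true, so a portal in `PHANTOM_QUARANTINE` with a null or inactive `quarantine.current` falls through to `handler(args)`, as does any state value the three `if` blocks do not name. For a policy enforcement point the last step should be an allowlist of the two states the final comment mentions, with every other state rejected, and the quarantine state should reject whether or not a capture record exists. The header comment shipped in governance.d.ts also lists three ungoverned tools while `UNGOVERNED_TOOLS` holds eight, including `init_chain` and `attest_subject`; the comment should match the set. The fence shows the two changed branches.

```javascript
// … unchanged: TERMINATED branch …
if (portal.state === 'PHANTOM_QUARANTINE') {
    // Capture only when a quarantine record exists; reject in either case.
    const capturing = Boolean(quarantine.current?.active);
    if (capturing) {
        captureInput(quarantine.current, `tool_call:${toolName}`, {
            tool: toolName,
            args,
            timestamp: new Date().toISOString(),
        });
    }
    return j({
        success: false,
        error: 'GOVERNANCE_QUARANTINED: Agent is in phantom quarantine. All outputs are severed. Inputs are being captured for forensic analysis.',
        portal_state: portal.state,
        tool: toolName,
        forensic_capture: capturing,
    });
}
// … unchanged: INITIALIZATION / ARTIFACT_VERIFICATION branch …
// Default deny: only the two monitored states may reach the handler.
if (portal.state !== 'ACTIVE_MONITORING' && portal.state !== 'DRIFT_DETECTED') {
    return j({
        success: false,
        error: 'GOVERNANCE_BLOCKED: Portal state does not permit tool execution.',
        portal_state: portal.state,
        tool: toolName,
    });
}
// … unchanged: behavioralMonitor recording and handler(args) …
```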
@@ -0,0 +1 @@
1
+ {"version":3,"file":"governance.js","sourceRoot":"","sources":["../../src/middleware/governance.ts"],"names":[],"mappings":"AAeA,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAKrD,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,iBAAiB;IACjB,kBAAkB;IAClB,cAAc;IACd,kBAAkB;IAClB,aAAa;IACb,YAAY,EAAS,+BAA+B;IACpD,gBAAgB,EAAK,sCAAsC;IAC3D,cAAc,EAAO,yBAAyB;CAC/C,CAAC,CAAC;AAEH,MAAM,UAAU,uBAAuB,CACrC,MAAc,EACd,UAA+C,EAC/C,QAAgB,EAChB,iBAAqC;IAErC,MAAM,UAAU,GAAG,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAEnD,OAAO,SAAS,WAAW,CAAI,OAAuB;QACpD,IAAI,CAAC,UAAU;YAAE,OAAO,OAAO,CAAC;QAEhC,OAAO,KAAK,EAAE,IAAO,EAAuB,EAAE;YAC5C,MAAM,CAAC,GAAG,CAAC,CAAU,EAAc,EAAE,CAAC,CAAC;gBACrC,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aAC9D,CAAC,CAAC;YAEH,iCAAiC;YACjC,IAAI,MAAM,CAAC,KAAK,KAAK,YAAY,EAAE,CAAC;gBAClC,OAAO,CAAC,CAAC;oBACP,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,uGAAuG;oBAC9G,YAAY,EAAE,MAAM,CAAC,KAAK;oBAC1B,IAAI,EAAE,QAAQ;iBACf,CAAC,CAAC;YACL,CAAC;YAED,yDAAyD;YACzD,IAAI,MAAM,CAAC,KAAK,KAAK,oBAAoB,IAAI,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC;gBACxE,YAAY,CAAC,UAAU,CAAC,OAAO,EAAE,aAAa,QAAQ,EAAE,EAAE;oBACxD,IAAI,EAAE,QAAQ;oBACd,IAAI;oBACJ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACpC,CAAC,CAAC;gBACH,OAAO,CAAC,CAAC;oBACP,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,mIAAmI;oBAC1I,YAAY,EAAE,MAAM,CAAC,KAAK;oBAC1B,IAAI,EAAE,QAAQ;oBACd,gBAAgB,EAAE,IAAI;iBACvB,CAAC,CAAC;YACL,CAAC;YAED,6DAA6D;YAC7D,IAAI,MAAM,CAAC,KAAK,KAAK,gBAAgB,IAAI,MAAM,CAAC,KAAK,KAAK,uBAAuB,EAAE,CAAC;gBAClF,OAAO,CAAC,CAAC;oBACP,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,6EAA6E;oBACpF,YAAY,EAAE,MAAM,CAAC,KAAK;oBAC1B,IAAI,EAAE,QAAQ;iBACf,CAAC,CAAC;YACL,CAAC;YAED,+DAA+D;YAC/D,IAAI,iBAAiB,EAAE,CAAC;gBACtB,MAAM,QAAQ,GAAG,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;gBAC/C,iBAAiB,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YACzD,CAAC;YACD,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC"}
@@ -0,0 +1,2 @@
1
+ export * from './governance.js';
2
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/middleware/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAC"}
@@ -0,0 +1,2 @@
1
+ export * from './governance.js';
2
+ //# sourceMappingURL=index.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/middleware/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAC"}
@@ -0,0 +1,13 @@
1
+ /**
2
+ * AGA MCP Server. The Portal (ref 150) as an MCP service.
3
+ *
4
+ * V3 NIST-aligned behaviors:
5
+ * 1. Every measurement generates a receipt (match OR mismatch)
6
+ * 2. TTL checked on every measurement (fail-closed)
7
+ * 3. Mid-session revocation via revoke_artifact tool
8
+ * 4. Governance middleware: portal state checked before tool execution
9
+ * 5. Auto-chaining: every operation writes to continuity chain
10
+ */
11
+ import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
12
+ export declare function createAGAServer(): Promise<McpServer>;
13
+ //# sourceMappingURL=server.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAiDpE,wBAAsB,eAAe,IAAI,OAAO,CAAC,SAAS,CAAC,CAwX1D"}