@attested-intelligence/aga-mcp-server 2.0.1 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (241) hide show
  1. package/README.md +197 -124
  2. package/SECURITY.md +59 -0
  3. package/dist/adapters/openclaw.d.ts +43 -0
  4. package/dist/adapters/openclaw.d.ts.map +1 -0
  5. package/dist/adapters/openclaw.js +86 -0
  6. package/dist/adapters/openclaw.js.map +1 -0
  7. package/dist/core/bundle.d.ts +9 -2
  8. package/dist/core/bundle.d.ts.map +1 -1
  9. package/dist/core/bundle.js +16 -2
  10. package/dist/core/bundle.js.map +1 -1
  11. package/dist/core/identity.d.ts +19 -10
  12. package/dist/core/identity.d.ts.map +1 -1
  13. package/dist/core/identity.js +45 -11
  14. package/dist/core/identity.js.map +1 -1
  15. package/dist/core/portal.d.ts +10 -1
  16. package/dist/core/portal.d.ts.map +1 -1
  17. package/dist/core/portal.js +16 -12
  18. package/dist/core/portal.js.map +1 -1
  19. package/dist/core/types.d.ts +29 -2
  20. package/dist/core/types.d.ts.map +1 -1
  21. package/dist/crypto/index.d.ts +5 -6
  22. package/dist/crypto/index.d.ts.map +1 -1
  23. package/dist/crypto/index.js +5 -6
  24. package/dist/crypto/index.js.map +1 -1
  25. package/dist/crypto/sign.d.ts +2 -0
  26. package/dist/crypto/sign.d.ts.map +1 -1
  27. package/dist/crypto/sign.js +6 -0
  28. package/dist/crypto/sign.js.map +1 -1
  29. package/dist/index.js +1 -1
  30. package/dist/index.js.map +1 -1
  31. package/dist/middleware/governance.d.ts +7 -1
  32. package/dist/middleware/governance.d.ts.map +1 -1
  33. package/dist/middleware/governance.js +18 -11
  34. package/dist/middleware/governance.js.map +1 -1
  35. package/dist/proxy/evaluator.d.ts +14 -0
  36. package/dist/proxy/evaluator.d.ts.map +1 -0
  37. package/dist/proxy/evaluator.js +141 -0
  38. package/dist/proxy/evaluator.js.map +1 -0
  39. package/dist/proxy/index.d.ts +22 -0
  40. package/dist/proxy/index.d.ts.map +1 -0
  41. package/dist/proxy/index.js +230 -0
  42. package/dist/proxy/index.js.map +1 -0
  43. package/dist/proxy/profiles.d.ts +16 -0
  44. package/dist/proxy/profiles.d.ts.map +1 -0
  45. package/dist/proxy/profiles.js +43 -0
  46. package/dist/proxy/profiles.js.map +1 -0
  47. package/dist/proxy/server.d.ts +106 -0
  48. package/dist/proxy/server.d.ts.map +1 -0
  49. package/dist/proxy/server.js +389 -0
  50. package/dist/proxy/server.js.map +1 -0
  51. package/dist/proxy/stdio-bridge.d.ts +42 -0
  52. package/dist/proxy/stdio-bridge.d.ts.map +1 -0
  53. package/dist/proxy/stdio-bridge.js +142 -0
  54. package/dist/proxy/stdio-bridge.js.map +1 -0
  55. package/dist/proxy/types.d.ts +36 -0
  56. package/dist/proxy/types.d.ts.map +1 -0
  57. package/dist/proxy/types.js +11 -0
  58. package/dist/proxy/types.js.map +1 -0
  59. package/dist/proxy/verify.d.ts +29 -0
  60. package/dist/proxy/verify.d.ts.map +1 -0
  61. package/dist/proxy/verify.js +183 -0
  62. package/dist/proxy/verify.js.map +1 -0
  63. package/dist/server.d.ts +7 -3
  64. package/dist/server.d.ts.map +1 -1
  65. package/dist/server.js +342 -214
  66. package/dist/server.js.map +1 -1
  67. package/dist/storage/sqlite.js +6 -6
  68. package/independent-verifier/README.md +31 -0
  69. package/independent-verifier/package.json +18 -0
  70. package/independent-verifier/verify.ts +211 -0
  71. package/package.json +97 -71
  72. package/src/adapters/openclaw.ts +125 -0
  73. package/src/core/artifact.ts +45 -0
  74. package/src/core/attestation.ts +33 -0
  75. package/src/core/behavioral.ts +132 -0
  76. package/src/core/bundle.ts +45 -0
  77. package/src/core/chain.ts +72 -0
  78. package/src/core/checkpoint.ts +22 -0
  79. package/src/core/delegation.ts +146 -0
  80. package/src/core/disclosure.ts +32 -0
  81. package/src/core/identity.ts +62 -0
  82. package/src/core/index.ts +14 -0
  83. package/src/core/portal.ts +117 -0
  84. package/src/core/quarantine.ts +16 -0
  85. package/src/core/receipt.ts +33 -0
  86. package/src/core/subject.ts +11 -0
  87. package/src/core/types.ts +285 -0
  88. package/src/crypto/hash.ts +33 -0
  89. package/src/crypto/index.ts +5 -0
  90. package/src/crypto/merkle.ts +43 -0
  91. package/src/crypto/salt.ts +18 -0
  92. package/src/crypto/sign.ts +42 -0
  93. package/src/crypto/types.ts +19 -0
  94. package/src/index.ts +12 -0
  95. package/src/middleware/governance.ts +95 -0
  96. package/src/middleware/index.ts +1 -0
  97. package/src/proxy/evaluator.ts +176 -0
  98. package/src/proxy/index.ts +259 -0
  99. package/src/proxy/profiles.ts +48 -0
  100. package/src/proxy/server.ts +499 -0
  101. package/src/proxy/stdio-bridge.ts +171 -0
  102. package/src/proxy/types.ts +40 -0
  103. package/src/proxy/verify.ts +202 -0
  104. package/src/server.ts +435 -0
  105. package/src/storage/index.ts +3 -0
  106. package/src/storage/interface.ts +21 -0
  107. package/src/storage/memory.ts +27 -0
  108. package/src/storage/sqlite.ts +45 -0
  109. package/src/tools/README.md +13 -0
  110. package/src/utils/canonical.ts +14 -0
  111. package/src/utils/constants.ts +3 -0
  112. package/src/utils/timestamp.ts +12 -0
  113. package/src/utils/uuid.ts +2 -0
  114. package/dist/context.d.ts +0 -39
  115. package/dist/context.d.ts.map +0 -1
  116. package/dist/context.js +0 -113
  117. package/dist/context.js.map +0 -1
  118. package/dist/core/measurement.d.ts +0 -16
  119. package/dist/core/measurement.d.ts.map +0 -1
  120. package/dist/core/measurement.js +0 -18
  121. package/dist/core/measurement.js.map +0 -1
  122. package/dist/crypto/canonicalize.d.ts +0 -7
  123. package/dist/crypto/canonicalize.d.ts.map +0 -1
  124. package/dist/crypto/canonicalize.js +0 -21
  125. package/dist/crypto/canonicalize.js.map +0 -1
  126. package/dist/crypto/keys.d.ts +0 -10
  127. package/dist/crypto/keys.d.ts.map +0 -1
  128. package/dist/crypto/keys.js +0 -19
  129. package/dist/crypto/keys.js.map +0 -1
  130. package/dist/prompts/drift-analysis.d.ts +0 -13
  131. package/dist/prompts/drift-analysis.d.ts.map +0 -1
  132. package/dist/prompts/drift-analysis.js +0 -43
  133. package/dist/prompts/drift-analysis.js.map +0 -1
  134. package/dist/prompts/governance-report.d.ts +0 -7
  135. package/dist/prompts/governance-report.d.ts.map +0 -1
  136. package/dist/prompts/governance-report.js +0 -26
  137. package/dist/prompts/governance-report.js.map +0 -1
  138. package/dist/prompts/nccoe-demo.d.ts +0 -14
  139. package/dist/prompts/nccoe-demo.d.ts.map +0 -1
  140. package/dist/prompts/nccoe-demo.js +0 -47
  141. package/dist/prompts/nccoe-demo.js.map +0 -1
  142. package/dist/resources/cosai-mapping.d.ts +0 -24
  143. package/dist/resources/cosai-mapping.d.ts.map +0 -1
  144. package/dist/resources/cosai-mapping.js +0 -127
  145. package/dist/resources/cosai-mapping.js.map +0 -1
  146. package/dist/resources/crypto-primitives.d.ts +0 -3
  147. package/dist/resources/crypto-primitives.d.ts.map +0 -1
  148. package/dist/resources/crypto-primitives.js +0 -52
  149. package/dist/resources/crypto-primitives.js.map +0 -1
  150. package/dist/resources/sample-bundle.d.ts +0 -6
  151. package/dist/resources/sample-bundle.d.ts.map +0 -1
  152. package/dist/resources/sample-bundle.js +0 -58
  153. package/dist/resources/sample-bundle.js.map +0 -1
  154. package/dist/resources/specification.d.ts +0 -3
  155. package/dist/resources/specification.d.ts.map +0 -1
  156. package/dist/resources/specification.js +0 -161
  157. package/dist/resources/specification.js.map +0 -1
  158. package/dist/tools/create-artifact.d.ts +0 -25
  159. package/dist/tools/create-artifact.d.ts.map +0 -1
  160. package/dist/tools/create-artifact.js +0 -85
  161. package/dist/tools/create-artifact.js.map +0 -1
  162. package/dist/tools/delegate-subagent.d.ts +0 -18
  163. package/dist/tools/delegate-subagent.d.ts.map +0 -1
  164. package/dist/tools/delegate-subagent.js +0 -50
  165. package/dist/tools/delegate-subagent.js.map +0 -1
  166. package/dist/tools/disclose-claim.d.ts +0 -14
  167. package/dist/tools/disclose-claim.d.ts.map +0 -1
  168. package/dist/tools/disclose-claim.js +0 -23
  169. package/dist/tools/disclose-claim.js.map +0 -1
  170. package/dist/tools/export-bundle.d.ts +0 -8
  171. package/dist/tools/export-bundle.d.ts.map +0 -1
  172. package/dist/tools/export-bundle.js +0 -25
  173. package/dist/tools/export-bundle.js.map +0 -1
  174. package/dist/tools/full-lifecycle.d.ts +0 -16
  175. package/dist/tools/full-lifecycle.d.ts.map +0 -1
  176. package/dist/tools/full-lifecycle.js +0 -121
  177. package/dist/tools/full-lifecycle.js.map +0 -1
  178. package/dist/tools/generate-receipt.d.ts +0 -16
  179. package/dist/tools/generate-receipt.d.ts.map +0 -1
  180. package/dist/tools/generate-receipt.js +0 -31
  181. package/dist/tools/generate-receipt.js.map +0 -1
  182. package/dist/tools/get-chain.d.ts +0 -14
  183. package/dist/tools/get-chain.d.ts.map +0 -1
  184. package/dist/tools/get-chain.js +0 -45
  185. package/dist/tools/get-chain.js.map +0 -1
  186. package/dist/tools/get-portal-state.d.ts +0 -8
  187. package/dist/tools/get-portal-state.d.ts.map +0 -1
  188. package/dist/tools/get-portal-state.js +0 -15
  189. package/dist/tools/get-portal-state.js.map +0 -1
  190. package/dist/tools/init-chain.d.ts +0 -10
  191. package/dist/tools/init-chain.d.ts.map +0 -1
  192. package/dist/tools/init-chain.js +0 -13
  193. package/dist/tools/init-chain.js.map +0 -1
  194. package/dist/tools/measure-behavior.d.ts +0 -12
  195. package/dist/tools/measure-behavior.d.ts.map +0 -1
  196. package/dist/tools/measure-behavior.js +0 -29
  197. package/dist/tools/measure-behavior.js.map +0 -1
  198. package/dist/tools/measure-subject.d.ts +0 -15
  199. package/dist/tools/measure-subject.d.ts.map +0 -1
  200. package/dist/tools/measure-subject.js +0 -106
  201. package/dist/tools/measure-subject.js.map +0 -1
  202. package/dist/tools/quarantine-status.d.ts +0 -8
  203. package/dist/tools/quarantine-status.d.ts.map +0 -1
  204. package/dist/tools/quarantine-status.js +0 -16
  205. package/dist/tools/quarantine-status.js.map +0 -1
  206. package/dist/tools/revoke-artifact.d.ts +0 -13
  207. package/dist/tools/revoke-artifact.d.ts.map +0 -1
  208. package/dist/tools/revoke-artifact.js +0 -24
  209. package/dist/tools/revoke-artifact.js.map +0 -1
  210. package/dist/tools/rotate-keys.d.ts +0 -13
  211. package/dist/tools/rotate-keys.d.ts.map +0 -1
  212. package/dist/tools/rotate-keys.js +0 -39
  213. package/dist/tools/rotate-keys.js.map +0 -1
  214. package/dist/tools/server-info.d.ts +0 -8
  215. package/dist/tools/server-info.d.ts.map +0 -1
  216. package/dist/tools/server-info.js +0 -23
  217. package/dist/tools/server-info.js.map +0 -1
  218. package/dist/tools/set-verification-tier.d.ts +0 -11
  219. package/dist/tools/set-verification-tier.d.ts.map +0 -1
  220. package/dist/tools/set-verification-tier.js +0 -31
  221. package/dist/tools/set-verification-tier.js.map +0 -1
  222. package/dist/tools/start-monitoring.d.ts +0 -12
  223. package/dist/tools/start-monitoring.d.ts.map +0 -1
  224. package/dist/tools/start-monitoring.js +0 -17
  225. package/dist/tools/start-monitoring.js.map +0 -1
  226. package/dist/tools/trigger-measurement.d.ts +0 -15
  227. package/dist/tools/trigger-measurement.d.ts.map +0 -1
  228. package/dist/tools/trigger-measurement.js +0 -86
  229. package/dist/tools/trigger-measurement.js.map +0 -1
  230. package/dist/tools/verify-artifact.d.ts +0 -13
  231. package/dist/tools/verify-artifact.d.ts.map +0 -1
  232. package/dist/tools/verify-artifact.js +0 -6
  233. package/dist/tools/verify-artifact.js.map +0 -1
  234. package/dist/tools/verify-bundle.d.ts +0 -13
  235. package/dist/tools/verify-bundle.d.ts.map +0 -1
  236. package/dist/tools/verify-bundle.js +0 -6
  237. package/dist/tools/verify-bundle.js.map +0 -1
  238. package/dist/types.d.ts +0 -261
  239. package/dist/types.d.ts.map +0 -1
  240. package/dist/types.js +0 -8
  241. package/dist/types.js.map +0 -1
@@ -1,16 +1,50 @@
1
1
  /**
2
- * Identity operations: key fingerprinting, validation, rotation.
2
+ * Identity and Key Lifecycle.
3
+ *
4
+ * Non-biometric cryptographic identity: agent identity derived from
5
+ * cryptographic key pair bound to append-only attestation history in
6
+ * continuity chain. Authority from valid signature history, not biometric traits.
7
+ *
8
+ * Functions:
9
+ * - keyFingerprint: re-exported from crypto/sign.ts for convenience
10
+ * - isKeyValid: check key TTL expiry
11
+ * - rotateKeyPair: generate new key pair for rotation
12
+ * - recordKeyRotation: append KEY_ROTATION event to chain
3
13
  */
4
- import { keyFingerprint, isKeyValid, rotateKeyPair } from '../crypto/keys.js';
5
- import { pkToHex } from '../crypto/sign.js';
6
- export { keyFingerprint, isKeyValid };
7
- export function rotateKeys(oldKP) {
8
- const newKP = rotateKeyPair();
9
- return {
10
- newKeyPair: newKP,
11
- newPublicKeyHex: pkToHex(newKP.publicKey),
12
- oldPublicKeyHex: pkToHex(oldKP.publicKey),
13
- rotatedAt: new Date().toISOString(),
14
+ import { generateKeyPair } from '../crypto/sign.js';
15
+ import { isExpired } from '../utils/timestamp.js';
16
+ import { appendEvent } from './chain.js';
17
+ // Re-export keyFingerprint for identity module consumers (NCCoE §2)
18
+ export { keyFingerprint } from '../crypto/sign.js';
19
+ /**
20
+ * Check whether a key is still valid given its issuance time and TTL.
21
+ * NCCoE §2: non-biometric identity validity check.
22
+ */
23
+ export function isKeyValid(issuedAt, ttlSeconds) {
24
+ return !isExpired(issuedAt, ttlSeconds);
25
+ }
26
+ /**
27
+ * Generate a new key pair for rotation, returning both old and new for
28
+ * a transition period defined by policy. NCCoE §3: key rotation.
29
+ */
30
+ export function rotateKeyPair(currentKeyPair) {
31
+ const newKeyPair = generateKeyPair();
32
+ return { oldKeyPair: currentKeyPair, newKeyPair };
33
+ }
34
+ /**
35
+ * Record a key rotation event on the continuity chain.
36
+ * NCCoE §3: "Key rotation is handled by including both old and new public keys
37
+ * during a transition period defined by policy."
38
+ */
39
+ export function recordKeyRotation(prevEvent, keypairType, oldPublicKeyHex, newPublicKeyHex, reason, signingKeyPair) {
40
+ const payload = {
41
+ keypair_type: keypairType,
42
+ old_public_key: oldPublicKeyHex,
43
+ new_public_key: newPublicKeyHex,
44
+ reason,
45
+ rotation_timestamp: new Date().toISOString(),
46
+ chain_sequence: prevEvent.sequence_number + 1,
14
47
  };
48
+ return appendEvent('KEY_ROTATION', payload, prevEvent, signingKeyPair);
15
49
  }
16
50
  //# sourceMappingURL=identity.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/core/identity.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAC9E,OAAO,EAAmB,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAG7D,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC;AAStC,MAAM,UAAU,UAAU,CAAC,KAAc;IACvC,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,OAAO;QACL,UAAU,EAAE,KAAK;QACjB,eAAe,EAAE,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC;QACzC,eAAe,EAAE,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC;QACzC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;AACJ,CAAC"}
1
+ {"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/core/identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,eAAe,EAA2B,MAAM,mBAAmB,CAAC;AAC7E,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAIzC,oEAAoE;AACpE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEnD;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,QAAgB,EAAE,UAAkB;IAC7D,OAAO,CAAC,SAAS,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;AAC1C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,cAAuB;IACnD,MAAM,UAAU,GAAG,eAAe,EAAE,CAAC;IACrC,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC;AACpD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAC/B,SAA0B,EAC1B,WAAmB,EACnB,eAAuB,EACvB,eAAuB,EACvB,MAAc,EACd,cAAuB;IAEvB,MAAM,OAAO,GAAsB;QACjC,YAAY,EAAE,WAAW;QACzB,cAAc,EAAE,eAAe;QAC/B,cAAc,EAAE,eAAe;QAC/B,MAAM;QACN,kBAAkB,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5C,cAAc,EAAE,SAAS,CAAC,eAAe,GAAG,CAAC;KAC9C,CAAC;IACF,OAAO,WAAW,CAAC,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,cAAc,CAAC,CAAC;AACzE,CAAC"}
@@ -8,6 +8,14 @@ export interface MeasurementResult {
8
8
  expectedMetaHash: HashHex;
9
9
  ttl_ok: boolean;
10
10
  revoked: boolean;
11
+ degraded?: boolean;
12
+ }
13
+ /** Degradation event record for the continuity chain. */
14
+ export interface DegradationEvent {
15
+ reason: string;
16
+ timestamp: string;
17
+ artifact_reference: HashHex;
18
+ previous_state: string;
11
19
  }
12
20
  export declare class Portal {
13
21
  state: PortalState;
@@ -15,13 +23,14 @@ export declare class Portal {
15
23
  sequenceCounter: number;
16
24
  lastLeafHash: HashHex | null;
17
25
  revocations: Set<string>;
26
+ degradationLog: DegradationEvent[];
18
27
  loadArtifact(artifact: PolicyArtifact, pinnedPkHex: string): {
19
28
  ok: boolean;
20
29
  error?: string;
21
30
  };
22
31
  measure(subjectBytes: Uint8Array, meta: SubjectMetadata): MeasurementResult;
23
32
  enforce(action: EnforcementAction): void;
24
- revoke(sealedHash: string, transitionTo?: 'TERMINATED' | 'SAFE_STATE'): void;
33
+ revoke(sealedHash: string): void;
25
34
  isRevoked(sealedHash: string): boolean;
26
35
  reset(): void;
27
36
  }
@@ -1 +1 @@
1
- {"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../src/core/portal.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClG,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,gBAAgB,EAAE,OAAO,CAAC;IAC1B,eAAe,EAAE,OAAO,CAAC;IACzB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,MAAM;IACjB,KAAK,EAAE,WAAW,CAAoB;IACtC,QAAQ,EAAE,cAAc,GAAG,IAAI,CAAQ;IACvC,eAAe,SAAK;IACpB,YAAY,EAAE,OAAO,GAAG,IAAI,CAAQ;IACpC,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAa;IAErC,YAAY,CAAC,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,GAAG;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAiB5F,OAAO,CAAC,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,eAAe,GAAG,iBAAiB;IA6B3E,OAAO,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI;IAWxC,MAAM,CAAC,UAAU,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,YAAY,GAAG,YAAY,GAAG,IAAI;IAO5E,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAEtC,KAAK,IAAI,IAAI;CAId"}
1
+ {"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../src/core/portal.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClG,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,gBAAgB,EAAE,OAAO,CAAC;IAC1B,eAAe,EAAE,OAAO,CAAC;IACzB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,yDAAyD;AACzD,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,qBAAa,MAAM;IACjB,KAAK,EAAE,WAAW,CAAoB;IACtC,QAAQ,EAAE,cAAc,GAAG,IAAI,CAAQ;IACvC,eAAe,SAAK;IACpB,YAAY,EAAE,OAAO,GAAG,IAAI,CAAQ;IACpC,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAa;IACrC,cAAc,EAAE,gBAAgB,EAAE,CAAM;IAExC,YAAY,CAAC,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,GAAG;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAiB5F,OAAO,CAAC,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,eAAe,GAAG,iBAAiB;IAuC3E,OAAO,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI;IAUxC,MAAM,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAKhC,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAEtC,KAAK,IAAI,IAAI;CAId"}
@@ -13,6 +13,7 @@ export class Portal {
13
13
  sequenceCounter = 0;
14
14
  lastLeafHash = null;
15
15
  revocations = new Set();
16
+ degradationLog = [];
16
17
  loadArtifact(artifact, pinnedPkHex) {
17
18
  this.state = 'ARTIFACT_VERIFICATION';
18
19
  const { signature, ...unsigned } = artifact;
@@ -37,16 +38,22 @@ export class Portal {
37
38
  throw new Error('No artifact loaded');
38
39
  if (this.state === 'TERMINATED')
39
40
  throw new Error('Portal is terminated');
40
- if (this.state === 'SAFE_STATE')
41
- throw new Error('Portal is in safe state - artifact revoked');
41
+ // SAFE_STATE allows continued measurement for logging
42
42
  const empty = { currentBytesHash: '', currentMetaHash: '',
43
43
  expectedBytesHash: this.artifact.subject_identifier.bytes_hash,
44
44
  expectedMetaHash: this.artifact.subject_identifier.metadata_hash };
45
- // Fail-closed: TTL check
45
+ // Graceful degradation: TTL expiry -> SAFE_STATE + DEGRADATION event + continued logging
46
46
  const ttl_ok = !isExpired(this.artifact.issued_timestamp, this.artifact.enforcement_parameters.ttl_seconds);
47
47
  if (!ttl_ok) {
48
- this.state = 'TERMINATED';
49
- return { match: false, ttl_ok: false, revoked: false, ...empty };
48
+ const prevState = this.state;
49
+ this.state = 'SAFE_STATE';
50
+ this.degradationLog.push({
51
+ reason: 'TTL_EXPIRED',
52
+ timestamp: utcNow(),
53
+ artifact_reference: this.artifact.sealed_hash,
54
+ previous_state: prevState,
55
+ });
56
+ return { match: false, ttl_ok: false, revoked: false, degraded: true, ...empty };
50
57
  }
51
58
  // Fail-closed: revocation check
52
59
  if (this.revocations.has(this.artifact.sealed_hash)) {
@@ -69,10 +76,8 @@ export class Portal {
69
76
  throw new Error(`Cannot enforce in state ${this.state}`);
70
77
  switch (action) {
71
78
  case 'TERMINATE':
72
- this.state = 'TERMINATED';
73
- break;
74
79
  case 'SAFE_STATE':
75
- this.state = 'SAFE_STATE';
80
+ this.state = 'TERMINATED';
76
81
  break;
77
82
  case 'QUARANTINE':
78
83
  this.state = 'PHANTOM_QUARANTINE';
@@ -83,11 +88,10 @@ export class Portal {
83
88
  default: break;
84
89
  }
85
90
  }
86
- revoke(sealedHash, transitionTo) {
91
+ revoke(sealedHash) {
87
92
  this.revocations.add(sealedHash);
88
- if (this.artifact?.sealed_hash === sealedHash) {
89
- this.state = transitionTo === 'SAFE_STATE' ? 'SAFE_STATE' : 'TERMINATED';
90
- }
93
+ if (this.artifact?.sealed_hash === sealedHash)
94
+ this.state = 'TERMINATED';
91
95
  }
92
96
  isRevoked(sealedHash) { return this.revocations.has(sealedHash); }
93
97
  reset() {
@@ -1 +1 @@
1
- {"version":3,"file":"portal.js","sourceRoot":"","sources":["../../src/core/portal.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAc1E,MAAM,OAAO,MAAM;IACjB,KAAK,GAAgB,gBAAgB,CAAC;IACtC,QAAQ,GAA0B,IAAI,CAAC;IACvC,eAAe,GAAG,CAAC,CAAC;IACpB,YAAY,GAAmB,IAAI,CAAC;IACpC,WAAW,GAAgB,IAAI,GAAG,EAAE,CAAC;IAErC,YAAY,CAAC,QAAwB,EAAE,WAAmB;QACxD,IAAI,CAAC,KAAK,GAAG,uBAAuB,CAAC;QACrC,MAAM,EAAE,SAAS,EAAE,GAAG,QAAQ,EAAE,GAAG,QAAQ,CAAC;QAC5C,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,YAAY,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;YAClF,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC;QAC1F,CAAC;QACD,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,EAAE,QAAQ,CAAC,mBAAmB,EAAE,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC3F,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC;QAC9F,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC/C,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC;QACtF,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,KAAK,GAAG,mBAAmB,CAAC;QACjC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAED,OAAO,CAAC,YAAwB,EAAE,IAAqB;QACrD,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;QAC1D,IAAI,IAAI,CAAC,KAAK,KAAK,YAAY;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACzE,IAAI,IAAI,CAAC,KAAK,KAAK,YAAY;YAAE,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAC/F,MAAM,KAAK,GAAG,EAAE,gBAAgB,EAAE,EAAE,EAAE,eAAe,EAAE,EAAE;YACvD,iBAAiB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,UAAU;YAC9D,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,aAAa,EAAE,CAAC;QAErE,yBAAyB;QACzB,MAAM,MAAM,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,WAAW,CAAC,CAAC;QAC5G,IAAI,CAAC,MAAM,EAAE,CAAC;YAAC,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,KAAK,EAAE,CAAC;QAAC,CAAC;QAE7G,gCAAgC;QAChC,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,KAAK,EAAE,CAAC;QAC5F,CAAC;QAED,MAAM,gBAAgB,GAAG,WAAW,CAAC,YAAY,CAAC,CAAC;QACnD,MAAM,eAAe,GAAG,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QACtD,MAAM,KAAK,GAAG,gBAAgB,KAAK,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,UAAU;YAChE,eAAe,KAAK,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,aAAa,CAAC;QAEjF,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,KAAK,mBAAmB;YAAE,IAAI,CAAC,KAAK,GAAG,gBAAgB,CAAC;QAChF,OAAO,EAAE,KAAK,EAAE,gBAAgB,EAAE,eAAe;YAC/C,iBAAiB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,UAAU;YAC9D,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,aAAa;YAChE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IACnC,CAAC;IAED,OAAO,CAAC,MAAyB;QAC/B,IAAI,IAAI,CAAC,KAAK,KAAK,gBAAgB;YAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QAC9F,QAAQ,MAAM,EAAE,CAAC;YACf,KAAK,WAAW;gBAAE,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;gBAAC,MAAM;YACnD,KAAK,YAAY;gBAAE,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;gBAAC,MAAM;YACpD,KAAK,YAAY;gBAAE,IAAI,CAAC,KAAK,GAAG,oBAAoB,CAAC;gBAAC,MAAM;YAC5D,KAAK,YAAY;gBAAE,IAAI,CAAC,KAAK,GAAG,mBAAmB,CAAC;gBAAC,MAAM;YAC3D,OAAO,CAAC,CAAC,MAAM;QACjB,CAAC;IACH,CAAC;IAED,MAAM,CAAC,UAAkB,EAAE,YAA0C;QACnE,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACjC,IAAI,IAAI,CAAC,QAAQ,EAAE,WAAW,KAAK,UAAU,EAAE,CAAC;YAC9C,IAAI,CAAC,KAAK,GAAG,YAAY,KAAK,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC;QAC3E,CAAC;IACH,CAAC;IAED,SAAS,CAAC,UAAkB,IAAa,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAEnF,KAAK;QACH,IAAI,CAAC,KAAK,GAAG,gBAAgB,CAAC;QAAC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QACpD,IAAI,CAAC,eAAe,GAAG,CAAC,CAAC;QAAC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;IACrD,CAAC;CACF"}
1
+ {"version":3,"file":"portal.js","sourceRoot":"","sources":["../../src/core/portal.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAuB1E,MAAM,OAAO,MAAM;IACjB,KAAK,GAAgB,gBAAgB,CAAC;IACtC,QAAQ,GAA0B,IAAI,CAAC;IACvC,eAAe,GAAG,CAAC,CAAC;IACpB,YAAY,GAAmB,IAAI,CAAC;IACpC,WAAW,GAAgB,IAAI,GAAG,EAAE,CAAC;IACrC,cAAc,GAAuB,EAAE,CAAC;IAExC,YAAY,CAAC,QAAwB,EAAE,WAAmB;QACxD,IAAI,CAAC,KAAK,GAAG,uBAAuB,CAAC;QACrC,MAAM,EAAE,SAAS,EAAE,GAAG,QAAQ,EAAE,GAAG,QAAQ,CAAC;QAC5C,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,YAAY,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;YAClF,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC;QAC1F,CAAC;QACD,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,EAAE,QAAQ,CAAC,mBAAmB,EAAE,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC3F,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC;QAC9F,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC/C,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC;QACtF,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,KAAK,GAAG,mBAAmB,CAAC;QACjC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAED,OAAO,CAAC,YAAwB,EAAE,IAAqB;QACrD,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;QAC1D,IAAI,IAAI,CAAC,KAAK,KAAK,YAAY;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACzE,sDAAsD;QACtD,MAAM,KAAK,GAAG,EAAE,gBAAgB,EAAE,EAAE,EAAE,eAAe,EAAE,EAAE;YACvD,iBAAiB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,UAAU;YAC9D,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,aAAa,EAAE,CAAC;QAErE,yFAAyF;QACzF,MAAM,MAAM,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,WAAW,CAAC,CAAC;QAC5G,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC;YAC7B,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAC1B,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC;gBACvB,MAAM,EAAE,aAAa;gBACrB,SAAS,EAAE,MAAM,EAAE;gBACnB,kBAAkB,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW;gBAC7C,cAAc,EAAE,SAAS;aAC1B,CAAC,CAAC;YACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,KAAK,EAAE,CAAC;QACnF,CAAC;QAED,gCAAgC;QAChC,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;YAAC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,KAAK,EAAE,CAAC;QAC5F,CAAC;QAED,MAAM,gBAAgB,GAAG,WAAW,CAAC,YAAY,CAAC,CAAC;QACnD,MAAM,eAAe,GAAG,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QACtD,MAAM,KAAK,GAAG,gBAAgB,KAAK,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,UAAU;YAChE,eAAe,KAAK,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,aAAa,CAAC;QAEjF,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,KAAK,mBAAmB;YAAE,IAAI,CAAC,KAAK,GAAG,gBAAgB,CAAC;QAChF,OAAO,EAAE,KAAK,EAAE,gBAAgB,EAAE,eAAe;YAC/C,iBAAiB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,UAAU;YAC9D,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,aAAa;YAChE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IACnC,CAAC;IAED,OAAO,CAAC,MAAyB;QAC/B,IAAI,IAAI,CAAC,KAAK,KAAK,gBAAgB;YAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QAC9F,QAAQ,MAAM,EAAE,CAAC;YACf,KAAK,WAAW,CAAC;YAAC,KAAK,YAAY;gBAAE,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;gBAAC,MAAM;YACtE,KAAK,YAAY;gBAAE,IAAI,CAAC,KAAK,GAAG,oBAAoB,CAAC;gBAAC,MAAM;YAC5D,KAAK,YAAY;gBAAE,IAAI,CAAC,KAAK,GAAG,mBAAmB,CAAC;gBAAC,MAAM;YAC3D,OAAO,CAAC,CAAC,MAAM;QACjB,CAAC;IACH,CAAC;IAED,MAAM,CAAC,UAAkB;QACvB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACjC,IAAI,IAAI,CAAC,QAAQ,EAAE,WAAW,KAAK,UAAU;YAAE,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;IAC3E,CAAC;IAED,SAAS,CAAC,UAAkB,IAAa,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAEnF,KAAK;QACH,IAAI,CAAC,KAAK,GAAG,gBAAgB,CAAC;QAAC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QACpD,IAAI,CAAC,eAAe,GAAG,CAAC,CAAC;QAAC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;IACrD,CAAC;CACF"}
@@ -1,6 +1,6 @@
1
1
  /**
2
2
  * V3: Aligned with NIST-2025-0035 and NCCoE AI Agent Identity filings.
3
- */
3
+ */
4
4
  import type { HashHex, SignatureBase64, SaltHex, MerkleInclusionProof } from '../crypto/types.js';
5
5
  export interface SubjectIdentifier {
6
6
  bytes_hash: HashHex;
@@ -22,6 +22,13 @@ export interface EnforcementParams {
22
22
  enforcement_triggers: EnforcementAction[];
23
23
  re_attestation_required: boolean;
24
24
  measurement_types: MeasurementType[];
25
+ behavioral_baseline?: BehavioralBaselineRef;
26
+ }
27
+ /** Inline behavioral baseline reference for EnforcementParams (NCCoE §6, CAISI §1a) */
28
+ export interface BehavioralBaselineRef {
29
+ permitted_tools: string[];
30
+ forbidden_sequences: string[][];
31
+ rate_limits: Record<string, number>;
25
32
  }
26
33
  export type Sensitivity = 'S1_LOW' | 'S2_MODERATE' | 'S3_HIGH' | 'S4_CRITICAL';
27
34
  export type DisclosureMode = 'PROOF_ONLY' | 'REVEAL_MIN' | 'REVEAL_FULL';
@@ -78,7 +85,7 @@ export interface SignedReceipt {
78
85
  previous_leaf_hash: HashHex | null;
79
86
  portal_signature: SignatureBase64;
80
87
  }
81
- export type EventType = 'GENESIS' | 'POLICY_ISSUANCE' | 'INTERACTION_RECEIPT' | 'REVOCATION' | 'ATTESTATION' | 'ANCHOR_BATCH' | 'DISCLOSURE' | 'SUBSTITUTION' | 'KEY_ROTATION' | 'BEHAVIORAL_DRIFT' | 'DELEGATION' | 'RE_ATTESTATION';
88
+ export type EventType = 'GENESIS' | 'POLICY_ISSUANCE' | 'INTERACTION_RECEIPT' | 'REVOCATION' | 'ATTESTATION' | 'ANCHOR_BATCH' | 'DISCLOSURE' | 'SUBSTITUTION' | 'KEY_ROTATION' | 'BEHAVIORAL_DRIFT' | 'DELEGATION' | 'DEGRADATION' | 'RE_ATTESTATION';
82
89
  export interface GenesisPayload {
83
90
  protocol_version: string;
84
91
  taxonomy_version: string;
@@ -127,6 +134,7 @@ export interface EvidenceBundle {
127
134
  checkpoint_reference: CheckpointReference;
128
135
  public_key: string;
129
136
  bundle_signature: SignatureBase64;
137
+ verification_tier?: VerificationTier;
130
138
  }
131
139
  export interface DisclosureRequest {
132
140
  requested_claim_id: string;
@@ -162,5 +170,24 @@ export interface QuarantineState {
162
170
  type: string;
163
171
  data: unknown;
164
172
  }>;
173
+ forensic_receipts?: string[];
174
+ }
175
+ export interface DelegationRecord {
176
+ sub_agent_id: string;
177
+ parent_artifact_reference: HashHex;
178
+ child_artifact: PolicyArtifact;
179
+ permitted_tools: string[];
180
+ ttl_seconds: number;
181
+ delegation_timestamp: string;
182
+ chain_sequence: number;
183
+ }
184
+ export interface KeyRotationRecord {
185
+ keypair_type: string;
186
+ old_public_key: string;
187
+ new_public_key: string;
188
+ reason: string;
189
+ rotation_timestamp: string;
190
+ chain_sequence: number;
165
191
  }
192
+ export type SensitivityLevel = 'S1' | 'S2' | 'S3' | 'S4';
166
193
  //# sourceMappingURL=types.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAIlG,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,OAAO,CAAC;IACpB,aAAa,EAAE,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAID,MAAM,MAAM,iBAAiB,GACzB,WAAW,GACX,YAAY,GACZ,iBAAiB,GACjB,YAAY,GACZ,YAAY,GACZ,kBAAkB,GAClB,qBAAqB,GACrB,YAAY,CAAC;AAEjB,MAAM,MAAM,eAAe,GACvB,kBAAkB,GAAG,gBAAgB,GAAG,iBAAiB,GACzD,iBAAiB,GAAI,MAAM,GAAa,WAAW,GACnD,gBAAgB,GAAK,cAAc,GAAK,mBAAmB,GAC3D,gBAAgB,CAAC;AAErB,MAAM,WAAW,iBAAiB;IAChC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,oBAAoB,EAAE,iBAAiB,EAAE,CAAC;IAC1C,uBAAuB,EAAE,OAAO,CAAC;IACjC,iBAAiB,EAAE,eAAe,EAAE,CAAC;CACtC;AAID,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,aAAa,GAAG,SAAS,GAAG,aAAa,CAAC;AAC/E,MAAM,MAAM,cAAc,GAAG,YAAY,GAAG,YAAY,GAAG,aAAa,CAAC;AAEzE,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,WAAW,CAAC;IACzB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,eAAe,EAAE,cAAc,EAAE,CAAC;CACnC;AAED,MAAM,WAAW,gBAAgB;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,MAAM,WAAW,gBAAgB;IAC/B,eAAe,EAAE,WAAW,EAAE,CAAC;IAC/B,kBAAkB,EAAE,gBAAgB,EAAE,CAAC;CACxC;AAID,MAAM,WAAW,wBAAwB;IACvC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAID,MAAM,WAAW,cAAc;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,iBAAiB,CAAC;IACtC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,sBAAsB,EAAE,iBAAiB,CAAC;IAC1C,iBAAiB,EAAE,gBAAgB,CAAC;IACpC,oBAAoB,EAAE,wBAAwB,EAAE,CAAC;IACjD,SAAS,EAAE,eAAe,CAAC;CAC5B;AAMD,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,iBAAiB,CAAC;IACtC,kBAAkB,EAAE,OAAO,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,kBAAkB,EAAE,iBAAiB,GAAG,IAAI,CAAC;IAC7C,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;IACnC,gBAAgB,EAAE,eAAe,CAAC;CACnC;AAID,MAAM,MAAM,SAAS,GACjB,SAAS,GACT,iBAAiB,GACjB,qBAAqB,GACrB,YAAY,GACZ,aAAa,GACb,cAAc,GACd,YAAY,GACZ,cAAc,GACd,cAAc,GACd,kBAAkB,GAClB,YAAY,GACZ,gBAAgB,CAAC;AAErB,MAAM,WAAW,cAAc;IAC7B,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,MAAM,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,SAAS,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;IACnC,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,EAAE,eAAe,CAAC;CAClC;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,SAAS,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;CACpC;AAID,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,OAAO,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,oBAAoB,EAAE,mBAAmB,CAAC;IAC1C,UAAU,EAAE,MAAM,CAAC;CACpB;AAID,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,aAAa,EAAE,CAAC;IAC1B,aAAa,EAAE,oBAAoB,EAAE,CAAC;IACtC,oBAAoB,EAAE,mBAAmB,CAAC;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,eAAe,CAAC;CACnC;AAID,MAAM,WAAW,iBAAiB;IAChC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,SAAS,EAAE,eAAe,CAAC;CAC5B;AAID,MAAM,MAAM,WAAW,GACnB,gBAAgB,GAChB,uBAAuB,GACvB,mBAAmB,GACnB,gBAAgB,GAChB,oBAAoB,GACpB,YAAY,GACZ,YAAY,CAAC;AAEjB,MAAM,MAAM,gBAAgB,GAAG,QAAQ,GAAG,QAAQ,GAAG,MAAM,CAAC;AAM5D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,OAAO,CAAC;IAChB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,OAAO,CAAC;IACzB,eAAe,EAAE,KAAK,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;CAC5E"}
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAAA;;EAEE;AACF,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAIlG,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,OAAO,CAAC;IACpB,aAAa,EAAE,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAID,MAAM,MAAM,iBAAiB,GACzB,WAAW,GACX,YAAY,GACZ,iBAAiB,GACjB,YAAY,GACZ,YAAY,GACZ,kBAAkB,GAClB,qBAAqB,GACrB,YAAY,CAAC;AAEjB,MAAM,MAAM,eAAe,GACvB,kBAAkB,GAAG,gBAAgB,GAAG,iBAAiB,GACzD,iBAAiB,GAAI,MAAM,GAAa,WAAW,GACnD,gBAAgB,GAAK,cAAc,GAAK,mBAAmB,GAC3D,gBAAgB,CAAC;AAErB,MAAM,WAAW,iBAAiB;IAChC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,oBAAoB,EAAE,iBAAiB,EAAE,CAAC;IAC1C,uBAAuB,EAAE,OAAO,CAAC;IACjC,iBAAiB,EAAE,eAAe,EAAE,CAAC;IACrC,mBAAmB,CAAC,EAAE,qBAAqB,CAAC;CAC7C;AAED,uFAAuF;AACvF,MAAM,WAAW,qBAAqB;IACpC,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,mBAAmB,EAAE,MAAM,EAAE,EAAE,CAAC;IAChC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACrC;AAID,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,aAAa,GAAG,SAAS,GAAG,aAAa,CAAC;AAC/E,MAAM,MAAM,cAAc,GAAG,YAAY,GAAG,YAAY,GAAG,aAAa,CAAC;AAEzE,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,WAAW,CAAC;IACzB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,eAAe,EAAE,cAAc,EAAE,CAAC;CACnC;AAED,MAAM,WAAW,gBAAgB;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,MAAM,WAAW,gBAAgB;IAC/B,eAAe,EAAE,WAAW,EAAE,CAAC;IAC/B,kBAAkB,EAAE,gBAAgB,EAAE,CAAC;CACxC;AAID,MAAM,WAAW,wBAAwB;IACvC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAID,MAAM,WAAW,cAAc;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,iBAAiB,CAAC;IACtC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,sBAAsB,EAAE,iBAAiB,CAAC;IAC1C,iBAAiB,EAAE,gBAAgB,CAAC;IACpC,oBAAoB,EAAE,wBAAwB,EAAE,CAAC;IACjD,SAAS,EAAE,eAAe,CAAC;CAC5B;AAMD,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,iBAAiB,CAAC;IACtC,kBAAkB,EAAE,OAAO,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,kBAAkB,EAAE,iBAAiB,GAAG,IAAI,CAAC;IAC7C,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;IACnC,gBAAgB,EAAE,eAAe,CAAC;CACnC;AAID,MAAM,MAAM,SAAS,GACjB,SAAS,GACT,iBAAiB,GACjB,qBAAqB,GACrB,YAAY,GACZ,aAAa,GACb,cAAc,GACd,YAAY,GACZ,cAAc,GACd,cAAc,GACd,kBAAkB,GAClB,YAAY,GACZ,aAAa,GACb,gBAAgB,CAAC;AAErB,MAAM,WAAW,cAAc;IAC7B,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,MAAM,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,SAAS,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;IACnC,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,EAAE,eAAe,CAAC;CAClC;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,SAAS,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;CACpC;AAID,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,OAAO,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,oBAAoB,EAAE,mBAAmB,CAAC;IAC1C,UAAU,EAAE,MAAM,CAAC;CACpB;AAID,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,aAAa,EAAE,CAAC;IAC1B,aAAa,EAAE,oBAAoB,EAAE,CAAC;IACtC,oBAAoB,EAAE,mBAAmB,CAAC;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,eAAe,CAAC;IAClC,iBAAiB,CAAC,EAAE,gBAAgB,CAAC;CACtC;AAID,MAAM,WAAW,iBAAiB;IAChC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,SAAS,EAAE,eAAe,CAAC;CAC5B;AAID,MAAM,MAAM,WAAW,GACnB,gBAAgB,GAChB,uBAAuB,GACvB,mBAAmB,GACnB,gBAAgB,GAChB,oBAAoB,GACpB,YAAY,GACZ,YAAY,CAAC;AAEjB,MAAM,MAAM,gBAAgB,GAAG,QAAQ,GAAG,QAAQ,GAAG,MAAM,CAAC;AAM5D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,OAAO,CAAC;IAChB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,OAAO,CAAC;IACzB,eAAe,EAAE,KAAK,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAC3E,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC9B;AAID,MAAM,WAAW,gBAAgB;IAC/B,YAAY,EAAE,MAAM,CAAC;IACrB,yBAAyB,EAAE,OAAO,CAAC;IACnC,cAAc,EAAE,cAAc,CAAC;IAC/B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,cAAc,EAAE,MAAM,CAAC;CACxB;AAID,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,kBAAkB,EAAE,MAAM,CAAC;IAC3B,cAAc,EAAE,MAAM,CAAC;CACxB;AAID,MAAM,MAAM,gBAAgB,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC"}
@@ -1,7 +1,6 @@
1
- export { sha256Bytes, sha256Str, blake2b256, sha256Cat, sha256HexCat } from './hash.js';
2
- export { generateKeyPair, sign, signStr, verify, verifyStr, sigToB64, b64ToSig, pkToHex, hexToPk } from './sign.js';
3
- export { generateSalt, saltedCommitment, verifySaltedCommitment } from './salt.js';
4
- export { buildMerkleTree, inclusionProof, verifyProof } from './merkle.js';
5
- export { canonicalize, deepSortKeys } from './canonicalize.js';
6
- export { keyFingerprint, isKeyValid, rotateKeyPair } from './keys.js';
1
+ export * from './types.js';
2
+ export * from './hash.js';
3
+ export * from './sign.js';
4
+ export * from './salt.js';
5
+ export * from './merkle.js';
7
6
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/crypto/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACxF,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpH,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,MAAM,WAAW,CAAC;AACnF,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/crypto/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC"}
@@ -1,7 +1,6 @@
1
- export { sha256Bytes, sha256Str, blake2b256, sha256Cat, sha256HexCat } from './hash.js';
2
- export { generateKeyPair, sign, signStr, verify, verifyStr, sigToB64, b64ToSig, pkToHex, hexToPk } from './sign.js';
3
- export { generateSalt, saltedCommitment, verifySaltedCommitment } from './salt.js';
4
- export { buildMerkleTree, inclusionProof, verifyProof } from './merkle.js';
5
- export { canonicalize, deepSortKeys } from './canonicalize.js';
6
- export { keyFingerprint, isKeyValid, rotateKeyPair } from './keys.js';
1
+ export * from './types.js';
2
+ export * from './hash.js';
3
+ export * from './sign.js';
4
+ export * from './salt.js';
5
+ export * from './merkle.js';
7
6
  //# sourceMappingURL=index.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/crypto/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACxF,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpH,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,MAAM,WAAW,CAAC;AACnF,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/crypto/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC"}
@@ -8,4 +8,6 @@ export declare const sigToB64: (s: Signature) => SignatureBase64;
8
8
  export declare const b64ToSig: (b: SignatureBase64) => Signature;
9
9
  export declare const pkToHex: (pk: Uint8Array) => string;
10
10
  export declare const hexToPk: (h: string) => Uint8Array;
11
+ /** Key fingerprint: SHA-256 prefix of public key hex, 16-char hex identifier. */
12
+ export declare function keyFingerprint(publicKeyHex: string): string;
11
13
  //# sourceMappingURL=sign.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../../src/crypto/sign.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAatE,wBAAgB,eAAe,IAAI,OAAO,CAGzC;AAED,wBAAgB,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,GAAG,SAAS,CAA6B;AAC7F,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,GAAG,SAAS,CAAsC;AAErG,wBAAgB,MAAM,CAAC,GAAG,EAAE,SAAS,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,GAAG,OAAO,CAE/E;AACD,wBAAgB,SAAS,CAAC,GAAG,EAAE,SAAS,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,GAAG,OAAO,CAE9E;AAED,eAAO,MAAM,QAAQ,GAAI,GAAG,SAAS,KAAG,eAAoD,CAAC;AAC7F,eAAO,MAAM,QAAQ,GAAI,GAAG,eAAe,KAAG,SAAqD,CAAC;AACpG,eAAO,MAAM,OAAO,GAAI,IAAI,UAAU,KAAG,MAAwB,CAAC;AAClE,eAAO,MAAM,OAAO,GAAI,GAAG,MAAM,KAAG,UAA2B,CAAC"}
1
+ {"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../../src/crypto/sign.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAatE,wBAAgB,eAAe,IAAI,OAAO,CAGzC;AAED,wBAAgB,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,GAAG,SAAS,CAA6B;AAC7F,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,GAAG,SAAS,CAAsC;AAErG,wBAAgB,MAAM,CAAC,GAAG,EAAE,SAAS,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,GAAG,OAAO,CAE/E;AACD,wBAAgB,SAAS,CAAC,GAAG,EAAE,SAAS,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,GAAG,OAAO,CAE9E;AAED,eAAO,MAAM,QAAQ,GAAI,GAAG,SAAS,KAAG,eAAoD,CAAC;AAC7F,eAAO,MAAM,QAAQ,GAAI,GAAG,eAAe,KAAG,SAAqD,CAAC;AACpG,eAAO,MAAM,OAAO,GAAI,IAAI,UAAU,KAAG,MAAwB,CAAC;AAClE,eAAO,MAAM,OAAO,GAAI,GAAG,MAAM,KAAG,UAA2B,CAAC;AAEhE,iFAAiF;AACjF,wBAAgB,cAAc,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAG3D"}
@@ -1,4 +1,5 @@
1
1
  import * as ed from '@noble/ed25519';
2
+ import { sha256 } from '@noble/hashes/sha256';
2
3
  import { sha512 } from '@noble/hashes/sha512';
3
4
  import { bytesToHex, hexToBytes } from '@noble/hashes/utils';
4
5
  // Set sha512 sync ONCE at module load
@@ -34,4 +35,9 @@ export const sigToB64 = (s) => Buffer.from(s).toString('base64');
34
35
  export const b64ToSig = (b) => new Uint8Array(Buffer.from(b, 'base64'));
35
36
  export const pkToHex = (pk) => bytesToHex(pk);
36
37
  export const hexToPk = (h) => hexToBytes(h);
38
+ /** Key fingerprint: SHA-256 prefix of public key hex, 16-char hex identifier. */
39
+ export function keyFingerprint(publicKeyHex) {
40
+ const hash = bytesToHex(sha256(new TextEncoder().encode(publicKeyHex)));
41
+ return hash.slice(0, 16);
42
+ }
37
43
  //# sourceMappingURL=sign.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"sign.js","sourceRoot":"","sources":["../../src/crypto/sign.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAG7D,sCAAsC;AACtC,EAAE,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAAe,EAAE,EAAE;IACzC,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAClD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAAC,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC;IAAC,CAAC;IACxD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC,CAAC;AAEF,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;AAE9B,MAAM,UAAU,eAAe;IAC7B,MAAM,SAAS,GAAG,EAAE,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;IAC9C,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,CAAC;AAC9D,CAAC;AAED,MAAM,UAAU,IAAI,CAAC,GAAe,EAAE,EAAc,IAAe,OAAO,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;AAC7F,MAAM,UAAU,OAAO,CAAC,GAAW,EAAE,EAAc,IAAe,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;AAErG,MAAM,UAAU,MAAM,CAAC,GAAc,EAAE,GAAe,EAAE,EAAc;IACpE,IAAI,CAAC;QAAC,OAAO,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,KAAK,CAAC;IAAC,CAAC;AACjE,CAAC;AACD,MAAM,UAAU,SAAS,CAAC,GAAc,EAAE,GAAW,EAAE,EAAc;IACnE,OAAO,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,CAAC,MAAM,QAAQ,GAAG,CAAC,CAAY,EAAmB,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC7F,MAAM,CAAC,MAAM,QAAQ,GAAG,CAAC,CAAkB,EAAa,EAAE,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;AACpG,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,EAAc,EAAU,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;AAClE,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,CAAS,EAAc,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC"}
1
+ {"version":3,"file":"sign.js","sourceRoot":"","sources":["../../src/crypto/sign.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAG7D,sCAAsC;AACtC,EAAE,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAAe,EAAE,EAAE;IACzC,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAClD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAAC,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC;IAAC,CAAC;IACxD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC,CAAC;AAEF,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;AAE9B,MAAM,UAAU,eAAe;IAC7B,MAAM,SAAS,GAAG,EAAE,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;IAC9C,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,CAAC;AAC9D,CAAC;AAED,MAAM,UAAU,IAAI,CAAC,GAAe,EAAE,EAAc,IAAe,OAAO,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;AAC7F,MAAM,UAAU,OAAO,CAAC,GAAW,EAAE,EAAc,IAAe,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;AAErG,MAAM,UAAU,MAAM,CAAC,GAAc,EAAE,GAAe,EAAE,EAAc;IACpE,IAAI,CAAC;QAAC,OAAO,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,KAAK,CAAC;IAAC,CAAC;AACjE,CAAC;AACD,MAAM,UAAU,SAAS,CAAC,GAAc,EAAE,GAAW,EAAE,EAAc;IACnE,OAAO,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,CAAC,MAAM,QAAQ,GAAG,CAAC,CAAY,EAAmB,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC7F,MAAM,CAAC,MAAM,QAAQ,GAAG,CAAC,CAAkB,EAAa,EAAE,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;AACpG,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,EAAc,EAAU,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;AAClE,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,CAAS,EAAc,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;AAEhE,iFAAiF;AACjF,MAAM,UAAU,cAAc,CAAC,YAAoB;IACjD,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACxE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC3B,CAAC"}
package/dist/index.js CHANGED
@@ -5,7 +5,7 @@ async function main() {
5
5
  const server = await createAGAServer();
6
6
  const transport = new StdioServerTransport();
7
7
  await server.connect(transport);
8
- console.error('AGA MCP Server v2.0.0 running on stdio');
8
+ console.error('AGA MCP Server running on stdio');
9
9
  }
10
10
  main().catch(e => { console.error('Fatal:', e); process.exit(1); });
11
11
  //# sourceMappingURL=index.js.map
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,KAAK,UAAU,IAAI;IACjB,MAAM,MAAM,GAAG,MAAM,eAAe,EAAE,CAAC;IACvC,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;AAC1D,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,KAAK,UAAU,IAAI;IACjB,MAAM,MAAM,GAAG,MAAM,eAAe,EAAE,CAAC;IACvC,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;AACnD,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC"}
@@ -1,9 +1,15 @@
1
1
  /**
2
- * Governance Middleware: wraps every MCP tool handler.
2
+ * Governance Middleware - wraps every MCP tool handler.
3
3
  *
4
4
  * NCCoE filing Section 4: "The portal operates as a Policy Enforcement Point (PEP)...
5
5
  * Every tool invocation, API call, actuator command, and data access passes through
6
6
  * the portal, which evaluates it against the sealed artifact's enforcement parameters."
7
+ *
8
+ * Behavior:
9
+ * - TERMINATED state → reject all governed tools
10
+ * - PHANTOM_QUARANTINE → capture tool call as forensic input, reject
11
+ * - ACTIVE_MONITORING → allow, log to chain
12
+ * - Ungoverned tools (get_server_info, get_portal_state, list_claims) → always allow
7
13
  */
8
14
  import type { Portal } from '../core/portal.js';
9
15
  import type { QuarantineState } from '../core/types.js';
@@ -1 +1 @@
1
- {"version":3,"file":"governance.d.ts","sourceRoot":"","sources":["../../src/middleware/governance.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAExD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAI/D,MAAM,MAAM,UAAU,GAAG;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAAE,CAAC;AAC5E,MAAM,MAAM,WAAW,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;AAYpE,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE;IAAE,OAAO,EAAE,eAAe,GAAG,IAAI,CAAA;CAAE,EAC/C,QAAQ,EAAE,MAAM,EAChB,iBAAiB,CAAC,EAAE,iBAAiB,IAIT,CAAC,EAAE,SAAS,WAAW,CAAC,CAAC,CAAC,KAAG,WAAW,CAAC,CAAC,CAAC,CA8CxE"}
1
+ {"version":3,"file":"governance.d.ts","sourceRoot":"","sources":["../../src/middleware/governance.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAExD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAI/D,MAAM,MAAM,UAAU,GAAG;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAAE,CAAC;AAC5E,MAAM,MAAM,WAAW,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;AAapE,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE;IAAE,OAAO,EAAE,eAAe,GAAG,IAAI,CAAA;CAAE,EAC/C,QAAQ,EAAE,MAAM,EAChB,iBAAiB,CAAC,EAAE,iBAAiB,IAIT,CAAC,EAAE,SAAS,WAAW,CAAC,CAAC,CAAC,KAAG,WAAW,CAAC,CAAC,CAAC,CAoDxE"}
@@ -2,13 +2,14 @@ import { captureInput } from '../core/quarantine.js';
2
2
  import { sha256Str } from '../crypto/hash.js';
3
3
  import { canonicalize } from '../utils/canonical.js';
4
4
  const UNGOVERNED_TOOLS = new Set([
5
- // V1 names (backward compat)
6
- 'get_server_info', 'get_portal_state', 'get_receipts', 'get_chain_events',
7
- 'list_claims', 'init_chain', 'attest_subject', 'verify_chain',
8
- // V2 names
9
- 'aga_server_info', 'aga_get_portal_state', 'aga_init_chain', 'aga_create_artifact',
10
- 'aga_verify_artifact', 'aga_verify_bundle', 'aga_get_chain', 'aga_quarantine_status',
11
- 'aga_set_verification_tier', 'aga_demonstrate_lifecycle', 'aga_measure_behavior',
5
+ 'get_server_info',
6
+ 'get_portal_state',
7
+ 'get_receipts',
8
+ 'get_chain_events',
9
+ 'list_claims',
10
+ 'init_chain', // must work before attestation
11
+ 'attest_subject', // creates the governance relationship
12
+ 'verify_chain', // read-only verification
12
13
  ]);
13
14
  export function createGovernanceWrapper(portal, quarantine, toolName, behavioralMonitor) {
14
15
  const isGoverned = !UNGOVERNED_TOOLS.has(toolName);
@@ -19,17 +20,21 @@ export function createGovernanceWrapper(portal, quarantine, toolName, behavioral
19
20
  const j = (x) => ({
20
21
  content: [{ type: 'text', text: JSON.stringify(x, null, 2) }]
21
22
  });
22
- if (portal.state === 'TERMINATED' || portal.state === 'SAFE_STATE') {
23
+ // TERMINATED reject everything
24
+ if (portal.state === 'TERMINATED') {
23
25
  return j({
24
26
  success: false,
25
- error: `GOVERNANCE_BLOCKED: Portal is ${portal.state.toLowerCase()}. Agent governance has been revoked. Re-attestation required.`,
27
+ error: 'GOVERNANCE_BLOCKED: Portal is terminated. Agent governance has been revoked. Re-attestation required.',
26
28
  portal_state: portal.state,
27
29
  tool: toolName,
28
30
  });
29
31
  }
32
+ // PHANTOM_QUARANTINE → capture as forensic input, reject
30
33
  if (portal.state === 'PHANTOM_QUARANTINE' && quarantine.current?.active) {
31
34
  captureInput(quarantine.current, `tool_call:${toolName}`, {
32
- tool: toolName, args, timestamp: new Date().toISOString(),
35
+ tool: toolName,
36
+ args,
37
+ timestamp: new Date().toISOString(),
33
38
  });
34
39
  return j({
35
40
  success: false,
@@ -39,14 +44,16 @@ export function createGovernanceWrapper(portal, quarantine, toolName, behavioral
39
44
  forensic_capture: true,
40
45
  });
41
46
  }
47
+ // INITIALIZATION or ARTIFACT_VERIFICATION → not yet governed
42
48
  if (portal.state === 'INITIALIZATION' || portal.state === 'ARTIFACT_VERIFICATION') {
43
49
  return j({
44
50
  success: false,
45
- error: 'GOVERNANCE_NOT_READY: No active policy artifact. Call aga_create_artifact first.',
51
+ error: 'GOVERNANCE_NOT_READY: No active policy artifact. Call attest_subject first.',
46
52
  portal_state: portal.state,
47
53
  tool: toolName,
48
54
  });
49
55
  }
56
+ // ACTIVE_MONITORING or DRIFT_DETECTED → record + allow through
50
57
  if (behavioralMonitor) {
51
58
  const argsHash = sha256Str(canonicalize(args));
52
59
  behavioralMonitor.recordInvocation(toolName, argsHash);
@@ -1 +1 @@
1
- {"version":3,"file":"governance.js","sourceRoot":"","sources":["../../src/middleware/governance.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAKrD,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,6BAA6B;IAC7B,iBAAiB,EAAE,kBAAkB,EAAE,cAAc,EAAE,kBAAkB;IACzE,aAAa,EAAE,YAAY,EAAE,gBAAgB,EAAE,cAAc;IAC7D,WAAW;IACX,iBAAiB,EAAE,sBAAsB,EAAE,gBAAgB,EAAE,qBAAqB;IAClF,qBAAqB,EAAE,mBAAmB,EAAE,eAAe,EAAE,uBAAuB;IACpF,2BAA2B,EAAE,2BAA2B,EAAE,sBAAsB;CACjF,CAAC,CAAC;AAEH,MAAM,UAAU,uBAAuB,CACrC,MAAc,EACd,UAA+C,EAC/C,QAAgB,EAChB,iBAAqC;IAErC,MAAM,UAAU,GAAG,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAEnD,OAAO,SAAS,WAAW,CAAI,OAAuB;QACpD,IAAI,CAAC,UAAU;YAAE,OAAO,OAAO,CAAC;QAEhC,OAAO,KAAK,EAAE,IAAO,EAAuB,EAAE;YAC5C,MAAM,CAAC,GAAG,CAAC,CAAU,EAAc,EAAE,CAAC,CAAC;gBACrC,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aAC9D,CAAC,CAAC;YAEH,IAAI,MAAM,CAAC,KAAK,KAAK,YAAY,IAAI,MAAM,CAAC,KAAK,KAAK,YAAY,EAAE,CAAC;gBACnE,OAAO,CAAC,CAAC;oBACP,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,iCAAiC,MAAM,CAAC,KAAK,CAAC,WAAW,EAAE,+DAA+D;oBACjI,YAAY,EAAE,MAAM,CAAC,KAAK;oBAC1B,IAAI,EAAE,QAAQ;iBACf,CAAC,CAAC;YACL,CAAC;YAED,IAAI,MAAM,CAAC,KAAK,KAAK,oBAAoB,IAAI,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC;gBACxE,YAAY,CAAC,UAAU,CAAC,OAAO,EAAE,aAAa,QAAQ,EAAE,EAAE;oBACxD,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBAC1D,CAAC,CAAC;gBACH,OAAO,CAAC,CAAC;oBACP,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,mIAAmI;oBAC1I,YAAY,EAAE,MAAM,CAAC,KAAK;oBAC1B,IAAI,EAAE,QAAQ;oBACd,gBAAgB,EAAE,IAAI;iBACvB,CAAC,CAAC;YACL,CAAC;YAED,IAAI,MAAM,CAAC,KAAK,KAAK,gBAAgB,IAAI,MAAM,CAAC,KAAK,KAAK,uBAAuB,EAAE,CAAC;gBAClF,OAAO,CAAC,CAAC;oBACP,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,kFAAkF;oBACzF,YAAY,EAAE,MAAM,CAAC,KAAK;oBAC1B,IAAI,EAAE,QAAQ;iBACf,CAAC,CAAC;YACL,CAAC;YAED,IAAI,iBAAiB,EAAE,CAAC;gBACtB,MAAM,QAAQ,GAAG,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;gBAC/C,iBAAiB,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YACzD,CAAC;YACD,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC"}
1
+ {"version":3,"file":"governance.js","sourceRoot":"","sources":["../../src/middleware/governance.ts"],"names":[],"mappings":"AAeA,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAKrD,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,iBAAiB;IACjB,kBAAkB;IAClB,cAAc;IACd,kBAAkB;IAClB,aAAa;IACb,YAAY,EAAS,+BAA+B;IACpD,gBAAgB,EAAK,sCAAsC;IAC3D,cAAc,EAAO,yBAAyB;CAC/C,CAAC,CAAC;AAEH,MAAM,UAAU,uBAAuB,CACrC,MAAc,EACd,UAA+C,EAC/C,QAAgB,EAChB,iBAAqC;IAErC,MAAM,UAAU,GAAG,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAEnD,OAAO,SAAS,WAAW,CAAI,OAAuB;QACpD,IAAI,CAAC,UAAU;YAAE,OAAO,OAAO,CAAC;QAEhC,OAAO,KAAK,EAAE,IAAO,EAAuB,EAAE;YAC5C,MAAM,CAAC,GAAG,CAAC,CAAU,EAAc,EAAE,CAAC,CAAC;gBACrC,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aAC9D,CAAC,CAAC;YAEH,iCAAiC;YACjC,IAAI,MAAM,CAAC,KAAK,KAAK,YAAY,EAAE,CAAC;gBAClC,OAAO,CAAC,CAAC;oBACP,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,uGAAuG;oBAC9G,YAAY,EAAE,MAAM,CAAC,KAAK;oBAC1B,IAAI,EAAE,QAAQ;iBACf,CAAC,CAAC;YACL,CAAC;YAED,yDAAyD;YACzD,IAAI,MAAM,CAAC,KAAK,KAAK,oBAAoB,IAAI,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC;gBACxE,YAAY,CAAC,UAAU,CAAC,OAAO,EAAE,aAAa,QAAQ,EAAE,EAAE;oBACxD,IAAI,EAAE,QAAQ;oBACd,IAAI;oBACJ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACpC,CAAC,CAAC;gBACH,OAAO,CAAC,CAAC;oBACP,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,mIAAmI;oBAC1I,YAAY,EAAE,MAAM,CAAC,KAAK;oBAC1B,IAAI,EAAE,QAAQ;oBACd,gBAAgB,EAAE,IAAI;iBACvB,CAAC,CAAC;YACL,CAAC;YAED,6DAA6D;YAC7D,IAAI,MAAM,CAAC,KAAK,KAAK,gBAAgB,IAAI,MAAM,CAAC,KAAK,KAAK,uBAAuB,EAAE,CAAC;gBAClF,OAAO,CAAC,CAAC;oBACP,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,6EAA6E;oBACpF,YAAY,EAAE,MAAM,CAAC,KAAK;oBAC1B,IAAI,EAAE,QAAQ;iBACf,CAAC,CAAC;YACL,CAAC;YAED,+DAA+D;YAC/D,IAAI,iBAAiB,EAAE,CAAC;gBACtB,MAAM,QAAQ,GAAG,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;gBAC/C,iBAAiB,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YACzD,CAAC;YACD,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC"}
@@ -0,0 +1,14 @@
1
+ /**
2
+ * AGA Governance Proxy - Tool Policy Evaluator
3
+ * Ported from aga-mcp-gateway/src/governance/policy.ts with rate limiting.
4
+ *
5
+ * Patent: USPTO App. No. 19/433,835
6
+ * Copyright (c) 2026 Attested Intelligence Holdings LLC
7
+ * SPDX-License-Identifier: MIT
8
+ */
9
+ import type { ToolPolicy, ToolCallDecision } from './types.js';
10
+ export declare function resetRateLimits(): void;
11
+ export declare function cleanPath(p: string): string;
12
+ export declare function matchesPrefix(prefix: string, candidate: string): boolean;
13
+ export declare function evaluate(policy: ToolPolicy, toolName: string, args?: Record<string, unknown>): ToolCallDecision;
14
+ //# sourceMappingURL=evaluator.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"evaluator.d.ts","sourceRoot":"","sources":["../../src/proxy/evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AA6B/D,wBAAgB,eAAe,IAAI,IAAI,CAEtC;AAID,wBAAgB,SAAS,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAwB3C;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAOxE;AAyCD,wBAAgB,QAAQ,CACtB,MAAM,EAAE,UAAU,EAClB,QAAQ,EAAE,MAAM,EAChB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC7B,gBAAgB,CAqDlB"}