@attested-intelligence/aga-mcp-server 2.1.0 → 2.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +197 -124
- package/SECURITY.md +59 -0
- package/dist/core/bundle.d.ts +9 -2
- package/dist/core/bundle.d.ts.map +1 -1
- package/dist/core/bundle.js +16 -2
- package/dist/core/bundle.js.map +1 -1
- package/dist/core/identity.d.ts +19 -10
- package/dist/core/identity.d.ts.map +1 -1
- package/dist/core/identity.js +45 -11
- package/dist/core/identity.js.map +1 -1
- package/dist/core/portal.d.ts +10 -1
- package/dist/core/portal.d.ts.map +1 -1
- package/dist/core/portal.js +16 -12
- package/dist/core/portal.js.map +1 -1
- package/dist/core/types.d.ts +29 -2
- package/dist/core/types.d.ts.map +1 -1
- package/dist/crypto/index.d.ts +5 -6
- package/dist/crypto/index.d.ts.map +1 -1
- package/dist/crypto/index.js +5 -6
- package/dist/crypto/index.js.map +1 -1
- package/dist/crypto/sign.d.ts +2 -0
- package/dist/crypto/sign.d.ts.map +1 -1
- package/dist/crypto/sign.js +6 -0
- package/dist/crypto/sign.js.map +1 -1
- package/dist/index.js +1 -1
- package/dist/index.js.map +1 -1
- package/dist/middleware/governance.d.ts +7 -1
- package/dist/middleware/governance.d.ts.map +1 -1
- package/dist/middleware/governance.js +18 -11
- package/dist/middleware/governance.js.map +1 -1
- package/dist/server.d.ts +7 -3
- package/dist/server.d.ts.map +1 -1
- package/dist/server.js +342 -214
- package/dist/server.js.map +1 -1
- package/dist/storage/sqlite.js +6 -6
- package/independent-verifier/README.md +31 -0
- package/independent-verifier/package.json +18 -0
- package/independent-verifier/verify.ts +211 -0
- package/package.json +97 -76
- package/src/adapters/openclaw.ts +125 -0
- package/src/core/artifact.ts +45 -0
- package/src/core/attestation.ts +33 -0
- package/src/core/behavioral.ts +132 -0
- package/src/core/bundle.ts +45 -0
- package/src/core/chain.ts +72 -0
- package/src/core/checkpoint.ts +22 -0
- package/src/core/delegation.ts +146 -0
- package/src/core/disclosure.ts +32 -0
- package/src/core/identity.ts +62 -0
- package/src/core/index.ts +14 -0
- package/src/core/portal.ts +117 -0
- package/src/core/quarantine.ts +16 -0
- package/src/core/receipt.ts +33 -0
- package/src/core/subject.ts +11 -0
- package/src/core/types.ts +285 -0
- package/src/crypto/hash.ts +33 -0
- package/src/crypto/index.ts +5 -0
- package/src/crypto/merkle.ts +43 -0
- package/src/crypto/salt.ts +18 -0
- package/src/crypto/sign.ts +42 -0
- package/src/crypto/types.ts +19 -0
- package/src/index.ts +12 -0
- package/src/middleware/governance.ts +95 -0
- package/src/middleware/index.ts +1 -0
- package/src/proxy/evaluator.ts +176 -0
- package/src/proxy/index.ts +259 -0
- package/src/proxy/profiles.ts +48 -0
- package/src/proxy/server.ts +499 -0
- package/src/proxy/stdio-bridge.ts +171 -0
- package/src/proxy/types.ts +40 -0
- package/src/proxy/verify.ts +202 -0
- package/src/server.ts +435 -0
- package/src/storage/index.ts +3 -0
- package/src/storage/interface.ts +21 -0
- package/src/storage/memory.ts +27 -0
- package/src/storage/sqlite.ts +45 -0
- package/src/tools/README.md +13 -0
- package/src/utils/canonical.ts +14 -0
- package/src/utils/constants.ts +3 -0
- package/src/utils/timestamp.ts +12 -0
- package/src/utils/uuid.ts +2 -0
- package/dist/context.d.ts +0 -39
- package/dist/context.d.ts.map +0 -1
- package/dist/context.js +0 -113
- package/dist/context.js.map +0 -1
- package/dist/core/measurement.d.ts +0 -16
- package/dist/core/measurement.d.ts.map +0 -1
- package/dist/core/measurement.js +0 -18
- package/dist/core/measurement.js.map +0 -1
- package/dist/crypto/canonicalize.d.ts +0 -7
- package/dist/crypto/canonicalize.d.ts.map +0 -1
- package/dist/crypto/canonicalize.js +0 -21
- package/dist/crypto/canonicalize.js.map +0 -1
- package/dist/crypto/keys.d.ts +0 -10
- package/dist/crypto/keys.d.ts.map +0 -1
- package/dist/crypto/keys.js +0 -19
- package/dist/crypto/keys.js.map +0 -1
- package/dist/prompts/drift-analysis.d.ts +0 -13
- package/dist/prompts/drift-analysis.d.ts.map +0 -1
- package/dist/prompts/drift-analysis.js +0 -43
- package/dist/prompts/drift-analysis.js.map +0 -1
- package/dist/prompts/governance-report.d.ts +0 -7
- package/dist/prompts/governance-report.d.ts.map +0 -1
- package/dist/prompts/governance-report.js +0 -26
- package/dist/prompts/governance-report.js.map +0 -1
- package/dist/prompts/nccoe-demo.d.ts +0 -14
- package/dist/prompts/nccoe-demo.d.ts.map +0 -1
- package/dist/prompts/nccoe-demo.js +0 -47
- package/dist/prompts/nccoe-demo.js.map +0 -1
- package/dist/resources/cosai-mapping.d.ts +0 -24
- package/dist/resources/cosai-mapping.d.ts.map +0 -1
- package/dist/resources/cosai-mapping.js +0 -127
- package/dist/resources/cosai-mapping.js.map +0 -1
- package/dist/resources/crypto-primitives.d.ts +0 -3
- package/dist/resources/crypto-primitives.d.ts.map +0 -1
- package/dist/resources/crypto-primitives.js +0 -52
- package/dist/resources/crypto-primitives.js.map +0 -1
- package/dist/resources/sample-bundle.d.ts +0 -6
- package/dist/resources/sample-bundle.d.ts.map +0 -1
- package/dist/resources/sample-bundle.js +0 -58
- package/dist/resources/sample-bundle.js.map +0 -1
- package/dist/resources/specification.d.ts +0 -3
- package/dist/resources/specification.d.ts.map +0 -1
- package/dist/resources/specification.js +0 -161
- package/dist/resources/specification.js.map +0 -1
- package/dist/tools/create-artifact.d.ts +0 -25
- package/dist/tools/create-artifact.d.ts.map +0 -1
- package/dist/tools/create-artifact.js +0 -85
- package/dist/tools/create-artifact.js.map +0 -1
- package/dist/tools/delegate-subagent.d.ts +0 -18
- package/dist/tools/delegate-subagent.d.ts.map +0 -1
- package/dist/tools/delegate-subagent.js +0 -50
- package/dist/tools/delegate-subagent.js.map +0 -1
- package/dist/tools/disclose-claim.d.ts +0 -14
- package/dist/tools/disclose-claim.d.ts.map +0 -1
- package/dist/tools/disclose-claim.js +0 -23
- package/dist/tools/disclose-claim.js.map +0 -1
- package/dist/tools/export-bundle.d.ts +0 -8
- package/dist/tools/export-bundle.d.ts.map +0 -1
- package/dist/tools/export-bundle.js +0 -25
- package/dist/tools/export-bundle.js.map +0 -1
- package/dist/tools/full-lifecycle.d.ts +0 -16
- package/dist/tools/full-lifecycle.d.ts.map +0 -1
- package/dist/tools/full-lifecycle.js +0 -121
- package/dist/tools/full-lifecycle.js.map +0 -1
- package/dist/tools/generate-receipt.d.ts +0 -16
- package/dist/tools/generate-receipt.d.ts.map +0 -1
- package/dist/tools/generate-receipt.js +0 -31
- package/dist/tools/generate-receipt.js.map +0 -1
- package/dist/tools/get-chain.d.ts +0 -14
- package/dist/tools/get-chain.d.ts.map +0 -1
- package/dist/tools/get-chain.js +0 -45
- package/dist/tools/get-chain.js.map +0 -1
- package/dist/tools/get-portal-state.d.ts +0 -8
- package/dist/tools/get-portal-state.d.ts.map +0 -1
- package/dist/tools/get-portal-state.js +0 -15
- package/dist/tools/get-portal-state.js.map +0 -1
- package/dist/tools/init-chain.d.ts +0 -10
- package/dist/tools/init-chain.d.ts.map +0 -1
- package/dist/tools/init-chain.js +0 -13
- package/dist/tools/init-chain.js.map +0 -1
- package/dist/tools/measure-behavior.d.ts +0 -12
- package/dist/tools/measure-behavior.d.ts.map +0 -1
- package/dist/tools/measure-behavior.js +0 -29
- package/dist/tools/measure-behavior.js.map +0 -1
- package/dist/tools/measure-subject.d.ts +0 -15
- package/dist/tools/measure-subject.d.ts.map +0 -1
- package/dist/tools/measure-subject.js +0 -106
- package/dist/tools/measure-subject.js.map +0 -1
- package/dist/tools/quarantine-status.d.ts +0 -8
- package/dist/tools/quarantine-status.d.ts.map +0 -1
- package/dist/tools/quarantine-status.js +0 -16
- package/dist/tools/quarantine-status.js.map +0 -1
- package/dist/tools/revoke-artifact.d.ts +0 -13
- package/dist/tools/revoke-artifact.d.ts.map +0 -1
- package/dist/tools/revoke-artifact.js +0 -24
- package/dist/tools/revoke-artifact.js.map +0 -1
- package/dist/tools/rotate-keys.d.ts +0 -13
- package/dist/tools/rotate-keys.d.ts.map +0 -1
- package/dist/tools/rotate-keys.js +0 -39
- package/dist/tools/rotate-keys.js.map +0 -1
- package/dist/tools/server-info.d.ts +0 -8
- package/dist/tools/server-info.d.ts.map +0 -1
- package/dist/tools/server-info.js +0 -23
- package/dist/tools/server-info.js.map +0 -1
- package/dist/tools/set-verification-tier.d.ts +0 -11
- package/dist/tools/set-verification-tier.d.ts.map +0 -1
- package/dist/tools/set-verification-tier.js +0 -31
- package/dist/tools/set-verification-tier.js.map +0 -1
- package/dist/tools/start-monitoring.d.ts +0 -12
- package/dist/tools/start-monitoring.d.ts.map +0 -1
- package/dist/tools/start-monitoring.js +0 -17
- package/dist/tools/start-monitoring.js.map +0 -1
- package/dist/tools/trigger-measurement.d.ts +0 -15
- package/dist/tools/trigger-measurement.d.ts.map +0 -1
- package/dist/tools/trigger-measurement.js +0 -86
- package/dist/tools/trigger-measurement.js.map +0 -1
- package/dist/tools/verify-artifact.d.ts +0 -13
- package/dist/tools/verify-artifact.d.ts.map +0 -1
- package/dist/tools/verify-artifact.js +0 -6
- package/dist/tools/verify-artifact.js.map +0 -1
- package/dist/tools/verify-bundle.d.ts +0 -13
- package/dist/tools/verify-bundle.d.ts.map +0 -1
- package/dist/tools/verify-bundle.js +0 -6
- package/dist/tools/verify-bundle.js.map +0 -1
- package/dist/types.d.ts +0 -261
- package/dist/types.d.ts.map +0 -1
- package/dist/types.js +0 -8
- package/dist/types.js.map +0 -1
package/README.md
CHANGED
|
@@ -1,124 +1,197 @@
|
|
|
1
|
-
#
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
|
28
|
-
|
|
29
|
-
|
|
|
30
|
-
|
|
|
31
|
-
|
|
|
32
|
-
|
|
|
33
|
-
|
|
|
34
|
-
|
|
|
35
|
-
|
|
|
36
|
-
|
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
|
41
|
-
|
|
|
42
|
-
|
|
|
43
|
-
|
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
```
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
```
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
```
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
1
|
+
# AGA - Attested Governance Artifacts
|
|
2
|
+
|
|
3
|
+
Cryptographic runtime governance for AI agents and autonomous systems.
|
|
4
|
+
|
|
5
|
+
[](https://www.npmjs.com/package/@attested-intelligence/aga-mcp-server)
|
|
6
|
+
[](https://pypi.org/project/aga-governance/)
|
|
7
|
+
[](LICENSE)
|
|
8
|
+
[](https://github.com/attestedintelligence/AGA)
|
|
9
|
+
|
|
10
|
+
```bash
|
|
11
|
+
# Try it now
|
|
12
|
+
pip install aga-governance
|
|
13
|
+
python -m aga demo
|
|
14
|
+
python -m aga verify demo-bundle.json
|
|
15
|
+
```
|
|
16
|
+
|
|
17
|
+
## What This Does
|
|
18
|
+
|
|
19
|
+
AGA generates sealed, cryptographically signed Policy Artifacts that bind subject identity to authorized behavior and enforce that binding continuously at runtime. A two-process Portal architecture holds all cryptographic keys while the governed agent holds none - the agent cannot self-authorize, bypass enforcement, or forge receipts.
|
|
20
|
+
|
|
21
|
+
**Seal. Enforce. Prove.**
|
|
22
|
+
|
|
23
|
+
## Architecture
|
|
24
|
+
|
|
25
|
+
```
|
|
26
|
+
Policy Author Portal (Keys) Subject (Agent)
|
|
27
|
+
| | |
|
|
28
|
+
[Seal Artifact] ------> [Store Reference] |
|
|
29
|
+
| | |
|
|
30
|
+
| [Continuous Measurement] <---- [Runtime State]
|
|
31
|
+
| | |
|
|
32
|
+
| [Drift Detected?] |
|
|
33
|
+
| / \ |
|
|
34
|
+
| Yes / \ No |
|
|
35
|
+
| / \ |
|
|
36
|
+
| [Enforce Action] [Append Receipt] |
|
|
37
|
+
| | | |
|
|
38
|
+
| [Signed Receipt] | |
|
|
39
|
+
| | | |
|
|
40
|
+
| [Continuity Chain] <-+ |
|
|
41
|
+
| | |
|
|
42
|
+
| [Evidence Bundle] |
|
|
43
|
+
| | |
|
|
44
|
+
v [Offline Verify] v
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
### Core Operations
|
|
48
|
+
|
|
49
|
+
- **Seal:** Attest subject state, compute sealed hash (SHA-256, no delimiters), sign with Ed25519 over RFC 8785 canonical JSON
|
|
50
|
+
- **Enforce:** Portal measures runtime state against sealed reference, executes enforcement on drift (7 graduated actions including phantom execution for forensic capture)
|
|
51
|
+
- **Prove:** Evidence Bundles with Merkle inclusion proofs enable offline verification by any third party using only standard cryptographic libraries
|
|
52
|
+
|
|
53
|
+
## Use with Claude Desktop
|
|
54
|
+
|
|
55
|
+
Add to your Claude Desktop MCP config (`claude_desktop_config.json`):
|
|
56
|
+
|
|
57
|
+
```json
|
|
58
|
+
{
|
|
59
|
+
"mcpServers": {
|
|
60
|
+
"aga": {
|
|
61
|
+
"command": "npx",
|
|
62
|
+
"args": ["-y", "@attested-intelligence/aga-mcp-server"]
|
|
63
|
+
}
|
|
64
|
+
}
|
|
65
|
+
}
|
|
66
|
+
```
|
|
67
|
+
|
|
68
|
+
Claude can then seal artifacts, measure integrity, generate evidence bundles, and verify compliance through natural language.
|
|
69
|
+
|
|
70
|
+
## MCP Tools (20)
|
|
71
|
+
|
|
72
|
+
| Category | Tools |
|
|
73
|
+
|----------|-------|
|
|
74
|
+
| **Identity** | `get_server_info`, `get_portal_state` |
|
|
75
|
+
| **Lifecycle** | `init_chain`, `attest_subject`, `revoke_artifact` |
|
|
76
|
+
| **Enforcement** | `measure_integrity`, `measure_behavior`, `verify_chain` |
|
|
77
|
+
| **Evidence** | `create_checkpoint`, `generate_evidence_bundle`, `verify_bundle_offline` |
|
|
78
|
+
| **Privacy** | `request_claim`, `list_claims` |
|
|
79
|
+
| **Delegation** | `delegate_to_subagent` |
|
|
80
|
+
| **Audit** | `get_receipts`, `get_chain_events` |
|
|
81
|
+
|
|
82
|
+
## Quick Start
|
|
83
|
+
|
|
84
|
+
```bash
|
|
85
|
+
git clone https://github.com/attestedintelligence/AGA.git
|
|
86
|
+
cd AGA
|
|
87
|
+
npm install
|
|
88
|
+
npm test
|
|
89
|
+
```
|
|
90
|
+
|
|
91
|
+
### Python SDK
|
|
92
|
+
|
|
93
|
+
```bash
|
|
94
|
+
pip install aga-governance
|
|
95
|
+
python -m aga demo
|
|
96
|
+
python -m aga verify demo-bundle.json
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
### Generate and Verify an Evidence Bundle
|
|
100
|
+
|
|
101
|
+
```bash
|
|
102
|
+
npx tsx scripts/generate-evidence-bundle.mjs
|
|
103
|
+
node independent-verifier/verify.js aga-evidence/evidence-bundle.json
|
|
104
|
+
```
|
|
105
|
+
|
|
106
|
+
## MCP Governance Proxy
|
|
107
|
+
|
|
108
|
+
Run AGA as a transparent proxy between any MCP client and any MCP server. Every tool call gets evaluated against policy and produces a signed receipt.
|
|
109
|
+
|
|
110
|
+
```bash
|
|
111
|
+
# Start the proxy with an upstream MCP server
|
|
112
|
+
npx tsx src/proxy/index.ts start --upstream "npx -y @modelcontextprotocol/server-filesystem /tmp/test" --profile standard
|
|
113
|
+
|
|
114
|
+
# Export the evidence bundle
|
|
115
|
+
npx tsx src/proxy/index.ts export --output evidence.json
|
|
116
|
+
|
|
117
|
+
# Verify
|
|
118
|
+
npx tsx src/proxy/index.ts verify evidence.json
|
|
119
|
+
```
|
|
120
|
+
|
|
121
|
+
The proxy intercepts `tools/call` requests, evaluates them against a sealed policy artifact, and generates signed receipts. Permitted calls are forwarded to the downstream server. Denied calls return an MCP error. Every decision is hash-linked into a tamper-evident chain.
|
|
122
|
+
|
|
123
|
+
Three built-in policy profiles:
|
|
124
|
+
- **permissive** - log everything, block nothing (default)
|
|
125
|
+
- **standard** - rate limits + blocks destructive operations
|
|
126
|
+
- **restrictive** - explicit tool allowlist, all unknown tools denied
|
|
127
|
+
|
|
128
|
+
## Deployment Scenarios
|
|
129
|
+
|
|
130
|
+
| Scenario | Description | Key Feature |
|
|
131
|
+
|----------|-------------|-------------|
|
|
132
|
+
| Air-Gapped Audit | Portable evidence bundles for DDIL environments | No network connectivity required |
|
|
133
|
+
| SCADA/ICS Enforcement | Real-time integrity monitoring for industrial control | O(1) receipt generation, deterministic bounds |
|
|
134
|
+
| Autonomous Safe-State | Automatic transition to safe profiles on drift | 7 graduated enforcement actions |
|
|
135
|
+
| Model Deployment Gate | Policy-enforced model release to production | Integrity verification before execution |
|
|
136
|
+
| Cloud Governance | Cryptographic governance for cloud infrastructure | Evidence isolation, multi-tenant support |
|
|
137
|
+
| SOC/IR Evidence | Incident response bundles with chain-of-custody | Forensic-grade audit trails |
|
|
138
|
+
|
|
139
|
+
## Cryptographic Primitives
|
|
140
|
+
|
|
141
|
+
| Primitive | Purpose |
|
|
142
|
+
|-----------|---------|
|
|
143
|
+
| Ed25519 | Digital signatures (artifact sealing, receipt signing) |
|
|
144
|
+
| SHA-256 | Content integrity (sealed hash computation) |
|
|
145
|
+
| BLAKE2b-256 | Artifact fingerprinting |
|
|
146
|
+
| RFC 8785 (JCS) | Canonical JSON serialization |
|
|
147
|
+
| HKDF-SHA256 | Key derivation |
|
|
148
|
+
| Merkle Trees | Checkpoint anchoring to immutable storage |
|
|
149
|
+
|
|
150
|
+
## Test Suite
|
|
151
|
+
|
|
152
|
+
355+ automated tests (218 TypeScript + 137 Python) covering the full AGA lifecycle:
|
|
153
|
+
|
|
154
|
+
```bash
|
|
155
|
+
npm test # TypeScript tests
|
|
156
|
+
cd aga-python && python -m pytest # Python tests
|
|
157
|
+
```
|
|
158
|
+
|
|
159
|
+
## Project Structure
|
|
160
|
+
|
|
161
|
+
```
|
|
162
|
+
src/ # Core protocol: artifacts, receipts, chain, Merkle, crypto, portal state machine
|
|
163
|
+
core/ # Governance primitives (artifact, receipt, chain, portal, bundle)
|
|
164
|
+
crypto/ # Ed25519, SHA-256, BLAKE2b, Merkle, JCS canonicalization
|
|
165
|
+
proxy/ # MCP governance proxy (transparent interception + policy enforcement)
|
|
166
|
+
tools/ # MCP tool handlers (20 tools)
|
|
167
|
+
middleware/ # Zero-trust governance enforcement wrapper
|
|
168
|
+
aga-python/ # Python SDK with @governed decorator (PyPI: aga-governance)
|
|
169
|
+
independent-verifier/ # Standalone verifier with zero AGA imports
|
|
170
|
+
scenarios/ # Deployment scenarios (SCADA, drone, AI agent)
|
|
171
|
+
tests/ # TypeScript test suite (218 tests)
|
|
172
|
+
```
|
|
173
|
+
|
|
174
|
+
## Links
|
|
175
|
+
|
|
176
|
+
- [Website](https://attestedintelligence.com)
|
|
177
|
+
- [Technology](https://attestedintelligence.com/technology)
|
|
178
|
+
- [Diligence Materials](https://attestedintelligence.com/diligence)
|
|
179
|
+
- [MCP Server (npm)](https://www.npmjs.com/package/@attested-intelligence/aga-mcp-server)
|
|
180
|
+
- [Python SDK (PyPI)](https://pypi.org/project/aga-governance/)
|
|
181
|
+
- [Interactive Verifier](https://attestedintelligence.com/verify)
|
|
182
|
+
|
|
183
|
+
## Security
|
|
184
|
+
|
|
185
|
+
See [SECURITY.md](SECURITY.md) for vulnerability reporting.
|
|
186
|
+
|
|
187
|
+
## Contributing
|
|
188
|
+
|
|
189
|
+
See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines.
|
|
190
|
+
|
|
191
|
+
## License
|
|
192
|
+
|
|
193
|
+
[BUSL-1.1](LICENSE) - Business Source License 1.1
|
|
194
|
+
|
|
195
|
+
---
|
|
196
|
+
|
|
197
|
+
Attested Intelligence Holdings LLC
|
package/SECURITY.md
ADDED
|
@@ -0,0 +1,59 @@
|
|
|
1
|
+
# Security Policy
|
|
2
|
+
|
|
3
|
+
## Reporting a Vulnerability
|
|
4
|
+
|
|
5
|
+
If you discover a security vulnerability in AGA, please report it responsibly.
|
|
6
|
+
|
|
7
|
+
**Email:** [admin@attestedintelligence.com](mailto:admin@attestedintelligence.com)
|
|
8
|
+
|
|
9
|
+
**Subject line:** `[SECURITY] AGA Vulnerability Report`
|
|
10
|
+
|
|
11
|
+
### What to Include
|
|
12
|
+
|
|
13
|
+
- Description of the vulnerability
|
|
14
|
+
- Steps to reproduce
|
|
15
|
+
- Potential impact assessment
|
|
16
|
+
- Suggested fix (if you have one)
|
|
17
|
+
|
|
18
|
+
### Response Timeline
|
|
19
|
+
|
|
20
|
+
- **Acknowledgment:** Within 48 hours of receipt
|
|
21
|
+
- **Initial assessment:** Within 5 business days
|
|
22
|
+
- **Resolution target:** Dependent on severity, typically within 30 days for critical issues
|
|
23
|
+
|
|
24
|
+
### Scope
|
|
25
|
+
|
|
26
|
+
This policy covers:
|
|
27
|
+
|
|
28
|
+
- The AGA reference implementation (`src/`, `independent-verifier/`)
|
|
29
|
+
- The MCP server (`@attested-intelligence/aga-mcp-server`)
|
|
30
|
+
- Cryptographic operations (signing, verification, hash computation, chain integrity)
|
|
31
|
+
- Evidence Bundle generation and verification
|
|
32
|
+
|
|
33
|
+
### Out of Scope
|
|
34
|
+
|
|
35
|
+
- The attestedintelligence.com website (report separately to the same email)
|
|
36
|
+
- Third-party dependencies (report to the upstream maintainer, but let us know)
|
|
37
|
+
- Social engineering or phishing attacks
|
|
38
|
+
|
|
39
|
+
### Cryptographic Considerations
|
|
40
|
+
|
|
41
|
+
AGA relies on Ed25519 signatures, SHA-256 hashing, BLAKE2b-256 fingerprinting, and Merkle tree anchoring. If you identify a weakness in how these primitives are applied (not the primitives themselves), that is a valid report.
|
|
42
|
+
|
|
43
|
+
Key areas of concern:
|
|
44
|
+
|
|
45
|
+
- Sealed hash computation correctness
|
|
46
|
+
- Receipt chain integrity (hash linking)
|
|
47
|
+
- Merkle checkpoint verification
|
|
48
|
+
- Key separation enforcement between Portal and agent
|
|
49
|
+
- Evidence Bundle completeness and tamper detection
|
|
50
|
+
|
|
51
|
+
### Disclosure
|
|
52
|
+
|
|
53
|
+
We follow coordinated disclosure. Please do not publicly disclose vulnerabilities until we have released a fix or 90 days have elapsed, whichever comes first.
|
|
54
|
+
|
|
55
|
+
We do not currently operate a bug bounty program.
|
|
56
|
+
|
|
57
|
+
---
|
|
58
|
+
|
|
59
|
+
Attested Intelligence Holdings LLC
|
package/dist/core/bundle.d.ts
CHANGED
|
@@ -1,6 +1,13 @@
|
|
|
1
1
|
import type { KeyPair, MerkleInclusionProof } from '../crypto/types.js';
|
|
2
|
-
import type { EvidenceBundle, PolicyArtifact, SignedReceipt, CheckpointReference } from './types.js';
|
|
3
|
-
|
|
2
|
+
import type { EvidenceBundle, PolicyArtifact, SignedReceipt, CheckpointReference, VerificationTier } from './types.js';
|
|
3
|
+
/**
|
|
4
|
+
* Generate an evidence bundle. Original signature preserved for backward compatibility.
|
|
5
|
+
* Tiered bundle generation (CAISI §3b):
|
|
6
|
+
* BRONZE - artifact + receipts only (proofs omitted)
|
|
7
|
+
* SILVER - artifact + receipts + Merkle proofs
|
|
8
|
+
* GOLD - artifact + receipts + Merkle proofs + anchor checkpoint reference
|
|
9
|
+
*/
|
|
10
|
+
export declare function generateBundle(artifact: PolicyArtifact, receipts: SignedReceipt[], proofs: MerkleInclusionProof[], checkpoint: CheckpointReference, kp: KeyPair, tier?: VerificationTier): EvidenceBundle;
|
|
4
11
|
export interface VerificationResult {
|
|
5
12
|
step1_artifact_sig: boolean;
|
|
6
13
|
step2_receipt_sigs: boolean;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"bundle.d.ts","sourceRoot":"","sources":["../../src/core/bundle.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,KAAK,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"bundle.d.ts","sourceRoot":"","sources":["../../src/core/bundle.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,KAAK,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAEvH;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,cAAc,EAAE,QAAQ,EAAE,aAAa,EAAE,EAAE,MAAM,EAAE,oBAAoB,EAAE,EAAE,UAAU,EAAE,mBAAmB,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,gBAAgB,GAAG,cAAc,CAUzM;AAED,MAAM,WAAW,kBAAkB;IACjC,kBAAkB,EAAE,OAAO,CAAC;IAAC,kBAAkB,EAAE,OAAO,CAAC;IACzD,mBAAmB,EAAE,OAAO,CAAC;IAAC,YAAY,EAAE,iBAAiB,GAAG,OAAO,CAAC;IACxE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAC;CACpC;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,GAAG,kBAAkB,CAanG"}
|
package/dist/core/bundle.js
CHANGED
|
@@ -1,8 +1,22 @@
|
|
|
1
1
|
import { signStr, sigToB64, b64ToSig, hexToPk, verifyStr, pkToHex } from '../crypto/sign.js';
|
|
2
2
|
import { verifyProof } from '../crypto/merkle.js';
|
|
3
3
|
import { canonicalize } from '../utils/canonical.js';
|
|
4
|
-
|
|
5
|
-
|
|
4
|
+
/**
|
|
5
|
+
* Generate an evidence bundle. Original signature preserved for backward compatibility.
|
|
6
|
+
* Tiered bundle generation (CAISI §3b):
|
|
7
|
+
* BRONZE - artifact + receipts only (proofs omitted)
|
|
8
|
+
* SILVER - artifact + receipts + Merkle proofs
|
|
9
|
+
* GOLD - artifact + receipts + Merkle proofs + anchor checkpoint reference
|
|
10
|
+
*/
|
|
11
|
+
export function generateBundle(artifact, receipts, proofs, checkpoint, kp, tier) {
|
|
12
|
+
const effectiveTier = tier ?? 'GOLD';
|
|
13
|
+
const bundleProofs = effectiveTier === 'BRONZE' ? [] : proofs;
|
|
14
|
+
const bundleCheckpoint = effectiveTier === 'GOLD' ? checkpoint : {
|
|
15
|
+
...checkpoint,
|
|
16
|
+
transaction_id: effectiveTier === 'BRONZE' ? '' : checkpoint.transaction_id,
|
|
17
|
+
anchor_network: effectiveTier === 'BRONZE' ? '' : checkpoint.anchor_network,
|
|
18
|
+
};
|
|
19
|
+
const unsigned = { artifact, receipts, merkle_proofs: bundleProofs, checkpoint_reference: bundleCheckpoint, public_key: pkToHex(kp.publicKey), verification_tier: effectiveTier };
|
|
6
20
|
return { ...unsigned, bundle_signature: sigToB64(signStr(canonicalize(unsigned), kp.secretKey)) };
|
|
7
21
|
}
|
|
8
22
|
export function verifyBundleOffline(bundle, pinnedPkHex) {
|
package/dist/core/bundle.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"bundle.js","sourceRoot":"","sources":["../../src/core/bundle.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC7F,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAIrD,MAAM,UAAU,cAAc,CAAC,QAAwB,EAAE,QAAyB,EAAE,MAA8B,EAAE,UAA+B,EAAE,EAAW;
|
|
1
|
+
{"version":3,"file":"bundle.js","sourceRoot":"","sources":["../../src/core/bundle.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC7F,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAIrD;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAAC,QAAwB,EAAE,QAAyB,EAAE,MAA8B,EAAE,UAA+B,EAAE,EAAW,EAAE,IAAuB;IACvL,MAAM,aAAa,GAAG,IAAI,IAAI,MAAM,CAAC;IACrC,MAAM,YAAY,GAAG,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;IAC9D,MAAM,gBAAgB,GAAwB,aAAa,KAAK,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;QACpF,GAAG,UAAU;QACb,cAAc,EAAE,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,cAAc;QAC3E,cAAc,EAAE,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,cAAc;KAC5E,CAAC;IACF,MAAM,QAAQ,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,YAAY,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,iBAAiB,EAAE,aAAa,EAAE,CAAC;IAClL,OAAO,EAAE,GAAG,QAAQ,EAAE,gBAAgB,EAAE,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;AACpG,CAAC;AAQD,MAAM,UAAU,mBAAmB,CAAC,MAAsB,EAAE,WAAmB;IAC7E,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;IACnD,MAAM,EAAE,GAAG,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;IAC7E,IAAI,CAAC,EAAE;QAAE,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IAClD,IAAI,EAAE,GAAG,IAAI,CAAC;IACd,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QAChC,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,YAAY,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YAAC,EAAE,GAAG,KAAK,CAAC;YAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,UAAU,aAAa,CAAC,CAAC;QAAC,CAAC;IAC9J,CAAC;IACD,IAAI,EAAE,GAAG,IAAI,CAAC;IACd,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;YAAC,EAAE,GAAG,KAAK,CAAC;YAAC,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;QAAC,CAAC;IAAC,CAAC;IACtI,OAAO,EAAE,kBAAkB,EAAE,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE,mBAAmB,EAAE,EAAE,EAAE,YAAY,EAAE,iBAAiB,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC;AACvJ,CAAC"}
|
package/dist/core/identity.d.ts
CHANGED
|
@@ -1,14 +1,23 @@
|
|
|
1
|
+
import type { KeyPair } from '../crypto/types.js';
|
|
2
|
+
import type { ContinuityEvent } from './types.js';
|
|
3
|
+
export { keyFingerprint } from '../crypto/sign.js';
|
|
1
4
|
/**
|
|
2
|
-
*
|
|
5
|
+
* Check whether a key is still valid given its issuance time and TTL.
|
|
6
|
+
* NCCoE §2: non-biometric identity validity check.
|
|
3
7
|
*/
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
+
export declare function isKeyValid(issuedAt: string, ttlSeconds: number): boolean;
|
|
9
|
+
/**
|
|
10
|
+
* Generate a new key pair for rotation, returning both old and new for
|
|
11
|
+
* a transition period defined by policy. NCCoE §3: key rotation.
|
|
12
|
+
*/
|
|
13
|
+
export declare function rotateKeyPair(currentKeyPair: KeyPair): {
|
|
14
|
+
oldKeyPair: KeyPair;
|
|
8
15
|
newKeyPair: KeyPair;
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
16
|
+
};
|
|
17
|
+
/**
|
|
18
|
+
* Record a key rotation event on the continuity chain.
|
|
19
|
+
* NCCoE §3: "Key rotation is handled by including both old and new public keys
|
|
20
|
+
* during a transition period defined by policy."
|
|
21
|
+
*/
|
|
22
|
+
export declare function recordKeyRotation(prevEvent: ContinuityEvent, keypairType: string, oldPublicKeyHex: string, newPublicKeyHex: string, reason: string, signingKeyPair: KeyPair): ContinuityEvent;
|
|
14
23
|
//# sourceMappingURL=identity.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/core/identity.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/core/identity.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAE,eAAe,EAAqB,MAAM,YAAY,CAAC;AAGrE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEnD;;;GAGG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAExE;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,cAAc,EAAE,OAAO,GAAG;IAAE,UAAU,EAAE,OAAO,CAAC;IAAC,UAAU,EAAE,OAAO,CAAA;CAAE,CAGnG;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,eAAe,EAC1B,WAAW,EAAE,MAAM,EACnB,eAAe,EAAE,MAAM,EACvB,eAAe,EAAE,MAAM,EACvB,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,OAAO,GACtB,eAAe,CAUjB"}
|
package/dist/core/identity.js
CHANGED
|
@@ -1,16 +1,50 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* Identity
|
|
2
|
+
* Identity and Key Lifecycle.
|
|
3
|
+
*
|
|
4
|
+
* Non-biometric cryptographic identity: agent identity derived from
|
|
5
|
+
* cryptographic key pair bound to append-only attestation history in
|
|
6
|
+
* continuity chain. Authority from valid signature history, not biometric traits.
|
|
7
|
+
*
|
|
8
|
+
* Functions:
|
|
9
|
+
* - keyFingerprint: re-exported from crypto/sign.ts for convenience
|
|
10
|
+
* - isKeyValid: check key TTL expiry
|
|
11
|
+
* - rotateKeyPair: generate new key pair for rotation
|
|
12
|
+
* - recordKeyRotation: append KEY_ROTATION event to chain
|
|
3
13
|
*/
|
|
4
|
-
import {
|
|
5
|
-
import {
|
|
6
|
-
|
|
7
|
-
export
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
+
import { generateKeyPair } from '../crypto/sign.js';
|
|
15
|
+
import { isExpired } from '../utils/timestamp.js';
|
|
16
|
+
import { appendEvent } from './chain.js';
|
|
17
|
+
// Re-export keyFingerprint for identity module consumers (NCCoE §2)
|
|
18
|
+
export { keyFingerprint } from '../crypto/sign.js';
|
|
19
|
+
/**
|
|
20
|
+
* Check whether a key is still valid given its issuance time and TTL.
|
|
21
|
+
* NCCoE §2: non-biometric identity validity check.
|
|
22
|
+
*/
|
|
23
|
+
export function isKeyValid(issuedAt, ttlSeconds) {
|
|
24
|
+
return !isExpired(issuedAt, ttlSeconds);
|
|
25
|
+
}
|
|
26
|
+
/**
|
|
27
|
+
* Generate a new key pair for rotation, returning both old and new for
|
|
28
|
+
* a transition period defined by policy. NCCoE §3: key rotation.
|
|
29
|
+
*/
|
|
30
|
+
export function rotateKeyPair(currentKeyPair) {
|
|
31
|
+
const newKeyPair = generateKeyPair();
|
|
32
|
+
return { oldKeyPair: currentKeyPair, newKeyPair };
|
|
33
|
+
}
|
|
34
|
+
/**
|
|
35
|
+
* Record a key rotation event on the continuity chain.
|
|
36
|
+
* NCCoE §3: "Key rotation is handled by including both old and new public keys
|
|
37
|
+
* during a transition period defined by policy."
|
|
38
|
+
*/
|
|
39
|
+
export function recordKeyRotation(prevEvent, keypairType, oldPublicKeyHex, newPublicKeyHex, reason, signingKeyPair) {
|
|
40
|
+
const payload = {
|
|
41
|
+
keypair_type: keypairType,
|
|
42
|
+
old_public_key: oldPublicKeyHex,
|
|
43
|
+
new_public_key: newPublicKeyHex,
|
|
44
|
+
reason,
|
|
45
|
+
rotation_timestamp: new Date().toISOString(),
|
|
46
|
+
chain_sequence: prevEvent.sequence_number + 1,
|
|
14
47
|
};
|
|
48
|
+
return appendEvent('KEY_ROTATION', payload, prevEvent, signingKeyPair);
|
|
15
49
|
}
|
|
16
50
|
//# sourceMappingURL=identity.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/core/identity.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/core/identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,eAAe,EAA2B,MAAM,mBAAmB,CAAC;AAC7E,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAIzC,oEAAoE;AACpE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEnD;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,QAAgB,EAAE,UAAkB;IAC7D,OAAO,CAAC,SAAS,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;AAC1C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,cAAuB;IACnD,MAAM,UAAU,GAAG,eAAe,EAAE,CAAC;IACrC,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC;AACpD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAC/B,SAA0B,EAC1B,WAAmB,EACnB,eAAuB,EACvB,eAAuB,EACvB,MAAc,EACd,cAAuB;IAEvB,MAAM,OAAO,GAAsB;QACjC,YAAY,EAAE,WAAW;QACzB,cAAc,EAAE,eAAe;QAC/B,cAAc,EAAE,eAAe;QAC/B,MAAM;QACN,kBAAkB,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5C,cAAc,EAAE,SAAS,CAAC,eAAe,GAAG,CAAC;KAC9C,CAAC;IACF,OAAO,WAAW,CAAC,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,cAAc,CAAC,CAAC;AACzE,CAAC"}
|
package/dist/core/portal.d.ts
CHANGED
|
@@ -8,6 +8,14 @@ export interface MeasurementResult {
|
|
|
8
8
|
expectedMetaHash: HashHex;
|
|
9
9
|
ttl_ok: boolean;
|
|
10
10
|
revoked: boolean;
|
|
11
|
+
degraded?: boolean;
|
|
12
|
+
}
|
|
13
|
+
/** Degradation event record for the continuity chain. */
|
|
14
|
+
export interface DegradationEvent {
|
|
15
|
+
reason: string;
|
|
16
|
+
timestamp: string;
|
|
17
|
+
artifact_reference: HashHex;
|
|
18
|
+
previous_state: string;
|
|
11
19
|
}
|
|
12
20
|
export declare class Portal {
|
|
13
21
|
state: PortalState;
|
|
@@ -15,13 +23,14 @@ export declare class Portal {
|
|
|
15
23
|
sequenceCounter: number;
|
|
16
24
|
lastLeafHash: HashHex | null;
|
|
17
25
|
revocations: Set<string>;
|
|
26
|
+
degradationLog: DegradationEvent[];
|
|
18
27
|
loadArtifact(artifact: PolicyArtifact, pinnedPkHex: string): {
|
|
19
28
|
ok: boolean;
|
|
20
29
|
error?: string;
|
|
21
30
|
};
|
|
22
31
|
measure(subjectBytes: Uint8Array, meta: SubjectMetadata): MeasurementResult;
|
|
23
32
|
enforce(action: EnforcementAction): void;
|
|
24
|
-
revoke(sealedHash: string
|
|
33
|
+
revoke(sealedHash: string): void;
|
|
25
34
|
isRevoked(sealedHash: string): boolean;
|
|
26
35
|
reset(): void;
|
|
27
36
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../src/core/portal.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClG,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,gBAAgB,EAAE,OAAO,CAAC;IAC1B,eAAe,EAAE,OAAO,CAAC;IACzB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;
|
|
1
|
+
{"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../src/core/portal.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClG,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,gBAAgB,EAAE,OAAO,CAAC;IAC1B,eAAe,EAAE,OAAO,CAAC;IACzB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,yDAAyD;AACzD,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,qBAAa,MAAM;IACjB,KAAK,EAAE,WAAW,CAAoB;IACtC,QAAQ,EAAE,cAAc,GAAG,IAAI,CAAQ;IACvC,eAAe,SAAK;IACpB,YAAY,EAAE,OAAO,GAAG,IAAI,CAAQ;IACpC,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAa;IACrC,cAAc,EAAE,gBAAgB,EAAE,CAAM;IAExC,YAAY,CAAC,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,GAAG;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAiB5F,OAAO,CAAC,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,eAAe,GAAG,iBAAiB;IAuC3E,OAAO,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI;IAUxC,MAAM,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAKhC,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAEtC,KAAK,IAAI,IAAI;CAId"}
|