@attested-intelligence/aga-mcp-server 2.1.0 → 2.2.0

Files changed (209)
  1. package/README.md +197 -124
  2. package/SECURITY.md +59 -0
  3. package/dist/core/bundle.d.ts +9 -2
  4. package/dist/core/bundle.d.ts.map +1 -1
  5. package/dist/core/bundle.js +16 -2
  6. package/dist/core/bundle.js.map +1 -1
  7. package/dist/core/identity.d.ts +19 -10
  8. package/dist/core/identity.d.ts.map +1 -1
  9. package/dist/core/identity.js +45 -11
  10. package/dist/core/identity.js.map +1 -1
  11. package/dist/core/portal.d.ts +10 -1
  12. package/dist/core/portal.d.ts.map +1 -1
  13. package/dist/core/portal.js +16 -12
  14. package/dist/core/portal.js.map +1 -1
  15. package/dist/core/types.d.ts +29 -2
  16. package/dist/core/types.d.ts.map +1 -1
  17. package/dist/crypto/index.d.ts +5 -6
  18. package/dist/crypto/index.d.ts.map +1 -1
  19. package/dist/crypto/index.js +5 -6
  20. package/dist/crypto/index.js.map +1 -1
  21. package/dist/crypto/sign.d.ts +2 -0
  22. package/dist/crypto/sign.d.ts.map +1 -1
  23. package/dist/crypto/sign.js +6 -0
  24. package/dist/crypto/sign.js.map +1 -1
  25. package/dist/index.js +1 -1
  26. package/dist/index.js.map +1 -1
  27. package/dist/middleware/governance.d.ts +7 -1
  28. package/dist/middleware/governance.d.ts.map +1 -1
  29. package/dist/middleware/governance.js +18 -11
  30. package/dist/middleware/governance.js.map +1 -1
  31. package/dist/server.d.ts +7 -3
  32. package/dist/server.d.ts.map +1 -1
  33. package/dist/server.js +342 -214
  34. package/dist/server.js.map +1 -1
  35. package/dist/storage/sqlite.js +6 -6
  36. package/independent-verifier/README.md +31 -0
  37. package/independent-verifier/package.json +18 -0
  38. package/independent-verifier/verify.ts +211 -0
  39. package/package.json +97 -76
  40. package/src/adapters/openclaw.ts +125 -0
  41. package/src/core/artifact.ts +45 -0
  42. package/src/core/attestation.ts +33 -0
  43. package/src/core/behavioral.ts +132 -0
  44. package/src/core/bundle.ts +45 -0
  45. package/src/core/chain.ts +72 -0
  46. package/src/core/checkpoint.ts +22 -0
  47. package/src/core/delegation.ts +146 -0
  48. package/src/core/disclosure.ts +32 -0
  49. package/src/core/identity.ts +62 -0
  50. package/src/core/index.ts +14 -0
  51. package/src/core/portal.ts +117 -0
  52. package/src/core/quarantine.ts +16 -0
  53. package/src/core/receipt.ts +33 -0
  54. package/src/core/subject.ts +11 -0
  55. package/src/core/types.ts +285 -0
  56. package/src/crypto/hash.ts +33 -0
  57. package/src/crypto/index.ts +5 -0
  58. package/src/crypto/merkle.ts +43 -0
  59. package/src/crypto/salt.ts +18 -0
  60. package/src/crypto/sign.ts +42 -0
  61. package/src/crypto/types.ts +19 -0
  62. package/src/index.ts +12 -0
  63. package/src/middleware/governance.ts +95 -0
  64. package/src/middleware/index.ts +1 -0
  65. package/src/proxy/evaluator.ts +176 -0
  66. package/src/proxy/index.ts +259 -0
  67. package/src/proxy/profiles.ts +48 -0
  68. package/src/proxy/server.ts +499 -0
  69. package/src/proxy/stdio-bridge.ts +171 -0
  70. package/src/proxy/types.ts +40 -0
  71. package/src/proxy/verify.ts +202 -0
  72. package/src/server.ts +435 -0
  73. package/src/storage/index.ts +3 -0
  74. package/src/storage/interface.ts +21 -0
  75. package/src/storage/memory.ts +27 -0
  76. package/src/storage/sqlite.ts +45 -0
  77. package/src/tools/README.md +13 -0
  78. package/src/utils/canonical.ts +14 -0
  79. package/src/utils/constants.ts +3 -0
  80. package/src/utils/timestamp.ts +12 -0
  81. package/src/utils/uuid.ts +2 -0
  82. package/dist/context.d.ts +0 -39
  83. package/dist/context.d.ts.map +0 -1
  84. package/dist/context.js +0 -113
  85. package/dist/context.js.map +0 -1
  86. package/dist/core/measurement.d.ts +0 -16
  87. package/dist/core/measurement.d.ts.map +0 -1
  88. package/dist/core/measurement.js +0 -18
  89. package/dist/core/measurement.js.map +0 -1
  90. package/dist/crypto/canonicalize.d.ts +0 -7
  91. package/dist/crypto/canonicalize.d.ts.map +0 -1
  92. package/dist/crypto/canonicalize.js +0 -21
  93. package/dist/crypto/canonicalize.js.map +0 -1
  94. package/dist/crypto/keys.d.ts +0 -10
  95. package/dist/crypto/keys.d.ts.map +0 -1
  96. package/dist/crypto/keys.js +0 -19
  97. package/dist/crypto/keys.js.map +0 -1
  98. package/dist/prompts/drift-analysis.d.ts +0 -13
  99. package/dist/prompts/drift-analysis.d.ts.map +0 -1
  100. package/dist/prompts/drift-analysis.js +0 -43
  101. package/dist/prompts/drift-analysis.js.map +0 -1
  102. package/dist/prompts/governance-report.d.ts +0 -7
  103. package/dist/prompts/governance-report.d.ts.map +0 -1
  104. package/dist/prompts/governance-report.js +0 -26
  105. package/dist/prompts/governance-report.js.map +0 -1
  106. package/dist/prompts/nccoe-demo.d.ts +0 -14
  107. package/dist/prompts/nccoe-demo.d.ts.map +0 -1
  108. package/dist/prompts/nccoe-demo.js +0 -47
  109. package/dist/prompts/nccoe-demo.js.map +0 -1
  110. package/dist/resources/cosai-mapping.d.ts +0 -24
  111. package/dist/resources/cosai-mapping.d.ts.map +0 -1
  112. package/dist/resources/cosai-mapping.js +0 -127
  113. package/dist/resources/cosai-mapping.js.map +0 -1
  114. package/dist/resources/crypto-primitives.d.ts +0 -3
  115. package/dist/resources/crypto-primitives.d.ts.map +0 -1
  116. package/dist/resources/crypto-primitives.js +0 -52
  117. package/dist/resources/crypto-primitives.js.map +0 -1
  118. package/dist/resources/sample-bundle.d.ts +0 -6
  119. package/dist/resources/sample-bundle.d.ts.map +0 -1
  120. package/dist/resources/sample-bundle.js +0 -58
  121. package/dist/resources/sample-bundle.js.map +0 -1
  122. package/dist/resources/specification.d.ts +0 -3
  123. package/dist/resources/specification.d.ts.map +0 -1
  124. package/dist/resources/specification.js +0 -161
  125. package/dist/resources/specification.js.map +0 -1
  126. package/dist/tools/create-artifact.d.ts +0 -25
  127. package/dist/tools/create-artifact.d.ts.map +0 -1
  128. package/dist/tools/create-artifact.js +0 -85
  129. package/dist/tools/create-artifact.js.map +0 -1
  130. package/dist/tools/delegate-subagent.d.ts +0 -18
  131. package/dist/tools/delegate-subagent.d.ts.map +0 -1
  132. package/dist/tools/delegate-subagent.js +0 -50
  133. package/dist/tools/delegate-subagent.js.map +0 -1
  134. package/dist/tools/disclose-claim.d.ts +0 -14
  135. package/dist/tools/disclose-claim.d.ts.map +0 -1
  136. package/dist/tools/disclose-claim.js +0 -23
  137. package/dist/tools/disclose-claim.js.map +0 -1
  138. package/dist/tools/export-bundle.d.ts +0 -8
  139. package/dist/tools/export-bundle.d.ts.map +0 -1
  140. package/dist/tools/export-bundle.js +0 -25
  141. package/dist/tools/export-bundle.js.map +0 -1
  142. package/dist/tools/full-lifecycle.d.ts +0 -16
  143. package/dist/tools/full-lifecycle.d.ts.map +0 -1
  144. package/dist/tools/full-lifecycle.js +0 -121
  145. package/dist/tools/full-lifecycle.js.map +0 -1
  146. package/dist/tools/generate-receipt.d.ts +0 -16
  147. package/dist/tools/generate-receipt.d.ts.map +0 -1
  148. package/dist/tools/generate-receipt.js +0 -31
  149. package/dist/tools/generate-receipt.js.map +0 -1
  150. package/dist/tools/get-chain.d.ts +0 -14
  151. package/dist/tools/get-chain.d.ts.map +0 -1
  152. package/dist/tools/get-chain.js +0 -45
  153. package/dist/tools/get-chain.js.map +0 -1
  154. package/dist/tools/get-portal-state.d.ts +0 -8
  155. package/dist/tools/get-portal-state.d.ts.map +0 -1
  156. package/dist/tools/get-portal-state.js +0 -15
  157. package/dist/tools/get-portal-state.js.map +0 -1
  158. package/dist/tools/init-chain.d.ts +0 -10
  159. package/dist/tools/init-chain.d.ts.map +0 -1
  160. package/dist/tools/init-chain.js +0 -13
  161. package/dist/tools/init-chain.js.map +0 -1
  162. package/dist/tools/measure-behavior.d.ts +0 -12
  163. package/dist/tools/measure-behavior.d.ts.map +0 -1
  164. package/dist/tools/measure-behavior.js +0 -29
  165. package/dist/tools/measure-behavior.js.map +0 -1
  166. package/dist/tools/measure-subject.d.ts +0 -15
  167. package/dist/tools/measure-subject.d.ts.map +0 -1
  168. package/dist/tools/measure-subject.js +0 -106
  169. package/dist/tools/measure-subject.js.map +0 -1
  170. package/dist/tools/quarantine-status.d.ts +0 -8
  171. package/dist/tools/quarantine-status.d.ts.map +0 -1
  172. package/dist/tools/quarantine-status.js +0 -16
  173. package/dist/tools/quarantine-status.js.map +0 -1
  174. package/dist/tools/revoke-artifact.d.ts +0 -13
  175. package/dist/tools/revoke-artifact.d.ts.map +0 -1
  176. package/dist/tools/revoke-artifact.js +0 -24
  177. package/dist/tools/revoke-artifact.js.map +0 -1
  178. package/dist/tools/rotate-keys.d.ts +0 -13
  179. package/dist/tools/rotate-keys.d.ts.map +0 -1
  180. package/dist/tools/rotate-keys.js +0 -39
  181. package/dist/tools/rotate-keys.js.map +0 -1
  182. package/dist/tools/server-info.d.ts +0 -8
  183. package/dist/tools/server-info.d.ts.map +0 -1
  184. package/dist/tools/server-info.js +0 -23
  185. package/dist/tools/server-info.js.map +0 -1
  186. package/dist/tools/set-verification-tier.d.ts +0 -11
  187. package/dist/tools/set-verification-tier.d.ts.map +0 -1
  188. package/dist/tools/set-verification-tier.js +0 -31
  189. package/dist/tools/set-verification-tier.js.map +0 -1
  190. package/dist/tools/start-monitoring.d.ts +0 -12
  191. package/dist/tools/start-monitoring.d.ts.map +0 -1
  192. package/dist/tools/start-monitoring.js +0 -17
  193. package/dist/tools/start-monitoring.js.map +0 -1
  194. package/dist/tools/trigger-measurement.d.ts +0 -15
  195. package/dist/tools/trigger-measurement.d.ts.map +0 -1
  196. package/dist/tools/trigger-measurement.js +0 -86
  197. package/dist/tools/trigger-measurement.js.map +0 -1
  198. package/dist/tools/verify-artifact.d.ts +0 -13
  199. package/dist/tools/verify-artifact.d.ts.map +0 -1
  200. package/dist/tools/verify-artifact.js +0 -6
  201. package/dist/tools/verify-artifact.js.map +0 -1
  202. package/dist/tools/verify-bundle.d.ts +0 -13
  203. package/dist/tools/verify-bundle.d.ts.map +0 -1
  204. package/dist/tools/verify-bundle.js +0 -6
  205. package/dist/tools/verify-bundle.js.map +0 -1
  206. package/dist/types.d.ts +0 -261
  207. package/dist/types.d.ts.map +0 -1
  208. package/dist/types.js +0 -8
  209. package/dist/types.js.map +0 -1
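--- a/package/src/storage/memory.ts
+++ b/package/src/storage/memory.ts
@@ -0,0 +1,27 @@
+ import type { AGAStorage } from './interface.js';
+ import type { PolicyArtifact, ContinuityEvent, SignedReceipt, CheckpointReference } from '../core/types.js';
+
+ export class MemoryStorage implements AGAStorage {
+ private artifacts = new Map<string, PolicyArtifact>();
+ private events: ContinuityEvent[] = [];
+ private receipts = new Map<string, SignedReceipt>();
+ private checkpoints: CheckpointReference[] = [];
+
+ async initialize() {}
+ async close() {}
+ async storeArtifact(a: PolicyArtifact) { this.artifacts.set(a.sealed_hash, a); }
+ async getArtifact(h: string) { return this.artifacts.get(h) ?? null; }
+ async getLatestArtifact() { const a = [...this.artifacts.values()]; return a.length ? a[a.length - 1] : null; }
+ async storeEvent(e: ContinuityEvent) { this.events.push(e); }
+ async getEvent(seq: number) { return this.events.find(e => e.sequence_number === seq) ?? null; }
+ async getEvents(s: number, e: number) { return this.events.filter(ev => ev.sequence_number >= s && ev.sequence_number <= e); }
+ async getLatestEvent() { return this.events.length ? this.events[this.events.length - 1] : null; }
+ async getAllEvents() { return [...this.events]; }
+ async storeReceipt(r: SignedReceipt) { this.receipts.set(r.receipt_id, r); }
+ async getReceipt(id: string) { return this.receipts.get(id) ?? null; }
+ async getReceiptsByArtifact(ref: string) { return [...this.receipts.values()].filter(r => r.artifact_reference === ref); }
+ async getAllReceipts() { return [...this.receipts.values()]; }
+ async storeCheckpoint(c: CheckpointReference) { this.checkpoints.push(c); }
+ async getLatestCheckpoint() { return this.checkpoints.length ? this.checkpoints[this.checkpoints.length - 1] : null; }
+ async getCheckpoints() { return [...this.checkpoints]; }
+ }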
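Review bot: MemoryStorage does not enforce the uniqueness that the SQLite schema elsewhere in this release declares, and it hands out live references to the stored records. `storeEvent` pushes without checking `sequence_number`, so a duplicate is accepted silently and `getEvent` returns whichever entry was stored first; every getter returns the stored object itself, so a caller that mutates a returned event or receipt changes the stored evidence. A guard such as `if (this.events.some(x => x.sequence_number === e.sequence_number)) throw new Error('duplicate sequence_number');` in `storeEvent`, plus `structuredClone` on store and on read where the runtime provides it, would bring the in-memory backend in line with the SQLite one. `getLatestArtifact` also depends on Map insertion order, which `set` does not refresh when an existing `sealed_hash` is stored again.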
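--- a/package/src/storage/sqlite.ts
+++ b/package/src/storage/sqlite.ts
@@ -0,0 +1,45 @@
+ import type { AGAStorage } from './interface.js';
+ import type { PolicyArtifact, ContinuityEvent, SignedReceipt, CheckpointReference } from '../core/types.js';
+
+ // Dynamic import - better-sqlite3 is optional (requires native build tools)
+ let Database: any;
+ try {
+ Database = (await import('better-sqlite3')).default;
+ } catch {
+ // Will throw at construction time if better-sqlite3 is not available
+ }
+
+ export class SQLiteStorage implements AGAStorage {
+ private db: any;
+ constructor(path = 'aga.sqlite') {
+ if (!Database) throw new Error('better-sqlite3 is not installed. Install Visual Studio Build Tools and run: npm install better-sqlite3');
+ this.db = new Database(path);
+ this.db.pragma('journal_mode = WAL');
+ }
+ async initialize() {
+ this.db.exec(`
+ CREATE TABLE IF NOT EXISTS artifacts (sealed_hash TEXT PRIMARY KEY, data TEXT NOT NULL, created_at TEXT DEFAULT (datetime('now')));
+ CREATE TABLE IF NOT EXISTS chain_events (sequence_number INTEGER PRIMARY KEY, event_id TEXT UNIQUE, event_type TEXT, leaf_hash TEXT, data TEXT NOT NULL);
+ CREATE TABLE IF NOT EXISTS receipts (receipt_id TEXT PRIMARY KEY, artifact_reference TEXT, sequence_number INTEGER, data TEXT NOT NULL);
+ CREATE TABLE IF NOT EXISTS checkpoints (id INTEGER PRIMARY KEY AUTOINCREMENT, merkle_root TEXT, batch_start INTEGER, batch_end INTEGER, data TEXT NOT NULL);
+ CREATE INDEX IF NOT EXISTS idx_receipts_artifact ON receipts(artifact_reference);
+ `);
+ }
+ async close() { this.db.close(); }
+ private p<T>(row: any): T | null { return row ? JSON.parse(row.data) : null; }
+ async storeArtifact(a: PolicyArtifact) { this.db.prepare('INSERT OR REPLACE INTO artifacts (sealed_hash,data) VALUES (?,?)').run(a.sealed_hash, JSON.stringify(a)); }
+ async getArtifact(h: string) { return this.p<PolicyArtifact>(this.db.prepare('SELECT data FROM artifacts WHERE sealed_hash=?').get(h)); }
+ async getLatestArtifact() { return this.p<PolicyArtifact>(this.db.prepare('SELECT data FROM artifacts ORDER BY created_at DESC LIMIT 1').get()); }
+ async storeEvent(e: ContinuityEvent) { this.db.prepare('INSERT INTO chain_events (sequence_number,event_id,event_type,leaf_hash,data) VALUES (?,?,?,?,?)').run(e.sequence_number, e.event_id, e.event_type, e.leaf_hash, JSON.stringify(e)); }
+ async getEvent(seq: number) { return this.p<ContinuityEvent>(this.db.prepare('SELECT data FROM chain_events WHERE sequence_number=?').get(seq)); }
+ async getEvents(s: number, e: number) { return (this.db.prepare('SELECT data FROM chain_events WHERE sequence_number>=? AND sequence_number<=? ORDER BY sequence_number').all(s, e) as any[]).map((r: any) => JSON.parse(r.data)); }
+ async getLatestEvent() { return this.p<ContinuityEvent>(this.db.prepare('SELECT data FROM chain_events ORDER BY sequence_number DESC LIMIT 1').get()); }
+ async getAllEvents() { return (this.db.prepare('SELECT data FROM chain_events ORDER BY sequence_number').all() as any[]).map((r: any) => JSON.parse(r.data)); }
+ async storeReceipt(r: SignedReceipt) { this.db.prepare('INSERT INTO receipts (receipt_id,artifact_reference,sequence_number,data) VALUES (?,?,?,?)').run(r.receipt_id, r.artifact_reference, r.sequence_number, JSON.stringify(r)); }
+ async getReceipt(id: string) { return this.p<SignedReceipt>(this.db.prepare('SELECT data FROM receipts WHERE receipt_id=?').get(id)); }
+ async getReceiptsByArtifact(ref: string) { return (this.db.prepare('SELECT data FROM receipts WHERE artifact_reference=? ORDER BY sequence_number').all(ref) as any[]).map((r: any) => JSON.parse(r.data)); }
+ async getAllReceipts() { return (this.db.prepare('SELECT data FROM receipts ORDER BY sequence_number').all() as any[]).map((r: any) => JSON.parse(r.data)); }
+ async storeCheckpoint(c: CheckpointReference) { this.db.prepare('INSERT INTO checkpoints (merkle_root,batch_start,batch_end,data) VALUES (?,?,?,?)').run(c.merkle_root, c.batch_start_sequence, c.batch_end_sequence, JSON.stringify(c)); }
+ async getLatestCheckpoint() { return this.p<CheckpointReference>(this.db.prepare('SELECT data FROM checkpoints ORDER BY id DESC LIMIT 1').get()); }
+ async getCheckpoints() { return (this.db.prepare('SELECT data FROM checkpoints ORDER BY id').all() as any[]).map((r: any) => JSON.parse(r.data)); }
+ }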
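Review bot: `getLatestArtifact` orders by `created_at`, which the schema fills with `datetime('now')` at one-second resolution, so two artifacts stored within the same second have no defined order and the query can return the older policy. Adding the implicit rowid as a tie-breaker, `ORDER BY created_at DESC, rowid DESC LIMIT 1`, should keep the result deterministic. Separately, the bare `catch {}` around `import('better-sqlite3')` discards the real load error, and the constructor then reports "not installed" with a Windows-only hint; keeping the caught error and passing it as the `cause` of the constructor's `Error` would make a failed native load diagnosable.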
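--- a/package/src/tools/README.md
+++ b/package/src/tools/README.md
@@ -0,0 +1,13 @@
+ # Tools Directory
+
+ All MCP tool handlers are defined inline in `src/server.ts`.
+ This keeps the server as a single-file reference implementation.
+
+ For production use, refactor tools into individual files here:
+ - attestation-tools.ts (attest_subject)
+ - enforcement-tools.ts (measure_integrity, revoke_artifact)
+ - chain-tools.ts (init_chain, verify_chain, get_chain_events)
+ - checkpoint-tools.ts (create_checkpoint)
+ - bundle-tools.ts (generate_evidence_bundle, verify_bundle_offline)
+ - disclosure-tools.ts (request_claim, list_claims)
+ - portal-tools.ts (get_server_info, get_portal_state, get_receipts)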
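--- a/package/src/utils/canonical.ts
+++ b/package/src/utils/canonical.ts
@@ -0,0 +1,14 @@
+ export function deepSortKeys(obj: unknown): unknown {
+ if (obj === null || obj === undefined || typeof obj !== 'object') return obj;
+ if (Array.isArray(obj)) return obj.map(deepSortKeys);
+ if (obj instanceof Uint8Array) return obj;
+ const sorted: Record<string, unknown> = {};
+ for (const key of Object.keys(obj as Record<string, unknown>).sort()) {
+ sorted[key] = deepSortKeys((obj as Record<string, unknown>)[key]);
+ }
+ return sorted;
+ }
+
+ export function canonicalize(obj: unknown): string {
+ return JSON.stringify(deepSortKeys(obj));
+ }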
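Review bot: `canonicalize` is not injective for some inputs, which matters if its output is what gets hashed or signed. `deepSortKeys` rebuilds every non-array object from `Object.keys`, so a `Date`, `Map` or `Set` becomes `{}`, and an own `"__proto__"` key (which `JSON.parse` can produce) is assigned through the prototype setter of the plain `sorted` object and disappears from the output; a `Buffer` and a plain `Uint8Array` holding the same bytes also serialize differently under `JSON.stringify`. Rejecting non-plain objects and building `sorted` on a null prototype closes the first two cases. Whether any caller passes such values is not visible in this file, so the throw below should be checked against existing callers.

```typescript
export function deepSortKeys(obj: unknown): unknown {
  // … unchanged: primitive, array and Uint8Array branches …
  const proto = Object.getPrototypeOf(obj);
  if (proto !== Object.prototype && proto !== null) {
    throw new TypeError('canonicalize: only plain objects, arrays and primitives are supported');
  }
  // Null-prototype target so an own "__proto__" key is kept as data.
  const sorted: Record<string, unknown> = Object.create(null);
  // … unchanged: sorted-key copy loop and return …
```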
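--- a/package/src/utils/constants.ts
+++ b/package/src/utils/constants.ts
@@ -0,0 +1,3 @@
+ export const SCHEMA_VERSION = '1.0.0';
+ export const PROTOCOL_VERSION = '1.0.0';
+ export const TAXONOMY_VERSION = '1.0.0';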
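--- a/package/src/utils/timestamp.ts
+++ b/package/src/utils/timestamp.ts
@@ -0,0 +1,12 @@
+ export function utcNow(): string { return new Date().toISOString(); }
+
+ export function isWithinPeriod(now: string, effective: string, expiration?: string | null): boolean {
+ const n = Date.parse(now);
+ if (n < Date.parse(effective)) return false;
+ if (expiration && n > Date.parse(expiration)) return false;
+ return true;
+ }
+
+ export function isExpired(issuedAt: string, ttlSeconds: number): boolean {
+ return Date.now() > Date.parse(issuedAt) + ttlSeconds * 1000;
+ }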
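Review bot: Both validity checks fail open on unparseable input, because `Date.parse` returns `NaN` and every comparison with `NaN` is false. In `isWithinPeriod` a malformed `now`, `effective` or `expiration` skips both early returns and the function returns `true`; in `isExpired` a malformed `issuedAt` or a non-finite `ttlSeconds` makes the result `false`, that is, never expired. Parsing each value once and rejecting non-finite results, for example `if (!Number.isFinite(n) || !Number.isFinite(eff)) return false;` in `isWithinPeriod` and `if (!Number.isFinite(t) || !Number.isFinite(ttlSeconds)) return true;` in `isExpired`, makes them fail closed. An empty-string `expiration` is also treated as "no expiration" by the truthiness test.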
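--- a/package/src/utils/uuid.ts
+++ b/package/src/utils/uuid.ts
@@ -0,0 +1,2 @@
+ import { v4 } from 'uuid';
+ export function uuid(): string { return v4(); }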
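--- a/package/dist/context.d.ts
+++ b/package/dist/context.d.ts
@@ -1,39 +0,0 @@
- import { Portal } from './core/portal.js';
- import { BehavioralMonitor as BehavioralMonitorImpl } from './core/behavioral.js';
- import type { AGAStorage } from './storage/interface.js';
- import type { KeyPair, QuarantineState, ContinuityEvent, VerificationTier, ClaimsTaxonomy, DelegationRecord, PolicyArtifact, DisclosurePolicy } from './types.js';
- import type { EventType } from './core/types.js';
- export interface ServerContext {
- issuerKP: KeyPair;
- portalKP: KeyPair;
- chainKP: KeyPair;
- portal: Portal;
- storage: AGAStorage;
- chainInitialized: boolean;
- activeArtifact: PolicyArtifact | null;
- quarantine: QuarantineState | null;
- behavioralMonitor: BehavioralMonitorImpl;
- measurementCount: number;
- verificationTier: VerificationTier;
- startTime: string;
- claimsTaxonomy: ClaimsTaxonomy;
- delegations: DelegationRecord[];
- defaultEnforcement: import('./types.js').EnforcementParams;
- defaultClaims: DisclosurePolicy;
- claimValues: Record<string, unknown>;
- appendToChain(type: EventType, payload: unknown): Promise<ContinuityEvent>;
- json(x: unknown): {
- content: Array<{
- type: 'text';
- text: string;
- }>;
- };
- error(msg: string, extra?: Record<string, unknown>): {
- content: Array<{
- type: 'text';
- text: string;
- }>;
- };
- }
- export declare function createContext(): Promise<ServerContext>;
- //# sourceMappingURL=context.d.ts.map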
@@ -1 +0,0 @@
1
- {"version":3,"file":"context.d.ts","sourceRoot":"","sources":["../src/context.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,iBAAiB,IAAI,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAGlF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,KAAK,EACV,OAAO,EAAE,eAAe,EAAE,eAAe,EACzC,gBAAgB,EAAE,cAAc,EAAE,gBAAgB,EAClD,cAAc,EAAE,gBAAgB,EACjC,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAGjD,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,OAAO,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,UAAU,CAAC;IACpB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,cAAc,EAAE,cAAc,GAAG,IAAI,CAAC;IACtC,UAAU,EAAE,eAAe,GAAG,IAAI,CAAC;IACnC,iBAAiB,EAAE,qBAAqB,CAAC;IACzC,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,cAAc,CAAC;IAC/B,WAAW,EAAE,gBAAgB,EAAE,CAAC;IAChC,kBAAkB,EAAE,OAAO,YAAY,EAAE,iBAAiB,CAAC;IAC3D,aAAa,EAAE,gBAAgB,CAAC;IAChC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAC3E,IAAI,CAAC,CAAC,EAAE,OAAO,GAAG;QAAE,OAAO,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,CAAC;IACrE,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG;QAAE,OAAO,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,CAAC;CACzG;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,aAAa,CAAC,CA8G5D"}
package/dist/context.js DELETED
@@ -1,113 +0,0 @@
1
- /**
2
- * ServerContext: replaces closure pattern in server.ts.
3
- * Central state container for the AGA MCP Server.
4
- */
5
- import { generateKeyPair } from './crypto/sign.js';
6
- import { sha256Str } from './crypto/hash.js';
7
- import { Portal } from './core/portal.js';
8
- import { BehavioralMonitor as BehavioralMonitorImpl } from './core/behavioral.js';
9
- import { MemoryStorage } from './storage/memory.js';
10
- import { createGenesisEvent, appendEvent } from './core/chain.js';
11
- export async function createContext() {
12
- const storage = new MemoryStorage();
13
- await storage.initialize();
14
- const issuerKP = generateKeyPair();
15
- const portalKP = generateKeyPair();
16
- const chainKP = generateKeyPair();
17
- const portal = new Portal();
18
- const behavioralMonitor = new BehavioralMonitorImpl();
19
- const defaultEnforcement = {
20
- measurement_cadence_ms: 1000,
21
- ttl_seconds: 3600,
22
- enforcement_triggers: ['QUARANTINE', 'TERMINATE'],
23
- re_attestation_required: true,
24
- measurement_types: ['FILE_SYSTEM_STATE', 'CONFIG_MANIFEST'],
25
- };
26
- const defaultClaims = {
27
- claims_taxonomy: [
28
- // Identity claims
29
- { claim_id: 'identity.name', sensitivity: 'S3_HIGH', substitutes: ['identity.pseudonym', 'identity.org'], inference_risks: [], permitted_modes: ['PROOF_ONLY'] },
30
- { claim_id: 'identity.pseudonym', sensitivity: 'S2_MODERATE', substitutes: ['identity.org'], inference_risks: [], permitted_modes: ['PROOF_ONLY', 'REVEAL_MIN'] },
31
- { claim_id: 'identity.org', sensitivity: 'S1_LOW', substitutes: [], inference_risks: [], permitted_modes: ['PROOF_ONLY', 'REVEAL_MIN', 'REVEAL_FULL'] },
32
- { claim_id: 'identity.age', sensitivity: 'S3_HIGH', substitutes: ['identity.age_range', 'identity.is_adult'], inference_risks: [], permitted_modes: ['PROOF_ONLY'] },
33
- { claim_id: 'identity.age_range', sensitivity: 'S2_MODERATE', substitutes: ['identity.is_adult'], inference_risks: [], permitted_modes: ['PROOF_ONLY', 'REVEAL_MIN', 'REVEAL_FULL'] },
34
- { claim_id: 'identity.is_adult', sensitivity: 'S1_LOW', substitutes: [], inference_risks: [], permitted_modes: ['PROOF_ONLY', 'REVEAL_FULL'] },
35
- // Vehicle claims (deployment-appropriate)
36
- { claim_id: 'vehicle.exact_position', sensitivity: 'S4_CRITICAL', substitutes: ['vehicle.grid_square', 'vehicle.operational_area'], inference_risks: [], permitted_modes: ['PROOF_ONLY'] },
37
- { claim_id: 'vehicle.grid_square', sensitivity: 'S2_MODERATE', substitutes: ['vehicle.operational_area'], inference_risks: [], permitted_modes: ['PROOF_ONLY', 'REVEAL_MIN'] },
38
- { claim_id: 'vehicle.operational_area', sensitivity: 'S1_LOW', substitutes: [], inference_risks: [], permitted_modes: ['PROOF_ONLY', 'REVEAL_MIN', 'REVEAL_FULL'] },
39
- // Plant/infrastructure claims
40
- { claim_id: 'plant.reactor_id', sensitivity: 'S3_HIGH', substitutes: ['plant.facility_type'], inference_risks: [], permitted_modes: ['PROOF_ONLY'] },
41
- { claim_id: 'plant.facility_type', sensitivity: 'S1_LOW', substitutes: [], inference_risks: [], permitted_modes: ['PROOF_ONLY', 'REVEAL_MIN', 'REVEAL_FULL'] },
42
- // Agent/model claims
43
- { claim_id: 'agent.model_weights_hash', sensitivity: 'S4_CRITICAL', substitutes: ['agent.model_family', 'agent.model_generation'], inference_risks: [], permitted_modes: ['PROOF_ONLY'] },
44
- { claim_id: 'agent.model_family', sensitivity: 'S2_MODERATE', substitutes: ['agent.model_generation'], inference_risks: [], permitted_modes: ['PROOF_ONLY', 'REVEAL_MIN'] },
45
- { claim_id: 'agent.model_generation', sensitivity: 'S1_LOW', substitutes: [], inference_risks: [], permitted_modes: ['PROOF_ONLY', 'REVEAL_MIN', 'REVEAL_FULL'] },
46
- ],
47
- substitution_rules: [],
48
- };
49
- const claimValues = {
50
- 'identity.name': 'Alice Johnson',
51
- 'identity.pseudonym': 'AJ-7742',
52
- 'identity.org': 'Attested Intelligence',
53
- 'identity.age': 32,
54
- 'identity.age_range': '25-34',
55
- 'identity.is_adult': true,
56
- 'vehicle.exact_position': '38.8977° N, 77.0365° W',
57
- 'vehicle.grid_square': 'FM18lv',
58
- 'vehicle.operational_area': 'National Capital Region',
59
- 'plant.reactor_id': 'NRC-R-1234',
60
- 'plant.facility_type': 'Nuclear Power Plant',
61
- 'agent.model_weights_hash': 'a4f8c2e1b3d7094f6e2a8b1c5d9f3e7a',
62
- 'agent.model_family': 'GPT-class LLM',
63
- 'agent.model_generation': 'Generation 4',
64
- };
65
- const claimsTaxonomy = {
66
- claims: defaultClaims.claims_taxonomy,
67
- version: '1.0.0',
68
- };
69
- const ctx = {
70
- issuerKP,
71
- portalKP,
72
- chainKP,
73
- portal,
74
- storage,
75
- chainInitialized: false,
76
- activeArtifact: null,
77
- quarantine: null,
78
- behavioralMonitor,
79
- measurementCount: 0,
80
- verificationTier: 'BRONZE',
81
- startTime: new Date().toISOString(),
82
- claimsTaxonomy,
83
- delegations: [],
84
- defaultEnforcement,
85
- defaultClaims,
86
- claimValues,
87
- async appendToChain(type, payload) {
88
- if (!ctx.chainInitialized) {
89
- const genesis = createGenesisEvent(ctx.chainKP, sha256Str('AGA Protocol Specification v2.0.0'));
90
- await ctx.storage.storeEvent(genesis);
91
- ctx.chainInitialized = true;
92
- ctx.portal.sequenceCounter = 0;
93
- ctx.portal.lastLeafHash = genesis.leaf_hash;
94
- }
95
- const prev = await ctx.storage.getLatestEvent();
96
- if (!prev)
97
- throw new Error('Chain initialization failed');
98
- const event = appendEvent(type, payload, prev, ctx.chainKP);
99
- await ctx.storage.storeEvent(event);
100
- ctx.portal.sequenceCounter = event.sequence_number;
101
- ctx.portal.lastLeafHash = event.leaf_hash;
102
- return event;
103
- },
104
- json(x) {
105
- return { content: [{ type: 'text', text: JSON.stringify(x, null, 2) }] };
106
- },
107
- error(msg, extra) {
108
- return { content: [{ type: 'text', text: JSON.stringify({ success: false, error: msg, ...extra }, null, 2) }] };
109
- },
110
- };
111
- return ctx;
112
- }
113
- //# sourceMappingURL=context.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"context.js","sourceRoot":"","sources":["../src/context.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,eAAe,EAAW,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,iBAAiB,IAAI,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAClF,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAiClE,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,MAAM,OAAO,GAAG,IAAI,aAAa,EAAE,CAAC;IACpC,MAAM,OAAO,CAAC,UAAU,EAAE,CAAC;IAE3B,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAC;IACnC,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;IAC5B,MAAM,iBAAiB,GAAG,IAAI,qBAAqB,EAAE,CAAC;IAEtD,MAAM,kBAAkB,GAA2C;QACjE,sBAAsB,EAAE,IAAI;QAC5B,WAAW,EAAE,IAAI;QACjB,oBAAoB,EAAE,CAAC,YAAY,EAAE,WAAW,CAAC;QACjD,uBAAuB,EAAE,IAAI;QAC7B,iBAAiB,EAAE,CAAC,mBAAmB,EAAE,iBAAiB,CAAC;KAC5D,CAAC;IAEF,MAAM,aAAa,GAAqB;QACtC,eAAe,EAAE;YACf,kBAAkB;YAClB,EAAE,QAAQ,EAAE,eAAe,EAAE,WAAW,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,oBAAoB,EAAE,cAAc,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,YAAY,CAAC,EAAE;YAChK,EAAE,QAAQ,EAAE,oBAAoB,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,CAAC,cAAc,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC,EAAE;YACjK,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,QAAQ,EAAE,WAAW,EAAE,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,aAAa,CAAC,EAAE;YACvJ,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,oBAAoB,EAAE,mBAAmB,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,YAAY,CAAC,EAAE;YACpK,EAAE,QAAQ,EAAE,oBAAoB,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,CAAC,mBAAmB,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,aAAa,CAAC,EAAE;YACrL,EAAE,QAAQ,EAAE,mBAAmB,EAAE,WAAW,EAAE,QAAQ,EAAE,WAAW,EAAE,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,YAAY,EAAE,aAAa,CAAC,EAAE;YAC9I,0CAA0C;YAC1C,EAAE,QAAQ,EAAE,wBAAwB,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,CAAC,qBAAqB,EAAE,0BAA0B,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,YAAY,CAAC,EAAE;YAC1L,EAAE,QAAQ,EAAE,qBAAqB,EAAE,WA
AW,EAAE,aAAa,EAAE,WAAW,EAAE,CAAC,0BAA0B,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC,EAAE;YAC9K,EAAE,QAAQ,EAAE,0BAA0B,EAAE,WAAW,EAAE,QAAQ,EAAE,WAAW,EAAE,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,aAAa,CAAC,EAAE;YACnK,8BAA8B;YAC9B,EAAE,QAAQ,EAAE,kBAAkB,EAAE,WAAW,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,qBAAqB,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,YAAY,CAAC,EAAE;YACpJ,EAAE,QAAQ,EAAE,qBAAqB,EAAE,WAAW,EAAE,QAAQ,EAAE,WAAW,EAAE,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,aAAa,CAAC,EAAE;YAC9J,qBAAqB;YACrB,EAAE,QAAQ,EAAE,0BAA0B,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,CAAC,oBAAoB,EAAE,wBAAwB,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,YAAY,CAAC,EAAE;YACzL,EAAE,QAAQ,EAAE,oBAAoB,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,CAAC,wBAAwB,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC,EAAE;YAC3K,EAAE,QAAQ,EAAE,wBAAwB,EAAE,WAAW,EAAE,QAAQ,EAAE,WAAW,EAAE,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,aAAa,CAAC,EAAE;SAClK;QACD,kBAAkB,EAAE,EAAE;KACvB,CAAC;IAEF,MAAM,WAAW,GAA4B;QAC3C,eAAe,EAAE,eAAe;QAChC,oBAAoB,EAAE,SAAS;QAC/B,cAAc,EAAE,uBAAuB;QACvC,cAAc,EAAE,EAAE;QAClB,oBAAoB,EAAE,OAAO;QAC7B,mBAAmB,EAAE,IAAI;QACzB,wBAAwB,EAAE,wBAAwB;QAClD,qBAAqB,EAAE,QAAQ;QAC/B,0BAA0B,EAAE,yBAAyB;QACrD,kBAAkB,EAAE,YAAY;QAChC,qBAAqB,EAAE,qBAAqB;QAC5C,0BAA0B,EAAE,kCAAkC;QAC9D,oBAAoB,EAAE,eAAe;QACrC,wBAAwB,EAAE,cAAc;KACzC,CAAC;IAEF,MAAM,cAAc,GAAmB;QACrC,MAAM,EAAE,aAAa,CAAC,eAAe;QACrC,OAAO,EAAE,OAAO;KACjB,CAAC;IAEF,MAAM,GAAG,GAAkB;QACzB,QAAQ;QACR,QAAQ;QACR,OAAO;QACP,MAAM;QACN,OAAO;QACP,gBAAgB,EAAE,KAAK;QACvB,cAAc,EAAE,IAAI;QACpB,UAAU,EAAE,IAAI;QAChB,iBAAiB;QACjB,gBAAgB,EAAE,CAAC;QACnB,gBAAgB,EAAE,QAAQ;QAC1B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,cAAc;QACd,WAAW,EAAE,EAAE;QACf,kBAAkB;QAClB,aAAa;QACb,WAAW;QAEX,KAAK,CAAC,aAAa,CAAC,IAAe,EAAE,OAAgB;YACnD,IAAI,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;gBAC1B,MAAM,OAAO,GAAG,kBAAkB,CAAC,GAAG,CAAC,OAAO,EAAE,SAAS,CAAC,mCAAmC,CAAC,CAAC,CAAC;gBAChG,MAAM,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,
CAAC;gBACtC,GAAG,CAAC,gBAAgB,GAAG,IAAI,CAAC;gBAC5B,GAAG,CAAC,MAAM,CAAC,eAAe,GAAG,CAAC,CAAC;gBAC/B,GAAG,CAAC,MAAM,CAAC,YAAY,GAAG,OAAO,CAAC,SAAS,CAAC;YAC9C,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;YAC1D,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAC5D,MAAM,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YACpC,GAAG,CAAC,MAAM,CAAC,eAAe,GAAG,KAAK,CAAC,eAAe,CAAC;YACnD,GAAG,CAAC,MAAM,CAAC,YAAY,GAAG,KAAK,CAAC,SAAS,CAAC;YAC1C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,CAAU;YACb,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;QACpF,CAAC;QAED,KAAK,CAAC,GAAW,EAAE,KAA+B;YAChD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;QAC3H,CAAC;KACF,CAAC;IAEF,OAAO,GAAG,CAAC;AACb,CAAC"}
@@ -1,16 +0,0 @@
1
- import type { SubjectIdentifier, SubjectMetadata, HashHex } from '../types.js';
2
- export interface MeasurementInput {
3
- subjectBytes: Uint8Array;
4
- metadata: SubjectMetadata;
5
- }
6
- export interface MeasurementOutput {
7
- bytesHash: HashHex;
8
- metadataHash: HashHex;
9
- }
10
- export declare function measureSubject(input: MeasurementInput): MeasurementOutput;
11
- export declare function compareState(current: MeasurementOutput, expected: SubjectIdentifier): {
12
- match: boolean;
13
- bytesMatch: boolean;
14
- metadataMatch: boolean;
15
- };
16
- //# sourceMappingURL=measurement.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"measurement.d.ts","sourceRoot":"","sources":["../../src/core/measurement.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,iBAAiB,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAE/E,MAAM,WAAW,gBAAgB;IAC/B,YAAY,EAAE,UAAU,CAAC;IACzB,QAAQ,EAAE,eAAe,CAAC;CAC3B;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,OAAO,CAAC;IACnB,YAAY,EAAE,OAAO,CAAC;CACvB;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,gBAAgB,GAAG,iBAAiB,CAKzE;AAED,wBAAgB,YAAY,CAC1B,OAAO,EAAE,iBAAiB,EAC1B,QAAQ,EAAE,iBAAiB,GAC1B;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC;IAAC,aAAa,EAAE,OAAO,CAAA;CAAE,CAIjE"}
@@ -1,18 +0,0 @@
1
- /**
2
- * Subject measurement: hash, compare, detect drift.
3
- * Consolidates subject.ts + attestation.ts measurement logic.
4
- */
5
- import { sha256Bytes, sha256Str } from '../crypto/hash.js';
6
- import { canonicalize } from '../utils/canonical.js';
7
- export function measureSubject(input) {
8
- return {
9
- bytesHash: sha256Bytes(input.subjectBytes),
10
- metadataHash: sha256Str(canonicalize(input.metadata)),
11
- };
12
- }
13
- export function compareState(current, expected) {
14
- const bytesMatch = current.bytesHash === expected.bytes_hash;
15
- const metadataMatch = current.metadataHash === expected.metadata_hash;
16
- return { match: bytesMatch && metadataMatch, bytesMatch, metadataMatch };
17
- }
18
- //# sourceMappingURL=measurement.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"measurement.js","sourceRoot":"","sources":["../../src/core/measurement.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAarD,MAAM,UAAU,cAAc,CAAC,KAAuB;IACpD,OAAO;QACL,SAAS,EAAE,WAAW,CAAC,KAAK,CAAC,YAAY,CAAC;QAC1C,YAAY,EAAE,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;KACtD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,YAAY,CAC1B,OAA0B,EAC1B,QAA2B;IAE3B,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,KAAK,QAAQ,CAAC,UAAU,CAAC;IAC7D,MAAM,aAAa,GAAG,OAAO,CAAC,YAAY,KAAK,QAAQ,CAAC,aAAa,CAAC;IACtE,OAAO,EAAE,KAAK,EAAE,UAAU,IAAI,aAAa,EAAE,UAAU,EAAE,aAAa,EAAE,CAAC;AAC3E,CAAC"}
@@ -1,7 +0,0 @@
1
- /**
2
- * Deterministic JSON serialization (RFC 8785 aligned).
3
- * Moved from src/utils/canonical.ts for directive structure alignment.
4
- */
5
- export declare function deepSortKeys(obj: unknown): unknown;
6
- export declare function canonicalize(obj: unknown): string;
7
- //# sourceMappingURL=canonicalize.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"canonicalize.d.ts","sourceRoot":"","sources":["../../src/crypto/canonicalize.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CASlD;AAED,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAEjD"}
@@ -1,21 +0,0 @@
1
- /**
2
- * Deterministic JSON serialization (RFC 8785 aligned).
3
- * Moved from src/utils/canonical.ts for directive structure alignment.
4
- */
5
- export function deepSortKeys(obj) {
6
- if (obj === null || obj === undefined || typeof obj !== 'object')
7
- return obj;
8
- if (Array.isArray(obj))
9
- return obj.map(deepSortKeys);
10
- if (obj instanceof Uint8Array)
11
- return obj;
12
- const sorted = {};
13
- for (const key of Object.keys(obj).sort()) {
14
- sorted[key] = deepSortKeys(obj[key]);
15
- }
16
- return sorted;
17
- }
18
- export function canonicalize(obj) {
19
- return JSON.stringify(deepSortKeys(obj));
20
- }
21
- //# sourceMappingURL=canonicalize.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"canonicalize.js","sourceRoot":"","sources":["../../src/crypto/canonicalize.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,GAAY;IACvC,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IAC7E,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACrD,IAAI,GAAG,YAAY,UAAU;QAAE,OAAO,GAAG,CAAC;IAC1C,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAA8B,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QACrE,MAAM,CAAC,GAAG,CAAC,GAAG,YAAY,CAAE,GAA+B,CAAC,GAAG,CAAC,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,GAAY;IACvC,OAAO,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC;AAC3C,CAAC"}
@@ -1,10 +0,0 @@
1
- import { pkToHex, hexToPk } from './sign.js';
2
- import type { KeyPair } from '../types.js';
3
- /** SHA-256 fingerprint of a public key (first 16 hex chars). */
4
- export declare function keyFingerprint(pk: Uint8Array): string;
5
- /** Check if a hex-encoded public key is valid (64 hex chars for Ed25519). */
6
- export declare function isKeyValid(hexKey: string): boolean;
7
- /** Rotate a keypair - returns new keypair. Old keypair should be revoked. */
8
- export declare function rotateKeyPair(): KeyPair;
9
- export { pkToHex, hexToPk };
10
- //# sourceMappingURL=keys.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../src/crypto/keys.ts"],"names":[],"mappings":"AAIA,OAAO,EAAmB,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC9D,OAAO,KAAK,EAAE,OAAO,EAAW,MAAM,aAAa,CAAC;AAEpD,gEAAgE;AAChE,wBAAgB,cAAc,CAAC,EAAE,EAAE,UAAU,GAAG,MAAM,CAErD;AAED,6EAA6E;AAC7E,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAElD;AAED,6EAA6E;AAC7E,wBAAgB,aAAa,IAAI,OAAO,CAEvC;AAED,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC"}
@@ -1,19 +0,0 @@
1
- /**
2
- * Key utilities: fingerprints, hex encoding, validation.
3
- */
4
- import { sha256Str } from './hash.js';
5
- import { generateKeyPair, pkToHex, hexToPk } from './sign.js';
6
- /** SHA-256 fingerprint of a public key (first 16 hex chars). */
7
- export function keyFingerprint(pk) {
8
- return sha256Str(pkToHex(pk)).slice(0, 16);
9
- }
10
- /** Check if a hex-encoded public key is valid (64 hex chars for Ed25519). */
11
- export function isKeyValid(hexKey) {
12
- return /^[0-9a-f]{64}$/.test(hexKey);
13
- }
14
- /** Rotate a keypair - returns new keypair. Old keypair should be revoked. */
15
- export function rotateKeyPair() {
16
- return generateKeyPair();
17
- }
18
- export { pkToHex, hexToPk };
19
- //# sourceMappingURL=keys.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"keys.js","sourceRoot":"","sources":["../../src/crypto/keys.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAG9D,gEAAgE;AAChE,MAAM,UAAU,cAAc,CAAC,EAAc;IAC3C,OAAO,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC7C,CAAC;AAED,6EAA6E;AAC7E,MAAM,UAAU,UAAU,CAAC,MAAc;IACvC,OAAO,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AACvC,CAAC;AAED,6EAA6E;AAC7E,MAAM,UAAU,aAAa;IAC3B,OAAO,eAAe,EAAE,CAAC;AAC3B,CAAC;AAED,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC"}
@@ -1,13 +0,0 @@
1
- export declare const DRIFT_ANALYSIS_PROMPT: {
2
- name: string;
3
- description: string;
4
- arguments: {
5
- name: string;
6
- description: string;
7
- required: boolean;
8
- }[];
9
- template: (args: {
10
- drift_type?: string;
11
- }) => string;
12
- };
13
- //# sourceMappingURL=drift-analysis.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"drift-analysis.d.ts","sourceRoot":"","sources":["../../src/prompts/drift-analysis.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,qBAAqB;;;;;;;;qBAMf;QAAE,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE;CAmCzC,CAAC"}
@@ -1,43 +0,0 @@
1
- export const DRIFT_ANALYSIS_PROMPT = {
2
- name: 'drift-analysis',
3
- description: 'Analyze drift events and recommend remediation',
4
- arguments: [
5
- { name: 'drift_type', description: 'Type of drift: binary, behavioral, or both', required: false },
6
- ],
7
- template: (args) => `# Drift Event Analysis
8
-
9
- Analyze drift events in the current AGA session for type: ${args.drift_type ?? 'both'}
10
-
11
- ## Investigation Steps
12
-
13
- 1. Call \`aga_get_chain\` to retrieve all chain events
14
- 2. Filter for INTERACTION_RECEIPT events where drift_detected=true
15
- 3. Filter for BEHAVIORAL_DRIFT events
16
- 4. Call \`aga_measure_behavior\` for current behavioral state
17
- 5. Call \`aga_get_portal_state\` for enforcement status
18
-
19
- ## Analysis Framework
20
-
21
- For each drift event, determine:
22
- - **Root Cause:** Binary modification, prompt injection, configuration change, behavioral anomaly
23
- - **Severity:** Based on enforcement action taken (TERMINATE > QUARANTINE > ALERT_ONLY)
24
- - **Timeline:** When drift was first detected, how many measurements before detection
25
- - **Impact:** Which measurements were affected, what enforcement was applied
26
-
27
- ## Remediation Recommendations
28
-
29
- Based on the drift analysis:
30
- - If binary drift → Recommend re-attestation with updated subject
31
- - If behavioral drift → Recommend baseline adjustment or investigation
32
- - If both → Recommend full security review and incident response
33
-
34
- ## Output Format
35
-
36
- Produce a structured drift analysis report with:
37
- 1. Drift event timeline
38
- 2. Root cause assessment
39
- 3. Severity classification
40
- 4. Remediation steps
41
- 5. Prevention recommendations`,
42
- };
43
- //# sourceMappingURL=drift-analysis.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"drift-analysis.js","sourceRoot":"","sources":["../../src/prompts/drift-analysis.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,IAAI,EAAE,gBAAgB;IACtB,WAAW,EAAE,gDAAgD;IAC7D,SAAS,EAAE;QACT,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,4CAA4C,EAAE,QAAQ,EAAE,KAAK,EAAE;KACnG;IACD,QAAQ,EAAE,CAAC,IAA6B,EAAE,EAAE,CAAC;;4DAEa,IAAI,CAAC,UAAU,IAAI,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8BAgCvD;CAC7B,CAAC"}
@@ -1,7 +0,0 @@
1
- export declare const GOVERNANCE_REPORT_PROMPT: {
2
- name: string;
3
- description: string;
4
- arguments: never[];
5
- template: () => string;
6
- };
7
- //# sourceMappingURL=governance-report.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"governance-report.d.ts","sourceRoot":"","sources":["../../src/prompts/governance-report.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,wBAAwB;;;;;CAwBpC,CAAC"}
@@ -1,26 +0,0 @@
1
- export const GOVERNANCE_REPORT_PROMPT = {
2
- name: 'governance-report',
3
- description: 'Generate a session governance summary report',
4
- arguments: [],
5
- template: () => `# Session Governance Summary Report
6
-
7
- Generate a comprehensive governance report for the current AGA session:
8
-
9
- 1. Call \`aga_server_info\` for server identity and key information
10
- 2. Call \`aga_get_portal_state\` for current enforcement status
11
- 3. Call \`aga_get_chain\` with verify=true for chain integrity
12
- 4. Call \`aga_measure_behavior\` for behavioral analysis
13
- 5. Call \`aga_quarantine_status\` for quarantine state
14
-
15
- Then produce a report with:
16
- - **Session Identity:** Server keys, verification tier, uptime
17
- - **Governance State:** Portal state, artifact status, TTL remaining
18
- - **Chain Integrity:** Event count, verification status, any breaks
19
- - **Behavioral Analysis:** Violations detected, behavioral hash
20
- - **Quarantine Status:** Active/inactive, forensic captures
21
- - **Measurement Summary:** Total measurements, drift events
22
- - **Compliance Status:** NIST/NCCoE alignment assessment
23
-
24
- Format as a structured markdown report suitable for audit documentation.`,
25
- };
26
- //# sourceMappingURL=governance-report.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"governance-report.js","sourceRoot":"","sources":["../../src/prompts/governance-report.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,IAAI,EAAE,mBAAmB;IACzB,WAAW,EAAE,8CAA8C;IAC3D,SAAS,EAAE,EAAE;IACb,QAAQ,EAAE,GAAG,EAAE,CAAC;;;;;;;;;;;;;;;;;;;yEAmBuD;CACxE,CAAC"}
@@ -1,14 +0,0 @@
1
- export declare const NCCOE_DEMO_PROMPT: {
2
- name: string;
3
- description: string;
4
- arguments: {
5
- name: string;
6
- description: string;
7
- required: boolean;
8
- }[];
9
- template: (args: {
10
- agent_code?: string;
11
- include_behavioral?: string;
12
- }) => string;
13
- };
14
- //# sourceMappingURL=nccoe-demo.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"nccoe-demo.d.ts","sourceRoot":"","sources":["../../src/prompts/nccoe-demo.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,iBAAiB;;;;;;;;qBAOX;QAAE,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,kBAAkB,CAAC,EAAE,MAAM,CAAA;KAAE;CAsCtE,CAAC"}
@@ -1,47 +0,0 @@
1
- export const NCCOE_DEMO_PROMPT = {
2
- name: 'nccoe-demo',
3
- description: 'NCCoE AI Agent Identity and Authorization - Full 4-phase demo with behavioral drift detection',
4
- arguments: [
5
- { name: 'agent_code', description: 'The agent source code to attest', required: false },
6
- { name: 'include_behavioral', description: 'Include behavioral drift detection phase', required: false },
7
- ],
8
- template: (args) => `# NCCoE Lab Demo - AGA Protocol Full Lifecycle
9
-
10
- Execute the following phases using the AGA MCP Server tools:
11
-
12
- ## Phase 1: Attestation and Identity Binding
13
- 1. Call \`aga_init_chain\` to initialize the continuity chain
14
- 2. Call \`aga_create_artifact\` with subject content: "${args.agent_code ?? 'def monitor(): return sensors.read_all()'}"
15
- - Include metadata: filename="scada_agent.py", version="2.1.0", author="engineering"
16
- ${args.include_behavioral === 'true' ? ` - Include behavioral_baseline: permitted_tools=["aga_measure_subject","aga_get_portal_state"], rate_limits={"aga_measure_subject":10}, forbidden_sequences=[["read_secret","send_email"]], window_ms=60000` : ''}
17
- 3. Verify the portal state is ACTIVE_MONITORING
18
-
19
- ## Phase 2: Authorized Operation
20
- 4. Call \`aga_measure_subject\` with the SAME content - expect match=true
21
- 5. Call \`aga_measure_subject\` again - expect match=true, receipt generated
22
- 6. Verify both receipts show drift_detected=false
23
-
24
- ## Phase 3: Simulated Prompt Injection
25
- 7. Call \`aga_measure_subject\` with MODIFIED content: "def monitor(): return attacker.exfiltrate(sensors.read_all())"
26
- - Expect match=false, drift_detected=true
27
- - Expect enforcement_action=QUARANTINE
28
- 8. Check portal state - should be PHANTOM_QUARANTINE
29
- 9. Call \`aga_quarantine_status\` to see forensic capture state
30
-
31
- ## Phase 3b: Mid-Session Revocation
32
- 10. Call \`aga_revoke_artifact\` with the sealed hash and reason "Compromise detected"
33
- 11. Verify portal state is TERMINATED
34
-
35
- ${args.include_behavioral === 'true' ? `## Phase 3c: Behavioral Drift Detection
36
- 12. Call \`aga_measure_behavior\` to check for tool pattern violations
37
- 13. Review violations (unauthorized tools, rate limits, forbidden sequences)
38
- ` : ''}
39
-
40
- ## Phase 4: Offline Audit
41
- ${args.include_behavioral === 'true' ? '14' : '12'}. Call \`aga_get_chain\` with verify=true to verify chain integrity
42
- ${args.include_behavioral === 'true' ? '15' : '13'}. Call \`aga_export_bundle\` to generate evidence bundle (need checkpoint first)
43
- ${args.include_behavioral === 'true' ? '16' : '14'}. Call \`aga_verify_bundle\` with the bundle and issuer public key
44
-
45
- All operations should produce signed receipts and chain events.`,
46
- };
47
- //# sourceMappingURL=nccoe-demo.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"nccoe-demo.js","sourceRoot":"","sources":["../../src/prompts/nccoe-demo.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,IAAI,EAAE,YAAY;IAClB,WAAW,EAAE,+FAA+F;IAC5G,SAAS,EAAE;QACT,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,iCAAiC,EAAE,QAAQ,EAAE,KAAK,EAAE;QACvF,EAAE,IAAI,EAAE,oBAAoB,EAAE,WAAW,EAAE,0CAA0C,EAAE,QAAQ,EAAE,KAAK,EAAE;KACzG;IACD,QAAQ,EAAE,CAAC,IAA0D,EAAE,EAAE,CAAC;;;;;;yDAMnB,IAAI,CAAC,UAAU,IAAI,0CAA0C;;EAEpH,IAAI,CAAC,kBAAkB,KAAK,MAAM,CAAC,CAAC,CAAC,+MAA+M,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;;;;;;EAmBzP,IAAI,CAAC,kBAAkB,KAAK,MAAM,CAAC,CAAC,CAAC;;;CAGtC,CAAC,CAAC,CAAC,EAAE;;;EAGJ,IAAI,CAAC,kBAAkB,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;EAChD,IAAI,CAAC,kBAAkB,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;EAChD,IAAI,CAAC,kBAAkB,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;;gEAEc;CAC/D,CAAC"}