@attested-intelligence/aga-mcp-server 2.1.0 → 2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (195) hide show
  1. package/README.md +209 -124
  2. package/dist/adapters/openclaw.d.ts +0 -1
  3. package/dist/adapters/openclaw.d.ts.map +1 -1
  4. package/dist/adapters/openclaw.js +0 -1
  5. package/dist/adapters/openclaw.js.map +1 -1
  6. package/dist/core/bundle.d.ts +9 -2
  7. package/dist/core/bundle.d.ts.map +1 -1
  8. package/dist/core/bundle.js +16 -2
  9. package/dist/core/bundle.js.map +1 -1
  10. package/dist/core/identity.d.ts +19 -10
  11. package/dist/core/identity.d.ts.map +1 -1
  12. package/dist/core/identity.js +45 -11
  13. package/dist/core/identity.js.map +1 -1
  14. package/dist/core/portal.d.ts +10 -1
  15. package/dist/core/portal.d.ts.map +1 -1
  16. package/dist/core/portal.js +16 -12
  17. package/dist/core/portal.js.map +1 -1
  18. package/dist/core/types.d.ts +29 -2
  19. package/dist/core/types.d.ts.map +1 -1
  20. package/dist/crypto/index.d.ts +5 -6
  21. package/dist/crypto/index.d.ts.map +1 -1
  22. package/dist/crypto/index.js +5 -6
  23. package/dist/crypto/index.js.map +1 -1
  24. package/dist/crypto/sign.d.ts +2 -0
  25. package/dist/crypto/sign.d.ts.map +1 -1
  26. package/dist/crypto/sign.js +6 -0
  27. package/dist/crypto/sign.js.map +1 -1
  28. package/dist/index.js +1 -1
  29. package/dist/index.js.map +1 -1
  30. package/dist/middleware/governance.d.ts +7 -1
  31. package/dist/middleware/governance.d.ts.map +1 -1
  32. package/dist/middleware/governance.js +18 -11
  33. package/dist/middleware/governance.js.map +1 -1
  34. package/dist/proxy/evaluator.d.ts +0 -1
  35. package/dist/proxy/evaluator.d.ts.map +1 -1
  36. package/dist/proxy/evaluator.js +0 -1
  37. package/dist/proxy/evaluator.js.map +1 -1
  38. package/dist/proxy/index.d.ts +0 -1
  39. package/dist/proxy/index.d.ts.map +1 -1
  40. package/dist/proxy/index.js +0 -1
  41. package/dist/proxy/index.js.map +1 -1
  42. package/dist/proxy/profiles.d.ts +0 -1
  43. package/dist/proxy/profiles.d.ts.map +1 -1
  44. package/dist/proxy/profiles.js +0 -1
  45. package/dist/proxy/profiles.js.map +1 -1
  46. package/dist/proxy/server.d.ts +0 -1
  47. package/dist/proxy/server.d.ts.map +1 -1
  48. package/dist/proxy/server.js +0 -1
  49. package/dist/proxy/server.js.map +1 -1
  50. package/dist/proxy/stdio-bridge.d.ts +0 -1
  51. package/dist/proxy/stdio-bridge.d.ts.map +1 -1
  52. package/dist/proxy/stdio-bridge.js +0 -1
  53. package/dist/proxy/stdio-bridge.js.map +1 -1
  54. package/dist/proxy/types.d.ts +0 -1
  55. package/dist/proxy/types.d.ts.map +1 -1
  56. package/dist/proxy/types.js +0 -1
  57. package/dist/proxy/types.js.map +1 -1
  58. package/dist/proxy/verify.d.ts +0 -1
  59. package/dist/proxy/verify.d.ts.map +1 -1
  60. package/dist/proxy/verify.js +0 -1
  61. package/dist/proxy/verify.js.map +1 -1
  62. package/dist/server.d.ts +7 -3
  63. package/dist/server.d.ts.map +1 -1
  64. package/dist/server.js +342 -214
  65. package/dist/server.js.map +1 -1
  66. package/dist/storage/sqlite.js +6 -6
  67. package/package.json +28 -12
  68. package/dist/context.d.ts +0 -39
  69. package/dist/context.d.ts.map +0 -1
  70. package/dist/context.js +0 -113
  71. package/dist/context.js.map +0 -1
  72. package/dist/core/measurement.d.ts +0 -16
  73. package/dist/core/measurement.d.ts.map +0 -1
  74. package/dist/core/measurement.js +0 -18
  75. package/dist/core/measurement.js.map +0 -1
  76. package/dist/crypto/canonicalize.d.ts +0 -7
  77. package/dist/crypto/canonicalize.d.ts.map +0 -1
  78. package/dist/crypto/canonicalize.js +0 -21
  79. package/dist/crypto/canonicalize.js.map +0 -1
  80. package/dist/crypto/keys.d.ts +0 -10
  81. package/dist/crypto/keys.d.ts.map +0 -1
  82. package/dist/crypto/keys.js +0 -19
  83. package/dist/crypto/keys.js.map +0 -1
  84. package/dist/prompts/drift-analysis.d.ts +0 -13
  85. package/dist/prompts/drift-analysis.d.ts.map +0 -1
  86. package/dist/prompts/drift-analysis.js +0 -43
  87. package/dist/prompts/drift-analysis.js.map +0 -1
  88. package/dist/prompts/governance-report.d.ts +0 -7
  89. package/dist/prompts/governance-report.d.ts.map +0 -1
  90. package/dist/prompts/governance-report.js +0 -26
  91. package/dist/prompts/governance-report.js.map +0 -1
  92. package/dist/prompts/nccoe-demo.d.ts +0 -14
  93. package/dist/prompts/nccoe-demo.d.ts.map +0 -1
  94. package/dist/prompts/nccoe-demo.js +0 -47
  95. package/dist/prompts/nccoe-demo.js.map +0 -1
  96. package/dist/resources/cosai-mapping.d.ts +0 -24
  97. package/dist/resources/cosai-mapping.d.ts.map +0 -1
  98. package/dist/resources/cosai-mapping.js +0 -127
  99. package/dist/resources/cosai-mapping.js.map +0 -1
  100. package/dist/resources/crypto-primitives.d.ts +0 -3
  101. package/dist/resources/crypto-primitives.d.ts.map +0 -1
  102. package/dist/resources/crypto-primitives.js +0 -52
  103. package/dist/resources/crypto-primitives.js.map +0 -1
  104. package/dist/resources/sample-bundle.d.ts +0 -6
  105. package/dist/resources/sample-bundle.d.ts.map +0 -1
  106. package/dist/resources/sample-bundle.js +0 -58
  107. package/dist/resources/sample-bundle.js.map +0 -1
  108. package/dist/resources/specification.d.ts +0 -3
  109. package/dist/resources/specification.d.ts.map +0 -1
  110. package/dist/resources/specification.js +0 -161
  111. package/dist/resources/specification.js.map +0 -1
  112. package/dist/tools/create-artifact.d.ts +0 -25
  113. package/dist/tools/create-artifact.d.ts.map +0 -1
  114. package/dist/tools/create-artifact.js +0 -85
  115. package/dist/tools/create-artifact.js.map +0 -1
  116. package/dist/tools/delegate-subagent.d.ts +0 -18
  117. package/dist/tools/delegate-subagent.d.ts.map +0 -1
  118. package/dist/tools/delegate-subagent.js +0 -50
  119. package/dist/tools/delegate-subagent.js.map +0 -1
  120. package/dist/tools/disclose-claim.d.ts +0 -14
  121. package/dist/tools/disclose-claim.d.ts.map +0 -1
  122. package/dist/tools/disclose-claim.js +0 -23
  123. package/dist/tools/disclose-claim.js.map +0 -1
  124. package/dist/tools/export-bundle.d.ts +0 -8
  125. package/dist/tools/export-bundle.d.ts.map +0 -1
  126. package/dist/tools/export-bundle.js +0 -25
  127. package/dist/tools/export-bundle.js.map +0 -1
  128. package/dist/tools/full-lifecycle.d.ts +0 -16
  129. package/dist/tools/full-lifecycle.d.ts.map +0 -1
  130. package/dist/tools/full-lifecycle.js +0 -121
  131. package/dist/tools/full-lifecycle.js.map +0 -1
  132. package/dist/tools/generate-receipt.d.ts +0 -16
  133. package/dist/tools/generate-receipt.d.ts.map +0 -1
  134. package/dist/tools/generate-receipt.js +0 -31
  135. package/dist/tools/generate-receipt.js.map +0 -1
  136. package/dist/tools/get-chain.d.ts +0 -14
  137. package/dist/tools/get-chain.d.ts.map +0 -1
  138. package/dist/tools/get-chain.js +0 -45
  139. package/dist/tools/get-chain.js.map +0 -1
  140. package/dist/tools/get-portal-state.d.ts +0 -8
  141. package/dist/tools/get-portal-state.d.ts.map +0 -1
  142. package/dist/tools/get-portal-state.js +0 -15
  143. package/dist/tools/get-portal-state.js.map +0 -1
  144. package/dist/tools/init-chain.d.ts +0 -10
  145. package/dist/tools/init-chain.d.ts.map +0 -1
  146. package/dist/tools/init-chain.js +0 -13
  147. package/dist/tools/init-chain.js.map +0 -1
  148. package/dist/tools/measure-behavior.d.ts +0 -12
  149. package/dist/tools/measure-behavior.d.ts.map +0 -1
  150. package/dist/tools/measure-behavior.js +0 -29
  151. package/dist/tools/measure-behavior.js.map +0 -1
  152. package/dist/tools/measure-subject.d.ts +0 -15
  153. package/dist/tools/measure-subject.d.ts.map +0 -1
  154. package/dist/tools/measure-subject.js +0 -106
  155. package/dist/tools/measure-subject.js.map +0 -1
  156. package/dist/tools/quarantine-status.d.ts +0 -8
  157. package/dist/tools/quarantine-status.d.ts.map +0 -1
  158. package/dist/tools/quarantine-status.js +0 -16
  159. package/dist/tools/quarantine-status.js.map +0 -1
  160. package/dist/tools/revoke-artifact.d.ts +0 -13
  161. package/dist/tools/revoke-artifact.d.ts.map +0 -1
  162. package/dist/tools/revoke-artifact.js +0 -24
  163. package/dist/tools/revoke-artifact.js.map +0 -1
  164. package/dist/tools/rotate-keys.d.ts +0 -13
  165. package/dist/tools/rotate-keys.d.ts.map +0 -1
  166. package/dist/tools/rotate-keys.js +0 -39
  167. package/dist/tools/rotate-keys.js.map +0 -1
  168. package/dist/tools/server-info.d.ts +0 -8
  169. package/dist/tools/server-info.d.ts.map +0 -1
  170. package/dist/tools/server-info.js +0 -23
  171. package/dist/tools/server-info.js.map +0 -1
  172. package/dist/tools/set-verification-tier.d.ts +0 -11
  173. package/dist/tools/set-verification-tier.d.ts.map +0 -1
  174. package/dist/tools/set-verification-tier.js +0 -31
  175. package/dist/tools/set-verification-tier.js.map +0 -1
  176. package/dist/tools/start-monitoring.d.ts +0 -12
  177. package/dist/tools/start-monitoring.d.ts.map +0 -1
  178. package/dist/tools/start-monitoring.js +0 -17
  179. package/dist/tools/start-monitoring.js.map +0 -1
  180. package/dist/tools/trigger-measurement.d.ts +0 -15
  181. package/dist/tools/trigger-measurement.d.ts.map +0 -1
  182. package/dist/tools/trigger-measurement.js +0 -86
  183. package/dist/tools/trigger-measurement.js.map +0 -1
  184. package/dist/tools/verify-artifact.d.ts +0 -13
  185. package/dist/tools/verify-artifact.d.ts.map +0 -1
  186. package/dist/tools/verify-artifact.js +0 -6
  187. package/dist/tools/verify-artifact.js.map +0 -1
  188. package/dist/tools/verify-bundle.d.ts +0 -13
  189. package/dist/tools/verify-bundle.d.ts.map +0 -1
  190. package/dist/tools/verify-bundle.js +0 -6
  191. package/dist/tools/verify-bundle.js.map +0 -1
  192. package/dist/types.d.ts +0 -261
  193. package/dist/types.d.ts.map +0 -1
  194. package/dist/types.js +0 -8
  195. package/dist/types.js.map +0 -1
package/README.md CHANGED
@@ -1,124 +1,209 @@
1
- # @attested-intelligence/aga-mcp-server v2.0.0
2
-
3
- [![MCP Badge](https://lobehub.com/badge/mcp/attested-intelligence-aga-mcp-server)](https://lobehub.com/mcp/attested-intelligence-aga-mcp-server)
4
-
5
- MCP server implementing the Attested Governance Artifact (AGA) protocol - cryptographic compliance enforcement for autonomous AI systems.
6
-
7
- ## What It Does
8
-
9
- This server acts as a **Portal** (zero-trust Policy Enforcement Point) for AI agents. Every tool call is attested, measured against a sealed cryptographic reference, and logged to a tamper-evident continuity chain with signed receipts.
10
-
11
- **20 tools, 3 resources, 3 prompts, 159 tests**
12
-
13
- ## 20 MCP Tools
14
-
15
- | # | Tool | Description |
16
- | --- | --- | --- |
17
- | 1 | `aga_server_info` | Server identity, keys, portal state, framework alignment |
18
- | 2 | `aga_init_chain` | Initialize continuity chain with genesis event |
19
- | 3 | `aga_create_artifact` | Attest subject, generate sealed Policy Artifact |
20
- | 4 | `aga_measure_subject` | Measure subject, compare to sealed ref, generate receipt |
21
- | 5 | `aga_verify_artifact` | Verify artifact signature against issuer key |
22
- | 6 | `aga_start_monitoring` | Start/restart behavioral monitoring with baseline |
23
- | 7 | `aga_get_portal_state` | Current portal enforcement state and TTL |
24
- | 8 | `aga_trigger_measurement` | Trigger measurement with specific type |
25
- | 9 | `aga_generate_receipt` | Generate signed measurement receipt manually |
26
- | 10 | `aga_export_bundle` | Package artifact + receipts + Merkle proofs |
27
- | 11 | `aga_verify_bundle` | 4-step offline bundle verification |
28
- | 12 | `aga_disclose_claim` | Privacy-preserving disclosure with auto-substitution |
29
- | 13 | `aga_get_chain` | Get chain events with optional integrity verification |
30
- | 14 | `aga_quarantine_status` | Quarantine state and forensic capture status |
31
- | 15 | `aga_revoke_artifact` | Mid-session artifact revocation |
32
- | 16 | `aga_set_verification_tier` | Set verification tier (BRONZE/SILVER/GOLD) |
33
- | 17 | `aga_demonstrate_lifecycle` | Full lifecycle: attest, measure, checkpoint, verify |
34
- | 18 | `aga_measure_behavior` | Behavioral drift detection (tool patterns) |
35
- | 19 | `aga_delegate_to_subagent` | Constrained sub-agent delegation (scope only diminishes) |
36
- | 20 | `aga_rotate_keys` | Key rotation with chain event |
37
-
38
- ## 3 Resources
39
-
40
- | Resource | URI | Description |
41
- | --- | --- | --- |
42
- | Protocol Spec | `aga://specification/protocol-v2` | Full protocol specification with SPIFFE alignment |
43
- | Sample Bundle | `aga://resources/sample-bundle` | Sample evidence bundle documentation |
44
- | Crypto Primitives | `aga://resources/crypto-primitives` | Cryptographic primitives documentation |
45
-
46
- ## 3 Prompts
47
-
48
- | Prompt | Description |
49
- |--------|-------------|
50
- | `nccoe-demo` | 4-phase NCCoE lab demo with behavioral drift |
51
- | `governance-report` | Session governance summary report |
52
- | `drift-analysis` | Drift event analysis and remediation |
53
-
54
- ## CoSAI MCP Security Threat Coverage
55
-
56
- The AGA MCP Server addresses all 12 threat categories identified in the
57
- [CoSAI MCP Security whitepaper](https://github.com/cosai-oasis/ws4-secure-design-agentic-systems/blob/main/model-context-protocol-security.md)
58
- (Coalition for Secure AI / OASIS, January 2026).
59
-
60
- | CoSAI Category | Threat Domain | AGA Governance Mechanism |
61
- |---|---|---|
62
- | T1: Improper Authentication | Identity & Access | Ed25519 artifact signatures, pinned issuer keys, TTL re-attestation, key rotation chain events |
63
- | T2: Missing Access Control | Identity & Access | Portal as mandatory enforcement boundary, sealed constraints, delegation with scope diminishment |
64
- | T3: Input Validation Failures | Input Handling | Runtime measurement against sealed reference, behavioral drift detection |
65
- | T4: Data/Control Boundary Failures | Input Handling | Behavioral baseline (permitted tools, forbidden sequences, rate limits), phantom execution forensics |
66
- | T5: Inadequate Data Protection | Data & Code | Salted commitments, privacy-preserving disclosure with substitution, inference risk prevention |
67
- | T6: Missing Integrity Controls | Data & Code | Content-addressable hash binding, 10 measurement embodiments, continuous runtime verification |
68
- | T7: Session/Transport Security | Network & Transport | TTL-based artifact expiration, fail-closed on expiry, mid-session revocation, Ed25519 signed receipts |
69
- | T8: Network Isolation Failures | Network & Transport | Two-process architecture, agent holds no credentials, NETWORK_ISOLATE enforcement action |
70
- | T9: Trust Boundary Failures | Trust & Design | Enforcement pre-committed by human authorities in sealed artifact, not delegated to LLM |
71
- | T10: Resource Management | Trust & Design | Per-tool rate limits in behavioral baseline, configurable measurement cadence (10ms to 3600s) |
72
- | T11: Supply Chain Failures | Operational | Content-addressable hashing at attestation, runtime hash comparison blocks modified components |
73
- | T12: Insufficient Observability | Operational | Signed receipts, tamper-evident continuity chain, Merkle anchoring, offline evidence bundles |
74
-
75
- Full mapping details available via the `aga://specification` resource.
76
-
77
- ## Quick Start
78
-
79
- ```bash
80
- npm install && npm run build && npm test
81
- ```
82
-
83
- ## Connect to an MCP Client
84
-
85
- Add to your MCP client config:
86
-
87
- ```json
88
- {
89
- "mcpServers": {
90
- "aga": { "command": "node", "args": ["/path/to/aga-mcp-server/dist/index.js"] }
91
- }
92
- }
93
- ```
94
-
95
- ## Architecture
96
-
97
- ```
98
- MCP Client
99
- │ JSON-RPC over stdio
100
-
101
- src/server.ts - 20 tools + 3 resources + 3 prompts
102
-
103
- ├── src/tools/ 20 individual tool handlers
104
- ├── src/core/ Protocol logic (artifact, chain, portal, etc.)
105
- ├── src/crypto/ Ed25519 + SHA-256 + Merkle + canonical JSON
106
- ├── src/middleware/ Zero-trust governance PEP
107
- ├── src/storage/ In-memory + optional SQLite
108
- ├── src/resources/ Protocol docs + crypto primitives
109
- └── src/prompts/ Demo + report + analysis prompts
110
- ```
111
-
112
- ## Test Coverage
113
-
114
- | Suite | Tests | What |
115
- |-------|-------|------|
116
- | Crypto | 33 | SHA-256, Ed25519, Merkle, salt, canonical, keys |
117
- | Core | 56 | Artifact, chain, portal, governance, behavioral, delegation, privacy, revocation, fail-closed |
118
- | Tools | 25 | All 20 tool handlers |
119
- | Integration | 38 | Bundle tamper, lifecycle, performance, NCCoE demo, crucible compatibility |
120
- | **Total** | **159** | |
121
-
122
- ## License
123
-
124
- MIT - Attested Intelligence Holdings LLC
1
+ # AGA - Attested Governance Artifacts
2
+
3
+ Cryptographic runtime governance for AI agents and autonomous systems.
4
+
5
+ [![npm](https://img.shields.io/npm/v/@attested-intelligence/aga-mcp-server)](https://www.npmjs.com/package/@attested-intelligence/aga-mcp-server)
6
+ [![PyPI](https://img.shields.io/pypi/v/aga-governance)](https://pypi.org/project/aga-governance/)
7
+ [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
8
+ [![Tests](https://img.shields.io/badge/tests-355%2B-brightgreen)](https://github.com/attestedintelligence/AGA)
9
+
10
+ ```bash
11
+ # Try it now
12
+ pip install aga-governance
13
+ python -m aga demo
14
+ python -m aga verify demo-bundle.json
15
+ ```
16
+
17
+ ## What This Does
18
+
19
+ Every tool call an AI agent makes passes through the AGA gateway. Each call is evaluated against policy, and the decision (PERMITTED or DENIED) is recorded as a signed, hash-linked governance receipt. Receipts are collected into evidence bundles that any third party can verify offline using standard cryptography.
20
+
21
+ **Record. Prove. Verify.**
22
+
23
+ ## Use with Claude Desktop
24
+
25
+ Add to your Claude Desktop MCP config (`claude_desktop_config.json`):
26
+
27
+ ```json
28
+ {
29
+ "mcpServers": {
30
+ "aga": {
31
+ "command": "npx",
32
+ "args": ["-y", "@attested-intelligence/aga-mcp-server"]
33
+ }
34
+ }
35
+ }
36
+ ```
37
+
38
+ Claude can then seal artifacts, measure integrity, generate evidence bundles, and verify compliance through natural language.
39
+
40
+ ## MCP Tools (20)
41
+
42
+ | Category | Tools |
43
+ |----------|-------|
44
+ | **Identity** | `get_server_info`, `get_portal_state` |
45
+ | **Lifecycle** | `init_chain`, `attest_subject`, `revoke_artifact` |
46
+ | **Enforcement** | `measure_integrity`, `measure_behavior`, `verify_chain` |
47
+ | **Evidence** | `create_checkpoint`, `generate_evidence_bundle`, `verify_bundle_offline` |
48
+ | **Privacy** | `request_claim`, `list_claims` |
49
+ | **Delegation** | `delegate_to_subagent` |
50
+ | **Audit** | `get_receipts`, `get_chain_events` |
51
+
52
+ ## Quick Start
53
+
54
+ ### Verify an evidence bundle (3 commands)
55
+
56
+ ```bash
57
+ pip install aga-governance
58
+ curl -s https://aga-mcp-gateway.attestedintelligence.workers.dev/bundle -o evidence-bundle.json
59
+ python -m aga verify evidence-bundle.json
60
+ ```
61
+
62
+ ### Or verify in your browser
63
+
64
+ Go to [attestedintelligence.com/verify](https://attestedintelligence.com/verify) and click "Run Verification." Zero installs required.
65
+
66
+ ## How It Works
67
+
68
+ ```
69
+ AI Agent AGA Gateway Verifier
70
+ | | |
71
+ |-- tools/call ----------->| |
72
+ | [Evaluate Policy] |
73
+ | [Sign Receipt] |
74
+ | [Chain to Previous] |
75
+ |<-- PERMITTED/DENIED -----| |
76
+ | | |
77
+ | [Export Bundle] |
78
+ | |--------- evidence.json ----->|
79
+ | | [Verify Signatures]
80
+ | | [Verify Chain]
81
+ | | [Verify Merkle Tree]
82
+ | | [PASS / FAIL]
83
+ ```
84
+
85
+ ## MCP Governance Proxy
86
+
87
+ Run AGA as a transparent proxy between any MCP client and any MCP server. Every tool call gets evaluated against policy and produces a signed receipt.
88
+
89
+ ```bash
90
+ # Start the proxy with an upstream MCP server
91
+ npx tsx src/proxy/index.ts start --upstream "npx -y @modelcontextprotocol/server-filesystem /tmp/test" --profile standard
92
+
93
+ # Export the evidence bundle
94
+ npx tsx src/proxy/index.ts export --output evidence.json
95
+
96
+ # Verify
97
+ npx tsx src/proxy/index.ts verify evidence.json
98
+ ```
99
+
100
+ The proxy intercepts `tools/call` requests, evaluates them against a sealed policy artifact, and generates signed receipts. Permitted calls are forwarded to the downstream server. Denied calls return an MCP error. Every decision is hash-linked into a tamper-evident chain.
101
+
102
+ Three built-in policy profiles:
103
+ - **permissive** - log everything, block nothing (default)
104
+ - **standard** - rate limits + blocks destructive operations
105
+ - **restrictive** - explicit tool allowlist, all unknown tools denied
106
+
107
+ ## Verification (5 steps)
108
+
109
+ 1. **Algorithm Check** - Bundle declares Ed25519-SHA256-JCS, fail closed on anything else
110
+ 2. **Receipt Signatures** - Ed25519 over RFC 8785 canonical JSON (signature field excluded)
111
+ 3. **Chain Integrity** - Each receipt's `previous_receipt_hash` = SHA-256 of the preceding receipt
112
+ 4. **Merkle Proofs** - Walk siblings/directions to root, compare against bundle root
113
+ 5. **Bundle Consistency** - Proof count = receipt count, leaf hashes match receipt hashes
114
+
115
+ ## Cryptographic Primitives
116
+
117
+ | Primitive | Purpose |
118
+ |-----------|---------|
119
+ | Ed25519 | Receipt signatures |
120
+ | SHA-256 | Hash chaining, Merkle trees, leaf computation |
121
+ | RFC 8785 (JCS) | Canonical JSON for deterministic signing |
122
+ | Merkle Trees | Binding all receipts to a single verifiable root |
123
+
124
+ ## Live Gateway
125
+
126
+ The demo gateway is deployed on Cloudflare Workers:
127
+
128
+ ```bash
129
+ # Check status
130
+ curl https://aga-mcp-gateway.attestedintelligence.workers.dev/health
131
+
132
+ # Export evidence bundle
133
+ curl https://aga-mcp-gateway.attestedintelligence.workers.dev/bundle -o evidence-bundle.json
134
+ ```
135
+
136
+ ## Python SDK
137
+
138
+ ```bash
139
+ pip install aga-governance
140
+ ```
141
+
142
+ ```python
143
+ from aga import AgentSession
144
+
145
+ with AgentSession(gateway_id="my-gateway") as session:
146
+ session.record_tool_call(
147
+ tool_name="search_web",
148
+ decision="PERMITTED",
149
+ reason="tool in allowlist",
150
+ request_id="req-1",
151
+ )
152
+ bundle = session.export_bundle()
153
+ result = session.verify()
154
+ assert result["overall_valid"]
155
+ ```
156
+
157
+ ## Test Suite
158
+
159
+ 355+ automated tests across TypeScript and Python:
160
+
161
+ - **TypeScript MCP Server:** 218 tests (vitest)
162
+ - **Python SDK:** 137 tests (pytest)
163
+ - **Cross-language test vectors:** 37 vectors across 9 categories
164
+
165
+ ```bash
166
+ npm test # TypeScript tests
167
+ cd aga-python && python -m pytest # Python tests
168
+ ```
169
+
170
+ ## Project Structure
171
+
172
+ ```
173
+ src/ # Core protocol: artifacts, receipts, chain, Merkle, crypto, portal state machine
174
+ core/ # Governance primitives (artifact, receipt, chain, portal, bundle)
175
+ crypto/ # Ed25519, SHA-256, BLAKE2b, Merkle, JCS canonicalization
176
+ proxy/ # MCP governance proxy (transparent interception + policy enforcement)
177
+ tools/ # MCP tool handlers (20 tools)
178
+ middleware/ # Zero-trust governance enforcement wrapper
179
+ aga-python/ # Python SDK with @governed decorator (PyPI: aga-governance)
180
+ independent-verifier/ # Standalone verifier with zero AGA imports
181
+ scenarios/ # Deployment scenarios (SCADA, drone, AI agent)
182
+ tests/ # TypeScript test suite (218 tests)
183
+ ```
184
+
185
+ ## Links
186
+
187
+ - [Website](https://attestedintelligence.com)
188
+ - [Technology](https://attestedintelligence.com/technology)
189
+ - [Live Verifier](https://attestedintelligence.com/verify)
190
+ - [Trust and Scope](https://attestedintelligence.com/trust)
191
+ - [Diligence Materials](https://attestedintelligence.com/diligence)
192
+ - [MCP Server (npm)](https://www.npmjs.com/package/@attested-intelligence/aga-mcp-server)
193
+ - [Python SDK (PyPI)](https://pypi.org/project/aga-governance/)
194
+
195
+ ## Security
196
+
197
+ See [SECURITY.md](SECURITY.md) for vulnerability reporting.
198
+
199
+ ## Contributing
200
+
201
+ See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines.
202
+
203
+ ## License
204
+
205
+ [MIT](LICENSE)
206
+
207
+ ---
208
+
209
+ Attested Intelligence Holdings LLC
@@ -5,7 +5,6 @@
5
5
  * All OpenClaw assumptions are documented inline. When a real OpenClaw instance
6
6
  * becomes available, validate each assumption.
7
7
  *
8
- * Patent: USPTO App. No. 19/433,835
9
8
  * Copyright (c) 2026 Attested Intelligence Holdings LLC
10
9
  * SPDX-License-Identifier: MIT
11
10
  */
@@ -1 +1 @@
1
- {"version":3,"file":"openclaw.d.ts","sourceRoot":"","sources":["../../src/adapters/openclaw.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAmBH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACzF,cAAc,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;IAC7C,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChF,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED,qBAAa,eAAgB,YAAW,kBAAkB;IACxD,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,UAAU,CAAuB;IAEzC,OAAO,CAAC,cAAc;IAIhB,MAAM,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAqBxF,cAAc,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;IAW5C,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IA6B/E,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAU/B"}
1
+ {"version":3,"file":"openclaw.d.ts","sourceRoot":"","sources":["../../src/adapters/openclaw.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAmBH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACzF,cAAc,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;IAC7C,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChF,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED,qBAAa,eAAgB,YAAW,kBAAkB;IACxD,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,UAAU,CAAuB;IAEzC,OAAO,CAAC,cAAc;IAIhB,MAAM,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAqBxF,cAAc,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;IAW5C,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IA6B/E,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAU/B"}
@@ -5,7 +5,6 @@
5
5
  * All OpenClaw assumptions are documented inline. When a real OpenClaw instance
6
6
  * becomes available, validate each assumption.
7
7
  *
8
- * Patent: USPTO App. No. 19/433,835
9
8
  * Copyright (c) 2026 Attested Intelligence Holdings LLC
10
9
  * SPDX-License-Identifier: MIT
11
10
  */
@@ -1 +1 @@
1
- {"version":3,"file":"openclaw.js","sourceRoot":"","sources":["../../src/adapters/openclaw.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AA+B9B,MAAM,OAAO,eAAe;IAClB,UAAU,GAAkB,IAAI,CAAC;IACjC,UAAU,GAAkB,IAAI,CAAC;IAEjC,cAAc;QACpB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,UAAmB;QAC9B,MAAM,CAAC,GAAG,UAAU,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;QAC9C,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,UAAU,GAAG,CAAC,GAAG,aAAa,CAAC;QAEpC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;YACtB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACnC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;YACvD,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,IAAI,EAAE,CAAC;gBACP,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,gBAAgB,IAAI,SAAS;aAChE,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACnC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAE7D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;QACrE,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;QACxC,OAAO,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;YACrD,IAAI;YACJ,GAAI,KAAiC;SACtC,CAAC,CAAC,CAAC;IACN,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,SAAiB,EAAE,SAA4B;QACnE,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAEjF,kBAAkB;QAClB,MAAM,eAAe,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAClE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,eAAe,CAAC,CAAC;QAEnD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QAE3C,sDAAsD;QACtD,qDAAqD;QACrD,KAAK,MAAM,MAAM,IAAI,SAAS,EAAE,CAAC;YAC/B,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAEhD,6CAA6C;gBAC7C,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG;oBAC/B,yBAAyB;oBACzB,GAAG,EAAE,oBAAoB,SAAS,EAAE;oBACpC,oBAAoB;oBACpB,aAAa,EAAE,QAAQ;oBACvB,aAAa,EAAE,IAAI;iBACpB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAEjF,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YACnC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;YAClD,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACjC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;CACF"}
1
+ {"version":3,"file":"openclaw.js","sourceRoot":"","sources":["../../src/adapters/openclaw.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AA+B9B,MAAM,OAAO,eAAe;IAClB,UAAU,GAAkB,IAAI,CAAC;IACjC,UAAU,GAAkB,IAAI,CAAC;IAEjC,cAAc;QACpB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,UAAmB;QAC9B,MAAM,CAAC,GAAG,UAAU,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;QAC9C,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,UAAU,GAAG,CAAC,GAAG,aAAa,CAAC;QAEpC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;YACtB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACnC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;YACvD,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,IAAI,EAAE,CAAC;gBACP,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,gBAAgB,IAAI,SAAS;aAChE,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACnC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAE7D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;QACrE,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;QACxC,OAAO,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;YACrD,IAAI;YACJ,GAAI,KAAiC;SACtC,CAAC,CAAC,CAAC;IACN,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,SAAiB,EAAE,SAA4B;QACnE,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAEjF,kBAAkB;QAClB,MAAM,eAAe,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAClE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,eAAe,CAAC,CAAC;QAEnD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QAE3C,sDAAsD;QACtD,qDAAqD;QACrD,KAAK,MAAM,MAAM,IAAI,SAAS,EAAE,CAAC;YAC/B,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAEhD,6CAA6C;gBAC7C,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG;oBAC/B,yBAAyB;oBACzB,GAAG,EAAE,oBAAoB,SAAS,EAAE;oBACpC,oBAAoB;oBACpB,aAAa,EAAE,QAAQ;oBACvB,aAAa,EAAE,IAAI;iBACpB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAEjF,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YACnC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;YAClD,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACjC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;CACF"}
@@ -1,6 +1,13 @@
1
1
  import type { KeyPair, MerkleInclusionProof } from '../crypto/types.js';
2
- import type { EvidenceBundle, PolicyArtifact, SignedReceipt, CheckpointReference } from './types.js';
3
- export declare function generateBundle(artifact: PolicyArtifact, receipts: SignedReceipt[], proofs: MerkleInclusionProof[], checkpoint: CheckpointReference, kp: KeyPair): EvidenceBundle;
2
+ import type { EvidenceBundle, PolicyArtifact, SignedReceipt, CheckpointReference, VerificationTier } from './types.js';
3
+ /**
4
+ * Generate an evidence bundle. Original signature preserved for backward compatibility.
5
+ * Tiered bundle generation (CAISI §3b):
6
+ * BRONZE - artifact + receipts only (proofs omitted)
7
+ * SILVER - artifact + receipts + Merkle proofs
8
+ * GOLD - artifact + receipts + Merkle proofs + anchor checkpoint reference
9
+ */
10
+ export declare function generateBundle(artifact: PolicyArtifact, receipts: SignedReceipt[], proofs: MerkleInclusionProof[], checkpoint: CheckpointReference, kp: KeyPair, tier?: VerificationTier): EvidenceBundle;
4
11
  export interface VerificationResult {
5
12
  step1_artifact_sig: boolean;
6
13
  step2_receipt_sigs: boolean;
@@ -1 +1 @@
1
- {"version":3,"file":"bundle.d.ts","sourceRoot":"","sources":["../../src/core/bundle.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,KAAK,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAErG,wBAAgB,cAAc,CAAC,QAAQ,EAAE,cAAc,EAAE,QAAQ,EAAE,aAAa,EAAE,EAAE,MAAM,EAAE,oBAAoB,EAAE,EAAE,UAAU,EAAE,mBAAmB,EAAE,EAAE,EAAE,OAAO,GAAG,cAAc,CAGhL;AAED,MAAM,WAAW,kBAAkB;IACjC,kBAAkB,EAAE,OAAO,CAAC;IAAC,kBAAkB,EAAE,OAAO,CAAC;IACzD,mBAAmB,EAAE,OAAO,CAAC;IAAC,YAAY,EAAE,iBAAiB,GAAG,OAAO,CAAC;IACxE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAC;CACpC;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,GAAG,kBAAkB,CAanG"}
1
+ {"version":3,"file":"bundle.d.ts","sourceRoot":"","sources":["../../src/core/bundle.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,KAAK,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAEvH;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,cAAc,EAAE,QAAQ,EAAE,aAAa,EAAE,EAAE,MAAM,EAAE,oBAAoB,EAAE,EAAE,UAAU,EAAE,mBAAmB,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,gBAAgB,GAAG,cAAc,CAUzM;AAED,MAAM,WAAW,kBAAkB;IACjC,kBAAkB,EAAE,OAAO,CAAC;IAAC,kBAAkB,EAAE,OAAO,CAAC;IACzD,mBAAmB,EAAE,OAAO,CAAC;IAAC,YAAY,EAAE,iBAAiB,GAAG,OAAO,CAAC;IACxE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAC;CACpC;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,GAAG,kBAAkB,CAanG"}
@@ -1,8 +1,22 @@
1
1
  import { signStr, sigToB64, b64ToSig, hexToPk, verifyStr, pkToHex } from '../crypto/sign.js';
2
2
  import { verifyProof } from '../crypto/merkle.js';
3
3
  import { canonicalize } from '../utils/canonical.js';
4
- export function generateBundle(artifact, receipts, proofs, checkpoint, kp) {
5
- const unsigned = { artifact, receipts, merkle_proofs: proofs, checkpoint_reference: checkpoint, public_key: pkToHex(kp.publicKey) };
4
+ /**
5
+ * Generate an evidence bundle. Original signature preserved for backward compatibility.
6
+ * Tiered bundle generation (CAISI §3b):
7
+ * BRONZE - artifact + receipts only (proofs omitted)
8
+ * SILVER - artifact + receipts + Merkle proofs
9
+ * GOLD - artifact + receipts + Merkle proofs + anchor checkpoint reference
10
+ */
11
+ export function generateBundle(artifact, receipts, proofs, checkpoint, kp, tier) {
12
+ const effectiveTier = tier ?? 'GOLD';
13
+ const bundleProofs = effectiveTier === 'BRONZE' ? [] : proofs;
14
+ const bundleCheckpoint = effectiveTier === 'GOLD' ? checkpoint : {
15
+ ...checkpoint,
16
+ transaction_id: effectiveTier === 'BRONZE' ? '' : checkpoint.transaction_id,
17
+ anchor_network: effectiveTier === 'BRONZE' ? '' : checkpoint.anchor_network,
18
+ };
19
+ const unsigned = { artifact, receipts, merkle_proofs: bundleProofs, checkpoint_reference: bundleCheckpoint, public_key: pkToHex(kp.publicKey), verification_tier: effectiveTier };
6
20
  return { ...unsigned, bundle_signature: sigToB64(signStr(canonicalize(unsigned), kp.secretKey)) };
7
21
  }
8
22
  export function verifyBundleOffline(bundle, pinnedPkHex) {
@@ -1 +1 @@
1
- {"version":3,"file":"bundle.js","sourceRoot":"","sources":["../../src/core/bundle.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC7F,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAIrD,MAAM,UAAU,cAAc,CAAC,QAAwB,EAAE,QAAyB,EAAE,MAA8B,EAAE,UAA+B,EAAE,EAAW;IAC9J,MAAM,QAAQ,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,EAAE,oBAAoB,EAAE,UAAU,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC;IACpI,OAAO,EAAE,GAAG,QAAQ,EAAE,gBAAgB,EAAE,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;AACpG,CAAC;AAQD,MAAM,UAAU,mBAAmB,CAAC,MAAsB,EAAE,WAAmB;IAC7E,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;IACnD,MAAM,EAAE,GAAG,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;IAC7E,IAAI,CAAC,EAAE;QAAE,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IAClD,IAAI,EAAE,GAAG,IAAI,CAAC;IACd,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QAChC,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,YAAY,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YAAC,EAAE,GAAG,KAAK,CAAC;YAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,UAAU,aAAa,CAAC,CAAC;QAAC,CAAC;IAC9J,CAAC;IACD,IAAI,EAAE,GAAG,IAAI,CAAC;IACd,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;YAAC,EAAE,GAAG,KAAK,CAAC;YAAC,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;QAAC,CAAC;IAAC,CAAC;IACtI,OAAO,EAAE,kBAAkB,EAAE,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE,mBAAmB,EAAE,EAAE,EAAE,YAAY,EAAE,iBAAiB,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC;AACvJ,CAAC"}
1
+ {"version":3,"file":"bundle.js","sourceRoot":"","sources":["../../src/core/bundle.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC7F,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAIrD;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAAC,QAAwB,EAAE,QAAyB,EAAE,MAA8B,EAAE,UAA+B,EAAE,EAAW,EAAE,IAAuB;IACvL,MAAM,aAAa,GAAG,IAAI,IAAI,MAAM,CAAC;IACrC,MAAM,YAAY,GAAG,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;IAC9D,MAAM,gBAAgB,GAAwB,aAAa,KAAK,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;QACpF,GAAG,UAAU;QACb,cAAc,EAAE,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,cAAc;QAC3E,cAAc,EAAE,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,cAAc;KAC5E,CAAC;IACF,MAAM,QAAQ,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,YAAY,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,iBAAiB,EAAE,aAAa,EAAE,CAAC;IAClL,OAAO,EAAE,GAAG,QAAQ,EAAE,gBAAgB,EAAE,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;AACpG,CAAC;AAQD,MAAM,UAAU,mBAAmB,CAAC,MAAsB,EAAE,WAAmB;IAC7E,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;IACnD,MAAM,EAAE,GAAG,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;IAC7E,IAAI,CAAC,EAAE;QAAE,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IAClD,IAAI,EAAE,GAAG,IAAI,CAAC;IACd,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QAChC,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,YAAY,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YAAC,EAAE,GAAG,KAAK,CAAC;YAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,UAAU,aAAa,CAAC,CAAC;QAAC,CAAC;IAC9J,CAAC;IACD,IAAI,EAAE,GAAG,IAAI,CAAC;IACd,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;YAAC,EAAE,GAAG,KAAK,CAAC;YAAC,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;QAAC,CAAC;IAAC,CAAC;IACtI,OAAO,EAAE,kBAAkB,EAAE,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE,mBAAmB,EAAE,EAAE,EAAE,YAAY,EAAE,iBAAiB,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC;AACvJ,CAAC"}
@@ -1,14 +1,23 @@
1
+ import type { KeyPair } from '../crypto/types.js';
2
+ import type { ContinuityEvent } from './types.js';
3
+ export { keyFingerprint } from '../crypto/sign.js';
1
4
  /**
2
- * Identity operations: key fingerprinting, validation, rotation.
5
+ * Check whether a key is still valid given its issuance time and TTL.
6
+ * NCCoE §2: non-biometric identity validity check.
3
7
  */
4
- import { keyFingerprint, isKeyValid } from '../crypto/keys.js';
5
- import type { KeyPair } from '../types.js';
6
- export { keyFingerprint, isKeyValid };
7
- export interface KeyRotationResult {
8
+ export declare function isKeyValid(issuedAt: string, ttlSeconds: number): boolean;
9
+ /**
10
+ * Generate a new key pair for rotation, returning both old and new for
11
+ * a transition period defined by policy. NCCoE §3: key rotation.
12
+ */
13
+ export declare function rotateKeyPair(currentKeyPair: KeyPair): {
14
+ oldKeyPair: KeyPair;
8
15
  newKeyPair: KeyPair;
9
- newPublicKeyHex: string;
10
- oldPublicKeyHex: string;
11
- rotatedAt: string;
12
- }
13
- export declare function rotateKeys(oldKP: KeyPair): KeyRotationResult;
16
+ };
17
+ /**
18
+ * Record a key rotation event on the continuity chain.
19
+ * NCCoE §3: "Key rotation is handled by including both old and new public keys
20
+ * during a transition period defined by policy."
21
+ */
22
+ export declare function recordKeyRotation(prevEvent: ContinuityEvent, keypairType: string, oldPublicKeyHex: string, newPublicKeyHex: string, reason: string, signingKeyPair: KeyPair): ContinuityEvent;
14
23
  //# sourceMappingURL=identity.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/core/identity.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,cAAc,EAAE,UAAU,EAAiB,MAAM,mBAAmB,CAAC;AAE9E,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAE3C,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC;AAEtC,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,OAAO,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,iBAAiB,CAQ5D"}
1
+ {"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/core/identity.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAE,eAAe,EAAqB,MAAM,YAAY,CAAC;AAGrE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEnD;;;GAGG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAExE;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,cAAc,EAAE,OAAO,GAAG;IAAE,UAAU,EAAE,OAAO,CAAC;IAAC,UAAU,EAAE,OAAO,CAAA;CAAE,CAGnG;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,eAAe,EAC1B,WAAW,EAAE,MAAM,EACnB,eAAe,EAAE,MAAM,EACvB,eAAe,EAAE,MAAM,EACvB,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,OAAO,GACtB,eAAe,CAUjB"}
@@ -1,16 +1,50 @@
1
1
  /**
2
- * Identity operations: key fingerprinting, validation, rotation.
2
+ * Identity and Key Lifecycle.
3
+ *
4
+ * Non-biometric cryptographic identity: agent identity derived from
5
+ * cryptographic key pair bound to append-only attestation history in
6
+ * continuity chain. Authority from valid signature history, not biometric traits.
7
+ *
8
+ * Functions:
9
+ * - keyFingerprint: re-exported from crypto/sign.ts for convenience
10
+ * - isKeyValid: check key TTL expiry
11
+ * - rotateKeyPair: generate new key pair for rotation
12
+ * - recordKeyRotation: append KEY_ROTATION event to chain
3
13
  */
4
- import { keyFingerprint, isKeyValid, rotateKeyPair } from '../crypto/keys.js';
5
- import { pkToHex } from '../crypto/sign.js';
6
- export { keyFingerprint, isKeyValid };
7
- export function rotateKeys(oldKP) {
8
- const newKP = rotateKeyPair();
9
- return {
10
- newKeyPair: newKP,
11
- newPublicKeyHex: pkToHex(newKP.publicKey),
12
- oldPublicKeyHex: pkToHex(oldKP.publicKey),
13
- rotatedAt: new Date().toISOString(),
14
+ import { generateKeyPair } from '../crypto/sign.js';
15
+ import { isExpired } from '../utils/timestamp.js';
16
+ import { appendEvent } from './chain.js';
17
+ // Re-export keyFingerprint for identity module consumers (NCCoE §2)
18
+ export { keyFingerprint } from '../crypto/sign.js';
19
+ /**
20
+ * Check whether a key is still valid given its issuance time and TTL.
21
+ * NCCoE §2: non-biometric identity validity check.
22
+ */
23
+ export function isKeyValid(issuedAt, ttlSeconds) {
24
+ return !isExpired(issuedAt, ttlSeconds);
25
+ }
26
+ /**
27
+ * Generate a new key pair for rotation, returning both old and new for
28
+ * a transition period defined by policy. NCCoE §3: key rotation.
29
+ */
30
+ export function rotateKeyPair(currentKeyPair) {
31
+ const newKeyPair = generateKeyPair();
32
+ return { oldKeyPair: currentKeyPair, newKeyPair };
33
+ }
34
+ /**
35
+ * Record a key rotation event on the continuity chain.
36
+ * NCCoE §3: "Key rotation is handled by including both old and new public keys
37
+ * during a transition period defined by policy."
38
+ */
39
+ export function recordKeyRotation(prevEvent, keypairType, oldPublicKeyHex, newPublicKeyHex, reason, signingKeyPair) {
40
+ const payload = {
41
+ keypair_type: keypairType,
42
+ old_public_key: oldPublicKeyHex,
43
+ new_public_key: newPublicKeyHex,
44
+ reason,
45
+ rotation_timestamp: new Date().toISOString(),
46
+ chain_sequence: prevEvent.sequence_number + 1,
14
47
  };
48
+ return appendEvent('KEY_ROTATION', payload, prevEvent, signingKeyPair);
15
49
  }
16
50
  //# sourceMappingURL=identity.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/core/identity.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAC9E,OAAO,EAAmB,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAG7D,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC;AAStC,MAAM,UAAU,UAAU,CAAC,KAAc;IACvC,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,OAAO;QACL,UAAU,EAAE,KAAK;QACjB,eAAe,EAAE,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC;QACzC,eAAe,EAAE,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC;QACzC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;AACJ,CAAC"}
1
+ {"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/core/identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,eAAe,EAA2B,MAAM,mBAAmB,CAAC;AAC7E,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAIzC,oEAAoE;AACpE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEnD;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,QAAgB,EAAE,UAAkB;IAC7D,OAAO,CAAC,SAAS,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;AAC1C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,cAAuB;IACnD,MAAM,UAAU,GAAG,eAAe,EAAE,CAAC;IACrC,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC;AACpD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAC/B,SAA0B,EAC1B,WAAmB,EACnB,eAAuB,EACvB,eAAuB,EACvB,MAAc,EACd,cAAuB;IAEvB,MAAM,OAAO,GAAsB;QACjC,YAAY,EAAE,WAAW;QACzB,cAAc,EAAE,eAAe;QAC/B,cAAc,EAAE,eAAe;QAC/B,MAAM;QACN,kBAAkB,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5C,cAAc,EAAE,SAAS,CAAC,eAAe,GAAG,CAAC;KAC9C,CAAC;IACF,OAAO,WAAW,CAAC,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,cAAc,CAAC,CAAC;AACzE,CAAC"}
@@ -8,6 +8,14 @@ export interface MeasurementResult {
8
8
  expectedMetaHash: HashHex;
9
9
  ttl_ok: boolean;
10
10
  revoked: boolean;
11
+ degraded?: boolean;
12
+ }
13
+ /** Degradation event record for the continuity chain. */
14
+ export interface DegradationEvent {
15
+ reason: string;
16
+ timestamp: string;
17
+ artifact_reference: HashHex;
18
+ previous_state: string;
11
19
  }
12
20
  export declare class Portal {
13
21
  state: PortalState;
@@ -15,13 +23,14 @@ export declare class Portal {
15
23
  sequenceCounter: number;
16
24
  lastLeafHash: HashHex | null;
17
25
  revocations: Set<string>;
26
+ degradationLog: DegradationEvent[];
18
27
  loadArtifact(artifact: PolicyArtifact, pinnedPkHex: string): {
19
28
  ok: boolean;
20
29
  error?: string;
21
30
  };
22
31
  measure(subjectBytes: Uint8Array, meta: SubjectMetadata): MeasurementResult;
23
32
  enforce(action: EnforcementAction): void;
24
- revoke(sealedHash: string, transitionTo?: 'TERMINATED' | 'SAFE_STATE'): void;
33
+ revoke(sealedHash: string): void;
25
34
  isRevoked(sealedHash: string): boolean;
26
35
  reset(): void;
27
36
  }
@@ -1 +1 @@
1
- {"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../src/core/portal.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClG,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,gBAAgB,EAAE,OAAO,CAAC;IAC1B,eAAe,EAAE,OAAO,CAAC;IACzB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,MAAM;IACjB,KAAK,EAAE,WAAW,CAAoB;IACtC,QAAQ,EAAE,cAAc,GAAG,IAAI,CAAQ;IACvC,eAAe,SAAK;IACpB,YAAY,EAAE,OAAO,GAAG,IAAI,CAAQ;IACpC,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAa;IAErC,YAAY,CAAC,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,GAAG;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAiB5F,OAAO,CAAC,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,eAAe,GAAG,iBAAiB;IA6B3E,OAAO,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI;IAWxC,MAAM,CAAC,UAAU,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,YAAY,GAAG,YAAY,GAAG,IAAI;IAO5E,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAEtC,KAAK,IAAI,IAAI;CAId"}
1
+ {"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../src/core/portal.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClG,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,gBAAgB,EAAE,OAAO,CAAC;IAC1B,eAAe,EAAE,OAAO,CAAC;IACzB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,yDAAyD;AACzD,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,qBAAa,MAAM;IACjB,KAAK,EAAE,WAAW,CAAoB;IACtC,QAAQ,EAAE,cAAc,GAAG,IAAI,CAAQ;IACvC,eAAe,SAAK;IACpB,YAAY,EAAE,OAAO,GAAG,IAAI,CAAQ;IACpC,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAa;IACrC,cAAc,EAAE,gBAAgB,EAAE,CAAM;IAExC,YAAY,CAAC,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,GAAG;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAiB5F,OAAO,CAAC,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,eAAe,GAAG,iBAAiB;IAuC3E,OAAO,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI;IAUxC,MAAM,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAKhC,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAEtC,KAAK,IAAI,IAAI;CAId"}