@attestplane/attestplane 0.0.1 → 0.0.3-alpha

package/dist/replay_verifier.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Replay-manifest verifier — read-only walker, NEVER re-executes.
+ *
+ * ADR-0009 A.9 + P1.1. Given a `ReplayManifest` describing which
+ * original chain segment was replayed and what observed booleans the
+ * external replay runner reported, this function checks the manifest
+ * is internally consistent against the chain provided by the caller.
+ *
+ * **Hard constraint** (per ADR-0009 § B.6 + invariant 7): this module
+ * NEVER re-executes the workload. Replay execution lives in REDLINE
+ * C.13 `aios-replay-runner`. We only walk the provided chain.
+ */
+export type ReplayCoverage = 'deterministic' | 'non_deterministic' | 'no_replay_event';
+export interface ReplayManifest {
+    readonly replay_run_id: string;
+    readonly original_run_id: string;
+    /** The runner's claimed outcome; the verifier checks the chain agrees. */
+    readonly expected_deterministic: boolean;
+    readonly snapshot_id_ref?: string;
+}
+export interface ReplayVerificationResult {
+    readonly ok: boolean;
+    readonly coverage: ReplayCoverage;
+    /** The chain seq of the matching `replay_event`, or null. */
+    readonly matching_seq: number | null;
+    readonly reason: string | null;
+}
+/** Minimal chain-event shape this verifier needs. Matches the JSONL
+ *  backend's serialised form and the ProofBundle wire format. */
+export interface ChainEventForReplay {
+    readonly seq: number;
+    readonly event_type: string;
+    readonly payload: Record<string, unknown>;
+}
+/**
+ * Check that `chainEvents` contains a `replay_event` matching `manifest`.
+ *
+ * Read-only. Pure function. Never re-executes. Never modifies anything.
+ */
+export declare function verifyReplayManifest(chainEvents: readonly ChainEventForReplay[], manifest: ReplayManifest, options?: {
+    readonly verification_time?: Date;
+}): ReplayVerificationResult;
+//# sourceMappingURL=replay_verifier.d.ts.map

package/dist/replay_verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"replay_verifier.d.ts","sourceRoot":"","sources":["../src/replay_verifier.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;GAWG;AAIH,MAAM,MAAM,cAAc,GAAG,eAAe,GAAG,mBAAmB,GAAG,iBAAiB,CAAC;AAEvF,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;IACjC,0EAA0E;IAC1E,QAAQ,CAAC,sBAAsB,EAAE,OAAO,CAAC;IACzC,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;CACnC;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,6DAA6D;IAC7D,QAAQ,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC;AAED;iEACiE;AACjE,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC3C;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAClC,WAAW,EAAE,SAAS,mBAAmB,EAAE,EAC3C,QAAQ,EAAE,cAAc,EACxB,OAAO,GAAE;IAAE,QAAQ,CAAC,iBAAiB,CAAC,EAAE,IAAI,CAAA;CAAO,GAClD,wBAAwB,CAkF1B"}

package/dist/replay_verifier.js

@@ -0,0 +1,98 @@
+// SPDX-FileCopyrightText: 2026 The Attestplane Authors
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * Replay-manifest verifier — read-only walker, NEVER re-executes.
+ *
+ * ADR-0009 A.9 + P1.1. Given a `ReplayManifest` describing which
+ * original chain segment was replayed and what observed booleans the
+ * external replay runner reported, this function checks the manifest
+ * is internally consistent against the chain provided by the caller.
+ *
+ * **Hard constraint** (per ADR-0009 § B.6 + invariant 7): this module
+ * NEVER re-executes the workload. Replay execution lives in REDLINE
+ * C.13 `aios-replay-runner`. We only walk the provided chain.
+ */
+import { validateReplayEventPayload } from './event_payloads.js';
+/**
+ * Check that `chainEvents` contains a `replay_event` matching `manifest`.
+ *
+ * Read-only. Pure function. Never re-executes. Never modifies anything.
+ */
+export function verifyReplayManifest(chainEvents, manifest, options = {}) {
+    if (!Array.isArray(chainEvents)) {
+        return {
+            ok: false,
+            coverage: 'no_replay_event',
+            matching_seq: null,
+            reason: `chainEvents must be array, got ${typeof chainEvents}`,
+        };
+    }
+    if (options.verification_time !== undefined &&
+        Number.isNaN(options.verification_time.getTime())) {
+        return {
+            ok: false,
+            coverage: 'no_replay_event',
+            matching_seq: null,
+            reason: 'verification_time must be a valid Date',
+        };
+    }
+    const candidates = [];
+    for (const ev of chainEvents) {
+        if (ev === null || typeof ev !== 'object')
+            continue;
+        if (ev.event_type !== 'replay_event')
+            continue;
+        if (ev.payload === null || typeof ev.payload !== 'object')
+            continue;
+        const payload = ev.payload;
+        if (payload.replay_run_id !== manifest.replay_run_id)
+            continue;
+        if (payload.original_run_id !== manifest.original_run_id)
+            continue;
+        if (manifest.snapshot_id_ref !== undefined &&
+            payload.snapshot_id_ref !== manifest.snapshot_id_ref) {
+            continue;
+        }
+        if (typeof ev.seq !== 'number' || !Number.isInteger(ev.seq))
+            continue;
+        candidates.push({ seq: ev.seq, payload });
+    }
+    if (candidates.length === 0) {
+        return {
+            ok: false,
+            coverage: 'no_replay_event',
+            matching_seq: null,
+            reason: `no replay_event payload found with replay_run_id=${JSON.stringify(manifest.replay_run_id)}`,
+        };
+    }
+    candidates.sort((a, b) => a.seq - b.seq);
+    const latest = candidates[candidates.length - 1];
+    const { seq, payload } = latest;
+    try {
+        validateReplayEventPayload(payload);
+    }
+    catch (exc) {
+        return {
+            ok: false,
+            coverage: 'no_replay_event',
+            matching_seq: seq,
+            reason: `matching replay_event payload failed validation: ${exc.message}`,
+        };
+    }
+    const actualDet = Boolean(payload.deterministic_result);
+    if (manifest.expected_deterministic !== actualDet) {
+        return {
+            ok: false,
+            coverage: actualDet ? 'deterministic' : 'non_deterministic',
+            matching_seq: seq,
+            reason: `manifest expected deterministic_result=${manifest.expected_deterministic}, chain payload reports ${actualDet}`,
+        };
+    }
+    return {
+        ok: true,
+        coverage: actualDet ? 'deterministic' : 'non_deterministic',
+        matching_seq: seq,
+        reason: null,
+    };
+}
+//# sourceMappingURL=replay_verifier.js.map

package/dist/replay_verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"replay_verifier.js","sourceRoot":"","sources":["../src/replay_verifier.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,sCAAsC;AACtC;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,0BAA0B,EAAE,MAAM,qBAAqB,CAAC;AA4BjE;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAClC,WAA2C,EAC3C,QAAwB,EACxB,UAAiD,EAAE;IAEnD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,QAAQ,EAAE,iBAAiB;YAC3B,YAAY,EAAE,IAAI;YAClB,MAAM,EAAE,kCAAkC,OAAO,WAAW,EAAE;SAC/D,CAAC;IACJ,CAAC;IACD,IACE,OAAO,CAAC,iBAAiB,KAAK,SAAS;QACvC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,iBAAiB,CAAC,OAAO,EAAE,CAAC,EACjD,CAAC;QACD,OAAO;YACL,EAAE,EAAE,KAAK;YACT,QAAQ,EAAE,iBAAiB;YAC3B,YAAY,EAAE,IAAI;YAClB,MAAM,EAAE,wCAAwC;SACjD,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAwD,EAAE,CAAC;IAC3E,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,IAAI,EAAE,KAAK,IAAI,IAAI,OAAO,EAAE,KAAK,QAAQ;YAAE,SAAS;QACpD,IAAI,EAAE,CAAC,UAAU,KAAK,cAAc;YAAE,SAAS;QAC/C,IAAI,EAAE,CAAC,OAAO,KAAK,IAAI,IAAI,OAAO,EAAE,CAAC,OAAO,KAAK,QAAQ;YAAE,SAAS;QACpE,MAAM,OAAO,GAAG,EAAE,CAAC,OAAO,CAAC;QAC3B,IAAI,OAAO,CAAC,aAAa,KAAK,QAAQ,CAAC,aAAa;YAAE,SAAS;QAC/D,IAAI,OAAO,CAAC,eAAe,KAAK,QAAQ,CAAC,eAAe;YAAE,SAAS;QACnE,IACE,QAAQ,CAAC,eAAe,KAAK,SAAS;YACtC,OAAO,CAAC,eAAe,KAAK,QAAQ,CAAC,eAAe,EACpD,CAAC;YACD,SAAS;QACX,CAAC;QACD,IAAI,OAAO,EAAE,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,CAAC;YAAE,SAAS;QACtE,UAAU,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO;YACL,EAAE,EAAE,KAAK;YACT,QAAQ,EAAE,iBAAiB;YAC3B,YAAY,EAAE,IAAI;YAClB,MAAM,EAAE,oDAAoD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE;SACrG,CAAC;IACJ,CAAC;IAED,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAG9C,CAAC;IACF,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC;IAEhC,IAAI,CAAC;QACH,0BAA0B,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,QAAQ,EAAE,iBAAiB;YAC3B,YAAY,EAAE,GAAG;YACjB,MAAM,EAAE,oDAAqD,GAAa,CAAC,OAAO,EAAE;SACrF,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACxD,IAAI,QAAQ,CAAC,sBAAsB,KAAK,SAAS,EAAE,CAAC;QAClD,OAAO;YACL,EAAE,EAAE,KAAK;YACT,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,mBAAmB;YAC3D,YAAY,EAAE,GAAG;YACjB,MAAM,EAAE,0CAA0C,QAAQ,CAAC,sBAAsB,2BAA2B,SAAS,EAAE;SACxH,CAAC;IACJ,CAAC;IAED,OAAO;QACL,EAAE,EAAE,IAAI;QACR,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,mBAAmB;QAC3D,YAAY,EAAE,GAAG;QACjB,MAAM,EAAE,IAAI;KACb,CAAC;AACJ,CAAC"}

package/dist/rfc3161.d.ts

@@ -0,0 +1,52 @@
+/**
+ * RFC-3161 TimeStampResp parsing + TimeStampToken signature verification
+ * (TypeScript port of `sdk/python/src/attestplane/anchoring/rfc3161.py`).
+ *
+ * Built on `src/der.ts` (hand-rolled DER reader) + Node's stdlib
+ * `crypto.verify` for RSA-PKCS1v15-SHA256. No additional npm
+ * dependencies — the TypeScript SDK keeps the same lean dep tree as
+ * v0.0.1-alpha while gaining real signature verification.
+ *
+ * The parser handles the specific structures defined in RFC-3161,
+ * RFC-5652 (CMS SignedData), and the X.509 subset needed to extract
+ * the RSA public key from a leaf cert's SubjectPublicKeyInfo.
+ *
+ * Cross-language conformance: TS reproduces Python's
+ * parse_timestamp_response semantics byte-for-byte. The
+ * anchor_vectors.json fixtures verify in both languages.
+ */
+/** Subset of TSTInfo + SignerInfo extracted from a TimeStampResp. */
+export interface ParsedTimestampTs {
+    readonly policyOid: string;
+    readonly hashAlgorithm: string;
+    readonly messageImprint: Uint8Array;
+    readonly genTime: Date;
+    readonly serialNumber: bigint;
+    readonly nonce: bigint | null;
+    readonly leafCertDer: Uint8Array;
+    readonly signedAttrsDer: Uint8Array;
+    readonly signature: Uint8Array;
+    readonly digestAlgorithmOid: string;
+    readonly signatureAlgorithmOid: string;
+}
+/** Parse a DER-encoded TimeStampResp into the substantive fields we verify. */
+export declare function parseTimestampResponse(responseDer: Uint8Array): ParsedTimestampTs;
+export interface VerifyTimestampOptions {
+    readonly expectedDigest: Uint8Array;
+    readonly trustRootsDer: readonly Uint8Array[];
+    readonly intermediatesDer?: readonly Uint8Array[];
+    readonly verificationTime?: Date;
+    readonly maxChainDepth?: number;
+}
+/**
+ * Verify a parsed TimeStampToken against the expected message digest +
+ * trust roots + intermediates.
+ *
+ * Mirrors the Python `verify_timestamp_token` API including multi-hop
+ * intermediate chain walking, time-validity checks at every cert, and
+ * BasicConstraints.cA enforcement on each intermediate.
+ *
+ * Throws `AnchorVerificationError` on any failure.
+ */
+export declare function verifyTimestampToken(parsed: ParsedTimestampTs, options: VerifyTimestampOptions): void;
+//# sourceMappingURL=rfc3161.d.ts.map

package/dist/rfc3161.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rfc3161.d.ts","sourceRoot":"","sources":["../src/rfc3161.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;GAgBG;AAuBH,qEAAqE;AACrE,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,cAAc,EAAE,UAAU,CAAC;IACpC,QAAQ,CAAC,OAAO,EAAE,IAAI,CAAC;IACvB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,QAAQ,CAAC,WAAW,EAAE,UAAU,CAAC;IACjC,QAAQ,CAAC,cAAc,EAAE,UAAU,CAAC;IACpC,QAAQ,CAAC,SAAS,EAAE,UAAU,CAAC;IAC/B,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,qBAAqB,EAAE,MAAM,CAAC;CACxC;AAwBD,+EAA+E;AAC/E,wBAAgB,sBAAsB,CAAC,WAAW,EAAE,UAAU,GAAG,iBAAiB,CAgNjF;AAuJD,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,cAAc,EAAE,UAAU,CAAC;IACpC,QAAQ,CAAC,aAAa,EAAE,SAAS,UAAU,EAAE,CAAC;IAC9C,QAAQ,CAAC,gBAAgB,CAAC,EAAE,SAAS,UAAU,EAAE,CAAC;IAClD,QAAQ,CAAC,gBAAgB,CAAC,EAAE,IAAI,CAAC;IACjC,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;CACjC;AAED;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,iBAAiB,EACzB,OAAO,EAAE,sBAAsB,GAC9B,IAAI,CA0GN"}