@certrev/cert-block 0.1.0 → 0.1.2

package/dist/contract/kernel-stub.js

@@ -1,163 +0,0 @@
-/**
- * ─────────────────────────────────────────────────────────────────────────────
- * VerdictKernel — LOCAL STUB (delete on publish; mirrors @certrev/cert-contract)
- * ─────────────────────────────────────────────────────────────────────────────
- *
- * A faithful, self-contained implementation of the cert-contract VerdictKernel so the
- * SDK's verify layer + tests run NOW, before `@certrev/cert-contract` publishes to a
- * registry this workspace installs from. The behavior is identical to the real kernel:
- *   • Ed25519 detached signature verified over the RFC-8785 (JCS) canonical bytes of
- *     `payload` (lexicographic key order, minimal whitespace, UTF-8).
- *   • Fail-closed pipeline: shape → alg → kid → signature → platform → subject →
- *     revoked → expired → drift → render. Any failure short-circuits to `suppress`.
- *   • Never throws on a bad envelope — a malformed input / throwing resolver fails
- *     closed to `suppress`, not to an exception a caller might swallow into a render.
- *
- * The byte-identical canonicalization across PHP / Node is what makes the credential
- * portable; here we hand-roll a deterministic JCS serializer (sufficient for the
- * envelope's all-string/number/bool/array/object shape — no exotic numbers) so the SDK
- * carries no production crypto-canonicalization of its own that could DRIFT from the
- * contract. On publish, the real `canonicalize` (RFC 8785) from cert-contract is used.
- *
- * INTEGRATION: delete this file + `./kernel-contract.ts`; import `verifyEnvelope`,
- * `renderVerdict`, `verifySignatureOnly`, `toEd25519PublicKey` from
- * `@certrev/cert-contract`. See README "Integration TODOs".
- */
-import { createPublicKey, verify as nodeVerify } from 'node:crypto';
-import { CONTRACT_VERSION, SIGNATURE_ALG } from './kernel-contract.js';
-// ── RFC-8785 (JCS) canonicalization — minimal, deterministic, envelope-shaped ─────
-/**
- * Serialize a JSON value to its RFC-8785 canonical string form: object keys sorted by
- * UTF-16 code unit, no insignificant whitespace, JSON string escaping. The payload is
- * all strings / finite numbers / booleans / null / arrays / objects, so we do NOT need
- * the full ECMAScript number-formatting machinery the production `canonicalize` package
- * implements — integers + ISO strings serialize identically either way. This stub
- * exists only so tests run; the published path uses cert-contract's vetted JCS.
- */
-function jcs(value) {
-    if (value === null)
-        return 'null';
-    const t = typeof value;
-    if (t === 'string')
-        return JSON.stringify(value);
-    if (t === 'number') {
-        if (!Number.isFinite(value))
-            throw new Error('jcs: non-finite number');
-        return JSON.stringify(value);
-    }
-    if (t === 'boolean')
-        return value ? 'true' : 'false';
-    if (Array.isArray(value)) {
-        return `[${value.map((v) => jcs(v)).join(',')}]`;
-    }
-    if (t === 'object') {
-        const obj = value;
-        const keys = Object.keys(obj)
-            .filter((k) => obj[k] !== undefined)
-            .sort();
-        return `{${keys.map((k) => `${JSON.stringify(k)}:${jcs(obj[k])}`).join(',')}}`;
-    }
-    throw new Error(`jcs: unsupported value type ${t}`);
-}
-function canonicalPayloadBytes(payload) {
-    return new TextEncoder().encode(jcs(payload));
-}
-function base64urlDecode(s) {
-    return new Uint8Array(Buffer.from(s, 'base64url'));
-}
-const RAW_SPKI_PREFIX = Uint8Array.from([0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00]);
-/** Mirror of cert-contract's `toEd25519PublicKey` for the input encodings the SDK uses. */
-function toEd25519PublicKey(input) {
-    switch (input.format) {
-        case 'pem':
-            return createPublicKey({ key: input.pem, format: 'pem' });
-        case 'spki-base64':
-            return createPublicKey({ key: Buffer.from(input.base64, 'base64'), format: 'der', type: 'spki' });
-        case 'spki-der':
-            return createPublicKey({ key: Buffer.from(input.bytes), format: 'der', type: 'spki' });
-        case 'raw': {
-            if (input.bytes.length !== 32) {
-                throw new Error(`ed25519 raw public key must be 32 bytes, got ${input.bytes.length}`);
-            }
-            const spki = new Uint8Array(RAW_SPKI_PREFIX.length + 32);
-            spki.set(RAW_SPKI_PREFIX, 0);
-            spki.set(input.bytes, RAW_SPKI_PREFIX.length);
-            return createPublicKey({ key: Buffer.from(spki), format: 'der', type: 'spki' });
-        }
-    }
-}
-function verifyDetached(payload, sigBase64url, publicKey) {
-    try {
-        return nodeVerify(null, canonicalPayloadBytes(payload), publicKey, base64urlDecode(sigBase64url));
-    }
-    catch {
-        return false;
-    }
-}
-async function verifyCryptographic(envelope, resolveKid) {
-    const { payload, signature } = envelope ?? {};
-    if (!payload || !signature || payload.contractVersion !== CONTRACT_VERSION) {
-        return { ok: false, reason: 'unsupported_contract_version' };
-    }
-    if (signature.alg !== SIGNATURE_ALG) {
-        return { ok: false, reason: 'unsupported_alg' };
-    }
-    const resolved = await resolveKid(signature.kid);
-    if (!resolved) {
-        return { ok: false, reason: 'unknown_key' };
-    }
-    let key;
-    try {
-        key = toEd25519PublicKey(resolved);
-    }
-    catch {
-        return { ok: false, reason: 'unknown_key' };
-    }
-    if (!verifyDetached(payload, signature.sig, key)) {
-        return { ok: false, reason: 'invalid_signature' };
-    }
-    return { ok: true };
-}
-/** Phase-2-only policy verdict over an already-authentic payload. Pure + synchronous. */
-export function renderVerdict(payload, ctx) {
-    const now = ctx.now ?? new Date();
-    if (payload.subject.platform !== ctx.platform) {
-        return { decision: 'suppress', reason: 'platform_mismatch' };
-    }
-    if (payload.subject.externalId !== ctx.externalId) {
-        return { decision: 'suppress', reason: 'subject_mismatch' };
-    }
-    if (payload.lifecycle.revokedAt !== null) {
-        return { decision: 'suppress', reason: 'revoked' };
-    }
-    if (now.getTime() >= Date.parse(payload.lifecycle.expiresAt)) {
-        return { decision: 'suppress', reason: 'expired' };
-    }
-    const bound = payload.subject.contentDigest;
-    const live = ctx.liveContentHash;
-    if (bound !== null && live != null && bound !== live) {
-        return { decision: 'suppress', reason: 'content_drift' };
-    }
-    return { decision: 'render', payload };
-}
-/** Phase-1-only cryptographic verification. */
-export async function verifySignatureOnly(envelope, resolveKid) {
-    return verifyCryptographic(envelope, resolveKid);
-}
-/** Full kernel: verify signature, then apply policy. Fail-closed, never throws. */
-export async function verifyEnvelope(envelope, resolveKid, ctx) {
-    let crypto;
-    try {
-        crypto = await verifyCryptographic(envelope, resolveKid);
-    }
-    catch {
-        return { decision: 'suppress', reason: 'unknown_key' };
-    }
-    if (!crypto.ok) {
-        return { decision: 'suppress', reason: crypto.reason };
-    }
-    return renderVerdict(envelope.payload, ctx);
-}
-/** Re-export for tests that need to build a public key from raw/spki bytes. */
-export { toEd25519PublicKey };
-//# sourceMappingURL=kernel-stub.js.map

package/dist/contract/kernel-stub.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"kernel-stub.js","sourceRoot":"","sources":["../../src/contract/kernel-stub.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAAE,eAAe,EAAkB,MAAM,IAAI,UAAU,EAAE,MAAM,aAAa,CAAA;AAUnF,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAEtE,qFAAqF;AACrF;;;;;;;GAOG;AACH,SAAS,GAAG,CAAC,KAAc;IAC1B,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAA;IACjC,MAAM,CAAC,GAAG,OAAO,KAAK,CAAA;IACtB,IAAI,CAAC,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;IAChD,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;QACpB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAe,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAA;QAChF,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;IAC7B,CAAC;IACD,IAAI,CAAC,KAAK,SAAS;QAAE,OAAQ,KAAiB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAA;IACjE,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAA;IACjD,CAAC;IACD,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;QACpB,MAAM,GAAG,GAAG,KAAgC,CAAA;QAC5C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;aAC3B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC;aACnC,IAAI,EAAE,CAAA;QACR,OAAO,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAA;IAC/E,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,EAAE,CAAC,CAAA;AACpD,CAAC;AAED,SAAS,qBAAqB,CAAC,OAAoB;IAClD,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAA;AAC9C,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IACjC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,CAAA;AACnD,CAAC;AAED,MAAM,eAAe,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAA;AAEjH,2FAA2F;AAC3F,SAAS,kBAAkB,CAAC,KAA4B;IACvD,QAAQ,KAAK,CAAC,MAAM,EAAE,CAAC;QACtB,KAAK,KAAK;YACT,OAAO,eAAe,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAA;QAC1D,KAAK,aAAa;YACjB,OAAO,eAAe,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAA;QAClG,KAAK,UAAU;YACd,OAAO,eAAe,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAA;QACvF,KAAK,KAAK,CAAC,CAAC,CAAC;YACZ,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;gBAC/B,MAAM,IAAI,KAAK,CAAC,gDAAgD,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAA;YACtF,CAAC;YACD,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,eAAe,CAAC,MAAM,GAAG,EAAE,CAAC,CAAA;YACxD,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC,CAAC,CAAA;YAC5B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,EAAE,eAAe,CAAC,MAAM,CAAC,CAAA;YAC7C,OAAO,eAAe,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAA;QAChF,CAAC;IACF,CAAC;AACF,CAAC;AAED,SAAS,cAAc,CAAC,OAAoB,EAAE,YAAoB,EAAE,SAAoB;IACvF,IAAI,CAAC;QACJ,OAAO,UAAU,CAAC,IAAI,EAAE,qBAAqB,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,eAAe,CAAC,YAAY,CAAC,CAAC,CAAA;IAClG,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,KAAK,CAAA;IACb,CAAC;AACF,CAAC;AAID,KAAK,UAAU,mBAAmB,CACjC,QAA8B,EAC9B,UAAiC;IAEjC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,QAAQ,IAAK,EAA2B,CAAA;IACvE,IAAI,CAAC,OAAO,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC,eAAe,KAAK,gBAAgB,EAAE,CAAC;QAC5E,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAA;IAC7D,CAAC;IACD,IAAI,SAAS,CAAC,GAAG,KAAK,aAAa,EAAE,CAAC;QACrC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAA;IAChD,CAAC;IACD,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;IAChD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACf,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAA;IAC5C,CAAC;IACD,IAAI,GAAc,CAAA;IAClB,IAAI,CAAC;QACJ,GAAG,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAA;IACnC,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAA;IAC5C,CAAC;IACD,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,SAAS,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;QAClD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;IAClD,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;AACpB,CAAC;AAED,yFAAyF;AACzF,MAAM,UAAU,aAAa,CAAC,OAAoB,EAAE,GAAkB;IACrE,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAA;IACjC,IAAI,OAAO,CAAC,OAAO,CAAC,QAAQ,KAAK,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC/C,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;IAC7D,CAAC;IACD,IAAI,OAAO,CAAC,OAAO,CAAC,UAAU,KAAK,GAAG,CAAC,UAAU,EAAE,CAAC;QACnD,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAA;IAC5D,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,CAAC,SAAS,KAAK,IAAI,EAAE,CAAC;QAC1C,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,CAAA;IACnD,CAAC;IACD,IAAI,GAAG,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9D,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,CAAA;IACnD,CAAC;IACD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAA;IAC3C,MAAM,IAAI,GAAG,GAAG,CAAC,eAAe,CAAA;IAChC,IAAI,KAAK,KAAK,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACtD,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,eAAe,EAAE,CAAA;IACzD,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAA;AACvC,CAAC;AAED,+CAA+C;AAC/C,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACxC,QAA8B,EAC9B,UAAiC;IAEjC,OAAO,mBAAmB,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAA;AACjD,CAAC;AAED,mFAAmF;AACnF,MAAM,CAAC,KAAK,UAAU,cAAc,CACnC,QAA8B,EAC9B,UAAiC,EACjC,GAAkB;IAElB,IAAI,MAAoB,CAAA;IACxB,IAAI,CAAC;QACJ,MAAM,GAAG,MAAM,mBAAmB,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAA;IACzD,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,CAAA;IACvD,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QAChB,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAA;IACvD,CAAC;IACD,OAAO,aAAa,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AAC5C,CAAC;AAED,+EAA+E;AAC/E,OAAO,EAAE,kBAAkB,EAAE,CAAA"}