npm - @clawbureau/clawverify-core - Versions diffs - 0.1.0 - Mend

@clawbureau/clawverify-core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (67) hide show

package/LICENSE +21 -0
package/README.md +40 -0
package/dist/crypto.d.ts +27 -0
package/dist/crypto.d.ts.map +1 -0
package/dist/crypto.js +124 -0
package/dist/crypto.js.map +1 -0
package/dist/index.d.ts +27 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +24 -0
package/dist/index.js.map +1 -0
package/dist/jcs.d.ts +13 -0
package/dist/jcs.d.ts.map +1 -0
package/dist/jcs.js +43 -0
package/dist/jcs.js.map +1 -0
package/dist/model-identity.d.ts +46 -0
package/dist/model-identity.d.ts.map +1 -0
package/dist/model-identity.js +233 -0
package/dist/model-identity.js.map +1 -0
package/dist/schema-registry.d.ts +99 -0
package/dist/schema-registry.d.ts.map +1 -0
package/dist/schema-registry.js +259 -0
package/dist/schema-registry.js.map +1 -0
package/dist/schema-validation.d.ts +35 -0
package/dist/schema-validation.d.ts.map +1 -0
package/dist/schema-validation.js +156 -0
package/dist/schema-validation.js.map +1 -0
package/dist/schema-validators.generated.d.ts +158 -0
package/dist/schema-validators.generated.d.ts.map +1 -0
package/dist/schema-validators.generated.js +19186 -0
package/dist/schema-validators.generated.js.map +1 -0
package/dist/types.d.ts +910 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +33 -0
package/dist/types.js.map +1 -0
package/dist/verify-audit-result-attestation.d.ts +32 -0
package/dist/verify-audit-result-attestation.d.ts.map +1 -0
package/dist/verify-audit-result-attestation.js +396 -0
package/dist/verify-audit-result-attestation.js.map +1 -0
package/dist/verify-derivation-attestation.d.ts +30 -0
package/dist/verify-derivation-attestation.d.ts.map +1 -0
package/dist/verify-derivation-attestation.js +371 -0
package/dist/verify-derivation-attestation.js.map +1 -0
package/dist/verify-execution-attestation.d.ts +32 -0
package/dist/verify-execution-attestation.d.ts.map +1 -0
package/dist/verify-execution-attestation.js +578 -0
package/dist/verify-execution-attestation.js.map +1 -0
package/dist/verify-export-bundle.d.ts +14 -0
package/dist/verify-export-bundle.d.ts.map +1 -0
package/dist/verify-export-bundle.js +307 -0
package/dist/verify-export-bundle.js.map +1 -0
package/dist/verify-log-inclusion-proof.d.ts +16 -0
package/dist/verify-log-inclusion-proof.d.ts.map +1 -0
package/dist/verify-log-inclusion-proof.js +216 -0
package/dist/verify-log-inclusion-proof.js.map +1 -0
package/dist/verify-proof-bundle.d.ts +48 -0
package/dist/verify-proof-bundle.d.ts.map +1 -0
package/dist/verify-proof-bundle.js +1708 -0
package/dist/verify-proof-bundle.js.map +1 -0
package/dist/verify-receipt.d.ts +30 -0
package/dist/verify-receipt.d.ts.map +1 -0
package/dist/verify-receipt.js +408 -0
package/dist/verify-receipt.js.map +1 -0
package/dist/verify-web-receipt.d.ts +21 -0
package/dist/verify-web-receipt.d.ts.map +1 -0
package/dist/verify-web-receipt.js +341 -0
package/dist/verify-web-receipt.js.map +1 -0
package/package.json +54 -0

package/dist/verify-derivation-attestation.js ADDED Viewed

@@ -0,0 +1,371 @@
+/**
+ * Derivation Attestation Verification
+ * CVF-US-017: Verify derivation attestations (Prepare analogue)
+ */
+import { isAllowedVersion, isAllowedType, isAllowedAlgorithm, isAllowedHashAlgorithm, isValidDidFormat, isValidBase64Url, isValidIsoDate, } from './schema-registry.js';
+import { computeHash, base64UrlDecode, extractPublicKeyFromDidKey, verifySignature, } from './crypto.js';
+import { validateDerivationAttestationEnvelopeV1 } from './schema-validation.js';
+import { verifyLogInclusionProof } from './verify-log-inclusion-proof.js';
+function isRecord(x) {
+    return typeof x === 'object' && x !== null && !Array.isArray(x);
+}
+function normalizeModelIdentityTier(tier) {
+    if (tier === 'closed_opaque')
+        return 'closed_opaque';
+    if (tier === 'closed_provider_manifest')
+        return 'closed_provider_manifest';
+    if (tier === 'openweights_hashable')
+        return 'openweights_hashable';
+    if (tier === 'tee_measured')
+        return 'tee_measured';
+    return 'unknown';
+}
+function extractModelSummary(identity) {
+    if (!isRecord(identity))
+        return {};
+    const tier = normalizeModelIdentityTier(identity.tier);
+    const model = isRecord(identity.model) ? identity.model : null;
+    const provider = model && typeof model.provider === 'string' ? model.provider : undefined;
+    const name = model && typeof model.name === 'string' ? model.name : undefined;
+    return { provider, name, tier };
+}
+function validateEnvelopeStructure(envelope) {
+    if (typeof envelope !== 'object' || envelope === null)
+        return false;
+    const e = envelope;
+    return ('envelope_version' in e &&
+        'envelope_type' in e &&
+        'payload' in e &&
+        'payload_hash_b64u' in e &&
+        'hash_algorithm' in e &&
+        'signature_b64u' in e &&
+        'algorithm' in e &&
+        'signer_did' in e &&
+        'issued_at' in e);
+}
+export async function verifyDerivationAttestation(envelope, options = {}) {
+    const now = new Date().toISOString();
+    // 1) Envelope structure
+    if (!validateEnvelopeStructure(envelope)) {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: 'Malformed envelope: missing required fields',
+                verified_at: now,
+            },
+            error: {
+                code: 'MALFORMED_ENVELOPE',
+                message: 'Envelope is missing required fields or has invalid structure',
+            },
+        };
+    }
+    // 2) Allowlisted version
+    if (!isAllowedVersion(envelope.envelope_version)) {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: `Unknown envelope version: ${envelope.envelope_version}`,
+                verified_at: now,
+            },
+            error: {
+                code: 'UNKNOWN_ENVELOPE_VERSION',
+                message: `Envelope version "${envelope.envelope_version}" is not in the allowlist`,
+                field: 'envelope_version',
+            },
+        };
+    }
+    // 3) Allowlisted type
+    if (!isAllowedType(envelope.envelope_type)) {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: `Unknown envelope type: ${envelope.envelope_type}`,
+                verified_at: now,
+            },
+            error: {
+                code: 'UNKNOWN_ENVELOPE_TYPE',
+                message: `Envelope type "${envelope.envelope_type}" is not in the allowlist`,
+                field: 'envelope_type',
+            },
+        };
+    }
+    // 4) Correct endpoint type
+    if (envelope.envelope_type !== 'derivation_attestation') {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: `Expected derivation_attestation envelope, got: ${envelope.envelope_type}`,
+                verified_at: now,
+            },
+            error: {
+                code: 'UNKNOWN_ENVELOPE_TYPE',
+                message: 'This endpoint only accepts derivation_attestation envelopes',
+                field: 'envelope_type',
+            },
+        };
+    }
+    // 5) Allowlisted algorithms
+    if (!isAllowedAlgorithm(envelope.algorithm)) {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: `Unknown signature algorithm: ${envelope.algorithm}`,
+                verified_at: now,
+            },
+            error: {
+                code: 'UNKNOWN_ALGORITHM',
+                message: `Signature algorithm "${envelope.algorithm}" is not in the allowlist`,
+                field: 'algorithm',
+            },
+        };
+    }
+    if (!isAllowedHashAlgorithm(envelope.hash_algorithm)) {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: `Unknown hash algorithm: ${envelope.hash_algorithm}`,
+                verified_at: now,
+            },
+            error: {
+                code: 'UNKNOWN_HASH_ALGORITHM',
+                message: `Hash algorithm "${envelope.hash_algorithm}" is not in the allowlist`,
+                field: 'hash_algorithm',
+            },
+        };
+    }
+    // 6) Strict JSON schema validation (Ajv standalone)
+    const schemaResult = validateDerivationAttestationEnvelopeV1(envelope);
+    if (!schemaResult.valid) {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: schemaResult.message,
+                envelope_type: envelope.envelope_type,
+                signer_did: envelope.signer_did,
+                verified_at: now,
+            },
+            error: {
+                code: 'SCHEMA_VALIDATION_FAILED',
+                message: schemaResult.message,
+                field: schemaResult.field,
+            },
+        };
+    }
+    // 7) DID format
+    if (!isValidDidFormat(envelope.signer_did)) {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: `Invalid DID format: ${envelope.signer_did}`,
+                verified_at: now,
+            },
+            error: {
+                code: 'INVALID_DID_FORMAT',
+                message: 'Signer DID does not match expected format (did:key:... or did:web:...)',
+                field: 'signer_did',
+            },
+        };
+    }
+    // 8) Fail-closed allowlist
+    if (!options.allowlistedSignerDids || options.allowlistedSignerDids.length === 0) {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: 'Derivation attestation signer allowlist not configured',
+                envelope_type: envelope.envelope_type,
+                signer_did: envelope.signer_did,
+                verified_at: now,
+            },
+            error: {
+                code: 'DEPENDENCY_NOT_CONFIGURED',
+                message: 'Derivation attestation signer allowlist is not configured. Set DERIVATION_ATTESTATION_SIGNER_DIDS to enable verification.',
+                field: 'env.DERIVATION_ATTESTATION_SIGNER_DIDS',
+            },
+        };
+    }
+    if (!options.allowlistedSignerDids.includes(envelope.signer_did)) {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: 'Attestation signer DID is not allowlisted',
+                envelope_type: envelope.envelope_type,
+                signer_did: envelope.signer_did,
+                verified_at: now,
+            },
+            error: {
+                code: 'CLAIM_NOT_FOUND',
+                message: `Signer DID '${envelope.signer_did}' is not in the allowlisted derivation attester list`,
+                field: 'signer_did',
+            },
+        };
+    }
+    // 9) issued_at
+    if (!isValidIsoDate(envelope.issued_at)) {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: 'Invalid issued_at date format',
+                verified_at: now,
+            },
+            error: {
+                code: 'MALFORMED_ENVELOPE',
+                message: 'issued_at must be a valid ISO 8601 date string',
+                field: 'issued_at',
+            },
+        };
+    }
+    // 10) base64url fields
+    if (!isValidBase64Url(envelope.payload_hash_b64u)) {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: 'Invalid payload_hash_b64u format',
+                verified_at: now,
+            },
+            error: {
+                code: 'MALFORMED_ENVELOPE',
+                message: 'payload_hash_b64u must be a valid base64url string',
+                field: 'payload_hash_b64u',
+            },
+        };
+    }
+    if (!isValidBase64Url(envelope.signature_b64u)) {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: 'Invalid signature_b64u format',
+                verified_at: now,
+            },
+            error: {
+                code: 'MALFORMED_ENVELOPE',
+                message: 'signature_b64u must be a valid base64url string',
+                field: 'signature_b64u',
+            },
+        };
+    }
+    // 11) Hash recompute
+    try {
+        const computedHash = await computeHash(envelope.payload, envelope.hash_algorithm);
+        if (computedHash !== envelope.payload_hash_b64u) {
+            return {
+                result: {
+                    status: 'INVALID',
+                    reason: 'Payload hash mismatch: envelope may have been tampered with',
+                    verified_at: now,
+                },
+                error: {
+                    code: 'HASH_MISMATCH',
+                    message: 'Computed payload hash does not match envelope hash',
+                },
+            };
+        }
+    }
+    catch (err) {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: `Hash computation failed: ${err instanceof Error ? err.message : 'unknown error'}`,
+                verified_at: now,
+            },
+            error: {
+                code: 'HASH_MISMATCH',
+                message: 'Failed to compute payload hash',
+            },
+        };
+    }
+    // 12) Key extraction (did:key only)
+    const publicKeyBytes = extractPublicKeyFromDidKey(envelope.signer_did);
+    if (!publicKeyBytes) {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: 'Could not extract public key from signer DID',
+                verified_at: now,
+            },
+            error: {
+                code: 'INVALID_DID_FORMAT',
+                message: 'Unable to extract Ed25519 public key from did:key. Ensure the DID uses the Ed25519 multicodec prefix.',
+                field: 'signer_did',
+            },
+        };
+    }
+    // 13) Signature verify
+    try {
+        const signatureBytes = base64UrlDecode(envelope.signature_b64u);
+        const messageBytes = new TextEncoder().encode(envelope.payload_hash_b64u);
+        const ok = await verifySignature(envelope.algorithm, publicKeyBytes, signatureBytes, messageBytes);
+        if (!ok) {
+            return {
+                result: {
+                    status: 'INVALID',
+                    reason: 'Signature verification failed',
+                    verified_at: now,
+                },
+                error: {
+                    code: 'SIGNATURE_INVALID',
+                    message: 'The Ed25519 signature does not match the payload hash',
+                },
+            };
+        }
+    }
+    catch (err) {
+        return {
+            result: {
+                status: 'INVALID',
+                reason: `Signature verification error: ${err instanceof Error ? err.message : 'unknown error'}`,
+                verified_at: now,
+            },
+            error: {
+                code: 'SIGNATURE_INVALID',
+                message: 'Failed to verify signature',
+            },
+        };
+    }
+    const payloadRec = envelope.payload;
+    // 14) Optional clawlogs inclusion proof validation (fail-closed if supplied)
+    let inclusionProofValidated;
+    if (isRecord(payloadRec.clawlogs) && payloadRec.clawlogs.inclusion_proof !== undefined) {
+        const proofVerification = await verifyLogInclusionProof(payloadRec.clawlogs.inclusion_proof);
+        if (!proofVerification.valid) {
+            return {
+                result: {
+                    status: 'INVALID',
+                    reason: `Invalid clawlogs inclusion proof: ${proofVerification.reason ?? 'verification failed'}`,
+                    envelope_type: envelope.envelope_type,
+                    signer_did: envelope.signer_did,
+                    verified_at: now,
+                },
+                error: proofVerification.error ??
+                    {
+                        code: 'INCLUSION_PROOF_INVALID',
+                        message: 'Invalid clawlogs inclusion proof',
+                        field: 'payload.clawlogs.inclusion_proof',
+                    },
+            };
+        }
+        inclusionProofValidated = true;
+    }
+    // 15) Summary extraction
+    const derivationId = typeof payloadRec.derivation_id === 'string' ? payloadRec.derivation_id : undefined;
+    let transformKind;
+    if (isRecord(payloadRec.transform) && typeof payloadRec.transform.kind === 'string') {
+        transformKind = payloadRec.transform.kind;
+    }
+    const inputSummary = extractModelSummary(payloadRec.input_model);
+    const outputSummary = extractModelSummary(payloadRec.output_model);
+    return {
+        result: {
+            status: 'VALID',
+            reason: 'Derivation attestation verified successfully',
+            envelope_type: envelope.envelope_type,
+            signer_did: envelope.signer_did,
+            verified_at: now,
+        },
+        derivation_id: derivationId,
+        transform_kind: transformKind,
+        input_model: inputSummary,
+        output_model: outputSummary,
+        clawlogs_inclusion_proof_validated: inclusionProofValidated,
+    };
+}
+//# sourceMappingURL=verify-derivation-attestation.js.map

package/dist/verify-derivation-attestation.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"verify-derivation-attestation.js","sourceRoot":"","sources":["../src/verify-derivation-attestation.ts"],"names":[],"mappings":"AAAA;;;GAGG;AASH,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,kBAAkB,EAClB,sBAAsB,EACtB,gBAAgB,EAChB,gBAAgB,EAChB,cAAc,GACf,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,WAAW,EACX,eAAe,EACf,0BAA0B,EAC1B,eAAe,GAChB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,uCAAuC,EAAE,MAAM,wBAAwB,CAAC;AACjF,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAU1E,SAAS,QAAQ,CAAC,CAAU;IAC1B,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,0BAA0B,CAAC,IAAa;IAC/C,IAAI,IAAI,KAAK,eAAe;QAAE,OAAO,eAAe,CAAC;IACrD,IAAI,IAAI,KAAK,0BAA0B;QAAE,OAAO,0BAA0B,CAAC;IAC3E,IAAI,IAAI,KAAK,sBAAsB;QAAE,OAAO,sBAAsB,CAAC;IACnE,IAAI,IAAI,KAAK,cAAc;QAAE,OAAO,cAAc,CAAC;IACnD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAiB;IAK5C,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,EAAE,CAAC;IACnC,MAAM,IAAI,GAAG,0BAA0B,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAEvD,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/D,MAAM,QAAQ,GAAG,KAAK,IAAI,OAAO,KAAK,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IAC1F,MAAM,IAAI,GAAG,KAAK,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;IAE9E,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,yBAAyB,CAChC,QAAiB;IAEjB,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACpE,MAAM,CAAC,GAAG,QAAmC,CAAC;IAE9C,OAAO,CACL,kBAAkB,IAAI,CAAC;QACvB,eAAe,IAAI,CAAC;QACpB,SAAS,IAAI,CAAC;QACd,mBAAmB,IAAI,CAAC;QACxB,gBAAgB,IAAI,CAAC;QACrB,gBAAgB,IAAI,CAAC;QACrB,WAAW,IAAI,CAAC;QAChB,YAAY,IAAI,CAAC;QACjB,WAAW,IAAI,CAAC,CACjB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,QAAiB,EACjB,UAAgD,EAAE;IAUlD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,wBAAwB;IACxB,IAAI,CAAC,yBAAyB,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzC,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,6CAA6C;gBACrD,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,8DAA8D;aACxE;SACF,CAAC;IACJ,CAAC;IAED,yBAAyB;IACzB,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACjD,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,6BAA6B,QAAQ,CAAC,gBAAgB,EAAE;gBAChE,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,0BAA0B;gBAChC,OAAO,EAAE,qBAAqB,QAAQ,CAAC,gBAAgB,2BAA2B;gBAClF,KAAK,EAAE,kBAAkB;aAC1B;SACF,CAAC;IACJ,CAAC;IAED,sBAAsB;IACtB,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QAC3C,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,0BAA0B,QAAQ,CAAC,aAAa,EAAE;gBAC1D,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,uBAAuB;gBAC7B,OAAO,EAAE,kBAAkB,QAAQ,CAAC,aAAa,2BAA2B;gBAC5E,KAAK,EAAE,eAAe;aACvB;SACF,CAAC;IACJ,CAAC;IAED,2BAA2B;IAC3B,IAAI,QAAQ,CAAC,aAAa,KAAK,wBAAwB,EAAE,CAAC;QACxD,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,kDAAkD,QAAQ,CAAC,aAAa,EAAE;gBAClF,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,uBAAuB;gBAC7B,OAAO,EAAE,6DAA6D;gBACtE,KAAK,EAAE,eAAe;aACvB;SACF,CAAC;IACJ,CAAC;IAED,4BAA4B;IAC5B,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5C,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,gCAAgC,QAAQ,CAAC,SAAS,EAAE;gBAC5D,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,wBAAwB,QAAQ,CAAC,SAAS,2BAA2B;gBAC9E,KAAK,EAAE,WAAW;aACnB;SACF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,sBAAsB,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QACrD,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,2BAA2B,QAAQ,CAAC,cAAc,EAAE;gBAC5D,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,wBAAwB;gBAC9B,OAAO,EAAE,mBAAmB,QAAQ,CAAC,cAAc,2BAA2B;gBAC9E,KAAK,EAAE,gBAAgB;aACxB;SACF,CAAC;IACJ,CAAC;IAED,oDAAoD;IACpD,MAAM,YAAY,GAAG,uCAAuC,CAAC,QAAQ,CAAC,CAAC;IACvE,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QACxB,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,YAAY,CAAC,OAAO;gBAC5B,aAAa,EAAE,QAAQ,CAAC,aAAa;gBACrC,UAAU,EAAE,QAAQ,CAAC,UAAU;gBAC/B,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,0BAA0B;gBAChC,OAAO,EAAE,YAAY,CAAC,OAAO;gBAC7B,KAAK,EAAE,YAAY,CAAC,KAAK;aAC1B;SACF,CAAC;IACJ,CAAC;IAED,gBAAgB;IAChB,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3C,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,uBAAuB,QAAQ,CAAC,UAAU,EAAE;gBACpD,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,wEAAwE;gBACjF,KAAK,EAAE,YAAY;aACpB;SACF,CAAC;IACJ,CAAC;IAED,2BAA2B;IAC3B,IAAI,CAAC,OAAO,CAAC,qBAAqB,IAAI,OAAO,CAAC,qBAAqB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjF,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,wDAAwD;gBAChE,aAAa,EAAE,QAAQ,CAAC,aAAa;gBACrC,UAAU,EAAE,QAAQ,CAAC,UAAU;gBAC/B,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,2BAA2B;gBACjC,OAAO,EACL,2HAA2H;gBAC7H,KAAK,EAAE,wCAAwC;aAChD;SACF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,qBAAqB,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACjE,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,2CAA2C;gBACnD,aAAa,EAAE,QAAQ,CAAC,aAAa;gBACrC,UAAU,EAAE,QAAQ,CAAC,UAAU;gBAC/B,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,iBAAiB;gBACvB,OAAO,EAAE,eAAe,QAAQ,CAAC,UAAU,sDAAsD;gBACjG,KAAK,EAAE,YAAY;aACpB;SACF,CAAC;IACJ,CAAC;IAED,eAAe;IACf,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACxC,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,+BAA+B;gBACvC,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,gDAAgD;gBACzD,KAAK,EAAE,WAAW;aACnB;SACF,CAAC;IACJ,CAAC;IAED,uBAAuB;IACvB,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;QAClD,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,kCAAkC;gBAC1C,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,oDAAoD;gBAC7D,KAAK,EAAE,mBAAmB;aAC3B;SACF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QAC/C,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,+BAA+B;gBACvC,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,iDAAiD;gBAC1D,KAAK,EAAE,gBAAgB;aACxB;SACF,CAAC;IACJ,CAAC;IAED,qBAAqB;IACrB,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,cAAc,CAAC,CAAC;QAElF,IAAI,YAAY,KAAK,QAAQ,CAAC,iBAAiB,EAAE,CAAC;YAChD,OAAO;gBACL,MAAM,EAAE;oBACN,MAAM,EAAE,SAAS;oBACjB,MAAM,EAAE,6DAA6D;oBACrE,WAAW,EAAE,GAAG;iBACjB;gBACD,KAAK,EAAE;oBACL,IAAI,EAAE,eAAe;oBACrB,OAAO,EAAE,oDAAoD;iBAC9D;aACF,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,4BAA4B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;gBAC1F,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,gCAAgC;aAC1C;SACF,CAAC;IACJ,CAAC;IAED,oCAAoC;IACpC,MAAM,cAAc,GAAG,0BAA0B,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACvE,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,8CAA8C;gBACtD,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EACL,uGAAuG;gBACzG,KAAK,EAAE,YAAY;aACpB;SACF,CAAC;IACJ,CAAC;IAED,uBAAuB;IACvB,IAAI,CAAC;QACH,MAAM,cAAc,GAAG,eAAe,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;QAChE,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;QAE1E,MAAM,EAAE,GAAG,MAAM,eAAe,CAC9B,QAAQ,CAAC,SAAS,EAClB,cAAc,EACd,cAAc,EACd,YAAY,CACb,CAAC;QAEF,IAAI,CAAC,EAAE,EAAE,CAAC;YACR,OAAO;gBACL,MAAM,EAAE;oBACN,MAAM,EAAE,SAAS;oBACjB,MAAM,EAAE,+BAA+B;oBACvC,WAAW,EAAE,GAAG;iBACjB;gBACD,KAAK,EAAE;oBACL,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE,uDAAuD;iBACjE;aACF,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,iCAAiC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;gBAC/F,WAAW,EAAE,GAAG;aACjB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,4BAA4B;aACtC;SACF,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,OAA6C,CAAC;IAE1E,6EAA6E;IAC7E,IAAI,uBAA4C,CAAC;IAEjD,IAAI,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,eAAe,KAAK,SAAS,EAAE,CAAC;QACvF,MAAM,iBAAiB,GAAG,MAAM,uBAAuB,CAAC,UAAU,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;QAE7F,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,CAAC;YAC7B,OAAO;gBACL,MAAM,EAAE;oBACN,MAAM,EAAE,SAAS;oBACjB,MAAM,EAAE,qCAAqC,iBAAiB,CAAC,MAAM,IAAI,qBAAqB,EAAE;oBAChG,aAAa,EAAE,QAAQ,CAAC,aAAa;oBACrC,UAAU,EAAE,QAAQ,CAAC,UAAU;oBAC/B,WAAW,EAAE,GAAG;iBACjB;gBACD,KAAK,EACH,iBAAiB,CAAC,KAAK;oBACvB;wBACE,IAAI,EAAE,yBAAyB;wBAC/B,OAAO,EAAE,kCAAkC;wBAC3C,KAAK,EAAE,kCAAkC;qBAC1C;aACJ,CAAC;QACJ,CAAC;QAED,uBAAuB,GAAG,IAAI,CAAC;IACjC,CAAC;IAED,yBAAyB;IACzB,MAAM,YAAY,GAAG,OAAO,UAAU,CAAC,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC;IAEzG,IAAI,aAAiC,CAAC;IACtC,IAAI,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,OAAO,UAAU,CAAC,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QACpF,aAAa,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC;IAC5C,CAAC;IAED,MAAM,YAAY,GAAG,mBAAmB,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;IACjE,MAAM,aAAa,GAAG,mBAAmB,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;IAEnE,OAAO;QACL,MAAM,EAAE;YACN,MAAM,EAAE,OAAO;YACf,MAAM,EAAE,8CAA8C;YACtD,aAAa,EAAE,QAAQ,CAAC,aAAa;YACrC,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,WAAW,EAAE,GAAG;SACjB;QACD,aAAa,EAAE,YAAY;QAC3B,cAAc,EAAE,aAAa;QAC7B,WAAW,EAAE,YAAY;QACzB,YAAY,EAAE,aAAa;QAC3B,kCAAkC,EAAE,uBAAuB;KAC5D,CAAC;AACJ,CAAC"}

package/dist/verify-execution-attestation.d.ts ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * Execution Attestation Verification
+ * CEA-US-010: Verify sandbox execution attestations
+ */
+import type { ExecutionAttestationPayload, VerificationResult, VerificationError } from './types.js';
+export interface ExecutionAttestationVerifierOptions {
+    /** Allowlisted execution attestation signer DIDs (did:key:...). */
+    allowlistedSignerDids?: readonly string[];
+    /** Allowlisted TEE root IDs for tee_execution attestations. */
+    teeRootAllowlist?: readonly string[];
+    /** Allowlisted TCB versions for tee_execution attestations. */
+    teeTcbAllowlist?: readonly string[];
+    /** Revoked TEE root IDs (denylist). */
+    teeRootRevoked?: readonly string[];
+    /** Revoked TCB versions (denylist). */
+    teeTcbRevoked?: readonly string[];
+}
+export declare function verifyExecutionAttestation(envelope: unknown, options?: ExecutionAttestationVerifierOptions): Promise<{
+    result: VerificationResult;
+    attestation_id?: string;
+    execution_type?: ExecutionAttestationPayload['execution_type'];
+    agent_did?: string;
+    attester_did?: string;
+    run_id?: string;
+    proof_bundle_hash_b64u?: string;
+    signer_did?: string;
+    allowlisted?: boolean;
+    tee_root_id?: string;
+    tee_tcb_version?: string;
+    error?: VerificationError;
+}>;
+//# sourceMappingURL=verify-execution-attestation.d.ts.map

package/dist/verify-execution-attestation.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"verify-execution-attestation.d.ts","sourceRoot":"","sources":["../src/verify-execution-attestation.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAEV,2BAA2B,EAC3B,kBAAkB,EAClB,iBAAiB,EAClB,MAAM,YAAY,CAAC;AAkBpB,MAAM,WAAW,mCAAmC;IAClD,mEAAmE;IACnE,qBAAqB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAE1C,+DAA+D;IAC/D,gBAAgB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAErC,+DAA+D;IAC/D,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAEpC,uCAAuC;IACvC,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAEnC,uCAAuC;IACvC,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACnC;AA6ED,wBAAsB,0BAA0B,CAC9C,QAAQ,EAAE,OAAO,EACjB,OAAO,GAAE,mCAAwC,GAChD,OAAO,CAAC;IACT,MAAM,EAAE,kBAAkB,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,2BAA2B,CAAC,gBAAgB,CAAC,CAAC;IAC/D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,KAAK,CAAC,EAAE,iBAAiB,CAAC;CAC3B,CAAC,CAuiBD"}