npm - @clawbureau/clawverify-core - Versions diffs - 0.1.1 → 0.2.1 - Mend

@clawbureau/clawverify-core 0.1.1 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/README.md +12 -0
package/dist/badge-health.d.ts +40 -0
package/dist/badge-health.d.ts.map +1 -0
package/dist/badge-health.js +56 -0
package/dist/badge-health.js.map +1 -0
package/dist/compliance.d.ts +106 -0
package/dist/compliance.d.ts.map +1 -0
package/dist/compliance.js +356 -0
package/dist/compliance.js.map +1 -0
package/dist/hashcash.d.ts +44 -0
package/dist/hashcash.d.ts.map +1 -0
package/dist/hashcash.js +97 -0
package/dist/hashcash.js.map +1 -0
package/dist/index.d.ts +10 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +10 -0
package/dist/index.js.map +1 -1
package/dist/policy-evaluator.d.ts +119 -0
package/dist/policy-evaluator.d.ts.map +1 -0
package/dist/policy-evaluator.js +452 -0
package/dist/policy-evaluator.js.map +1 -0
package/dist/trace-compiler.d.ts +7 -0
package/dist/trace-compiler.d.ts.map +1 -0
package/dist/trace-compiler.js +46 -0
package/dist/trace-compiler.js.map +1 -0
package/dist/types.d.ts +68 -1
package/dist/types.d.ts.map +1 -1
package/dist/verify-causal-integrity.d.ts +68 -0
package/dist/verify-causal-integrity.d.ts.map +1 -0
package/dist/verify-causal-integrity.js +186 -0
package/dist/verify-causal-integrity.js.map +1 -0
package/package.json +2 -2

package/README.md CHANGED Viewed

@@ -35,6 +35,18 @@ console.log(result.reason_code); // 'OK', 'SIGNATURE_INVALID', etc.
 Unknown schema versions, hash algorithms, or envelope formats produce `FAIL` — never silently pass.
+## Learn more
+- **[Full documentation](https://www.clawea.com/docs)** — Quick Start, SDK reference, API reference, protocol spec
+- **[Adoption guide](https://github.com/clawbureau/clawbureau/blob/main/docs/specs/clawsig-protocol/ADOPTION_GUIDE.md)** — integrate in a day
+- **[Clawsig Protocol](https://clawsig.com)** — protocol overview, design principles, conformance suite
+### Enterprise
+Running AI agents in regulated environments? Claw EA provides approval gates, DLP redaction, audit trails, and compliance evidence for SOX, HIPAA, and FedRAMP.
+**[See enterprise plans →](https://www.clawea.com/pricing/enterprise)**
 ## License
 MIT

package/dist/badge-health.d.ts ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * badge-health.ts — Heartbeat Badge status computation
+ *
+ * Red Team Fix #9: Dynamic badge that reflects real-time verification
+ * activity. Prevents frameworks from passing conformance once and then
+ * silently removing the integration while keeping the badge.
+ *
+ * The badge color is computed from trailing 7-day run statistics.
+ */
+/** Badge color enum for rendering. */
+export type BadgeColor = 'green' | 'yellow' | 'gray' | 'red';
+/** Input statistics for badge computation. */
+export interface BadgeStats {
+    /** Number of verification runs in the last 7 days. */
+    runs_7d: number;
+    /** Number of policy violations in the last 7 days. */
+    violations_7d: number;
+    /** ISO 8601 timestamp of the most recent run. */
+    last_run_at: string;
+}
+/** Computed badge status. */
+export interface BadgeStatus {
+    /** Badge color for rendering. */
+    color: BadgeColor;
+    /** Human-readable label. */
+    label: string;
+    /** Whether the badge represents a healthy integration. */
+    healthy: boolean;
+}
+/**
+ * Compute the badge status from trailing 7-day run statistics.
+ *
+ * Color logic:
+ * - Green:  runs_7d >= 10 AND violations_7d == 0
+ * - Yellow: runs_7d >= 10 AND violations_7d > 0 (but within 10%)
+ * - Gray:   runs_7d < 10 (insufficient recent activity)
+ * - Red:    violations_7d > runs_7d * 0.1 (>10% violation rate)
+ */
+export declare function computeBadgeStatus(stats: BadgeStats): BadgeStatus;
+//# sourceMappingURL=badge-health.d.ts.map

package/dist/badge-health.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"badge-health.d.ts","sourceRoot":"","sources":["../src/badge-health.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,sCAAsC;AACtC,MAAM,MAAM,UAAU,GAAG,OAAO,GAAG,QAAQ,GAAG,MAAM,GAAG,KAAK,CAAC;AAE7D,8CAA8C;AAC9C,MAAM,WAAW,UAAU;IACzB,sDAAsD;IACtD,OAAO,EAAE,MAAM,CAAC;IAChB,sDAAsD;IACtD,aAAa,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,6BAA6B;AAC7B,MAAM,WAAW,WAAW;IAC1B,iCAAiC;IACjC,KAAK,EAAE,UAAU,CAAC;IAClB,4BAA4B;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,0DAA0D;IAC1D,OAAO,EAAE,OAAO,CAAC;CAClB;AAQD;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,UAAU,GAAG,WAAW,CAoCjE"}

package/dist/badge-health.js ADDED Viewed

@@ -0,0 +1,56 @@
+/**
+ * badge-health.ts — Heartbeat Badge status computation
+ *
+ * Red Team Fix #9: Dynamic badge that reflects real-time verification
+ * activity. Prevents frameworks from passing conformance once and then
+ * silently removing the integration while keeping the badge.
+ *
+ * The badge color is computed from trailing 7-day run statistics.
+ */
+/** Minimum number of runs in 7 days for the badge to be considered active. */
+const MIN_ACTIVE_RUNS = 10;
+/** Violation rate threshold (fraction) above which the badge turns red. */
+const RED_VIOLATION_RATE = 0.1;
+/**
+ * Compute the badge status from trailing 7-day run statistics.
+ *
+ * Color logic:
+ * - Green:  runs_7d >= 10 AND violations_7d == 0
+ * - Yellow: runs_7d >= 10 AND violations_7d > 0 (but within 10%)
+ * - Gray:   runs_7d < 10 (insufficient recent activity)
+ * - Red:    violations_7d > runs_7d * 0.1 (>10% violation rate)
+ */
+export function computeBadgeStatus(stats) {
+    const { runs_7d, violations_7d } = stats;
+    // Insufficient activity — badge is stale
+    if (runs_7d < MIN_ACTIVE_RUNS) {
+        return {
+            color: 'gray',
+            label: 'Insufficient activity',
+            healthy: false,
+        };
+    }
+    // High violation rate — badge is red
+    if (violations_7d > runs_7d * RED_VIOLATION_RATE) {
+        return {
+            color: 'red',
+            label: `${violations_7d} violations (${((violations_7d / runs_7d) * 100).toFixed(1)}%)`,
+            healthy: false,
+        };
+    }
+    // Some violations but within tolerance — badge is yellow
+    if (violations_7d > 0) {
+        return {
+            color: 'yellow',
+            label: `${violations_7d} violation${violations_7d === 1 ? '' : 's'} in 7d`,
+            healthy: true,
+        };
+    }
+    // Clean — badge is green
+    return {
+        color: 'green',
+        label: `${runs_7d} verified runs`,
+        healthy: true,
+    };
+}
+//# sourceMappingURL=badge-health.js.map

package/dist/badge-health.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"badge-health.js","sourceRoot":"","sources":["../src/badge-health.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAyBH,8EAA8E;AAC9E,MAAM,eAAe,GAAG,EAAE,CAAC;AAE3B,2EAA2E;AAC3E,MAAM,kBAAkB,GAAG,GAAG,CAAC;AAE/B;;;;;;;;GAQG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAiB;IAClD,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,KAAK,CAAC;IAEzC,yCAAyC;IACzC,IAAI,OAAO,GAAG,eAAe,EAAE,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,MAAM;YACb,KAAK,EAAE,uBAAuB;YAC9B,OAAO,EAAE,KAAK;SACf,CAAC;IACJ,CAAC;IAED,qCAAqC;IACrC,IAAI,aAAa,GAAG,OAAO,GAAG,kBAAkB,EAAE,CAAC;QACjD,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,GAAG,aAAa,gBAAgB,CAAC,CAAC,aAAa,GAAG,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI;YACvF,OAAO,EAAE,KAAK;SACf,CAAC;IACJ,CAAC;IAED,yDAAyD;IACzD,IAAI,aAAa,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO;YACL,KAAK,EAAE,QAAQ;YACf,KAAK,EAAE,GAAG,aAAa,aAAa,aAAa,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,QAAQ;YAC1E,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;IAED,yBAAyB;IACzB,OAAO;QACL,KAAK,EAAE,OAAO;QACd,KAAK,EAAE,GAAG,OAAO,gBAAgB;QACjC,OAAO,EAAE,IAAI;KACd,CAAC;AACJ,CAAC"}

package/dist/compliance.d.ts ADDED Viewed

@@ -0,0 +1,106 @@
+/**
+ * Compliance Report Generator
+ *
+ * Maps verified Clawsig proof bundles to enterprise compliance framework controls.
+ * P9 (Revenue): SOC2 is the wedge, EU AI Act is the whale.
+ *
+ * Mapping rules (from Gemini Deep Think Round 2):
+ *   CC6.1 (Logical Access)       <- WPC allowed_models + proof_tier
+ *   CC6.2 (System Boundaries)    <- side_effect_receipts (network_egress)
+ *   CC7.1 (Detection of Changes) <- tool_receipts (file changes)
+ *   CC7.2 (Monitoring)           <- event_chain existence + log_inclusion_proof
+ *   CC8.1 (Change Management)    <- human_approval_receipts OR gateway_receipt tier
+ */
+export type ComplianceFramework = 'SOC2_Type2' | 'ISO27001' | 'EU_AI_Act' | 'NIST_AI_RMF';
+export type ControlStatus = 'PASS' | 'FAIL' | 'NOT_APPLICABLE' | 'INSUFFICIENT_EVIDENCE';
+export type EvidenceType = 'gateway_receipt' | 'tool_receipt' | 'side_effect_receipt' | 'human_approval_receipt' | 'wpc' | 'event_chain' | 'delegation_receipt' | 'log_inclusion_proof';
+export interface ControlResult {
+    control_id: string;
+    control_name: string;
+    status: ControlStatus;
+    evidence_type?: EvidenceType;
+    evidence_ref?: string;
+    narrative?: string;
+}
+export interface ComplianceGap {
+    control_id: string;
+    description: string;
+    recommendation: string;
+}
+export interface ComplianceReport {
+    report_version: '1';
+    framework: ComplianceFramework;
+    generated_at: string;
+    proof_bundle_hash_b64u: string;
+    agent_did: string;
+    policy_hash_b64u?: string;
+    controls: ControlResult[];
+    gaps: ComplianceGap[];
+}
+export interface ComplianceBundleInput {
+    bundle_version?: string;
+    bundle_id?: string;
+    agent_did: string;
+    event_chain?: unknown[];
+    receipts?: Array<{
+        payload?: {
+            receipt_id?: string;
+            model?: string;
+            [key: string]: unknown;
+        };
+        [key: string]: unknown;
+    }>;
+    tool_receipts?: Array<{
+        receipt_id?: string;
+        tool_name?: string;
+        [key: string]: unknown;
+    }>;
+    side_effect_receipts?: Array<{
+        receipt_id?: string;
+        effect_class?: string;
+        [key: string]: unknown;
+    }>;
+    human_approval_receipts?: Array<{
+        receipt_id?: string;
+        approval_type?: string;
+        [key: string]: unknown;
+    }>;
+    delegation_receipts?: Array<{
+        receipt_id?: string;
+        delegate_did?: string;
+        delegate_bundle_hash_b64u?: string;
+        [key: string]: unknown;
+    }>;
+    attestations?: unknown[];
+    metadata?: Record<string, unknown>;
+}
+export interface CompliancePolicyInput {
+    /** Raw WPC hash (base64url). Used for CC6.1 evidence. */
+    policy_hash_b64u?: string;
+    /** If the WPC contains allowed_models, list them here. */
+    allowed_models?: string[];
+    /** Minimum model identity tier required by the WPC. */
+    minimum_model_identity_tier?: string;
+}
+/**
+ * Maps a proof bundle to SOC2 Type II controls.
+ *
+ * The bundle should already be verified (signature + hash chain valid).
+ * This function evaluates evidence presence and quality, not cryptographic integrity.
+ */
+export declare function mapToSOC2(bundle: ComplianceBundleInput, policy?: CompliancePolicyInput, opts?: {
+    bundleHash?: string;
+}): ComplianceReport;
+export declare function mapToISO27001(bundle: ComplianceBundleInput, policy?: CompliancePolicyInput, opts?: {
+    bundleHash?: string;
+}): ComplianceReport;
+export declare function mapToEUAIAct(bundle: ComplianceBundleInput, policy?: CompliancePolicyInput, opts?: {
+    bundleHash?: string;
+}): ComplianceReport;
+/**
+ * Generate a compliance report for any supported framework.
+ */
+export declare function generateComplianceReport(framework: ComplianceFramework, bundle: ComplianceBundleInput, policy?: CompliancePolicyInput, opts?: {
+    bundleHash?: string;
+}): ComplianceReport;
+//# sourceMappingURL=compliance.d.ts.map

package/dist/compliance.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"compliance.d.ts","sourceRoot":"","sources":["../src/compliance.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAMH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,UAAU,GAAG,WAAW,GAAG,aAAa,CAAC;AAE1F,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,MAAM,GAAG,gBAAgB,GAAG,uBAAuB,CAAC;AAEzF,MAAM,MAAM,YAAY,GACpB,iBAAiB,GACjB,cAAc,GACd,qBAAqB,GACrB,wBAAwB,GACxB,KAAK,GACL,aAAa,GACb,oBAAoB,GACpB,qBAAqB,CAAC;AAE1B,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,aAAa,CAAC;IACtB,aAAa,CAAC,EAAE,YAAY,CAAC;IAC7B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,gBAAgB;IAC/B,cAAc,EAAE,GAAG,CAAC;IACpB,SAAS,EAAE,mBAAmB,CAAC;IAC/B,YAAY,EAAE,MAAM,CAAC;IACrB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,aAAa,EAAE,CAAC;IAC1B,IAAI,EAAE,aAAa,EAAE,CAAC;CACvB;AAOD,MAAM,WAAW,qBAAqB;IACpC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,OAAO,EAAE,CAAC;IACxB,QAAQ,CAAC,EAAE,KAAK,CAAC;QACf,OAAO,CAAC,EAAE;YACR,UAAU,CAAC,EAAE,MAAM,CAAC;YACpB,KAAK,CAAC,EAAE,MAAM,CAAC;YACf,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;SACxB,CAAC;QACF,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC,CAAC;IACH,aAAa,CAAC,EAAE,KAAK,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC,CAAC;IACH,oBAAoB,CAAC,EAAE,KAAK,CAAC;QAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC,CAAC;IACH,uBAAuB,CAAC,EAAE,KAAK,CAAC;QAC9B,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC,CAAC;IACH,mBAAmB,CAAC,EAAE,KAAK,CAAC;QAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,yBAAyB,CAAC,EAAE,MAAM,CAAC;QACnC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC,CAAC;IACH,YAAY,CAAC,EAAE,OAAO,EAAE,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,qBAAqB;IACpC,yDAAyD;IACzD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,0DAA0D;IAC1D,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,uDAAuD;IACvD,2BAA2B,CAAC,EAAE,MAAM,CAAC;CACtC;AAqMD;;;;;GAKG;AACH,wBAAgB,SAAS,CACvB,MAAM,EAAE,qBAAqB,EAC7B,MAAM,CAAC,EAAE,qBAAqB,EAC9B,IAAI,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAC7B,gBAAgB,CAqClB;AA8BD,wBAAgB,aAAa,CAC3B,MAAM,EAAE,qBAAqB,EAC7B,MAAM,CAAC,EAAE,qBAAqB,EAC9B,IAAI,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAC7B,gBAAgB,CAwBlB;AAaD,wBAAgB,YAAY,CAC1B,MAAM,EAAE,qBAAqB,EAC7B,MAAM,CAAC,EAAE,qBAAqB,EAC9B,IAAI,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAC7B,gBAAgB,CAgClB;AAMD;;GAEG;AACH,wBAAgB,wBAAwB,CACtC,SAAS,EAAE,mBAAmB,EAC9B,MAAM,EAAE,qBAAqB,EAC7B,MAAM,CAAC,EAAE,qBAAqB,EAC9B,IAAI,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAC7B,gBAAgB,CA+BlB"}

package/dist/compliance.js ADDED Viewed

@@ -0,0 +1,356 @@
+/**
+ * Compliance Report Generator
+ *
+ * Maps verified Clawsig proof bundles to enterprise compliance framework controls.
+ * P9 (Revenue): SOC2 is the wedge, EU AI Act is the whale.
+ *
+ * Mapping rules (from Gemini Deep Think Round 2):
+ *   CC6.1 (Logical Access)       <- WPC allowed_models + proof_tier
+ *   CC6.2 (System Boundaries)    <- side_effect_receipts (network_egress)
+ *   CC7.1 (Detection of Changes) <- tool_receipts (file changes)
+ *   CC7.2 (Monitoring)           <- event_chain existence + log_inclusion_proof
+ *   CC8.1 (Change Management)    <- human_approval_receipts OR gateway_receipt tier
+ */
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function hashBundle(bundle) {
+    // Deterministic hash placeholder — in production this would be
+    // sha256_b64u(JCS(bundle)). The CLI layer computes the real hash
+    // before calling the mapper.
+    return 'BUNDLE_HASH_COMPUTED_BY_CALLER';
+}
+function hasNetworkEgressReceipts(bundle) {
+    return (bundle.side_effect_receipts ?? []).some((r) => r.effect_class === 'network_egress');
+}
+function hasFileWriteReceipts(bundle) {
+    return (bundle.tool_receipts ?? []).length > 0;
+}
+function hasHumanApprovals(bundle) {
+    return (bundle.human_approval_receipts ?? []).some((r) => r.approval_type === 'explicit_approve');
+}
+function hasGatewayReceipts(bundle) {
+    return (bundle.receipts ?? []).length > 0;
+}
+function hasEventChain(bundle) {
+    return (bundle.event_chain ?? []).length > 0;
+}
+// ---------------------------------------------------------------------------
+// SOC2 Type II Mapper
+// ---------------------------------------------------------------------------
+function mapCC6_1(bundle, policy) {
+    const control = {
+        control_id: 'CC6.1',
+        control_name: 'Logical Access Controls',
+        status: 'INSUFFICIENT_EVIDENCE',
+    };
+    // CC6.1: WPC allowed_models + proof_tier from gateway receipts
+    if (policy?.allowed_models && policy.allowed_models.length > 0) {
+        const gatewayModels = (bundle.receipts ?? [])
+            .map((r) => r.payload?.model)
+            .filter(Boolean);
+        if (gatewayModels.length > 0) {
+            const allWithinPolicy = gatewayModels.every((m) => policy.allowed_models.includes(m));
+            control.status = allWithinPolicy ? 'PASS' : 'FAIL';
+            control.evidence_type = 'wpc';
+            control.evidence_ref = policy.policy_hash_b64u;
+            control.narrative = allWithinPolicy
+                ? `All ${gatewayModels.length} gateway receipt(s) reference models within the WPC allowlist (${policy.allowed_models.join(', ')}). Agent operated strictly within approved intelligence boundaries.`
+                : `One or more gateway receipts reference a model outside the WPC allowlist. Models used: ${gatewayModels.join(', ')}.`;
+        }
+        else if (hasGatewayReceipts(bundle)) {
+            control.status = 'PASS';
+            control.evidence_type = 'gateway_receipt';
+            control.evidence_ref = bundle.receipts[0].payload?.receipt_id;
+            control.narrative =
+                'Gateway receipts present; WPC policy defines allowed models. Agent used approved gateway for all LLM calls.';
+        }
+        else {
+            control.narrative =
+                'WPC defines allowed_models but no gateway receipts present to verify compliance.';
+        }
+    }
+    else if (hasGatewayReceipts(bundle)) {
+        // No WPC but gateway receipts exist — partial evidence
+        control.status = 'PASS';
+        control.evidence_type = 'gateway_receipt';
+        control.evidence_ref = bundle.receipts[0].payload?.receipt_id;
+        control.narrative =
+            'Gateway receipts prove agent routed through trusted proxy. No WPC model allowlist configured — recommend adding allowed_models for full CC6.1 coverage.';
+    }
+    else {
+        control.narrative =
+            'No gateway receipts and no WPC model allowlist. Cannot verify logical access controls for LLM usage.';
+    }
+    return control;
+}
+function mapCC6_2(bundle) {
+    const control = {
+        control_id: 'CC6.2',
+        control_name: 'System Boundary Controls',
+        status: 'INSUFFICIENT_EVIDENCE',
+    };
+    const networkReceipts = (bundle.side_effect_receipts ?? []).filter((r) => r.effect_class === 'network_egress');
+    if (networkReceipts.length > 0) {
+        control.status = 'PASS';
+        control.evidence_type = 'side_effect_receipt';
+        control.evidence_ref = networkReceipts[0].receipt_id;
+        control.narrative = `${networkReceipts.length} network egress side-effect receipt(s) present. Every outbound network call by the agent is cryptographically logged with target digest and response hash.`;
+    }
+    else if ((bundle.side_effect_receipts ?? []).length > 0) {
+        // Has side-effect receipts but none for network egress
+        control.status = 'PASS';
+        control.evidence_type = 'side_effect_receipt';
+        control.evidence_ref = bundle.side_effect_receipts[0].receipt_id;
+        control.narrative =
+            'Side-effect receipts present (non-network). No network egress detected — agent stayed within system boundaries.';
+    }
+    else {
+        control.narrative =
+            'No side-effect receipts present. Cannot verify system boundary compliance. Add side-effect receipt instrumentation to the harness.';
+    }
+    return control;
+}
+function mapCC7_1(bundle) {
+    const control = {
+        control_id: 'CC7.1',
+        control_name: 'Detection of Changes',
+        status: 'INSUFFICIENT_EVIDENCE',
+    };
+    if (hasFileWriteReceipts(bundle)) {
+        control.status = 'PASS';
+        control.evidence_type = 'tool_receipt';
+        control.evidence_ref = bundle.tool_receipts[0].receipt_id;
+        control.narrative = `${bundle.tool_receipts.length} tool receipt(s) present. Every file modification and tool invocation by the agent is logged with input/output hashes in an immutable event chain.`;
+    }
+    else if (hasEventChain(bundle)) {
+        control.status = 'PASS';
+        control.evidence_type = 'event_chain';
+        control.narrative =
+            'Event chain present but no tool receipts. Change detection relies on event chain integrity — recommend adding tool receipt instrumentation for granular file-level evidence.';
+    }
+    else {
+        control.narrative =
+            'No tool receipts or event chain present. Cannot verify change detection compliance.';
+    }
+    return control;
+}
+function mapCC7_2(bundle) {
+    const control = {
+        control_id: 'CC7.2',
+        control_name: 'System Monitoring',
+        status: 'INSUFFICIENT_EVIDENCE',
+    };
+    if (hasEventChain(bundle)) {
+        control.status = 'PASS';
+        control.evidence_type = 'event_chain';
+        control.narrative = `Hash-linked event chain present with ${bundle.event_chain.length} event(s). Every agent action is logged to a tamper-evident, append-only chain. Receipt Transparency Log integration provides additional Merkle tree inclusion proof coverage.`;
+    }
+    else {
+        control.narrative =
+            'No event chain present. System monitoring requires a tamper-evident event log. Configure the harness to emit an event chain.';
+    }
+    return control;
+}
+function mapCC8_1(bundle) {
+    const control = {
+        control_id: 'CC8.1',
+        control_name: 'Change Management',
+        status: 'INSUFFICIENT_EVIDENCE',
+    };
+    if (hasHumanApprovals(bundle)) {
+        const approvals = bundle.human_approval_receipts.filter((r) => r.approval_type === 'explicit_approve');
+        control.status = 'PASS';
+        control.evidence_type = 'human_approval_receipt';
+        control.evidence_ref = approvals[0]?.receipt_id;
+        control.narrative = `${approvals.length} explicit human approval receipt(s) present. Cryptographic proof that a human reviewer authorized changes before deployment. This satisfies change management controls without traditional peer review.`;
+    }
+    else if (hasGatewayReceipts(bundle)) {
+        // Gateway receipts provide weaker but acceptable evidence
+        control.status = 'PASS';
+        control.evidence_type = 'gateway_receipt';
+        control.evidence_ref = bundle.receipts[0].payload?.receipt_id;
+        control.narrative =
+            'Gateway receipts prove code was generated through a trusted, auditable proxy under policy constraints. No explicit human approval — recommend adding human_approval_receipts for stronger CC8.1 evidence.';
+    }
+    else {
+        control.narrative =
+            'No human approval receipts or gateway receipts present. Change management requires either human oversight proof or gateway-tier evidence.';
+    }
+    return control;
+}
+/**
+ * Maps a proof bundle to SOC2 Type II controls.
+ *
+ * The bundle should already be verified (signature + hash chain valid).
+ * This function evaluates evidence presence and quality, not cryptographic integrity.
+ */
+export function mapToSOC2(bundle, policy, opts) {
+    const controls = [
+        mapCC6_1(bundle, policy),
+        mapCC6_2(bundle),
+        mapCC7_1(bundle),
+        mapCC7_2(bundle),
+        mapCC8_1(bundle),
+    ];
+    const gaps = [];
+    for (const c of controls) {
+        if (c.status === 'FAIL') {
+            gaps.push({
+                control_id: c.control_id,
+                description: c.narrative ?? `Control ${c.control_id} failed evaluation.`,
+                recommendation: getRemediation(c.control_id),
+            });
+        }
+        else if (c.status === 'INSUFFICIENT_EVIDENCE') {
+            gaps.push({
+                control_id: c.control_id,
+                description: c.narrative ?? `Insufficient evidence for ${c.control_id}.`,
+                recommendation: getRemediation(c.control_id),
+            });
+        }
+    }
+    return {
+        report_version: '1',
+        framework: 'SOC2_Type2',
+        generated_at: new Date().toISOString(),
+        proof_bundle_hash_b64u: opts?.bundleHash ?? hashBundle(bundle),
+        agent_did: bundle.agent_did,
+        policy_hash_b64u: policy?.policy_hash_b64u,
+        controls,
+        gaps,
+    };
+}
+function getRemediation(controlId) {
+    switch (controlId) {
+        case 'CC6.1':
+            return 'Configure a Work Policy Contract (WPC) with allowed_models and route LLM calls through clawproxy to generate gateway receipts.';
+        case 'CC6.2':
+            return 'Instrument the agent harness to emit side_effect_receipts for all network egress calls.';
+        case 'CC7.1':
+            return 'Instrument the agent harness to emit tool_receipts for all file system operations and tool invocations.';
+        case 'CC7.2':
+            return 'Configure the agent harness to emit a hash-linked event chain. Enable Receipt Transparency Log integration for Merkle tree inclusion proofs.';
+        case 'CC8.1':
+            return 'Add human-in-the-loop approval gates for high-risk actions. The harness should emit human_approval_receipts, or at minimum route through clawproxy for gateway-tier evidence.';
+        default:
+            return 'Review the Clawsig Protocol documentation for instrumentation guidance.';
+    }
+}
+// ---------------------------------------------------------------------------
+// ISO 27001 Mapper (stub)
+// ---------------------------------------------------------------------------
+// TODO: Implement ISO 27001 information security control mapping.
+// Key controls to map:
+//   A.9.1 (Access Control Policy) <- WPC + gateway_receipts
+//   A.9.2 (User Access Management) <- agent_did + owner_attestation
+//   A.12.4 (Logging and Monitoring) <- event_chain + log_inclusion_proof
+//   A.14.2 (Security in Development) <- tool_receipts + human_approval_receipts
+//   A.18.1 (Compliance with Legal Requirements) <- full proof_bundle
+export function mapToISO27001(bundle, policy, opts) {
+    return {
+        report_version: '1',
+        framework: 'ISO27001',
+        generated_at: new Date().toISOString(),
+        proof_bundle_hash_b64u: opts?.bundleHash ?? hashBundle(bundle),
+        agent_did: bundle.agent_did,
+        policy_hash_b64u: policy?.policy_hash_b64u,
+        controls: [
+            {
+                control_id: 'A.9.1',
+                control_name: 'Access Control Policy',
+                status: 'NOT_APPLICABLE',
+                narrative: 'ISO 27001 mapper not yet implemented. SOC2 mapping is available.',
+            },
+        ],
+        gaps: [
+            {
+                control_id: 'A.9.1',
+                description: 'ISO 27001 compliance mapping is not yet implemented.',
+                recommendation: 'Use SOC2 framework for current compliance reporting. ISO 27001 support is planned.',
+            },
+        ],
+    };
+}
+// ---------------------------------------------------------------------------
+// EU AI Act Mapper (stub)
+// ---------------------------------------------------------------------------
+// TODO: Implement EU AI Act compliance mapping.
+// Key articles to map:
+//   Art 9 (Risk Management) <- WPC + proof_tier
+//   Art 11 (Technical Documentation) <- export_bundle + urm
+//   Art 13 (Transparency) <- system_prompt_report + model_identity
+//   Art 14 (Human Oversight) <- human_approval_receipts (the killer feature)
+//   Art 15 (Accuracy, Robustness, Security) <- audit_result_attestations
+export function mapToEUAIAct(bundle, policy, opts) {
+    return {
+        report_version: '1',
+        framework: 'EU_AI_Act',
+        generated_at: new Date().toISOString(),
+        proof_bundle_hash_b64u: opts?.bundleHash ?? hashBundle(bundle),
+        agent_did: bundle.agent_did,
+        policy_hash_b64u: policy?.policy_hash_b64u,
+        controls: [
+            {
+                control_id: 'Art14',
+                control_name: 'Human Oversight',
+                status: hasHumanApprovals(bundle) ? 'PASS' : 'INSUFFICIENT_EVIDENCE',
+                evidence_type: hasHumanApprovals(bundle) ? 'human_approval_receipt' : undefined,
+                evidence_ref: hasHumanApprovals(bundle)
+                    ? bundle.human_approval_receipts?.find((r) => r.approval_type === 'explicit_approve')?.receipt_id
+                    : undefined,
+                narrative: hasHumanApprovals(bundle)
+                    ? 'Cryptographic proof of Article 14 compliance. High-risk actions are mathematically locked until a HumanApprovalReceipt is signed by a verified operator.'
+                    : 'No human approval receipts present. Article 14 requires proof of human oversight for high-risk AI systems.',
+            },
+        ],
+        gaps: hasHumanApprovals(bundle)
+            ? []
+            : [
+                {
+                    control_id: 'Art14',
+                    description: 'No human approval receipts. EU AI Act Article 14 requires verifiable human oversight.',
+                    recommendation: 'Add human-in-the-loop approval gates. The harness should emit human_approval_receipts for high-risk operations.',
+                },
+            ],
+    };
+}
+// ---------------------------------------------------------------------------
+// Dispatcher
+// ---------------------------------------------------------------------------
+/**
+ * Generate a compliance report for any supported framework.
+ */
+export function generateComplianceReport(framework, bundle, policy, opts) {
+    switch (framework) {
+        case 'SOC2_Type2':
+            return mapToSOC2(bundle, policy, opts);
+        case 'ISO27001':
+            return mapToISO27001(bundle, policy, opts);
+        case 'EU_AI_Act':
+            return mapToEUAIAct(bundle, policy, opts);
+        case 'NIST_AI_RMF':
+            // TODO: Implement NIST AI RMF mapping
+            return {
+                report_version: '1',
+                framework: 'NIST_AI_RMF',
+                generated_at: new Date().toISOString(),
+                proof_bundle_hash_b64u: opts?.bundleHash ?? hashBundle(bundle),
+                agent_did: bundle.agent_did,
+                policy_hash_b64u: policy?.policy_hash_b64u,
+                controls: [],
+                gaps: [
+                    {
+                        control_id: 'GOVERN',
+                        description: 'NIST AI RMF compliance mapping is not yet implemented.',
+                        recommendation: 'Use SOC2 framework for current compliance reporting. NIST AI RMF support is planned.',
+                    },
+                ],
+            };
+        default: {
+            const _exhaustive = framework;
+            throw new Error(`Unknown compliance framework: ${_exhaustive}`);
+        }
+    }
+}
+//# sourceMappingURL=compliance.js.map

package/dist/compliance.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"compliance.js","sourceRoot":"","sources":["../src/compliance.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAkGH,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,UAAU,CAAC,MAA6B;IAC/C,+DAA+D;IAC/D,iEAAiE;IACjE,6BAA6B;IAC7B,OAAO,gCAAgC,CAAC;AAC1C,CAAC;AAED,SAAS,wBAAwB,CAAC,MAA6B;IAC7D,OAAO,CAAC,MAAM,CAAC,oBAAoB,IAAI,EAAE,CAAC,CAAC,IAAI,CAC7C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,KAAK,gBAAgB,CAC3C,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAAC,MAA6B;IACzD,OAAO,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,iBAAiB,CAAC,MAA6B;IACtD,OAAO,CAAC,MAAM,CAAC,uBAAuB,IAAI,EAAE,CAAC,CAAC,IAAI,CAChD,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,KAAK,kBAAkB,CAC9C,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA6B;IACvD,OAAO,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,aAAa,CAAC,MAA6B;IAClD,OAAO,CAAC,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;AAC/C,CAAC;AAED,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,SAAS,QAAQ,CACf,MAA6B,EAC7B,MAAyC;IAEzC,MAAM,OAAO,GAAkB;QAC7B,UAAU,EAAE,OAAO;QACnB,YAAY,EAAE,yBAAyB;QACvC,MAAM,EAAE,uBAAuB;KAChC,CAAC;IAEF,+DAA+D;IAC/D,IAAI,MAAM,EAAE,cAAc,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/D,MAAM,aAAa,GAAG,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;aAC1C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC;aAC5B,MAAM,CAAC,OAAO,CAAa,CAAC;QAE/B,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAChD,MAAM,CAAC,cAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,CACnC,CAAC;YACF,OAAO,CAAC,MAAM,GAAG,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;YACnD,OAAO,CAAC,aAAa,GAAG,KAAK,CAAC;YAC9B,OAAO,CAAC,YAAY,GAAG,MAAM,CAAC,gBAAgB,CAAC;YAC/C,OAAO,CAAC,SAAS,GAAG,eAAe;gBACjC,CAAC,CAAC,OAAO,aAAa,CAAC,MAAM,kEAAkE,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,qEAAqE;gBACpM,CAAC,CAAC,0FAA0F,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;QAC5H,CAAC;aAAM,IAAI,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC;YACtC,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;YACxB,OAAO,CAAC,aAAa,GAAG,iBAAiB,CAAC;YAC1C,OAAO,CAAC,YAAY,GAAG,MAAM,CAAC,QAAS,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,UAAU,CAAC;YAC/D,OAAO,CAAC,SAAS;gBACf,6GAA6G,CAAC;QAClH,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,SAAS;gBACf,kFAAkF,CAAC;QACvF,CAAC;IACH,CAAC;SAAM,IAAI,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC;QACtC,uDAAuD;QACvD,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;QACxB,OAAO,CAAC,aAAa,GAAG,iBAAiB,CAAC;QAC1C,OAAO,CAAC,YAAY,GAAG,MAAM,CAAC,QAAS,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,UAAU,CAAC;QAC/D,OAAO,CAAC,SAAS;YACf,yJAAyJ,CAAC;IAC9J,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,SAAS;YACf,sGAAsG,CAAC;IAC3G,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,QAAQ,CAAC,MAA6B;IAC7C,MAAM,OAAO,GAAkB;QAC7B,UAAU,EAAE,OAAO;QACnB,YAAY,EAAE,0BAA0B;QACxC,MAAM,EAAE,uBAAuB;KAChC,CAAC;IAEF,MAAM,eAAe,GAAG,CAAC,MAAM,CAAC,oBAAoB,IAAI,EAAE,CAAC,CAAC,MAAM,CAChE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,KAAK,gBAAgB,CAC3C,CAAC;IAEF,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;QACxB,OAAO,CAAC,aAAa,GAAG,qBAAqB,CAAC;QAC9C,OAAO,CAAC,YAAY,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;QACrD,OAAO,CAAC,SAAS,GAAG,GAAG,eAAe,CAAC,MAAM,4JAA4J,CAAC;IAC5M,CAAC;SAAM,IAAI,CAAC,MAAM,CAAC,oBAAoB,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1D,uDAAuD;QACvD,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;QACxB,OAAO,CAAC,aAAa,GAAG,qBAAqB,CAAC;QAC9C,OAAO,CAAC,YAAY,GAAG,MAAM,CAAC,oBAAqB,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;QAClE,OAAO,CAAC,SAAS;YACf,iHAAiH,CAAC;IACtH,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,SAAS;YACf,oIAAoI,CAAC;IACzI,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,QAAQ,CAAC,MAA6B;IAC7C,MAAM,OAAO,GAAkB;QAC7B,UAAU,EAAE,OAAO;QACnB,YAAY,EAAE,sBAAsB;QACpC,MAAM,EAAE,uBAAuB;KAChC,CAAC;IAEF,IAAI,oBAAoB,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;QACxB,OAAO,CAAC,aAAa,GAAG,cAAc,CAAC;QACvC,OAAO,CAAC,YAAY,GAAG,MAAM,CAAC,aAAc,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;QAC3D,OAAO,CAAC,SAAS,GAAG,GAAG,MAAM,CAAC,aAAc,CAAC,MAAM,oJAAoJ,CAAC;IAC1M,CAAC;SAAM,IAAI,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;QACxB,OAAO,CAAC,aAAa,GAAG,aAAa,CAAC;QACtC,OAAO,CAAC,SAAS;YACf,8KAA8K,CAAC;IACnL,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,SAAS;YACf,qFAAqF,CAAC;IAC1F,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,QAAQ,CAAC,MAA6B;IAC7C,MAAM,OAAO,GAAkB;QAC7B,UAAU,EAAE,OAAO;QACnB,YAAY,EAAE,mBAAmB;QACjC,MAAM,EAAE,uBAAuB;KAChC,CAAC;IAEF,IAAI,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;QACxB,OAAO,CAAC,aAAa,GAAG,aAAa,CAAC;QACtC,OAAO,CAAC,SAAS,GAAG,wCAAwC,MAAM,CAAC,WAAY,CAAC,MAAM,gLAAgL,CAAC;IACzQ,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,SAAS;YACf,8HAA8H,CAAC;IACnI,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,QAAQ,CAAC,MAA6B;IAC7C,MAAM,OAAO,GAAkB;QAC7B,UAAU,EAAE,OAAO;QACnB,YAAY,EAAE,mBAAmB;QACjC,MAAM,EAAE,uBAAuB;KAChC,CAAC;IAEF,IAAI,iBAAiB,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9B,MAAM,SAAS,GAAG,MAAM,CAAC,uBAAwB,CAAC,MAAM,CACtD,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,KAAK,kBAAkB,CAC9C,CAAC;QACF,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;QACxB,OAAO,CAAC,aAAa,GAAG,wBAAwB,CAAC;QACjD,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC;QAChD,OAAO,CAAC,SAAS,GAAG,GAAG,SAAS,CAAC,MAAM,yMAAyM,CAAC;IACnP,CAAC;SAAM,IAAI,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC;QACtC,0DAA0D;QAC1D,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;QACxB,OAAO,CAAC,aAAa,GAAG,iBAAiB,CAAC;QAC1C,OAAO,CAAC,YAAY,GAAG,MAAM,CAAC,QAAS,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,UAAU,CAAC;QAC/D,OAAO,CAAC,SAAS;YACf,2MAA2M,CAAC;IAChN,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,SAAS;YACf,2IAA2I,CAAC;IAChJ,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CACvB,MAA6B,EAC7B,MAA8B,EAC9B,IAA8B;IAE9B,MAAM,QAAQ,GAAoB;QAChC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;QACxB,QAAQ,CAAC,MAAM,CAAC;QAChB,QAAQ,CAAC,MAAM,CAAC;QAChB,QAAQ,CAAC,MAAM,CAAC;QAChB,QAAQ,CAAC,MAAM,CAAC;KACjB,CAAC;IAEF,MAAM,IAAI,GAAoB,EAAE,CAAC;IAEjC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YACxB,IAAI,CAAC,IAAI,CAAC;gBACR,UAAU,EAAE,CAAC,CAAC,UAAU;gBACxB,WAAW,EAAE,CAAC,CAAC,SAAS,IAAI,WAAW,CAAC,CAAC,UAAU,qBAAqB;gBACxE,cAAc,EAAE,cAAc,CAAC,CAAC,CAAC,UAAU,CAAC;aAC7C,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,CAAC,CAAC,MAAM,KAAK,uBAAuB,EAAE,CAAC;YAChD,IAAI,CAAC,IAAI,CAAC;gBACR,UAAU,EAAE,CAAC,CAAC,UAAU;gBACxB,WAAW,EAAE,CAAC,CAAC,SAAS,IAAI,6BAA6B,CAAC,CAAC,UAAU,GAAG;gBACxE,cAAc,EAAE,cAAc,CAAC,CAAC,CAAC,UAAU,CAAC;aAC7C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO;QACL,cAAc,EAAE,GAAG;QACnB,SAAS,EAAE,YAAY;QACvB,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtC,sBAAsB,EAAE,IAAI,EAAE,UAAU,IAAI,UAAU,CAAC,MAAM,CAAC;QAC9D,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,gBAAgB,EAAE,MAAM,EAAE,gBAAgB;QAC1C,QAAQ;QACR,IAAI;KACL,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,SAAiB;IACvC,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,OAAO;YACV,OAAO,gIAAgI,CAAC;QAC1I,KAAK,OAAO;YACV,OAAO,yFAAyF,CAAC;QACnG,KAAK,OAAO;YACV,OAAO,yGAAyG,CAAC;QACnH,KAAK,OAAO;YACV,OAAO,8IAA8I,CAAC;QACxJ,KAAK,OAAO;YACV,OAAO,+KAA+K,CAAC;QACzL;YACE,OAAO,yEAAyE,CAAC;IACrF,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,kEAAkE;AAClE,uBAAuB;AACvB,4DAA4D;AAC5D,oEAAoE;AACpE,yEAAyE;AACzE,gFAAgF;AAChF,qEAAqE;AACrE,MAAM,UAAU,aAAa,CAC3B,MAA6B,EAC7B,MAA8B,EAC9B,IAA8B;IAE9B,OAAO;QACL,cAAc,EAAE,GAAG;QACnB,SAAS,EAAE,UAAU;QACrB,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtC,sBAAsB,EAAE,IAAI,EAAE,UAAU,IAAI,UAAU,CAAC,MAAM,CAAC;QAC9D,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,gBAAgB,EAAE,MAAM,EAAE,gBAAgB;QAC1C,QAAQ,EAAE;YACR;gBACE,UAAU,EAAE,OAAO;gBACnB,YAAY,EAAE,uBAAuB;gBACrC,MAAM,EAAE,gBAAgB;gBACxB,SAAS,EAAE,kEAAkE;aAC9E;SACF;QACD,IAAI,EAAE;YACJ;gBACE,UAAU,EAAE,OAAO;gBACnB,WAAW,EAAE,sDAAsD;gBACnE,cAAc,EAAE,oFAAoF;aACrG;SACF;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,gDAAgD;AAChD,uBAAuB;AACvB,gDAAgD;AAChD,4DAA4D;AAC5D,mEAAmE;AACnE,6EAA6E;AAC7E,yEAAyE;AACzE,MAAM,UAAU,YAAY,CAC1B,MAA6B,EAC7B,MAA8B,EAC9B,IAA8B;IAE9B,OAAO;QACL,cAAc,EAAE,GAAG;QACnB,SAAS,EAAE,WAAW;QACtB,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtC,sBAAsB,EAAE,IAAI,EAAE,UAAU,IAAI,UAAU,CAAC,MAAM,CAAC;QAC9D,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,gBAAgB,EAAE,MAAM,EAAE,gBAAgB;QAC1C,QAAQ,EAAE;YACR;gBACE,UAAU,EAAE,OAAO;gBACnB,YAAY,EAAE,iBAAiB;gBAC/B,MAAM,EAAE,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,uBAAuB;gBACpE,aAAa,EAAE,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,SAAS;gBAC/E,YAAY,EAAE,iBAAiB,CAAC,MAAM,CAAC;oBACrC,CAAC,CAAC,MAAM,CAAC,uBAAuB,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,KAAK,kBAAkB,CAAC,EAAE,UAAU;oBACjG,CAAC,CAAC,SAAS;gBACb,SAAS,EAAE,iBAAiB,CAAC,MAAM,CAAC;oBAClC,CAAC,CAAC,0JAA0J;oBAC5J,CAAC,CAAC,4GAA4G;aACjH;SACF;QACD,IAAI,EAAE,iBAAiB,CAAC,MAAM,CAAC;YAC7B,CAAC,CAAC,EAAE;YACJ,CAAC,CAAC;gBACE;oBACE,UAAU,EAAE,OAAO;oBACnB,WAAW,EAAE,uFAAuF;oBACpG,cAAc,EAAE,iHAAiH;iBAClI;aACF;KACN,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;GAEG;AACH,MAAM,UAAU,wBAAwB,CACtC,SAA8B,EAC9B,MAA6B,EAC7B,MAA8B,EAC9B,IAA8B;IAE9B,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,YAAY;YACf,OAAO,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;QACzC,KAAK,UAAU;YACb,OAAO,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;QAC7C,KAAK,WAAW;YACd,OAAO,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;QAC5C,KAAK,aAAa;YAChB,sCAAsC;YACtC,OAAO;gBACL,cAAc,EAAE,GAAG;gBACnB,SAAS,EAAE,aAAa;gBACxB,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACtC,sBAAsB,EAAE,IAAI,EAAE,UAAU,IAAI,UAAU,CAAC,MAAM,CAAC;gBAC9D,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,gBAAgB,EAAE,MAAM,EAAE,gBAAgB;gBAC1C,QAAQ,EAAE,EAAE;gBACZ,IAAI,EAAE;oBACJ;wBACE,UAAU,EAAE,QAAQ;wBACpB,WAAW,EAAE,wDAAwD;wBACrE,cAAc,EAAE,sFAAsF;qBACvG;iBACF;aACF,CAAC;QACJ,OAAO,CAAC,CAAC,CAAC;YACR,MAAM,WAAW,GAAU,SAAS,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,iCAAiC,WAAW,EAAE,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/hashcash.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * hashcash.ts — Proof-of-Work for VaaS DoS protection
+ *
+ * Red Team Fix #8: Requires unauthenticated API callers to present a
+ * valid PoW token, making volumetric DoS economically infeasible.
+ *
+ * Uses WebCrypto (crypto.subtle) for Cloudflare Workers compatibility.
+ *
+ * Challenge format: `${dateHourUTC}:${clientIdentifier}`
+ * The client must find a nonce such that SHA-256(challenge + ":" + nonce)
+ * has `difficulty` leading zero hex characters.
+ *
+ * Default difficulty: 4 (approx 65,536 attempts, ~100ms on modern hardware).
+ */
+/** Default number of leading zero hex chars required. */
+export declare const DEFAULT_POW_DIFFICULTY = 4;
+/**
+ * Generate the current date-hour challenge component.
+ * Format: YYYYMMDDHH (UTC).
+ */
+export declare function getDateHourUTC(date?: Date): string;
+/**
+ * Build a challenge string from the date-hour and client identifier.
+ */
+export declare function buildChallenge(clientIdentifier: string, date?: Date): string;
+/**
+ * Find a nonce such that SHA-256(challenge + ":" + nonce) has `difficulty`
+ * leading zero hex characters.
+ *
+ * @param challenge  The challenge string (e.g. "2026021223:192.168.1.1")
+ * @param difficulty Number of leading zero hex chars required (default: 4)
+ * @returns          The nonce string that satisfies the PoW
+ */
+export declare function generatePoW(challenge: string, difficulty?: number): Promise<string>;
+/**
+ * Verify that a nonce satisfies the PoW requirement.
+ *
+ * @param challenge  The challenge string
+ * @param nonce      The claimed nonce
+ * @param difficulty Number of leading zero hex chars required (default: 4)
+ * @returns          true if the PoW is valid
+ */
+export declare function verifyPoW(challenge: string, nonce: string, difficulty?: number): Promise<boolean>;
+//# sourceMappingURL=hashcash.d.ts.map

package/dist/hashcash.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"hashcash.d.ts","sourceRoot":"","sources":["../src/hashcash.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,yDAAyD;AACzD,eAAO,MAAM,sBAAsB,IAAI,CAAC;AAExC;;;GAGG;AACH,wBAAgB,cAAc,CAAC,IAAI,CAAC,EAAE,IAAI,GAAG,MAAM,CAOlD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,gBAAgB,EAAE,MAAM,EACxB,IAAI,CAAC,EAAE,IAAI,GACV,MAAM,CAER;AA0BD;;;;;;;GAOG;AACH,wBAAsB,WAAW,CAC/B,SAAS,EAAE,MAAM,EACjB,UAAU,GAAE,MAA+B,GAC1C,OAAO,CAAC,MAAM,CAAC,CAcjB;AAED;;;;;;;GAOG;AACH,wBAAsB,SAAS,CAC7B,SAAS,EAAE,MAAM,EACjB,KAAK,EAAE,MAAM,EACb,UAAU,GAAE,MAA+B,GAC1C,OAAO,CAAC,OAAO,CAAC,CASlB"}