@framers/agentos 0.1.6 → 0.1.7

package/dist/core/provenance/verification/BundleExporter.js

@@ -0,0 +1,240 @@
+/**
+ * @file BundleExporter.ts
+ * @description Export and import verification bundles for offline chain verification.
+ * Bundles contain events, anchors, public key, and a bundle-level signature.
+ *
+ * @module AgentOS/Provenance/Verification
+ */
+import { AgentKeyManager } from '../crypto/AgentKeyManager.js';
+import { HashChain } from '../crypto/HashChain.js';
+import { ChainVerifier } from './ChainVerifier.js';
+// =============================================================================
+// BundleExporter
+// =============================================================================
+export class BundleExporter {
+    constructor(ledger, keyManager, anchorStorage = null, tablePrefix = '') {
+        this.ledger = ledger;
+        this.keyManager = keyManager;
+        this.anchorStorage = anchorStorage;
+        this.tablePrefix = tablePrefix;
+    }
+    /**
+     * Export a verification bundle containing all events, anchors, and public key.
+     * The bundle is signed for tamper evidence.
+     *
+     * @param fromSequence - Optional start sequence (inclusive). Defaults to 1.
+     * @param toSequence - Optional end sequence (inclusive). Defaults to latest.
+     * @returns A self-contained verification bundle.
+     */
+    async exportBundle(fromSequence, toSequence) {
+        // Get events
+        let events;
+        if (fromSequence !== undefined && toSequence !== undefined) {
+            events = await this.ledger.getEventsByRange(fromSequence, toSequence);
+        }
+        else {
+            events = await this.ledger.getAllEvents();
+        }
+        // Get anchors
+        let anchors = [];
+        if (this.anchorStorage) {
+            const rows = await this.anchorStorage.all(`SELECT * FROM ${this.tablePrefix}anchors ORDER BY sequence_from ASC`);
+            anchors = rows.map(row => ({
+                id: row.id,
+                merkleRoot: row.merkle_root,
+                sequenceFrom: row.sequence_from,
+                sequenceTo: row.sequence_to,
+                eventCount: row.event_count,
+                signature: row.signature,
+                timestamp: row.timestamp,
+                externalRef: row.external_ref ?? undefined,
+            }));
+            // Filter anchors to the requested range
+            if (fromSequence !== undefined || toSequence !== undefined) {
+                anchors = anchors.filter(a => {
+                    if (fromSequence !== undefined && a.sequenceTo < fromSequence)
+                        return false;
+                    if (toSequence !== undefined && a.sequenceFrom > toSequence)
+                        return false;
+                    return true;
+                });
+            }
+        }
+        const publicKey = this.keyManager.getPublicKeyBase64();
+        const exportedAt = new Date().toISOString();
+        // Compute bundle hash (hash of all event hashes + anchor merkle roots)
+        const contentHashes = [
+            ...events.map(e => e.hash),
+            ...anchors.map(a => a.merkleRoot),
+        ];
+        const bundleContentHash = HashChain.hash(contentHashes.join('|'));
+        // Sign the bundle
+        const bundleSignature = await this.keyManager.sign(bundleContentHash);
+        const bundle = {
+            version: '1.0.0',
+            agentId: events.length > 0 ? events[0].agentId : '',
+            publicKey,
+            events,
+            anchors,
+            exportedAt,
+            bundleHash: bundleContentHash,
+            bundleSignature,
+        };
+        return bundle;
+    }
+    /**
+     * Export a bundle as a JSONL string (one JSON object per line).
+     * Format:
+     *   Line 1: Bundle metadata (version, agentId, publicKey, exportedAt, bundleHash, bundleSignature)
+     *   Lines 2-N: One event per line
+     *   Lines N+1-M: One anchor per line (prefixed with type: 'anchor')
+     */
+    async exportAsJSONL(fromSequence, toSequence) {
+        const bundle = await this.exportBundle(fromSequence, toSequence);
+        const lines = [];
+        // Metadata line
+        lines.push(JSON.stringify({
+            type: 'metadata',
+            version: bundle.version,
+            agentId: bundle.agentId,
+            publicKey: bundle.publicKey,
+            exportedAt: bundle.exportedAt,
+            bundleHash: bundle.bundleHash,
+            bundleSignature: bundle.bundleSignature,
+            eventCount: bundle.events.length,
+            anchorCount: bundle.anchors.length,
+        }));
+        // Event lines
+        for (const event of bundle.events) {
+            lines.push(JSON.stringify({ _line: 'event', ...event }));
+        }
+        // Anchor lines
+        for (const anchor of bundle.anchors) {
+            lines.push(JSON.stringify({ _line: 'anchor', ...anchor }));
+        }
+        return lines.join('\n');
+    }
+    /**
+     * Import and verify a bundle. Works completely offline (no DB required).
+     *
+     * @param bundle - The verification bundle to verify.
+     * @returns Verification result.
+     */
+    static async importAndVerify(bundle) {
+        const errors = [];
+        const warnings = [];
+        // 1. Verify bundle signature
+        const contentHashes = [
+            ...bundle.events.map(e => e.hash),
+            ...bundle.anchors.map(a => a.merkleRoot),
+        ];
+        const recomputedBundleHash = HashChain.hash(contentHashes.join('|'));
+        if (recomputedBundleHash !== bundle.bundleHash) {
+            errors.push({
+                eventId: '',
+                sequence: 0,
+                code: 'BUNDLE_HASH_MISMATCH',
+                message: 'Bundle content hash does not match. Bundle may have been tampered with.',
+            });
+        }
+        if (bundle.bundleSignature && bundle.publicKey) {
+            try {
+                const sigValid = await AgentKeyManager.verifySignature(bundle.bundleHash, bundle.bundleSignature, bundle.publicKey);
+                if (!sigValid) {
+                    errors.push({
+                        eventId: '',
+                        sequence: 0,
+                        code: 'BUNDLE_SIGNATURE_INVALID',
+                        message: 'Bundle signature is invalid.',
+                    });
+                }
+            }
+            catch (e) {
+                errors.push({
+                    eventId: '',
+                    sequence: 0,
+                    code: 'BUNDLE_SIGNATURE_INVALID',
+                    message: `Bundle signature verification failed: ${e.message}`,
+                });
+            }
+        }
+        // 2. Verify the event chain
+        const chainResult = await ChainVerifier.verify(bundle.events, bundle.publicKey);
+        // 3. Verify anchors reference valid event ranges
+        for (const anchor of bundle.anchors) {
+            const anchorEvents = bundle.events.filter(e => e.sequence >= anchor.sequenceFrom && e.sequence <= anchor.sequenceTo);
+            if (anchorEvents.length !== anchor.eventCount) {
+                warnings.push(`Anchor ${anchor.id}: expected ${anchor.eventCount} events in range [${anchor.sequenceFrom}, ${anchor.sequenceTo}], found ${anchorEvents.length} in bundle.`);
+            }
+            // Verify anchor signature
+            if (anchor.signature && bundle.publicKey) {
+                try {
+                    const sigValid = await AgentKeyManager.verifySignature(anchor.merkleRoot, anchor.signature, bundle.publicKey);
+                    if (!sigValid) {
+                        errors.push({
+                            eventId: anchor.id,
+                            sequence: anchor.sequenceFrom,
+                            code: 'ANCHOR_SIGNATURE_INVALID',
+                            message: `Anchor ${anchor.id} signature is invalid.`,
+                        });
+                    }
+                }
+                catch (e) {
+                    errors.push({
+                        eventId: anchor.id,
+                        sequence: anchor.sequenceFrom,
+                        code: 'ANCHOR_SIGNATURE_INVALID',
+                        message: `Anchor ${anchor.id} signature verification failed: ${e.message}`,
+                    });
+                }
+            }
+        }
+        return {
+            valid: errors.length === 0 && chainResult.valid,
+            eventsVerified: bundle.events.length,
+            errors: [...errors, ...chainResult.errors],
+            warnings: [...warnings, ...chainResult.warnings],
+            firstSequence: bundle.events.length > 0 ? bundle.events[0].sequence : undefined,
+            lastSequence: bundle.events.length > 0 ? bundle.events[bundle.events.length - 1].sequence : undefined,
+            agentId: bundle.agentId,
+            verifiedAt: new Date().toISOString(),
+        };
+    }
+    /**
+     * Parse a JSONL bundle string back into a VerificationBundle.
+     */
+    static parseJSONL(jsonl) {
+        const lines = jsonl.trim().split('\n').filter(l => l.length > 0);
+        if (lines.length === 0) {
+            throw new Error('Empty JSONL bundle');
+        }
+        const metadataLine = JSON.parse(lines[0]);
+        if (metadataLine.type !== 'metadata') {
+            throw new Error('First line must be metadata');
+        }
+        const events = [];
+        const anchors = [];
+        for (let i = 1; i < lines.length; i++) {
+            const obj = JSON.parse(lines[i]);
+            if (obj._line === 'event') {
+                const { _line, ...event } = obj;
+                events.push(event);
+            }
+            else if (obj._line === 'anchor') {
+                const { _line, ...anchor } = obj;
+                anchors.push(anchor);
+            }
+        }
+        return {
+            version: metadataLine.version,
+            agentId: metadataLine.agentId,
+            publicKey: metadataLine.publicKey,
+            events,
+            anchors,
+            exportedAt: metadataLine.exportedAt,
+            bundleHash: metadataLine.bundleHash,
+            bundleSignature: metadataLine.bundleSignature,
+        };
+    }
+}
+//# sourceMappingURL=BundleExporter.js.map

package/dist/core/provenance/verification/BundleExporter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"BundleExporter.js","sourceRoot":"","sources":["../../../../src/core/provenance/verification/BundleExporter.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AASH,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC/D,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAUnD,gFAAgF;AAChF,iBAAiB;AACjB,gFAAgF;AAEhF,MAAM,OAAO,cAAc;IAMzB,YACE,MAAyB,EACzB,UAA2B,EAC3B,gBAA6C,IAAI,EACjD,cAAsB,EAAE;QAExB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;QACnC,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;IACjC,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,YAAY,CAChB,YAAqB,EACrB,UAAmB;QAEnB,aAAa;QACb,IAAI,MAAqB,CAAC;QAC1B,IAAI,YAAY,KAAK,SAAS,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC3D,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;QACxE,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QAC5C,CAAC;QAED,cAAc;QACd,IAAI,OAAO,GAAmB,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CACvC,iBAAiB,IAAI,CAAC,WAAW,oCAAoC,CACtE,CAAC;YACF,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBACzB,EAAE,EAAE,GAAG,CAAC,EAAE;gBACV,UAAU,EAAE,GAAG,CAAC,WAAW;gBAC3B,YAAY,EAAE,GAAG,CAAC,aAAa;gBAC/B,UAAU,EAAE,GAAG,CAAC,WAAW;gBAC3B,UAAU,EAAE,GAAG,CAAC,WAAW;gBAC3B,SAAS,EAAE,GAAG,CAAC,SAAS;gBACxB,SAAS,EAAE,GAAG,CAAC,SAAS;gBACxB,WAAW,EAAE,GAAG,CAAC,YAAY,IAAI,SAAS;aAC3C,CAAC,CAAC,CAAC;YAEJ,wCAAwC;YACxC,IAAI,YAAY,KAAK,SAAS,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;gBAC3D,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;oBAC3B,IAAI,YAAY,KAAK,SAAS,IAAI,CAAC,CAAC,UAAU,GAAG,YAAY;wBAAE,OAAO,KAAK,CAAC;oBAC5E,IAAI,UAAU,KAAK,SAAS,IAAI,CAAC,CAAC,YAAY,GAAG,UAAU;wBAAE,OAAO,KAAK,CAAC;oBAC1E,OAAO,IAAI,CAAC;gBACd,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,kBAAkB,EAAE,CAAC;QACvD,MAAM,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAE5C,uEAAuE;QACvE,MAAM,aAAa,GAAG;YACpB,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;YAC1B,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC;SAClC,CAAC;QACF,MAAM,iBAAiB,GAAG,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAElE,kBAAkB;QAClB,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAEtE,MAAM,MAAM,GAAuB;YACjC,OAAO,EAAE,OAAO;YAChB,OAAO,EAAE,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;YACnD,SAAS;YACT,MAAM;YACN,OAAO;YACP,UAAU;YACV,UAAU,EAAE,iBAAiB;YAC7B,eAAe;SAChB,CAAC;QAEF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,aAAa,CACjB,YAAqB,EACrB,UAAmB;QAEnB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;QACjE,MAAM,KAAK,GAAa,EAAE,CAAC;QAE3B,gBAAgB;QAChB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACxB,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM;YAChC,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM;SACnC,CAAC,CAAC,CAAC;QAEJ,cAAc;QACd,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC;QAC3D,CAAC;QAED,eAAe;QACf,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,MAAM,EAAE,CAAC,CAAC,CAAC;QAC7D,CAAC;QAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,MAA0B;QACrD,MAAM,MAAM,GAAiC,EAAE,CAAC;QAChD,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,6BAA6B;QAC7B,MAAM,aAAa,GAAG;YACpB,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;YACjC,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC;SACzC,CAAC;QACF,MAAM,oBAAoB,GAAG,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAErE,IAAI,oBAAoB,KAAK,MAAM,CAAC,UAAU,EAAE,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,EAAE;gBACX,QAAQ,EAAE,CAAC;gBACX,IAAI,EAAE,sBAAsB;gBAC5B,OAAO,EAAE,yEAAyE;aACnF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,MAAM,CAAC,eAAe,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YAC/C,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,eAAe,CACpD,MAAM,CAAC,UAAU,EACjB,MAAM,CAAC,eAAe,EACtB,MAAM,CAAC,SAAS,CACjB,CAAC;gBACF,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,MAAM,CAAC,IAAI,CAAC;wBACV,OAAO,EAAE,EAAE;wBACX,QAAQ,EAAE,CAAC;wBACX,IAAI,EAAE,0BAA0B;wBAChC,OAAO,EAAE,8BAA8B;qBACxC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,MAAM,CAAC,IAAI,CAAC;oBACV,OAAO,EAAE,EAAE;oBACX,QAAQ,EAAE,CAAC;oBACX,IAAI,EAAE,0BAA0B;oBAChC,OAAO,EAAE,yCAAyC,CAAC,CAAC,OAAO,EAAE;iBAC9D,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,4BAA4B;QAC5B,MAAM,WAAW,GAAG,MAAM,aAAa,CAAC,MAAM,CAC5C,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,SAAS,CACjB,CAAC;QAEF,iDAAiD;QACjD,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CACvC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,IAAI,MAAM,CAAC,YAAY,IAAI,CAAC,CAAC,QAAQ,IAAI,MAAM,CAAC,UAAU,CAC1E,CAAC;YAEF,IAAI,YAAY,CAAC,MAAM,KAAK,MAAM,CAAC,UAAU,EAAE,CAAC;gBAC9C,QAAQ,CAAC,IAAI,CACX,UAAU,MAAM,CAAC,EAAE,cAAc,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,YAAY,KAAK,MAAM,CAAC,UAAU,YAAY,YAAY,CAAC,MAAM,aAAa,CAC7J,CAAC;YACJ,CAAC;YAED,0BAA0B;YAC1B,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBACzC,IAAI,CAAC;oBACH,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,eAAe,CACpD,MAAM,CAAC,UAAU,EACjB,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,SAAS,CACjB,CAAC;oBACF,IAAI,CAAC,QAAQ,EAAE,CAAC;wBACd,MAAM,CAAC,IAAI,CAAC;4BACV,OAAO,EAAE,MAAM,CAAC,EAAE;4BAClB,QAAQ,EAAE,MAAM,CAAC,YAAY;4BAC7B,IAAI,EAAE,0BAA0B;4BAChC,OAAO,EAAE,UAAU,MAAM,CAAC,EAAE,wBAAwB;yBACrD,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAAC,OAAO,CAAM,EAAE,CAAC;oBAChB,MAAM,CAAC,IAAI,CAAC;wBACV,OAAO,EAAE,MAAM,CAAC,EAAE;wBAClB,QAAQ,EAAE,MAAM,CAAC,YAAY;wBAC7B,IAAI,EAAE,0BAA0B;wBAChC,OAAO,EAAE,UAAU,MAAM,CAAC,EAAE,mCAAmC,CAAC,CAAC,OAAO,EAAE;qBAC3E,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,WAAW,CAAC,KAAK;YAC/C,cAAc,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM;YACpC,MAAM,EAAE,CAAC,GAAG,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC;YAC1C,QAAQ,EAAE,CAAC,GAAG,QAAQ,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC;YAChD,aAAa,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;YAC/E,YAAY,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;YACrG,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACrC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,UAAU,CAAC,KAAa;QAC7B,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACjE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;QACxC,CAAC;QAED,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1C,IAAI,YAAY,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QAED,MAAM,MAAM,GAAkB,EAAE,CAAC;QACjC,MAAM,OAAO,GAAmB,EAAE,CAAC;QAEnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACjC,IAAI,GAAG,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;gBAC1B,MAAM,EAAE,KAAK,EAAE,GAAG,KAAK,EAAE,GAAG,GAAG,CAAC;gBAChC,MAAM,CAAC,IAAI,CAAC,KAAoB,CAAC,CAAC;YACpC,CAAC;iBAAM,IAAI,GAAG,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAClC,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,EAAE,GAAG,GAAG,CAAC;gBACjC,OAAO,CAAC,IAAI,CAAC,MAAsB,CAAC,CAAC;YACvC,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,YAAY,CAAC,OAAO;YAC7B,OAAO,EAAE,YAAY,CAAC,OAAO;YAC7B,SAAS,EAAE,YAAY,CAAC,SAAS;YACjC,MAAM;YACN,OAAO;YACP,UAAU,EAAE,YAAY,CAAC,UAAU;YACnC,UAAU,EAAE,YAAY,CAAC,UAAU;YACnC,eAAe,EAAE,YAAY,CAAC,eAAe;SAC9C,CAAC;IACJ,CAAC;CACF"}

package/dist/core/provenance/verification/ChainVerifier.d.ts

@@ -0,0 +1,39 @@
+/**
+ * @file ChainVerifier.ts
+ * @description Verifies the integrity of the signed event hash chain.
+ * Checks sequence continuity, hash linkage, payload hashes, signatures,
+ * and timestamp monotonicity.
+ *
+ * @module AgentOS/Provenance/Verification
+ */
+import type { SignedEvent, VerificationResult } from '../types.js';
+export declare class ChainVerifier {
+    /**
+     * Verify an ordered array of signed events for chain integrity.
+     *
+     * Checks performed:
+     * 1. Sequence continuity (monotonically increasing, no gaps)
+     * 2. Hash linkage (each event's prevHash matches the prior event's hash)
+     * 3. Payload hash integrity (recomputed hash matches stored payloadHash)
+     * 4. Event hash integrity (recomputed hash matches stored hash)
+     * 5. Ed25519 signature verification (if signatures present)
+     * 6. Timestamp monotonicity (non-decreasing)
+     *
+     * @param events - Ordered array of SignedEvent objects (sorted by sequence ASC).
+     * @param publicKeyBase64 - Optional public key for signature verification.
+     *                          If omitted, uses each event's signerPublicKey field.
+     * @param hashAlgorithm - Hash algorithm used (default: 'sha256').
+     * @returns VerificationResult with validity status and any errors found.
+     */
+    static verify(events: SignedEvent[], publicKeyBase64?: string, hashAlgorithm?: 'sha256'): Promise<VerificationResult>;
+    /**
+     * Quick integrity check - returns true/false without detailed errors.
+     */
+    static isValid(events: SignedEvent[], publicKeyBase64?: string): Promise<boolean>;
+    /**
+     * Verify a sub-chain (range of events) within a larger chain.
+     * The first event's prevHash is trusted as a starting point.
+     */
+    static verifySubChain(events: SignedEvent[], expectedStartPrevHash: string, publicKeyBase64?: string): Promise<VerificationResult>;
+}
+//# sourceMappingURL=ChainVerifier.d.ts.map

package/dist/core/provenance/verification/ChainVerifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ChainVerifier.d.ts","sourceRoot":"","sources":["../../../../src/core/provenance/verification/ChainVerifier.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,kBAAkB,EAAqB,MAAM,aAAa,CAAC;AAQtF,qBAAa,aAAa;IACxB;;;;;;;;;;;;;;;;OAgBG;WACU,MAAM,CACjB,MAAM,EAAE,WAAW,EAAE,EACrB,eAAe,CAAC,EAAE,MAAM,EACxB,aAAa,GAAE,QAAmB,GACjC,OAAO,CAAC,kBAAkB,CAAC;IAyJ9B;;OAEG;WACU,OAAO,CAClB,MAAM,EAAE,WAAW,EAAE,EACrB,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,OAAO,CAAC;IAKnB;;;OAGG;WACU,cAAc,CACzB,MAAM,EAAE,WAAW,EAAE,EACrB,qBAAqB,EAAE,MAAM,EAC7B,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,kBAAkB,CAAC;CA+B/B"}

package/dist/core/provenance/verification/ChainVerifier.js

@@ -0,0 +1,204 @@
+/**
+ * @file ChainVerifier.ts
+ * @description Verifies the integrity of the signed event hash chain.
+ * Checks sequence continuity, hash linkage, payload hashes, signatures,
+ * and timestamp monotonicity.
+ *
+ * @module AgentOS/Provenance/Verification
+ */
+import { HashChain } from '../crypto/HashChain.js';
+import { AgentKeyManager } from '../crypto/AgentKeyManager.js';
+// =============================================================================
+// ChainVerifier
+// =============================================================================
+export class ChainVerifier {
+    /**
+     * Verify an ordered array of signed events for chain integrity.
+     *
+     * Checks performed:
+     * 1. Sequence continuity (monotonically increasing, no gaps)
+     * 2. Hash linkage (each event's prevHash matches the prior event's hash)
+     * 3. Payload hash integrity (recomputed hash matches stored payloadHash)
+     * 4. Event hash integrity (recomputed hash matches stored hash)
+     * 5. Ed25519 signature verification (if signatures present)
+     * 6. Timestamp monotonicity (non-decreasing)
+     *
+     * @param events - Ordered array of SignedEvent objects (sorted by sequence ASC).
+     * @param publicKeyBase64 - Optional public key for signature verification.
+     *                          If omitted, uses each event's signerPublicKey field.
+     * @param hashAlgorithm - Hash algorithm used (default: 'sha256').
+     * @returns VerificationResult with validity status and any errors found.
+     */
+    static async verify(events, publicKeyBase64, hashAlgorithm = 'sha256') {
+        const errors = [];
+        const warnings = [];
+        if (events.length === 0) {
+            return {
+                valid: true,
+                eventsVerified: 0,
+                errors: [],
+                warnings: ['Empty event chain provided.'],
+                verifiedAt: new Date().toISOString(),
+            };
+        }
+        // Check first event
+        const first = events[0];
+        if (first.sequence !== 1) {
+            warnings.push(`Chain does not start at sequence 1 (starts at ${first.sequence}). Partial chain verification.`);
+        }
+        let previousEvent = null;
+        for (let i = 0; i < events.length; i++) {
+            const event = events[i];
+            // 1. Sequence continuity
+            if (previousEvent && event.sequence !== previousEvent.sequence + 1) {
+                errors.push({
+                    eventId: event.id,
+                    sequence: event.sequence,
+                    code: 'SEQUENCE_GAP',
+                    message: `Sequence gap: expected ${previousEvent.sequence + 1}, got ${event.sequence}`,
+                });
+            }
+            // 2. Hash linkage
+            const expectedPrevHash = previousEvent ? previousEvent.hash : '';
+            if (event.prevHash !== expectedPrevHash) {
+                // Allow first event in partial chain to have any prevHash
+                if (i > 0) {
+                    errors.push({
+                        eventId: event.id,
+                        sequence: event.sequence,
+                        code: 'HASH_CHAIN_BROKEN',
+                        message: `Hash chain broken at sequence ${event.sequence}: prevHash does not match previous event's hash`,
+                    });
+                }
+            }
+            // 3. Payload hash integrity
+            const recomputedPayloadHash = HashChain.computePayloadHash(event.payload, hashAlgorithm);
+            if (recomputedPayloadHash !== event.payloadHash) {
+                errors.push({
+                    eventId: event.id,
+                    sequence: event.sequence,
+                    code: 'PAYLOAD_HASH_MISMATCH',
+                    message: `Payload hash mismatch at sequence ${event.sequence}: payload may have been tampered with`,
+                });
+            }
+            // 4. Event hash integrity
+            const recomputedEventHash = HashChain.computeEventHash({
+                sequence: event.sequence,
+                type: event.type,
+                timestamp: event.timestamp,
+                agentId: event.agentId,
+                prevHash: event.prevHash,
+                payloadHash: event.payloadHash,
+            }, hashAlgorithm);
+            if (recomputedEventHash !== event.hash) {
+                errors.push({
+                    eventId: event.id,
+                    sequence: event.sequence,
+                    code: 'EVENT_HASH_MISMATCH',
+                    message: `Event hash mismatch at sequence ${event.sequence}: event data may have been tampered with`,
+                });
+            }
+            // 5. Signature verification
+            if (event.signature && event.signature.length > 0) {
+                const pubKey = publicKeyBase64 || event.signerPublicKey;
+                if (pubKey) {
+                    try {
+                        const isValid = await AgentKeyManager.verifySignature(event.hash, event.signature, pubKey);
+                        if (!isValid) {
+                            errors.push({
+                                eventId: event.id,
+                                sequence: event.sequence,
+                                code: 'SIGNATURE_INVALID',
+                                message: `Invalid signature at sequence ${event.sequence}`,
+                            });
+                        }
+                    }
+                    catch (e) {
+                        errors.push({
+                            eventId: event.id,
+                            sequence: event.sequence,
+                            code: 'SIGNATURE_INVALID',
+                            message: `Signature verification failed at sequence ${event.sequence}: ${e.message}`,
+                        });
+                    }
+                }
+                else {
+                    warnings.push(`Event ${event.id} (seq ${event.sequence}) has signature but no public key for verification.`);
+                }
+            }
+            // 6. Timestamp monotonicity
+            if (previousEvent) {
+                const prevTime = new Date(previousEvent.timestamp).getTime();
+                const currTime = new Date(event.timestamp).getTime();
+                if (currTime < prevTime) {
+                    errors.push({
+                        eventId: event.id,
+                        sequence: event.sequence,
+                        code: 'TIMESTAMP_REGRESSION',
+                        message: `Timestamp regression at sequence ${event.sequence}: ${event.timestamp} is before ${previousEvent.timestamp}`,
+                    });
+                }
+            }
+            previousEvent = event;
+        }
+        // Check agent ID consistency
+        const agentIds = new Set(events.map(e => e.agentId));
+        if (agentIds.size > 1) {
+            warnings.push(`Multiple agent IDs found in chain: ${[...agentIds].join(', ')}. This may indicate events from different agents.`);
+        }
+        // Check signer key consistency
+        const signerKeys = new Set(events.filter(e => e.signerPublicKey).map(e => e.signerPublicKey));
+        if (signerKeys.size > 1) {
+            warnings.push(`Multiple signer public keys found. Key rotation may have occurred.`);
+        }
+        return {
+            valid: errors.length === 0,
+            eventsVerified: events.length,
+            errors,
+            warnings,
+            firstSequence: events[0].sequence,
+            lastSequence: events[events.length - 1].sequence,
+            agentId: events[0].agentId,
+            verifiedAt: new Date().toISOString(),
+        };
+    }
+    /**
+     * Quick integrity check - returns true/false without detailed errors.
+     */
+    static async isValid(events, publicKeyBase64) {
+        const result = await ChainVerifier.verify(events, publicKeyBase64);
+        return result.valid;
+    }
+    /**
+     * Verify a sub-chain (range of events) within a larger chain.
+     * The first event's prevHash is trusted as a starting point.
+     */
+    static async verifySubChain(events, expectedStartPrevHash, publicKeyBase64) {
+        if (events.length === 0) {
+            return {
+                valid: true,
+                eventsVerified: 0,
+                errors: [],
+                warnings: ['Empty sub-chain provided.'],
+                verifiedAt: new Date().toISOString(),
+            };
+        }
+        const errors = [];
+        // Verify the sub-chain connects to the expected starting point
+        if (events[0].prevHash !== expectedStartPrevHash) {
+            errors.push({
+                eventId: events[0].id,
+                sequence: events[0].sequence,
+                code: 'HASH_CHAIN_BROKEN',
+                message: `Sub-chain does not connect: expected prevHash '${expectedStartPrevHash}', got '${events[0].prevHash}'`,
+            });
+        }
+        const chainResult = await ChainVerifier.verify(events, publicKeyBase64);
+        return {
+            ...chainResult,
+            valid: chainResult.valid && errors.length === 0,
+            errors: [...errors, ...chainResult.errors],
+        };
+    }
+}
+//# sourceMappingURL=ChainVerifier.js.map

package/dist/core/provenance/verification/ChainVerifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ChainVerifier.js","sourceRoot":"","sources":["../../../../src/core/provenance/verification/ChainVerifier.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAE/D,gFAAgF;AAChF,gBAAgB;AAChB,gFAAgF;AAEhF,MAAM,OAAO,aAAa;IACxB;;;;;;;;;;;;;;;;OAgBG;IACH,MAAM,CAAC,KAAK,CAAC,MAAM,CACjB,MAAqB,EACrB,eAAwB,EACxB,gBAA0B,QAAQ;QAElC,MAAM,MAAM,GAAwB,EAAE,CAAC;QACvC,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,cAAc,EAAE,CAAC;gBACjB,MAAM,EAAE,EAAE;gBACV,QAAQ,EAAE,CAAC,6BAA6B,CAAC;gBACzC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACrC,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACxB,IAAI,KAAK,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;YACzB,QAAQ,CAAC,IAAI,CAAC,iDAAiD,KAAK,CAAC,QAAQ,gCAAgC,CAAC,CAAC;QACjH,CAAC;QAED,IAAI,aAAa,GAAuB,IAAI,CAAC;QAE7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YAExB,yBAAyB;YACzB,IAAI,aAAa,IAAI,KAAK,CAAC,QAAQ,KAAK,aAAa,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;gBACnE,MAAM,CAAC,IAAI,CAAC;oBACV,OAAO,EAAE,KAAK,CAAC,EAAE;oBACjB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,IAAI,EAAE,cAAc;oBACpB,OAAO,EAAE,0BAA0B,aAAa,CAAC,QAAQ,GAAG,CAAC,SAAS,KAAK,CAAC,QAAQ,EAAE;iBACvF,CAAC,CAAC;YACL,CAAC;YAED,kBAAkB;YAClB,MAAM,gBAAgB,GAAG,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YACjE,IAAI,KAAK,CAAC,QAAQ,KAAK,gBAAgB,EAAE,CAAC;gBACxC,0DAA0D;gBAC1D,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,CAAC;wBACV,OAAO,EAAE,KAAK,CAAC,EAAE;wBACjB,QAAQ,EAAE,KAAK,CAAC,QAAQ;wBACxB,IAAI,EAAE,mBAAmB;wBACzB,OAAO,EAAE,iCAAiC,KAAK,CAAC,QAAQ,iDAAiD;qBAC1G,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,4BAA4B;YAC5B,MAAM,qBAAqB,GAAG,SAAS,CAAC,kBAAkB,CAAC,KAAK,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;YACzF,IAAI,qBAAqB,KAAK,KAAK,CAAC,WAAW,EAAE,CAAC;gBAChD,MAAM,CAAC,IAAI,CAAC;oBACV,OAAO,EAAE,KAAK,CAAC,EAAE;oBACjB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,IAAI,EAAE,uBAAuB;oBAC7B,OAAO,EAAE,qCAAqC,KAAK,CAAC,QAAQ,uCAAuC;iBACpG,CAAC,CAAC;YACL,CAAC;YAED,0BAA0B;YAC1B,MAAM,mBAAmB,GAAG,SAAS,CAAC,gBAAgB,CACpD;gBACE,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,WAAW,EAAE,KAAK,CAAC,WAAW;aAC/B,EACD,aAAa,CACd,CAAC;YACF,IAAI,mBAAmB,KAAK,KAAK,CAAC,IAAI,EAAE,CAAC;gBACvC,MAAM,CAAC,IAAI,CAAC;oBACV,OAAO,EAAE,KAAK,CAAC,EAAE;oBACjB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,IAAI,EAAE,qBAAqB;oBAC3B,OAAO,EAAE,mCAAmC,KAAK,CAAC,QAAQ,0CAA0C;iBACrG,CAAC,CAAC;YACL,CAAC;YAED,4BAA4B;YAC5B,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClD,MAAM,MAAM,GAAG,eAAe,IAAI,KAAK,CAAC,eAAe,CAAC;gBACxD,IAAI,MAAM,EAAE,CAAC;oBACX,IAAI,CAAC;wBACH,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,eAAe,CACnD,KAAK,CAAC,IAAI,EACV,KAAK,CAAC,SAAS,EACf,MAAM,CACP,CAAC;wBACF,IAAI,CAAC,OAAO,EAAE,CAAC;4BACb,MAAM,CAAC,IAAI,CAAC;gCACV,OAAO,EAAE,KAAK,CAAC,EAAE;gCACjB,QAAQ,EAAE,KAAK,CAAC,QAAQ;gCACxB,IAAI,EAAE,mBAAmB;gCACzB,OAAO,EAAE,iCAAiC,KAAK,CAAC,QAAQ,EAAE;6BAC3D,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;oBAAC,OAAO,CAAM,EAAE,CAAC;wBAChB,MAAM,CAAC,IAAI,CAAC;4BACV,OAAO,EAAE,KAAK,CAAC,EAAE;4BACjB,QAAQ,EAAE,KAAK,CAAC,QAAQ;4BACxB,IAAI,EAAE,mBAAmB;4BACzB,OAAO,EAAE,6CAA6C,KAAK,CAAC,QAAQ,KAAK,CAAC,CAAC,OAAO,EAAE;yBACrF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,QAAQ,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,EAAE,SAAS,KAAK,CAAC,QAAQ,qDAAqD,CAAC,CAAC;gBAC/G,CAAC;YACH,CAAC;YAED,4BAA4B;YAC5B,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;gBAC7D,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;gBACrD,IAAI,QAAQ,GAAG,QAAQ,EAAE,CAAC;oBACxB,MAAM,CAAC,IAAI,CAAC;wBACV,OAAO,EAAE,KAAK,CAAC,EAAE;wBACjB,QAAQ,EAAE,KAAK,CAAC,QAAQ;wBACxB,IAAI,EAAE,sBAAsB;wBAC5B,OAAO,EAAE,oCAAoC,KAAK,CAAC,QAAQ,KAAK,KAAK,CAAC,SAAS,cAAc,aAAa,CAAC,SAAS,EAAE;qBACvH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,aAAa,GAAG,KAAK,CAAC;QACxB,CAAC;QAED,6BAA6B;QAC7B,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;QACrD,IAAI,QAAQ,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YACtB,QAAQ,CAAC,IAAI,CAAC,sCAAsC,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;QACnI,CAAC;QAED,+BAA+B;QAC/B,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC;QAC9F,IAAI,UAAU,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YACxB,QAAQ,CAAC,IAAI,CAAC,oEAAoE,CAAC,CAAC;QACtF,CAAC;QAED,OAAO;YACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;YAC1B,cAAc,EAAE,MAAM,CAAC,MAAM;YAC7B,MAAM;YACN,QAAQ;YACR,aAAa,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ;YACjC,YAAY,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,QAAQ;YAChD,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO;YAC1B,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACrC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,OAAO,CAClB,MAAqB,EACrB,eAAwB;QAExB,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;QACnE,OAAO,MAAM,CAAC,KAAK,CAAC;IACtB,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,KAAK,CAAC,cAAc,CACzB,MAAqB,EACrB,qBAA6B,EAC7B,eAAwB;QAExB,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,cAAc,EAAE,CAAC;gBACjB,MAAM,EAAE,EAAE;gBACV,QAAQ,EAAE,CAAC,2BAA2B,CAAC;gBACvC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACrC,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAwB,EAAE,CAAC;QAEvC,+DAA+D;QAC/D,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,KAAK,qBAAqB,EAAE,CAAC;YACjD,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE;gBACrB,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ;gBAC5B,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,kDAAkD,qBAAqB,WAAW,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,GAAG;aACjH,CAAC,CAAC;QACL,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;QAExE,OAAO;YACL,GAAG,WAAW;YACd,KAAK,EAAE,WAAW,CAAC,KAAK,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAC/C,MAAM,EAAE,CAAC,GAAG,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC;SAC3C,CAAC;IACJ,CAAC;CACF"}

package/dist/core/provenance/verification/ConversationVerifier.d.ts

@@ -0,0 +1,56 @@
+/**
+ * @file ConversationVerifier.ts
+ * @description Convenience verifier for conversation-level provenance checks.
+ * Filters events by conversation ID and verifies the sub-chain.
+ *
+ * @module AgentOS/Provenance/Verification
+ */
+import type { VerificationResult } from '../types.js';
+import type { SignedEventLedger } from '../ledger/SignedEventLedger.js';
+export interface ConversationVerificationResult extends VerificationResult {
+    conversationId: string;
+    messageCount: number;
+    hasGenesis: boolean;
+    hasHumanInterventions: boolean;
+    humanInterventionCount: number;
+    isFullyAutonomous: boolean;
+}
+export declare class ConversationVerifier {
+    private readonly ledger;
+    constructor(ledger: SignedEventLedger);
+    /**
+     * Verify the provenance chain for a specific conversation.
+     *
+     * @param conversationId - The conversation ID to verify.
+     * @param publicKeyBase64 - Optional public key for signature verification.
+     * @returns Detailed verification result including conversation-specific metadata.
+     */
+    verifyConversation(conversationId: string, publicKeyBase64?: string): Promise<ConversationVerificationResult>;
+    /**
+     * Verify a single post/message within a conversation.
+     * Checks that the message event exists and its chain position is valid.
+     *
+     * @param messageId - The message ID to verify.
+     * @param publicKeyBase64 - Optional public key for signature verification.
+     */
+    verifyMessage(messageId: string, publicKeyBase64?: string): Promise<VerificationResult & {
+        messageId: string;
+        found: boolean;
+    }>;
+    /**
+     * Get a summary of provenance status for a conversation.
+     * Lighter than full verification - just counts and metadata.
+     */
+    getProvenanceSummary(conversationId: string): Promise<{
+        conversationId: string;
+        totalEvents: number;
+        messageEvents: number;
+        revisionEvents: number;
+        tombstoneEvents: number;
+        humanInterventions: number;
+        hasGenesis: boolean;
+        chainLength: number;
+        lastEventTimestamp: string | null;
+    }>;
+}
+//# sourceMappingURL=ConversationVerifier.d.ts.map

package/dist/core/provenance/verification/ConversationVerifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ConversationVerifier.d.ts","sourceRoot":"","sources":["../../../../src/core/provenance/verification/ConversationVerifier.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAe,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACnE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AAOxE,MAAM,WAAW,8BAA+B,SAAQ,kBAAkB;IACxE,cAAc,EAAE,MAAM,CAAC;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,OAAO,CAAC;IACpB,qBAAqB,EAAE,OAAO,CAAC;IAC/B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,iBAAiB,EAAE,OAAO,CAAC;CAC5B;AAMD,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAoB;gBAE/B,MAAM,EAAE,iBAAiB;IAIrC;;;;;;OAMG;IACG,kBAAkB,CACtB,cAAc,EAAE,MAAM,EACtB,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,8BAA8B,CAAC;IA2C1C;;;;;;OAMG;IACG,aAAa,CACjB,SAAS,EAAE,MAAM,EACjB,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,kBAAkB,GAAG;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC;IAkCtE;;;OAGG;IACG,oBAAoB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC;QAC1D,cAAc,EAAE,MAAM,CAAC;QACvB,WAAW,EAAE,MAAM,CAAC;QACpB,aAAa,EAAE,MAAM,CAAC;QACtB,cAAc,EAAE,MAAM,CAAC;QACvB,eAAe,EAAE,MAAM,CAAC;QACxB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,UAAU,EAAE,OAAO,CAAC;QACpB,WAAW,EAAE,MAAM,CAAC;QACpB,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAC;KACnC,CAAC;CAwBH"}