@hardkas/artifacts 0.7.9-alpha → 0.7.11-alpha
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +44 -0
- package/dist/index.js +1 -5
- package/package.json +3 -3
package/README.md
ADDED
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
# `@hardkas/artifacts`
|
|
2
|
+
|
|
3
|
+
The Artifacts engine is the cryptographic heart of HardKAS. It ensures that every plan, signature, and transaction receipt is content-addressed, deterministic, and immutable.
|
|
4
|
+
|
|
5
|
+
## 1. Deterministic Hashing Pipeline
|
|
6
|
+
|
|
7
|
+
HardKAS does not hash raw JSON strings. It hashes the *semantic meaning* of an artifact. Two artifacts generated on different OS platforms, or with different `hardkasVersion` metadata, must hash to the exact same `contentHash`.
|
|
8
|
+
|
|
9
|
+
### Flow: Canonicalization
|
|
10
|
+
1. **Semantic Exclusion:** Metadata fields (like `createdAt`, `hardkasVersion`, `os`) are aggressively stripped from the payload.
|
|
11
|
+
2. **Key Sorting:** Object keys are sorted recursively.
|
|
12
|
+
- **CRITICAL INVARIANT:** Sorting must use strict byte-level comparison. `localeCompare` is explicitly forbidden to prevent cross-platform determinism failures.
|
|
13
|
+
3. **Data Types:** `BigInt` values are explicitly serialized to base-10 strings to prevent JSON truncation.
|
|
14
|
+
4. **Unicode Normalization:** All string values are normalized using NFC.
|
|
15
|
+
5. **Hashing:** The canonical JSON string is passed through SHA-256.
|
|
16
|
+
|
|
17
|
+
## 2. Path Traversal & Workspace Boundaries
|
|
18
|
+
|
|
19
|
+
HardKAS operates strictly within the `.hardkas/` directory.
|
|
20
|
+
|
|
21
|
+
### Flow: Secure Read/Write
|
|
22
|
+
Any read or write to the artifact store (`.hardkas/artifacts/`) passes through a strict path normalizer:
|
|
23
|
+
1. The requested path is resolved using `path.resolve()`.
|
|
24
|
+
2. The engine verifies that the resolved path begins exactly with the absolute path of `.hardkas/artifacts/`.
|
|
25
|
+
|
|
26
|
+
### Variant: Traversal Attempt
|
|
27
|
+
If an artifact reference attempts to break out of the workspace (e.g., `../../../etc/passwd`):
|
|
28
|
+
1. The verification engine throws a `PATH_TRAVERSAL_ATTEMPT` exception.
|
|
29
|
+
2. The violation is logged securely without leaking the underlying system path.
|
|
30
|
+
3. The artifact read is hard-aborted.
|
|
31
|
+
|
|
32
|
+
## 3. Lineage Verification (Replay Engine)
|
|
33
|
+
|
|
34
|
+
Artifacts form a cryptographic Directed Acyclic Graph (DAG) via a `causationId` field.
|
|
35
|
+
|
|
36
|
+
### Flow: Strict Verification (`--strict`)
|
|
37
|
+
When running `hardkas verify --strict`:
|
|
38
|
+
1. Every artifact in `.hardkas/artifacts/` is loaded into memory.
|
|
39
|
+
2. Its canonical hash is recalculated and compared against its filename.
|
|
40
|
+
3. The engine follows the `causationId` pointers: `Receipt` -> `SignedTx` -> `TxPlan`.
|
|
41
|
+
4. If a parent artifact is missing, or its hash has changed, the verification immediately fails with `LINEAGE_BROKEN`.
|
|
42
|
+
|
|
43
|
+
### Variant: Relaxed Verification
|
|
44
|
+
When querying artifacts interactively (e.g., `hardkas query artifacts list`), the engine skips full lineage recalculation for speed, relying on SQLite indexing. If a discrepancy is found later, the `Query Store` will flag the artifact as `ORPHANED` rather than halting the entire workspace.
|
package/dist/index.js
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
// package.json
|
|
2
2
|
var package_default = {
|
|
3
3
|
name: "@hardkas/artifacts",
|
|
4
|
-
version: "0.7.
|
|
4
|
+
version: "0.7.11-alpha",
|
|
5
5
|
type: "module",
|
|
6
6
|
license: "MIT",
|
|
7
7
|
author: "Javier Rodriguez",
|
|
@@ -1381,10 +1381,6 @@ Note: Provided path is a directory. Auto-generating artifact filename: ${path.ba
|
|
|
1381
1381
|
const id = artifactObj.planId || artifactObj.signedId || artifactObj.txId || Date.now().toString(36);
|
|
1382
1382
|
const prefix = artifactObj.schema ? artifactObj.schema.split(".")[1] || "artifact" : "artifact";
|
|
1383
1383
|
targetPath = path.join(filePath, `${prefix}-${id}.json`);
|
|
1384
|
-
console.log(
|
|
1385
|
-
`
|
|
1386
|
-
Note: Provided path is a directory. Auto-generating artifact filename: ${path.basename(targetPath)}`
|
|
1387
|
-
);
|
|
1388
1384
|
}
|
|
1389
1385
|
}
|
|
1390
1386
|
const content = typeof artifact === "string" ? artifact : JSON.stringify(artifact, bigIntReplacer, 2) + "\n";
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@hardkas/artifacts",
|
|
3
|
-
"version": "0.7.
|
|
3
|
+
"version": "0.7.11-alpha",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"author": "Javier Rodriguez",
|
|
@@ -24,8 +24,8 @@
|
|
|
24
24
|
"types": "./dist/index.d.ts",
|
|
25
25
|
"dependencies": {
|
|
26
26
|
"zod": "^3.24.1",
|
|
27
|
-
"@hardkas/core": "0.7.
|
|
28
|
-
"@hardkas/tx-builder": "0.7.
|
|
27
|
+
"@hardkas/core": "0.7.11-alpha",
|
|
28
|
+
"@hardkas/tx-builder": "0.7.11-alpha"
|
|
29
29
|
},
|
|
30
30
|
"devDependencies": {
|
|
31
31
|
"tsup": "^8.3.5",
|