@holoscript/game-security-plugin 0.1.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025-2026 HoloScript Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/__tests__/securitysolver.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/securitysolver.test.js

@@ -0,0 +1,123 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const securitysolver_1 = require("../securitysolver");
+function baseState(overrides = {}) {
+    return {
+        tick: 100,
+        players: {
+            player_1: {
+                playerId: 'player_1',
+                tick: 99,
+                position: { x: 0, y: 0, z: 0 },
+                velocity: { x: 0, y: 0, z: 0 },
+                resources: { ammo: 4, coins: 10 },
+                cooldowns: { fire: 104 },
+            },
+        },
+        ...overrides,
+    };
+}
+function action(overrides = {}) {
+    return {
+        actionId: 'act_1',
+        playerId: 'player_1',
+        type: 'move',
+        tick: 100,
+        payload: { position: { x: 1, y: 0, z: 0 } },
+        ...overrides,
+    };
+}
+(0, vitest_1.describe)('AuthoritativeActionGuard', () => {
+    (0, vitest_1.it)('accepts plausible movement into authoritative state', () => {
+        const guard = new securitysolver_1.AuthoritativeActionGuard({
+            rules: [(0, securitysolver_1.createMovementEnvelopeRule)({ maxMetersPerSecond: 80 })],
+            tickRateHz: 60,
+        });
+        const decision = guard.evaluate(action(), baseState());
+        (0, vitest_1.expect)(decision.stateAccepted).toBe(true);
+        (0, vitest_1.expect)(decision.disposition).toBe('accept');
+        (0, vitest_1.expect)(decision.violations).toHaveLength(0);
+        (0, vitest_1.expect)(decision.replayKey).toContain('game-sec:player_1:100');
+    });
+    (0, vitest_1.it)('rejects impossible movement before it becomes authoritative state', () => {
+        const guard = new securitysolver_1.AuthoritativeActionGuard({
+            rules: [(0, securitysolver_1.createMovementEnvelopeRule)({ maxMetersPerSecond: 8 })],
+            tickRateHz: 60,
+        });
+        const decision = guard.evaluate(action({ payload: { position: { x: 50, y: 0, z: 0 } } }), baseState());
+        (0, vitest_1.expect)(decision.stateAccepted).toBe(false);
+        (0, vitest_1.expect)(decision.disposition).toBe('reject');
+        (0, vitest_1.expect)(decision.violations.map((violation) => violation.ruleId)).toContain('movement.max_speed');
+    });
+    (0, vitest_1.it)('rejects duplicate action ids as replay attempts', () => {
+        const guard = new securitysolver_1.AuthoritativeActionGuard();
+        const first = guard.evaluate(action(), baseState());
+        const second = guard.evaluate(action(), baseState());
+        (0, vitest_1.expect)(first.stateAccepted).toBe(true);
+        (0, vitest_1.expect)(second.stateAccepted).toBe(false);
+        (0, vitest_1.expect)(second.violations[0].ruleId).toBe('protocol.unique_action_id');
+    });
+    (0, vitest_1.it)('rejects cooldown bypass attempts', () => {
+        const guard = new securitysolver_1.AuthoritativeActionGuard({
+            rules: [(0, securitysolver_1.createCooldownRule)({ fire: 5 })],
+        });
+        const decision = guard.evaluate(action({ actionId: 'act_fire', type: 'fire', payload: {} }), baseState());
+        (0, vitest_1.expect)(decision.stateAccepted).toBe(false);
+        (0, vitest_1.expect)(decision.violations[0].ruleId).toBe('action.cooldown');
+    });
+    (0, vitest_1.it)('rejects resource spends above authoritative balance', () => {
+        const guard = new securitysolver_1.AuthoritativeActionGuard({
+            rules: [(0, securitysolver_1.createResourceSpendRule)()],
+        });
+        const decision = guard.evaluate(action({ actionId: 'act_buy', type: 'buy', payload: { cost: { coins: 12 } } }), baseState());
+        (0, vitest_1.expect)(decision.stateAccepted).toBe(false);
+        (0, vitest_1.expect)(decision.violations[0].ruleId).toBe('resource.insufficient_balance');
+    });
+    (0, vitest_1.it)('lets AI watchdog quarantine high-risk but technically valid actions', () => {
+        const guard = new securitysolver_1.AuthoritativeActionGuard();
+        const decision = guard.evaluate(action(), baseState(), [
+            {
+                label: 'synthetic_input_timing',
+                score: 0.82,
+                reasons: ['input cadence matched automation cluster'],
+                evidenceRef: 'watchdog/run-17',
+            },
+        ]);
+        (0, vitest_1.expect)(decision.stateAccepted).toBe(false);
+        (0, vitest_1.expect)(decision.disposition).toBe('quarantine');
+        (0, vitest_1.expect)(decision.watchdog.reasons).toContain('input cadence matched automation cluster');
+    });
+    (0, vitest_1.it)('keeps lower-confidence AI watchdog findings reviewable without blocking state', () => {
+        const guard = new securitysolver_1.AuthoritativeActionGuard();
+        const decision = guard.evaluate(action(), baseState(), [
+            {
+                label: 'edge_tracking',
+                score: 0.61,
+                reasons: ['player stayed near max speed envelope'],
+            },
+        ]);
+        (0, vitest_1.expect)(decision.stateAccepted).toBe(true);
+        (0, vitest_1.expect)(decision.disposition).toBe('review');
+    });
+});
+(0, vitest_1.describe)('game security evidence', () => {
+    (0, vitest_1.it)('creates deterministic hashes for equivalent evidence payloads', () => {
+        const a = (0, securitysolver_1.stableHash)({ z: 1, a: { b: true } });
+        const b = (0, securitysolver_1.stableHash)({ a: { b: true }, z: 1 });
+        (0, vitest_1.expect)(a).toBe(b);
+        (0, vitest_1.expect)(a).toMatch(/^sha256:/);
+    });
+    (0, vitest_1.it)('builds a replayable receipt for rejected action evidence', () => {
+        const guard = new securitysolver_1.AuthoritativeActionGuard({
+            rules: [(0, securitysolver_1.createMovementEnvelopeRule)({ maxMetersPerSecond: 8 })],
+        });
+        const decision = guard.evaluate(action({ payload: { position: { x: 50, y: 0, z: 0 } } }), baseState());
+        const receipt = (0, securitysolver_1.buildGameSecurityReceipt)(decision, { runId: 'match-7' });
+        (0, vitest_1.expect)(receipt.schema).toBe('holoscript.game-security.receipt.v0.1.0');
+        (0, vitest_1.expect)(receipt.runId).toBe('match-7');
+        (0, vitest_1.expect)(receipt.acceptance.accepted).toBe(false);
+        (0, vitest_1.expect)(receipt.acceptance.violations[0].criterion).toBe('movement.max_speed');
+        (0, vitest_1.expect)(receipt.payloadHash).toMatch(/^sha256:/);
+    });
+});

package/dist/index.d.ts

@@ -0,0 +1,19 @@
+export * from './securitysolver';
+export declare const GAME_SECURITY_KEYWORDS: readonly [{
+    readonly term: "anti cheat";
+    readonly traits: readonly ["authoritative_action_guard", "ai_watchdog"];
+    readonly spatialRole: "security";
+}, {
+    readonly term: "server authoritative game";
+    readonly traits: readonly ["authoritative_action_guard"];
+    readonly spatialRole: "authority";
+}, {
+    readonly term: "replay evidence";
+    readonly traits: readonly ["authoritative_action_guard", "replay_evidence"];
+    readonly spatialRole: "evidence";
+}, {
+    readonly term: "ai watchdog";
+    readonly traits: readonly ["ai_watchdog"];
+    readonly spatialRole: "monitor";
+}];
+export declare const VERSION = "0.1.0";

package/dist/index.js

@@ -0,0 +1,41 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VERSION = exports.GAME_SECURITY_KEYWORDS = void 0;
+__exportStar(require("./securitysolver"), exports);
+exports.GAME_SECURITY_KEYWORDS = [
+    {
+        term: 'anti cheat',
+        traits: ['authoritative_action_guard', 'ai_watchdog'],
+        spatialRole: 'security',
+    },
+    {
+        term: 'server authoritative game',
+        traits: ['authoritative_action_guard'],
+        spatialRole: 'authority',
+    },
+    {
+        term: 'replay evidence',
+        traits: ['authoritative_action_guard', 'replay_evidence'],
+        spatialRole: 'evidence',
+    },
+    {
+        term: 'ai watchdog',
+        traits: ['ai_watchdog'],
+        spatialRole: 'monitor',
+    },
+];
+exports.VERSION = '0.1.0';

package/dist/securitysolver.d.ts

@@ -0,0 +1,137 @@
+export type JsonPrimitive = string | number | boolean | null;
+export type JsonValue = JsonPrimitive | JsonValue[] | {
+    [key: string]: JsonValue;
+};
+export type JsonRecord = {
+    [key: string]: JsonValue;
+};
+export interface Vector3 {
+    x: number;
+    y: number;
+    z: number;
+}
+export interface PlayerSecuritySnapshot {
+    playerId: string;
+    tick: number;
+    position?: Vector3;
+    velocity?: Vector3;
+    resources?: Record<string, number>;
+    cooldowns?: Record<string, number>;
+}
+export interface AuthoritativeWorldState {
+    tick: number;
+    players: Record<string, PlayerSecuritySnapshot>;
+    acceptedActionIds?: readonly string[];
+}
+export interface ProposedGameAction {
+    actionId: string;
+    playerId: string;
+    type: string;
+    tick: number;
+    payload: JsonRecord;
+    clientTimeMs?: number;
+    signature?: string;
+}
+export type GuardSeverity = 'info' | 'warning' | 'error';
+export type GuardDisposition = 'accept' | 'review' | 'reject' | 'quarantine' | 'kick' | 'ban';
+export interface GuardViolation {
+    ruleId: string;
+    severity: GuardSeverity;
+    message: string;
+    evidence: JsonRecord;
+}
+export interface RuleEvaluationContext {
+    nowTick: number;
+    tickRateHz: number;
+    maxLagTicks: number;
+}
+export interface AuthoritativeRule {
+    id: string;
+    description: string;
+    evaluate(action: ProposedGameAction, state: AuthoritativeWorldState, context: RuleEvaluationContext): GuardViolation[];
+}
+export interface AiWatchdogSignal {
+    label: string;
+    score: number;
+    reasons: string[];
+    evidenceRef?: string;
+}
+export interface WatchdogThresholds {
+    review: number;
+    quarantine: number;
+    kick: number;
+    ban: number;
+}
+export interface WatchdogAssessment {
+    score: number;
+    labels: string[];
+    reasons: string[];
+    evidenceRefs: string[];
+}
+export interface GameSecurityGuardOptions {
+    rules?: AuthoritativeRule[];
+    tickRateHz?: number;
+    maxLagTicks?: number;
+    watchdogThresholds?: Partial<WatchdogThresholds>;
+}
+export interface GuardDecision {
+    actionId: string;
+    playerId: string;
+    actionType: string;
+    tick: number;
+    stateAccepted: boolean;
+    disposition: GuardDisposition;
+    violations: GuardViolation[];
+    watchdog: WatchdogAssessment;
+    evidenceHash: string;
+    replayKey: string;
+}
+export interface GameSecurityReceipt {
+    schema: 'holoscript.game-security.receipt.v0.1.0';
+    plugin: 'game-security';
+    pluginVersion: string;
+    runId: string;
+    actionId: string;
+    playerId: string;
+    actionType: string;
+    stateAccepted: boolean;
+    disposition: GuardDisposition;
+    evidenceHash: string;
+    replayKey: string;
+    acceptance: {
+        accepted: boolean;
+        violations: Array<{
+            criterion: string;
+            message: string;
+        }>;
+    };
+    watchdogScore: number;
+    payloadHash: string;
+}
+export declare class AuthoritativeActionGuard {
+    private readonly rules;
+    private readonly tickRateHz;
+    private readonly maxLagTicks;
+    private readonly watchdogThresholds;
+    private readonly seenActionIds;
+    private readonly decisions;
+    constructor(options?: GameSecurityGuardOptions);
+    evaluate(action: ProposedGameAction, state: AuthoritativeWorldState, watchdogSignals?: AiWatchdogSignal[]): GuardDecision;
+    getDecisions(): GuardDecision[];
+    clearEvidence(): void;
+    private evaluateProtocolRules;
+}
+export declare function createGameSecurityGuard(options?: GameSecurityGuardOptions): AuthoritativeActionGuard;
+export declare function createMovementEnvelopeRule(options: {
+    maxMetersPerSecond: number;
+    maxAccelerationMetersPerSecondSquared?: number;
+}): AuthoritativeRule;
+export declare function createCooldownRule(cooldownTicksByAction: Record<string, number>): AuthoritativeRule;
+export declare function createResourceSpendRule(resourcePayloadKey?: string): AuthoritativeRule;
+export declare function combineWatchdogSignals(signals: AiWatchdogSignal[]): WatchdogAssessment;
+export declare function buildGameSecurityReceipt(decision: GuardDecision, options?: {
+    runId?: string;
+    pluginVersion?: string;
+}): GameSecurityReceipt;
+export declare function stableHash(value: unknown): string;
+export declare function stableStringify(value: unknown): string;

package/dist/securitysolver.js

@@ -0,0 +1,348 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthoritativeActionGuard = void 0;
+exports.createGameSecurityGuard = createGameSecurityGuard;
+exports.createMovementEnvelopeRule = createMovementEnvelopeRule;
+exports.createCooldownRule = createCooldownRule;
+exports.createResourceSpendRule = createResourceSpendRule;
+exports.combineWatchdogSignals = combineWatchdogSignals;
+exports.buildGameSecurityReceipt = buildGameSecurityReceipt;
+exports.stableHash = stableHash;
+exports.stableStringify = stableStringify;
+const crypto_1 = require("crypto");
+const DEFAULT_THRESHOLDS = {
+    review: 0.5,
+    quarantine: 0.75,
+    kick: 0.9,
+    ban: 0.98,
+};
+class AuthoritativeActionGuard {
+    rules;
+    tickRateHz;
+    maxLagTicks;
+    watchdogThresholds;
+    seenActionIds = new Set();
+    decisions = [];
+    constructor(options = {}) {
+        this.rules = options.rules ?? [];
+        this.tickRateHz = options.tickRateHz ?? 60;
+        this.maxLagTicks = options.maxLagTicks ?? 12;
+        this.watchdogThresholds = { ...DEFAULT_THRESHOLDS, ...options.watchdogThresholds };
+    }
+    evaluate(action, state, watchdogSignals = []) {
+        const context = {
+            nowTick: state.tick,
+            tickRateHz: this.tickRateHz,
+            maxLagTicks: this.maxLagTicks,
+        };
+        const violations = [
+            ...this.evaluateProtocolRules(action, state),
+            ...this.rules.flatMap((rule) => rule.evaluate(action, state, context)),
+        ];
+        const watchdog = combineWatchdogSignals(watchdogSignals);
+        const disposition = chooseDisposition(violations, watchdog, this.watchdogThresholds);
+        const stateAccepted = disposition === 'accept' || disposition === 'review';
+        const evidenceBase = {
+            action,
+            stateTick: state.tick,
+            disposition,
+            stateAccepted,
+            violations,
+            watchdog,
+        };
+        const evidenceHash = stableHash(evidenceBase);
+        const decision = {
+            actionId: action.actionId,
+            playerId: action.playerId,
+            actionType: action.type,
+            tick: action.tick,
+            stateAccepted,
+            disposition,
+            violations,
+            watchdog,
+            evidenceHash,
+            replayKey: `game-sec:${action.playerId}:${action.tick}:${evidenceHash.slice(0, 16)}`,
+        };
+        this.seenActionIds.add(action.actionId);
+        this.decisions.push(decision);
+        return decision;
+    }
+    getDecisions() {
+        return [...this.decisions];
+    }
+    clearEvidence() {
+        this.decisions.length = 0;
+        this.seenActionIds.clear();
+    }
+    evaluateProtocolRules(action, state) {
+        const violations = [];
+        const acceptedIds = new Set(state.acceptedActionIds ?? []);
+        if (this.seenActionIds.has(action.actionId) || acceptedIds.has(action.actionId)) {
+            violations.push({
+                ruleId: 'protocol.unique_action_id',
+                severity: 'error',
+                message: `Duplicate actionId "${action.actionId}" cannot enter authoritative state`,
+                evidence: { actionId: action.actionId },
+            });
+        }
+        if (action.tick < state.tick - this.maxLagTicks) {
+            violations.push({
+                ruleId: 'protocol.max_lag_ticks',
+                severity: 'error',
+                message: `Action tick ${action.tick} is too far behind authoritative tick ${state.tick}`,
+                evidence: { actionTick: action.tick, stateTick: state.tick, maxLagTicks: this.maxLagTicks },
+            });
+        }
+        if (action.tick > state.tick + 1) {
+            violations.push({
+                ruleId: 'protocol.future_tick',
+                severity: 'error',
+                message: `Action tick ${action.tick} is ahead of authoritative tick ${state.tick}`,
+                evidence: { actionTick: action.tick, stateTick: state.tick },
+            });
+        }
+        if (!state.players[action.playerId]) {
+            violations.push({
+                ruleId: 'protocol.known_player',
+                severity: 'error',
+                message: `Unknown player "${action.playerId}" cannot submit authoritative actions`,
+                evidence: { playerId: action.playerId },
+            });
+        }
+        return violations;
+    }
+}
+exports.AuthoritativeActionGuard = AuthoritativeActionGuard;
+function createGameSecurityGuard(options = {}) {
+    return new AuthoritativeActionGuard(options);
+}
+function createMovementEnvelopeRule(options) {
+    return {
+        id: 'movement.envelope',
+        description: 'Rejects impossible movement against authoritative position history.',
+        evaluate(action, state, context) {
+            if (action.type !== 'move')
+                return [];
+            const previous = state.players[action.playerId];
+            const nextPosition = readVector3(action.payload.position);
+            if (!previous?.position || !nextPosition)
+                return [];
+            const elapsedTicks = Math.max(1, action.tick - previous.tick);
+            const elapsedSeconds = elapsedTicks / context.tickRateHz;
+            const distance = distance3(previous.position, nextPosition);
+            const speed = distance / elapsedSeconds;
+            const violations = [];
+            if (speed > options.maxMetersPerSecond) {
+                violations.push({
+                    ruleId: 'movement.max_speed',
+                    severity: 'error',
+                    message: `Movement speed ${round(speed)}m/s exceeds ${options.maxMetersPerSecond}m/s`,
+                    evidence: {
+                        distanceMeters: round(distance),
+                        elapsedSeconds: round(elapsedSeconds),
+                        speedMetersPerSecond: round(speed),
+                        maxMetersPerSecond: options.maxMetersPerSecond,
+                    },
+                });
+            }
+            if (options.maxAccelerationMetersPerSecondSquared !== undefined &&
+                previous.velocity !== undefined) {
+                const nextVelocity = scaleVector(subtractVector(nextPosition, previous.position), 1 / elapsedSeconds);
+                const acceleration = distance3(previous.velocity, nextVelocity) / Math.max(elapsedSeconds, Number.EPSILON);
+                if (acceleration > options.maxAccelerationMetersPerSecondSquared) {
+                    violations.push({
+                        ruleId: 'movement.max_acceleration',
+                        severity: 'error',
+                        message: `Movement acceleration ${round(acceleration)}m/s^2 exceeds ${options.maxAccelerationMetersPerSecondSquared}m/s^2`,
+                        evidence: {
+                            accelerationMetersPerSecondSquared: round(acceleration),
+                            maxAccelerationMetersPerSecondSquared: options.maxAccelerationMetersPerSecondSquared,
+                        },
+                    });
+                }
+            }
+            return violations;
+        },
+    };
+}
+function createCooldownRule(cooldownTicksByAction) {
+    return {
+        id: 'action.cooldown',
+        description: 'Rejects actions attempted before their authoritative cooldown expires.',
+        evaluate(action, state) {
+            const previous = state.players[action.playerId];
+            const configuredCooldown = cooldownTicksByAction[action.type];
+            const nextAllowedTick = previous?.cooldowns?.[action.type];
+            if (configuredCooldown === undefined || nextAllowedTick === undefined)
+                return [];
+            if (action.tick >= nextAllowedTick)
+                return [];
+            return [
+                {
+                    ruleId: 'action.cooldown',
+                    severity: 'error',
+                    message: `Action "${action.type}" is on cooldown until tick ${nextAllowedTick}`,
+                    evidence: {
+                        actionType: action.type,
+                        actionTick: action.tick,
+                        nextAllowedTick,
+                        configuredCooldownTicks: configuredCooldown,
+                    },
+                },
+            ];
+        },
+    };
+}
+function createResourceSpendRule(resourcePayloadKey = 'cost') {
+    return {
+        id: 'resource.spend_authority',
+        description: 'Rejects resource spends that exceed authoritative balances.',
+        evaluate(action, state) {
+            const previous = state.players[action.playerId];
+            const requestedSpend = readNumberRecord(action.payload[resourcePayloadKey]);
+            if (!previous?.resources || !requestedSpend)
+                return [];
+            const violations = [];
+            for (const [resource, amount] of Object.entries(requestedSpend)) {
+                const available = previous.resources[resource] ?? 0;
+                if (amount > available) {
+                    violations.push({
+                        ruleId: 'resource.insufficient_balance',
+                        severity: 'error',
+                        message: `Resource spend "${resource}" requested ${amount}, only ${available} authoritative`,
+                        evidence: { resource, requested: amount, available },
+                    });
+                }
+            }
+            return violations;
+        },
+    };
+}
+function combineWatchdogSignals(signals) {
+    const normalized = signals.map((signal) => ({
+        ...signal,
+        score: clamp01(signal.score),
+    }));
+    const score = normalized.reduce((max, signal) => Math.max(max, signal.score), 0);
+    return {
+        score,
+        labels: [...new Set(normalized.map((signal) => signal.label))],
+        reasons: [...new Set(normalized.flatMap((signal) => signal.reasons))],
+        evidenceRefs: [
+            ...new Set(normalized
+                .map((signal) => signal.evidenceRef)
+                .filter((ref) => typeof ref === 'string' && ref.length > 0)),
+        ],
+    };
+}
+function buildGameSecurityReceipt(decision, options = {}) {
+    const receiptWithoutHash = {
+        schema: 'holoscript.game-security.receipt.v0.1.0',
+        plugin: 'game-security',
+        pluginVersion: options.pluginVersion ?? '0.1.0',
+        runId: options.runId ?? decision.replayKey,
+        actionId: decision.actionId,
+        playerId: decision.playerId,
+        actionType: decision.actionType,
+        stateAccepted: decision.stateAccepted,
+        disposition: decision.disposition,
+        evidenceHash: decision.evidenceHash,
+        replayKey: decision.replayKey,
+        acceptance: {
+            accepted: decision.stateAccepted,
+            violations: decision.violations.map((violation) => ({
+                criterion: violation.ruleId,
+                message: violation.message,
+            })),
+        },
+        watchdogScore: decision.watchdog.score,
+    };
+    return {
+        ...receiptWithoutHash,
+        payloadHash: stableHash(receiptWithoutHash),
+    };
+}
+function stableHash(value) {
+    return `sha256:${(0, crypto_1.createHash)('sha256').update(stableStringify(value)).digest('hex')}`;
+}
+function stableStringify(value) {
+    return JSON.stringify(canonicalize(value)) ?? 'undefined';
+}
+function chooseDisposition(violations, watchdog, thresholds) {
+    const hasHardViolation = violations.some((violation) => violation.severity === 'error');
+    if (hasHardViolation) {
+        if (watchdog.score >= thresholds.ban)
+            return 'ban';
+        if (watchdog.score >= thresholds.kick)
+            return 'kick';
+        return 'reject';
+    }
+    if (watchdog.score >= thresholds.ban)
+        return 'ban';
+    if (watchdog.score >= thresholds.kick)
+        return 'kick';
+    if (watchdog.score >= thresholds.quarantine)
+        return 'quarantine';
+    if (watchdog.score >= thresholds.review)
+        return 'review';
+    return 'accept';
+}
+function canonicalize(value) {
+    if (Array.isArray(value)) {
+        return value.map((entry) => canonicalize(entry));
+    }
+    if (value && typeof value === 'object') {
+        const record = value;
+        const sorted = {};
+        for (const key of Object.keys(record).sort()) {
+            const entry = record[key];
+            if (entry !== undefined) {
+                sorted[key] = canonicalize(entry);
+            }
+        }
+        return sorted;
+    }
+    return value;
+}
+function readVector3(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value))
+        return null;
+    const record = value;
+    if (typeof record.x !== 'number' ||
+        typeof record.y !== 'number' ||
+        typeof record.z !== 'number') {
+        return null;
+    }
+    return { x: record.x, y: record.y, z: record.z };
+}
+function readNumberRecord(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value))
+        return null;
+    const result = {};
+    for (const [key, entry] of Object.entries(value)) {
+        if (typeof entry !== 'number')
+            return null;
+        result[key] = entry;
+    }
+    return result;
+}
+function subtractVector(a, b) {
+    return { x: a.x - b.x, y: a.y - b.y, z: a.z - b.z };
+}
+function scaleVector(v, scale) {
+    return { x: v.x * scale, y: v.y * scale, z: v.z * scale };
+}
+function distance3(a, b) {
+    const dx = a.x - b.x;
+    const dy = a.y - b.y;
+    const dz = a.z - b.z;
+    return Math.sqrt(dx * dx + dy * dy + dz * dz);
+}
+function clamp01(value) {
+    if (!Number.isFinite(value))
+        return 0;
+    return Math.max(0, Math.min(1, value));
+}
+function round(value) {
+    return Math.round(value * 1000) / 1000;
+}

package/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "@holoscript/game-security-plugin",
+  "version": "0.1.1",
+  "description": "HoloScript game-security plugin for authoritative action validation, replay evidence, and AI-watchdog quarantine decisions.",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "peerDependencies": {
+    "@holoscript/core": "8.0.6"
+  },
+  "devDependencies": {
+    "@types/node": "^24.10.1",
+    "rimraf": "^5.0.5",
+    "typescript": "^5.9.3",
+    "vitest": "^4.1.5"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "test": "vitest run",
+    "test:coverage": "vitest run --coverage"
+  }
+}