npm - @hsuite/smart-engines-sdk - Versions diffs - 3.2.0 → 3.2.1 - Mend

@hsuite/smart-engines-sdk 3.2.0 → 3.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/index.d.ts +1051 -942
package/dist/index.js +6175 -858
package/dist/index.js.map +1 -1
package/dist/nestjs/index.d.ts +815 -812
package/dist/nestjs/index.js +5371 -239
package/dist/nestjs/index.js.map +1 -1
package/dist/pqc-verify/index.d.ts +99 -0
package/dist/pqc-verify/index.js +167 -0
package/dist/pqc-verify/index.js.map +1 -0
package/package.json +10 -3

package/dist/pqc-verify/index.d.ts ADDED Viewed

@@ -0,0 +1,99 @@
+// Generated by dts-bundle-generator v9.5.1
+import { z } from 'zod';
+export declare const PqcCertV1Schema: z.ZodObject<{
+	pqcCertVersion: z.ZodLiteral<1>;
+	algorithm: z.ZodLiteral<"ml-dsa-87">;
+	consumer: z.ZodString;
+	contentHash: z.ZodString;
+	payloadHash: z.ZodOptional<z.ZodString>;
+	threshold: z.ZodNumber;
+	signers: z.ZodArray<z.ZodObject<{
+		nodeId: z.ZodString;
+		dilithium5PublicKey: z.ZodString;
+		signature: z.ZodString;
+	}, "strip", z.ZodTypeAny, {
+		nodeId: string;
+		dilithium5PublicKey: string;
+		signature: string;
+	}, {
+		nodeId: string;
+		dilithium5PublicKey: string;
+		signature: string;
+	}>, "atleastone">;
+	ts: z.ZodNumber;
+	topicMessageId: z.ZodOptional<z.ZodString>;
+}, "strict", z.ZodTypeAny, {
+	pqcCertVersion: 1;
+	algorithm: "ml-dsa-87";
+	consumer: string;
+	contentHash: string;
+	threshold: number;
+	signers: [
+		{
+			nodeId: string;
+			dilithium5PublicKey: string;
+			signature: string;
+		},
+		...{
+			nodeId: string;
+			dilithium5PublicKey: string;
+			signature: string;
+		}[]
+	];
+	ts: number;
+	payloadHash?: string | undefined;
+	topicMessageId?: string | undefined;
+}, {
+	pqcCertVersion: 1;
+	algorithm: "ml-dsa-87";
+	consumer: string;
+	contentHash: string;
+	threshold: number;
+	signers: [
+		{
+			nodeId: string;
+			dilithium5PublicKey: string;
+			signature: string;
+		},
+		...{
+			nodeId: string;
+			dilithium5PublicKey: string;
+			signature: string;
+		}[]
+	];
+	ts: number;
+	payloadHash?: string | undefined;
+	topicMessageId?: string | undefined;
+}>;
+export type PqcCertV1 = z.infer<typeof PqcCertV1Schema>;
+export type PqcCertV1Signer = PqcCertV1["signers"][number];
+export declare function parsePqcCert(input: unknown): {
+	ok: true;
+	cert: PqcCertV1;
+} | {
+	ok: false;
+	error: string;
+};
+export type ValidatorRegistrySnapshot = {
+	readonly snapshotTs: number;
+	readonly validators: readonly {
+		readonly nodeId: string;
+		readonly dilithium5PublicKey: string;
+		readonly active: boolean;
+	}[];
+};
+export type FetchRegistryOptions = {
+	readonly timeoutMs?: number;
+};
+export declare function fetchRegistrySnapshot(smartHostUrl: string, opts?: FetchRegistryOptions): Promise<ValidatorRegistrySnapshot | null>;
+export type VerifyResult = {
+	readonly valid: boolean;
+	readonly reason?: string;
+	readonly verifiedSignerCount?: number;
+	readonly thresholdMet?: boolean;
+};
+export declare function verifyPqcAttestation(cert: unknown, payload: unknown, registrySnapshot?: ValidatorRegistrySnapshot): Promise<VerifyResult>;
+export {};

package/dist/pqc-verify/index.js ADDED Viewed

@@ -0,0 +1,167 @@
+'use strict';
+var zod = require('zod');
+var mlDsa = require('@noble/post-quantum/ml-dsa');
+var sha256 = require('@noble/hashes/sha256');
+// src/pqc-verify/cert-schema.ts
+var PqcCertV1Schema = zod.z.object({
+  pqcCertVersion: zod.z.literal(1),
+  algorithm: zod.z.literal("ml-dsa-87"),
+  consumer: zod.z.string().regex(/^[a-z][a-z0-9-]{0,63}$/),
+  contentHash: zod.z.string().regex(/^[a-f0-9]{64}$/),
+  payloadHash: zod.z.string().regex(/^[a-f0-9]{64}$/).optional(),
+  threshold: zod.z.number().int().positive(),
+  signers: zod.z.array(
+    zod.z.object({
+      nodeId: zod.z.string().min(1),
+      dilithium5PublicKey: zod.z.string().min(1),
+      signature: zod.z.string().min(1)
+    })
+  ).nonempty(),
+  ts: zod.z.number().int().positive(),
+  topicMessageId: zod.z.string().optional()
+}).strict();
+function parsePqcCert(input) {
+  const result = PqcCertV1Schema.safeParse(input);
+  if (!result.success) {
+    return { ok: false, error: result.error.issues[0]?.message ?? "schema-invalid" };
+  }
+  return { ok: true, cert: result.data };
+}
+// src/pqc-verify/registry-fetch.ts
+async function fetchRegistrySnapshot(smartHostUrl, opts = {}) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), opts.timeoutMs ?? 1e4);
+  try {
+    const url = `${smartHostUrl.replace(/\/+$/, "")}/api/registry/snapshot`;
+    const resp = await fetch(url, { signal: controller.signal });
+    if (!resp.ok) return null;
+    const data = await resp.json();
+    if (typeof data !== "object" || data === null) return null;
+    const obj = data;
+    if (typeof obj.snapshotTs !== "number" || !Array.isArray(obj.validators)) {
+      return null;
+    }
+    return obj;
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function canonicalJsonStringify(value) {
+  return _serialize(value);
+}
+function _serialize(value) {
+  if (value === null) return "null";
+  if (typeof value === "boolean") return value ? "true" : "false";
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      throw new Error(`canonicalJsonStringify: non-finite number ${value}`);
+    }
+    return JSON.stringify(value);
+  }
+  if (typeof value === "string") return JSON.stringify(value);
+  if (typeof value === "undefined") {
+    throw new Error("canonicalJsonStringify: undefined is not JSON-representable");
+  }
+  if (Array.isArray(value)) {
+    return "[" + value.map(_serialize).join(",") + "]";
+  }
+  if (typeof value === "object") {
+    const obj = value;
+    const keys = Object.keys(obj).sort();
+    return "{" + keys.map((k) => JSON.stringify(k) + ":" + _serialize(obj[k])).join(",") + "}";
+  }
+  throw new Error(`canonicalJsonStringify: unsupported type ${typeof value}`);
+}
+function hexToBytes(hex) {
+  if (hex.length % 2 !== 0) throw new Error("odd-length hex");
+  const out = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < out.length; i++) {
+    const b = parseInt(hex.substr(i * 2, 2), 16);
+    if (Number.isNaN(b)) throw new Error("non-hex char");
+    out[i] = b;
+  }
+  return out;
+}
+function bytesToHex(bytes) {
+  let s = "";
+  for (let i = 0; i < bytes.length; i++) {
+    s += bytes[i].toString(16).padStart(2, "0");
+  }
+  return s;
+}
+async function verifyPqcAttestation(cert, payload, registrySnapshot) {
+  const parsed = parsePqcCert(cert);
+  if (!parsed.ok) {
+    return { valid: false, reason: `schema-invalid: ${parsed.error}` };
+  }
+  const c = parsed.cert;
+  let computedContentHash;
+  try {
+    const canonical = canonicalJsonStringify(payload);
+    computedContentHash = bytesToHex(sha256.sha256(new TextEncoder().encode(canonical)));
+  } catch (err) {
+    return { valid: false, reason: `payload-canonicalization-failed: ${err.message}` };
+  }
+  if (computedContentHash.toLowerCase() !== c.contentHash.toLowerCase()) {
+    return {
+      valid: false,
+      reason: `content-hash-mismatch: computed=${computedContentHash} cert=${c.contentHash}`
+    };
+  }
+  if (registrySnapshot) {
+    for (const signer of c.signers) {
+      const entry = registrySnapshot.validators.find((v) => v.nodeId === signer.nodeId);
+      if (!entry) {
+        return { valid: false, reason: `registry-unknown-signer: ${signer.nodeId}` };
+      }
+      if (!entry.active) {
+        return { valid: false, reason: `registry-inactive-signer: ${signer.nodeId}` };
+      }
+      if (entry.dilithium5PublicKey.toLowerCase() !== signer.dilithium5PublicKey.toLowerCase()) {
+        return {
+          valid: false,
+          reason: `registry-pubkey-mismatch: ${signer.nodeId}`
+        };
+      }
+    }
+  }
+  const sigDigestInput = new TextEncoder().encode(`${c.consumer}|${c.contentHash}|${c.ts}`);
+  const sigDigest = sha256.sha256(sigDigestInput);
+  let verifiedSignerCount = 0;
+  for (const signer of c.signers) {
+    try {
+      const pubKey = hexToBytes(signer.dilithium5PublicKey);
+      const sigBytes = hexToBytes(signer.signature);
+      if (mlDsa.ml_dsa87.verify(pubKey, sigDigest, sigBytes)) {
+        verifiedSignerCount++;
+      }
+    } catch {
+    }
+  }
+  const thresholdMet = verifiedSignerCount >= c.threshold;
+  if (!thresholdMet) {
+    return {
+      valid: false,
+      reason: `threshold-not-met: verified=${verifiedSignerCount} required=${c.threshold}`,
+      verifiedSignerCount,
+      thresholdMet: false
+    };
+  }
+  return {
+    valid: true,
+    verifiedSignerCount,
+    thresholdMet: true
+  };
+}
+exports.PqcCertV1Schema = PqcCertV1Schema;
+exports.fetchRegistrySnapshot = fetchRegistrySnapshot;
+exports.parsePqcCert = parsePqcCert;
+exports.verifyPqcAttestation = verifyPqcAttestation;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/pqc-verify/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/pqc-verify/cert-schema.ts","../../src/pqc-verify/registry-fetch.ts","../../src/pqc-verify/verify-pqc-attestation.ts"],"names":["z","sha256","ml_dsa87"],"mappings":";;;;;;;AAYO,IAAM,eAAA,GAAkBA,MAC5B,MAAA,CAAO;AAAA,EACN,cAAA,EAAgBA,KAAA,CAAE,OAAA,CAAQ,CAAC,CAAA;AAAA,EAC3B,SAAA,EAAWA,KAAA,CAAE,OAAA,CAAQ,WAAW,CAAA;AAAA,EAChC,QAAA,EAAUA,KAAA,CAAE,MAAA,EAAO,CAAE,MAAM,wBAAwB,CAAA;AAAA,EACnD,WAAA,EAAaA,KAAA,CAAE,MAAA,EAAO,CAAE,MAAM,gBAAgB,CAAA;AAAA,EAC9C,aAAaA,KAAA,CACV,MAAA,GACA,KAAA,CAAM,gBAAgB,EACtB,QAAA,EAAS;AAAA,EACZ,WAAWA,KAAA,CAAE,MAAA,EAAO,CAAE,GAAA,GAAM,QAAA,EAAS;AAAA,EACrC,SAASA,KAAA,CACN,KAAA;AAAA,IACCA,MAAE,MAAA,CAAO;AAAA,MACP,MAAA,EAAQA,KAAA,CAAE,MAAA,EAAO,CAAE,IAAI,CAAC,CAAA;AAAA,MACxB,mBAAA,EAAqBA,KAAA,CAAE,MAAA,EAAO,CAAE,IAAI,CAAC,CAAA;AAAA,MACrC,SAAA,EAAWA,KAAA,CAAE,MAAA,EAAO,CAAE,IAAI,CAAC;AAAA,KAC5B;AAAA,IAEF,QAAA,EAAS;AAAA,EACZ,IAAIA,KAAA,CAAE,MAAA,EAAO,CAAE,GAAA,GAAM,QAAA,EAAS;AAAA,EAC9B,cAAA,EAAgBA,KAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AAC7B,CAAC,EACA,MAAA;AAUI,SAAS,aACd,KAAA,EAC8D;AAC9D,EAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,SAAA,CAAU,KAAK,CAAA;AAC9C,EAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,IAAA,OAAO,EAAE,EAAA,EAAI,KAAA,EAAO,KAAA,EAAO,MAAA,CAAO,MAAM,MAAA,CAAO,CAAC,CAAA,EAAG,OAAA,IAAW,gBAAA,EAAiB;AAAA,EACjF;AACA,EAAA,OAAO,EAAE,EAAA,EAAI,IAAA,EAAM,IAAA,EAAM,OAAO,IAAA,EAAK;AACvC;;;ACpBA,eAAsB,qBAAA,CACpB,YAAA,EACA,IAAA,GAA6B,EAAC,EACa;AAC3C,EAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,EAAA,MAAM,KAAA,GAAQ,WAAW,MAAM,UAAA,CAAW,OAAM,EAAG,IAAA,CAAK,aAAa,GAAM,CAAA;AAC3E,EAAA,IAAI;AACF,IAAA,MAAM,MAAM,CAAA,EAAG,YAAA,CAAa,OAAA,CAAQ,MAAA,EAAQ,EAAE,CAAC,CAAA,sBAAA,CAAA;AAC/C,IAAA,MAAM,IAAA,GAAO,MAAM,KAAA,CAAM,GAAA,EAAK,EAAE,MAAA,EAAQ,UAAA,CAAW,QAAQ,CAAA;AAC3D,IAAA,IAAI,CAAC,IAAA,CAAK,EAAA,EAAI,OAAO,IAAA;AACrB,IAAA,MAAM,IAAA,GAAgB,MAAM,IAAA,CAAK,IAAA,EAAK;AACtC,IAAA,IAAI,OAAO,IAAA,KAAS,QAAA,IAAY,IAAA,KAAS,MAAM,OAAO,IAAA;AACtD,IAAA,MAAM,GAAA,GAAM,IAAA;AACZ,IAAA,IAAI,OAAO,IAAI,UAAA,KAAe,QAAA,IAAY,CAAC,KAAA,CAAM,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,EAAG;AACxE,MAAA,OAAO,IAAA;AAAA,IACT;AACA,IAAA,OAAO,GAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT,CAAA,SAAE;AACA,IAAA,YAAA,CAAa,KAAK,CAAA;AAAA,EACpB;AACF;ACjBA,SAAS,uBAAuB,KAAA,EAAwB;AACtD,EAAA,OAAO,WAAW,KAAK,CAAA;AACzB;AAEA,SAAS,WAAW,KAAA,EAAwB;AAC1C,EAAA,IAAI,KAAA,KAAU,MAAM,OAAO,MAAA;AAC3B,EAAA,IAAI,OAAO,KAAA,KAAU,SAAA,EAAW,OAAO,QAAQ,MAAA,GAAS,OAAA;AACxD,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,KAAK,CAAA,EAAG;AAC3B,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,0CAAA,EAA6C,KAAK,CAAA,CAAE,CAAA;AAAA,IACtE;AACA,IAAA,OAAO,IAAA,CAAK,UAAU,KAAK,CAAA;AAAA,EAC7B;AACA,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,IAAA,CAAK,UAAU,KAAK,CAAA;AAC1D,EAAA,IAAI,OAAO,UAAU,WAAA,EAAa;AAChC,IAAA,MAAM,IAAI,MAAM,6DAA6D,CAAA;AAAA,EAC/E;AACA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACxB,IAAA,OAAO,MAAM,KAAA,CAAM,GAAA,CAAI,UAAU,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,GAAI,GAAA;AAAA,EACjD;AACA,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,MAAM,GAAA,GAAM,KAAA;AACZ,IAAA,MAAM,IAAA,GAAO,MAAA,CAAO,IAAA,CAAK,GAAG,EAAE,IAAA,EAAK;AACnC,IAAA,OAAO,MAAM,IAAA,CAAK,GAAA,CAAI,CAAC,CAAA,KAAM,IAAA,CAAK,UAAU,CAAC,CAAA,GAAI,GAAA,GAAM,UAAA,CAAW,IAAI,CAAC,CAAC,CAAC,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,GAAI,GAAA;AAAA,EACzF;AACA,EAAA,MAAM,IAAI,KAAA,CAAM,CAAA,yCAAA,EAA4C,OAAO,KAAK,CAAA,CAAE,CAAA;AAC5E;AAEA,SAAS,WAAW,GAAA,EAAyB;AAC3C,EAAA,IAAI,IAAI,MAAA,GAAS,CAAA,KAAM,GAAG,MAAM,IAAI,MAAM,gBAAgB,CAAA;AAC1D,EAAA,MAAM,GAAA,GAAM,IAAI,UAAA,CAAW,GAAA,CAAI,SAAS,CAAC,CAAA;AACzC,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,GAAA,CAAI,QAAQ,CAAA,EAAA,EAAK;AACnC,IAAA,MAAM,CAAA,GAAI,SAAS,GAAA,CAAI,MAAA,CAAO,IAAI,CAAA,EAAG,CAAC,GAAG,EAAE,CAAA;AAC3C,IAAA,IAAI,OAAO,KAAA,CAAM,CAAC,GAAG,MAAM,IAAI,MAAM,cAAc,CAAA;AACnD,IAAA,GAAA,CAAI,CAAC,CAAA,GAAI,CAAA;AAAA,EACX;AACA,EAAA,OAAO,GAAA;AACT;AAEA,SAAS,WAAW,KAAA,EAA2B;AAC7C,EAAA,IAAI,CAAA,GAAI,EAAA;AACR,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACrC,IAAA,CAAA,IAAK,KAAA,CAAM,CAAC,CAAA,CAAE,QAAA,CAAS,EAAE,CAAA,CAAE,QAAA,CAAS,GAAG,GAAG,CAAA;AAAA,EAC5C;AACA,EAAA,OAAO,CAAA;AACT;AAYA,eAAsB,oBAAA,CACpB,IAAA,EACA,OAAA,EACA,gBAAA,EACuB;AAEvB,EAAA,MAAM,MAAA,GAAS,aAAa,IAAI,CAAA;AAChC,EAAA,IAAI,CAAC,OAAO,EAAA,EAAI;AACd,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,QAAQ,CAAA,gBAAA,EAAmB,MAAA,CAAO,KAAK,CAAA,CAAA,EAAG;AAAA,EACnE;AACA,EAAA,MAAM,IAAe,MAAA,CAAO,IAAA;AAG5B,EAAA,IAAI,mBAAA;AACJ,EAAA,IAAI;AACF,IAAA,MAAM,SAAA,GAAY,uBAAuB,OAAO,CAAA;AAChD,IAAA,mBAAA,GAAsB,UAAA,CAAWC,cAAO,IAAI,WAAA,GAAc,MAAA,CAAO,SAAS,CAAC,CAAC,CAAA;AAAA,EAC9E,SAAS,GAAA,EAAK;AACZ,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,QAAQ,CAAA,iCAAA,EAAqC,GAAA,CAAc,OAAO,CAAA,CAAA,EAAG;AAAA,EAC9F;AACA,EAAA,IAAI,oBAAoB,WAAA,EAAY,KAAM,CAAA,CAAE,WAAA,CAAY,aAAY,EAAG;AACrE,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA;AAAA,MACP,MAAA,EAAQ,CAAA,gCAAA,EAAmC,mBAAmB,CAAA,MAAA,EAAS,EAAE,WAAW,CAAA;AAAA,KACtF;AAAA,EACF;AAGA,EAAA,IAAI,gBAAA,EAAkB;AACpB,IAAA,KAAA,MAAW,MAAA,IAAU,EAAE,OAAA,EAAS;AAC9B,MAAA,MAAM,KAAA,GAAQ,iBAAiB,UAAA,CAAW,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW,MAAA,CAAO,MAAM,CAAA;AAChF,MAAA,IAAI,CAAC,KAAA,EAAO;AACV,QAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,QAAQ,CAAA,yBAAA,EAA4B,MAAA,CAAO,MAAM,CAAA,CAAA,EAAG;AAAA,MAC7E;AACA,MAAA,IAAI,CAAC,MAAM,MAAA,EAAQ;AACjB,QAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,QAAQ,CAAA,0BAAA,EAA6B,MAAA,CAAO,MAAM,CAAA,CAAA,EAAG;AAAA,MAC9E;AACA,MAAA,IAAI,MAAM,mBAAA,CAAoB,WAAA,OAAkB,MAAA,CAAO,mBAAA,CAAoB,aAAY,EAAG;AACxF,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,MAAA,EAAQ,CAAA,0BAAA,EAA6B,MAAA,CAAO,MAAM,CAAA;AAAA,SACpD;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,EAAA,MAAM,cAAA,GAAiB,IAAI,WAAA,EAAY,CAAE,OAAO,CAAA,EAAG,CAAA,CAAE,QAAQ,CAAA,CAAA,EAAI,CAAA,CAAE,WAAW,CAAA,CAAA,EAAI,CAAA,CAAE,EAAE,CAAA,CAAE,CAAA;AACxF,EAAA,MAAM,SAAA,GAAYA,cAAO,cAAc,CAAA;AAEvC,EAAA,IAAI,mBAAA,GAAsB,CAAA;AAC1B,EAAA,KAAA,MAAW,MAAA,IAAU,EAAE,OAAA,EAAS;AAC9B,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,UAAA,CAAW,MAAA,CAAO,mBAAmB,CAAA;AACpD,MAAA,MAAM,QAAA,GAAW,UAAA,CAAW,MAAA,CAAO,SAAS,CAAA;AAC5C,MAAA,IAAIC,cAAA,CAAS,MAAA,CAAO,MAAA,EAAQ,SAAA,EAAW,QAAQ,CAAA,EAAG;AAChD,QAAA,mBAAA,EAAA;AAAA,MACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAGA,EAAA,MAAM,YAAA,GAAe,uBAAuB,CAAA,CAAE,SAAA;AAC9C,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA;AAAA,MACP,MAAA,EAAQ,CAAA,4BAAA,EAA+B,mBAAmB,CAAA,UAAA,EAAa,EAAE,SAAS,CAAA,CAAA;AAAA,MAClF,mBAAA;AAAA,MACA,YAAA,EAAc;AAAA,KAChB;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,IAAA;AAAA,IACP,mBAAA;AAAA,IACA,YAAA,EAAc;AAAA,GAChB;AACF","file":"index.js","sourcesContent":["/**\n * PQC Arc 11 PR 11.0 — Customer-facing PqcCertV1 Zod schema + parser.\n *\n * Cert schema is locked at `pqcCertVersion: 1` per design §3 — additive-only\n * migration policy keeps existing customer SDKs verifying for the deprecation\n * window (12 months minimum) when v2 ships.\n *\n * @see docs/superpowers/specs/2026-05-27-pqc-arc11-external-verifier-design.md §3\n * @see docs/superpowers/plans/2026-05-27-pqc-arc11-external-verifier-plan.md §11.0.1\n */\nimport { z } from 'zod';\n\nexport const PqcCertV1Schema = z\n .object({\n pqcCertVersion: z.literal(1),\n algorithm: z.literal('ml-dsa-87'),\n consumer: z.string().regex(/^[a-z][a-z0-9-]{0,63}$/),\n contentHash: z.string().regex(/^[a-f0-9]{64}$/),\n payloadHash: z\n .string()\n .regex(/^[a-f0-9]{64}$/)\n .optional(),\n threshold: z.number().int().positive(),\n signers: z\n .array(\n z.object({\n nodeId: z.string().min(1),\n dilithium5PublicKey: z.string().min(1),\n signature: z.string().min(1),\n }),\n )\n .nonempty(),\n ts: z.number().int().positive(),\n topicMessageId: z.string().optional(),\n })\n .strict();\n\nexport type PqcCertV1 = z.infer<typeof PqcCertV1Schema>;\n\nexport type PqcCertV1Signer = PqcCertV1['signers'][number];\n\n/**\n * Fail-soft cert parser. Never throws — returns a discriminated result so the\n * verifier can surface schema errors as `{ valid: false, reason }` to customers.\n */\nexport function parsePqcCert(\n input: unknown,\n): { ok: true; cert: PqcCertV1 } | { ok: false; error: string } {\n const result = PqcCertV1Schema.safeParse(input);\n if (!result.success) {\n return { ok: false, error: result.error.issues[0]?.message ?? 'schema-invalid' };\n }\n return { ok: true, cert: result.data };\n}\n","/**\n * PQC Arc 11 PR 11.0 Phase 11.0.2 — validator-registry snapshot fetcher.\n *\n * Pulls a snapshot from the smart-host proxy (PR #820) at\n * `GET /api/registry/snapshot`. Fail-soft: any non-2xx / network error /\n * malformed body returns `null` so the verifier can fall through to the\n * signature-only validity path without throwing.\n *\n * @see docs/superpowers/specs/2026-05-27-pqc-arc11-external-verifier-design.md §4.1\n */\n\nexport type ValidatorRegistrySnapshot = {\n readonly snapshotTs: number;\n readonly validators: readonly {\n readonly nodeId: string;\n readonly dilithium5PublicKey: string;\n readonly active: boolean;\n }[];\n};\n\nexport type FetchRegistryOptions = {\n /** Abort the fetch after this many ms. Default 10_000. */\n readonly timeoutMs?: number;\n};\n\n/**\n * Fetch a validator-registry snapshot from a smart-host proxy.\n *\n * Returns `null` on any failure (HTTP non-OK, network error, JSON parse error,\n * shape mismatch). Callers can treat `null` as \"registry unavailable; skip\n * pubkey membership check\" and still verify signatures against the pubkeys\n * embedded in the cert itself.\n */\nexport async function fetchRegistrySnapshot(\n smartHostUrl: string,\n opts: FetchRegistryOptions = {},\n): Promise<ValidatorRegistrySnapshot | null> {\n const controller = new AbortController();\n const timer = setTimeout(() => controller.abort(), opts.timeoutMs ?? 10_000);\n try {\n const url = `${smartHostUrl.replace(/\\/+$/, '')}/api/registry/snapshot`;\n const resp = await fetch(url, { signal: controller.signal });\n if (!resp.ok) return null;\n const data: unknown = await resp.json();\n if (typeof data !== 'object' || data === null) return null;\n const obj = data as Record<string, unknown>;\n if (typeof obj.snapshotTs !== 'number' || !Array.isArray(obj.validators)) {\n return null;\n }\n return obj as unknown as ValidatorRegistrySnapshot;\n } catch {\n return null;\n } finally {\n clearTimeout(timer);\n }\n}\n","/**\n * PQC Arc 11 PR 11.0 Phase 11.0.3 — verifyPqcAttestation primitive.\n *\n * Pure verification — no platform calls. Pass a `registrySnapshot` to also\n * enforce registry membership; omit it for signature-only verification.\n *\n * Verification steps (per design §4.1):\n * 1. Schema check: pqcCertVersion === 1, algorithm === 'ml-dsa-87'.\n * 2. Content-hash match: sha256(canonical(payload)) === cert.contentHash.\n * 3. (Optional) Registry membership: each signer active in snapshot,\n * pubkey matches.\n * 4. Per-signer signature verification against\n * sha256(`${consumer}|${contentHash}|${ts}`).\n * 5. Threshold check: verified-signer-count >= cert.threshold.\n *\n * Fail-soft at every step — returns `{ valid: false, reason }` instead of\n * throwing.\n *\n * @see docs/superpowers/specs/2026-05-27-pqc-arc11-external-verifier-design.md §4.1\n */\nimport { ml_dsa87 } from '@noble/post-quantum/ml-dsa';\nimport { sha256 } from '@noble/hashes/sha256';\nimport { parsePqcCert, type PqcCertV1 } from './cert-schema';\nimport type { ValidatorRegistrySnapshot } from './registry-fetch';\n\nexport type VerifyResult = {\n readonly valid: boolean;\n readonly reason?: string;\n readonly verifiedSignerCount?: number;\n readonly thresholdMet?: boolean;\n};\n\n/**\n * Canonical JSON serialization — sorted object keys, no whitespace, JSON.stringify\n * for primitives. Mirrors libs/shared/src/schemas/pqc.schema.ts:canonicalJsonStringify\n * so that customer-side `sha256(canonical(payload))` matches platform-side hashes\n * byte-for-byte regardless of language / emitter.\n */\nfunction canonicalJsonStringify(value: unknown): string {\n return _serialize(value);\n}\n\nfunction _serialize(value: unknown): string {\n if (value === null) return 'null';\n if (typeof value === 'boolean') return value ? 'true' : 'false';\n if (typeof value === 'number') {\n if (!Number.isFinite(value)) {\n throw new Error(`canonicalJsonStringify: non-finite number ${value}`);\n }\n return JSON.stringify(value);\n }\n if (typeof value === 'string') return JSON.stringify(value);\n if (typeof value === 'undefined') {\n throw new Error('canonicalJsonStringify: undefined is not JSON-representable');\n }\n if (Array.isArray(value)) {\n return '[' + value.map(_serialize).join(',') + ']';\n }\n if (typeof value === 'object') {\n const obj = value as Record<string, unknown>;\n const keys = Object.keys(obj).sort();\n return '{' + keys.map((k) => JSON.stringify(k) + ':' + _serialize(obj[k])).join(',') + '}';\n }\n throw new Error(`canonicalJsonStringify: unsupported type ${typeof value}`);\n}\n\nfunction hexToBytes(hex: string): Uint8Array {\n if (hex.length % 2 !== 0) throw new Error('odd-length hex');\n const out = new Uint8Array(hex.length / 2);\n for (let i = 0; i < out.length; i++) {\n const b = parseInt(hex.substr(i * 2, 2), 16);\n if (Number.isNaN(b)) throw new Error('non-hex char');\n out[i] = b;\n }\n return out;\n}\n\nfunction bytesToHex(bytes: Uint8Array): string {\n let s = '';\n for (let i = 0; i < bytes.length; i++) {\n s += bytes[i].toString(16).padStart(2, '0');\n }\n return s;\n}\n\n/**\n * Verify a PQC attestation cert against a payload.\n *\n * @param cert - The PqcCertV1 cert (any shape; will be schema-validated).\n * @param payload - The artifact payload to verify against. Will be canonicalized\n * + sha256-hashed for the content-hash check.\n * @param registrySnapshot - Optional. When supplied, every signer must be\n * present + active in the snapshot, AND the cert's\n * pubkey must match the registry pubkey.\n */\nexport async function verifyPqcAttestation(\n cert: unknown,\n payload: unknown,\n registrySnapshot?: ValidatorRegistrySnapshot,\n): Promise<VerifyResult> {\n // ── Step 1: Schema check ──────────────────────────────────────────────────\n const parsed = parsePqcCert(cert);\n if (!parsed.ok) {\n return { valid: false, reason: `schema-invalid: ${parsed.error}` };\n }\n const c: PqcCertV1 = parsed.cert;\n\n // ── Step 2: Content-hash match ────────────────────────────────────────────\n let computedContentHash: string;\n try {\n const canonical = canonicalJsonStringify(payload);\n computedContentHash = bytesToHex(sha256(new TextEncoder().encode(canonical)));\n } catch (err) {\n return { valid: false, reason: `payload-canonicalization-failed: ${(err as Error).message}` };\n }\n if (computedContentHash.toLowerCase() !== c.contentHash.toLowerCase()) {\n return {\n valid: false,\n reason: `content-hash-mismatch: computed=${computedContentHash} cert=${c.contentHash}`,\n };\n }\n\n // ── Step 3: Registry membership (optional) ────────────────────────────────\n if (registrySnapshot) {\n for (const signer of c.signers) {\n const entry = registrySnapshot.validators.find((v) => v.nodeId === signer.nodeId);\n if (!entry) {\n return { valid: false, reason: `registry-unknown-signer: ${signer.nodeId}` };\n }\n if (!entry.active) {\n return { valid: false, reason: `registry-inactive-signer: ${signer.nodeId}` };\n }\n if (entry.dilithium5PublicKey.toLowerCase() !== signer.dilithium5PublicKey.toLowerCase()) {\n return {\n valid: false,\n reason: `registry-pubkey-mismatch: ${signer.nodeId}`,\n };\n }\n }\n }\n\n // ── Step 4: Per-signer signature verification ─────────────────────────────\n const sigDigestInput = new TextEncoder().encode(`${c.consumer}|${c.contentHash}|${c.ts}`);\n const sigDigest = sha256(sigDigestInput);\n\n let verifiedSignerCount = 0;\n for (const signer of c.signers) {\n try {\n const pubKey = hexToBytes(signer.dilithium5PublicKey);\n const sigBytes = hexToBytes(signer.signature);\n if (ml_dsa87.verify(pubKey, sigDigest, sigBytes)) {\n verifiedSignerCount++;\n }\n } catch {\n // malformed hex / wrong size — treat as invalid sig, continue\n }\n }\n\n // ── Step 5: Threshold ─────────────────────────────────────────────────────\n const thresholdMet = verifiedSignerCount >= c.threshold;\n if (!thresholdMet) {\n return {\n valid: false,\n reason: `threshold-not-met: verified=${verifiedSignerCount} required=${c.threshold}`,\n verifiedSignerCount,\n thresholdMet: false,\n };\n }\n\n return {\n valid: true,\n verifiedSignerCount,\n thresholdMet: true,\n };\n}\n"]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@hsuite/smart-engines-sdk",
-  "version": "3.2.0",
+  "version": "3.2.1",
   "description": "Simplified client SDK for Smart Engines multi-chain infrastructure",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -12,6 +12,10 @@
     "./nestjs": {
       "types": "./dist/nestjs/index.d.ts",
       "default": "./dist/nestjs/index.js"
+    },
+    "./pqc-verify": {
+      "types": "./dist/pqc-verify/index.d.ts",
+      "default": "./dist/pqc-verify/index.js"
     }
   },
   "scripts": {
@@ -22,9 +26,12 @@
     "build:tsc": "tsc --skipLibCheck --declaration",
     "prepublishOnly": "npm run clean && npm run build",
     "build:js": "tsup",
-    "build:dts": "dts-bundle-generator --silent --project tsconfig.build.json -o dist/index.d.ts src/index.ts && dts-bundle-generator --silent --project tsconfig.build.json -o dist/nestjs/index.d.ts src/nestjs/index.ts"
+    "build:dts": "dts-bundle-generator --silent --project tsconfig.build.json -o dist/index.d.ts src/index.ts && dts-bundle-generator --silent --project tsconfig.build.json -o dist/nestjs/index.d.ts src/nestjs/index.ts && dts-bundle-generator --silent --project tsconfig.build.json -o dist/pqc-verify/index.d.ts src/pqc-verify/index.ts"
+  },
+  "dependencies": {
+    "@noble/hashes": "^1.4.0",
+    "@noble/post-quantum": "^0.4.1"
   },
-  "dependencies": {},
   "devDependencies": {
     "@types/node": "^20.10.0",
     "dts-bundle-generator": "^9.5.1",