npm - @kya-os/checkpoint-nextjs - Versions diffs - 1.2.0 → 1.7.1 - Mend

@kya-os/checkpoint-nextjs 1.2.0 → 1.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/CHANGELOG.md +159 -0
package/EDGE_RUNTIME_WASM_SETUP.md +1 -1
package/bin/setup-edge-wasm.js +1 -1
package/dist/api-middleware.d.mts +9 -1
package/dist/api-middleware.d.ts +9 -1
package/dist/api-middleware.js +14 -4
package/dist/api-middleware.mjs +15 -5
package/dist/composed-policy.d.mts +115 -0
package/dist/composed-policy.d.ts +115 -0
package/dist/composed-policy.js +102 -0
package/dist/composed-policy.mjs +96 -0
package/dist/config-DAwIA4DB.d.mts +214 -0
package/dist/config-DyU4l5er.d.ts +214 -0
package/dist/create-middleware.js +0 -2
package/dist/create-middleware.mjs +0 -2
package/dist/edge-runtime-loader.js +3 -1
package/dist/edge-runtime-loader.mjs +3 -1
package/dist/edge-wasm-middleware.d.mts +6 -6
package/dist/edge-wasm-middleware.d.ts +6 -6
package/dist/index.d.mts +6 -14
package/dist/index.d.ts +6 -14
package/dist/index.js +191 -13
package/dist/index.mjs +192 -14
package/dist/middleware-edge.d.mts +7 -3
package/dist/middleware-edge.d.ts +7 -3
package/dist/middleware-edge.js +174 -4
package/dist/middleware-edge.mjs +171 -4
package/dist/middleware-node.d.mts +39 -116
package/dist/middleware-node.d.ts +39 -116
package/dist/middleware-node.js +181 -4
package/dist/middleware-node.mjs +178 -5
package/dist/middleware.d.mts +10 -1
package/dist/middleware.d.ts +10 -1
package/dist/middleware.js +6 -0
package/dist/middleware.mjs +6 -1
package/dist/nodejs-wasm-loader.d.mts +3 -4
package/dist/nodejs-wasm-loader.d.ts +3 -4
package/dist/nodejs-wasm-loader.js +1 -1
package/dist/nodejs-wasm-loader.mjs +1 -1
package/dist/wasm-setup.js +1 -1
package/dist/wasm-setup.mjs +1 -1
package/package.json +4 -9
package/dist/.tsbuildinfo +0 -1
package/dist/signature-verifier.d.mts +0 -33
package/dist/signature-verifier.d.ts +0 -33
package/dist/signature-verifier.js +0 -384
package/dist/signature-verifier.mjs +0 -360
package/dist/wasm-middleware.d.mts +0 -98
package/dist/wasm-middleware.d.ts +0 -98
package/dist/wasm-middleware.js +0 -125
package/dist/wasm-middleware.mjs +0 -121
package/templates/middleware-wasm-100.ts +0 -161

package/dist/signature-verifier.d.ts DELETED Viewed

@@ -1,33 +0,0 @@
-/**
- * Ed25519 Signature Verification for HTTP Message Signatures
- * Implements proper cryptographic verification for ChatGPT and other agents
- *
- * Based on RFC 9421 (HTTP Message Signatures) and ChatGPT's implementation
- * Reference: https://help.openai.com/en/articles/9785974-chatgpt-user-allowlisting
- */
-/**
- * Signature verification result
- */
-interface SignatureVerificationResult {
-    isValid: boolean;
-    agent?: string;
-    keyid?: string;
-    confidence: number;
-    reason?: string;
-    verificationMethod: 'signature' | 'none';
-}
-/**
- * Verify HTTP Message Signature for AI agents
- */
-declare function verifyAgentSignature(method: string, path: string, headers: Record<string, string>): Promise<SignatureVerificationResult>;
-/**
- * Quick check if signature headers are present (for performance)
- */
-declare function hasSignatureHeaders(headers: Record<string, string>): boolean;
-/**
- * Check if this is a ChatGPT signature based on headers
- * Uses secure URL parsing to prevent spoofing attacks
- */
-declare function isChatGPTSignature(headers: Record<string, string>): boolean;
-export { type SignatureVerificationResult, hasSignatureHeaders, isChatGPTSignature, verifyAgentSignature };

package/dist/signature-verifier.js DELETED Viewed

@@ -1,384 +0,0 @@
-'use strict';
-var ed25519 = require('@noble/ed25519');
-var sha2_js = require('@noble/hashes/sha2.js');
-function _interopNamespace(e) {
-  if (e && e.__esModule) return e;
-  var n = Object.create(null);
-  if (e) {
-    Object.keys(e).forEach(function (k) {
-      if (k !== 'default') {
-        var d = Object.getOwnPropertyDescriptor(e, k);
-        Object.defineProperty(n, k, d.get ? d : {
-          enumerable: true,
-          get: function () { return e[k]; }
-        });
-      }
-    });
-  }
-  n.default = e;
-  return Object.freeze(n);
-}
-var ed25519__namespace = /*#__PURE__*/_interopNamespace(ed25519);
-// src/signature-verifier.ts
-ed25519__namespace.etc.sha512Sync = (...m) => sha2_js.sha512(ed25519__namespace.etc.concatBytes(...m));
-var KNOWN_KEYS = {
-  chatgpt: [
-    {
-      kid: "otMqcjr17mGyruktGvJU8oojQTSMHlVm7uO-lrcqbdg",
-      // ChatGPT's current Ed25519 public key (base64)
-      // Source: https://chatgpt.com/.well-known/http-message-signatures-directory
-      publicKey: "7F_3jDlxaquwh291MiACkcS3Opq88NksyHiakzS-Y1g",
-      validFrom: 1735689600,
-      // Jan 1, 2025 (nbf from OpenAI)
-      validUntil: 1769029093
-      // Jan 21, 2026 (exp from OpenAI)
-    }
-  ]
-};
-var keyCache = /* @__PURE__ */ new Map();
-var CACHE_TTL_MS = 5 * 60 * 1e3;
-var CACHE_MAX_SIZE = 100;
-function getApiBaseUrl() {
-  if (typeof window !== "undefined") {
-    return "/api/internal";
-  }
-  const baseUrl = process.env.NEXT_PUBLIC_APP_URL || process.env.NEXT_PUBLIC_API_URL || process.env.API_URL || (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : null);
-  if (baseUrl) {
-    return baseUrl.replace(/\/$/, "") + "/api/internal";
-  }
-  if (process.env.NODE_ENV !== "production") {
-    console.warn(
-      "[Signature] No base URL configured for server-side fetch. Using localhost fallback."
-    );
-    return "http://localhost:3000/api/internal";
-  }
-  console.error(
-    "[Signature] CRITICAL: No base URL configured for server-side fetch in production!"
-  );
-  return "/api/internal";
-}
-function cleanupExpiredCache() {
-  const now = Date.now();
-  const entriesToDelete = [];
-  for (const [agent, cached] of keyCache.entries()) {
-    if (now - cached.cachedAt > CACHE_TTL_MS) {
-      entriesToDelete.push(agent);
-    }
-  }
-  for (const agent of entriesToDelete) {
-    keyCache.delete(agent);
-  }
-  if (keyCache.size > CACHE_MAX_SIZE) {
-    const entries = Array.from(keyCache.entries()).map(([agent, cached]) => ({
-      agent,
-      cachedAt: cached.cachedAt
-    }));
-    entries.sort((a, b) => a.cachedAt - b.cachedAt);
-    const toRemove = entries.slice(0, keyCache.size - CACHE_MAX_SIZE);
-    for (const entry of toRemove) {
-      keyCache.delete(entry.agent);
-    }
-  }
-}
-async function fetchKeysFromApi(agent) {
-  if (keyCache.size > CACHE_MAX_SIZE) {
-    cleanupExpiredCache();
-  }
-  const cached = keyCache.get(agent);
-  if (cached && Date.now() - cached.cachedAt < CACHE_TTL_MS) {
-    return cached.keys;
-  }
-  if (typeof fetch === "undefined") {
-    console.warn("[Signature] fetch() not available in this environment");
-    return null;
-  }
-  try {
-    const apiBaseUrl = getApiBaseUrl();
-    const url = `${apiBaseUrl}/signature-keys?agent=${encodeURIComponent(agent)}`;
-    const response = await fetch(url, {
-      method: "GET",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      // 5 second timeout
-      signal: AbortSignal.timeout(5e3)
-    });
-    if (!response.ok) {
-      console.warn(`[Signature] Failed to fetch keys from API: ${response.status}`);
-      return null;
-    }
-    const data = await response.json();
-    if (!data.keys || !Array.isArray(data.keys) || data.keys.length === 0) {
-      console.warn(`[Signature] No keys returned from API for agent: ${agent}`);
-      return null;
-    }
-    keyCache.set(agent, {
-      keys: data.keys,
-      cachedAt: Date.now()
-    });
-    return data.keys;
-  } catch (error) {
-    console.warn("[Signature] Error fetching keys from API, using fallback", {
-      error: error instanceof Error ? error.message : "Unknown error",
-      agent
-    });
-    return null;
-  }
-}
-function isValidAgent(agent) {
-  return agent in KNOWN_KEYS;
-}
-async function getKeysForAgent(agent) {
-  const apiKeys = await fetchKeysFromApi(agent);
-  if (apiKeys && apiKeys.length > 0) {
-    return apiKeys;
-  }
-  if (isValidAgent(agent)) {
-    return KNOWN_KEYS[agent];
-  }
-  return [];
-}
-function parseSignatureInput(signatureInput) {
-  try {
-    const match = signatureInput.match(/sig1=\((.*?)\);(.+)/);
-    if (!match) return null;
-    const [, headersList, params] = match;
-    const signedHeaders = headersList ? headersList.split(" ").map((h) => h.replace(/"/g, "").trim()).filter((h) => h.length > 0) : [];
-    const keyidMatch = params ? params.match(/keyid="([^"]+)"/) : null;
-    const createdMatch = params ? params.match(/created=(\d+)/) : null;
-    const expiresMatch = params ? params.match(/expires=(\d+)/) : null;
-    if (!keyidMatch || !keyidMatch[1]) return null;
-    return {
-      keyid: keyidMatch[1],
-      created: createdMatch && createdMatch[1] ? parseInt(createdMatch[1]) : void 0,
-      expires: expiresMatch && expiresMatch[1] ? parseInt(expiresMatch[1]) : void 0,
-      signedHeaders
-    };
-  } catch (error) {
-    console.error("[Signature] Failed to parse Signature-Input:", error);
-    return null;
-  }
-}
-function buildSignatureBase(method, path, headers, signedHeaders) {
-  const components = [];
-  for (const headerName of signedHeaders) {
-    let value;
-    switch (headerName) {
-      case "@method":
-        value = method.toUpperCase();
-        break;
-      case "@path":
-        value = path;
-        break;
-      case "@authority":
-        value = headers["host"] || headers["Host"] || "";
-        break;
-      default: {
-        const key = Object.keys(headers).find((k) => k.toLowerCase() === headerName.toLowerCase());
-        value = key ? headers[key] || "" : "";
-        break;
-      }
-    }
-    components.push(`"${headerName}": ${value}`);
-  }
-  return components.join("\n");
-}
-function base64ToBytes(base64) {
-  let standardBase64 = base64.replace(/-/g, "+").replace(/_/g, "/");
-  const padding = standardBase64.length % 4;
-  if (padding) {
-    standardBase64 += "=".repeat(4 - padding);
-  }
-  const binaryString = atob(standardBase64);
-  return Uint8Array.from(binaryString, (c) => c.charCodeAt(0));
-}
-async function verifyEd25519Signature(publicKeyBase64, signatureBase64, message) {
-  try {
-    const publicKeyBytes = base64ToBytes(publicKeyBase64);
-    const signatureBytes = base64ToBytes(signatureBase64);
-    const messageBytes = new TextEncoder().encode(message);
-    if (publicKeyBytes.length !== 32) {
-      console.error("[Signature] Invalid public key length:", publicKeyBytes.length);
-      return false;
-    }
-    if (signatureBytes.length !== 64) {
-      console.error("[Signature] Invalid signature length:", signatureBytes.length);
-      return false;
-    }
-    return ed25519__namespace.verify(signatureBytes, messageBytes, publicKeyBytes);
-  } catch (nobleError) {
-    console.warn("[Signature] @noble/ed25519 failed, trying Web Crypto fallback:", nobleError);
-    try {
-      const publicKeyBytes = base64ToBytes(publicKeyBase64);
-      const signatureBytes = base64ToBytes(signatureBase64);
-      const messageBytes = new TextEncoder().encode(message);
-      const publicKey = await crypto.subtle.importKey(
-        "raw",
-        publicKeyBytes.buffer,
-        {
-          name: "Ed25519",
-          namedCurve: "Ed25519"
-        },
-        false,
-        ["verify"]
-      );
-      return await crypto.subtle.verify(
-        "Ed25519",
-        publicKey,
-        signatureBytes.buffer,
-        messageBytes
-      );
-    } catch (cryptoError) {
-      console.error("[Signature] Both @noble/ed25519 and Web Crypto failed:", {
-        nobleError: nobleError instanceof Error ? nobleError.message : "Unknown",
-        cryptoError: cryptoError instanceof Error ? cryptoError.message : "Unknown"
-      });
-      return false;
-    }
-  }
-}
-async function verifyAgentSignature(method, path, headers) {
-  const signature = headers["signature"] || headers["Signature"];
-  const signatureInput = headers["signature-input"] || headers["Signature-Input"];
-  const signatureAgent = headers["signature-agent"] || headers["Signature-Agent"];
-  if (!signature || !signatureInput) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "No signature headers present",
-      verificationMethod: "none"
-    };
-  }
-  const parsed = parseSignatureInput(signatureInput);
-  if (!parsed) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Invalid Signature-Input header",
-      verificationMethod: "none"
-    };
-  }
-  if (parsed.created) {
-    const now2 = Math.floor(Date.now() / 1e3);
-    const age = now2 - parsed.created;
-    if (age > 300) {
-      return {
-        isValid: false,
-        confidence: 0,
-        reason: "Signature expired (older than 5 minutes)",
-        verificationMethod: "none"
-      };
-    }
-    if (age < -30) {
-      return {
-        isValid: false,
-        confidence: 0,
-        reason: "Signature timestamp is in the future",
-        verificationMethod: "none"
-      };
-    }
-  }
-  let agent;
-  let agentKey;
-  const isChatGPT = signatureAgent === '"https://chatgpt.com"' || (() => {
-    try {
-      const url = new URL(signatureAgent?.replace(/^"|"$/g, "") || "");
-      return url.hostname === "chatgpt.com" || url.hostname.endsWith(".chatgpt.com");
-    } catch {
-      return false;
-    }
-  })();
-  if (isChatGPT) {
-    agent = "ChatGPT";
-    agentKey = "chatgpt";
-  }
-  if (!agent || !agentKey) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Unknown signature agent",
-      verificationMethod: "none"
-    };
-  }
-  const knownKeys = await getKeysForAgent(agentKey);
-  if (knownKeys.length === 0) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "No keys available for agent",
-      verificationMethod: "none"
-    };
-  }
-  const key = knownKeys.find((k) => k.kid === parsed.keyid);
-  if (!key) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: `Unknown key ID: ${parsed.keyid}`,
-      verificationMethod: "none"
-    };
-  }
-  const now = Math.floor(Date.now() / 1e3);
-  if (now < key.validFrom || now > key.validUntil) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Key is not valid at current time",
-      verificationMethod: "none"
-    };
-  }
-  const signatureBase = buildSignatureBase(method, path, headers, parsed.signedHeaders);
-  let signatureValue = signature;
-  if (signatureValue.startsWith("sig1=:")) {
-    signatureValue = signatureValue.substring(6);
-  }
-  if (signatureValue.endsWith(":")) {
-    signatureValue = signatureValue.slice(0, -1);
-  }
-  const isValid = await verifyEd25519Signature(key.publicKey, signatureValue, signatureBase);
-  if (isValid) {
-    return {
-      isValid: true,
-      agent,
-      keyid: parsed.keyid,
-      confidence: 1,
-      // 100% confidence for valid signature
-      verificationMethod: "signature"
-    };
-  } else {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Signature verification failed",
-      verificationMethod: "none"
-    };
-  }
-}
-function hasSignatureHeaders(headers) {
-  return !!((headers["signature"] || headers["Signature"]) && (headers["signature-input"] || headers["Signature-Input"]));
-}
-function isChatGPTSignature(headers) {
-  const signatureAgent = headers["signature-agent"] || headers["Signature-Agent"];
-  if (!signatureAgent) {
-    return false;
-  }
-  const agentUrlStr = signatureAgent.replace(/^"+|"+$/g, "");
-  if (agentUrlStr === "https://chatgpt.com") {
-    return true;
-  }
-  try {
-    const agentUrl = new URL(agentUrlStr);
-    const allowedHosts = ["chatgpt.com", "www.chatgpt.com"];
-    return allowedHosts.includes(agentUrl.host);
-  } catch {
-    return false;
-  }
-}
-exports.hasSignatureHeaders = hasSignatureHeaders;
-exports.isChatGPTSignature = isChatGPTSignature;
-exports.verifyAgentSignature = verifyAgentSignature;