@kya-os/checkpoint-wasm-runtime 1.4.4 → 1.5.1

package/CHANGELOG.md

@@ -1,5 +1,188 @@
 # @kya-os/checkpoint-wasm-runtime
 
+## 1.5.1 — 2026-05-20
+
+**Tier 1 verification is now observable from the wire.** Closes the
+diagnostic gap Bench-Detection-Delta V3 (2026-05-20) surfaced: although
+Tier 1 RFC 9421 cryptographic verification was engaging correctly in
+1.5.0, the response headers only exposed `Decision`-level info — operators
+couldn't tell whether the engine had verified the request OR what tier
+fired. Required a bench-side `onResult` callback to see
+`detectionDetail.metadata.verified_*`. This patch surfaces the same
+information on the wire.
+
+Patch bump (not minor) because both changes are additive observability
+improvements — no public API surface change, no behavior change for any
+existing consumer:
+
+| Change                                                                                                 | Type     | Consumer impact                                                                                                                                                                                                                                                                                                        |
+| ------------------------------------------------------------------------------------------------------ | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `X-Checkpoint-Verified-Tier` / `-Vendor` / `-Protocol` response headers                                | Additive | New headers only emitted when `detectionDetail.metadata.verified_*` populated. No existing consumer parsed these (they didn't exist).                                                                                                                                                                                  |
+| `ruleset_hash` `t1:` slot now populates with vendor-keys SHA-256 (`t1:<64-hex>` instead of `t1:unset`) | Additive | The structured format documented `unset` / `disabled` / `<64-hex>` as valid slot values per [[Engine-Tier-Ruleset-Hash-1]]. Operators pinning on the literal `t1:unset` string would see breakage — but doing so was always against the documented contract (the slot was documented as a placeholder pending wiring). |
+
+### Added
+
+- **`X-Checkpoint-Verified-Tier` response header.** Emitted when
+  `detectionDetail.metadata.verified_tier` is a finite number or non-empty
+  string. Value is the stringified tier (`"1"` for Tier 1 RFC 9421 today;
+  `"2"` reserved for Tier 2 IP+UA cross-match attribution when that path
+  populates `verified_*`).
+- **`X-Checkpoint-Verified-Vendor` response header.** Emitted when
+  `detectionDetail.metadata.verified_vendor` is a non-empty string.
+  Today: `openai` (the only Tier 1 vendor with a bundled JWK). Future
+  Anthropic / Google RFC 9421 signers will add `anthropic` / `google`
+  values without a SemVer event.
+- **`X-Checkpoint-Verified-Protocol` response header.** Emitted when
+  `detectionDetail.metadata.verified_protocol` is a non-empty string.
+  Today: `rfc9421` (HTTP Message Signatures). Future MCP-I JWS envelope
+  verifications will emit `mcp-i` / `did-jws`.
+- **`X-Checkpoint-Ruleset-Hash`'s `t1:` slot now populates.** Computed
+  at engine build time as SHA-256 of the canonical concat of every
+  `data/vendor-keys/*.json` file (sorted by filename, `\n--\n`
+  separator). Build-time panic gate on empty dir / empty file prevents
+  shipping a misleading empty-input hash (mirrors Tier 2/3 discipline).
+  The `cargo:rustc-env=KYA_OS_ENGINE_TIER1_KEYS_SHA256` producer in
+  `kya-os-engine/build.rs` is the single source of truth; `api.rs`
+  consumes via `env!()`.
+
+### Defensive guards (PR #2718 reviewer feedback)
+
+- `X-Checkpoint-Verified-Tier` number path uses `Number.isFinite` to
+  reject `NaN` / `±Infinity` (`typeof NaN === 'number'` is true in JS,
+  so a plain typeof check would emit `Verified-Tier: NaN`).
+- `X-Checkpoint-Verified-Tier` string path requires `length > 0`
+  (mirrors `Verified-Vendor` / `Verified-Protocol` defensive guards).
+
+### Tests
+
+- New Rust drift gate `ruleset_hash_tier1_slot_resolves_to_vendor_keys_sha`
+  re-reads `data/vendor-keys/*.json` at test time + asserts the `t1:`
+  slot matches the computed SHA. Mirrors the existing Tier 2 YAML drift
+  gate. 96/96 lib tests pass.
+- 6 new vitest cases on `render-decision.test.ts` cover the
+  `Verified-*` header emission (presence, absence, partial metadata,
+  Block-path co-emission, observe-mode co-emission, empty-string +
+  NaN + ±Infinity defensive guards, number-vs-string acceptance).
+  26/26 render-decision tests pass.
+
+### What this DOESN'T change
+
+- Engine verify-dispatch behavior — unchanged. Tier 1 was already
+  engaging in 1.5.0; this release only makes that visible.
+- Public API surface — unchanged. No new exports, no new types, no
+  removed exports.
+- Existing response headers — unchanged. `X-Checkpoint-Decision`,
+  `-Reason`, `-Engine`, `-Engine-Version` emit exactly as before.
+- Ruleset-hash format — unchanged. The structured-prefix format
+  pinned by `ruleset_hash_matches_structured_per_tier_format` still
+  matches `sha256:t1:<slot>:t2:<slot>:t3:<slot>:t4:<slot>` where
+  each slot is one of `unset`/`disabled`/`[0-9a-f]{64}`. Only the
+  `t1:` slot's runtime value changed from `unset` to `<64-hex>`.
+
+### Pin guidance
+
+- Customers pinning `^1.5.0` (caret) → auto-pick up 1.5.1 on next
+  install. No action needed.
+- Customers pinning `~1.5.0` (tilde) → auto-pick up 1.5.1 on next
+  install. No action needed.
+- Customers pinning `1.5.0` (exact) → no auto-pickup. Bump to
+  `^1.5.1` to see Tier 1 attribution on the wire.
+
+## 1.5.0 — 2026-05-19
+
+**Formal announcement of HTTP-Sig-Verifier-1 — Tier 1 RFC 9421 HTTP
+Message Signature verification (PR #2642).** Engine cryptographically
+verifies OpenAI's `ChatGPT-Agent` signed traffic at 0.99 confidence
+with vendor attribution on `detection_detail.metadata.verified_*`.
+Pin `^1.5.0` if your dashboard / handler consumes the new Tier 1
+metadata or the failure/skip-reason taxonomy.
+
+### Honest note on what 1.5.0 actually is
+
+The Tier 1 code first rode along in 1.4.3 + 1.4.4 because the publish
+workflow rebuilds wasm from `main` HEAD and #2642 had already merged.
+But both releases shipped under publish-mechanic CHANGELOG entries
+(`workspace:*` leaks, `.gitignore` poison) and were never advertised
+as the Tier 1 ship. 1.5.0 corrects the SemVer label: Tier 1 adds a
+new `AgentRequest::HttpSigned` enum variant + new `verified_*`
+metadata fields + new failure-reason taxonomy strings. That's
+additive public API surface → minor bump, not patch. 1.4.4 is not
+broken and stays on the registry, but new consumers should pin
+`^1.5.0` for clarity of intent.
+
+### Added (Tier 1 RFC 9421 verification)
+
+- **`AgentRequest::HttpSigned` variant** wired through `verify`
+  dispatch. Verified signatures short-circuit to a high-confidence
+  `Permit` Decision; failed / skipped verification falls through to
+  the existing plain-HTTP pipeline with `tier1_failure_reason` /
+  `tier1_skipped_reason` preserved on the detection metadata.
+- **`detection_detail.metadata.verified_*` attribution** when Tier 1
+  succeeds: `verified_tier` (1), `verified_protocol` (`rfc9421`),
+  `verified_vendor` (e.g. `openai`), `key_id`, `covered_components`.
+  F-18 dual-write contract: these fields are byte-stable.
+- **Embedded OpenAI JWK manifest** (`data/vendor-keys/openai.json`)
+  loaded via `include_str!` into a lazy `VendorKeyRegistry`. Resilient
+  to packaging failure (engine still runs without Tier 1 if the
+  manifest is absent or malformed).
+- **Failure-reason taxonomy (byte-stable):** `bad_signature`,
+  `replay_expires_violation`, `replay_window_violation`, `alg_mismatch`,
+  `unknown_keyid_with_signature_agent`, `signature_agent_mismatch`,
+  `malformed_header`, `unsupported_covered_component`,
+  `missing_covered_header`, `key_expired`, `key_not_yet_valid`.
+- **Skip-reason taxonomy (byte-stable):** `no_signature_header`,
+  `unsupported_alg`, `unknown_signature_agent_no_matching_keyid`.
+- **Cross-runtime parity:** 13 fixtures × 3 runtimes (Rust + WASM
+  Node + WASM Edge) green, including 2 new `HttpSigned` fixtures
+  covering skip + fail paths.
+- **`serde-wasm-bindgen` `Serializer::json_compatible()` fix** so
+  `BTreeMap<String, Value>` metadata survives `JSON.stringify` across
+  the WASM boundary. Was silently collapsing to `{}` before; Tier 1
+  is the first real emit site for metadata so the bug surfaced now.
+
+### Operator surface
+
+- `scripts/refresh-openai-signing-keys.ts` — runnable today; fetches
+  `https://chatgpt.com/.well-known/http-message-signatures-directory`,
+  diffs against the embedded manifest, applies 4 sanity gates (>50%
+  removal block, >10× growth block, Ed25519-only alg whitelist,
+  per-kid expiry regression block) + `--ack-vendor` one-shot override.
+  GitHub Actions cron wrapper lands in a follow-up.
+
+### Verification gates active on this release
+
+All four publish-workflow gates from 1.4.4 still apply:
+
+1. Sanity gate — all three wasm-pack targets produce non-trivial
+   `.wasm` binaries on disk.
+2. Tarball-content gate — `tar -tz` listing must contain every
+   required wasm artifact path. (1.4.1/1.4.2 failure mode.)
+3. Manifest gate — packed `package.json` must contain zero
+   `workspace:` substrings in any dependency field. (1.4.3 failure
+   mode.)
+4. Post-publish re-fetch gate — fetches the published tarball from
+   the registry and re-runs gates 2 + 3.
+
+### Adobe pitch narrative upgrade
+
+Pre-1.5.0: "MCP-I cryptographic verification + Tier 2 vendor IP+UA
+cross-match + Tier 3 UA pattern fallback (Monitor)." Post-1.5.0:
+"Same engine; same `Decision` output shape; also verifies RFC 9421
+signed traffic from OpenAI's ChatGPT-Agent at 0.99 confidence today,
+plus any vendor that adopts the same protocol tomorrow. No vendor
+adoption of MCP-I required for verification to work." DataDome /
+Cloudflare / Kasada ceiling at Tier 3 heuristics; this release puts
+KYA-OS one tier above the field for any vendor that signs.
+
+### Follow-ups (not in this release)
+
+- Real ChatGPT-Agent traffic fixture (synthetic-signed fixtures cover
+  dispatch + crypto today).
+- GitHub Actions cron + PR template + vitest coverage + architecture
+  doc for the JWK refresh script.
+- Phase 2 crypto (RSA-PSS-SHA512 + ECDSA-P256-SHA256) — when a
+  second vendor adopts RFC 9421.
+
 ## 1.4.4 — 2026-05-18
 
 **Third recovery release. Do NOT use 1.4.3 — the published manifest

package/dist/orchestrator-edge.js

@@ -404,6 +404,23 @@ function buildBaseHeaders(result) {
   if (result.engineInfo.rulesetHash) {
     headers["X-Checkpoint-Ruleset-Hash"] = result.engineInfo.rulesetHash;
   }
+  const meta = result.detectionDetail.metadata;
+  if (meta) {
+    const verifiedTier = meta.verified_tier;
+    if (typeof verifiedTier === "number" && Number.isFinite(verifiedTier)) {
+      headers["X-Checkpoint-Verified-Tier"] = String(verifiedTier);
+    } else if (typeof verifiedTier === "string" && verifiedTier.length > 0) {
+      headers["X-Checkpoint-Verified-Tier"] = verifiedTier;
+    }
+    const verifiedVendor = meta.verified_vendor;
+    if (typeof verifiedVendor === "string" && verifiedVendor.length > 0) {
+      headers["X-Checkpoint-Verified-Vendor"] = verifiedVendor;
+    }
+    const verifiedProtocol = meta.verified_protocol;
+    if (typeof verifiedProtocol === "string" && verifiedProtocol.length > 0) {
+      headers["X-Checkpoint-Verified-Protocol"] = verifiedProtocol;
+    }
+  }
   return headers;
 }
 function httpStatusForBlockReason(reason) {

package/dist/orchestrator-edge.mjs

@@ -402,6 +402,23 @@ function buildBaseHeaders(result) {
   if (result.engineInfo.rulesetHash) {
     headers["X-Checkpoint-Ruleset-Hash"] = result.engineInfo.rulesetHash;
   }
+  const meta = result.detectionDetail.metadata;
+  if (meta) {
+    const verifiedTier = meta.verified_tier;
+    if (typeof verifiedTier === "number" && Number.isFinite(verifiedTier)) {
+      headers["X-Checkpoint-Verified-Tier"] = String(verifiedTier);
+    } else if (typeof verifiedTier === "string" && verifiedTier.length > 0) {
+      headers["X-Checkpoint-Verified-Tier"] = verifiedTier;
+    }
+    const verifiedVendor = meta.verified_vendor;
+    if (typeof verifiedVendor === "string" && verifiedVendor.length > 0) {
+      headers["X-Checkpoint-Verified-Vendor"] = verifiedVendor;
+    }
+    const verifiedProtocol = meta.verified_protocol;
+    if (typeof verifiedProtocol === "string" && verifiedProtocol.length > 0) {
+      headers["X-Checkpoint-Verified-Protocol"] = verifiedProtocol;
+    }
+  }
   return headers;
 }
 function httpStatusForBlockReason(reason) {

package/dist/orchestrator-node.js

@@ -508,6 +508,23 @@ function buildBaseHeaders(result) {
   if (result.engineInfo.rulesetHash) {
     headers["X-Checkpoint-Ruleset-Hash"] = result.engineInfo.rulesetHash;
   }
+  const meta = result.detectionDetail.metadata;
+  if (meta) {
+    const verifiedTier = meta.verified_tier;
+    if (typeof verifiedTier === "number" && Number.isFinite(verifiedTier)) {
+      headers["X-Checkpoint-Verified-Tier"] = String(verifiedTier);
+    } else if (typeof verifiedTier === "string" && verifiedTier.length > 0) {
+      headers["X-Checkpoint-Verified-Tier"] = verifiedTier;
+    }
+    const verifiedVendor = meta.verified_vendor;
+    if (typeof verifiedVendor === "string" && verifiedVendor.length > 0) {
+      headers["X-Checkpoint-Verified-Vendor"] = verifiedVendor;
+    }
+    const verifiedProtocol = meta.verified_protocol;
+    if (typeof verifiedProtocol === "string" && verifiedProtocol.length > 0) {
+      headers["X-Checkpoint-Verified-Protocol"] = verifiedProtocol;
+    }
+  }
   return headers;
 }
 function httpStatusForBlockReason(reason) {

package/dist/orchestrator-node.mjs

@@ -487,6 +487,23 @@ function buildBaseHeaders(result) {
   if (result.engineInfo.rulesetHash) {
     headers["X-Checkpoint-Ruleset-Hash"] = result.engineInfo.rulesetHash;
   }
+  const meta = result.detectionDetail.metadata;
+  if (meta) {
+    const verifiedTier = meta.verified_tier;
+    if (typeof verifiedTier === "number" && Number.isFinite(verifiedTier)) {
+      headers["X-Checkpoint-Verified-Tier"] = String(verifiedTier);
+    } else if (typeof verifiedTier === "string" && verifiedTier.length > 0) {
+      headers["X-Checkpoint-Verified-Tier"] = verifiedTier;
+    }
+    const verifiedVendor = meta.verified_vendor;
+    if (typeof verifiedVendor === "string" && verifiedVendor.length > 0) {
+      headers["X-Checkpoint-Verified-Vendor"] = verifiedVendor;
+    }
+    const verifiedProtocol = meta.verified_protocol;
+    if (typeof verifiedProtocol === "string" && verifiedProtocol.length > 0) {
+      headers["X-Checkpoint-Verified-Protocol"] = verifiedProtocol;
+    }
+  }
   return headers;
 }
 function httpStatusForBlockReason(reason) {

package/dist/orchestrator.js

@@ -512,6 +512,23 @@ function buildBaseHeaders(result) {
   if (result.engineInfo.rulesetHash) {
     headers["X-Checkpoint-Ruleset-Hash"] = result.engineInfo.rulesetHash;
   }
+  const meta = result.detectionDetail.metadata;
+  if (meta) {
+    const verifiedTier = meta.verified_tier;
+    if (typeof verifiedTier === "number" && Number.isFinite(verifiedTier)) {
+      headers["X-Checkpoint-Verified-Tier"] = String(verifiedTier);
+    } else if (typeof verifiedTier === "string" && verifiedTier.length > 0) {
+      headers["X-Checkpoint-Verified-Tier"] = verifiedTier;
+    }
+    const verifiedVendor = meta.verified_vendor;
+    if (typeof verifiedVendor === "string" && verifiedVendor.length > 0) {
+      headers["X-Checkpoint-Verified-Vendor"] = verifiedVendor;
+    }
+    const verifiedProtocol = meta.verified_protocol;
+    if (typeof verifiedProtocol === "string" && verifiedProtocol.length > 0) {
+      headers["X-Checkpoint-Verified-Protocol"] = verifiedProtocol;
+    }
+  }
   return headers;
 }
 function httpStatusForBlockReason(reason) {

package/dist/orchestrator.mjs

@@ -510,6 +510,23 @@ function buildBaseHeaders(result) {
   if (result.engineInfo.rulesetHash) {
     headers["X-Checkpoint-Ruleset-Hash"] = result.engineInfo.rulesetHash;
   }
+  const meta = result.detectionDetail.metadata;
+  if (meta) {
+    const verifiedTier = meta.verified_tier;
+    if (typeof verifiedTier === "number" && Number.isFinite(verifiedTier)) {
+      headers["X-Checkpoint-Verified-Tier"] = String(verifiedTier);
+    } else if (typeof verifiedTier === "string" && verifiedTier.length > 0) {
+      headers["X-Checkpoint-Verified-Tier"] = verifiedTier;
+    }
+    const verifiedVendor = meta.verified_vendor;
+    if (typeof verifiedVendor === "string" && verifiedVendor.length > 0) {
+      headers["X-Checkpoint-Verified-Vendor"] = verifiedVendor;
+    }
+    const verifiedProtocol = meta.verified_protocol;
+    if (typeof verifiedProtocol === "string" && verifiedProtocol.length > 0) {
+      headers["X-Checkpoint-Verified-Protocol"] = verifiedProtocol;
+    }
+  }
   return headers;
 }
 function httpStatusForBlockReason(reason) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/checkpoint-wasm-runtime",
-  "version": "1.4.4",
+  "version": "1.5.1",
   "description": "Checkpoint WASM runtime for AI agent detection across all environments (formerly @kya-os/agentshield-wasm-runtime)",
   "keywords": [
     "ai",

package/wasm/kya-os-engine/package.json

@@ -12,7 +12,8 @@
   },
   "files": [
     "kya_os_engine_bg.wasm",
-    "kya_os_engine.js"
+    "kya_os_engine.js",
+    "kya_os_engine.d.ts"
   ],
   "main": "kya_os_engine.js",
   "keywords": [
@@ -23,5 +24,6 @@
     "did"
   ],
   "type": "commonjs",
-  "_note": "wasm-bindgen --target nodejs output: uses module.exports + require('fs') at module load. The parent wasm/package.json says type:module (for the older agentshield_wasm.js ESM file), which would make Node mis-classify this CJS file and throw ERR_REQUIRE_ESM. This nested package.json overrides per Node's nearest-package.json resolution algorithm. See SDK-WASM-Bundler-Loader-1 (#2613) for the original incident; AIVF-1 Path B (#2639) re-instated this override after a wasm-pack regen silently dropped it, plus a regen-pipeline patcher (rust/scripts/build-engine-wasm.sh) + an integrity test (packages/checkpoint-wasm-runtime/src/__tests__/wasm-artifact-integrity.test.ts) so the next regen can't silently break Node consumers again."
+  "types": "kya_os_engine.d.ts",
+  "_note": "wasm-bindgen --target nodejs output: uses module.exports + require('fs') at module load. The parent wasm/package.json says type:module (for the older agentshield_wasm.js ESM file), which would make Node mis-classify this CJS file and throw ERR_REQUIRE_ESM. This nested package.json overrides per Node's nearest-package.json resolution algorithm. See SDK-WASM-Bundler-Loader-1 (#2613) for the original incident; AIVF-1 Path B (#2639) re-instated this override after a wasm-pack regen silently dropped it, plus a regen-pipeline patcher (rust/scripts/build-engine-wasm.sh) + an integrity test (packages/checkpoint-wasm-runtime/src/__tests__/wasm-artifact-integrity.test.ts) so the next regen can't silently break Node consumers again. Engine-Pattern-Codegen-Retirement-1 extended the patcher to also restore the types/`files` .d.ts references that --no-typescript drops."
 }

package/wasm/kya-os-engine-web/package.json

@@ -13,7 +13,8 @@
   },
   "files": [
     "kya_os_engine_bg.wasm",
-    "kya_os_engine.js"
+    "kya_os_engine.js",
+    "kya_os_engine.d.ts"
   ],
   "main": "kya_os_engine.js",
   "sideEffects": [
@@ -25,5 +26,6 @@
     "mcp-i",
     "agent",
     "did"
-  ]
-}
+  ],
+  "types": "kya_os_engine.d.ts"
+}