@longarc/mdash 3.0.0

package/src/core/crypto.ts

@@ -0,0 +1,304 @@
+/**
+ * mdash v3.0 - Cryptographic Core
+ * 
+ * "LLM at the edges, cryptography at the core."
+ * 
+ * All cryptographic operations use Web Crypto API for:
+ * - Hardware acceleration where available
+ * - Constant-time operations (timing attack resistance)
+ * - Non-extractable key material
+ */
+
+// ============================================================================
+// BRANDED TYPES - Type safety without runtime overhead
+// ============================================================================
+
+export type Hash = string & { readonly __brand: 'Hash' };
+export type Seal = string & { readonly __brand: 'Seal' };
+export type Timestamp = string & { readonly __brand: 'Timestamp' };
+export type FragmentId = string & { readonly __brand: 'FragmentId' };
+export type WarrantId = string & { readonly __brand: 'WarrantId' };
+export type CheckpointId = string & { readonly __brand: 'CheckpointId' };
+
+// ============================================================================
+// TYPE GUARDS
+// ============================================================================
+
+const HASH_REGEX = /^[a-f0-9]{64}$/;
+const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+const ISO_REGEX = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{3})?Z$/;
+
+export function isHash(value: unknown): value is Hash {
+  return typeof value === 'string' && HASH_REGEX.test(value);
+}
+
+export function isSeal(value: unknown): value is Seal {
+  return typeof value === 'string' && HASH_REGEX.test(value);
+}
+
+export function isTimestamp(value: unknown): value is Timestamp {
+  return typeof value === 'string' && ISO_REGEX.test(value);
+}
+
+export function isFragmentId(value: unknown): value is FragmentId {
+  return typeof value === 'string' && UUID_REGEX.test(value);
+}
+
+export function isWarrantId(value: unknown): value is WarrantId {
+  return typeof value === 'string' && value.startsWith('w-') && value.length === 10;
+}
+
+export function isCheckpointId(value: unknown): value is CheckpointId {
+  return typeof value === 'string' && value.startsWith('cp-') && value.length === 11;
+}
+
+// ============================================================================
+// CRYPTO CONTEXT - Web Crypto API access
+// ============================================================================
+
+function getSubtleCrypto(): SubtleCrypto {
+  if (typeof globalThis.crypto?.subtle !== 'undefined') {
+    return globalThis.crypto.subtle;
+  }
+  throw new Error('Web Crypto API not available');
+}
+
+function getRandomUUID(): string {
+  if (typeof globalThis.crypto?.randomUUID === 'function') {
+    return globalThis.crypto.randomUUID();
+  }
+  throw new Error('crypto.randomUUID not available');
+}
+
+// ============================================================================
+// HASHING - SHA-256
+// ============================================================================
+
+/**
+ * SHA-256 hash of a string
+ * Returns lowercase hex (64 characters)
+ */
+export async function sha256(input: string): Promise<Hash> {
+  const subtle = getSubtleCrypto();
+  const encoder = new TextEncoder();
+  const data = encoder.encode(input);
+  const hashBuffer = await subtle.digest('SHA-256', data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+  return hashHex as Hash;
+}
+
+/**
+ * SHA-256 hash of an object using deterministic serialization
+ * Keys are sorted at all nesting levels
+ */
+export async function sha256Object(obj: unknown): Promise<Hash> {
+  const serialized = deterministicStringify(obj);
+  return sha256(serialized);
+}
+
+/**
+ * SHA-256 hash of binary data
+ */
+export async function sha256Binary(data: ArrayBuffer): Promise<Hash> {
+  const subtle = getSubtleCrypto();
+  const hashBuffer = await subtle.digest('SHA-256', data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+  return hashHex as Hash;
+}
+
+/**
+ * Rolling hash of multiple hashes (for Merkle tree nodes)
+ * Order matters: H(a, b) ≠ H(b, a)
+ */
+export async function rollingHash(hashes: Hash[]): Promise<Hash> {
+  if (hashes.length === 0) {
+    return sha256('');
+  }
+  if (hashes.length === 1) {
+    const first = hashes[0];
+    if (!first) {
+      return sha256('');
+    }
+    return first;
+  }
+  const combined = hashes.join('|');
+  return sha256(combined);
+}
+
+// ============================================================================
+// DETERMINISTIC SERIALIZATION
+// ============================================================================
+
+/**
+ * JSON.stringify with sorted keys at all nesting levels
+ * Ensures {a:1, b:2} and {b:2, a:1} produce identical output
+ */
+export function deterministicStringify(obj: unknown): string {
+  return JSON.stringify(obj, (_, value) => {
+    if (value && typeof value === 'object' && !Array.isArray(value)) {
+      return Object.keys(value)
+        .sort()
+        .reduce((sorted: Record<string, unknown>, key) => {
+          sorted[key] = value[key];
+          return sorted;
+        }, {});
+    }
+    return value;
+  });
+}
+
+// ============================================================================
+// HMAC SEALING - HMAC-SHA256
+// ============================================================================
+
+const HKDF_SALT = 'caret-context-primitive-engine';
+const HKDF_INFO = 'mdash-seal-v3';
+
+/**
+ * Derive an HMAC key from a master key using HKDF
+ * The derived key is non-extractable
+ */
+export async function deriveKey(masterKey: string): Promise<CryptoKey> {
+  const subtle = getSubtleCrypto();
+  const encoder = new TextEncoder();
+  
+  // Import master key as raw key material
+  const keyMaterial = await subtle.importKey(
+    'raw',
+    encoder.encode(masterKey),
+    'HKDF',
+    false,
+    ['deriveKey']
+  );
+  
+  // Derive HMAC key using HKDF
+  return subtle.deriveKey(
+    {
+      name: 'HKDF',
+      salt: encoder.encode(HKDF_SALT),
+      info: encoder.encode(HKDF_INFO),
+      hash: 'SHA-256',
+    },
+    keyMaterial,
+    { name: 'HMAC', hash: 'SHA-256' },
+    false, // non-extractable
+    ['sign', 'verify']
+  );
+}
+
+/**
+ * Create HMAC seal of content
+ */
+export async function hmacSeal(content: unknown, key: CryptoKey): Promise<Seal> {
+  const subtle = getSubtleCrypto();
+  const encoder = new TextEncoder();
+  const data = encoder.encode(deterministicStringify(content));
+  const signature = await subtle.sign('HMAC', key, data);
+  const sigArray = Array.from(new Uint8Array(signature));
+  const sigHex = sigArray.map(b => b.toString(16).padStart(2, '0')).join('');
+  return sigHex as Seal;
+}
+
+/**
+ * Verify HMAC seal
+ */
+export async function hmacVerify(content: unknown, seal: Seal, key: CryptoKey): Promise<boolean> {
+  const subtle = getSubtleCrypto();
+  const encoder = new TextEncoder();
+  const data = encoder.encode(deterministicStringify(content));
+  
+  // Convert seal hex to ArrayBuffer
+  const sealBytes = new Uint8Array(seal.match(/.{2}/g)!.map(byte => parseInt(byte, 16)));
+  
+  return subtle.verify('HMAC', key, sealBytes, data);
+}
+
+// ============================================================================
+// CONSTANT-TIME COMPARISON
+// ============================================================================
+
+/**
+ * Compare two strings in constant time
+ * Prevents timing attacks on seal/hash comparison
+ */
+export function constantTimeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) {
+    return false;
+  }
+  
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+
+// ============================================================================
+// ID GENERATION
+// ============================================================================
+
+/**
+ * Generate a new fragment ID (UUID v4)
+ */
+export function generateFragmentId(): FragmentId {
+  return getRandomUUID() as FragmentId;
+}
+
+/**
+ * Generate a new warrant ID
+ * Format: w-{8 hex chars}
+ */
+export function generateWarrantId(): WarrantId {
+  const bytes = new Uint8Array(4);
+  globalThis.crypto.getRandomValues(bytes);
+  const hex = Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
+  return `w-${hex}` as WarrantId;
+}
+
+/**
+ * Generate a new checkpoint ID
+ * Format: cp-{8 hex chars}
+ */
+export function generateCheckpointId(): CheckpointId {
+  const bytes = new Uint8Array(4);
+  globalThis.crypto.getRandomValues(bytes);
+  const hex = Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
+  return `cp-${hex}` as CheckpointId;
+}
+
+/**
+ * Generate current timestamp in ISO format
+ */
+export function generateTimestamp(): Timestamp {
+  return new Date().toISOString() as Timestamp;
+}
+
+// ============================================================================
+// PROTOTYPE POLLUTION PREVENTION
+// ============================================================================
+
+const DANGEROUS_KEYS = ['__proto__', 'constructor', 'prototype'];
+
+/**
+ * Sanitize an object by removing dangerous prototype keys
+ * Recursively processes nested objects and arrays
+ */
+export function sanitizeObject<T>(obj: T): T {
+  if (obj === null || typeof obj !== 'object') {
+    return obj;
+  }
+  
+  if (Array.isArray(obj)) {
+    return obj.map(sanitizeObject) as T;
+  }
+  
+  const result: Record<string, unknown> = {};
+  for (const key of Object.keys(obj as object)) {
+    if (!DANGEROUS_KEYS.includes(key)) {
+      result[key] = sanitizeObject((obj as Record<string, unknown>)[key]);
+    }
+  }
+  return result as T;
+}

package/src/index.ts

@@ -0,0 +1,320 @@
+/**
+ * mdash v3.0 Protocol
+ * 
+ * "The best defense is the fastest seal."
+ * 
+ * Liability infrastructure for autonomous AI agents.
+ * Cryptographic sealing at execution speed.
+ * 
+ * Architecture:
+ * - L1: Commitment Layer (<1ms)
+ * - L2: TEE Attestation (<10ms) 
+ * - L3: ZK Proofs (async)
+ * - MCCA: Manifold-Constrained Context Architecture
+ * 
+ * @version 3.0.0
+ * @author Long Arc Studios
+ */
+
+// Re-export core primitives
+export * from './core/crypto.js';
+export * from './core/commitment.js';
+
+// Re-export engines
+export * from './warrant/engine.js';
+export * from './checkpoint/engine.js';
+export * from './context/engine.js';
+export * from './physics/engine.js';
+
+// Re-export L2 TEE Attestation
+export * from './tee/engine.js';
+
+// Re-export L3 ZK Proofs
+export * from './zk/engine.js';
+
+// Re-export MCCA v3 (excluding SourceClass which is already exported from context)
+export { 
+  MCCAEngine,
+  ManifoldRegion,
+  InfluenceBudget,
+  MCCAConfig,
+  ManifoldFragment,
+  ManifoldCommitmentProof,
+  DEFAULT_CONFIG as MCCA_DEFAULT_CONFIG
+} from './mcca/engine.js';
+
+// Import for runtime
+import { CommitmentEngine, LatencyMonitor, Commitment } from './core/commitment.js';
+import { WarrantEngine, WarrantTier, WarrantConstraints, Warrant } from './warrant/engine.js';
+import { CheckpointEngine, Checkpoint } from './checkpoint/engine.js';
+import { SealedContextEngine, ContextFragment } from './context/engine.js';
+import { PhysicsEngine, PhysicsValidation, PhysicsAction } from './physics/engine.js';
+import { TEEAttestationEngine, AttestationDocument, AttestationBridge, TEEPlatform } from './tee/engine.js';
+import { ZKProofsEngine, ZKProofDocument, ClaimBuilder } from './zk/engine.js';
+import { MCCAEngine, ManifoldFragment, ContextWindowManager } from './mcca/engine.js';
+import { WarrantId, generateTimestamp } from './core/crypto.js';
+
+// ============================================================================
+// PROTOCOL RUNTIME
+// ============================================================================
+
+export interface MdashConfig {
+  sealKey: string;
+  maxTreeDepth?: number;
+  enableLatencyMonitoring?: boolean;
+  teePlatform?: TEEPlatform;
+  enableZKProofs?: boolean;
+  zkConcurrency?: number;
+  enableMCCA?: boolean;
+  maxContextTokens?: number;
+}
+
+export interface MdashStats {
+  commitment: ReturnType<CommitmentEngine['getStats']>;
+  warrant: ReturnType<WarrantEngine['getCacheStats']>;
+  checkpoint: ReturnType<CheckpointEngine['getStats']>;
+  context: ReturnType<SealedContextEngine['getStats']>;
+  physics: ReturnType<PhysicsEngine['getStats']>;
+  tee?: ReturnType<TEEAttestationEngine['getStats']>;
+  zk?: ReturnType<ZKProofsEngine['getStats']>;
+  mcca?: ReturnType<MCCAEngine['getStats']>;
+}
+
+export class MdashProtocol {
+  private config: MdashConfig;
+  private initialized: boolean = false;
+  
+  public readonly commitment: CommitmentEngine;
+  public readonly warrant: WarrantEngine;
+  public readonly checkpoint: CheckpointEngine;
+  public readonly context: SealedContextEngine;
+  public readonly physics: PhysicsEngine;
+  public readonly latency: LatencyMonitor;
+  public readonly tee: TEEAttestationEngine;
+  public readonly bridge: AttestationBridge;
+  public readonly zk: ZKProofsEngine | null;
+  public readonly mcca: MCCAEngine | null;
+  public readonly contextWindow: ContextWindowManager | null;
+  
+  constructor(config: MdashConfig) {
+    this.config = config;
+    this.commitment = new CommitmentEngine(config.maxTreeDepth);
+    this.warrant = new WarrantEngine(this.commitment);
+    this.checkpoint = new CheckpointEngine(this.commitment);
+    this.context = new SealedContextEngine(this.commitment);
+    this.physics = new PhysicsEngine();
+    this.tee = new TEEAttestationEngine(this.commitment, { platform: config.teePlatform || 'simulated' });
+    this.bridge = new AttestationBridge(this.tee, this.commitment);
+    this.zk = config.enableZKProofs !== false ? new ZKProofsEngine(this.commitment, config.zkConcurrency || 4) : null;
+    this.mcca = config.enableMCCA !== false ? new MCCAEngine(this.commitment, { maxTokens: config.maxContextTokens || 100000 }) : null;
+    this.contextWindow = this.mcca ? new ContextWindowManager(this.mcca, config.maxContextTokens || 100000) : null;
+    this.latency = new LatencyMonitor();
+  }
+  
+  async initialize(): Promise<void> {
+    const startTime = performance.now();
+    await Promise.all([
+      this.commitment.initialize(this.config.sealKey),
+      this.warrant.initialize(this.config.sealKey),
+      this.checkpoint.initialize(this.config.sealKey),
+      this.context.initialize(this.config.sealKey),
+      this.physics.initialize(this.config.sealKey),
+    ]);
+    await this.tee.initialize(this.config.sealKey);
+    if (this.zk) await this.zk.initialize(this.config.sealKey);
+    if (this.mcca) await this.mcca.initialize(this.config.sealKey);
+    this.initialized = true;
+    const elapsed = performance.now() - startTime;
+    console.log(`mdash v3.0 initialized in ${elapsed.toFixed(2)}ms`);
+  }
+  
+  isInitialized(): boolean { return this.initialized; }
+  
+  async execute<T>(params: {
+    agentId: string;
+    action: string;
+    actionParams: Record<string, unknown>;
+    execute: () => Promise<T>;
+    generateZKProof?: boolean;
+  }): Promise<{
+    result: T;
+    warrant: Warrant;
+    startCheckpoint: Checkpoint;
+    endCheckpoint: Checkpoint;
+    validation: PhysicsValidation;
+    attestation: AttestationDocument;
+    zkProof?: ZKProofDocument;
+  }> {
+    if (!this.initialized) throw new Error('Protocol not initialized');
+    
+    const authParams = {
+      agent_id: params.agentId,
+      action: params.action,
+      amount: typeof params.actionParams.amount === 'number' ? params.actionParams.amount : undefined,
+      domain: typeof params.actionParams.domain === 'string' ? params.actionParams.domain : undefined,
+    };
+    
+    const warrant = await this.warrant.checkAuthorization(authParams);
+    if (!warrant) throw new Error(`No valid warrant for agent ${params.agentId}`);
+    
+    const startCheckpoint = await this.checkpoint.onActionStart({
+      agent_id: params.agentId,
+      warrant_id: warrant.id,
+      action: params.action,
+      params: params.actionParams,
+    });
+    
+    const physicsAction: PhysicsAction = {
+      action_id: `${params.action}-${Date.now()}`,
+      type: params.action,
+      agent_id: params.agentId,
+      warrant_id: warrant.id,
+      params: params.actionParams,
+      timestamp: generateTimestamp(),
+    };
+    
+    const validation = await this.physics.validate(physicsAction, warrant);
+    if (!validation.valid) {
+      await this.checkpoint.onError({
+        agent_id: params.agentId,
+        warrant_id: warrant.id,
+        action: params.action,
+        error: `Physics validation failed`,
+      });
+      throw new Error(`Physics validation failed`);
+    }
+    
+    const { attestation } = await this.bridge.commitAndAttest(
+      { warrant_id: warrant.id, action: params.action, params: params.actionParams },
+      `action:${params.agentId}:${Date.now()}`
+    );
+    
+    let result: T;
+    try {
+      result = await params.execute();
+    } catch (error) {
+      await this.checkpoint.onError({
+        agent_id: params.agentId,
+        warrant_id: warrant.id,
+        action: params.action,
+        error: String(error),
+      });
+      throw error;
+    }
+    
+    const endCheckpoint = await this.checkpoint.onActionComplete({
+      agent_id: params.agentId,
+      warrant_id: warrant.id,
+      action: params.action,
+      params: params.actionParams,
+      result,
+      physics_score: validation.score,
+    });
+    
+    let zkProof: ZKProofDocument | undefined;
+    if (params.generateZKProof && this.zk) {
+      zkProof = await this.zk.requestProof(
+        new ClaimBuilder('action_compliance')
+          .withDescription(`Action proof for ${params.action}`)
+          .withClaim('agent_id', params.agentId)
+          .withClaim('action', params.action)
+          .withClaim('warrant_id', warrant.id)
+          .withAttestations(attestation.id)
+          .build('normal')
+      );
+    }
+    
+    return { result, warrant, startCheckpoint, endCheckpoint, validation, attestation, zkProof };
+  }
+  
+  async prestageWarrant(params: {
+    agentId: string;
+    policyId: string;
+    tier: WarrantTier;
+    constraints: WarrantConstraints;
+    durationMs: number;
+    issuedBy: string;
+  }): Promise<Warrant> {
+    if (!this.initialized) throw new Error('Protocol not initialized');
+    return this.warrant.createSpeculative({
+      agent_id: params.agentId,
+      policy_id: params.policyId,
+      tier: params.tier,
+      constraints: params.constraints,
+      duration_ms: params.durationMs,
+      issued_by: params.issuedBy,
+    });
+  }
+  
+  async revokeWarrant(warrantId: WarrantId, reason: string, actor: { type: 'user' | 'system'; id: string }): Promise<Warrant> {
+    if (!this.initialized) throw new Error('Protocol not initialized');
+    return this.warrant.revoke(warrantId, reason, actor);
+  }
+  
+  async generateAuditProof(params: {
+    description: string;
+    claim: Record<string, unknown>;
+    commitmentIds?: string[];
+    attestationIds?: string[];
+    priority?: 'low' | 'normal' | 'high';
+  }): Promise<ZKProofDocument> {
+    if (!this.zk) throw new Error('ZK proofs not enabled');
+    return this.zk.requestProof(
+      new ClaimBuilder('audit_trail')
+        .withDescription(params.description)
+        .withClaim('audit', params.claim)
+        .withCommitments(...(params.commitmentIds || []))
+        .withAttestations(...(params.attestationIds || []))
+        .build(params.priority || 'normal')
+    );
+  }
+  
+  getStats(): MdashStats {
+    const stats: MdashStats = {
+      commitment: this.commitment.getStats(),
+      warrant: this.warrant.getCacheStats(),
+      checkpoint: this.checkpoint.getStats(),
+      context: this.context.getStats(),
+      physics: this.physics.getStats(),
+    };
+    stats.tee = this.tee.getStats();
+    if (this.zk) stats.zk = this.zk.getStats();
+    if (this.mcca) stats.mcca = this.mcca.getStats();
+    return stats;
+  }
+  
+  checkSLAs(): Record<string, { withinSLA: boolean; metrics: unknown }> {
+    const ops = ['commitment_seal', 'merkle_proof', 'context_chunk_seal', 'checkpoint_create', 'execute'];
+    const results: Record<string, { withinSLA: boolean; metrics: unknown }> = {};
+    for (const op of ops) {
+      results[op] = { withinSLA: this.latency.isWithinSLA(op), metrics: this.latency.getMetrics(op) };
+    }
+    return results;
+  }
+  
+  shutdown(): void {
+    if (this.zk) this.zk.stopProcessing();
+    console.log('mdash v3.0 shutdown complete');
+  }
+}
+
+export function createMdash(config: MdashConfig): MdashProtocol {
+  return new MdashProtocol(config);
+}
+
+export const VERSION = {
+  protocol: '3.0.0',
+  codename: 'Sealed Execution',
+  releaseDate: '2026-01',
+  features: [
+    'L1 Commitment Layer (<1ms)',
+    'L2 TEE Attestation (AWS Nitro/SGX, <10ms)',
+    'L3 ZK Proofs (Plonky2, async)',
+    'MCCA v3 (Manifold-Constrained Context Architecture)',
+    'Speculative Warrant Issuance (<10ms activation)',
+    'Event-driven Checkpoints',
+    'Incremental Merkle Sealing',
+    'Physics Engine with Hot-swap Policies',
+    'Insurance-grade Audit Trails',
+  ],
+} as const;