@longarc/mdash 3.1.1 → 3.1.3

package/docs/SECURITY-PATCHES.md

@@ -0,0 +1,170 @@
+# mdash v3.0 Security Patches
+
+Applied: 2026-01-26
+Auditor: Kai (Claude + security-reasoning skill)
+
+## Summary
+
+| Priority | Issue | Status | File(s) |
+|----------|-------|--------|---------|
+| **P1** | TOCTOU in execute flow | ✅ Fixed | `index.ts`, `warrant-engine.ts` |
+| **P2a** | Cache seal verification | ✅ Fixed | `warrant-engine.ts` |
+| **P2b** | Simulated TEE detection | ✅ Fixed | `tee-engine.ts` |
+| **P3a** | Error message sanitization | ✅ Fixed | `index.ts` |
+| **P3b** | Warrant creation rate limiting | ✅ Fixed | `warrant-engine.ts` |
+| **P4** | Constraint presence validation | ✅ Fixed | `physics-engine.ts` |
+| **P5** | Minimum seal key length | ✅ Fixed | `crypto.ts` |
+
+**Test Results:** 251 passed (including 33 security tests)
+
+---
+
+## Security Test Suite Added
+
+New `security.test.ts` with comprehensive coverage:
+
+### Adversarial Input Testing
+- Prototype pollution resistance (`__proto__`, `constructor`)
+- Nested pollution handling
+- Boundary value fuzzing (MAX_SAFE_INTEGER, negative, NaN, Infinity)
+- Timestamp manipulation
+- String injection (SQL-like, null bytes, unicode normalization)
+
+### Concurrent Access Testing (TOCTOU Verification)
+- Concurrent warrant activations
+- Revocation during execute flow
+- High concurrency serialization
+- Rate limiting under burst (100/min enforced)
+
+### Replay Attack Resistance
+- Expired attestation detection
+- Tampered seal detection
+- Missing L1 commitment detection
+- Unique ID generation
+- Timestamp verification
+
+### Cross-Layer Failure Handling
+- L1/L2 commitment reference verification
+- Cross-layer reference mismatch detection
+- Physics validation failure propagation
+- Execute function failure handling
+- Audit trail persistence on failure
+
+### Security Edge Cases
+- Empty/short seal key rejection (32 char minimum)
+- Long agent ID handling (10,000 chars)
+- Special characters in policy ID
+- Constant-time seal comparison
+
+---
+
+## P1: TOCTOU Fix (Critical)
+
+**Problem:** Race condition between warrant authorization check and action execution.
+
+**Fix:** Added warrant revocation re-check immediately before `params.execute()` call.
+
+```typescript
+// In index.ts execute() method, before calling params.execute():
+if (this.warrant.isRevoked(warrant.id)) {
+  await this.checkpoint.onError({...});
+  throw new Error('Authorization denied');
+}
+```
+
+---
+
+## P2a: Cache Seal Verification
+
+**Problem:** Cache retrieval lacked seal verification.
+
+**Fix:** Added `getVerified()` method with HMAC verification.
+
+---
+
+## P2b: Simulated TEE Detection
+
+**Problem:** Silent fallback to simulated mode in production.
+
+**Fix:** Hard failure in `NODE_ENV=production` without explicit override.
+
+---
+
+## P3a: Error Message Sanitization
+
+**Problem:** Errors leaked internal state.
+
+**Fix:** Generic `"Authorization denied"` for all auth failures.
+
+---
+
+## P3b: Warrant Creation Rate Limiting
+
+**Problem:** Unbounded warrant creation.
+
+**Fix:** 100 warrants/minute per issuer.
+
+---
+
+## P4: Constraint Presence Validation
+
+**Problem:** Nullish coalescing bypass with explicit undefined.
+
+**Fix:** `Object.prototype.hasOwnProperty.call()` checks.
+
+---
+
+## P5: Minimum Seal Key Length (NEW)
+
+**Problem:** Empty or weak seal keys accepted.
+
+**Fix:** Enforce 32 character minimum in `deriveKey()`.
+
+```typescript
+if (!masterKey || masterKey.length < 32) {
+  throw new Error('Seal key must be at least 32 characters');
+}
+```
+
+---
+
+## Files Included
+
+1. `index.ts` - Protocol entry point with TOCTOU fix, error sanitization
+2. `warrant-engine.ts` - isRevoked(), seal verification, rate limiting
+3. `tee-engine.ts` - Simulated mode detection
+4. `physics-engine.ts` - Constraint presence validation
+5. `crypto.ts` - Minimum key length validation
+6. `security.test.ts` - 33 new adversarial tests
+
+---
+
+## Application Instructions
+
+```bash
+# From mdash root
+cp mdash-security-patches/index.ts src/index.ts
+cp mdash-security-patches/warrant-engine.ts src/warrant/engine.ts
+cp mdash-security-patches/tee-engine.ts src/tee/engine.ts
+cp mdash-security-patches/physics-engine.ts src/physics/engine.ts
+cp mdash-security-patches/crypto.ts src/core/crypto.ts
+cp mdash-security-patches/security.test.ts src/__tests__/security.test.ts
+
+# Also update phase2-4 test key (was 31 chars, now needs 32)
+# In src/__tests__/phase2-4.test.ts, change:
+# const TEST_SEAL_KEY = 'test-seal-key-phase-2-4-v3.0.0';
+# to:
+# const TEST_SEAL_KEY = 'test-seal-key-phase-2-4-v3.0.0-x';
+
+npm test  # Expect 157 passing
+```
+
+---
+
+## Remaining Considerations
+
+1. **Warrant expiry during execution** - Current implementation may need stronger expiry checking mid-flow
+2. **NaN handling in amounts** - NaN passes constraint checks (NaN > X is always false)
+3. **Unicode normalization** - Consider normalizing strings before hashing for consistency
+
+These are documented in the test suite with "documents current behavior" comments.

package/package.json

@@ -1,17 +1,28 @@
 {
   "name": "@longarc/mdash",
-  "version": "3.1.1",
-  "description": "Accountability infrastructure for autonomous AI agents — cryptographic attestation at execution speed.",
+  "version": "3.1.3",
+  "description": "Cryptographic attestation protocol for autonomous AI agents",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "type": "module",
+  "exports": {
+    ".": "./dist/index.js",
+    "./context": "./dist/context/index.js",
+    "./warrant": "./dist/warrant/engine.js",
+    "./physics": "./dist/physics/engine.js",
+    "./checkpoint": "./dist/checkpoint/engine.js",
+    "./mcca": "./dist/mcca/engine.js",
+    "./tee": "./dist/tee/engine.js",
+    "./zk": "./dist/zk/engine.js"
+  },
   "scripts": {
     "build": "tsc",
     "test": "vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
     "lint": "eslint src --ext .ts",
-    "clean": "rm -rf dist"
+    "clean": "rm -rf dist",
+    "typecheck": "tsc --noEmit"
   },
   "keywords": [
     "ai",
@@ -20,9 +31,10 @@
     "attestation",
     "cryptography",
     "tee",
-    "zk-proofs"
+    "zk-proofs",
+    "warrant"
   ],
-  "author": "Long Arc Studios <josh@mdash.sh>",
+  "author": "Long Arc Studios",
   "license": "MIT",
   "engines": {
     "node": ">=18.0.0"

package/src/__tests__/accountability.test.ts

@@ -0,0 +1,308 @@
+/**
+ * AccountabilityEngine Test Suite
+ *
+ * Full lifecycle: issue warrant → check action → commit attestation → verify
+ */
+
+import { describe, it, expect, beforeEach } from 'vitest';
+import { AccountabilityEngine } from '../accountability/engine.js';
+import type { WarrantPermissions } from '../accountability/types.js';
+
+const SEAL_KEY = 'test-seal-key-minimum-32-characters-long';
+
+const DEFAULT_PERMISSIONS: WarrantPermissions = {
+  allowedActions: ['read', 'write', 'query'],
+  forbiddenActions: ['delete', 'drop-table'],
+  ttlMs: 60_000,
+};
+
+describe('AccountabilityEngine', () => {
+  let engine: AccountabilityEngine;
+
+  beforeEach(async () => {
+    engine = new AccountabilityEngine();
+    await engine.initialize(SEAL_KEY);
+  });
+
+  // ── Authorization ──
+
+  it('should execute authorized actions with cryptographic attestation', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+
+    const result = await engine.executeAction('agent-1', 'read', { file: 'data.csv' });
+
+    expect(result.executed).toBe(true);
+    expect(result.commitment).toBeDefined();
+    expect(result.commitment!.content_hash).toBeTruthy();
+    expect(result.commitment!.seal).toBeTruthy();
+    expect(result.verified).toBe(true);
+    expect(result.violation).toBeUndefined();
+  });
+
+  it('should verify commitment seals are cryptographically valid', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+    const result = await engine.executeAction('agent-1', 'read', {});
+
+    const valid = await engine.verifyCommitment(result.commitment!);
+    expect(valid).toBe(true);
+  });
+
+  it('should handle multiple authorized actions with distinct commitments', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+
+    const r1 = await engine.executeAction('agent-1', 'read', { id: 1 });
+    const r2 = await engine.executeAction('agent-1', 'write', { id: 2 });
+    const r3 = await engine.executeAction('agent-1', 'query', { sql: 'SELECT 1' });
+
+    expect(r1.executed).toBe(true);
+    expect(r2.executed).toBe(true);
+    expect(r3.executed).toBe(true);
+
+    // Each gets a unique commitment
+    expect(r1.commitment!.id).not.toBe(r2.commitment!.id);
+    expect(r2.commitment!.id).not.toBe(r3.commitment!.id);
+  });
+
+  // ── Denial: Forbidden Actions ──
+
+  it('should deny forbidden actions with typed violation', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+
+    const result = await engine.executeAction('agent-1', 'delete', { target: 'users' });
+
+    expect(result.executed).toBe(false);
+    expect(result.violation).toBeDefined();
+    expect(result.violation!.type).toBe('FORBIDDEN_ACTION');
+    expect(result.violation!.agentId).toBe('agent-1');
+    expect(result.violation!.action).toBe('delete');
+    expect(result.commitment).toBeUndefined();
+  });
+
+  it('should deny forbidden actions even if also in allowed list', async () => {
+    // Forbidden takes precedence
+    await engine.issueWarrant('agent-1', {
+      allowedActions: ['delete'],
+      forbiddenActions: ['delete'],
+      ttlMs: 60_000,
+    });
+
+    const result = await engine.executeAction('agent-1', 'delete', {});
+    expect(result.executed).toBe(false);
+    expect(result.violation!.type).toBe('FORBIDDEN_ACTION');
+  });
+
+  // ── Denial: Unauthorized Actions ──
+
+  it('should deny actions not in the allowed list', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+
+    const result = await engine.executeAction('agent-1', 'execute-shell', { cmd: 'rm -rf /' });
+
+    expect(result.executed).toBe(false);
+    expect(result.violation!.type).toBe('UNAUTHORIZED_ACTION');
+  });
+
+  // ── Denial: No Warrant ──
+
+  it('should deny actions from agents with no warrant', async () => {
+    const result = await engine.executeAction('unknown-agent', 'read', {});
+
+    expect(result.executed).toBe(false);
+    expect(result.violation!.type).toBe('NO_WARRANT');
+    expect(result.violation!.agentId).toBe('unknown-agent');
+  });
+
+  // ── Denial: Expired Warrants ──
+
+  it('should deny actions when warrant has expired', async () => {
+    await engine.issueWarrant('agent-1', {
+      allowedActions: ['read'],
+      forbiddenActions: [],
+      ttlMs: 1, // 1ms TTL — will expire immediately
+    });
+
+    // Wait for expiry
+    await new Promise(resolve => setTimeout(resolve, 10));
+
+    const result = await engine.executeAction('agent-1', 'read', {});
+
+    expect(result.executed).toBe(false);
+    expect(result.violation!.type).toBe('WARRANT_EXPIRED');
+  });
+
+  // ── Denial: Revoked Warrants ──
+
+  it('should deny actions after warrant revocation', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+
+    // Authorized before revocation
+    const before = await engine.executeAction('agent-1', 'read', {});
+    expect(before.executed).toBe(true);
+
+    engine.revokeWarrant('agent-1');
+
+    const after = await engine.executeAction('agent-1', 'read', {});
+    expect(after.executed).toBe(false);
+    expect(after.violation!.type).toBe('WARRANT_REVOKED');
+  });
+
+  // ── Denial: Execution Limit ──
+
+  it('should deny actions when execution limit is reached', async () => {
+    await engine.issueWarrant('agent-1', {
+      allowedActions: ['read'],
+      forbiddenActions: [],
+      ttlMs: 60_000,
+      maxExecutions: 2,
+    });
+
+    const r1 = await engine.executeAction('agent-1', 'read', { n: 1 });
+    const r2 = await engine.executeAction('agent-1', 'read', { n: 2 });
+    const r3 = await engine.executeAction('agent-1', 'read', { n: 3 });
+
+    expect(r1.executed).toBe(true);
+    expect(r2.executed).toBe(true);
+    expect(r3.executed).toBe(false);
+    expect(r3.violation!.type).toBe('EXECUTION_LIMIT_REACHED');
+  });
+
+  // ── Audit Trail ──
+
+  it('should produce correct audit summary', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+
+    await engine.executeAction('agent-1', 'read', {});
+    await engine.executeAction('agent-1', 'write', {});
+    await engine.executeAction('agent-1', 'delete', {});
+    await engine.executeAction('agent-1', 'execute-shell', {});
+
+    const audit = engine.getAuditSummary();
+
+    expect(audit.total).toBe(4);
+    expect(audit.authorized).toBe(2);
+    expect(audit.denied).toBe(2);
+    expect(audit.log).toHaveLength(4);
+  });
+
+  it('should include commit details in audit records for attested actions', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+    await engine.executeAction('agent-1', 'read', { file: 'test.txt' });
+
+    const audit = engine.getAuditSummary();
+    const record = audit.log[0]!;
+
+    expect(record.type).toBe('ATTESTED_ACTION');
+    expect(record.commitId).toBeTruthy();
+    expect(record.contentHash).toBeTruthy();
+    expect(record.verified).toBe(true);
+    expect(record.warrantId).toBeTruthy();
+  });
+
+  it('should include violation details in audit records for denied actions', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+    await engine.executeAction('agent-1', 'delete', {});
+
+    const audit = engine.getAuditSummary();
+    const record = audit.log[0]!;
+
+    expect(record.type).toBe('FORBIDDEN_ACTION');
+    expect(record.detail).toContain('forbidden');
+    expect(record.warrantId).toBeTruthy();
+  });
+
+  // ── Multi-Agent Isolation ──
+
+  it('should isolate warrants between agents', async () => {
+    await engine.issueWarrant('agent-a', {
+      allowedActions: ['read'],
+      forbiddenActions: ['write'],
+      ttlMs: 60_000,
+    });
+
+    await engine.issueWarrant('agent-b', {
+      allowedActions: ['write'],
+      forbiddenActions: ['read'],
+      ttlMs: 60_000,
+    });
+
+    // agent-a can read but not write
+    expect((await engine.executeAction('agent-a', 'read', {})).executed).toBe(true);
+    expect((await engine.executeAction('agent-a', 'write', {})).executed).toBe(false);
+
+    // agent-b can write but not read
+    expect((await engine.executeAction('agent-b', 'write', {})).executed).toBe(true);
+    expect((await engine.executeAction('agent-b', 'read', {})).executed).toBe(false);
+  });
+
+  // ── Full Lifecycle ──
+
+  it('should support the full lifecycle: issue → execute → deny → revoke → audit', async () => {
+    // Issue
+    await engine.issueWarrant('lifecycle-agent', {
+      allowedActions: ['query-database', 'read-file'],
+      forbiddenActions: ['delete-database'],
+      ttlMs: 60_000,
+    });
+
+    // Execute authorized
+    const authorized = await engine.executeAction('lifecycle-agent', 'query-database', {
+      table: 'users',
+      limit: 100,
+    });
+    expect(authorized.executed).toBe(true);
+    expect(authorized.verified).toBe(true);
+
+    // Deny forbidden
+    const denied = await engine.executeAction('lifecycle-agent', 'delete-database', {
+      target: 'users',
+    });
+    expect(denied.executed).toBe(false);
+    expect(denied.violation!.type).toBe('FORBIDDEN_ACTION');
+
+    // Revoke
+    engine.revokeWarrant('lifecycle-agent');
+
+    // Deny after revocation
+    const postRevoke = await engine.executeAction('lifecycle-agent', 'read-file', {});
+    expect(postRevoke.executed).toBe(false);
+    expect(postRevoke.violation!.type).toBe('WARRANT_REVOKED');
+
+    // Audit
+    const audit = engine.getAuditSummary();
+    expect(audit.authorized).toBe(1);
+    expect(audit.denied).toBe(2);
+    expect(audit.total).toBe(3);
+  });
+
+  // ── Warrant checks happen BEFORE execution ──
+
+  it('should check warrant before creating commitment (no partial attestation on denial)', async () => {
+    // No warrant — should not create any commitment
+    const result = await engine.executeAction('no-warrant-agent', 'read', {});
+
+    expect(result.executed).toBe(false);
+    expect(result.commitment).toBeUndefined();
+    expect(result.verified).toBeUndefined();
+
+    // Audit should have zero attested actions
+    const audit = engine.getAuditSummary();
+    expect(audit.authorized).toBe(0);
+  });
+
+  // ── Revoking nonexistent warrant is safe ──
+
+  it('should handle revoking a warrant that does not exist', () => {
+    // Should not throw
+    expect(() => engine.revokeWarrant('nonexistent-agent')).not.toThrow();
+  });
+
+  // ── Audit starts empty ──
+
+  it('should return empty audit summary when no actions have been taken', () => {
+    const audit = engine.getAuditSummary();
+    expect(audit.total).toBe(0);
+    expect(audit.authorized).toBe(0);
+    expect(audit.denied).toBe(0);
+    expect(audit.log).toHaveLength(0);
+  });
+});