npm - @longarc/mdash - Versions diffs - 3.1.1 → 3.1.3 - Mend

@longarc/mdash 3.1.1 → 3.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (178) hide show

package/README.md +86 -23
package/SECURITY.md +254 -0
package/dist/accountability/engine.d.ts +27 -0
package/dist/accountability/engine.d.ts.map +1 -0
package/dist/accountability/engine.js +148 -0
package/dist/accountability/engine.js.map +1 -0
package/dist/accountability/types.d.ts +46 -0
package/dist/accountability/types.d.ts.map +1 -0
package/dist/accountability/types.js +8 -0
package/dist/accountability/types.js.map +1 -0
package/dist/checkpoint/engine.d.ts +2 -2
package/dist/checkpoint/engine.d.ts.map +1 -1
package/dist/checkpoint/engine.js +5 -1
package/dist/checkpoint/engine.js.map +1 -1
package/dist/context/compose.d.ts +62 -0
package/dist/context/compose.d.ts.map +1 -0
package/dist/context/compose.js +286 -0
package/dist/context/compose.js.map +1 -0
package/dist/context/crypto/hash.d.ts +100 -0
package/dist/context/crypto/hash.d.ts.map +1 -0
package/dist/context/crypto/hash.js +248 -0
package/dist/context/crypto/hash.js.map +1 -0
package/dist/context/crypto/hmac.d.ts +80 -0
package/dist/context/crypto/hmac.d.ts.map +1 -0
package/dist/context/crypto/hmac.js +192 -0
package/dist/context/crypto/hmac.js.map +1 -0
package/dist/context/crypto/index.d.ts +7 -0
package/dist/context/crypto/index.d.ts.map +1 -0
package/dist/context/crypto/index.js +7 -0
package/dist/context/crypto/index.js.map +1 -0
package/dist/context/engine-v3.0-backup.d.ts +197 -0
package/dist/context/engine-v3.0-backup.d.ts.map +1 -0
package/dist/context/engine-v3.0-backup.js +392 -0
package/dist/context/engine-v3.0-backup.js.map +1 -0
package/dist/context/engine.d.ts +2 -2
package/dist/context/engine.d.ts.map +1 -1
package/dist/context/engine.js +2 -2
package/dist/context/engine.js.map +1 -1
package/dist/context/fragment.d.ts +99 -0
package/dist/context/fragment.d.ts.map +1 -0
package/dist/context/fragment.js +316 -0
package/dist/context/fragment.js.map +1 -0
package/dist/context/index.d.ts +99 -0
package/dist/context/index.d.ts.map +1 -0
package/dist/context/index.js +180 -0
package/dist/context/index.js.map +1 -0
package/dist/context/provenance.d.ts +80 -0
package/dist/context/provenance.d.ts.map +1 -0
package/dist/context/provenance.js +294 -0
package/dist/context/provenance.js.map +1 -0
package/dist/context/resolve.d.ts +106 -0
package/dist/context/resolve.d.ts.map +1 -0
package/dist/context/resolve.js +440 -0
package/dist/context/resolve.js.map +1 -0
package/dist/context/store.d.ts +156 -0
package/dist/context/store.d.ts.map +1 -0
package/dist/context/store.js +396 -0
package/dist/context/store.js.map +1 -0
package/dist/context/types.d.ts +463 -0
package/dist/context/types.d.ts.map +1 -0
package/dist/context/types.js +94 -0
package/dist/context/types.js.map +1 -0
package/dist/context/utils/atomic.d.ts +76 -0
package/dist/context/utils/atomic.d.ts.map +1 -0
package/dist/context/utils/atomic.js +159 -0
package/dist/context/utils/atomic.js.map +1 -0
package/dist/context/utils/credit.d.ts +65 -0
package/dist/context/utils/credit.d.ts.map +1 -0
package/dist/context/utils/credit.js +164 -0
package/dist/context/utils/credit.js.map +1 -0
package/dist/context/utils/index.d.ts +13 -0
package/dist/context/utils/index.d.ts.map +1 -0
package/dist/context/utils/index.js +13 -0
package/dist/context/utils/index.js.map +1 -0
package/dist/context/utils/utility.d.ts +63 -0
package/dist/context/utils/utility.d.ts.map +1 -0
package/dist/context/utils/utility.js +141 -0
package/dist/context/utils/utility.js.map +1 -0
package/dist/core/commitment.d.ts +26 -3
package/dist/core/commitment.d.ts.map +1 -1
package/dist/core/commitment.js +45 -7
package/dist/core/commitment.js.map +1 -1
package/dist/core/crypto.d.ts +2 -0
package/dist/core/crypto.d.ts.map +1 -1
package/dist/core/crypto.js +12 -0
package/dist/core/crypto.js.map +1 -1
package/dist/index.d.ts +11 -6
package/dist/index.d.ts.map +1 -1
package/dist/index.js +35 -10
package/dist/index.js.map +1 -1
package/dist/mcca/engine.d.ts.map +1 -1
package/dist/mcca/engine.js +5 -4
package/dist/mcca/engine.js.map +1 -1
package/dist/physics/engine.d.ts +3 -2
package/dist/physics/engine.d.ts.map +1 -1
package/dist/physics/engine.js +37 -3
package/dist/physics/engine.js.map +1 -1
package/dist/provenance/api-handler.d.ts +45 -0
package/dist/provenance/api-handler.d.ts.map +1 -0
package/dist/provenance/api-handler.js +223 -0
package/dist/provenance/api-handler.js.map +1 -0
package/dist/provenance/api-types.d.ts +108 -0
package/dist/provenance/api-types.d.ts.map +1 -0
package/dist/provenance/api-types.js +9 -0
package/dist/provenance/api-types.js.map +1 -0
package/dist/provenance/index.d.ts +6 -0
package/dist/provenance/index.d.ts.map +1 -0
package/dist/provenance/index.js +3 -0
package/dist/provenance/index.js.map +1 -0
package/dist/provenance/provenance-engine.d.ts +63 -0
package/dist/provenance/provenance-engine.d.ts.map +1 -0
package/dist/provenance/provenance-engine.js +311 -0
package/dist/provenance/provenance-engine.js.map +1 -0
package/dist/provenance/types.d.ts +193 -0
package/dist/provenance/types.d.ts.map +1 -0
package/dist/provenance/types.js +9 -0
package/dist/provenance/types.js.map +1 -0
package/dist/tee/engine.d.ts.map +1 -1
package/dist/tee/engine.js +14 -0
package/dist/tee/engine.js.map +1 -1
package/dist/warrant/engine.d.ts +24 -1
package/dist/warrant/engine.d.ts.map +1 -1
package/dist/warrant/engine.js +76 -1
package/dist/warrant/engine.js.map +1 -1
package/dist/zk/engine.d.ts.map +1 -1
package/dist/zk/engine.js +7 -4
package/dist/zk/engine.js.map +1 -1
package/docs/SECURITY-PATCHES.md +170 -0
package/package.json +17 -5
package/src/__tests__/accountability.test.ts +308 -0
package/src/__tests__/l1-verification-modes.test.ts +424 -0
package/src/__tests__/phase1.benchmark.test.ts +94 -0
package/src/__tests__/phase1.test.ts +0 -77
package/src/__tests__/phase2-4.benchmark.test.ts +60 -0
package/src/__tests__/phase2-4.test.ts +1 -52
package/src/__tests__/provenance/api-handler.test.ts +356 -0
package/src/__tests__/provenance/provenance-engine.test.ts +628 -0
package/src/__tests__/sa-2026-008.test.ts +45 -0
package/src/__tests__/sa-2026-009.test.ts +86 -0
package/src/__tests__/sa-2026-010.test.ts +72 -0
package/src/__tests__/sa-2026-012.test.ts +65 -0
package/src/__tests__/sa-2026-nfc.test.ts +40 -0
package/src/__tests__/security.test.ts +786 -0
package/src/accountability/engine.ts +230 -0
package/src/accountability/types.ts +58 -0
package/src/checkpoint/engine.ts +6 -2
package/src/context/__tests__/caret-v0.2.0.test.ts +860 -0
package/src/context/__tests__/integration.test.ts +356 -0
package/src/context/compose.ts +388 -0
package/src/context/crypto/hash.ts +277 -0
package/src/context/crypto/hmac.ts +253 -0
package/src/context/crypto/index.ts +29 -0
package/src/context/engine-v3.0-backup.ts +598 -0
package/src/context/engine.ts +2 -2
package/src/context/fragment.ts +454 -0
package/src/context/index.ts +427 -0
package/src/context/provenance.ts +380 -0
package/src/context/resolve.ts +581 -0
package/src/context/store.ts +503 -0
package/src/context/types.ts +679 -0
package/src/context/utils/atomic.ts +207 -0
package/src/context/utils/credit.ts +224 -0
package/src/context/utils/index.ts +13 -0
package/src/context/utils/utility.ts +200 -0
package/src/core/commitment.ts +130 -68
package/src/core/crypto.ts +13 -0
package/src/index.ts +62 -10
package/src/mcca/engine.ts +5 -4
package/src/physics/engine.ts +42 -5
package/src/provenance/api-handler.ts +248 -0
package/src/provenance/api-types.ts +112 -0
package/src/provenance/index.ts +19 -0
package/src/provenance/provenance-engine.ts +387 -0
package/src/provenance/types.ts +211 -0
package/src/tee/engine.ts +16 -0
package/src/warrant/engine.ts +89 -1
package/src/zk/engine.ts +8 -4
package/tsconfig.json +1 -1

package/src/physics/engine.ts CHANGED Viewed

@@ -18,9 +18,9 @@ import {
   hmacSeal,
   deriveKey,
   generateTimestamp,
-} from '../core/crypto';
+} from '../core/crypto.js';
-import { Warrant, WarrantConstraints } from '../warrant/engine';
+import { Warrant, WarrantConstraints } from '../warrant/engine.js';
 // ============================================================================
 // PHYSICS TYPES
@@ -289,6 +289,7 @@ export class PhysicsEngine {
   /**
    * Check a specific constraint
+   * P4 SECURITY: Explicit presence checks prevent trust escalation
    */
   private async checkConstraint(
     constraint: PhysicsConstraint,
@@ -298,8 +299,38 @@ export class PhysicsEngine {
     switch (constraint.type) {
       case 'max_amount': {
         const amount = action.params.amount as number | undefined;
-        const limit = warrantConstraints.maxAmount ?? (constraint.params.limit as number);
+        // SA-2026-011: Explicit NaN and negative rejection
+        // NaN > X is always false in JS, bypassing maxAmount constraints.
+        // Negative amounts have no floor without explicit check.
+        if (amount !== undefined) {
+          if (typeof amount !== 'number' || isNaN(amount)) {
+            return {
+              type: 'amount_exceeded',
+              constraint,
+              message: 'Amount is not a valid number',
+              severity: 'block',
+            };
+          }
+          if (amount < 0) {
+            return {
+              type: 'amount_exceeded',
+              constraint,
+              message: 'Negative amounts are not permitted',
+              severity: 'block',
+            };
+          }
+        }
+        // P4 SECURITY: Explicit presence check - warrant must define maxAmount
+        // or policy default applies. Explicitly passing undefined is NOT the same
+        // as not having the constraint.
+        const hasWarrantLimit = Object.prototype.hasOwnProperty.call(warrantConstraints, 'maxAmount')
+          && warrantConstraints.maxAmount !== undefined;
+        const limit = hasWarrantLimit
+          ? warrantConstraints.maxAmount!
+          : (constraint.params.limit as number);
         if (amount !== undefined && amount > limit) {
           return {
             type: 'amount_exceeded',
@@ -313,7 +344,13 @@ export class PhysicsEngine {
       case 'domain_allowlist': {
         const domain = action.params.domain as string | undefined;
-        const allowed = warrantConstraints.allowedDomains ?? (constraint.params.domains as string[]);
+        // P4 SECURITY: Same pattern - explicit presence check
+        const hasWarrantDomains = Object.prototype.hasOwnProperty.call(warrantConstraints, 'allowedDomains')
+          && warrantConstraints.allowedDomains !== undefined;
+        const allowed = hasWarrantDomains
+          ? warrantConstraints.allowedDomains!
+          : (constraint.params.domains as string[]);
         if (domain && allowed.length > 0 && !allowed.includes(domain)) {
           return {

package/src/provenance/api-handler.ts ADDED Viewed

@@ -0,0 +1,248 @@
+/**
+ * mdash v3.1 - Provenance API Handler
+ *
+ * Wires HTTP request/response types to the ProvenanceEngine.
+ * This is the door: external parties call through here to
+ * attest, verify, and inspect model provenance.
+ */
+import { ProvenanceEngine } from './provenance-engine.js';
+import type {
+  AttestRequest,
+  AttestResponse,
+  VerifyRequest,
+  VerifyResponse,
+  ChainResponse,
+} from './api-types.js';
+export class ProvenanceApiHandler {
+  private engine: ProvenanceEngine;
+  constructor(engine: ProvenanceEngine) {
+    this.engine = engine;
+  }
+  /**
+   * Handle POST /provenance/attest
+   *
+   * Validates the request, creates the identity attestation,
+   * and returns the attestation ID and L1 hash.
+   */
+  async handleAttest(req: AttestRequest): Promise<{ status: number; body: AttestResponse }> {
+    // Validate required fields
+    const missing: string[] = [];
+    if (!req.model?.name) missing.push('model.name');
+    if (!req.model?.version) missing.push('model.version');
+    if (!req.model?.provider) missing.push('model.provider');
+    if (!req.deployment?.environment) missing.push('deployment.environment');
+    if (missing.length > 0) {
+      return {
+        status: 400,
+        body: {
+          attestationId: '',
+          l1Hash: '',
+          timestamp: '',
+          status: 'error',
+          error: `Missing required fields: ${missing.join(', ')}`,
+        },
+      };
+    }
+    // Check for duplicate (409)
+    const existing = this.engine.getIdentity(req.model.name, req.model.version);
+    if (existing) {
+      return {
+        status: 409,
+        body: {
+          attestationId: existing.id,
+          l1Hash: existing.attestation.l1Hash,
+          timestamp: existing.attestation.timestamp,
+          status: 'error',
+          error: `Attestation for ${req.model.name}:${req.model.version} already exists`,
+        },
+      };
+    }
+    try {
+      const constraints = {
+        safetyTier: req.constraints.safetyTier,
+        authorizedDomains: req.constraints.authorizedDomains,
+        excludedDomains: req.constraints.excludedDomains,
+        maxContextWindow: req.constraints.maxContextWindow,
+        reasoningEnabled: req.constraints.reasoningEnabled,
+        custom: req.constraints.custom || {},
+      };
+      const attestation = await this.engine.createIdentityAttestation(
+        req.model,
+        constraints,
+        req.deployment
+      );
+      return {
+        status: 201,
+        body: {
+          attestationId: attestation.id,
+          l1Hash: attestation.attestation.l1Hash,
+          timestamp: attestation.attestation.timestamp,
+          status: 'created',
+        },
+      };
+    } catch (err) {
+      return {
+        status: 500,
+        body: {
+          attestationId: '',
+          l1Hash: '',
+          timestamp: '',
+          status: 'error',
+          error: err instanceof Error ? err.message : 'Internal error',
+        },
+      };
+    }
+  }
+  /**
+   * Handle POST /provenance/verify
+   *
+   * Validates the request, runs provenance verification,
+   * and returns the chain verdict with optional ZK proof.
+   */
+  async handleVerify(req: VerifyRequest): Promise<{ status: number; body: VerifyResponse }> {
+    if (!req.modelName) {
+      return {
+        status: 400,
+        body: {
+          status: 'error',
+          chain: { isComplete: false, confidence: 0, assessment: '', flags: [] },
+          timestamp: '',
+          responseHash: '',
+          error: 'Missing required field: modelName',
+        },
+      };
+    }
+    try {
+      const response = await this.engine.verifyProvenance({
+        queryType: req.queryType || 'full_chain',
+        modelName: req.modelName,
+        modelVersion: req.modelVersion,
+        timeWindow: req.timeWindow,
+        requireHardwareAttestation: req.requireHardwareAttestation || false,
+        generateZkProof: req.generateZkProof || false,
+      });
+      const isVerified = response.chain.verdict.isComplete;
+      const isPartial = !isVerified && response.chain.verdict.confidence > 0;
+      const httpStatus = isVerified ? 200 : (response.chain.verdict.flags.includes('no_identity') ? 404 : 200);
+      let verifyStatus: VerifyResponse['status'];
+      if (isVerified) {
+        verifyStatus = 'verified';
+      } else if (isPartial) {
+        verifyStatus = 'partial';
+      } else {
+        verifyStatus = 'unverified';
+      }
+      return {
+        status: httpStatus,
+        body: {
+          status: verifyStatus,
+          chain: {
+            isComplete: response.chain.verdict.isComplete,
+            confidence: response.chain.verdict.confidence,
+            assessment: response.chain.verdict.assessment,
+            flags: response.chain.verdict.flags,
+          },
+          zkProof: response.zkProof,
+          timestamp: response.timestamp,
+          responseHash: response.responseHash,
+        },
+      };
+    } catch (err) {
+      return {
+        status: 500,
+        body: {
+          status: 'error',
+          chain: { isComplete: false, confidence: 0, assessment: '', flags: [] },
+          timestamp: '',
+          responseHash: '',
+          error: err instanceof Error ? err.message : 'Internal error',
+        },
+      };
+    }
+  }
+  /**
+   * Handle GET /provenance/chain/:modelId
+   *
+   * Retrieves the full provenance chain for a model.
+   * modelId format: "name:version"
+   */
+  async handleGetChain(modelId: string): Promise<{ status: number; body: ChainResponse }> {
+    const [modelName, modelVersion] = modelId.split(':');
+    const chain = this.engine.getChain(modelName, modelVersion);
+    if (!chain) {
+      // Try verifying to build a minimal chain from identity
+      const identity = this.engine.getIdentity(modelName, modelVersion);
+      if (!identity) {
+        return {
+          status: 404,
+          body: {
+            modelId,
+            identity: { name: modelName || '', version: modelVersion || '', provider: '', attestedAt: '', l1Hash: '' },
+            warrants: { total: 0, active: 0, revoked: 0, chainHash: '' },
+            behavior: { totalSessions: 0, totalActions: 0, violations: 0 },
+            verdict: { isComplete: false, confidence: 0, assessment: 'Model not found', flags: ['no_identity'] },
+            chainAttestation: { l1Hash: '', timestamp: '' },
+          },
+        };
+      }
+      // Build minimal chain from identity alone
+      const minimalChain = await this.engine.buildProvenanceChain(identity, [], []);
+      return {
+        status: 200,
+        body: this.mapChainResponse(modelId, minimalChain),
+      };
+    }
+    return {
+      status: 200,
+      body: this.mapChainResponse(modelId, chain),
+    };
+  }
+  private mapChainResponse(
+    modelId: string,
+    chain: import('./types.js').ProvenanceChain
+  ): ChainResponse {
+    return {
+      modelId,
+      identity: {
+        name: chain.identity.model.name,
+        version: chain.identity.model.version,
+        provider: chain.identity.model.provider,
+        attestedAt: chain.identity.attestation.timestamp,
+        l1Hash: chain.identity.attestation.l1Hash,
+      },
+      warrants: {
+        total: chain.warrantHistory.totalWarrants,
+        active: chain.warrantHistory.activeWarrants,
+        revoked: chain.warrantHistory.revokedWarrants,
+        chainHash: chain.warrantHistory.warrantChainHash,
+      },
+      behavior: {
+        totalSessions: chain.behavioralRecord.totalSessions,
+        totalActions: chain.behavioralRecord.totalActions,
+        violations: chain.behavioralRecord.violations,
+        latestDriftScore: chain.behavioralRecord.latestDriftReport?.compositeScore,
+      },
+      verdict: chain.verdict,
+      chainAttestation: chain.chainAttestation,
+    };
+  }
+}

package/src/provenance/api-types.ts ADDED Viewed

@@ -0,0 +1,112 @@
+/**
+ * mdash v3.1 - Provenance API Types
+ *
+ * HTTP request/response types for the provenance API surface.
+ * These types define the contract between external callers
+ * and the ProvenanceEngine.
+ */
+/**
+ * POST /provenance/attest
+ * Called by model providers to register a model's identity.
+ */
+export interface AttestRequest {
+  model: {
+    name: string;
+    version: string;
+    manifestHash?: string;
+    provider: string;
+  };
+  constraints: {
+    safetyTier: string;
+    authorizedDomains: string[];
+    excludedDomains: string[];
+    maxContextWindow: number;
+    reasoningEnabled: boolean;
+    custom?: Record<string, string | number | boolean>;
+  };
+  deployment: {
+    environment: string;
+    region?: string;
+    tenantId?: string;
+  };
+}
+export interface AttestResponse {
+  attestationId: string;
+  l1Hash: string;
+  timestamp: string;
+  status: 'created' | 'error';
+  error?: string;
+}
+/**
+ * POST /provenance/verify
+ * Called by verifiers to check a model's provenance.
+ */
+export interface VerifyRequest {
+  modelName: string;
+  modelVersion?: string;
+  queryType: 'identity' | 'constraints' | 'behavior' | 'full_chain';
+  timeWindow?: {
+    start: string;
+    end: string;
+  };
+  requireHardwareAttestation?: boolean;
+  generateZkProof?: boolean;
+}
+export interface VerifyResponse {
+  status: 'verified' | 'unverified' | 'partial' | 'error';
+  chain: {
+    isComplete: boolean;
+    confidence: number;
+    assessment: string;
+    flags: string[];
+  };
+  zkProof?: {
+    claim: string;
+    proof: string;
+    verificationKey: string;
+  };
+  timestamp: string;
+  responseHash: string;
+  error?: string;
+}
+/**
+ * GET /provenance/chain/:modelId
+ * Called by regulators to retrieve the full provenance chain.
+ */
+export interface ChainResponse {
+  modelId: string;
+  identity: {
+    name: string;
+    version: string;
+    provider: string;
+    attestedAt: string;
+    l1Hash: string;
+  };
+  warrants: {
+    total: number;
+    active: number;
+    revoked: number;
+    chainHash: string;
+  };
+  behavior: {
+    totalSessions: number;
+    totalActions: number;
+    violations: number;
+    latestDriftScore?: number;
+  };
+  verdict: {
+    isComplete: boolean;
+    confidence: number;
+    assessment: string;
+    flags: string[];
+  };
+  chainAttestation: {
+    l1Hash: string;
+    timestamp: string;
+  };
+}

package/src/provenance/index.ts ADDED Viewed

@@ -0,0 +1,19 @@
+export type {
+  ModelIdentityAttestation,
+  ProvenanceChain,
+  ProvenanceQuery,
+  ProvenanceResponse,
+  GlossEntry,
+} from './types.js';
+export { ProvenanceEngine } from './provenance-engine.js';
+export type { DriftReportInput } from './provenance-engine.js';
+export { ProvenanceApiHandler } from './api-handler.js';
+export type {
+  AttestRequest,
+  AttestResponse,
+  VerifyRequest,
+  VerifyResponse,
+  ChainResponse,
+} from './api-types.js';