npm - @longarc/mdash - Versions diffs - 3.1.1 → 3.1.3 - Mend

@longarc/mdash 3.1.1 → 3.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (178) hide show

package/README.md +86 -23
package/SECURITY.md +254 -0
package/dist/accountability/engine.d.ts +27 -0
package/dist/accountability/engine.d.ts.map +1 -0
package/dist/accountability/engine.js +148 -0
package/dist/accountability/engine.js.map +1 -0
package/dist/accountability/types.d.ts +46 -0
package/dist/accountability/types.d.ts.map +1 -0
package/dist/accountability/types.js +8 -0
package/dist/accountability/types.js.map +1 -0
package/dist/checkpoint/engine.d.ts +2 -2
package/dist/checkpoint/engine.d.ts.map +1 -1
package/dist/checkpoint/engine.js +5 -1
package/dist/checkpoint/engine.js.map +1 -1
package/dist/context/compose.d.ts +62 -0
package/dist/context/compose.d.ts.map +1 -0
package/dist/context/compose.js +286 -0
package/dist/context/compose.js.map +1 -0
package/dist/context/crypto/hash.d.ts +100 -0
package/dist/context/crypto/hash.d.ts.map +1 -0
package/dist/context/crypto/hash.js +248 -0
package/dist/context/crypto/hash.js.map +1 -0
package/dist/context/crypto/hmac.d.ts +80 -0
package/dist/context/crypto/hmac.d.ts.map +1 -0
package/dist/context/crypto/hmac.js +192 -0
package/dist/context/crypto/hmac.js.map +1 -0
package/dist/context/crypto/index.d.ts +7 -0
package/dist/context/crypto/index.d.ts.map +1 -0
package/dist/context/crypto/index.js +7 -0
package/dist/context/crypto/index.js.map +1 -0
package/dist/context/engine-v3.0-backup.d.ts +197 -0
package/dist/context/engine-v3.0-backup.d.ts.map +1 -0
package/dist/context/engine-v3.0-backup.js +392 -0
package/dist/context/engine-v3.0-backup.js.map +1 -0
package/dist/context/engine.d.ts +2 -2
package/dist/context/engine.d.ts.map +1 -1
package/dist/context/engine.js +2 -2
package/dist/context/engine.js.map +1 -1
package/dist/context/fragment.d.ts +99 -0
package/dist/context/fragment.d.ts.map +1 -0
package/dist/context/fragment.js +316 -0
package/dist/context/fragment.js.map +1 -0
package/dist/context/index.d.ts +99 -0
package/dist/context/index.d.ts.map +1 -0
package/dist/context/index.js +180 -0
package/dist/context/index.js.map +1 -0
package/dist/context/provenance.d.ts +80 -0
package/dist/context/provenance.d.ts.map +1 -0
package/dist/context/provenance.js +294 -0
package/dist/context/provenance.js.map +1 -0
package/dist/context/resolve.d.ts +106 -0
package/dist/context/resolve.d.ts.map +1 -0
package/dist/context/resolve.js +440 -0
package/dist/context/resolve.js.map +1 -0
package/dist/context/store.d.ts +156 -0
package/dist/context/store.d.ts.map +1 -0
package/dist/context/store.js +396 -0
package/dist/context/store.js.map +1 -0
package/dist/context/types.d.ts +463 -0
package/dist/context/types.d.ts.map +1 -0
package/dist/context/types.js +94 -0
package/dist/context/types.js.map +1 -0
package/dist/context/utils/atomic.d.ts +76 -0
package/dist/context/utils/atomic.d.ts.map +1 -0
package/dist/context/utils/atomic.js +159 -0
package/dist/context/utils/atomic.js.map +1 -0
package/dist/context/utils/credit.d.ts +65 -0
package/dist/context/utils/credit.d.ts.map +1 -0
package/dist/context/utils/credit.js +164 -0
package/dist/context/utils/credit.js.map +1 -0
package/dist/context/utils/index.d.ts +13 -0
package/dist/context/utils/index.d.ts.map +1 -0
package/dist/context/utils/index.js +13 -0
package/dist/context/utils/index.js.map +1 -0
package/dist/context/utils/utility.d.ts +63 -0
package/dist/context/utils/utility.d.ts.map +1 -0
package/dist/context/utils/utility.js +141 -0
package/dist/context/utils/utility.js.map +1 -0
package/dist/core/commitment.d.ts +26 -3
package/dist/core/commitment.d.ts.map +1 -1
package/dist/core/commitment.js +45 -7
package/dist/core/commitment.js.map +1 -1
package/dist/core/crypto.d.ts +2 -0
package/dist/core/crypto.d.ts.map +1 -1
package/dist/core/crypto.js +12 -0
package/dist/core/crypto.js.map +1 -1
package/dist/index.d.ts +11 -6
package/dist/index.d.ts.map +1 -1
package/dist/index.js +35 -10
package/dist/index.js.map +1 -1
package/dist/mcca/engine.d.ts.map +1 -1
package/dist/mcca/engine.js +5 -4
package/dist/mcca/engine.js.map +1 -1
package/dist/physics/engine.d.ts +3 -2
package/dist/physics/engine.d.ts.map +1 -1
package/dist/physics/engine.js +37 -3
package/dist/physics/engine.js.map +1 -1
package/dist/provenance/api-handler.d.ts +45 -0
package/dist/provenance/api-handler.d.ts.map +1 -0
package/dist/provenance/api-handler.js +223 -0
package/dist/provenance/api-handler.js.map +1 -0
package/dist/provenance/api-types.d.ts +108 -0
package/dist/provenance/api-types.d.ts.map +1 -0
package/dist/provenance/api-types.js +9 -0
package/dist/provenance/api-types.js.map +1 -0
package/dist/provenance/index.d.ts +6 -0
package/dist/provenance/index.d.ts.map +1 -0
package/dist/provenance/index.js +3 -0
package/dist/provenance/index.js.map +1 -0
package/dist/provenance/provenance-engine.d.ts +63 -0
package/dist/provenance/provenance-engine.d.ts.map +1 -0
package/dist/provenance/provenance-engine.js +311 -0
package/dist/provenance/provenance-engine.js.map +1 -0
package/dist/provenance/types.d.ts +193 -0
package/dist/provenance/types.d.ts.map +1 -0
package/dist/provenance/types.js +9 -0
package/dist/provenance/types.js.map +1 -0
package/dist/tee/engine.d.ts.map +1 -1
package/dist/tee/engine.js +14 -0
package/dist/tee/engine.js.map +1 -1
package/dist/warrant/engine.d.ts +24 -1
package/dist/warrant/engine.d.ts.map +1 -1
package/dist/warrant/engine.js +76 -1
package/dist/warrant/engine.js.map +1 -1
package/dist/zk/engine.d.ts.map +1 -1
package/dist/zk/engine.js +7 -4
package/dist/zk/engine.js.map +1 -1
package/docs/SECURITY-PATCHES.md +170 -0
package/package.json +17 -5
package/src/__tests__/accountability.test.ts +308 -0
package/src/__tests__/l1-verification-modes.test.ts +424 -0
package/src/__tests__/phase1.benchmark.test.ts +94 -0
package/src/__tests__/phase1.test.ts +0 -77
package/src/__tests__/phase2-4.benchmark.test.ts +60 -0
package/src/__tests__/phase2-4.test.ts +1 -52
package/src/__tests__/provenance/api-handler.test.ts +356 -0
package/src/__tests__/provenance/provenance-engine.test.ts +628 -0
package/src/__tests__/sa-2026-008.test.ts +45 -0
package/src/__tests__/sa-2026-009.test.ts +86 -0
package/src/__tests__/sa-2026-010.test.ts +72 -0
package/src/__tests__/sa-2026-012.test.ts +65 -0
package/src/__tests__/sa-2026-nfc.test.ts +40 -0
package/src/__tests__/security.test.ts +786 -0
package/src/accountability/engine.ts +230 -0
package/src/accountability/types.ts +58 -0
package/src/checkpoint/engine.ts +6 -2
package/src/context/__tests__/caret-v0.2.0.test.ts +860 -0
package/src/context/__tests__/integration.test.ts +356 -0
package/src/context/compose.ts +388 -0
package/src/context/crypto/hash.ts +277 -0
package/src/context/crypto/hmac.ts +253 -0
package/src/context/crypto/index.ts +29 -0
package/src/context/engine-v3.0-backup.ts +598 -0
package/src/context/engine.ts +2 -2
package/src/context/fragment.ts +454 -0
package/src/context/index.ts +427 -0
package/src/context/provenance.ts +380 -0
package/src/context/resolve.ts +581 -0
package/src/context/store.ts +503 -0
package/src/context/types.ts +679 -0
package/src/context/utils/atomic.ts +207 -0
package/src/context/utils/credit.ts +224 -0
package/src/context/utils/index.ts +13 -0
package/src/context/utils/utility.ts +200 -0
package/src/core/commitment.ts +130 -68
package/src/core/crypto.ts +13 -0
package/src/index.ts +62 -10
package/src/mcca/engine.ts +5 -4
package/src/physics/engine.ts +42 -5
package/src/provenance/api-handler.ts +248 -0
package/src/provenance/api-types.ts +112 -0
package/src/provenance/index.ts +19 -0
package/src/provenance/provenance-engine.ts +387 -0
package/src/provenance/types.ts +211 -0
package/src/tee/engine.ts +16 -0
package/src/warrant/engine.ts +89 -1
package/src/zk/engine.ts +8 -4
package/tsconfig.json +1 -1

package/src/warrant/engine.ts CHANGED Viewed

@@ -19,6 +19,7 @@ import {
   generateTimestamp,
   sha256Object,
   hmacSeal,
+  hmacVerify,
   deriveKey,
 } from '../core/crypto.js';
@@ -65,7 +66,7 @@ export interface Warrant {
   policy_id: string;
   /** Current state */
   state: WarrantState;
-  /** Accountability tier */
+  /** Liability tier */
   tier: WarrantTier;
   /** Operational constraints */
   constraints: WarrantConstraints;
@@ -125,10 +126,18 @@ export class WarrantCache {
   private cache: Map<WarrantId, CacheEntry> = new Map();
   private speculative: Map<string, WarrantId[]> = new Map(); // agent_id -> warrant_ids
   private revocations: Set<WarrantId> = new Set();
+  private verifyKey: CryptoKey | null = null;
   private readonly DEFAULT_TTL = 5 * 60 * 1000; // 5 minutes
   private readonly SPECULATIVE_TTL = 60 * 1000; // 60 seconds (WARRANT-INV-001)
+  /**
+   * P2 SECURITY: Set verification key for seal checks on retrieval
+   */
+  setVerificationKey(key: CryptoKey): void {
+    this.verifyKey = key;
+  }
   /**
    * Store a warrant in cache
    */
@@ -175,6 +184,45 @@ export class WarrantCache {
     return entry.warrant;
   }
+  /**
+   * P2 SECURITY: Get warrant with seal verification
+   * Use for security-critical operations to prevent cache poisoning
+   */
+  async getVerified(id: WarrantId): Promise<Warrant | SpeculativeWarrant | null> {
+    const warrant = this.get(id);
+    if (!warrant) return null;
+    // If no verification key set, fall back to unverified (log warning)
+    if (!this.verifyKey) {
+      console.warn('WarrantCache.getVerified called without verification key');
+      return warrant;
+    }
+    // Verify seal integrity
+    const warrantData = {
+      _v: 1,
+      id: warrant.id,
+      agent_id: warrant.agent_id,
+      policy_id: warrant.policy_id,
+      state: warrant.state === 'SPECULATIVE' ? 'SPECULATIVE' : warrant.state,
+      tier: warrant.tier,
+      constraints: warrant.constraints,
+      created_at: warrant.created_at,
+      expires_at: warrant.expires_at,
+      issued_by: warrant.issued_by,
+    };
+    const isValid = await hmacVerify(warrantData, warrant.seal, this.verifyKey);
+    if (!isValid) {
+      // P2 SECURITY: Cache poisoning detected - remove and return null
+      console.error(`SECURITY: Warrant seal verification failed for ${id}`);
+      this.cache.delete(id);
+      return null;
+    }
+    return warrant;
+  }
   /**
    * Get speculative warrants for an agent
    * For pre-staged activation
@@ -261,6 +309,11 @@ export class WarrantEngine {
   private eventLog: WarrantEvent[] = [];
   private lastEventHash: Hash | null = null;
+  // P3 SECURITY: Rate limiting for warrant creation
+  private creationRateLimits: Map<string, { count: number; windowStart: number }> = new Map();
+  private readonly CREATION_RATE_LIMIT = 100; // Max warrants per issuer per minute
+  private readonly CREATION_RATE_WINDOW_MS = 60 * 1000;
   constructor(commitmentEngine: CommitmentEngine) {
     this.cache = new WarrantCache();
     this.commitmentEngine = commitmentEngine;
@@ -271,6 +324,8 @@ export class WarrantEngine {
    */
   async initialize(sealKey: string): Promise<void> {
     this.key = await deriveKey(sealKey);
+    // P2 SECURITY: Enable seal verification on cache retrieval
+    this.cache.setVerificationKey(this.key);
   }
   /**
@@ -289,6 +344,9 @@ export class WarrantEngine {
       throw new Error('Engine not initialized. Call initialize() first.');
     }
+    // P3 SECURITY: Rate limit warrant creation per issuer
+    this.checkCreationRateLimit(params.issued_by);
     const startTime = performance.now();
     const id = generateWarrantId();
@@ -545,6 +603,28 @@ export class WarrantEngine {
     return true;
   }
+  /**
+   * P3 SECURITY: Check rate limit for warrant creation
+   * Prevents DoS via cache flooding
+   */
+  private checkCreationRateLimit(issuerId: string): void {
+    const now = Date.now();
+    let limiter = this.creationRateLimits.get(issuerId);
+    // Reset window if expired
+    if (!limiter || now - limiter.windowStart > this.CREATION_RATE_WINDOW_MS) {
+      limiter = { count: 0, windowStart: now };
+    }
+    limiter.count++;
+    this.creationRateLimits.set(issuerId, limiter);
+    if (limiter.count > this.CREATION_RATE_LIMIT) {
+      console.warn(`[WARRANT] Rate limit exceeded for issuer: ${issuerId}`);
+      throw new Error('Warrant creation rate limit exceeded');
+    }
+  }
   /**
    * Log a warrant event with hash chain
    */
@@ -590,6 +670,14 @@ export class WarrantEngine {
     return [...this.eventLog];
   }
+  /**
+   * Check if a warrant has been revoked
+   * P1 SECURITY: Used for TOCTOU protection in execute flow
+   */
+  isRevoked(id: WarrantId): boolean {
+    return this.cache.isRevoked(id);
+  }
   /**
    * Get cache statistics
    */

package/src/zk/engine.ts CHANGED Viewed

@@ -25,6 +25,7 @@ import {
   sha256Object,
   hmacSeal,
   deriveKey,
+  constantTimeEqual,
 } from '../core/crypto.js';
 import { CommitmentEngine, Commitment } from '../core/commitment.js';
@@ -395,7 +396,8 @@ export class ZKProofsEngine {
         verifier: 'mdash-zk-engine-v3',
       };
-      // Re-seal with proof included
+      // Re-seal with proof included (SA-2026-009: zero seal before computing)
+      item.document.seal = '' as Seal;
       item.document.seal = await hmacSeal(item.document, this.key!);
       // Commit to L1
@@ -537,12 +539,14 @@ export class ZKProofsEngine {
       return { valid: false, errors };
     }
-    // 3. Verify seal
+    // 3. Verify seal (SA-2026-009: constant-time comparison closes verification gap)
     const docForSeal = { ...document };
     docForSeal.seal = '' as Seal;
     const expectedSeal = await hmacSeal(docForSeal, this.key);
-    // Note: In production, seal verification would be more robust
+    if (!constantTimeEqual(expectedSeal, document.seal)) {
+      errors.push('Seal verification failed');
+    }
     // 4. Verify proof structure
     if (!document.proof.verifier_key_hash) {
       errors.push('Missing verifier key hash');

package/tsconfig.json CHANGED Viewed

@@ -17,5 +17,5 @@
     "resolveJsonModule": true
   },
   "include": ["src/**/*"],
-  "exclude": ["node_modules", "dist", "src/__tests__"]
+  "exclude": ["node_modules", "dist", "src/**/__tests__"]
 }