npm - @longarc/mdash - Versions diffs - 3.1.2 → 3.1.3 - Mend

@longarc/mdash 3.1.2 → 3.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (172) hide show

package/README.md +86 -23
package/SECURITY.md +254 -0
package/dist/accountability/engine.d.ts +27 -0
package/dist/accountability/engine.d.ts.map +1 -0
package/dist/accountability/engine.js +148 -0
package/dist/accountability/engine.js.map +1 -0
package/dist/accountability/types.d.ts +46 -0
package/dist/accountability/types.d.ts.map +1 -0
package/dist/accountability/types.js +8 -0
package/dist/accountability/types.js.map +1 -0
package/dist/checkpoint/engine.d.ts.map +1 -1
package/dist/checkpoint/engine.js +4 -0
package/dist/checkpoint/engine.js.map +1 -1
package/dist/context/compose.d.ts +62 -0
package/dist/context/compose.d.ts.map +1 -0
package/dist/context/compose.js +286 -0
package/dist/context/compose.js.map +1 -0
package/dist/context/crypto/hash.d.ts +100 -0
package/dist/context/crypto/hash.d.ts.map +1 -0
package/dist/context/crypto/hash.js +248 -0
package/dist/context/crypto/hash.js.map +1 -0
package/dist/context/crypto/hmac.d.ts +80 -0
package/dist/context/crypto/hmac.d.ts.map +1 -0
package/dist/context/crypto/hmac.js +192 -0
package/dist/context/crypto/hmac.js.map +1 -0
package/dist/context/crypto/index.d.ts +7 -0
package/dist/context/crypto/index.d.ts.map +1 -0
package/dist/context/crypto/index.js +7 -0
package/dist/context/crypto/index.js.map +1 -0
package/dist/context/engine-v3.0-backup.d.ts +197 -0
package/dist/context/engine-v3.0-backup.d.ts.map +1 -0
package/dist/context/engine-v3.0-backup.js +392 -0
package/dist/context/engine-v3.0-backup.js.map +1 -0
package/dist/context/fragment.d.ts +99 -0
package/dist/context/fragment.d.ts.map +1 -0
package/dist/context/fragment.js +316 -0
package/dist/context/fragment.js.map +1 -0
package/dist/context/index.d.ts +99 -0
package/dist/context/index.d.ts.map +1 -0
package/dist/context/index.js +180 -0
package/dist/context/index.js.map +1 -0
package/dist/context/provenance.d.ts +80 -0
package/dist/context/provenance.d.ts.map +1 -0
package/dist/context/provenance.js +294 -0
package/dist/context/provenance.js.map +1 -0
package/dist/context/resolve.d.ts +106 -0
package/dist/context/resolve.d.ts.map +1 -0
package/dist/context/resolve.js +440 -0
package/dist/context/resolve.js.map +1 -0
package/dist/context/store.d.ts +156 -0
package/dist/context/store.d.ts.map +1 -0
package/dist/context/store.js +396 -0
package/dist/context/store.js.map +1 -0
package/dist/context/types.d.ts +463 -0
package/dist/context/types.d.ts.map +1 -0
package/dist/context/types.js +94 -0
package/dist/context/types.js.map +1 -0
package/dist/context/utils/atomic.d.ts +76 -0
package/dist/context/utils/atomic.d.ts.map +1 -0
package/dist/context/utils/atomic.js +159 -0
package/dist/context/utils/atomic.js.map +1 -0
package/dist/context/utils/credit.d.ts +65 -0
package/dist/context/utils/credit.d.ts.map +1 -0
package/dist/context/utils/credit.js +164 -0
package/dist/context/utils/credit.js.map +1 -0
package/dist/context/utils/index.d.ts +13 -0
package/dist/context/utils/index.d.ts.map +1 -0
package/dist/context/utils/index.js +13 -0
package/dist/context/utils/index.js.map +1 -0
package/dist/context/utils/utility.d.ts +63 -0
package/dist/context/utils/utility.d.ts.map +1 -0
package/dist/context/utils/utility.js +141 -0
package/dist/context/utils/utility.js.map +1 -0
package/dist/core/commitment.d.ts +25 -2
package/dist/core/commitment.d.ts.map +1 -1
package/dist/core/commitment.js +44 -6
package/dist/core/commitment.js.map +1 -1
package/dist/core/crypto.d.ts +2 -0
package/dist/core/crypto.d.ts.map +1 -1
package/dist/core/crypto.js +12 -0
package/dist/core/crypto.js.map +1 -1
package/dist/index.d.ts +11 -6
package/dist/index.d.ts.map +1 -1
package/dist/index.js +35 -10
package/dist/index.js.map +1 -1
package/dist/mcca/engine.d.ts.map +1 -1
package/dist/mcca/engine.js +5 -4
package/dist/mcca/engine.js.map +1 -1
package/dist/physics/engine.d.ts +1 -0
package/dist/physics/engine.d.ts.map +1 -1
package/dist/physics/engine.js +36 -2
package/dist/physics/engine.js.map +1 -1
package/dist/provenance/api-handler.d.ts +45 -0
package/dist/provenance/api-handler.d.ts.map +1 -0
package/dist/provenance/api-handler.js +223 -0
package/dist/provenance/api-handler.js.map +1 -0
package/dist/provenance/api-types.d.ts +108 -0
package/dist/provenance/api-types.d.ts.map +1 -0
package/dist/provenance/api-types.js +9 -0
package/dist/provenance/api-types.js.map +1 -0
package/dist/provenance/index.d.ts +6 -0
package/dist/provenance/index.d.ts.map +1 -0
package/dist/provenance/index.js +3 -0
package/dist/provenance/index.js.map +1 -0
package/dist/provenance/provenance-engine.d.ts +63 -0
package/dist/provenance/provenance-engine.d.ts.map +1 -0
package/dist/provenance/provenance-engine.js +311 -0
package/dist/provenance/provenance-engine.js.map +1 -0
package/dist/provenance/types.d.ts +193 -0
package/dist/provenance/types.d.ts.map +1 -0
package/dist/provenance/types.js +9 -0
package/dist/provenance/types.js.map +1 -0
package/dist/tee/engine.d.ts.map +1 -1
package/dist/tee/engine.js +14 -0
package/dist/tee/engine.js.map +1 -1
package/dist/warrant/engine.d.ts +24 -1
package/dist/warrant/engine.d.ts.map +1 -1
package/dist/warrant/engine.js +76 -1
package/dist/warrant/engine.js.map +1 -1
package/dist/zk/engine.d.ts.map +1 -1
package/dist/zk/engine.js +7 -4
package/dist/zk/engine.js.map +1 -1
package/docs/SECURITY-PATCHES.md +170 -0
package/package.json +17 -5
package/src/__tests__/accountability.test.ts +308 -0
package/src/__tests__/l1-verification-modes.test.ts +424 -0
package/src/__tests__/phase1.benchmark.test.ts +94 -0
package/src/__tests__/phase1.test.ts +0 -77
package/src/__tests__/phase2-4.benchmark.test.ts +60 -0
package/src/__tests__/phase2-4.test.ts +1 -52
package/src/__tests__/provenance/api-handler.test.ts +356 -0
package/src/__tests__/provenance/provenance-engine.test.ts +628 -0
package/src/__tests__/sa-2026-008.test.ts +45 -0
package/src/__tests__/sa-2026-009.test.ts +86 -0
package/src/__tests__/sa-2026-010.test.ts +72 -0
package/src/__tests__/sa-2026-012.test.ts +65 -0
package/src/__tests__/sa-2026-nfc.test.ts +40 -0
package/src/__tests__/security.test.ts +786 -0
package/src/accountability/engine.ts +230 -0
package/src/accountability/types.ts +58 -0
package/src/checkpoint/engine.ts +4 -0
package/src/context/__tests__/caret-v0.2.0.test.ts +860 -0
package/src/context/__tests__/integration.test.ts +356 -0
package/src/context/compose.ts +388 -0
package/src/context/crypto/hash.ts +277 -0
package/src/context/crypto/hmac.ts +253 -0
package/src/context/crypto/index.ts +29 -0
package/src/context/engine-v3.0-backup.ts +598 -0
package/src/context/fragment.ts +454 -0
package/src/context/index.ts +427 -0
package/src/context/provenance.ts +380 -0
package/src/context/resolve.ts +581 -0
package/src/context/store.ts +503 -0
package/src/context/types.ts +679 -0
package/src/context/utils/atomic.ts +207 -0
package/src/context/utils/credit.ts +224 -0
package/src/context/utils/index.ts +13 -0
package/src/context/utils/utility.ts +200 -0
package/src/core/commitment.ts +129 -67
package/src/core/crypto.ts +13 -0
package/src/index.ts +62 -10
package/src/mcca/engine.ts +5 -4
package/src/physics/engine.ts +40 -3
package/src/provenance/api-handler.ts +248 -0
package/src/provenance/api-types.ts +112 -0
package/src/provenance/index.ts +19 -0
package/src/provenance/provenance-engine.ts +387 -0
package/src/provenance/types.ts +211 -0
package/src/tee/engine.ts +16 -0
package/src/warrant/engine.ts +89 -1
package/src/zk/engine.ts +8 -4
package/tsconfig.json +1 -1

package/src/__tests__/accountability.test.ts ADDED Viewed

@@ -0,0 +1,308 @@
+/**
+ * AccountabilityEngine Test Suite
+ *
+ * Full lifecycle: issue warrant → check action → commit attestation → verify
+ */
+import { describe, it, expect, beforeEach } from 'vitest';
+import { AccountabilityEngine } from '../accountability/engine.js';
+import type { WarrantPermissions } from '../accountability/types.js';
+const SEAL_KEY = 'test-seal-key-minimum-32-characters-long';
+const DEFAULT_PERMISSIONS: WarrantPermissions = {
+  allowedActions: ['read', 'write', 'query'],
+  forbiddenActions: ['delete', 'drop-table'],
+  ttlMs: 60_000,
+};
+describe('AccountabilityEngine', () => {
+  let engine: AccountabilityEngine;
+  beforeEach(async () => {
+    engine = new AccountabilityEngine();
+    await engine.initialize(SEAL_KEY);
+  });
+  // ── Authorization ──
+  it('should execute authorized actions with cryptographic attestation', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+    const result = await engine.executeAction('agent-1', 'read', { file: 'data.csv' });
+    expect(result.executed).toBe(true);
+    expect(result.commitment).toBeDefined();
+    expect(result.commitment!.content_hash).toBeTruthy();
+    expect(result.commitment!.seal).toBeTruthy();
+    expect(result.verified).toBe(true);
+    expect(result.violation).toBeUndefined();
+  });
+  it('should verify commitment seals are cryptographically valid', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+    const result = await engine.executeAction('agent-1', 'read', {});
+    const valid = await engine.verifyCommitment(result.commitment!);
+    expect(valid).toBe(true);
+  });
+  it('should handle multiple authorized actions with distinct commitments', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+    const r1 = await engine.executeAction('agent-1', 'read', { id: 1 });
+    const r2 = await engine.executeAction('agent-1', 'write', { id: 2 });
+    const r3 = await engine.executeAction('agent-1', 'query', { sql: 'SELECT 1' });
+    expect(r1.executed).toBe(true);
+    expect(r2.executed).toBe(true);
+    expect(r3.executed).toBe(true);
+    // Each gets a unique commitment
+    expect(r1.commitment!.id).not.toBe(r2.commitment!.id);
+    expect(r2.commitment!.id).not.toBe(r3.commitment!.id);
+  });
+  // ── Denial: Forbidden Actions ──
+  it('should deny forbidden actions with typed violation', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+    const result = await engine.executeAction('agent-1', 'delete', { target: 'users' });
+    expect(result.executed).toBe(false);
+    expect(result.violation).toBeDefined();
+    expect(result.violation!.type).toBe('FORBIDDEN_ACTION');
+    expect(result.violation!.agentId).toBe('agent-1');
+    expect(result.violation!.action).toBe('delete');
+    expect(result.commitment).toBeUndefined();
+  });
+  it('should deny forbidden actions even if also in allowed list', async () => {
+    // Forbidden takes precedence
+    await engine.issueWarrant('agent-1', {
+      allowedActions: ['delete'],
+      forbiddenActions: ['delete'],
+      ttlMs: 60_000,
+    });
+    const result = await engine.executeAction('agent-1', 'delete', {});
+    expect(result.executed).toBe(false);
+    expect(result.violation!.type).toBe('FORBIDDEN_ACTION');
+  });
+  // ── Denial: Unauthorized Actions ──
+  it('should deny actions not in the allowed list', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+    const result = await engine.executeAction('agent-1', 'execute-shell', { cmd: 'rm -rf /' });
+    expect(result.executed).toBe(false);
+    expect(result.violation!.type).toBe('UNAUTHORIZED_ACTION');
+  });
+  // ── Denial: No Warrant ──
+  it('should deny actions from agents with no warrant', async () => {
+    const result = await engine.executeAction('unknown-agent', 'read', {});
+    expect(result.executed).toBe(false);
+    expect(result.violation!.type).toBe('NO_WARRANT');
+    expect(result.violation!.agentId).toBe('unknown-agent');
+  });
+  // ── Denial: Expired Warrants ──
+  it('should deny actions when warrant has expired', async () => {
+    await engine.issueWarrant('agent-1', {
+      allowedActions: ['read'],
+      forbiddenActions: [],
+      ttlMs: 1, // 1ms TTL — will expire immediately
+    });
+    // Wait for expiry
+    await new Promise(resolve => setTimeout(resolve, 10));
+    const result = await engine.executeAction('agent-1', 'read', {});
+    expect(result.executed).toBe(false);
+    expect(result.violation!.type).toBe('WARRANT_EXPIRED');
+  });
+  // ── Denial: Revoked Warrants ──
+  it('should deny actions after warrant revocation', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+    // Authorized before revocation
+    const before = await engine.executeAction('agent-1', 'read', {});
+    expect(before.executed).toBe(true);
+    engine.revokeWarrant('agent-1');
+    const after = await engine.executeAction('agent-1', 'read', {});
+    expect(after.executed).toBe(false);
+    expect(after.violation!.type).toBe('WARRANT_REVOKED');
+  });
+  // ── Denial: Execution Limit ──
+  it('should deny actions when execution limit is reached', async () => {
+    await engine.issueWarrant('agent-1', {
+      allowedActions: ['read'],
+      forbiddenActions: [],
+      ttlMs: 60_000,
+      maxExecutions: 2,
+    });
+    const r1 = await engine.executeAction('agent-1', 'read', { n: 1 });
+    const r2 = await engine.executeAction('agent-1', 'read', { n: 2 });
+    const r3 = await engine.executeAction('agent-1', 'read', { n: 3 });
+    expect(r1.executed).toBe(true);
+    expect(r2.executed).toBe(true);
+    expect(r3.executed).toBe(false);
+    expect(r3.violation!.type).toBe('EXECUTION_LIMIT_REACHED');
+  });
+  // ── Audit Trail ──
+  it('should produce correct audit summary', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+    await engine.executeAction('agent-1', 'read', {});
+    await engine.executeAction('agent-1', 'write', {});
+    await engine.executeAction('agent-1', 'delete', {});
+    await engine.executeAction('agent-1', 'execute-shell', {});
+    const audit = engine.getAuditSummary();
+    expect(audit.total).toBe(4);
+    expect(audit.authorized).toBe(2);
+    expect(audit.denied).toBe(2);
+    expect(audit.log).toHaveLength(4);
+  });
+  it('should include commit details in audit records for attested actions', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+    await engine.executeAction('agent-1', 'read', { file: 'test.txt' });
+    const audit = engine.getAuditSummary();
+    const record = audit.log[0]!;
+    expect(record.type).toBe('ATTESTED_ACTION');
+    expect(record.commitId).toBeTruthy();
+    expect(record.contentHash).toBeTruthy();
+    expect(record.verified).toBe(true);
+    expect(record.warrantId).toBeTruthy();
+  });
+  it('should include violation details in audit records for denied actions', async () => {
+    await engine.issueWarrant('agent-1', DEFAULT_PERMISSIONS);
+    await engine.executeAction('agent-1', 'delete', {});
+    const audit = engine.getAuditSummary();
+    const record = audit.log[0]!;
+    expect(record.type).toBe('FORBIDDEN_ACTION');
+    expect(record.detail).toContain('forbidden');
+    expect(record.warrantId).toBeTruthy();
+  });
+  // ── Multi-Agent Isolation ──
+  it('should isolate warrants between agents', async () => {
+    await engine.issueWarrant('agent-a', {
+      allowedActions: ['read'],
+      forbiddenActions: ['write'],
+      ttlMs: 60_000,
+    });
+    await engine.issueWarrant('agent-b', {
+      allowedActions: ['write'],
+      forbiddenActions: ['read'],
+      ttlMs: 60_000,
+    });
+    // agent-a can read but not write
+    expect((await engine.executeAction('agent-a', 'read', {})).executed).toBe(true);
+    expect((await engine.executeAction('agent-a', 'write', {})).executed).toBe(false);
+    // agent-b can write but not read
+    expect((await engine.executeAction('agent-b', 'write', {})).executed).toBe(true);
+    expect((await engine.executeAction('agent-b', 'read', {})).executed).toBe(false);
+  });
+  // ── Full Lifecycle ──
+  it('should support the full lifecycle: issue → execute → deny → revoke → audit', async () => {
+    // Issue
+    await engine.issueWarrant('lifecycle-agent', {
+      allowedActions: ['query-database', 'read-file'],
+      forbiddenActions: ['delete-database'],
+      ttlMs: 60_000,
+    });
+    // Execute authorized
+    const authorized = await engine.executeAction('lifecycle-agent', 'query-database', {
+      table: 'users',
+      limit: 100,
+    });
+    expect(authorized.executed).toBe(true);
+    expect(authorized.verified).toBe(true);
+    // Deny forbidden
+    const denied = await engine.executeAction('lifecycle-agent', 'delete-database', {
+      target: 'users',
+    });
+    expect(denied.executed).toBe(false);
+    expect(denied.violation!.type).toBe('FORBIDDEN_ACTION');
+    // Revoke
+    engine.revokeWarrant('lifecycle-agent');
+    // Deny after revocation
+    const postRevoke = await engine.executeAction('lifecycle-agent', 'read-file', {});
+    expect(postRevoke.executed).toBe(false);
+    expect(postRevoke.violation!.type).toBe('WARRANT_REVOKED');
+    // Audit
+    const audit = engine.getAuditSummary();
+    expect(audit.authorized).toBe(1);
+    expect(audit.denied).toBe(2);
+    expect(audit.total).toBe(3);
+  });
+  // ── Warrant checks happen BEFORE execution ──
+  it('should check warrant before creating commitment (no partial attestation on denial)', async () => {
+    // No warrant — should not create any commitment
+    const result = await engine.executeAction('no-warrant-agent', 'read', {});
+    expect(result.executed).toBe(false);
+    expect(result.commitment).toBeUndefined();
+    expect(result.verified).toBeUndefined();
+    // Audit should have zero attested actions
+    const audit = engine.getAuditSummary();
+    expect(audit.authorized).toBe(0);
+  });
+  // ── Revoking nonexistent warrant is safe ──
+  it('should handle revoking a warrant that does not exist', () => {
+    // Should not throw
+    expect(() => engine.revokeWarrant('nonexistent-agent')).not.toThrow();
+  });
+  // ── Audit starts empty ──
+  it('should return empty audit summary when no actions have been taken', () => {
+    const audit = engine.getAuditSummary();
+    expect(audit.total).toBe(0);
+    expect(audit.authorized).toBe(0);
+    expect(audit.denied).toBe(0);
+    expect(audit.log).toHaveLength(0);
+  });
+});