npm - @longarc/mdash - Versions diffs - 3.1.2 → 3.1.3 - Mend

@longarc/mdash 3.1.2 → 3.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (172) hide show

package/README.md +86 -23
package/SECURITY.md +254 -0
package/dist/accountability/engine.d.ts +27 -0
package/dist/accountability/engine.d.ts.map +1 -0
package/dist/accountability/engine.js +148 -0
package/dist/accountability/engine.js.map +1 -0
package/dist/accountability/types.d.ts +46 -0
package/dist/accountability/types.d.ts.map +1 -0
package/dist/accountability/types.js +8 -0
package/dist/accountability/types.js.map +1 -0
package/dist/checkpoint/engine.d.ts.map +1 -1
package/dist/checkpoint/engine.js +4 -0
package/dist/checkpoint/engine.js.map +1 -1
package/dist/context/compose.d.ts +62 -0
package/dist/context/compose.d.ts.map +1 -0
package/dist/context/compose.js +286 -0
package/dist/context/compose.js.map +1 -0
package/dist/context/crypto/hash.d.ts +100 -0
package/dist/context/crypto/hash.d.ts.map +1 -0
package/dist/context/crypto/hash.js +248 -0
package/dist/context/crypto/hash.js.map +1 -0
package/dist/context/crypto/hmac.d.ts +80 -0
package/dist/context/crypto/hmac.d.ts.map +1 -0
package/dist/context/crypto/hmac.js +192 -0
package/dist/context/crypto/hmac.js.map +1 -0
package/dist/context/crypto/index.d.ts +7 -0
package/dist/context/crypto/index.d.ts.map +1 -0
package/dist/context/crypto/index.js +7 -0
package/dist/context/crypto/index.js.map +1 -0
package/dist/context/engine-v3.0-backup.d.ts +197 -0
package/dist/context/engine-v3.0-backup.d.ts.map +1 -0
package/dist/context/engine-v3.0-backup.js +392 -0
package/dist/context/engine-v3.0-backup.js.map +1 -0
package/dist/context/fragment.d.ts +99 -0
package/dist/context/fragment.d.ts.map +1 -0
package/dist/context/fragment.js +316 -0
package/dist/context/fragment.js.map +1 -0
package/dist/context/index.d.ts +99 -0
package/dist/context/index.d.ts.map +1 -0
package/dist/context/index.js +180 -0
package/dist/context/index.js.map +1 -0
package/dist/context/provenance.d.ts +80 -0
package/dist/context/provenance.d.ts.map +1 -0
package/dist/context/provenance.js +294 -0
package/dist/context/provenance.js.map +1 -0
package/dist/context/resolve.d.ts +106 -0
package/dist/context/resolve.d.ts.map +1 -0
package/dist/context/resolve.js +440 -0
package/dist/context/resolve.js.map +1 -0
package/dist/context/store.d.ts +156 -0
package/dist/context/store.d.ts.map +1 -0
package/dist/context/store.js +396 -0
package/dist/context/store.js.map +1 -0
package/dist/context/types.d.ts +463 -0
package/dist/context/types.d.ts.map +1 -0
package/dist/context/types.js +94 -0
package/dist/context/types.js.map +1 -0
package/dist/context/utils/atomic.d.ts +76 -0
package/dist/context/utils/atomic.d.ts.map +1 -0
package/dist/context/utils/atomic.js +159 -0
package/dist/context/utils/atomic.js.map +1 -0
package/dist/context/utils/credit.d.ts +65 -0
package/dist/context/utils/credit.d.ts.map +1 -0
package/dist/context/utils/credit.js +164 -0
package/dist/context/utils/credit.js.map +1 -0
package/dist/context/utils/index.d.ts +13 -0
package/dist/context/utils/index.d.ts.map +1 -0
package/dist/context/utils/index.js +13 -0
package/dist/context/utils/index.js.map +1 -0
package/dist/context/utils/utility.d.ts +63 -0
package/dist/context/utils/utility.d.ts.map +1 -0
package/dist/context/utils/utility.js +141 -0
package/dist/context/utils/utility.js.map +1 -0
package/dist/core/commitment.d.ts +25 -2
package/dist/core/commitment.d.ts.map +1 -1
package/dist/core/commitment.js +44 -6
package/dist/core/commitment.js.map +1 -1
package/dist/core/crypto.d.ts +2 -0
package/dist/core/crypto.d.ts.map +1 -1
package/dist/core/crypto.js +12 -0
package/dist/core/crypto.js.map +1 -1
package/dist/index.d.ts +11 -6
package/dist/index.d.ts.map +1 -1
package/dist/index.js +35 -10
package/dist/index.js.map +1 -1
package/dist/mcca/engine.d.ts.map +1 -1
package/dist/mcca/engine.js +5 -4
package/dist/mcca/engine.js.map +1 -1
package/dist/physics/engine.d.ts +1 -0
package/dist/physics/engine.d.ts.map +1 -1
package/dist/physics/engine.js +36 -2
package/dist/physics/engine.js.map +1 -1
package/dist/provenance/api-handler.d.ts +45 -0
package/dist/provenance/api-handler.d.ts.map +1 -0
package/dist/provenance/api-handler.js +223 -0
package/dist/provenance/api-handler.js.map +1 -0
package/dist/provenance/api-types.d.ts +108 -0
package/dist/provenance/api-types.d.ts.map +1 -0
package/dist/provenance/api-types.js +9 -0
package/dist/provenance/api-types.js.map +1 -0
package/dist/provenance/index.d.ts +6 -0
package/dist/provenance/index.d.ts.map +1 -0
package/dist/provenance/index.js +3 -0
package/dist/provenance/index.js.map +1 -0
package/dist/provenance/provenance-engine.d.ts +63 -0
package/dist/provenance/provenance-engine.d.ts.map +1 -0
package/dist/provenance/provenance-engine.js +311 -0
package/dist/provenance/provenance-engine.js.map +1 -0
package/dist/provenance/types.d.ts +193 -0
package/dist/provenance/types.d.ts.map +1 -0
package/dist/provenance/types.js +9 -0
package/dist/provenance/types.js.map +1 -0
package/dist/tee/engine.d.ts.map +1 -1
package/dist/tee/engine.js +14 -0
package/dist/tee/engine.js.map +1 -1
package/dist/warrant/engine.d.ts +24 -1
package/dist/warrant/engine.d.ts.map +1 -1
package/dist/warrant/engine.js +76 -1
package/dist/warrant/engine.js.map +1 -1
package/dist/zk/engine.d.ts.map +1 -1
package/dist/zk/engine.js +7 -4
package/dist/zk/engine.js.map +1 -1
package/docs/SECURITY-PATCHES.md +170 -0
package/package.json +17 -5
package/src/__tests__/accountability.test.ts +308 -0
package/src/__tests__/l1-verification-modes.test.ts +424 -0
package/src/__tests__/phase1.benchmark.test.ts +94 -0
package/src/__tests__/phase1.test.ts +0 -77
package/src/__tests__/phase2-4.benchmark.test.ts +60 -0
package/src/__tests__/phase2-4.test.ts +1 -52
package/src/__tests__/provenance/api-handler.test.ts +356 -0
package/src/__tests__/provenance/provenance-engine.test.ts +628 -0
package/src/__tests__/sa-2026-008.test.ts +45 -0
package/src/__tests__/sa-2026-009.test.ts +86 -0
package/src/__tests__/sa-2026-010.test.ts +72 -0
package/src/__tests__/sa-2026-012.test.ts +65 -0
package/src/__tests__/sa-2026-nfc.test.ts +40 -0
package/src/__tests__/security.test.ts +786 -0
package/src/accountability/engine.ts +230 -0
package/src/accountability/types.ts +58 -0
package/src/checkpoint/engine.ts +4 -0
package/src/context/__tests__/caret-v0.2.0.test.ts +860 -0
package/src/context/__tests__/integration.test.ts +356 -0
package/src/context/compose.ts +388 -0
package/src/context/crypto/hash.ts +277 -0
package/src/context/crypto/hmac.ts +253 -0
package/src/context/crypto/index.ts +29 -0
package/src/context/engine-v3.0-backup.ts +598 -0
package/src/context/fragment.ts +454 -0
package/src/context/index.ts +427 -0
package/src/context/provenance.ts +380 -0
package/src/context/resolve.ts +581 -0
package/src/context/store.ts +503 -0
package/src/context/types.ts +679 -0
package/src/context/utils/atomic.ts +207 -0
package/src/context/utils/credit.ts +224 -0
package/src/context/utils/index.ts +13 -0
package/src/context/utils/utility.ts +200 -0
package/src/core/commitment.ts +129 -67
package/src/core/crypto.ts +13 -0
package/src/index.ts +62 -10
package/src/mcca/engine.ts +5 -4
package/src/physics/engine.ts +40 -3
package/src/provenance/api-handler.ts +248 -0
package/src/provenance/api-types.ts +112 -0
package/src/provenance/index.ts +19 -0
package/src/provenance/provenance-engine.ts +387 -0
package/src/provenance/types.ts +211 -0
package/src/tee/engine.ts +16 -0
package/src/warrant/engine.ts +89 -1
package/src/zk/engine.ts +8 -4
package/tsconfig.json +1 -1

package/src/__tests__/sa-2026-009.test.ts ADDED Viewed

@@ -0,0 +1,86 @@
+/**
+ * SA-2026-009: ZK seal verification gap
+ * Verifies that verifyProof rejects documents with tampered seals.
+ * Prior to fix: expectedSeal was computed but never compared.
+ */
+import { describe, it, expect, beforeAll } from 'vitest';
+import { CommitmentEngine } from '../core/commitment.js';
+import { ZKProofsEngine } from '../zk/engine.js';
+import type { Seal } from '../core/crypto.js';
+const TEST_KEY = 'test-seal-key-zk-verify-gap-minimum-32-chars';
+describe('SA-2026-009: ZK seal verification gap', () => {
+  let commitmentEngine: CommitmentEngine;
+  let zkEngine: ZKProofsEngine;
+  beforeAll(async () => {
+    commitmentEngine = new CommitmentEngine();
+    await commitmentEngine.initialize(TEST_KEY);
+    zkEngine = new ZKProofsEngine(commitmentEngine);
+    await zkEngine.initialize(TEST_KEY);
+  });
+  it('verifyProof accepts a validly sealed document', async () => {
+    const doc = await zkEngine.requestProof({
+      type: 'commitment_inclusion',
+      statement: {
+        description: 'SA-2026-009 valid seal test',
+        claim: { test: 'valid-seal' },
+      },
+    });
+    const completed = await zkEngine.waitForProof(doc.id, 5000);
+    const result = await zkEngine.verifyProof(completed);
+    expect(result.valid).toBe(true);
+    expect(result.errors).toHaveLength(0);
+  });
+  it('verifyProof rejects a document with a tampered seal', async () => {
+    const doc = await zkEngine.requestProof({
+      type: 'commitment_inclusion',
+      statement: {
+        description: 'SA-2026-009 tampered seal test',
+        claim: { test: 'tampered-seal' },
+      },
+    });
+    const completed = await zkEngine.waitForProof(doc.id, 5000);
+    // Tamper with the seal
+    const tampered = { ...completed, seal: 'tampered-seal-value' as Seal };
+    const result = await zkEngine.verifyProof(tampered);
+    expect(result.valid).toBe(false);
+    expect(result.errors).toContain('Seal verification failed');
+  });
+  it('verifyProof rejects a document with mutated content', async () => {
+    const doc = await zkEngine.requestProof({
+      type: 'commitment_inclusion',
+      statement: {
+        description: 'SA-2026-009 mutation test',
+        claim: { test: 'content-mutation' },
+      },
+    });
+    const completed = await zkEngine.waitForProof(doc.id, 5000);
+    // Mutate content without re-sealing
+    const mutated = {
+      ...completed,
+      statement: {
+        ...completed.statement,
+        description: 'ALTERED after sealing',
+      },
+    };
+    const result = await zkEngine.verifyProof(mutated);
+    expect(result.valid).toBe(false);
+    expect(result.errors).toContain('Seal verification failed');
+  });
+});

package/src/__tests__/sa-2026-010.test.ts ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * SA-2026-010: Checkpoint fire-and-forget error handling
+ * Verifies that L1 commitment failures are caught and surfaced
+ * via checkpoint status rather than silently swallowed.
+ */
+import { describe, it, expect, beforeAll, vi } from 'vitest';
+import { CommitmentEngine } from '../core/commitment.js';
+import { CheckpointEngine } from '../checkpoint/engine.js';
+const TEST_KEY = 'test-seal-key-checkpoint-catch-minimum-32-chars';
+describe('SA-2026-010: Checkpoint fire-and-forget error handling', () => {
+  let commitmentEngine: CommitmentEngine;
+  let checkpointEngine: CheckpointEngine;
+  beforeAll(async () => {
+    commitmentEngine = new CommitmentEngine();
+    await commitmentEngine.initialize(TEST_KEY);
+    checkpointEngine = new CheckpointEngine(commitmentEngine);
+    await checkpointEngine.initialize(TEST_KEY);
+  });
+  it('checkpoint status becomes failed when L1 commit rejects', async () => {
+    // Spy on commit and make it reject
+    const commitSpy = vi.spyOn(commitmentEngine, 'commit')
+      .mockRejectedValueOnce(new Error('Simulated L1 failure'));
+    // Suppress expected console.error
+    const errorSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+    const checkpoint = await checkpointEngine.createCheckpoint({
+      agent_id: 'test-agent-sa010',
+      trigger: 'action_start',
+      state: {
+        warrant_id: 'w-test-sa010' as any,
+        action_type: 'test',
+        context_hash: 'hash-test' as any,
+      },
+    });
+    // checkpoint is returned immediately (fire-and-forget)
+    expect(checkpoint.status).toBe('pending');
+    // Wait for the async .then/.catch to resolve
+    await new Promise(resolve => setTimeout(resolve, 50));
+    // After failure, status should be 'failed', not stuck on 'pending'
+    expect(checkpoint.status).toBe('failed');
+    commitSpy.mockRestore();
+    errorSpy.mockRestore();
+  });
+  it('checkpoint status becomes sealed on successful L1 commit', async () => {
+    const checkpoint = await checkpointEngine.createCheckpoint({
+      agent_id: 'test-agent-sa010-ok',
+      trigger: 'action_start',
+      state: {
+        warrant_id: 'w-test-sa010-ok' as any,
+        action_type: 'test',
+        context_hash: 'hash-test-ok' as any,
+      },
+    });
+    // Wait for async commit
+    await new Promise(resolve => setTimeout(resolve, 50));
+    expect(checkpoint.status).toBe('sealed');
+    expect(checkpoint.commitment_id).toBeTruthy();
+  });
+});

package/src/__tests__/sa-2026-012.test.ts ADDED Viewed

@@ -0,0 +1,65 @@
+/**
+ * SA-2026-012: Influence budget underflow protection
+ * Verifies that influence and token counts never go negative
+ * after fragment removal.
+ */
+import { describe, it, expect, beforeAll } from 'vitest';
+import { CommitmentEngine } from '../core/commitment.js';
+import { MCCAEngine } from '../mcca/engine.js';
+const TEST_KEY = 'test-seal-key-mcca-underflow-minimum-32-chars';
+describe('SA-2026-012: Influence budget underflow protection', () => {
+  let commitmentEngine: CommitmentEngine;
+  let engine: MCCAEngine;
+  beforeAll(async () => {
+    commitmentEngine = new CommitmentEngine();
+    await commitmentEngine.initialize(TEST_KEY);
+    engine = new MCCAEngine(commitmentEngine);
+    await engine.initialize(TEST_KEY);
+  });
+  it('influence never goes negative after fragment removal', async () => {
+    // Add a fragment
+    const fragment = await engine.addFragment({
+      content: { test: 'underflow-influence' },
+      source_class: 'user',
+      region: 'task',
+      token_count: 50,
+      influence: 0.05,
+    });
+    // Remove it once
+    await engine.removeFragment(fragment.id);
+    // Remove it again (simulating race or double-remove)
+    await engine.removeFragment(fragment.id);
+    // influenceBySource is private; access via cast to verify the floor guard
+    const influenceBySource = (engine as any).influenceBySource as Record<string, number>;
+    expect(influenceBySource.user).toBeGreaterThanOrEqual(0);
+  });
+  it('token count never goes negative after double removal', async () => {
+    // Add a fragment
+    const fragment = await engine.addFragment({
+      content: { test: 'underflow-tokens' },
+      source_class: 'system',
+      region: 'task',
+      token_count: 100,
+      influence: 0.1,
+    });
+    // Remove it once
+    await engine.removeFragment(fragment.id);
+    // Remove again
+    await engine.removeFragment(fragment.id);
+    // stats.tokens maps to the internal totalTokens field
+    const stats = engine.getStats();
+    expect(stats.tokens).toBeGreaterThanOrEqual(0);
+  });
+});

package/src/__tests__/sa-2026-nfc.test.ts ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * SA-2026-NFC: Unicode normalization in deterministicStringify
+ * Verifies that decomposed and precomposed Unicode codepoints
+ * produce identical hashes.
+ */
+import { describe, it, expect } from 'vitest';
+import { sha256Object, deterministicStringify } from '../core/crypto.js';
+describe('SA-2026-NFC: Unicode normalization', () => {
+  it('NFD and NFC representations hash identically', async () => {
+    // U+00E9 (precomposed e-acute) vs U+0065 + U+0301 (e + combining acute)
+    const nfc = { name: '\u00E9' };   // e with acute (precomposed)
+    const nfd = { name: '\u0065\u0301' }; // e + combining acute (decomposed)
+    const hashNFC = await sha256Object(nfc);
+    const hashNFD = await sha256Object(nfd);
+    expect(hashNFC).toBe(hashNFD);
+  });
+  it('deterministicStringify normalizes strings to NFC', () => {
+    const nfd = '\u0065\u0301'; // decomposed
+    const nfc = '\u00E9';       // precomposed
+    const resultNFD = deterministicStringify({ val: nfd });
+    const resultNFC = deterministicStringify({ val: nfc });
+    expect(resultNFD).toBe(resultNFC);
+  });
+  it('non-string values are unaffected', () => {
+    const result = deterministicStringify({ num: 42, bool: true, nil: null });
+    const parsed = JSON.parse(result);
+    expect(parsed.num).toBe(42);
+    expect(parsed.bool).toBe(true);
+    expect(parsed.nil).toBeNull();
+  });
+});