npm - @longarc/mdash - Versions diffs - 3.1.2 → 3.1.3 - Mend

@longarc/mdash 3.1.2 → 3.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (172) hide show

package/README.md +86 -23
package/SECURITY.md +254 -0
package/dist/accountability/engine.d.ts +27 -0
package/dist/accountability/engine.d.ts.map +1 -0
package/dist/accountability/engine.js +148 -0
package/dist/accountability/engine.js.map +1 -0
package/dist/accountability/types.d.ts +46 -0
package/dist/accountability/types.d.ts.map +1 -0
package/dist/accountability/types.js +8 -0
package/dist/accountability/types.js.map +1 -0
package/dist/checkpoint/engine.d.ts.map +1 -1
package/dist/checkpoint/engine.js +4 -0
package/dist/checkpoint/engine.js.map +1 -1
package/dist/context/compose.d.ts +62 -0
package/dist/context/compose.d.ts.map +1 -0
package/dist/context/compose.js +286 -0
package/dist/context/compose.js.map +1 -0
package/dist/context/crypto/hash.d.ts +100 -0
package/dist/context/crypto/hash.d.ts.map +1 -0
package/dist/context/crypto/hash.js +248 -0
package/dist/context/crypto/hash.js.map +1 -0
package/dist/context/crypto/hmac.d.ts +80 -0
package/dist/context/crypto/hmac.d.ts.map +1 -0
package/dist/context/crypto/hmac.js +192 -0
package/dist/context/crypto/hmac.js.map +1 -0
package/dist/context/crypto/index.d.ts +7 -0
package/dist/context/crypto/index.d.ts.map +1 -0
package/dist/context/crypto/index.js +7 -0
package/dist/context/crypto/index.js.map +1 -0
package/dist/context/engine-v3.0-backup.d.ts +197 -0
package/dist/context/engine-v3.0-backup.d.ts.map +1 -0
package/dist/context/engine-v3.0-backup.js +392 -0
package/dist/context/engine-v3.0-backup.js.map +1 -0
package/dist/context/fragment.d.ts +99 -0
package/dist/context/fragment.d.ts.map +1 -0
package/dist/context/fragment.js +316 -0
package/dist/context/fragment.js.map +1 -0
package/dist/context/index.d.ts +99 -0
package/dist/context/index.d.ts.map +1 -0
package/dist/context/index.js +180 -0
package/dist/context/index.js.map +1 -0
package/dist/context/provenance.d.ts +80 -0
package/dist/context/provenance.d.ts.map +1 -0
package/dist/context/provenance.js +294 -0
package/dist/context/provenance.js.map +1 -0
package/dist/context/resolve.d.ts +106 -0
package/dist/context/resolve.d.ts.map +1 -0
package/dist/context/resolve.js +440 -0
package/dist/context/resolve.js.map +1 -0
package/dist/context/store.d.ts +156 -0
package/dist/context/store.d.ts.map +1 -0
package/dist/context/store.js +396 -0
package/dist/context/store.js.map +1 -0
package/dist/context/types.d.ts +463 -0
package/dist/context/types.d.ts.map +1 -0
package/dist/context/types.js +94 -0
package/dist/context/types.js.map +1 -0
package/dist/context/utils/atomic.d.ts +76 -0
package/dist/context/utils/atomic.d.ts.map +1 -0
package/dist/context/utils/atomic.js +159 -0
package/dist/context/utils/atomic.js.map +1 -0
package/dist/context/utils/credit.d.ts +65 -0
package/dist/context/utils/credit.d.ts.map +1 -0
package/dist/context/utils/credit.js +164 -0
package/dist/context/utils/credit.js.map +1 -0
package/dist/context/utils/index.d.ts +13 -0
package/dist/context/utils/index.d.ts.map +1 -0
package/dist/context/utils/index.js +13 -0
package/dist/context/utils/index.js.map +1 -0
package/dist/context/utils/utility.d.ts +63 -0
package/dist/context/utils/utility.d.ts.map +1 -0
package/dist/context/utils/utility.js +141 -0
package/dist/context/utils/utility.js.map +1 -0
package/dist/core/commitment.d.ts +25 -2
package/dist/core/commitment.d.ts.map +1 -1
package/dist/core/commitment.js +44 -6
package/dist/core/commitment.js.map +1 -1
package/dist/core/crypto.d.ts +2 -0
package/dist/core/crypto.d.ts.map +1 -1
package/dist/core/crypto.js +12 -0
package/dist/core/crypto.js.map +1 -1
package/dist/index.d.ts +11 -6
package/dist/index.d.ts.map +1 -1
package/dist/index.js +35 -10
package/dist/index.js.map +1 -1
package/dist/mcca/engine.d.ts.map +1 -1
package/dist/mcca/engine.js +5 -4
package/dist/mcca/engine.js.map +1 -1
package/dist/physics/engine.d.ts +1 -0
package/dist/physics/engine.d.ts.map +1 -1
package/dist/physics/engine.js +36 -2
package/dist/physics/engine.js.map +1 -1
package/dist/provenance/api-handler.d.ts +45 -0
package/dist/provenance/api-handler.d.ts.map +1 -0
package/dist/provenance/api-handler.js +223 -0
package/dist/provenance/api-handler.js.map +1 -0
package/dist/provenance/api-types.d.ts +108 -0
package/dist/provenance/api-types.d.ts.map +1 -0
package/dist/provenance/api-types.js +9 -0
package/dist/provenance/api-types.js.map +1 -0
package/dist/provenance/index.d.ts +6 -0
package/dist/provenance/index.d.ts.map +1 -0
package/dist/provenance/index.js +3 -0
package/dist/provenance/index.js.map +1 -0
package/dist/provenance/provenance-engine.d.ts +63 -0
package/dist/provenance/provenance-engine.d.ts.map +1 -0
package/dist/provenance/provenance-engine.js +311 -0
package/dist/provenance/provenance-engine.js.map +1 -0
package/dist/provenance/types.d.ts +193 -0
package/dist/provenance/types.d.ts.map +1 -0
package/dist/provenance/types.js +9 -0
package/dist/provenance/types.js.map +1 -0
package/dist/tee/engine.d.ts.map +1 -1
package/dist/tee/engine.js +14 -0
package/dist/tee/engine.js.map +1 -1
package/dist/warrant/engine.d.ts +24 -1
package/dist/warrant/engine.d.ts.map +1 -1
package/dist/warrant/engine.js +76 -1
package/dist/warrant/engine.js.map +1 -1
package/dist/zk/engine.d.ts.map +1 -1
package/dist/zk/engine.js +7 -4
package/dist/zk/engine.js.map +1 -1
package/docs/SECURITY-PATCHES.md +170 -0
package/package.json +17 -5
package/src/__tests__/accountability.test.ts +308 -0
package/src/__tests__/l1-verification-modes.test.ts +424 -0
package/src/__tests__/phase1.benchmark.test.ts +94 -0
package/src/__tests__/phase1.test.ts +0 -77
package/src/__tests__/phase2-4.benchmark.test.ts +60 -0
package/src/__tests__/phase2-4.test.ts +1 -52
package/src/__tests__/provenance/api-handler.test.ts +356 -0
package/src/__tests__/provenance/provenance-engine.test.ts +628 -0
package/src/__tests__/sa-2026-008.test.ts +45 -0
package/src/__tests__/sa-2026-009.test.ts +86 -0
package/src/__tests__/sa-2026-010.test.ts +72 -0
package/src/__tests__/sa-2026-012.test.ts +65 -0
package/src/__tests__/sa-2026-nfc.test.ts +40 -0
package/src/__tests__/security.test.ts +786 -0
package/src/accountability/engine.ts +230 -0
package/src/accountability/types.ts +58 -0
package/src/checkpoint/engine.ts +4 -0
package/src/context/__tests__/caret-v0.2.0.test.ts +860 -0
package/src/context/__tests__/integration.test.ts +356 -0
package/src/context/compose.ts +388 -0
package/src/context/crypto/hash.ts +277 -0
package/src/context/crypto/hmac.ts +253 -0
package/src/context/crypto/index.ts +29 -0
package/src/context/engine-v3.0-backup.ts +598 -0
package/src/context/fragment.ts +454 -0
package/src/context/index.ts +427 -0
package/src/context/provenance.ts +380 -0
package/src/context/resolve.ts +581 -0
package/src/context/store.ts +503 -0
package/src/context/types.ts +679 -0
package/src/context/utils/atomic.ts +207 -0
package/src/context/utils/credit.ts +224 -0
package/src/context/utils/index.ts +13 -0
package/src/context/utils/utility.ts +200 -0
package/src/core/commitment.ts +129 -67
package/src/core/crypto.ts +13 -0
package/src/index.ts +62 -10
package/src/mcca/engine.ts +5 -4
package/src/physics/engine.ts +40 -3
package/src/provenance/api-handler.ts +248 -0
package/src/provenance/api-types.ts +112 -0
package/src/provenance/index.ts +19 -0
package/src/provenance/provenance-engine.ts +387 -0
package/src/provenance/types.ts +211 -0
package/src/tee/engine.ts +16 -0
package/src/warrant/engine.ts +89 -1
package/src/zk/engine.ts +8 -4
package/tsconfig.json +1 -1

package/src/accountability/engine.ts ADDED Viewed

@@ -0,0 +1,230 @@
+/**
+ * mdash v3.1 — AccountabilityEngine
+ *
+ * Unified consumer API: warrants + commitments in one class.
+ * Composes CommitmentEngine (attestation) and WarrantEngine (warrant lifecycle).
+ *
+ * Consumer story: import { AccountabilityEngine } from '@longarc/mdash'
+ * One class, full accountability lifecycle.
+ */
+import { CommitmentEngine } from '../core/commitment.js';
+import type { Commitment } from '../core/commitment.js';
+import { WarrantEngine } from '../warrant/engine.js';
+import type { WarrantId } from '../core/crypto.js';
+import type {
+  WarrantPermissions,
+  Violation,
+  ViolationType,
+  ActionResult,
+  AuditRecord,
+  AuditSummary,
+} from './types.js';
+interface ManagedWarrant {
+  agentId: string;
+  permissions: WarrantPermissions;
+  issuedAt: number;
+  status: 'ACTIVE' | 'EXPIRED' | 'REVOKED';
+  executionCount: number;
+  infraWarrantId: WarrantId;
+}
+export class AccountabilityEngine {
+  private commitmentEngine: CommitmentEngine;
+  private warrantEngine: WarrantEngine;
+  private managedWarrants: Map<string, ManagedWarrant> = new Map();
+  private auditLog: AuditRecord[] = [];
+  private actionCounters: Map<string, number> = new Map();
+  constructor() {
+    this.commitmentEngine = new CommitmentEngine();
+    this.warrantEngine = new WarrantEngine(this.commitmentEngine);
+  }
+  async initialize(sealKey: string): Promise<void> {
+    await this.commitmentEngine.initialize(sealKey);
+    await this.warrantEngine.initialize(sealKey);
+  }
+  async issueWarrant(agentId: string, permissions: WarrantPermissions): Promise<void> {
+    // Create a crypto-sealed infrastructure warrant via WarrantEngine
+    const speculative = await this.warrantEngine.createSpeculative({
+      agent_id: agentId,
+      policy_id: 'accountability-default',
+      tier: 'T1',
+      constraints: {
+        maxCalls: permissions.maxExecutions,
+      },
+      duration_ms: permissions.ttlMs,
+      issued_by: 'accountability-engine',
+    });
+    // Activate immediately — consumer warrants are active on issuance
+    const activated = await this.warrantEngine.activate(speculative.id);
+    this.managedWarrants.set(agentId, {
+      agentId,
+      permissions,
+      issuedAt: Date.now(),
+      status: 'ACTIVE',
+      executionCount: 0,
+      infraWarrantId: activated.id,
+    });
+  }
+  revokeWarrant(agentId: string): void {
+    const managed = this.managedWarrants.get(agentId);
+    if (!managed) return;
+    managed.status = 'REVOKED';
+    // Best-effort infrastructure-level revocation (fire-and-forget)
+    this.warrantEngine
+      .revoke(managed.infraWarrantId, 'Consumer API revocation', {
+        type: 'system',
+        id: 'accountability-engine',
+      })
+      .catch(() => {
+        // Infra warrant may have already expired from cache — local state is authoritative
+      });
+  }
+  async executeAction(
+    agentId: string,
+    action: string,
+    params: unknown,
+  ): Promise<ActionResult> {
+    const managed = this.managedWarrants.get(agentId);
+    // No warrant issued for this agent
+    if (!managed) {
+      return this.deny(agentId, action, 'NO_WARRANT', `No warrant found for agent '${agentId}'`);
+    }
+    // Check infrastructure-level revocation (propagates across caches)
+    if (this.warrantEngine.isRevoked(managed.infraWarrantId)) {
+      managed.status = 'REVOKED';
+    }
+    // Revoked
+    if (managed.status === 'REVOKED') {
+      return this.deny(
+        agentId, action, 'WARRANT_REVOKED',
+        `Warrant for agent '${agentId}' has been revoked`,
+        managed.infraWarrantId,
+      );
+    }
+    // Expired
+    if (Date.now() - managed.issuedAt > managed.permissions.ttlMs) {
+      managed.status = 'EXPIRED';
+      return this.deny(
+        agentId, action, 'WARRANT_EXPIRED',
+        `Warrant for agent '${agentId}' has expired`,
+        managed.infraWarrantId,
+      );
+    }
+    // Execution limit
+    if (
+      managed.permissions.maxExecutions !== undefined &&
+      managed.executionCount >= managed.permissions.maxExecutions
+    ) {
+      return this.deny(
+        agentId, action, 'EXECUTION_LIMIT_REACHED',
+        `Agent '${agentId}' has reached execution limit of ${managed.permissions.maxExecutions}`,
+        managed.infraWarrantId,
+      );
+    }
+    // Forbidden action (explicit deny takes precedence)
+    if (managed.permissions.forbiddenActions.includes(action)) {
+      return this.deny(
+        agentId, action, 'FORBIDDEN_ACTION',
+        `Action '${action}' is explicitly forbidden for agent '${agentId}'`,
+        managed.infraWarrantId,
+      );
+    }
+    // Not in allowed list
+    if (!managed.permissions.allowedActions.includes(action)) {
+      return this.deny(
+        agentId, action, 'UNAUTHORIZED_ACTION',
+        `Action '${action}' is not in the allowed list for agent '${agentId}'`,
+        managed.infraWarrantId,
+      );
+    }
+    // ── AUTHORIZED — commit attestation ──
+    managed.executionCount++;
+    const count = (this.actionCounters.get(agentId) || 0) + 1;
+    this.actionCounters.set(agentId, count);
+    const commitId = `${agentId}-action-${count}`;
+    const commitment = await this.commitmentEngine.commit(
+      { agentId, action, params, timestamp: Date.now() },
+      commitId,
+    );
+    const verified = await this.commitmentEngine.verify(commitment);
+    this.auditLog.push({
+      type: 'ATTESTED_ACTION',
+      agentId,
+      action,
+      timestamp: Date.now(),
+      commitId,
+      contentHash: commitment.content_hash,
+      verified,
+      warrantId: managed.infraWarrantId,
+    });
+    return { executed: true, commitment, verified };
+  }
+  getAuditSummary(): AuditSummary {
+    const authorized = this.auditLog.filter(r => r.type === 'ATTESTED_ACTION').length;
+    const denied = this.auditLog.filter(r => r.type !== 'ATTESTED_ACTION').length;
+    return {
+      total: this.auditLog.length,
+      authorized,
+      denied,
+      log: [...this.auditLog],
+    };
+  }
+  async verifyCommitment(commitment: Commitment): Promise<boolean> {
+    return this.commitmentEngine.verify(commitment);
+  }
+  private deny(
+    agentId: string,
+    action: string,
+    type: ViolationType,
+    detail: string,
+    warrantId?: WarrantId,
+  ): ActionResult {
+    const violation: Violation = {
+      type,
+      agentId,
+      action,
+      timestamp: Date.now(),
+      detail,
+      warrantId,
+    };
+    this.auditLog.push({
+      type,
+      agentId,
+      action,
+      timestamp: Date.now(),
+      detail,
+      warrantId,
+    });
+    return { executed: false, violation };
+  }
+}

package/src/accountability/types.ts ADDED Viewed

@@ -0,0 +1,58 @@
+/**
+ * mdash v3.1 — Accountability Engine Types
+ *
+ * Consumer-facing types for the unified accountability API.
+ * Warrants + Commitments in a single lifecycle.
+ */
+import type { Commitment } from '../core/commitment.js';
+export interface WarrantPermissions {
+  allowedActions: string[];
+  forbiddenActions: string[];
+  ttlMs: number;
+  maxExecutions?: number;
+}
+export type ViolationType =
+  | 'FORBIDDEN_ACTION'
+  | 'UNAUTHORIZED_ACTION'
+  | 'WARRANT_EXPIRED'
+  | 'WARRANT_REVOKED'
+  | 'EXECUTION_LIMIT_REACHED'
+  | 'NO_WARRANT';
+export interface Violation {
+  type: ViolationType;
+  agentId: string;
+  action: string;
+  timestamp: number;
+  detail: string;
+  warrantId?: string;
+}
+export interface ActionResult {
+  executed: boolean;
+  commitment?: Commitment;
+  verified?: boolean;
+  violation?: Violation;
+}
+export interface AuditRecord {
+  type: 'ATTESTED_ACTION' | ViolationType;
+  agentId: string;
+  action: string;
+  timestamp: number;
+  commitId?: string;
+  contentHash?: string;
+  verified?: boolean;
+  detail?: string;
+  warrantId?: string;
+}
+export interface AuditSummary {
+  total: number;
+  authorized: number;
+  denied: number;
+  log: AuditRecord[];
+}

package/src/checkpoint/engine.ts CHANGED Viewed

@@ -315,6 +315,10 @@ export class CheckpointEngine {
     this.commitmentEngine.commit(checkpoint, commitmentId).then(() => {
       checkpoint.commitment_id = commitmentId;
       checkpoint.status = 'sealed';
+    }).catch((error) => {
+      // SA-2026-010: Log commitment failures instead of silently swallowing
+      checkpoint.status = 'failed';
+      console.error(`[Checkpoint] L1 commit failed for ${id}: ${error}`);
     });
     // Store and index