@mondaydotcomorg/atp-provenance 0.17.14

package/dist/tokens.js

@@ -0,0 +1,239 @@
+/**
+ * Provenance Token System
+ *
+ * Cryptographically-signed tokens for multi-step provenance tracking
+ */
+import crypto from 'crypto';
+import { nanoid } from 'nanoid';
+const MAX_VALUE_SIZE = 1024 * 1024; // 1MB
+/**
+ * Deterministic JSON stringification with sorted keys
+ */
+export function stableStringify(value) {
+    try {
+        if (value === null || value === undefined) {
+            return String(value);
+        }
+        if (typeof value === 'string' || typeof value === 'number' || typeof value === 'boolean') {
+            return JSON.stringify(value);
+        }
+        if (typeof value === 'function' || typeof value === 'symbol') {
+            return null;
+        }
+        const seen = new WeakSet();
+        const replacer = (_key, val) => {
+            if (val !== null && typeof val === 'object') {
+                if (seen.has(val)) {
+                    return '[Circular]';
+                }
+                seen.add(val);
+                if (!Array.isArray(val)) {
+                    const sorted = {};
+                    const keys = Object.keys(val).sort();
+                    for (const k of keys) {
+                        sorted[k] = val[k];
+                    }
+                    return sorted;
+                }
+            }
+            return val;
+        };
+        const result = JSON.stringify(value, replacer);
+        if (result.length > MAX_VALUE_SIZE) {
+            return null;
+        }
+        return result;
+    }
+    catch (error) {
+        return null;
+    }
+}
+/**
+ * Compute SHA-256 digest of value
+ */
+export function computeDigest(value) {
+    const serialized = stableStringify(value);
+    if (!serialized) {
+        return null;
+    }
+    return crypto.createHash('sha256').update(serialized).digest('base64url');
+}
+/**
+ * Get client secret (Phase 1: single secret from env)
+ */
+export function getClientSecret(clientId) {
+    const secret = process.env.PROVENANCE_SECRET;
+    if (!secret) {
+        throw new Error('PROVENANCE_SECRET environment variable is required for provenance tracking. ' +
+            'Generate a strong secret with: openssl rand -base64 32');
+    }
+    // Validate secret length - must be at least 32 bytes
+    // Base64 encoding: 32 bytes = 44 chars, but we'll check raw byte length
+    const secretBytes = Buffer.from(secret, 'utf-8').length;
+    if (secretBytes < 32) {
+        throw new Error(`PROVENANCE_SECRET must be at least 32 bytes (currently ${secretBytes} bytes). ` +
+            'Generate a strong secret with: openssl rand -base64 32');
+    }
+    return secret;
+}
+/**
+ * Generate HMAC signature
+ */
+function hmacSign(data, secret) {
+    return crypto.createHmac('sha256', secret).update(data).digest('base64url');
+}
+/**
+ * Issue a provenance token for a value
+ */
+export async function issueProvenanceToken(metadata, value, clientId, executionId, cacheProvider, ttl = 3600) {
+    const valueDigest = computeDigest(value);
+    if (!valueDigest) {
+        return null;
+    }
+    const metaId = nanoid();
+    const cacheKey = `prov:meta:${clientId}:${metaId}`;
+    try {
+        await cacheProvider.set(cacheKey, JSON.stringify(metadata), ttl);
+        if (typeof value === 'string' || typeof value === 'number') {
+            const valueKey = `prov:value:${clientId}:${valueDigest}`;
+            await cacheProvider.set(valueKey, JSON.stringify({ value: String(value), metaId }), ttl);
+        }
+    }
+    catch (error) {
+        console.error('Failed to store provenance metadata in cache:', error);
+        return null;
+    }
+    const payload = {
+        v: 1,
+        clientId,
+        executionId,
+        createdAt: Date.now(),
+        expiresAt: Date.now() + ttl * 1000,
+        valueDigest,
+        metaId,
+    };
+    const payloadStr = JSON.stringify(payload);
+    const payloadB64 = Buffer.from(payloadStr).toString('base64url');
+    const secret = getClientSecret(clientId);
+    const signature = hmacSign(payloadB64, secret);
+    return `${payloadB64}.${signature}`;
+}
+/**
+ * Verify and extract provenance from a token
+ */
+export async function verifyProvenanceToken(token, value, clientId, executionId, cacheProvider) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 2) {
+            return null;
+        }
+        const [payloadB64, signature] = parts;
+        if (!payloadB64 || !signature) {
+            return null;
+        }
+        const secret = getClientSecret(clientId);
+        const expectedSig = hmacSign(payloadB64, secret);
+        // Use constant-time comparison to prevent timing attacks
+        try {
+            const sigBuf = Buffer.from(signature, 'base64url');
+            const expectedBuf = Buffer.from(expectedSig, 'base64url');
+            if (sigBuf.length !== expectedBuf.length || !crypto.timingSafeEqual(sigBuf, expectedBuf)) {
+                console.error('Token signature verification failed');
+                return null;
+            }
+        }
+        catch (error) {
+            console.error('Token signature comparison error:', error);
+            return null;
+        }
+        const payloadStr = Buffer.from(payloadB64, 'base64url').toString();
+        const payload = JSON.parse(payloadStr);
+        if (payload.v !== 1) {
+            console.error('Unsupported token version:', payload.v);
+            return null;
+        }
+        if (payload.clientId !== clientId) {
+            console.error('Token clientId mismatch:', payload.clientId, 'vs', clientId);
+            return null;
+        }
+        if (payload.executionId !== executionId) {
+            console.error('Token executionId mismatch:', payload.executionId, 'vs', executionId);
+            return null;
+        }
+        if (Date.now() > payload.expiresAt) {
+            console.warn('Token expired');
+            return null;
+        }
+        const valueDigest = computeDigest(value);
+        if (!valueDigest || valueDigest !== payload.valueDigest) {
+            console.warn('Token value digest mismatch (value may have been modified)');
+            return null;
+        }
+        const cacheKey = `prov:meta:${payload.clientId}:${payload.metaId}`;
+        const metaStr = await cacheProvider.get(cacheKey);
+        if (!metaStr || typeof metaStr !== 'string') {
+            console.warn('Token metadata not found in cache (expired or evicted)');
+            return null;
+        }
+        const metadata = JSON.parse(metaStr);
+        return metadata;
+    }
+    catch (error) {
+        console.error('Token verification error:', error);
+        return null;
+    }
+}
+/**
+ * Verify multiple hints and build a digest → metadata map
+ * Returns map for O(1) lookup during re-attachment
+ * ALSO returns a value → metadata map for substring matching
+ */
+export async function verifyProvenanceHints(hints, clientId, executionId, cacheProvider, maxHints = 1000) {
+    const map = new Map();
+    const hintsToProcess = hints.slice(0, maxHints);
+    if (hints.length > maxHints) {
+        console.warn(`Capped provenance hints from ${hints.length} to ${maxHints}`);
+    }
+    const timeout = 100;
+    const promises = hintsToProcess.map(async (token) => {
+        try {
+            const parts = token.split('.');
+            if (parts.length !== 2)
+                return;
+            const [payloadB64] = parts;
+            if (!payloadB64)
+                return;
+            const payloadStr = Buffer.from(payloadB64, 'base64url').toString();
+            const payload = JSON.parse(payloadStr);
+            const cacheKey = `prov:meta:${payload.clientId}:${payload.metaId}`;
+            const fetchPromise = cacheProvider.get(cacheKey);
+            const timeoutPromise = new Promise((resolve) => setTimeout(() => resolve(null), timeout));
+            const metaStr = await Promise.race([fetchPromise, timeoutPromise]);
+            if (metaStr && typeof metaStr === 'string') {
+                const metadata = JSON.parse(metaStr);
+                map.set(payload.valueDigest, metadata);
+                const valueKey = `prov:value:${payload.clientId}:${payload.valueDigest}`;
+                const valueStr = await Promise.race([
+                    cacheProvider.get(valueKey),
+                    new Promise((resolve) => setTimeout(() => resolve(null), timeout)),
+                ]);
+                if (valueStr && typeof valueStr === 'string') {
+                    try {
+                        const { value } = JSON.parse(valueStr);
+                        map.__valueMap = map.__valueMap || new Map();
+                        map.__valueMap.set(value, metadata);
+                    }
+                    catch (e) {
+                        // Value parsing failed, skip
+                    }
+                }
+            }
+        }
+        catch (error) {
+            // Skip invalid tokens silently
+        }
+    });
+    await Promise.all(promises);
+    return map;
+}
+//# sourceMappingURL=tokens.js.map

package/dist/tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.js","sourceRoot":"","sources":["../src/tokens.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AA0BhC,MAAM,cAAc,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,MAAM;AAE1C;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,KAAc;IAC7C,IAAI,CAAC;QACJ,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YAC3C,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;QAED,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,SAAS,EAAE,CAAC;YAC1F,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC;QAED,IAAI,OAAO,KAAK,KAAK,UAAU,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC;QACb,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,OAAO,EAAE,CAAC;QAE3B,MAAM,QAAQ,GAAG,CAAC,IAAY,EAAE,GAAY,EAAW,EAAE;YACxD,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC7C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAa,CAAC,EAAE,CAAC;oBAC7B,OAAO,YAAY,CAAC;gBACrB,CAAC;gBACD,IAAI,CAAC,GAAG,CAAC,GAAa,CAAC,CAAC;gBAExB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;oBACzB,MAAM,MAAM,GAA4B,EAAE,CAAC;oBAC3C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAA8B,CAAC,CAAC,IAAI,EAAE,CAAC;oBAChE,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;wBACtB,MAAM,CAAC,CAAC,CAAC,GAAI,GAA+B,CAAC,CAAC,CAAC,CAAC;oBACjD,CAAC;oBACD,OAAO,MAAM,CAAC;gBACf,CAAC;YACF,CAAC;YACD,OAAO,GAAG,CAAC;QACZ,CAAC,CAAC;QAEF,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC/C,IAAI,MAAM,CAAC,MAAM,GAAG,cAAc,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC;QACb,CAAC;QAED,OAAO,MAAM,CAAC;IACf,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,OAAO,IAAI,CAAC;IACb,CAAC;AACF,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,KAAc;IAC3C,MAAM,UAAU,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IAC1C,IAAI,CAAC,UAAU,EAAE,CAAC;QACjB,OAAO,IAAI,CAAC;IACb,CAAC;IACD,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AAC3E,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB;IAC/C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC7C,IAAI,CAAC,MAAM,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACd,8EAA8E;YAC7E,wDAAwD,CACzD,CAAC;IACH,CAAC;IACD,qDAAqD;IACrD,wEAAwE;IACxE,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC;IACxD,IAAI,WAAW,GAAG,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACd,0DAA0D,WAAW,WAAW;YAC/E,wDAAwD,CACzD,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,QAAQ,CAAC,IAAY,EAAE,MAAc;IAC7C,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AAC7E,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACzC,QAA4B,EAC5B,KAAc,EACd,QAAgB,EAChB,WAAmB,EACnB,aAA4B,EAC5B,MAAc,IAAI;IAElB,MAAM,WAAW,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IACzC,IAAI,CAAC,WAAW,EAAE,CAAC;QAClB,OAAO,IAAI,CAAC;IACb,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,MAAM,QAAQ,GAAG,aAAa,QAAQ,IAAI,MAAM,EAAE,CAAC;IAEnD,IAAI,CAAC;QACJ,MAAM,aAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,GAAG,CAAC,CAAC;QAEjE,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC5D,MAAM,QAAQ,GAAG,cAAc,QAAQ,IAAI,WAAW,EAAE,CAAC;YACzD,MAAM,aAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC;QAC1F,CAAC;IACF,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAC;QACtE,OAAO,IAAI,CAAC;IACb,CAAC;IAED,MAAM,OAAO,GAAiB;QAC7B,CAAC,EAAE,CAAC;QACJ,QAAQ;QACR,WAAW;QACX,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,IAAI;QAClC,WAAW;QACX,MAAM;KACN,CAAC;IAEF,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACjE,MAAM,MAAM,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAE/C,OAAO,GAAG,UAAU,IAAI,SAAS,EAAE,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAC1C,KAAa,EACb,KAAc,EACd,QAAgB,EAChB,WAAmB,EACnB,aAA4B;IAE5B,IAAI,CAAC;QACJ,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC;QACb,CAAC;QAED,MAAM,CAAC,UAAU,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QACtC,IAAI,CAAC,UAAU,IAAI,CAAC,SAAS,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC;QACb,CAAC;QAED,MAAM,MAAM,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,WAAW,GAAG,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QAEjD,yDAAyD;QACzD,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YACnD,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;YAE1D,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,CAAC;gBAC1F,OAAO,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;gBACrD,OAAO,IAAI,CAAC;YACb,CAAC;QACF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAC;YAC1D,OAAO,IAAI,CAAC;QACb,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC;QACnE,MAAM,OAAO,GAAiB,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAErD,IAAI,OAAO,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;YACrB,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;YACvD,OAAO,IAAI,CAAC;QACb,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;YAC5E,OAAO,IAAI,CAAC;QACb,CAAC;QAED,IAAI,OAAO,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;YACzC,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,OAAO,CAAC,WAAW,EAAE,IAAI,EAAE,WAAW,CAAC,CAAC;YACrF,OAAO,IAAI,CAAC;QACb,CAAC;QAED,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YAC9B,OAAO,IAAI,CAAC;QACb,CAAC;QAED,MAAM,WAAW,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;QACzC,IAAI,CAAC,WAAW,IAAI,WAAW,KAAK,OAAO,CAAC,WAAW,EAAE,CAAC;YACzD,OAAO,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;YAC3E,OAAO,IAAI,CAAC;QACb,CAAC;QAED,MAAM,QAAQ,GAAG,aAAa,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnE,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAElD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAC7C,OAAO,CAAC,IAAI,CAAC,wDAAwD,CAAC,CAAC;YACvE,OAAO,IAAI,CAAC;QACb,CAAC;QAED,MAAM,QAAQ,GAAuB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACzD,OAAO,QAAQ,CAAC;IACjB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,2BAA2B,EAAE,KAAK,CAAC,CAAC;QAClD,OAAO,IAAI,CAAC;IACb,CAAC;AACF,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAC1C,KAAe,EACf,QAAgB,EAChB,WAAmB,EACnB,aAA4B,EAC5B,WAAmB,IAAI;IAEvB,MAAM,GAAG,GAAG,IAAI,GAAG,EAA8B,CAAC;IAElD,MAAM,cAAc,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IAChD,IAAI,KAAK,CAAC,MAAM,GAAG,QAAQ,EAAE,CAAC;QAC7B,OAAO,CAAC,IAAI,CAAC,gCAAgC,KAAK,CAAC,MAAM,OAAO,QAAQ,EAAE,CAAC,CAAC;IAC7E,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC;IACpB,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACnD,IAAI,CAAC;YACJ,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO;YAE/B,MAAM,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC;YAC3B,IAAI,CAAC,UAAU;gBAAE,OAAO;YAExB,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC;YACnE,MAAM,OAAO,GAAiB,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAErD,MAAM,QAAQ,GAAG,aAAa,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YAEnE,MAAM,YAAY,GAAG,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACjD,MAAM,cAAc,GAAG,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CACpD,UAAU,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CACxC,CAAC;YAEF,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC,CAAC;YAEnE,IAAI,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAC5C,MAAM,QAAQ,GAAuB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBACzD,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;gBAEvC,MAAM,QAAQ,GAAG,cAAc,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;gBACzE,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;oBACnC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC;oBAC3B,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;iBACxE,CAAC,CAAC;gBAEH,IAAI,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBAC9C,IAAI,CAAC;wBACJ,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;wBACtC,GAAW,CAAC,UAAU,GAAI,GAAW,CAAC,UAAU,IAAI,IAAI,GAAG,EAAE,CAAC;wBAC9D,GAAW,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;oBAC9C,CAAC;oBAAC,OAAO,CAAC,EAAE,CAAC;wBACZ,6BAA6B;oBAC9B,CAAC;gBACF,CAAC;YACF,CAAC;QACF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,+BAA+B;QAChC,CAAC;IACF,CAAC,CAAC,CAAC;IAEH,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAE5B,OAAO,GAAG,CAAC;AACZ,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,150 @@
+/**
+ * Provenance Tracking Types
+ *
+ * Implements CAMEL-inspired data provenance tracking for prompt injection defense.
+
+/**
+ * Provenance tracking mode enum
+ */
+export declare enum ProvenanceMode {
+    /** No provenance tracking - zero overhead */
+    NONE = "none",
+    /** Proxy-based tracking - runtime tracking */
+    PROXY = "proxy",
+    /** AST instrumentation - compile-time tracking */
+    AST = "ast"
+}
+/**
+ * Data source types
+ */
+export declare enum ProvenanceSource {
+    /** Direct from user input (trusted) */
+    USER = "user",
+    /** From LLM generation */
+    LLM = "llm",
+    /** From tool execution */
+    TOOL = "tool",
+    /** Generated by runtime/system */
+    SYSTEM = "system"
+}
+/**
+ * Tool source metadata
+ */
+export interface ToolSource {
+    type: ProvenanceSource.TOOL;
+    toolName: string;
+    apiGroup: string;
+    timestamp: number;
+}
+/**
+ * LLM source metadata
+ */
+export interface LLMSource {
+    type: ProvenanceSource.LLM;
+    operation: 'call' | 'extract' | 'classify';
+    timestamp: number;
+}
+/**
+ * User source metadata
+ */
+export interface UserSource {
+    type: ProvenanceSource.USER;
+    timestamp: number;
+}
+/**
+ * System source metadata
+ */
+export interface SystemSource {
+    type: ProvenanceSource.SYSTEM;
+    operation: string;
+    timestamp: number;
+}
+/**
+ * Source metadata union
+ */
+export type SourceMetadata = ToolSource | LLMSource | UserSource | SystemSource;
+/**
+ * Reader permissions - who can access this data
+ */
+export type ReaderPermissions = {
+    type: 'public';
+} | {
+    type: 'restricted';
+    readers: string[];
+};
+/**
+ * Complete provenance metadata
+ */
+export interface ProvenanceMetadata {
+    /** Where this data came from */
+    source: SourceMetadata;
+    /** Who can read this data */
+    readers: ReaderPermissions;
+    /** Chain of dependencies (for tracking data flow) */
+    dependencies?: string[];
+    /** Unique identifier for this provenance record */
+    id: string;
+    /** Additional context */
+    context?: Record<string, unknown>;
+}
+/**
+ * Serialized provenance state for pause/resume
+ */
+export interface ProvenanceState {
+    registry: Array<[string, ProvenanceMetadata]>;
+}
+/**
+ * Enhanced provenance snapshot including primitive taints
+ * Used for cross-execution token persistence
+ */
+export interface ProvenanceSnapshot {
+    /** Object provenance registry */
+    registry: Array<[string, ProvenanceMetadata]>;
+    /** Primitive taint mappings */
+    primitives: Array<[string, ProvenanceMetadata]>;
+}
+/**
+ * Policy action types
+ * - log: Allow operation but log security event for audit
+ * - approve: Pause and request human approval
+ * - block: Deny operation immediately
+ */
+export type PolicyAction = 'log' | 'approve' | 'block';
+/**
+ * Security policy result
+ */
+export interface PolicyResult {
+    /** @deprecated Use action instead */
+    allowed?: boolean;
+    /**
+     * Action to take:
+     * - log: Allow but audit (permissive monitoring)
+     * - approve: Request human approval (interactive gating)
+     * - block: Deny immediately (maximum security)
+     */
+    action: PolicyAction;
+    /** Human-readable reason for the action */
+    reason?: string;
+    /** Policy name that produced this result */
+    policy?: string;
+    /** Additional context for approval UI (when action='approve') or audit log */
+    context?: Record<string, unknown>;
+}
+/**
+ * Security policy interface
+ */
+export interface SecurityPolicy {
+    name: string;
+    description?: string;
+    check: (toolName: string, args: Record<string, unknown>, getProvenance: (value: unknown) => ProvenanceMetadata | null) => PolicyResult | Promise<PolicyResult>;
+}
+/**
+ * Provenance security policy violation error
+ */
+export declare class ProvenanceSecurityError extends Error {
+    policy: string;
+    toolName: string;
+    details?: Record<string, unknown> | undefined;
+    constructor(message: string, policy: string, toolName: string, details?: Record<string, unknown> | undefined);
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,oBAAY,cAAc;IACzB,6CAA6C;IAC7C,IAAI,SAAS;IACb,8CAA8C;IAC9C,KAAK,UAAU;IACf,kDAAkD;IAClD,GAAG,QAAQ;CACX;AAED;;GAEG;AACH,oBAAY,gBAAgB;IAC3B,uCAAuC;IACvC,IAAI,SAAS;IACb,0BAA0B;IAC1B,GAAG,QAAQ;IACX,0BAA0B;IAC1B,IAAI,SAAS;IACb,kCAAkC;IAClC,MAAM,WAAW;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IAC1B,IAAI,EAAE,gBAAgB,CAAC,IAAI,CAAC;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,gBAAgB,CAAC,GAAG,CAAC;IAC3B,SAAS,EAAE,MAAM,GAAG,SAAS,GAAG,UAAU,CAAC;IAC3C,SAAS,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IAC1B,IAAI,EAAE,gBAAgB,CAAC,IAAI,CAAC;IAC5B,SAAS,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC5B,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,SAAS,GAAG,UAAU,GAAG,YAAY,CAAC;AAEhF;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAAE,IAAI,EAAE,QAAQ,CAAA;CAAE,GAAG;IAAE,IAAI,EAAE,YAAY,CAAC;IAAC,OAAO,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC;AAE/F;;GAEG;AACH,MAAM,WAAW,kBAAkB;IAClC,gCAAgC;IAChC,MAAM,EAAE,cAAc,CAAC;IAEvB,6BAA6B;IAC7B,OAAO,EAAE,iBAAiB,CAAC;IAE3B,qDAAqD;IACrD,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IAExB,mDAAmD;IACnD,EAAE,EAAE,MAAM,CAAC;IAEX,yBAAyB;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,QAAQ,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAAC;CAC9C;AAED;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IAClC,iCAAiC;IACjC,QAAQ,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAAC;IAC9C,+BAA+B;IAC/B,UAAU,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAAC;CAChD;AAED;;;;;GAKG;AACH,MAAM,MAAM,YAAY,GAAG,KAAK,GAAG,SAAS,GAAG,OAAO,CAAC;AAEvD;;GAEG;AACH,MAAM,WAAW,YAAY;IAC5B,qCAAqC;IACrC,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB;;;;;OAKG;IACH,MAAM,EAAE,YAAY,CAAC;IAErB,2CAA2C;IAC3C,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,4CAA4C;IAC5C,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,8EAA8E;IAC9E,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,CACN,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,aAAa,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,kBAAkB,GAAG,IAAI,KACxD,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;CAC1C;AAED;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,KAAK;IAGzC,MAAM,EAAE,MAAM;IACd,QAAQ,EAAE,MAAM;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;gBAHxC,OAAO,EAAE,MAAM,EACR,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,YAAA;CAKzC"}

package/dist/types.js

@@ -0,0 +1,47 @@
+/**
+ * Provenance Tracking Types
+ *
+ * Implements CAMEL-inspired data provenance tracking for prompt injection defense.
+
+/**
+ * Provenance tracking mode enum
+ */
+export var ProvenanceMode;
+(function (ProvenanceMode) {
+    /** No provenance tracking - zero overhead */
+    ProvenanceMode["NONE"] = "none";
+    /** Proxy-based tracking - runtime tracking */
+    ProvenanceMode["PROXY"] = "proxy";
+    /** AST instrumentation - compile-time tracking */
+    ProvenanceMode["AST"] = "ast";
+})(ProvenanceMode || (ProvenanceMode = {}));
+/**
+ * Data source types
+ */
+export var ProvenanceSource;
+(function (ProvenanceSource) {
+    /** Direct from user input (trusted) */
+    ProvenanceSource["USER"] = "user";
+    /** From LLM generation */
+    ProvenanceSource["LLM"] = "llm";
+    /** From tool execution */
+    ProvenanceSource["TOOL"] = "tool";
+    /** Generated by runtime/system */
+    ProvenanceSource["SYSTEM"] = "system";
+})(ProvenanceSource || (ProvenanceSource = {}));
+/**
+ * Provenance security policy violation error
+ */
+export class ProvenanceSecurityError extends Error {
+    policy;
+    toolName;
+    details;
+    constructor(message, policy, toolName, details) {
+        super(message);
+        this.policy = policy;
+        this.toolName = toolName;
+        this.details = details;
+        this.name = 'ProvenanceSecurityError';
+    }
+}
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,MAAM,CAAN,IAAY,cAOX;AAPD,WAAY,cAAc;IACzB,6CAA6C;IAC7C,+BAAa,CAAA;IACb,8CAA8C;IAC9C,iCAAe,CAAA;IACf,kDAAkD;IAClD,6BAAW,CAAA;AACZ,CAAC,EAPW,cAAc,KAAd,cAAc,QAOzB;AAED;;GAEG;AACH,MAAM,CAAN,IAAY,gBASX;AATD,WAAY,gBAAgB;IAC3B,uCAAuC;IACvC,iCAAa,CAAA;IACb,0BAA0B;IAC1B,+BAAW,CAAA;IACX,0BAA0B;IAC1B,iCAAa,CAAA;IACb,kCAAkC;IAClC,qCAAiB,CAAA;AAClB,CAAC,EATW,gBAAgB,KAAhB,gBAAgB,QAS3B;AAoID;;GAEG;AACH,MAAM,OAAO,uBAAwB,SAAQ,KAAK;IAGzC;IACA;IACA;IAJR,YACC,OAAe,EACR,MAAc,EACd,QAAgB,EAChB,OAAiC;QAExC,KAAK,CAAC,OAAO,CAAC,CAAC;QAJR,WAAM,GAAN,MAAM,CAAQ;QACd,aAAQ,GAAR,QAAQ,CAAQ;QAChB,YAAO,GAAP,OAAO,CAA0B;QAGxC,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACvC,CAAC;CACD"}

package/package.json

@@ -0,0 +1,51 @@
+{
+	"name": "@mondaydotcomorg/atp-provenance",
+	"version": "0.17.14",
+	"description": "CAMEL-inspired provenance security for LLM applications - track data origin and enforce security policies",
+	"main": "./dist/index.js",
+	"types": "./dist/index.d.ts",
+	"type": "module",
+	"exports": {
+		".": {
+			"types": "./dist/index.d.ts",
+			"import": "./dist/index.js"
+		}
+	},
+	"files": [
+		"dist",
+		"README.md"
+	],
+	"scripts": {
+		"build": "tsc",
+		"test": "jest",
+		"lint": "tsc --noEmit",
+		"clean": "rm -rf dist"
+	},
+	"keywords": [
+		"provenance",
+		"security",
+		"llm",
+		"prompt-injection",
+		"camel",
+		"agent",
+		"capability-based-security"
+	],
+	"author": "Agent Tool Protocol Team",
+	"license": "MIT",
+	"dependencies": {
+		"acorn": "^8.11.0",
+		"acorn-walk": "^8.3.0",
+		"escodegen": "^2.1.0",
+		"nanoid": "^5.0.0"
+	},
+	"devDependencies": {
+		"@types/escodegen": "^0.0.10",
+		"@types/node": "^20.10.0",
+		"typescript": "^5.3.0"
+	},
+	"repository": {
+		"type": "git",
+		"url": "https://github.com/your-org/agent-tool-protocol.git",
+		"directory": "packages/provenance"
+	}
+}