@nekzus/liop 1.2.0-alpha.9 → 1.2.0

package/dist/server/pii.js

@@ -26,6 +26,35 @@ function isLuhnValid(cardNumber) {
     }
     return sum % 10 === 0;
 }
+/**
+ * Validates an International Bank Account Number (IBAN) using ISO 7064 Modulo 97.
+ * Uses BigInt algebra to avoid JS floating point truncation with 30-digit numbers.
+ */
+function isIbanValid(iban) {
+    const sanitized = iban.replace(/\s+/g, "").toUpperCase();
+    if (!/^[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}$/.test(sanitized))
+        return false;
+    const rearranged = sanitized.substring(4) + sanitized.substring(0, 4);
+    let numericString = "";
+    for (let i = 0; i < rearranged.length; i++) {
+        const charCode = rearranged.charCodeAt(i);
+        if (charCode >= 65 && charCode <= 90) {
+            numericString += (charCode - 55).toString();
+        }
+        else if (charCode >= 48 && charCode <= 57) {
+            numericString += rearranged.charAt(i);
+        }
+        else {
+            return false;
+        }
+    }
+    try {
+        return BigInt(numericString) % 97n === 1n;
+    }
+    catch (_e) {
+        return false;
+    }
+}
 export const PII_PATTERNS = {
     EMAIL: {
         name: "EMAIL",
@@ -65,6 +94,67 @@ export const PII_PATTERNS = {
             return true;
         },
     },
+    SSN: {
+        name: "SSN",
+        pattern: /\b\d{3}[- ]?\d{2}[- ]?\d{4}\b/g,
+        validator: (match) => {
+            const digits = match.replace(/\D/g, "");
+            if (digits.length !== 9)
+                return false;
+            const area = parseInt(digits.substring(0, 3), 10);
+            if (area === 0 || area === 666 || area >= 900)
+                return false;
+            const group = parseInt(digits.substring(3, 5), 10);
+            if (group === 0)
+                return false;
+            const serial = parseInt(digits.substring(5, 9), 10);
+            if (serial === 0)
+                return false;
+            if (/^(\d)\1+$/.test(digits) || digits === "123456789")
+                return false;
+            return true;
+        },
+    },
+    IBAN: {
+        name: "IBAN",
+        pattern: /\b[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}\b/gi,
+        validator: isIbanValid,
+    },
+    PASSPORT_MRZ: {
+        name: "PASSPORT_MRZ",
+        // Machina Readable Zone line match for standard international passports
+        pattern: /\bP[A-Z<][A-Z<]{3}[A-Z0-9<]{39}(?:\b|\s|$)/g,
+    },
+};
+/**
+ * Regional and Cultural Security Presets for Out-Of-The-Box compliance.
+ * Developers can override, merge, or omit these based on local laws.
+ */
+export const PII_PRESETS = {
+    GLOBAL_STRICT: [
+        PII_PATTERNS.EMAIL,
+        PII_PATTERNS.CREDIT_CARD,
+        PII_PATTERNS.IP_ADDRESS,
+        PII_PATTERNS.PHONE,
+        PII_PATTERNS.PASSPORT_MRZ,
+        PII_PATTERNS.IBAN,
+    ],
+    US_COMPLIANT: [
+        PII_PATTERNS.EMAIL,
+        PII_PATTERNS.CREDIT_CARD,
+        PII_PATTERNS.IP_ADDRESS,
+        PII_PATTERNS.PHONE,
+        PII_PATTERNS.SSN,
+        PII_PATTERNS.PASSPORT_MRZ,
+    ],
+    EU_GDPR: [
+        PII_PATTERNS.EMAIL,
+        PII_PATTERNS.CREDIT_CARD,
+        PII_PATTERNS.IP_ADDRESS,
+        PII_PATTERNS.PHONE,
+        PII_PATTERNS.IBAN,
+        PII_PATTERNS.PASSPORT_MRZ,
+    ],
 };
 export class PiiScanner {
     patterns;

package/dist/types.d.ts

@@ -127,3 +127,19 @@ export interface ServerInfo {
         logging?: Record<string, unknown>;
     };
 }
+export interface McpRequest {
+    method: string;
+    params?: unknown;
+    id?: string | number | null;
+    jsonrpc?: "2.0";
+}
+export interface McpResponse {
+    jsonrpc: "2.0";
+    id?: string | number | null;
+    result?: unknown;
+    error?: {
+        code: number;
+        message: string;
+        data?: unknown;
+    };
+}

package/dist/utils/logger.d.ts

@@ -0,0 +1,21 @@
+export type LogLevel = "silent" | "error" | "warn" | "info" | "debug";
+/**
+ * LiopLogger - Structured Logging Abstraction
+ * Configurable via `process.env.LIOP_LOG_LEVEL`.
+ * Emits strictly to stderr to comply with MCP stdio protocols.
+ */
+export declare class LiopLogger {
+    private static instance;
+    private level;
+    private constructor();
+    static getInstance(): LiopLogger;
+    private setLevelFromEnv;
+    setLevel(level: LogLevel): void;
+    private shouldLog;
+    private formatMessage;
+    error(message: string, ...args: unknown[]): void;
+    warn(message: string, ...args: unknown[]): void;
+    info(message: string, ...args: unknown[]): void;
+    debug(message: string, ...args: unknown[]): void;
+}
+export declare const log: LiopLogger;

package/dist/utils/logger.js

@@ -0,0 +1,70 @@
+/**
+ * LiopLogger - Structured Logging Abstraction
+ * Configurable via `process.env.LIOP_LOG_LEVEL`.
+ * Emits strictly to stderr to comply with MCP stdio protocols.
+ */
+export class LiopLogger {
+    static instance;
+    level = "info";
+    constructor() {
+        this.setLevelFromEnv();
+    }
+    static getInstance() {
+        if (!LiopLogger.instance) {
+            LiopLogger.instance = new LiopLogger();
+        }
+        return LiopLogger.instance;
+    }
+    setLevelFromEnv() {
+        const envLevel = process.env.LIOP_LOG_LEVEL?.toLowerCase();
+        if (envLevel === "silent" ||
+            envLevel === "error" ||
+            envLevel === "warn" ||
+            envLevel === "info" ||
+            envLevel === "debug") {
+            this.level = envLevel;
+        }
+        else {
+            // Default level: info
+            this.level = "info";
+        }
+    }
+    setLevel(level) {
+        this.level = level;
+    }
+    shouldLog(targetLevel) {
+        const levels = {
+            silent: 0,
+            error: 1,
+            warn: 2,
+            info: 3,
+            debug: 4,
+        };
+        return levels[this.level] >= levels[targetLevel];
+    }
+    formatMessage(level, message) {
+        const ts = new Date().toISOString();
+        return `[${ts}] [${level}] ${message}`;
+    }
+    error(message, ...args) {
+        if (this.shouldLog("error")) {
+            console.error(this.formatMessage("ERROR", message), ...args);
+        }
+    }
+    warn(message, ...args) {
+        if (this.shouldLog("warn")) {
+            console.error(this.formatMessage("WARN", message), ...args);
+        }
+    }
+    info(message, ...args) {
+        if (this.shouldLog("info")) {
+            console.error(this.formatMessage("INFO", message), ...args);
+        }
+    }
+    debug(message, ...args) {
+        if (this.shouldLog("debug")) {
+            console.error(this.formatMessage("DEBUG", message), ...args);
+        }
+    }
+}
+export const log = LiopLogger.getInstance();

package/dist/utils/mcpCompact.d.ts

@@ -0,0 +1,11 @@
+/**
+ * MCP UX: optional compact tool descriptions for clients (e.g. cloud models)
+ * that over-trigger on long "envelope / injection" wording in tools/list.
+ *
+ * Full LIOP payload format remains in prompts/get → liop_blind_analyst.
+ */
+export declare function mcpCompactToolDescriptions(): boolean;
+/**
+ * Removes SDK-appended LIOP specification blocks from a registered tool description.
+ */
+export declare function stripVerboseLiopToolDescription(description: string): string;

package/dist/utils/mcpCompact.js

@@ -0,0 +1,29 @@
+/**
+ * MCP UX: optional compact tool descriptions for clients (e.g. cloud models)
+ * that over-trigger on long "envelope / injection" wording in tools/list.
+ *
+ * Full LIOP payload format remains in prompts/get → liop_blind_analyst.
+ */
+export function mcpCompactToolDescriptions() {
+    const v = process.env.LIOP_MCP_COMPACT_TOOL_DESCRIPTIONS?.toLowerCase().trim();
+    return v === "1" || v === "true" || v === "yes";
+}
+/**
+ * Removes SDK-appended LIOP specification blocks from a registered tool description.
+ */
+export function stripVerboseLiopToolDescription(description) {
+    let d = description;
+    const markers = [
+        "\n\n[LIOP-PROTO-V1:",
+        "\r\n\r\n[LIOP-PROTO-V1:",
+        "\n[LIOP-PROTO-V1:", // rare
+    ];
+    for (const m of markers) {
+        const i = d.indexOf(m);
+        if (i !== -1) {
+            d = d.slice(0, i);
+            break;
+        }
+    }
+    return d.trimEnd();
+}

package/dist/workers/logic-execution.d.ts

@@ -11,7 +11,7 @@ export interface WorkerData {
 }
 export default function processLogicExecution(data: WorkerData): Promise<{
     image_id: string;
-    output: string;
+    output: unknown;
     fuel_consumed: number;
     zk_receipt?: string;
 }>;

package/dist/workers/logic-execution.js

@@ -1,12 +1,14 @@
 import { Buffer } from "node:buffer";
 import crypto from "node:crypto";
 import { createMlKem768 } from "mlkem";
+import { deriveLogicImageDigest, normalizeLogicSource, } from "../crypto/logic-image-id.js";
 import { ASTGuardian } from "../sandbox/guardian.js";
 import { WasiSandbox } from "../sandbox/wasi.js";
 export default async function processLogicExecution(data) {
     const { ciphertext, secretKeyObj, wasmBinary, inputs, aesNonce, records, isEncrypted = true, } = data;
     let decryptedPayload;
     const decryptedInputs = {};
+    let sessionSecret = Buffer.alloc(32); // Fallback if plain text (no PQC)
     if (isEncrypted) {
         // 1. Decapsulate Kyber secret
         const sk = new Uint8Array(secretKeyObj);
@@ -14,6 +16,7 @@ export default async function processLogicExecution(data) {
         const kem = await createMlKem768();
         const sharedSecret = kem.decap(ct, sk);
         const aesKey = Buffer.from(sharedSecret);
+        sessionSecret = aesKey;
         // 2. Decrypt Main Payload (WASM/JS Code)
         // LIOP Serialization: Ciphertext = EncryptedData + 16-byte AuthTag
         const wasmBuffer = Buffer.from(wasmBinary);
@@ -63,33 +66,48 @@ export default async function processLogicExecution(data) {
     else if (decryptedPayload instanceof Buffer && !isWasm) {
         decryptedPayload = decryptedPayload.toString("utf-8");
     }
-    // Sanitization: Remove LIOP Metadata, Manifests and Logic Block markers
+    // Strip only a whole-document LIOP envelope (see logic-image-id.ts).
     if (typeof decryptedPayload === "string") {
-        decryptedPayload = decryptedPayload
-            .replace(/^\s*LIOP_MAGIC:.*?\n/g, "")
-            .replace(/^\s*MANIFEST:.*?\n/g, "")
-            .replace(/\s*---BEGIN_LOGIC---\n?/g, "")
-            .replace(/\n?---END_LOGIC---\s*$/g, "")
-            .trim();
+        decryptedPayload = normalizeLogicSource(decryptedPayload);
     }
     // 4. Instantiate and Execute WASI Sandbox (or V8 Fallback)
     const sandbox = new WasiSandbox();
     await sandbox.init();
     try {
         const result = await sandbox.execute(decryptedPayload, records, decryptedInputs);
-        // 5. Generate ZK Receipt Mock / Cryptographic Proof of Execution
-        // Simulate the computational overhead of running the logic inside a zkVM Prover like RISC Zero (~50ms test)
-        await new Promise((resolve) => setTimeout(resolve, 50));
-        const logicBuffer = decryptedPayload instanceof Buffer
-            ? decryptedPayload
-            : Buffer.from(decryptedPayload);
-        const hasher = crypto.createHash("sha256");
-        hasher.update(logicBuffer);
-        const imageId = hasher.digest("hex");
-        // Phase 5: Structured ZK-Receipt (Journal + Seal)
-        // Alpha payload with minimum entropy representing the cryptographic Seal
-        const dummySeal = crypto.randomBytes(64).toString("hex");
-        const zkReceipt = Buffer.from(`JOURNAL:${imageId}|SEAL:${dummySeal}`).toString("base64");
+        // 5. Generate Cryptographic Proof of Execution (HMAC-SHA256 Commitment)
+        let logicBytes;
+        if (typeof decryptedPayload === "string") {
+            logicBytes = Buffer.from(decryptedPayload, "utf-8");
+        }
+        else {
+            logicBytes = new Uint8Array(decryptedPayload);
+        }
+        const imageId = deriveLogicImageDigest(logicBytes).toString("hex");
+        const journal = Buffer.from(JSON.stringify({
+            image_id: imageId,
+            output_hash: crypto
+                .createHash("sha256")
+                .update(typeof result.output === "string"
+                ? result.output
+                : JSON.stringify(result.output))
+                .digest("hex"),
+            fuel: result.fuelConsumed,
+            ts: Date.now(),
+        }));
+        const seal = crypto
+            .createHmac("sha256", sessionSecret)
+            .update(journal)
+            .digest();
+        const journalLen = Buffer.alloc(2);
+        journalLen.writeUInt16BE(journal.length);
+        const receiptBuf = Buffer.concat([
+            Buffer.from([0x01]), // Receipt format v1
+            journalLen,
+            journal,
+            seal, // 32 bytes HMAC
+        ]);
+        const zkReceipt = receiptBuf.toString("base64");
         return {
             image_id: imageId,
             zk_receipt: zkReceipt,

package/dist/workers/zk-verifier.js

@@ -1,35 +1,11 @@
-import * as crypto from "node:crypto";
 import { parentPort } from "node:worker_threads";
+import { deriveLogicImageDigest } from "../crypto/logic-image-id.js";
 // Ensure this worker is used via Piscina pool
 if (!parentPort) {
     // Not fatal in Piscina, but handled appropriately
 }
-/**
- * Derives the ImageID of a logic payload following the LIOP v1 Standard.
- */
 function deriveImageId(logicPayload) {
-    // Sanitization logic for JS payloads (Magic headers, etc.)
-    let processed = Buffer.from(logicPayload);
-    const isWasm = logicPayload[0] === 0x00 && logicPayload[1] === 0x61; // \0asm
-    if (!isWasm) {
-        const text = Buffer.from(logicPayload).toString("utf-8");
-        const regex = /\s*LIOP_MAGIC:0x00FF\s*\n?\s*MANIFEST:(?<manifest>\{[\s\S]*?\})\s*\n?\s*---BEGIN_LOGIC---\n?(?<logic>[\s\S]*?)\n?---END_LOGIC---/m;
-        const match = text.match(regex);
-        if (match?.groups?.logic) {
-            processed = Buffer.from(match.groups.logic.trim());
-        }
-        else {
-            // Fallback string manipulation if no explicit full envelope
-            const clean = text
-                .replace(/^LIOP_MAGIC:.*?\n/g, "")
-                .replace(/^MANIFEST:.*?\n/g, "")
-                .replace(/---BEGIN_LOGIC---\n?/g, "")
-                .replace(/\n?---END_LOGIC---/g, "")
-                .trim();
-            processed = Buffer.from(clean);
-        }
-    }
-    return crypto.createHash("sha256").update(processed).digest();
+    return deriveLogicImageDigest(logicPayload);
 }
 /**
  * Simulates heavy ZK-Proof cryptographic verification.
@@ -46,19 +22,47 @@ async function verifyZkReceipt(payload) {
             message: `Integrity Violation: Local (${localImageIdHex.slice(0, 8)}) != Remote (${remoteImageIdHex.slice(0, 8)})`,
         };
     }
-    // 2. Structural/Mathematical Seal Verification
-    // Simulated cost of ZK Proof Polynomial Verification (~150-200ms depending on SNARK vs STARK)
-    // In Production: await verifier.verify(zkReceipt, localImageIdHex);
-    await new Promise((resolve) => setTimeout(resolve, 150));
-    if (zkReceipt.length < 32) {
+    // 2. Structural Verification: Deserialize Binary Receipt
+    const receiptBuf = Buffer.from(zkReceipt);
+    if (receiptBuf.length < 35) {
+        // 1 version + 2 len + 32 seal minimum
+        return {
+            verified: false,
+            message: "Receipt too short for binary format.",
+        };
+    }
+    const version = receiptBuf[0];
+    if (version !== 0x01) {
         return {
             verified: false,
-            message: "Invalid Receipt: Proof payload lacks minimum entropy.",
+            message: `Unknown receipt version: ${version}`,
         };
     }
+    const journalLen = receiptBuf.readUInt16BE(1);
+    const journal = receiptBuf.subarray(3, 3 + journalLen);
+    const seal = receiptBuf.subarray(3 + journalLen);
+    if (seal.length !== 32) {
+        return {
+            verified: false,
+            message: "Invalid seal length (expected 32 bytes HMAC-SHA256).",
+        };
+    }
+    // 3. Parse journal and verify imageId
+    try {
+        const journalData = JSON.parse(journal.toString());
+        if (journalData.image_id !== localImageIdHex) {
+            return {
+                verified: false,
+                message: `Journal ImageID mismatch: ${journalData.image_id.slice(0, 8)} != ${localImageIdHex.slice(0, 8)}`,
+            };
+        }
+    }
+    catch (_e) {
+        return { verified: false, message: "Failed to parse journal data." };
+    }
     return {
         verified: true,
-        message: "ZK-SNARK Mathematical Audit: SUCCESS",
+        message: "HMAC Commitment Verified: Integrity intact.",
     };
 }
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nekzus/liop",
-  "version": "1.2.0-alpha.9",
+  "version": "1.2.0",
   "description": "Official SDK for Logic-Injection-on-Origin Protocol (LIOP). Deploy Logic-on-Origin with WebAssembly at gRPC speed and bidirectional MCP compatibility.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -56,7 +56,16 @@
     "demo:client-quickstart": "pnpm --filter @liop/example-client-quickstart start",
     "demo:server-quickstart": "pnpm --filter @liop/example-server-quickstart start",
     "demo:server": "pnpm --filter @liop/example-server start",
-    "demo:client": "pnpm --filter @liop/example-client start"
+    "demo:client": "pnpm --filter @liop/example-client start",
+    "test:crossnet": "tsx tests/infra/cli/crossnet.ts",
+    "test:crossnet:burn": "tsx tests/infra/cli/crossnet-burn.ts",
+    "demo:build": "tsx tests/infra/cli/demo-build.ts",
+    "demo:start": "tsx tests/infra/cli/demo-start.ts",
+    "demo:start:rebuild": "tsx tests/infra/cli/demo-start-rebuild.ts",
+    "demo:stop": "tsx tests/infra/cli/demo-stop.ts",
+    "demo:clean": "tsx tests/infra/cli/demo-clean.ts",
+    "demo:claude": "tsx tests/infra/cli/demo-claude.ts",
+    "demo:inspector": "tsx tests/infra/cli/demo-inspector.ts"
   },
   "keywords": [
     "liop",
@@ -95,6 +104,7 @@
   },
   "devDependencies": {
     "@biomejs/biome": "^2.4.4",
+    "@opentelemetry/sdk-metrics": "^2.7.0",
     "@types/node": "^25.3.1",
     "@vitest/coverage-v8": "^4.0.18",
     "tsx": "^4.21.0",
@@ -120,6 +130,8 @@
     "@libp2p/websockets": "^10.1.7",
     "@modelcontextprotocol/sdk": "^1.28.0",
     "@multiformats/multiaddr": "^13.0.1",
+    "@opentelemetry/api": "^1.9.1",
+    "gpt-tokenizer": "^3.4.0",
     "hono": "^4.12.5",
     "it-pipe": "^3.0.1",
     "libp2p": "^3.1.3",