@nekzus/liop 1.2.0 → 2.0.0-alpha.1

package/README.md

@@ -4,19 +4,19 @@
     <img alt="Logic-Injection-on-Origin Protocol Logo" src="https://res.cloudinary.com/dsvsl0b0b/image/upload/v1774702621/Neural-Mesh-Protocol/hoanw0m6tybpz5fbl12n.svg?v=20260328" width="700">
   </picture>
 
-  <h1>Logic-Injection-on-Origin Protocol (LIOP) — TypeScript SDK</h1>
+<h1>Logic-Injection-on-Origin Protocol (LIOP) — TypeScript SDK</h1>
 <p align="center">
-  <a href="https://github.com/Nekzus/Neural-Mesh-Protocol/actions/workflows/ci.yml"><img src="https://github.com/Nekzus/Neural-Mesh-Protocol/actions/workflows/ci.yml/badge.svg?event=push" alt="Github Workflow"></a>
+  <a href="https://github.com/Nekzus/LIOP/actions/workflows/ci.yml"><img src="https://github.com/Nekzus/LIOP/actions/workflows/ci.yml/badge.svg?event=push" alt="Github Workflow"></a>
   <a href="https://www.npmjs.com/package/@nekzus/liop"><img src="https://img.shields.io/npm/v/@nekzus/liop.svg" alt="npm version"></a>
   <a href="https://www.npmjs.com/package/@nekzus/liop"><img src="https://img.shields.io/npm/dm/@nekzus/liop.svg" alt="npm-month"></a>
   <a href="https://www.npmjs.com/package/@nekzus/liop"><img src="https://img.shields.io/npm/dt/@nekzus/liop.svg?style=flat" alt="npm-total"></a>
-  <a href="https://github.com/Nekzus/Neural-Mesh-Protocol/blob/main/LICENSE"><img src="https://img.shields.io/github/license/Nekzus/LIOP.svg" alt="License"></a>
-  <a href="https://liop.mintlify.app/"><img src="https://img.shields.io/badge/docs-mintlify-0D9373?style=flat" alt="Docs"></a>
+  <a href="https://github.com/Nekzus/LIOP/blob/main/LICENSE"><img src="https://img.shields.io/github/license/Nekzus/LIOP.svg" alt="License"></a>
+  <a href="https://nekzus-32.mintlify.app/"><img src="https://img.shields.io/badge/docs-mintlify-0D9373?style=flat" alt="Docs"></a>
   <a href="https://deepwiki.com/Nekzus/LIOP"><img src="https://deepwiki.com/badge.svg" alt="Ask DeepWiki"></a>
   <a href="https://paypal.me/maseortega"><img src="https://img.shields.io/badge/donate-paypal-blue.svg?style=flat-square" alt="Donate"></a>
 </p>
 
-  <p><strong>The official TypeScript SDK for the Logic-Injection-on-Origin Protocol.</strong></p>
+<p><strong>The official TypeScript SDK for the Logic-Injection-on-Origin Protocol.</strong></p>
   <p>Deploy Logic-on-Origin with WebAssembly sandboxing, gRPC-speed execution, and full MCP backward compatibility.</p>
 </div>
 
@@ -30,19 +30,19 @@ This fundamentally solves the data privacy, bandwidth, and latency challenges of
 
 ### Key Capabilities
 
-| Feature | Description |
-|:--|:--|
-| **Logic-Injection-on-Origin** | LLMs send code, not queries. Data never leaves the origin server. |
-| **MCP Drop-in Replacement** | `LiopServer` mirrors the Anthropic MCP `Server` API — tools, resources, and prompts with `Zod` schemas. |
-| **Guardian AST** | Zero-time heuristic inspection blocks sandbox escapes (`require`, `fs`, `eval`, `fetch`, prototype pollution). |
-| **WASI Sandbox** | JavaScript payloads execute inside V8 isolates with CPU fuel limits and no access to Node.js globals. |
-| **PII Shield** | Multi-layer egress filter with Regional Presets (Email, Credit Card with Luhn, IP, Phone, SSN, IBAN Mod-97, Passport MRZ) and custom keys. |
-| **ZK-Receipts** | Cryptographic proof (SHA-256 + SHA-512 seal) that the returned result was computed honestly from the injected logic. |
-| **Worker Pool** | Heavy computation (crypto, sandboxing) dispatched to OS threads via `piscina`, unblocking the V8 event loop. |
-| **Cross-AI Adapters**| Zero-Shot system prompts automatically adapt instructions for Claude (XML-heavy) vs OpenAI/Gemini (JSON-schema). |
-| **MCP Bridge** | `LiopMcpBridge` adapts any `LiopServer` to the JSON-RPC 2.0 / stdio protocol used by Claude Desktop, Cursor, etc. |
-| **Post-Quantum Ready** | ML-KEM-768 (Kyber) handshake + AES-256-GCM symmetric encryption for transport-layer security. |
-| **P2P Mesh** | Kademlia DHT discovery via `libp2p` with TCP + WebSocket + Yamux multiplexing and Noise encryption. |
+| Feature                             | Description                                                                                                                                |
+| :---------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------- |
+| **Logic-Injection-on-Origin** | LLMs send code, not queries. Data never leaves the origin server.                                                                          |
+| **MCP Drop-in Replacement**   | `LiopServer` mirrors the Anthropic MCP `Server` API — tools, resources, and prompts with `Zod` schemas.                             |
+| **Guardian AST**              | Zero-time heuristic inspection blocks sandbox escapes (`require`, `fs`, `eval`, `fetch`, prototype pollution).                     |
+| **WASI Sandbox**              | JavaScript payloads execute inside V8 isolates with CPU fuel limits and no access to Node.js globals.                                      |
+| **PII Shield**                | Multi-layer egress filter with Regional Presets (Email, Credit Card with Luhn, IP, Phone, SSN, IBAN Mod-97, Passport MRZ) and custom keys. |
+| **ZK-Receipts**               | Cryptographic proof (SHA-256 ImageID + HMAC-SHA256 seal) that the returned result was computed honestly from the injected logic.            |
+| **Worker Pool**               | Heavy computation (crypto, sandboxing) dispatched to OS threads via `piscina`, unblocking the V8 event loop.                             |
+| **Cross-AI Adapters**         | Zero-Shot system prompts automatically adapt instructions for Claude (XML-heavy) vs OpenAI/Gemini (JSON-schema).                           |
+| **MCP Bridge**                | `LiopMcpBridge` adapts any `LiopServer` to the JSON-RPC 2.0 / stdio protocol used by Claude Desktop, Cursor, etc.                      |
+| **Post-Quantum Ready**        | ML-KEM-768 (Kyber) handshake + AES-256-GCM symmetric encryption for transport-layer security.                                              |
+| **P2P Mesh**                  | Kademlia DHT discovery via `libp2p` with TCP + WebSocket + Yamux multiplexing and Noise encryption.                                      |
 
 ---
 
@@ -91,6 +91,7 @@ To use the Neural Mesh inside Claude Desktop, update your `claude_desktop_config
 ### Persistence & Identity
 
 The agent automatically manages your P2P identity:
+
 - **Identity Path**: `~/.liop/identity.json`. This file contains your unique PeerID. Keep it safe if you want to maintain a consistent identity in the mesh.
 - **Bootstrap Nodes**: By default, the agent connects to the **LIOP Alpha Nexus**. You can provide custom bootstrap addresses as CLI arguments:
   ```bash
@@ -187,9 +188,24 @@ new LiopServer(
   serverInfo: { name: string; version: string },
   config?: {
     capabilities?: Record<string, unknown>;
+    workerPool?: {
+      enabled?: boolean;           // Enable OS-thread sandboxing (default: true)
+      maxThreads?: number;         // Max worker threads (default: CPU count)
+      maxHeapMb?: number;          // V8 heap limit per worker (default: 64, env: LIOP_WORKER_MAX_HEAP_MB)
+    };
     security?: {
       piiPatterns?: PiiRule[];     // Regex/validator rules for PII detection
       forbiddenKeys?: string[];    // Keys stripped from outgoing responses
+      enableNerScanning?: boolean; // NLP entity detection via compromise (default: false)
+      rateLimit?: {                // Sliding window rate limiter per tool
+        maxPerWindow?: number;     // Max calls per window (default: 30)
+        windowMs?: number;         // Window duration in ms (default: 60000)
+      };
+    };
+    taxonomy?: {                   // Data domain classification
+      domain?: string;             // e.g., "finance", "healthcare"
+      clearanceTier?: string;      // e.g., "tier-0", "tier-1"
+      executionTypes?: string[];   // e.g., ["aggregation", "analytics"]
     };
   }
 )
@@ -197,24 +213,24 @@ new LiopServer(
 
 #### Methods
 
-| Method | Signature | Description |
-|:--|:--|:--|
-| `tool()` | `(name, description, zodSchema, handler)` | Registers a callable tool with Zod input validation. |
-| `prompt()` | `(name, description, args, handler)` | Registers a dynamic prompt template. |
-| `resource()` | `(name, uri, description?, mimeType?, content?)` | Registers a readable resource. |
-| `dataDictionary()` | `(schema, name?, uri?, description?)` | Broadcasts a data schema so LLMs can write accurate Logic-Injection-on-Origin code. |
-| `setSandboxData()` | `(records: Record[])` | Injects data into the sandbox as `env.records` for Logic-on-Origin tools. |
-| `enableZeroShotAutonomy()` | `()` | Registers the "Blind Analyst" prompt for autonomous code generation. |
-| `callTool()` | `(request: CallToolRequest)` | Invokes a registered tool (used locally or via MCP Bridge). |
-| `listTools()` | `()` | Returns all registered tools. |
-| `listPrompts()` | `()` | Returns all registered prompts. |
-| `getPrompt()` | `(request: GetPromptRequest)` | Returns a specific prompt by name. |
-| `listResources()` | `()` | Returns all registered resources. |
-| `readResource()` | `(uri: string)` | Reads a resource by URI. |
-| `getServerInfo()` | `()` | Returns the server's name and version. |
-| `connectToMesh()` | `()` | Connects to the libp2p Kademlia DHT. |
-| `clearAstCache()` | `()` | Invalidates the Guardian AST logic cache. |
-| `close()` | `()` | Destroys the worker pool and releases threads. |
+| Method                       | Signature                                          | Description                                                                         |
+| :--------------------------- | :------------------------------------------------- | :---------------------------------------------------------------------------------- |
+| `tool()`                   | `(name, description, zodSchema, handler)`        | Registers a callable tool with Zod input validation.                                |
+| `prompt()`                 | `(name, description, args, handler)`             | Registers a dynamic prompt template.                                                |
+| `resource()`               | `(name, uri, description?, mimeType?, content?)` | Registers a readable resource.                                                      |
+| `dataDictionary()`         | `(schema, name?, uri?, description?)`            | Broadcasts a data schema so LLMs can write accurate Logic-Injection-on-Origin code. |
+| `setSandboxData()`         | `(records: Record[])`                            | Injects data into the sandbox as `env.records` for Logic-on-Origin tools.         |
+| `enableZeroShotAutonomy()` | `()`                                             | Registers the "Blind Analyst" prompt for autonomous code generation.                |
+| `callTool()`               | `(request: CallToolRequest)`                     | Invokes a registered tool (used locally or via MCP Bridge).                         |
+| `listTools()`              | `()`                                             | Returns all registered tools.                                                       |
+| `listPrompts()`            | `()`                                             | Returns all registered prompts.                                                     |
+| `getPrompt()`              | `(request: GetPromptRequest)`                    | Returns a specific prompt by name.                                                  |
+| `listResources()`          | `()`                                             | Returns all registered resources.                                                   |
+| `readResource()`           | `(uri: string)`                                  | Reads a resource by URI.                                                            |
+| `getServerInfo()`          | `()`                                             | Returns the server's name and version.                                              |
+| `connectToMesh()`          | `()`                                             | Connects to the libp2p Kademlia DHT.                                                |
+| `clearAstCache()`          | `()`                                             | Invalidates the Guardian AST logic cache.                                           |
+| `close()`                  | `()`                                             | Destroys the worker pool and releases threads.                                      |
 
 ### `LiopMcpBridge`
 
@@ -226,6 +242,7 @@ await bridge.connect();
 ```
 
 **Supported JSON-RPC methods:**
+
 - `initialize` — Returns server capabilities and info
 - `tools/list` — Lists available tools
 - `tools/call` — Calls a tool (with ZK-Receipt verification)
@@ -241,22 +258,31 @@ await bridge.connect();
 ### The Shield — Multi-Layer Defense
 
 ```
-┌─────────────────────────────────────────────────────┐
-│  Layer 1: Guardian AST (Zero-Time Static Analysis)  │
-│  Blocks: require, import(), fs, eval, fetch,        │
-│  process, global, __proto__, XMLHttpRequest         │
-├─────────────────────────────────────────────────────┤
-│  Layer 2: WASI Sandbox (V8 Isolate)                 │
-│  No Node.js globals • CPU Fuel limits • 3s timeout  │
-├─────────────────────────────────────────────────────┤
-│  Layer 3: PII Shield (Egress Filter)                │
-│  Scans output for Email, SSN, Credit Card, IP       │
-│  Strips forbidden keys from response objects        │
-├─────────────────────────────────────────────────────┤
-│  Layer 4: ZK-Receipt (Integrity Verification)       │
-│  SHA-256 ImageID + SHA-512 RISC0-style Seal         │
-│  LiopMcpBridge verifies before forwarding to LLM     │
-└─────────────────────────────────────────────────────┘
+┌───────────────────────────────────────────────────────────┐
+│  Layer 1: Guardian AST (Zero-Time Static Analysis)        │
+│  Blocks: require, import(), fs, eval, fetch, process,     │
+│  global, __proto__, XMLHttpRequest • 128 import cap       │
+├───────────────────────────────────────────────────────────┤
+│  Layer 2: WASI Sandbox (V8 Isolate)                       │
+│  25 poisoned globals (incl. Date, TypedArrays) •          │
+│  CPU Fuel limits • 5s timeout • maxHeapMb (64MB default)  │
+├───────────────────────────────────────────────────────────┤
+│  Layer 3: Prototype Pollution Defense                     │
+│  Object.freeze() on 6 core prototypes (Object, Array,     │
+│  String, Number, Boolean, Function) inside sandbox IIFE   │
+├───────────────────────────────────────────────────────────┤
+│  Layer 4: PII Shield (Egress Filter)                      │
+│  Scans output for Email, SSN, Credit Card, IP, IBAN,      │
+│  Passport MRZ • Strips forbidden keys • NER opt-in        │
+├───────────────────────────────────────────────────────────┤
+│  Layer 5: Aggregation-First Policy                        │
+│  Blocks raw row export • maxOutputRows (default: 10) •    │
+│  Conditional error: detailed (dev) vs opaque (production) │
+├───────────────────────────────────────────────────────────┤
+│  Layer 6: ZK-Receipt (Integrity Verification)             │
+│  SHA-256 ImageID + HMAC-SHA256 Seal (Kyber768-derived)    │
+│  LiopMcpBridge verifies before forwarding to LLM          │
+└───────────────────────────────────────────────────────────┘
 ```
 
 ### PII Patterns
@@ -388,26 +414,27 @@ await server.connectToMesh();
 
 This package is continuously tested across multiple platforms and Node.js versions via CI/CD:
 
-- **51+ tests** spanning unit, integration, and conformance suites
+- **227+ tests** spanning unit, integration, conformance, adversarial, and crossnet suites
 - **Multi-OS matrix:** Ubuntu, Windows, macOS
 - **Node.js versions:** 22.x, 24.x
 - **Code quality:** Enforced by [Biome.js](https://biomejs.dev/) (linting + formatting)
+- **Security:** Verified defense-in-depth architecture — see [Security Architecture](https://nekzus-32.mintlify.app/typescript-sdk/security)
 
-> To run tests locally or contribute, clone the [repository](https://github.com/Nekzus/Neural-Mesh-Protocol) and follow the [Contributing Guide](https://github.com/Nekzus/Neural-Mesh-Protocol/blob/main/CONTRIBUTING.md).
+> To run tests locally or contribute, clone the [repository](https://github.com/Nekzus/LIOP) and follow the [Contributing Guide](https://github.com/Nekzus/LIOP/blob/main/CONTRIBUTING.md).
 
 ---
 
 ## Related
 
-- [LIOP Documentation](https://liop.mintlify.app/) — Full conceptual and API documentation
-- [LIOP Specification](https://github.com/Nekzus/Neural-Mesh-Protocol/blob/main/protocol/SPECIFICATION.md) — Technical specification
-- [LIOP Manifesto](https://github.com/Nekzus/Neural-Mesh-Protocol/blob/main/MANIFESTO.md) — Project philosophy
-- [Contributing Guide](https://github.com/Nekzus/Neural-Mesh-Protocol/blob/main/CONTRIBUTING.md) — How to contribute
-- [Rust Mesh Node](https://github.com/Nekzus/Neural-Mesh-Protocol/tree/main/servers/liop-node) — Native high-performance backend
-- [LIOP CLI](https://github.com/Nekzus/Neural-Mesh-Protocol/tree/main/tools/liop-cli) — Developer diagnostics
+- [LIOP Documentation](https://nekzus-32.mintlify.app/) — Full conceptual and API documentation
+- [LIOP Specification](https://github.com/Nekzus/LIOP/blob/main/protocol/SPECIFICATION.md) — Technical specification
+- [LIOP Manifesto](https://github.com/Nekzus/LIOP/blob/main/MANIFESTO.md) — Project philosophy
+- [Contributing Guide](https://github.com/Nekzus/LIOP/blob/main/CONTRIBUTING.md) — How to contribute
+- [Rust Mesh Node](https://github.com/Nekzus/LIOP/tree/main/servers/liop-node) — Native high-performance backend
+- [LIOP CLI](https://github.com/Nekzus/LIOP/tree/main/tools/liop-cli) — Developer diagnostics
 
 ---
 
 ## License
 
-[MIT](https://github.com/Nekzus/Neural-Mesh-Protocol/blob/main/LICENSE) © [Nekzus](https://github.com/Nekzus)
+[MIT](https://github.com/Nekzus/LIOP/blob/main/LICENSE) © [Nekzus](https://github.com/Nekzus)

package/dist/bridge/stream.js

@@ -120,16 +120,24 @@ export class LiopStreamBridge {
     }
     setupRoutes() {
         this.app.use("*", cors());
+        // Initialize strict zero-trust token if not provided
+        if (!process.env.ZERO_TRUST_TOKEN) {
+            process.env.ZERO_TRUST_TOKEN = randomUUID();
+            log.info("=".repeat(60));
+            log.info("⚠️ STRICT ZERO-TRUST MODE ENABLED ⚠️");
+            log.info("No ZERO_TRUST_TOKEN found in environment.");
+            log.info("A secure ephemeral token has been generated for this session:");
+            log.info(`Token: ${process.env.ZERO_TRUST_TOKEN}`);
+            log.info("=".repeat(60));
+        }
         // ZTA (Zero-Trust Architecture) Security Middleware
         this.app.use("/mcp", async (c, next) => {
             const auth = c.req.header("Authorization");
             const expectedToken = process.env.ZERO_TRUST_TOKEN;
-            if (expectedToken) {
-                if (!auth?.startsWith("Bearer ") ||
-                    auth.split(" ")[1] !== expectedToken) {
-                    log.info("[LIOP-StreamBridge] ALERT: Access denied - Invalid Zero-Trust token.");
-                    return c.json({ error: "Unauthorized: LIOP Zero-Trust Policy Enforced" }, 401);
-                }
+            if (!auth?.startsWith("Bearer ") ||
+                auth.split(" ")[1] !== expectedToken) {
+                log.info("[LIOP-StreamBridge] ALERT: Access denied - Invalid Zero-Trust token.");
+                return c.json({ error: "Unauthorized: LIOP Zero-Trust Policy Enforced" }, 401);
             }
             await next();
         });

package/dist/client/index.js

@@ -147,19 +147,19 @@ export class LiopClient {
         const _safePayload = _wasmPayload || Buffer.from("");
         // Encrypt WASM binary
         const { ciphertext: encryptedWasm, nonce: aesNonce } = AesGcmWrapper.encryptPayload(_safePayload, sharedSecret);
-        // Encrypt inputs using the SAME session nonce for the multi-payload request (Standard LIOP V1)
+        // Encrypt inputs using a fresh random nonce per input to prevent AES-GCM nonce reuse
         const encryptedInputs = {};
+        const crypto = await import("node:crypto");
         for (const [key, value] of Object.entries(request.arguments || {})) {
-            // We manually encrypt with the same nonce/key to match the Proto structure
-            // ideally we'd have per-field nonces, but for Alpha we follow the liop_core.proto v1.
-            const crypto = await import("node:crypto");
-            const cipher = crypto.createCipheriv("aes-256-gcm", sharedSecret, aesNonce);
+            const inputNonce = crypto.randomBytes(12);
+            const cipher = crypto.createCipheriv("aes-256-gcm", sharedSecret, inputNonce);
             const encrypted = Buffer.concat([
                 cipher.update(JSON.stringify(value)),
                 cipher.final(),
             ]);
             const authTag = cipher.getAuthTag();
-            encryptedInputs[key] = Buffer.concat([encrypted, authTag]);
+            // Prepend the 12-byte nonce to the ciphertext
+            encryptedInputs[key] = Buffer.concat([inputNonce, encrypted, authTag]);
         }
         // 4. Assemble and Execute gRPC LogicRequest
         const logicRequest = {
@@ -183,7 +183,7 @@ export class LiopClient {
                 hasReceivedData = true;
                 log.info("[LiopClient] Logic Executed. Verification in progress...");
                 try {
-                    const isValid = await this.verifier.verifyZkReceipt(_safePayload, Buffer.from(response.cryptographic_proof).toString("hex"), Buffer.from(response.zk_receipt));
+                    const isValid = await this.verifier.verifyZkReceipt(_safePayload, Buffer.from(response.cryptographic_proof).toString("hex"), Buffer.from(response.zk_receipt), Buffer.from(sharedSecret));
                     if (!isValid) {
                         reject(new Error("PROTOCOL INTEGRITY VIOLATION: ZK-Receipt verification failed."));
                         return;

package/dist/crypto/verifier.d.ts

@@ -15,7 +15,7 @@ export declare class LiopVerifier {
      * @param remoteImageIdHex The ImageID reported by the provider (must match our local calculation).
      * @param zkReceipt The mathematical proof (Seal + Journal) from the zkVM.
      */
-    verifyZkReceipt(logicPayload: Buffer, remoteImageIdHex: string, zkReceipt: Buffer): Promise<boolean>;
+    verifyZkReceipt(logicPayload: Buffer, remoteImageIdHex: string, zkReceipt: Buffer, sessionSecret?: Buffer): Promise<boolean>;
     /**
      * Verifies if a node is running inside an authenticated TEE (e.g. AWS Nitro).
      *

package/dist/crypto/verifier.js

@@ -49,7 +49,7 @@ export class LiopVerifier {
      * @param remoteImageIdHex The ImageID reported by the provider (must match our local calculation).
      * @param zkReceipt The mathematical proof (Seal + Journal) from the zkVM.
      */
-    async verifyZkReceipt(logicPayload, remoteImageIdHex, zkReceipt) {
+    async verifyZkReceipt(logicPayload, remoteImageIdHex, zkReceipt, sessionSecret) {
         const pool = this.getZkPool();
         if (!pool)
             throw new Error("Worker pool initialization failed");
@@ -58,6 +58,7 @@ export class LiopVerifier {
             logicPayload: new Uint8Array(logicPayload),
             remoteImageIdHex,
             zkReceipt: new Uint8Array(zkReceipt),
+            sessionSecret: sessionSecret ? new Uint8Array(sessionSecret) : undefined,
         });
         if (result.verified) {
             log.info(`[LiopVerifier] ${result.message}`);

package/dist/gateway/router.d.ts

@@ -62,6 +62,13 @@ export declare class LiopMcpRouter {
      * by searching the manifest cache. Supports exact names and suffixed names.
      */
     private resolveManifestTarget;
+    /**
+     * Redacts a PeerID for external-facing diagnostics.
+     * LIOP_DIAGNOSTIC_LEVEL controls verbosity:
+     *   - "redacted" (default): truncated to last 8 chars
+     *   - "full": complete PeerID (development only)
+     */
+    private redactPeerId;
     private transcodeMcpToLiop;
     private routeToRemoteProvider;
     private performTranscoding;

package/dist/gateway/router.js

@@ -72,6 +72,11 @@ export class LiopMcpRouter {
                 log.info(`[LIOP-Router] Failed to announce manifest: ${err instanceof Error ? err.message : String(err)}`);
             });
         }
+        // [OWASP-A01] Startup warning when diagnostic level exposes full topology
+        if (process.env.LIOP_DIAGNOSTIC_LEVEL === "full") {
+            process.stderr.write("⚠️ [LIOP-Security] Diagnostic level set to FULL — " +
+                "PeerIDs and network topology are exposed. Do NOT use in production.\n");
+        }
     }
     shouldSkipManifestQuery(peerId) {
         const state = this.manifestFailureState.get(peerId);
@@ -691,6 +696,18 @@ export class LiopMcpRouter {
         }
         return null;
     }
+    /**
+     * Redacts a PeerID for external-facing diagnostics.
+     * LIOP_DIAGNOSTIC_LEVEL controls verbosity:
+     *   - "redacted" (default): truncated to last 8 chars
+     *   - "full": complete PeerID (development only)
+     */
+    redactPeerId(peerId) {
+        const level = process.env.LIOP_DIAGNOSTIC_LEVEL || "redacted";
+        if (level === "full")
+            return peerId;
+        return `***${peerId.slice(-8)}`;
+    }
     // biome-ignore lint/suspicious/noExplicitAny: MCP JSON-RPC params/id are polymorphic
     async transcodeMcpToLiop(id, params) {
         const toolName = params.name;
@@ -724,16 +741,17 @@ export class LiopMcpRouter {
                 .map((addr) => {
                 const parts = addr.split("/");
                 const id = parts[parts.length - 1];
-                return `  • ${id ? id.slice(-8) : "Unknown"} (${addr})`;
+                return `  • ${id ? id.slice(-8) : "Unknown"} (bootstrap)`;
             })
                 .join("\n");
             const routingTableSize = this.meshNode
                 ? // biome-ignore lint/suspicious/noExplicitAny: access internal nodes
                     this.meshNode.getRoutingTableSize()
                 : 0;
-            const localPeerId = this.meshNode?.getPeerId() || "Offline";
+            const rawPeerId = this.meshNode?.getPeerId() || "Offline";
+            const localPeerId = rawPeerId === "Offline" ? rawPeerId : this.redactPeerId(rawPeerId);
             const cachedToolList = Array.from(this.manifestCache.entries())
-                .flatMap(([peerId, { manifest }]) => manifest.tools.map((t) => `  • ${t.name} (from origin: ${peerId})`))
+                .flatMap(([peerId, { manifest }]) => manifest.tools.map((t) => `  • ${t.name} (from origin: ${this.redactPeerId(peerId)})`))
                 .join("\n");
             const statusText = [
                 `LIOP Mesh Status: ${meshState === "Active" ? "Active" : "Offline"}`,

package/dist/sandbox/guardian.js

@@ -20,13 +20,36 @@ export const ASTGuardian = {
     analyze(module) {
         const imports = WebAssembly.Module.imports(module);
         let _importCount = 0;
+        const ALLOWED_WASI_FUNCTIONS = new Set([
+            "fd_write",
+            "fd_read",
+            "fd_close",
+            "fd_seek",
+            "environ_get",
+            "environ_sizes_get",
+            "args_get",
+            "args_sizes_get",
+            "clock_time_get",
+            "random_get",
+            "proc_exit",
+            "fd_prestat_get",
+            "fd_prestat_dir_name",
+            "fd_fdstat_get",
+        ]);
         for (const imp of imports) {
-            // Strict Sandbox Validation: Only allow WASI preview 1 and native LIOP functions.
-            // Reject any custom or unexpected host imports.
-            if (imp.module !== "wasi_snapshot_preview1" && imp.module !== "LIOP") {
-                throw new GuardianError(`Banned Host Import Detected: ${imp.module}/${imp.name}`);
+            // Strict Sandbox Validation: Only allow WASI preview 1 specific whitelisted functions.
+            if (imp.module === "wasi_snapshot_preview1") {
+                if (!ALLOWED_WASI_FUNCTIONS.has(imp.name)) {
+                    throw new GuardianError(`Banned WASI Import Detected: ${imp.module}/${imp.name}`);
+                }
+            }
+            else {
+                throw new GuardianError(`Banned Host Import Module Detected: ${imp.module}`);
             }
             _importCount++;
+            if (_importCount > 128) {
+                throw new GuardianError("Import limit exceeded. Possible resource exhaustion attack.");
+            }
         }
         // In Node.js / V8, the maximum module size and function limits
         // are natively enforced by the engine during compilation.

package/dist/sandbox/wasi.js

@@ -116,6 +116,24 @@ export class WasiSandbox {
             sandboxEnv.queueMicrotask = undefined;
             sandboxEnv.eval = undefined;
             sandboxEnv.Function = undefined;
+            sandboxEnv.SharedArrayBuffer = undefined;
+            sandboxEnv.Date = undefined;
+            // [DoS Defense] Block off-heap memory allocation vectors.
+            // Logic-on-Origin operates on JSON data (env.records) — binary buffers
+            // serve no legitimate purpose and enable memory exhaustion DoS.
+            // (Uint8Array(2GB) bypassed Piscina's maxOldGenerationSizeMb limit)
+            sandboxEnv.ArrayBuffer = undefined;
+            sandboxEnv.Uint8Array = undefined;
+            sandboxEnv.Int8Array = undefined;
+            sandboxEnv.Uint16Array = undefined;
+            sandboxEnv.Int16Array = undefined;
+            sandboxEnv.Uint32Array = undefined;
+            sandboxEnv.Int32Array = undefined;
+            sandboxEnv.Float32Array = undefined;
+            sandboxEnv.Float64Array = undefined;
+            sandboxEnv.BigInt64Array = undefined;
+            sandboxEnv.BigUint64Array = undefined;
+            sandboxEnv.DataView = undefined;
             // Inject strictly monitored globals
             sandboxEnv.records = JSON.parse(JSON.stringify(records)); // Deep copy safety
             sandboxEnv.env = JSON.parse(JSON.stringify(env));
@@ -154,6 +172,13 @@ export class WasiSandbox {
             const scriptCode = `
 				(function() {
 					try {
+						Object.freeze(Object.prototype);
+						Object.freeze(Array.prototype);
+						Object.freeze(String.prototype);
+						Object.freeze(Number.prototype);
+						Object.freeze(Boolean.prototype);
+						Object.freeze(Object.getPrototypeOf(function(){}));
+
 						${processedLogic}
 						if (typeof liop_main === 'function') {
 							return liop_main(env);

package/dist/security/zk.d.ts

@@ -26,7 +26,7 @@ export declare const ZkVerifier: {
      * @throws ZkVerificationError if the proof is invalid or image IDs mismatch
      * @returns true if the proof mathematically verifies the execution
      */
-    verify(receipt: ZkReceipt, expectedImageId: Buffer): boolean;
+    verify(receipt: ZkReceipt, expectedImageId: Buffer, sessionSecret?: Buffer): boolean;
     /**
      * Derives a predictable ImageID (usually a Hash) from a raw WASM binary.
      *

package/dist/security/zk.js

@@ -22,7 +22,7 @@ export const ZkVerifier = {
      * @throws ZkVerificationError if the proof is invalid or image IDs mismatch
      * @returns true if the proof mathematically verifies the execution
      */
-    verify(receipt, expectedImageId) {
+    verify(receipt, expectedImageId, sessionSecret) {
         // 1. Verify Image ID (Ensures the host executed the exact logic we sent, not a malicious one)
         if (!receipt.imageId.equals(expectedImageId)) {
             throw new ZkVerificationError("ImageID mismatch. The remote origin executed a different WASM payload.");
@@ -52,6 +52,16 @@ export const ZkVerifier = {
         catch (_e) {
             throw new ZkVerificationError("Failed to parse journal data.");
         }
+        // 4. Mathematical Verification (HMAC-SHA256)
+        if (sessionSecret && sessionSecret.length > 0) {
+            const expectedSeal = crypto
+                .createHmac("sha256", sessionSecret)
+                .update(journal)
+                .digest();
+            if (!crypto.timingSafeEqual(seal, expectedSeal)) {
+                throw new ZkVerificationError("Invalid seal: HMAC verification failed.");
+            }
+        }
         return true;
     },
     /**

package/dist/server/index.d.ts

@@ -1,8 +1,9 @@
 import { z } from "zod";
 import { MeshNode } from "../mesh/node.js";
 import type { CallToolRequest, CallToolResult, GetPromptRequest, GetPromptResult, Prompt, Resource, ServerInfo, Tool } from "../types.js";
+import { NerScanner } from "./ner-scanner.js";
 import { PII_PATTERNS, PII_PRESETS, type PiiRule, PiiScanner } from "./pii.js";
-export { PII_PATTERNS, PII_PRESETS, type PiiRule, PiiScanner };
+export { NerScanner, PII_PATTERNS, PII_PRESETS, type PiiRule, PiiScanner };
 export type ToolHandler<T extends z.ZodRawShape = z.ZodRawShape> = (args: z.infer<z.ZodObject<T>>, extra: {
     signal?: AbortSignal;
 }) => Promise<CallToolResult>;
@@ -13,10 +14,21 @@ export interface LiopServerOptions {
         minThreads?: number;
         maxThreads?: number;
         idleTimeout?: number;
+        /** Max heap memory per worker in MB (default: 64). Prevents heap bomb DoS. */
+        maxHeapMb?: number;
     };
     security?: {
         piiPatterns?: PiiRule[];
         forbiddenKeys?: string[];
+        /** Enable NLP-based Named Entity Recognition scanning on output values. */
+        enableNerScanning?: boolean;
+        /** Rate limiting configuration for tool calls (OWASP A01). */
+        rateLimit?: {
+            /** Maximum calls per window per tool (default: 30). */
+            maxPerWindow?: number;
+            /** Sliding window duration in milliseconds (default: 60000 = 1 min). */
+            windowMs?: number;
+        };
     };
     taxonomy?: {
         domain?: string;
@@ -53,6 +65,9 @@ export declare class LiopServer {
     private readonly CACHE_TTL_MS;
     private readonly THROTTLE_THRESHOLD;
     private readonly THROTTLE_COOLDOWN_MS;
+    private toolCallWindows;
+    private readonly toolCallMaxPerWindow;
+    private readonly toolCallWindowMs;
     private tools;
     private resources;
     private prompts;
@@ -128,6 +143,13 @@ export declare class LiopServer {
      * Manually invalidates the AST Logic Cache (e.g. for Zero-Day patches).
      */
     clearAstCache(): void;
+    /**
+     * Sliding window rate limiter for tool call frequency.
+     * Prevents micro-query exfiltration attacks where an attacker
+     * makes hundreds of individually-legitimate calls to reconstruct
+     * the full dataset field by field. (OWASP A01)
+     */
+    private checkToolCallRateLimit;
     /**
      * Emulates calling a tool (used locally or via LIOPMcpBridge)
      */