@nekzus/liop 2.0.0-alpha.1 → 2.0.0-alpha.2

package/dist/types.d.ts

@@ -1,8 +1,9 @@
-import { z } from "zod";
+import { z } from 'zod';
+
 /**
  * Base Protocol Types representing parity with Model Context Protocol
  */
-export declare const ToolSchema: z.ZodObject<{
+declare const ToolSchema: z.ZodObject<{
     name: z.ZodString;
     description: z.ZodOptional<z.ZodString>;
     inputSchema: z.ZodRecord<z.ZodString, z.ZodUnknown>;
@@ -15,8 +16,8 @@ export declare const ToolSchema: z.ZodObject<{
     inputSchema: Record<string, unknown>;
     description?: string | undefined;
 }>;
-export type Tool = z.infer<typeof ToolSchema>;
-export declare const ResourceSchema: z.ZodObject<{
+type Tool = z.infer<typeof ToolSchema>;
+declare const ResourceSchema: z.ZodObject<{
     uri: z.ZodString;
     name: z.ZodString;
     description: z.ZodOptional<z.ZodString>;
@@ -32,8 +33,8 @@ export declare const ResourceSchema: z.ZodObject<{
     description?: string | undefined;
     mimeType?: string | undefined;
 }>;
-export type Resource = z.infer<typeof ResourceSchema>;
-export declare const PromptSchema: z.ZodObject<{
+type Resource = z.infer<typeof ResourceSchema>;
+declare const PromptSchema: z.ZodObject<{
     name: z.ZodString;
     description: z.ZodOptional<z.ZodString>;
     arguments: z.ZodOptional<z.ZodArray<z.ZodObject<{
@@ -66,12 +67,12 @@ export declare const PromptSchema: z.ZodObject<{
         required?: boolean | undefined;
     }[] | undefined;
 }>;
-export type Prompt = z.infer<typeof PromptSchema>;
-export interface CallToolRequest {
+type Prompt = z.infer<typeof PromptSchema>;
+interface CallToolRequest {
     name: string;
     arguments?: Record<string, unknown>;
 }
-export interface CallToolResult {
+interface CallToolResult {
     content: Array<{
         type: "text" | "image" | "resource";
         text?: string;
@@ -85,11 +86,11 @@ export interface CallToolResult {
     }>;
     isError?: boolean;
 }
-export interface GetPromptRequest {
+interface GetPromptRequest {
     name: string;
     arguments?: Record<string, string>;
 }
-export interface GetPromptResult {
+interface GetPromptResult {
     description?: string;
     messages: Array<{
         role: "user" | "assistant";
@@ -110,7 +111,7 @@ export interface GetPromptResult {
         };
     }>;
 }
-export interface ServerInfo {
+interface ServerInfo {
     name: string;
     version: string;
     capabilities?: {
@@ -127,13 +128,13 @@ export interface ServerInfo {
         logging?: Record<string, unknown>;
     };
 }
-export interface McpRequest {
+interface McpRequest {
     method: string;
     params?: unknown;
     id?: string | number | null;
     jsonrpc?: "2.0";
 }
-export interface McpResponse {
+interface McpResponse {
     jsonrpc: "2.0";
     id?: string | number | null;
     result?: unknown;
@@ -143,3 +144,5 @@ export interface McpResponse {
         data?: unknown;
     };
 }
+
+export { type CallToolRequest, type CallToolResult, type GetPromptRequest, type GetPromptResult, type McpRequest, type McpResponse, type Prompt, PromptSchema, type Resource, ResourceSchema, type ServerInfo, type Tool, ToolSchema };

package/dist/types.js

@@ -1,26 +1,2 @@
-import { z } from "zod";
-/**
- * Base Protocol Types representing parity with Model Context Protocol
- */
-export const ToolSchema = z.object({
-    name: z.string(),
-    description: z.string().optional(),
-    inputSchema: z.record(z.string(), z.unknown()), // Represents a JSON Schema
-});
-export const ResourceSchema = z.object({
-    uri: z.string(),
-    name: z.string(),
-    description: z.string().optional(),
-    mimeType: z.string().optional(),
-});
-export const PromptSchema = z.object({
-    name: z.string(),
-    description: z.string().optional(),
-    arguments: z
-        .array(z.object({
-        name: z.string(),
-        description: z.string().optional(),
-        required: z.boolean().optional(),
-    }))
-        .optional(),
-});
+export{c as PromptSchema,b as ResourceSchema,a as ToolSchema}from'./chunk-HQZHZM6U.js';//# sourceMappingURL=types.js.map
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"types.js"}

package/dist/{crypto/verifier.d.ts → verifier-DTCD9imJ.d.ts}

@@ -5,7 +5,7 @@
  * It validates both the integrity of the code (ZkImageID) and the mathematical proof
  * of its execution (ZkSeal), as well as hardware-level attestation (TEE).
  */
-export declare class LiopVerifier {
+declare class LiopVerifier {
     private static zkWorkerPool;
     private getZkPool;
     /**
@@ -27,3 +27,5 @@ export declare class LiopVerifier {
      */
     deriveImageId(logicPayload: Buffer): Buffer;
 }
+
+export { LiopVerifier as L };

package/dist/verifier-RQRYXA4C.js

@@ -0,0 +1,2 @@
+export{a as LiopVerifier}from'./chunk-UVTEJYHN.js';import'./chunk-ANFXJGMP.js';import'./chunk-S6RJHZV2.js';//# sourceMappingURL=verifier-RQRYXA4C.js.map
+//# sourceMappingURL=verifier-RQRYXA4C.js.map

package/dist/verifier-RQRYXA4C.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"verifier-RQRYXA4C.js"}

package/dist/workers/logic-execution.d.ts

@@ -1,4 +1,4 @@
-export interface WorkerData {
+interface WorkerData {
     ciphertext: Uint8Array;
     secretKeyObj: ArrayLike<number>;
     kyberPublicKey: Uint8Array;
@@ -9,9 +9,11 @@ export interface WorkerData {
     isEncrypted?: boolean;
     aesNonce?: Uint8Array;
 }
-export default function processLogicExecution(data: WorkerData): Promise<{
+declare function processLogicExecution(data: WorkerData): Promise<{
     image_id: string;
     output: unknown;
     fuel_consumed: number;
     zk_receipt?: string;
 }>;
+
+export { type WorkerData, processLogicExecution as default };

package/dist/workers/logic-execution.js

@@ -1,123 +1,2 @@
-import { Buffer } from "node:buffer";
-import crypto from "node:crypto";
-import { createMlKem768 } from "mlkem";
-import { deriveLogicImageDigest, normalizeLogicSource, } from "../crypto/logic-image-id.js";
-import { ASTGuardian } from "../sandbox/guardian.js";
-import { WasiSandbox } from "../sandbox/wasi.js";
-export default async function processLogicExecution(data) {
-    const { ciphertext, secretKeyObj, wasmBinary, inputs, aesNonce, records, isEncrypted = true, } = data;
-    let decryptedPayload;
-    const decryptedInputs = {};
-    let sessionSecret = Buffer.alloc(32); // Fallback if plain text (no PQC)
-    if (isEncrypted) {
-        // 1. Decapsulate Kyber secret
-        const sk = new Uint8Array(secretKeyObj);
-        const ct = new Uint8Array(ciphertext);
-        const kem = await createMlKem768();
-        const sharedSecret = kem.decap(ct, sk);
-        const aesKey = Buffer.from(sharedSecret);
-        sessionSecret = aesKey;
-        // 2. Decrypt Main Payload (WASM/JS Code)
-        // LIOP Serialization: Ciphertext = EncryptedData + 16-byte AuthTag
-        const wasmBuffer = Buffer.from(wasmBinary);
-        const authTag = wasmBuffer.subarray(-16);
-        const encryptedData = wasmBuffer.subarray(0, -16);
-        const decipher = crypto.createDecipheriv("aes-256-gcm", aesKey, Buffer.from(aesNonce || new Uint8Array(12)));
-        decipher.setAuthTag(authTag);
-        let decrypted = decipher.update(encryptedData);
-        decrypted = Buffer.concat([decrypted, decipher.final()]);
-        decryptedPayload = decrypted;
-        // 3. Decrypt Inputs
-        for (const [key, encValue] of Object.entries(inputs || {})) {
-            const valBuffer = Buffer.from(encValue);
-            // Extract 12-byte prepended nonce, ciphertext, and 16-byte AuthTag
-            const inputNonce = valBuffer.subarray(0, 12);
-            const valTag = valBuffer.subarray(-16);
-            const valData = valBuffer.subarray(12, -16);
-            const valDecipher = crypto.createDecipheriv("aes-256-gcm", aesKey, inputNonce);
-            valDecipher.setAuthTag(valTag);
-            let valDecrypted = valDecipher.update(valData);
-            valDecrypted = Buffer.concat([valDecrypted, valDecipher.final()]);
-            decryptedInputs[key] = JSON.parse(valDecrypted.toString("utf-8"));
-        }
-    }
-    else {
-        // Transparent mode: payload is provided directly
-        // If it's WASM (Magic bytes: \0asm), keep as Buffer
-        if (wasmBinary[0] === 0x00 &&
-            wasmBinary[1] === 0x61 &&
-            wasmBinary[2] === 0x73 &&
-            wasmBinary[3] === 0x6d) {
-            decryptedPayload = Buffer.from(wasmBinary);
-        }
-        else {
-            decryptedPayload = Buffer.from(wasmBinary).toString("utf-8");
-        }
-    }
-    // 3. Inspect AST with Guardian-TS (if WASM)
-    const isWasm = decryptedPayload[0] === 0x00 &&
-        decryptedPayload[1] === 0x61 &&
-        decryptedPayload[2] === 0x73 &&
-        decryptedPayload[3] === 0x6d;
-    if (decryptedPayload instanceof Buffer && isWasm) {
-        // Ensure we pass a compatible BufferSource
-        const wasmBytes = new Uint8Array(decryptedPayload);
-        const compiledModule = await WebAssembly.compile(wasmBytes);
-        ASTGuardian.analyze(compiledModule);
-    }
-    else if (decryptedPayload instanceof Buffer && !isWasm) {
-        decryptedPayload = decryptedPayload.toString("utf-8");
-    }
-    // Strip only a whole-document LIOP envelope (see logic-image-id.ts).
-    if (typeof decryptedPayload === "string") {
-        decryptedPayload = normalizeLogicSource(decryptedPayload);
-    }
-    // 4. Instantiate and Execute WASI Sandbox (or V8 Fallback)
-    const sandbox = new WasiSandbox();
-    await sandbox.init();
-    try {
-        const result = await sandbox.execute(decryptedPayload, records, decryptedInputs);
-        // 5. Generate Cryptographic Proof of Execution (HMAC-SHA256 Commitment)
-        let logicBytes;
-        if (typeof decryptedPayload === "string") {
-            logicBytes = Buffer.from(decryptedPayload, "utf-8");
-        }
-        else {
-            logicBytes = new Uint8Array(decryptedPayload);
-        }
-        const imageId = deriveLogicImageDigest(logicBytes).toString("hex");
-        const journal = Buffer.from(JSON.stringify({
-            image_id: imageId,
-            output_hash: crypto
-                .createHash("sha256")
-                .update(typeof result.output === "string"
-                ? result.output
-                : JSON.stringify(result.output))
-                .digest("hex"),
-            fuel: result.fuelConsumed,
-            ts: Date.now(),
-        }));
-        const seal = crypto
-            .createHmac("sha256", sessionSecret)
-            .update(journal)
-            .digest();
-        const journalLen = Buffer.alloc(2);
-        journalLen.writeUInt16BE(journal.length);
-        const receiptBuf = Buffer.concat([
-            Buffer.from([0x01]), // Receipt format v1
-            journalLen,
-            journal,
-            seal, // 32 bytes HMAC
-        ]);
-        const zkReceipt = receiptBuf.toString("base64");
-        return {
-            image_id: imageId,
-            zk_receipt: zkReceipt,
-            output: result.output,
-            fuel_consumed: result.fuelConsumed,
-        };
-    }
-    finally {
-        await sandbox.teardown();
-    }
-}
+import {a,b}from'../chunk-HNDVAKEK.js';import {a as a$1,b as b$1}from'../chunk-ANFXJGMP.js';import {Buffer}from'buffer';import c from'crypto';import {createMlKem768}from'mlkem';async function I(B){let{ciphertext:D,secretKeyObj:v,wasmBinary:n,inputs:_,aesNonce:N,records:O,isEncrypted:T=true}=B,e,w={},x=Buffer.alloc(32);if(T){let r=new Uint8Array(v),o=new Uint8Array(D),a=(await createMlKem768()).decap(o,r),s=Buffer.from(a);x=s;let i=Buffer.from(n),h=i.subarray(-16),p=i.subarray(0,-16),m=c.createDecipheriv("aes-256-gcm",s,Buffer.from(N||new Uint8Array(12)));m.setAuthTag(h);let y=m.update(p);y=Buffer.concat([y,m.final()]),e=y;for(let[j,z]of Object.entries(_||{})){let l=Buffer.from(z),K=l.subarray(0,12),L=l.subarray(-16),W=l.subarray(12,-16),d=c.createDecipheriv("aes-256-gcm",s,K);d.setAuthTag(L);let g=d.update(W);g=Buffer.concat([g,d.final()]),w[j]=JSON.parse(g.toString("utf-8"));}}else n[0]===0&&n[1]===97&&n[2]===115&&n[3]===109?e=Buffer.from(n):e=Buffer.from(n).toString("utf-8");let b$2=e[0]===0&&e[1]===97&&e[2]===115&&e[3]===109;if(e instanceof Buffer&&b$2){let r=new Uint8Array(e),o=await WebAssembly.compile(r);a.analyze(o);}else e instanceof Buffer&&!b$2&&(e=e.toString("utf-8"));typeof e=="string"&&(e=a$1(e));let u=new b;await u.init();try{let r=await u.execute(e,O,w),o;typeof e=="string"?o=Buffer.from(e,"utf-8"):o=new Uint8Array(e);let f=b$1(o).toString("hex"),a=Buffer.from(JSON.stringify({image_id:f,output_hash:c.createHash("sha256").update(typeof r.output=="string"?r.output:JSON.stringify(r.output)).digest("hex"),fuel:r.fuelConsumed,ts:Date.now()})),s=c.createHmac("sha256",x).update(a).digest(),i=Buffer.alloc(2);i.writeUInt16BE(a.length);let p=Buffer.concat([Buffer.from([1]),i,a,s]).toString("base64");return {image_id:f,zk_receipt:p,output:r.output,fuel_consumed:r.fuelConsumed}}finally{await u.teardown();}}export{I as default};//# sourceMappingURL=logic-execution.js.map
+//# sourceMappingURL=logic-execution.js.map

package/dist/workers/logic-execution.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/workers/logic-execution.ts"],"names":["processLogicExecution","data","ciphertext","secretKeyObj","wasmBinary","inputs","aesNonce","records","isEncrypted","decryptedPayload","decryptedInputs","sessionSecret","Buffer","sk","ct","sharedSecret","createMlKem768","aesKey","wasmBuffer","authTag","encryptedData","decipher","crypto","decrypted","key","encValue","valBuffer","inputNonce","valTag","valData","valDecipher","valDecrypted","isWasm","wasmBytes","compiledModule","ASTGuardian","normalizeLogicSource","sandbox","WasiSandbox","result","logicBytes","imageId","deriveLogicImageDigest","journal","seal","journalLen","zkReceipt"],"mappings":"iLAsBA,eAAOA,EAA6CC,CAAAA,CAKjD,CACF,GAAM,CACL,UAAA,CAAAC,EACA,YAAA,CAAAC,CAAAA,CACA,UAAA,CAAAC,CAAAA,CACA,MAAA,CAAAC,CAAAA,CACA,SAAAC,CAAAA,CACA,OAAA,CAAAC,EACA,WAAA,CAAAC,CAAAA,CAAc,IACf,CAAA,CAAIP,CAAAA,CAEAQ,CAAAA,CACEC,CAAAA,CAA2C,EAAC,CAC9CC,EAAgBC,MAAAA,CAAO,KAAA,CAAM,EAAE,CAAA,CAEnC,GAAIJ,CAAAA,CAAa,CAEhB,IAAMK,CAAAA,CAAK,IAAI,UAAA,CAAWV,CAAY,CAAA,CAChCW,EAAK,IAAI,UAAA,CAAWZ,CAAU,CAAA,CAE9Ba,CAAAA,CAAAA,CADM,MAAMC,cAAAA,EAAe,EACR,KAAA,CAAMF,CAAAA,CAAID,CAAE,CAAA,CAC/BI,EAASL,MAAAA,CAAO,IAAA,CAAKG,CAAY,CAAA,CACvCJ,CAAAA,CAAgBM,EAIhB,IAAMC,CAAAA,CAAaN,MAAAA,CAAO,IAAA,CAAKR,CAAU,CAAA,CACnCe,EAAUD,CAAAA,CAAW,QAAA,CAAS,GAAG,CAAA,CACjCE,CAAAA,CAAgBF,EAAW,QAAA,CAAS,CAAA,CAAG,GAAG,CAAA,CAE1CG,CAAAA,CAAWC,CAAAA,CAAO,iBACvB,aAAA,CACAL,CAAAA,CACAL,MAAAA,CAAO,IAAA,CAAKN,CAAAA,EAAY,IAAI,WAAW,EAAE,CAAC,CAC3C,CAAA,CACAe,CAAAA,CAAS,UAAA,CAAWF,CAAO,CAAA,CAC3B,IAAII,EAAYF,CAAAA,CAAS,MAAA,CAAOD,CAAa,CAAA,CAC7CG,CAAAA,CAAYX,MAAAA,CAAO,MAAA,CAAO,CAACW,CAAAA,CAAWF,EAAS,KAAA,EAAO,CAAC,CAAA,CACvDZ,CAAAA,CAAmBc,EAGnB,IAAA,GAAW,CAACC,CAAAA,CAAKC,CAAQ,CAAA,GAAK,MAAA,CAAO,QAAQpB,CAAAA,EAAU,EAAE,CAAA,CAAG,CAC3D,IAAMqB,CAAAA,CAAYd,MAAAA,CAAO,IAAA,CAAKa,CAAQ,CAAA,CAEhCE,CAAAA,CAAaD,EAAU,QAAA,CAAS,CAAA,CAAG,EAAE,CAAA,CACrCE,CAAAA,CAASF,CAAAA,CAAU,SAAS,GAAG,CAAA,CAC/BG,CAAAA,CAAUH,CAAAA,CAAU,QAAA,CAAS,EAAA,CAAI,GAAG,CAAA,CAEpCI,CAAAA,CAAcR,EAAO,gBAAA,CAC1B,aAAA,CACAL,EACAU,CACD,CAAA,CACAG,CAAAA,CAAY,UAAA,CAAWF,CAAM,CAAA,CAC7B,IAAIG,CAAAA,CAAeD,CAAAA,CAAY,MAAA,CAAOD,CAAO,CAAA,CAC7CE,CAAAA,CAAenB,OAAO,MAAA,CAAO,CAACmB,CAAAA,CAAcD,CAAAA,CAAY,KAAA,EAAO,CAAC,CAAA,CAChEpB,CAAAA,CAAgBc,CAAG,CAAA,CAAI,IAAA,CAAK,MAAMO,CAAAA,CAAa,QAAA,CAAS,OAAO,CAAC,EACjE,CACD,MAIE3B,CAAAA,CAAW,CAAC,CAAA,GAAM,CAAA,EAClBA,CAAAA,CAAW,CAAC,IAAM,EAAA,EAClBA,CAAAA,CAAW,CAAC,CAAA,GAAM,GAAA,EAClBA,CAAAA,CAAW,CAAC,CAAA,GAAM,GAAA,CAElBK,EAAmBG,MAAAA,CAAO,IAAA,CAAKR,CAAU,CAAA,CAEzCK,CAAAA,CAAmBG,MAAAA,CAAO,IAAA,CAAKR,CAAU,CAAA,CAAE,SAAS,OAAO,CAAA,CAK7D,IAAM4B,GAAAA,CACLvB,CAAAA,CAAiB,CAAC,CAAA,GAAM,CAAA,EACxBA,CAAAA,CAAiB,CAAC,CAAA,GAAM,EAAA,EACxBA,EAAiB,CAAC,CAAA,GAAM,KACxBA,CAAAA,CAAiB,CAAC,IAAM,GAAA,CAEzB,GAAIA,CAAAA,YAA4BG,MAAAA,EAAUoB,GAAAA,CAAQ,CAEjD,IAAMC,CAAAA,CAAY,IAAI,UAAA,CAAWxB,CAAgB,CAAA,CAC3CyB,CAAAA,CAAiB,MAAM,WAAA,CAAY,OAAA,CAAQD,CAAS,CAAA,CAC1DE,CAAAA,CAAY,OAAA,CAAQD,CAAc,EACnC,CAAA,KAAWzB,aAA4BG,MAAAA,EAAU,CAACoB,MACjDvB,CAAAA,CAAmBA,CAAAA,CAAiB,QAAA,CAAS,OAAO,CAAA,CAAA,CAIjD,OAAOA,GAAqB,QAAA,GAC/BA,CAAAA,CAAmB2B,GAAAA,CAAqB3B,CAAgB,CAAA,CAAA,CAIzD,IAAM4B,EAAU,IAAIC,CAAAA,CACpB,MAAMD,CAAAA,CAAQ,IAAA,EAAK,CAEnB,GAAI,CACH,IAAME,EAAS,MAAMF,CAAAA,CAAQ,QAC5B5B,CAAAA,CACAF,CAAAA,CACAG,CACD,CAAA,CAGI8B,CAAAA,CACA,OAAO/B,GAAqB,QAAA,CAC/B+B,CAAAA,CAAa5B,MAAAA,CAAO,IAAA,CAAKH,CAAAA,CAAkB,OAAO,EAElD+B,CAAAA,CAAa,IAAI,UAAA,CAAW/B,CAAgB,CAAA,CAE7C,IAAMgC,EAAUC,GAAAA,CAAuBF,CAAU,EAAE,QAAA,CAAS,KAAK,EAE3DG,CAAAA,CAAU/B,MAAAA,CAAO,IAAA,CACtB,IAAA,CAAK,SAAA,CAAU,CACd,SAAU6B,CAAAA,CACV,WAAA,CAAanB,EACX,UAAA,CAAW,QAAQ,EACnB,MAAA,CACA,OAAOiB,CAAAA,CAAO,MAAA,EAAW,QAAA,CACtBA,CAAAA,CAAO,OACP,IAAA,CAAK,SAAA,CAAUA,EAAO,MAAM,CAChC,EACC,MAAA,CAAO,KAAK,CAAA,CACd,IAAA,CAAMA,CAAAA,CAAO,YAAA,CACb,GAAI,IAAA,CAAK,GAAA,EACV,CAAC,CACF,CAAA,CAEMK,EAAOtB,CAAAA,CACX,UAAA,CAAW,QAAA,CAAUX,CAAa,CAAA,CAClC,MAAA,CAAOgC,CAAO,CAAA,CACd,MAAA,GACIE,CAAAA,CAAajC,MAAAA,CAAO,MAAM,CAAC,CAAA,CACjCiC,CAAAA,CAAW,aAAA,CAAcF,CAAAA,CAAQ,MAAM,EAOvC,IAAMG,CAAAA,CANalC,MAAAA,CAAO,MAAA,CAAO,CAChCA,MAAAA,CAAO,KAAK,CAAC,CAAI,CAAC,CAAA,CAClBiC,CAAAA,CACAF,CAAAA,CACAC,CACD,CAAC,CAAA,CAC4B,SAAS,QAAQ,CAAA,CAE9C,OAAO,CACN,QAAA,CAAUH,CAAAA,CACV,UAAA,CAAYK,CAAAA,CACZ,MAAA,CAAQP,EAAO,MAAA,CACf,aAAA,CAAeA,CAAAA,CAAO,YACvB,CACD,CAAA,OAAE,CACD,MAAMF,CAAAA,CAAQ,QAAA,GACf,CACD","file":"logic-execution.js","sourcesContent":["import { Buffer } from \"node:buffer\";\nimport crypto from \"node:crypto\";\nimport { createMlKem768 } from \"mlkem\";\nimport {\n\tderiveLogicImageDigest,\n\tnormalizeLogicSource,\n} from \"../crypto/logic-image-id.js\";\nimport { ASTGuardian } from \"../sandbox/guardian.js\";\nimport { WasiSandbox } from \"../sandbox/wasi.js\";\n\nexport interface WorkerData {\n\tciphertext: Uint8Array;\n\tsecretKeyObj: ArrayLike<number>;\n\tkyberPublicKey: Uint8Array;\n\twasmBinary: Uint8Array; // Can also be JS code in non-encrypted mode\n\tinputs: Record<string, Uint8Array>;\n\trecords?: Record<string, unknown>[];\n\tsessionToken: string;\n\tisEncrypted?: boolean;\n\taesNonce?: Uint8Array;\n}\n\nexport default async function processLogicExecution(data: WorkerData): Promise<{\n\timage_id: string;\n\toutput: unknown;\n\tfuel_consumed: number;\n\tzk_receipt?: string;\n}> {\n\tconst {\n\t\tciphertext,\n\t\tsecretKeyObj,\n\t\twasmBinary,\n\t\tinputs,\n\t\taesNonce,\n\t\trecords,\n\t\tisEncrypted = true,\n\t} = data;\n\n\tlet decryptedPayload: Buffer | string;\n\tconst decryptedInputs: Record<string, unknown> = {};\n\tlet sessionSecret = Buffer.alloc(32); // Fallback if plain text (no PQC)\n\n\tif (isEncrypted) {\n\t\t// 1. Decapsulate Kyber secret\n\t\tconst sk = new Uint8Array(secretKeyObj);\n\t\tconst ct = new Uint8Array(ciphertext);\n\t\tconst kem = await createMlKem768();\n\t\tconst sharedSecret = kem.decap(ct, sk);\n\t\tconst aesKey = Buffer.from(sharedSecret);\n\t\tsessionSecret = aesKey;\n\n\t\t// 2. Decrypt Main Payload (WASM/JS Code)\n\t\t// LIOP Serialization: Ciphertext = EncryptedData + 16-byte AuthTag\n\t\tconst wasmBuffer = Buffer.from(wasmBinary);\n\t\tconst authTag = wasmBuffer.subarray(-16);\n\t\tconst encryptedData = wasmBuffer.subarray(0, -16);\n\n\t\tconst decipher = crypto.createDecipheriv(\n\t\t\t\"aes-256-gcm\",\n\t\t\taesKey,\n\t\t\tBuffer.from(aesNonce || new Uint8Array(12)),\n\t\t);\n\t\tdecipher.setAuthTag(authTag);\n\t\tlet decrypted = decipher.update(encryptedData);\n\t\tdecrypted = Buffer.concat([decrypted, decipher.final()]);\n\t\tdecryptedPayload = decrypted;\n\n\t\t// 3. Decrypt Inputs\n\t\tfor (const [key, encValue] of Object.entries(inputs || {})) {\n\t\t\tconst valBuffer = Buffer.from(encValue);\n\t\t\t// Extract 12-byte prepended nonce, ciphertext, and 16-byte AuthTag\n\t\t\tconst inputNonce = valBuffer.subarray(0, 12);\n\t\t\tconst valTag = valBuffer.subarray(-16);\n\t\t\tconst valData = valBuffer.subarray(12, -16);\n\n\t\t\tconst valDecipher = crypto.createDecipheriv(\n\t\t\t\t\"aes-256-gcm\",\n\t\t\t\taesKey,\n\t\t\t\tinputNonce,\n\t\t\t);\n\t\t\tvalDecipher.setAuthTag(valTag);\n\t\t\tlet valDecrypted = valDecipher.update(valData);\n\t\t\tvalDecrypted = Buffer.concat([valDecrypted, valDecipher.final()]);\n\t\t\tdecryptedInputs[key] = JSON.parse(valDecrypted.toString(\"utf-8\"));\n\t\t}\n\t} else {\n\t\t// Transparent mode: payload is provided directly\n\t\t// If it's WASM (Magic bytes: \\0asm), keep as Buffer\n\t\tif (\n\t\t\twasmBinary[0] === 0x00 &&\n\t\t\twasmBinary[1] === 0x61 &&\n\t\t\twasmBinary[2] === 0x73 &&\n\t\t\twasmBinary[3] === 0x6d\n\t\t) {\n\t\t\tdecryptedPayload = Buffer.from(wasmBinary);\n\t\t} else {\n\t\t\tdecryptedPayload = Buffer.from(wasmBinary).toString(\"utf-8\");\n\t\t}\n\t}\n\n\t// 3. Inspect AST with Guardian-TS (if WASM)\n\tconst isWasm =\n\t\tdecryptedPayload[0] === 0x00 &&\n\t\tdecryptedPayload[1] === 0x61 &&\n\t\tdecryptedPayload[2] === 0x73 &&\n\t\tdecryptedPayload[3] === 0x6d;\n\n\tif (decryptedPayload instanceof Buffer && isWasm) {\n\t\t// Ensure we pass a compatible BufferSource\n\t\tconst wasmBytes = new Uint8Array(decryptedPayload);\n\t\tconst compiledModule = await WebAssembly.compile(wasmBytes);\n\t\tASTGuardian.analyze(compiledModule);\n\t} else if (decryptedPayload instanceof Buffer && !isWasm) {\n\t\tdecryptedPayload = decryptedPayload.toString(\"utf-8\");\n\t}\n\n\t// Strip only a whole-document LIOP envelope (see logic-image-id.ts).\n\tif (typeof decryptedPayload === \"string\") {\n\t\tdecryptedPayload = normalizeLogicSource(decryptedPayload);\n\t}\n\n\t// 4. Instantiate and Execute WASI Sandbox (or V8 Fallback)\n\tconst sandbox = new WasiSandbox();\n\tawait sandbox.init();\n\n\ttry {\n\t\tconst result = await sandbox.execute(\n\t\t\tdecryptedPayload,\n\t\t\trecords,\n\t\t\tdecryptedInputs,\n\t\t);\n\n\t\t// 5. Generate Cryptographic Proof of Execution (HMAC-SHA256 Commitment)\n\t\tlet logicBytes: Uint8Array;\n\t\tif (typeof decryptedPayload === \"string\") {\n\t\t\tlogicBytes = Buffer.from(decryptedPayload, \"utf-8\");\n\t\t} else {\n\t\t\tlogicBytes = new Uint8Array(decryptedPayload);\n\t\t}\n\t\tconst imageId = deriveLogicImageDigest(logicBytes).toString(\"hex\");\n\n\t\tconst journal = Buffer.from(\n\t\t\tJSON.stringify({\n\t\t\t\timage_id: imageId,\n\t\t\t\toutput_hash: crypto\n\t\t\t\t\t.createHash(\"sha256\")\n\t\t\t\t\t.update(\n\t\t\t\t\t\ttypeof result.output === \"string\"\n\t\t\t\t\t\t\t? result.output\n\t\t\t\t\t\t\t: JSON.stringify(result.output),\n\t\t\t\t\t)\n\t\t\t\t\t.digest(\"hex\"),\n\t\t\t\tfuel: result.fuelConsumed,\n\t\t\t\tts: Date.now(),\n\t\t\t}),\n\t\t);\n\n\t\tconst seal = crypto\n\t\t\t.createHmac(\"sha256\", sessionSecret)\n\t\t\t.update(journal)\n\t\t\t.digest();\n\t\tconst journalLen = Buffer.alloc(2);\n\t\tjournalLen.writeUInt16BE(journal.length);\n\t\tconst receiptBuf = Buffer.concat([\n\t\t\tBuffer.from([0x01]), // Receipt format v1\n\t\t\tjournalLen,\n\t\t\tjournal,\n\t\t\tseal, // 32 bytes HMAC\n\t\t]);\n\t\tconst zkReceipt = receiptBuf.toString(\"base64\");\n\n\t\treturn {\n\t\t\timage_id: imageId,\n\t\t\tzk_receipt: zkReceipt,\n\t\t\toutput: result.output,\n\t\t\tfuel_consumed: result.fuelConsumed,\n\t\t};\n\t} finally {\n\t\tawait sandbox.teardown();\n\t}\n}\n"]}

package/dist/workers/zk-verifier.d.ts

@@ -2,7 +2,7 @@
  * ZK Verification Payload Structure.
  * Modeled after RISC Zero & SP1 Receipt formats.
  */
-export interface ZkVerificationPayload {
+interface ZkVerificationPayload {
     action: "verify_receipt";
     /** Original logic payload (JS/WASM) sent by client */
     logicPayload: Uint8Array;
@@ -16,7 +16,9 @@ export interface ZkVerificationPayload {
 /**
  * Main worker entry point for Piscina.
  */
-export default function workerHandler(task: ZkVerificationPayload): Promise<{
+declare function workerHandler(task: ZkVerificationPayload): Promise<{
     verified: boolean;
     message: string;
 }>;
+
+export { type ZkVerificationPayload, workerHandler as default };

package/dist/workers/zk-verifier.js

@@ -1,98 +1,2 @@
-import crypto from "node:crypto";
-import { parentPort } from "node:worker_threads";
-import { deriveLogicImageDigest } from "../crypto/logic-image-id.js";
-// Ensure this worker is used via Piscina pool
-if (!parentPort) {
-    // Not fatal in Piscina, but handled appropriately
-}
-function deriveImageId(logicPayload) {
-    return deriveLogicImageDigest(logicPayload);
-}
-/**
- * Simulates heavy ZK-Proof cryptographic verification.
- * In a real environment, this delegates to @risc0/verifier or SP1 FFI bindings.
- */
-async function verifyZkReceipt(payload) {
-    const { logicPayload, remoteImageIdHex, zkReceipt, sessionSecret } = payload;
-    // 1. Calculate local ImageID (Integrity Check)
-    const localImageId = deriveImageId(logicPayload);
-    const localImageIdHex = localImageId.toString("hex");
-    if (localImageIdHex !== remoteImageIdHex) {
-        return {
-            verified: false,
-            message: `Integrity Violation: Local (${localImageIdHex.slice(0, 8)}) != Remote (${remoteImageIdHex.slice(0, 8)})`,
-        };
-    }
-    // 2. Structural Verification: Deserialize Binary Receipt
-    const receiptBuf = Buffer.from(zkReceipt);
-    if (receiptBuf.length < 35) {
-        // 1 version + 2 len + 32 seal minimum
-        return {
-            verified: false,
-            message: "Receipt too short for binary format.",
-        };
-    }
-    const version = receiptBuf[0];
-    if (version !== 0x01) {
-        return {
-            verified: false,
-            message: `Unknown receipt version: ${version}`,
-        };
-    }
-    const journalLen = receiptBuf.readUInt16BE(1);
-    const journal = receiptBuf.subarray(3, 3 + journalLen);
-    const seal = receiptBuf.subarray(3 + journalLen);
-    if (seal.length !== 32) {
-        return {
-            verified: false,
-            message: "Invalid seal length (expected 32 bytes HMAC-SHA256).",
-        };
-    }
-    // 3. Parse journal and verify imageId
-    try {
-        const journalData = JSON.parse(journal.toString());
-        if (journalData.image_id !== localImageIdHex) {
-            return {
-                verified: false,
-                message: `Journal ImageID mismatch: ${journalData.image_id.slice(0, 8)} != ${localImageIdHex.slice(0, 8)}`,
-            };
-        }
-    }
-    catch (_e) {
-        return { verified: false, message: "Failed to parse journal data." };
-    }
-    // 4. Mathematical Verification (HMAC-SHA256)
-    if (sessionSecret && sessionSecret.length > 0) {
-        const expectedSeal = crypto
-            .createHmac("sha256", sessionSecret)
-            .update(journal)
-            .digest();
-        if (!crypto.timingSafeEqual(seal, expectedSeal)) {
-            return {
-                verified: false,
-                message: "Invalid seal: HMAC verification failed.",
-            };
-        }
-    }
-    return {
-        verified: true,
-        message: "HMAC Commitment Verified: Integrity intact.",
-    };
-}
-/**
- * Main worker entry point for Piscina.
- */
-export default async function workerHandler(task) {
-    try {
-        if (task.action === "verify_receipt") {
-            return await verifyZkReceipt(task);
-        }
-        throw new Error("Unknown action in ZkVerifier Worker.");
-    }
-    catch (error) {
-        return {
-            verified: false,
-            message: `Verification Error: ${error.message}`,
-        };
-    }
-}
+import {b}from'../chunk-ANFXJGMP.js';import d from'crypto';import'worker_threads';function u(e){return b(e)}async function y(e){let{logicPayload:t,remoteImageIdHex:o,zkReceipt:g,sessionSecret:n}=e,a=u(t).toString("hex");if(a!==o)return {verified:false,message:`Integrity Violation: Local (${a.slice(0,8)}) != Remote (${o.slice(0,8)})`};let r=Buffer.from(g);if(r.length<35)return {verified:false,message:"Receipt too short for binary format."};let s=r[0];if(s!==1)return {verified:false,message:`Unknown receipt version: ${s}`};let c=r.readUInt16BE(1),f=r.subarray(3,3+c),l=r.subarray(3+c);if(l.length!==32)return {verified:false,message:"Invalid seal length (expected 32 bytes HMAC-SHA256)."};try{let i=JSON.parse(f.toString());if(i.image_id!==a)return {verified:!1,message:`Journal ImageID mismatch: ${i.image_id.slice(0,8)} != ${a.slice(0,8)}`}}catch{return {verified:false,message:"Failed to parse journal data."}}if(n&&n.length>0){let i=d.createHmac("sha256",n).update(f).digest();if(!d.timingSafeEqual(l,i))return {verified:false,message:"Invalid seal: HMAC verification failed."}}return {verified:true,message:"HMAC Commitment Verified: Integrity intact."}}async function v(e){try{if(e.action==="verify_receipt")return await y(e);throw new Error("Unknown action in ZkVerifier Worker.")}catch(t){return {verified:false,message:`Verification Error: ${t.message}`}}}export{v as default};//# sourceMappingURL=zk-verifier.js.map
+//# sourceMappingURL=zk-verifier.js.map

package/dist/workers/zk-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/workers/zk-verifier.ts"],"names":["deriveImageId","logicPayload","deriveLogicImageDigest","verifyZkReceipt","payload","remoteImageIdHex","zkReceipt","sessionSecret","localImageIdHex","receiptBuf","version","journalLen","journal","seal","journalData","expectedSeal","crypto","workerHandler","task","error"],"mappings":"kFAyBA,SAASA,CAAAA,CAAcC,CAAAA,CAAkC,CACxD,OAAOC,CAAAA,CAAuBD,CAAY,CAC3C,CAMA,eAAeE,CAAAA,CACdC,CAAAA,CACkD,CAClD,GAAM,CAAE,YAAA,CAAAH,CAAAA,CAAc,gBAAA,CAAAI,CAAAA,CAAkB,SAAA,CAAAC,CAAAA,CAAW,aAAA,CAAAC,CAAc,CAAA,CAAIH,CAAAA,CAI/DI,CAAAA,CADeR,CAAAA,CAAcC,CAAY,CAAA,CACV,QAAA,CAAS,KAAK,CAAA,CAEnD,GAAIO,CAAAA,GAAoBH,CAAAA,CACvB,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,CAAA,4BAAA,EAA+BG,CAAAA,CAAgB,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,aAAA,EAAgBH,CAAAA,CAAiB,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,CAAA,CAChH,EAID,IAAMI,CAAAA,CAAa,MAAA,CAAO,IAAA,CAAKH,CAAS,CAAA,CACxC,GAAIG,CAAAA,CAAW,MAAA,CAAS,EAAA,CAEvB,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,sCACV,CAAA,CAGD,IAAMC,CAAAA,CAAUD,CAAAA,CAAW,CAAC,CAAA,CAC5B,GAAIC,CAAAA,GAAY,CAAA,CACf,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,4BAA4BA,CAAO,CAAA,CAC7C,CAAA,CAGD,IAAMC,CAAAA,CAAaF,CAAAA,CAAW,YAAA,CAAa,CAAC,CAAA,CACtCG,CAAAA,CAAUH,CAAAA,CAAW,QAAA,CAAS,CAAA,CAAG,CAAA,CAAIE,CAAU,CAAA,CAC/CE,CAAAA,CAAOJ,CAAAA,CAAW,QAAA,CAAS,CAAA,CAAIE,CAAU,CAAA,CAE/C,GAAIE,CAAAA,CAAK,MAAA,GAAW,EAAA,CACnB,OAAO,CACN,QAAA,CAAU,KAAA,CACV,QAAS,sDACV,CAAA,CAID,GAAI,CACH,IAAMC,CAAAA,CAAc,IAAA,CAAK,KAAA,CAAMF,CAAAA,CAAQ,QAAA,EAAU,CAAA,CACjD,GAAIE,CAAAA,CAAY,WAAaN,CAAAA,CAC5B,OAAO,CACN,QAAA,CAAU,CAAA,CAAA,CACV,OAAA,CAAS,CAAA,0BAAA,EAA6BM,CAAAA,CAAY,QAAA,CAAS,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,IAAA,EAAON,EAAgB,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,CACzG,CAEF,CAAA,KAAa,CACZ,OAAO,CAAE,QAAA,CAAU,KAAA,CAAO,OAAA,CAAS,+BAAgC,CACpE,CAGA,GAAID,CAAAA,EAAiBA,CAAAA,CAAc,MAAA,CAAS,CAAA,CAAG,CAC9C,IAAMQ,CAAAA,CAAeC,CAAAA,CACnB,UAAA,CAAW,QAAA,CAAUT,CAAa,CAAA,CAClC,MAAA,CAAOK,CAAO,CAAA,CACd,MAAA,EAAO,CACT,GAAI,CAACI,CAAAA,CAAO,eAAA,CAAgBH,CAAAA,CAAME,CAAY,CAAA,CAC7C,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,yCACV,CAEF,CAEA,OAAO,CACN,QAAA,CAAU,IAAA,CACV,OAAA,CAAS,6CACV,CACD,CAKA,eAAOE,CAAAA,CACNC,CAAAA,CACkD,CAClD,GAAI,CACH,GAAIA,CAAAA,CAAK,MAAA,GAAW,gBAAA,CACnB,OAAO,MAAMf,CAAAA,CAAgBe,CAAI,CAAA,CAElC,MAAM,IAAI,KAAA,CAAM,sCAAsC,CACvD,CAAA,MAASC,CAAAA,CAAO,CACf,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,CAAA,oBAAA,EAAwBA,CAAAA,CAAgB,OAAO,CAAA,CACzD,CACD,CACD","file":"zk-verifier.js","sourcesContent":["import crypto from \"node:crypto\";\nimport { parentPort } from \"node:worker_threads\";\nimport { deriveLogicImageDigest } from \"../crypto/logic-image-id.js\";\n\n// Ensure this worker is used via Piscina pool\nif (!parentPort) {\n\t// Not fatal in Piscina, but handled appropriately\n}\n\n/**\n * ZK Verification Payload Structure.\n * Modeled after RISC Zero & SP1 Receipt formats.\n */\nexport interface ZkVerificationPayload {\n\taction: \"verify_receipt\";\n\t/** Original logic payload (JS/WASM) sent by client */\n\tlogicPayload: Uint8Array;\n\t/** Expected ImageID (SHA-256) of the execution state */\n\tremoteImageIdHex: string;\n\t/** Cbor-encoded or raw buffer containing the execution Receipt (Journal + Seal) */\n\tzkReceipt: Uint8Array;\n\t/** Kyber-derived session secret to verify HMAC signature */\n\tsessionSecret?: Uint8Array;\n}\n\nfunction deriveImageId(logicPayload: Uint8Array): Buffer {\n\treturn deriveLogicImageDigest(logicPayload);\n}\n\n/**\n * Simulates heavy ZK-Proof cryptographic verification.\n * In a real environment, this delegates to @risc0/verifier or SP1 FFI bindings.\n */\nasync function verifyZkReceipt(\n\tpayload: ZkVerificationPayload,\n): Promise<{ verified: boolean; message: string }> {\n\tconst { logicPayload, remoteImageIdHex, zkReceipt, sessionSecret } = payload;\n\n\t// 1. Calculate local ImageID (Integrity Check)\n\tconst localImageId = deriveImageId(logicPayload);\n\tconst localImageIdHex = localImageId.toString(\"hex\");\n\n\tif (localImageIdHex !== remoteImageIdHex) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: `Integrity Violation: Local (${localImageIdHex.slice(0, 8)}) != Remote (${remoteImageIdHex.slice(0, 8)})`,\n\t\t};\n\t}\n\n\t// 2. Structural Verification: Deserialize Binary Receipt\n\tconst receiptBuf = Buffer.from(zkReceipt);\n\tif (receiptBuf.length < 35) {\n\t\t// 1 version + 2 len + 32 seal minimum\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: \"Receipt too short for binary format.\",\n\t\t};\n\t}\n\n\tconst version = receiptBuf[0];\n\tif (version !== 0x01) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: `Unknown receipt version: ${version}`,\n\t\t};\n\t}\n\n\tconst journalLen = receiptBuf.readUInt16BE(1);\n\tconst journal = receiptBuf.subarray(3, 3 + journalLen);\n\tconst seal = receiptBuf.subarray(3 + journalLen);\n\n\tif (seal.length !== 32) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: \"Invalid seal length (expected 32 bytes HMAC-SHA256).\",\n\t\t};\n\t}\n\n\t// 3. Parse journal and verify imageId\n\ttry {\n\t\tconst journalData = JSON.parse(journal.toString());\n\t\tif (journalData.image_id !== localImageIdHex) {\n\t\t\treturn {\n\t\t\t\tverified: false,\n\t\t\t\tmessage: `Journal ImageID mismatch: ${journalData.image_id.slice(0, 8)} != ${localImageIdHex.slice(0, 8)}`,\n\t\t\t};\n\t\t}\n\t} catch (_e) {\n\t\treturn { verified: false, message: \"Failed to parse journal data.\" };\n\t}\n\n\t// 4. Mathematical Verification (HMAC-SHA256)\n\tif (sessionSecret && sessionSecret.length > 0) {\n\t\tconst expectedSeal = crypto\n\t\t\t.createHmac(\"sha256\", sessionSecret)\n\t\t\t.update(journal)\n\t\t\t.digest();\n\t\tif (!crypto.timingSafeEqual(seal, expectedSeal)) {\n\t\t\treturn {\n\t\t\t\tverified: false,\n\t\t\t\tmessage: \"Invalid seal: HMAC verification failed.\",\n\t\t\t};\n\t\t}\n\t}\n\n\treturn {\n\t\tverified: true,\n\t\tmessage: \"HMAC Commitment Verified: Integrity intact.\",\n\t};\n}\n\n/**\n * Main worker entry point for Piscina.\n */\nexport default async function workerHandler(\n\ttask: ZkVerificationPayload,\n): Promise<{ verified: boolean; message: string }> {\n\ttry {\n\t\tif (task.action === \"verify_receipt\") {\n\t\t\treturn await verifyZkReceipt(task);\n\t\t}\n\t\tthrow new Error(\"Unknown action in ZkVerifier Worker.\");\n\t} catch (error) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: `Verification Error: ${(error as Error).message}`,\n\t\t};\n\t}\n}\n"]}

package/package.json

@@ -1,12 +1,13 @@
 {
   "name": "@nekzus/liop",
-  "version": "2.0.0-alpha.1",
+  "version": "2.0.0-alpha.2",
   "description": "Official SDK for Logic-Injection-on-Origin Protocol (LIOP). Deploy Logic-on-Origin with WebAssembly at gRPC speed and bidirectional MCP compatibility.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "bin": {
     "liop-agent": "./dist/bin/agent.js"
   },
+  "sideEffects": false,
   "files": [
     "dist",
     "README.md",
@@ -15,35 +16,35 @@
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
-      "default": "./dist/index.js"
+      "import": "./dist/index.js"
     },
     "./client": {
-      "types": "./dist/client/index.d.ts",
-      "default": "./dist/client/index.js"
+      "types": "./dist/client.d.ts",
+      "import": "./dist/client.js"
     },
     "./server": {
-      "types": "./dist/server/index.d.ts",
-      "default": "./dist/server/index.js"
+      "types": "./dist/server.d.ts",
+      "import": "./dist/server.js"
     },
     "./types": {
       "types": "./dist/types.d.ts",
-      "default": "./dist/types.js"
+      "import": "./dist/types.js"
     },
     "./bridge": {
-      "types": "./dist/bridge/index.d.ts",
-      "default": "./dist/bridge/index.js"
+      "types": "./dist/bridge.d.ts",
+      "import": "./dist/bridge.js"
     },
     "./gateway": {
-      "types": "./dist/gateway/hybrid.d.ts",
-      "default": "./dist/gateway/hybrid.js"
+      "types": "./dist/gateway.d.ts",
+      "import": "./dist/gateway.js"
     },
     "./mesh": {
-      "types": "./dist/mesh/index.d.ts",
-      "default": "./dist/mesh/index.js"
+      "types": "./dist/mesh.d.ts",
+      "import": "./dist/mesh.js"
     }
   },
   "scripts": {
-    "build": "tsc -p tsconfig.build.json && npx tsx scripts/copy-protos.ts",
+    "build": "tsup && npx tsx scripts/copy-protos.ts",
     "test": "vitest run --fileParallelism=false",
     "test:all": "vitest run --fileParallelism=false",
     "test:integration": "vitest run tests/integration --fileParallelism=false",
@@ -107,6 +108,7 @@
     "@opentelemetry/sdk-metrics": "^2.7.0",
     "@types/node": "^25.3.1",
     "@vitest/coverage-v8": "^4.0.18",
+    "tsup": "^8.5.1",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
     "vitest": "^4.0.18"
@@ -122,17 +124,15 @@
     "@libp2p/identify": "^4.0.14",
     "@libp2p/kad-dht": "^16.1.7",
     "@libp2p/mplex": "^12.0.11",
-    "@libp2p/noise": "^1.0.1",
     "@libp2p/peer-id": "^4.0.10",
     "@libp2p/peer-id-factory": "^4.0.10",
     "@libp2p/ping": "^3.0.12",
     "@libp2p/tcp": "^11.0.14",
     "@libp2p/websockets": "^10.1.7",
-    "@modelcontextprotocol/sdk": "^1.28.0",
     "@multiformats/multiaddr": "^13.0.1",
     "@opentelemetry/api": "^1.9.1",
-    "compromise": "14.15.0",
-    "gpt-tokenizer": "^3.4.0",
+    "acorn": "^8.16.0",
+    "acorn-walk": "^8.3.5",
     "hono": "^4.12.5",
     "it-pipe": "^3.0.1",
     "libp2p": "^3.1.3",
@@ -144,5 +144,18 @@
     "uint8arrays": "^3.1.1",
     "zod": "^3.23.11",
     "zod-to-json-schema": "^3.24.1"
+  },
+  "optionalDependencies": {
+    "@modelcontextprotocol/sdk": "^1.28.0",
+    "compromise": "14.15.0",
+    "gpt-tokenizer": "^3.4.0"
+  },
+  "peerDependencies": {
+    "@modelcontextprotocol/sdk": "^1.28.0"
+  },
+  "peerDependenciesMeta": {
+    "@modelcontextprotocol/sdk": {
+      "optional": true
+    }
   }
 }

package/dist/bridge/index.d.ts

@@ -1,37 +0,0 @@
-import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-import type { LiopServerOptions } from "../server/index.js";
-import { LiopServer } from "../server/index.js";
-export interface LiopBridgeOptions {
-    publishToMesh?: boolean;
-    meshIdentity?: string;
-    serverInfo?: {
-        name: string;
-        version: string;
-    };
-    security?: LiopServerOptions["security"];
-}
-/**
- * LIOP MCP Bridge
- * A bi-directional bridge that allows legacy MCP servers to join the LIOP mesh,
- * or exposes a LIOP server as an MCP-compatible stdio process for tools like Claude Desktop.
- */
-export declare class LiopMcpBridge {
-    private options;
-    private liopServer;
-    private legacyMcpServer;
-    constructor(source: LiopServer | McpServer, options?: LiopBridgeOptions);
-    /**
-     * Handles an incoming standard MCP JSON-RPC 2.0 payload.
-     * Pipes it to the underlying server (LIOP or Legacy MCP).
-     */
-    handleJsonRpcRequest(payload: Record<string, unknown>): Promise<unknown>;
-    private handleLiopToMcp;
-    private successResponse;
-    private errorResponse;
-    private verifyZkReceipt;
-    /**
-     * Connects the bridge via stdio or Mesh depending on mode.
-     */
-    connect(): Promise<void>;
-}
-export * from "./stream.js";