@nekzus/liop 2.0.0-alpha.1 → 2.0.0-alpha.3

package/dist/prompts/adapters.d.ts

@@ -1,16 +0,0 @@
-/**
- * LIOP Cross-AI Prompt Adapters (Fase 92)
- *
- * Normalizes system instructions for different LLM providers (Claude, OpenAI, Gemini)
- * to ensure they understand how to generate "Logic-on-Origin" WASM-compatible payload structures.
- */
-export type AIProvider = "claude" | "openai" | "gemini";
-export interface PromptConfig {
-    xmlStandard: boolean;
-    jsonSchemaPreferred: boolean;
-}
-/**
- * Generates specific System Prompts optimized for the provided AI.
- * This instructs the LLM on how to bypass Context-Pulling and use Logic-Injection (Zero-Shot).
- */
-export declare function generateSystemInstructions(provider: AIProvider): string;

package/dist/prompts/adapters.js

@@ -1,55 +0,0 @@
-/**
- * LIOP Cross-AI Prompt Adapters (Fase 92)
- *
- * Normalizes system instructions for different LLM providers (Claude, OpenAI, Gemini)
- * to ensure they understand how to generate "Logic-on-Origin" WASM-compatible payload structures.
- */
-const PROVIDER_CONFIGS = {
-    claude: { xmlStandard: true, jsonSchemaPreferred: false },
-    openai: { xmlStandard: false, jsonSchemaPreferred: true },
-    gemini: { xmlStandard: false, jsonSchemaPreferred: true },
-};
-/**
- * Generates specific System Prompts optimized for the provided AI.
- * This instructs the LLM on how to bypass Context-Pulling and use Logic-Injection (Zero-Shot).
- */
-export function generateSystemInstructions(provider) {
-    const config = PROVIDER_CONFIGS[provider];
-    let instructions = `[LIOP-PROTO-V1: LOGIC-ON-ORIGIN SPECIFICATION]
-You are interacting with a Logic-Injection-on-Origin Protocol (LIOP) Mesh Network.
-Unlike standard MCP where you pull context to evaluate it remotely, in LIOP you WRITE code that executes on the data's origin.
-
-### CORE PARADIGM
-When you call a tool or resource, you MUST provide a payload that represents secure sandboxed logic to be executed on the remote Node.
-The node will execute your logic securely on the raw secure data, and return only the RESULT, avoiding PII data egress.
-
-### EXECUTION RULES
-1. Provide a self-contained JavaScript syntax block that we will compile to WASM-Sandboxed logic.
-2. Rely only on standard ECMA script features (No Node.js polyfills).
-3. The logic must end by returning the calculated insights, not the raw data.
-`;
-    if (config.xmlStandard) {
-        instructions += `
-### PAYLOAD FORMATTING (CLAUDE-XML PREFERRED)
-You must wrap your logic precisely within <liop_logic> tags.
-Example:
-<liop_logic>
-const records = await liop.readResource("liop://vault/patients");
-const filtered = records.filter(r => r.disease === "Hypertension");
-return { alert: "High risk demographic", targetCount: filtered.length };
-</liop_logic>
-`;
-    }
-    else if (config.jsonSchemaPreferred) {
-        instructions += `
-### PAYLOAD FORMATTING (JSON PARSING PREFERRED)
-You must provide your logic strictly within a JSON string key called \`"logic_blob"\` inside your tool call parameters.
-Example:
-{
-  "target": "liop://vault/patients",
-  "logic_blob": "const records = await liop.readResource(args.target); return { targetCount: records.filter(r => r.disease === 'Hypertension').length };"
-}
-`;
-    }
-    return instructions;
-}

package/dist/rpc/client.d.ts

@@ -1,22 +0,0 @@
-import type * as grpc from "@grpc/grpc-js";
-import { type LiopTlsOptions } from "./tls.js";
-import type { IntentRequest, IntentResponse, LogicRequest, LogicResponse } from "./types.js";
-/**
- * LIOP gRPC Client Implementation
- * Provides a high-level interface for secure intent negotiation and logic execution.
- */
-export declare class LiopRpcClient {
-    private client;
-    constructor(address: string, tls?: LiopTlsOptions);
-    /**
-     * Negotiates intent with the remote host.
-     * Returns the ephemeral Kyber public key for payload encryption.
-     */
-    negotiateIntent(request: IntentRequest): Promise<IntentResponse>;
-    /**
-     * Pushes the encrypted Logic-on-Origin payload to the origin.
-     * Returns a stream of semantic responses and ZK proofs.
-     */
-    executeLogic(request: LogicRequest): grpc.ClientReadableStream<LogicResponse>;
-    close(): void;
-}

package/dist/rpc/client.js

@@ -1,40 +0,0 @@
-import { liopV1 } from "./proto.js";
-import { createChannelCredentials } from "./tls.js";
-/**
- * LIOP gRPC Client Implementation
- * Provides a high-level interface for secure intent negotiation and logic execution.
- */
-export class LiopRpcClient {
-    // biome-ignore lint/suspicious/noExplicitAny: internal gRPC client type
-    client;
-    constructor(address, tls) {
-        const credentials = createChannelCredentials(tls);
-        this.client = new liopV1.LogicMesh(address, credentials);
-    }
-    /**
-     * Negotiates intent with the remote host.
-     * Returns the ephemeral Kyber public key for payload encryption.
-     */
-    async negotiateIntent(request) {
-        return new Promise((resolve, reject) => {
-            this.client.NegotiateIntent(request, (error, response) => {
-                if (error) {
-                    reject(error);
-                }
-                else {
-                    resolve(response);
-                }
-            });
-        });
-    }
-    /**
-     * Pushes the encrypted Logic-on-Origin payload to the origin.
-     * Returns a stream of semantic responses and ZK proofs.
-     */
-    executeLogic(request) {
-        return this.client.ExecuteLogic(request);
-    }
-    close() {
-        this.client.close();
-    }
-}

package/dist/rpc/codec/lpm.d.ts

@@ -1,20 +0,0 @@
-/**
- * LIOP gRPC Length-Prefixed Message (LPM) Codec
- *
- * Implements the standard gRPC-over-HTTP2 framing:
- * [1 byte: Compressed Flag] [4 bytes: Message Length] [Data]
- */
-export declare class LpmCodec {
-    /**
-     * Encodes a data buffer into a gRPC Length-Prefixed Message
-     */
-    static encode(data: Uint8Array): Uint8Array;
-    /**
-     * Decodes a gRPC Length-Prefixed Message from a buffer
-     * Returns the data and the remaining buffer
-     */
-    static decode(buffer: Uint8Array): {
-        data: Uint8Array | null;
-        remaining: Uint8Array;
-    };
-}

package/dist/rpc/codec/lpm.js

@@ -1,36 +0,0 @@
-/**
- * LIOP gRPC Length-Prefixed Message (LPM) Codec
- *
- * Implements the standard gRPC-over-HTTP2 framing:
- * [1 byte: Compressed Flag] [4 bytes: Message Length] [Data]
- */
-// biome-ignore lint/complexity/noStaticOnlyClass: organizational class pattern
-export class LpmCodec {
-    /**
-     * Encodes a data buffer into a gRPC Length-Prefixed Message
-     */
-    static encode(data) {
-        const result = new Uint8Array(5 + data.length);
-        result[0] = 0; // Compressed flag
-        const dv = new DataView(result.buffer);
-        dv.setUint32(1, data.length); // Big-endian by default
-        result.set(data, 5);
-        return result;
-    }
-    /**
-     * Decodes a gRPC Length-Prefixed Message from a buffer
-     * Returns the data and the remaining buffer
-     */
-    static decode(buffer) {
-        if (buffer.length < 5)
-            return { data: null, remaining: buffer };
-        const dv = new DataView(buffer.buffer, buffer.byteOffset, buffer.byteLength);
-        const length = dv.getUint32(1);
-        if (buffer.length < 5 + length) {
-            return { data: null, remaining: buffer };
-        }
-        const data = buffer.slice(5, 5 + length);
-        const remaining = buffer.slice(5 + length);
-        return { data, remaining };
-    }
-}

package/dist/rpc/crypto/aes.d.ts

@@ -1,22 +0,0 @@
-/**
- * LIOP Symmetric Payload Encryption Wrapper
- * Uses AES-256-GCM to secure WASM Code transport over Zero-Trust networks.
- * Fully compatible with the `aes-gcm` Rust crate used by Wasmtime.
- */
-export declare const AesGcmWrapper: {
-    /**
-     * Encrypts a raw WASM payload using the shared secret negotiated via Kyber768.
-     *
-     * @param payload Raw incoming WASM byte array or string.
-     * @param sharedSecret A perfectly derived 32-byte (256-bit) shared secret array
-     * @returns The encrypted buffer to push to the GRPc stream, along with the 12-byte initialization vector natively generated.
-     */
-    encryptPayload(payload: Uint8Array | Buffer, sharedSecret: Uint8Array): {
-        ciphertext: Buffer;
-        nonce: Buffer;
-    };
-    /**
-     * Decrypts a remote Zero-Knowledge receipt using AES-256-GCM.
-     */
-    decryptPayload(ciphertextBuffer: Buffer, nonce: Buffer, sharedSecret: Uint8Array): Buffer;
-};

package/dist/rpc/crypto/aes.js

@@ -1,47 +0,0 @@
-import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
-/**
- * LIOP Symmetric Payload Encryption Wrapper
- * Uses AES-256-GCM to secure WASM Code transport over Zero-Trust networks.
- * Fully compatible with the `aes-gcm` Rust crate used by Wasmtime.
- */
-export const AesGcmWrapper = {
-    /**
-     * Encrypts a raw WASM payload using the shared secret negotiated via Kyber768.
-     *
-     * @param payload Raw incoming WASM byte array or string.
-     * @param sharedSecret A perfectly derived 32-byte (256-bit) shared secret array
-     * @returns The encrypted buffer to push to the GRPc stream, along with the 12-byte initialization vector natively generated.
-     */
-    encryptPayload(payload, sharedSecret) {
-        if (sharedSecret.length !== 32) {
-            throw new Error("Symmetric Key must be exactly 32 bytes (256 bits).");
-        }
-        // LIOP standard demands 96-bit (12 byte) IVs/Nonces for AES-GCM
-        const nonce = randomBytes(12);
-        const cipher = createCipheriv("aes-256-gcm", sharedSecret, nonce);
-        // Encrypt the payload and seal the tag
-        const encrypted = Buffer.concat([cipher.update(payload), cipher.final()]);
-        const authTag = cipher.getAuthTag(); // 16 bytes for GCM integrity
-        // In LIOP, the auth tag is strictly appended to the end of the ciphertext bytes
-        // mirroring the default serialization logic within `aes_gcm::Aes256Gcm` in Rust
-        const finalCiphertext = Buffer.concat([encrypted, authTag]);
-        return {
-            ciphertext: finalCiphertext,
-            nonce: nonce,
-        };
-    },
-    /**
-     * Decrypts a remote Zero-Knowledge receipt using AES-256-GCM.
-     */
-    decryptPayload(ciphertextBuffer, nonce, sharedSecret) {
-        if (ciphertextBuffer.length < 16) {
-            throw new Error("Invalid GCM Ciphertext; missing authentication tag length");
-        }
-        // The last 16 bytes represent the AuthTag appended by rust-aes-gcm
-        const encryptedData = ciphertextBuffer.subarray(0, -16);
-        const authTag = ciphertextBuffer.subarray(-16);
-        const decipher = createDecipheriv("aes-256-gcm", sharedSecret, nonce);
-        decipher.setAuthTag(authTag);
-        return Buffer.concat([decipher.update(encryptedData), decipher.final()]);
-    },
-};

package/dist/rpc/crypto/kyber.d.ts

@@ -1,27 +0,0 @@
-export declare const Kyber768Wrapper: {
-    /**
-     * Extracts and validates the 1184-byte Public Key from the Rust LIOP Data Node
-     * @param buffer Raw buffer sent via gRPC IntentResponse
-     */
-    importPublicKey(buffer: Uint8Array): Uint8Array;
-    /**
-     * Encapsulates a shared secret using the server's public key.
-     * Returns the 1088-byte ciphertext to be sent back, and the 32-byte shared AES secret.
-     */
-    encapsulateAsymmetric(publicKey: Uint8Array): Promise<{
-        ciphertext: Uint8Array;
-        sharedSecret: Uint8Array;
-    }>;
-    /**
-     * Generates a Kyber768 KeyPair for the server to accept intents.
-     */
-    generateKeyPair(): Promise<{
-        publicKey: Uint8Array;
-        secretKey: Uint8Array;
-    }>;
-    /**
-     * Decapsulates the shared secret using the server's secret key.
-     * Zero-fills the shared secret buffer after extraction for side-channel protection.
-     */
-    decapsulateSymmetric(ciphertext: Uint8Array, secretKey: Uint8Array): Promise<Uint8Array>;
-};

package/dist/rpc/crypto/kyber.js

@@ -1,70 +0,0 @@
-import { createMlKem768 } from "mlkem";
-/**
- * LIOP Post-Quantum Cryptography Wrapper
- * Implements ML-KEM-768 (NIST FIPS 203) for Zero-Trust secure key encapsulation
- * directly compatible with `pqcrypto-kyber` on the Mesh-Node Backend.
- *
- * Uses the `mlkem` package which provides:
- * - FIPS 203 compliance (ML-KEM standard)
- * - Constant-time validation (KyberSlash patched)
- * - ~3.5x performance improvement over legacy crystals-kyber
- */
-/** Lazy-initialized singleton for the ML-KEM-768 engine */
-let kemInstance = null;
-async function getKemInstance() {
-    if (!kemInstance) {
-        kemInstance = await createMlKem768();
-    }
-    return kemInstance;
-}
-export const Kyber768Wrapper = {
-    /**
-     * Extracts and validates the 1184-byte Public Key from the Rust LIOP Data Node
-     * @param buffer Raw buffer sent via gRPC IntentResponse
-     */
-    importPublicKey(buffer) {
-        if (buffer.length !== 1184) {
-            throw new Error(`Kyber768 Public Key must be exactly 1184 bytes (Received: ${buffer.length})`);
-        }
-        return buffer;
-    },
-    /**
-     * Encapsulates a shared secret using the server's public key.
-     * Returns the 1088-byte ciphertext to be sent back, and the 32-byte shared AES secret.
-     */
-    async encapsulateAsymmetric(publicKey) {
-        try {
-            if (publicKey.length !== 1184) {
-                throw new Error("Kyber768 Public Key must be exactly 1184 bytes.");
-            }
-            const kem = await getKemInstance();
-            const [ct, ss] = kem.encap(publicKey);
-            return {
-                ciphertext: ct,
-                sharedSecret: ss,
-            };
-        }
-        catch (error) {
-            throw new Error(`Failed to perform PQC encapsulation: ${error.message}`);
-        }
-    },
-    /**
-     * Generates a Kyber768 KeyPair for the server to accept intents.
-     */
-    async generateKeyPair() {
-        const kem = await getKemInstance();
-        const [pk, sk] = kem.generateKeyPair();
-        return {
-            publicKey: pk,
-            secretKey: sk,
-        };
-    },
-    /**
-     * Decapsulates the shared secret using the server's secret key.
-     * Zero-fills the shared secret buffer after extraction for side-channel protection.
-     */
-    async decapsulateSymmetric(ciphertext, secretKey) {
-        const kem = await getKemInstance();
-        return kem.decap(ciphertext, secretKey);
-    },
-};

package/dist/rpc/proto.d.ts

@@ -1,2 +0,0 @@
-export declare const liopProto: any;
-export declare const liopV1: any;

package/dist/rpc/proto.js

@@ -1,33 +0,0 @@
-import path from "node:path";
-import { fileURLToPath } from "node:url";
-import * as grpc from "@grpc/grpc-js";
-import * as protoLoader from "@grpc/proto-loader";
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-import * as fs from "node:fs";
-import { log } from "../utils/logger.js";
-// Selection logic
-const PROD_PROTO_PATH = path.resolve(__dirname, "../protocol/liop_core.proto");
-// 2. Fallback to monorepo development path
-const DEV_PROTO_PATH = path.resolve(__dirname, "../../../../protocol/proto/liop_core.proto");
-// Selection logic
-const PROTO_PATH = fs.existsSync(PROD_PROTO_PATH)
-    ? PROD_PROTO_PATH
-    : DEV_PROTO_PATH;
-if (!fs.existsSync(PROTO_PATH)) {
-    log.error(`[LIOP-Proto] CRITICAL: Proto file not found at ${PROTO_PATH}`);
-}
-/**
- * LIOP Proto Loader
- * Loads the core gRPC definitions for the Logic-Injection-on-Origin Protocol.
- */
-const packageDefinition = protoLoader.loadSync(PROTO_PATH, {
-    keepCase: true,
-    longs: String,
-    enums: String,
-    defaults: true,
-    oneofs: true,
-});
-// biome-ignore lint/suspicious/noExplicitAny: gRPC dynamic loading requires any for the service definition map
-export const liopProto = grpc.loadPackageDefinition(packageDefinition);
-export const liopV1 = liopProto.liop.v1;

package/dist/rpc/server.d.ts

@@ -1,13 +0,0 @@
-import * as grpc from "@grpc/grpc-js";
-import { type LiopTlsOptions } from "./tls.js";
-import type { IntentRequest, IntentResponse, LogicRequest, LogicResponse } from "./types.js";
-export declare class LiopRpcServer {
-    private server;
-    constructor();
-    addService(handlers: {
-        negotiateIntent: (call: grpc.ServerUnaryCall<IntentRequest, IntentResponse>, callback: grpc.sendUnaryData<IntentResponse>) => void;
-        executeLogic: (call: grpc.ServerWritableStream<LogicRequest, LogicResponse>) => void;
-    }): void;
-    listen(port?: number, tls?: LiopTlsOptions): Promise<number>;
-    stop(): Promise<void>;
-}

package/dist/rpc/server.js

@@ -1,50 +0,0 @@
-import * as grpc from "@grpc/grpc-js";
-import { log } from "../utils/logger.js";
-import { liopV1 } from "./proto.js";
-import { createServerCredentials } from "./tls.js";
-/**
- * LIOP gRPC Service Implementation
- * Handles intent negotiation and secure logic execution.
- */
-/** Production-grade gRPC channel options per official grpc-node recommendations */
-const GRPC_CHANNEL_OPTIONS = {
-    "grpc.keepalive_time_ms": 30_000,
-    "grpc.keepalive_timeout_ms": 10_000,
-    "grpc.keepalive_permit_without_calls": 1,
-    "grpc.max_send_message_length": -1,
-    "grpc.max_receive_message_length": -1,
-    "grpc.enable_retries": 1,
-};
-export class LiopRpcServer {
-    server;
-    constructor() {
-        this.server = new grpc.Server(GRPC_CHANNEL_OPTIONS);
-    }
-    addService(handlers) {
-        this.server.addService(liopV1.LogicMesh.service, {
-            NegotiateIntent: handlers.negotiateIntent,
-            ExecuteLogic: handlers.executeLogic,
-        });
-    }
-    async listen(port = 50051, tls) {
-        const credentials = createServerCredentials(tls);
-        return new Promise((resolve, reject) => {
-            this.server.bindAsync(`0.0.0.0:${port}`, credentials, (error, assignedPort) => {
-                if (error) {
-                    reject(error);
-                    return;
-                }
-                log.info(`[LIOP-RPC] Server listening on port ${assignedPort}`);
-                resolve(assignedPort);
-            });
-        });
-    }
-    async stop() {
-        return new Promise((resolve) => {
-            this.server.tryShutdown(() => {
-                log.info("[LIOP-RPC] Server shut down");
-                resolve();
-            });
-        });
-    }
-}

package/dist/rpc/tls.d.ts

@@ -1,26 +0,0 @@
-/**
- * LIOP TLS Configuration
- *
- * Provides conditional TLS credential factories for gRPC connections.
- * When TLS options are provided, connections are secured with mutual TLS.
- * Otherwise, falls back to insecure credentials (alpha/development mode).
- */
-import * as grpc from "@grpc/grpc-js";
-export interface LiopTlsOptions {
-    /** Path to the root CA certificate (PEM format) */
-    rootCert?: string;
-    /** Path to the server/client certificate (PEM format) */
-    certChain?: string;
-    /** Path to the private key (PEM format) */
-    privateKey?: string;
-}
-/**
- * Creates gRPC server credentials from TLS options.
- * Falls back to insecure if no options are provided.
- */
-export declare function createServerCredentials(tls?: LiopTlsOptions): grpc.ServerCredentials;
-/**
- * Creates gRPC channel credentials from TLS options.
- * Falls back to insecure if no options are provided.
- */
-export declare function createChannelCredentials(tls?: LiopTlsOptions): grpc.ChannelCredentials;

package/dist/rpc/tls.js

@@ -1,54 +0,0 @@
-/**
- * LIOP TLS Configuration
- *
- * Provides conditional TLS credential factories for gRPC connections.
- * When TLS options are provided, connections are secured with mutual TLS.
- * Otherwise, falls back to insecure credentials (alpha/development mode).
- */
-import * as fs from "node:fs";
-import * as grpc from "@grpc/grpc-js";
-import { log } from "../utils/logger.js";
-/**
- * Creates gRPC server credentials from TLS options.
- * Falls back to insecure if no options are provided.
- */
-export function createServerCredentials(tls) {
-    if (!tls?.certChain || !tls?.privateKey) {
-        return grpc.ServerCredentials.createInsecure();
-    }
-    try {
-        const rootCert = tls.rootCert ? fs.readFileSync(tls.rootCert) : null;
-        const certChain = fs.readFileSync(tls.certChain);
-        const privateKey = fs.readFileSync(tls.privateKey);
-        return grpc.ServerCredentials.createSsl(rootCert, [
-            { cert_chain: certChain, private_key: privateKey },
-        ]);
-    }
-    catch (error) {
-        log.info(`[LIOP-TLS] Failed to load certificates, falling back to insecure: ${error}`);
-        return grpc.ServerCredentials.createInsecure();
-    }
-}
-/**
- * Creates gRPC channel credentials from TLS options.
- * Falls back to insecure if no options are provided.
- */
-export function createChannelCredentials(tls) {
-    if (!tls?.rootCert) {
-        return grpc.credentials.createInsecure();
-    }
-    try {
-        const rootCert = fs.readFileSync(tls.rootCert);
-        const certChain = tls.certChain
-            ? fs.readFileSync(tls.certChain)
-            : undefined;
-        const privateKey = tls.privateKey
-            ? fs.readFileSync(tls.privateKey)
-            : undefined;
-        return grpc.credentials.createSsl(rootCert, privateKey, certChain);
-    }
-    catch (error) {
-        log.info(`[LIOP-TLS] Failed to load certificates, falling back to insecure: ${error}`);
-        return grpc.credentials.createInsecure();
-    }
-}

package/dist/rpc/types.d.ts

@@ -1,28 +0,0 @@
-/**
- * TypeScript interfaces reflecting liop_core.proto (LIOP v1)
- * Optimized for logic-on-origin and high-performance serialization.
- */
-export interface IntentRequest {
-    agent_did: string;
-    capability_hash: string;
-    proof_of_intent: Uint8Array;
-}
-export interface IntentResponse {
-    accepted: boolean;
-    session_token: string;
-    error_message: string;
-    kyber_public_key: Uint8Array;
-}
-export interface LogicRequest {
-    session_token: string;
-    wasm_binary: Uint8Array;
-    inputs: Record<string, Uint8Array>;
-    pqc_ciphertext: Uint8Array;
-    aes_nonce: Uint8Array;
-}
-export interface LogicResponse {
-    semantic_evidence: string;
-    cryptographic_proof: Uint8Array;
-    zk_receipt: Uint8Array;
-    is_error: boolean;
-}

package/dist/rpc/types.js

@@ -1,5 +0,0 @@
-/**
- * TypeScript interfaces reflecting liop_core.proto (LIOP v1)
- * Optimized for logic-on-origin and high-performance serialization.
- */
-export {};

package/dist/sandbox/guardian.d.ts

@@ -1,18 +0,0 @@
-export declare class GuardianError extends Error {
-    constructor(message: string);
-}
-/**
- * The Guardian-TS Module
- * Scans the Abstract Syntax Tree (AST) imports of incoming WASM
- * before it reaches the V8 Wasmtime engine to prevent sandbox-escape
- * zero-days, resource exhaustion bombs, and evasive execution.
- */
-export declare const ASTGuardian: {
-    /**
-     * Analyzes the WebAssembly Module interface proactively.
-     *
-     * @param module - The compiled WebAssembly.Module to inspect
-     * @throws {GuardianError} If illegal imports or capabilities are detected
-     */
-    analyze(module: WebAssembly.Module): void;
-};

package/dist/sandbox/guardian.js

@@ -1,58 +0,0 @@
-export class GuardianError extends Error {
-    constructor(message) {
-        super(`AST Sec-Policy Violation: ${message}`);
-        this.name = "GuardianError";
-    }
-}
-/**
- * The Guardian-TS Module
- * Scans the Abstract Syntax Tree (AST) imports of incoming WASM
- * before it reaches the V8 Wasmtime engine to prevent sandbox-escape
- * zero-days, resource exhaustion bombs, and evasive execution.
- */
-export const ASTGuardian = {
-    /**
-     * Analyzes the WebAssembly Module interface proactively.
-     *
-     * @param module - The compiled WebAssembly.Module to inspect
-     * @throws {GuardianError} If illegal imports or capabilities are detected
-     */
-    analyze(module) {
-        const imports = WebAssembly.Module.imports(module);
-        let _importCount = 0;
-        const ALLOWED_WASI_FUNCTIONS = new Set([
-            "fd_write",
-            "fd_read",
-            "fd_close",
-            "fd_seek",
-            "environ_get",
-            "environ_sizes_get",
-            "args_get",
-            "args_sizes_get",
-            "clock_time_get",
-            "random_get",
-            "proc_exit",
-            "fd_prestat_get",
-            "fd_prestat_dir_name",
-            "fd_fdstat_get",
-        ]);
-        for (const imp of imports) {
-            // Strict Sandbox Validation: Only allow WASI preview 1 specific whitelisted functions.
-            if (imp.module === "wasi_snapshot_preview1") {
-                if (!ALLOWED_WASI_FUNCTIONS.has(imp.name)) {
-                    throw new GuardianError(`Banned WASI Import Detected: ${imp.module}/${imp.name}`);
-                }
-            }
-            else {
-                throw new GuardianError(`Banned Host Import Module Detected: ${imp.module}`);
-            }
-            _importCount++;
-            if (_importCount > 128) {
-                throw new GuardianError("Import limit exceeded. Possible resource exhaustion attack.");
-            }
-        }
-        // In Node.js / V8, the maximum module size and function limits
-        // are natively enforced by the engine during compilation.
-        // A successfully compiled WebAssembly.Module already passed structural checks.
-    },
-};