@nekzus/liop 2.0.0-alpha.25 → 2.0.0-alpha.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (31) hide show
  1. package/dist/bin/agent.js +1 -1
  2. package/dist/bridge.js +1 -1
  3. package/dist/{chunk-ISKM7EAL.js → chunk-AKTU6ZMX.js} +2 -2
  4. package/dist/{chunk-ISKM7EAL.js.map → chunk-AKTU6ZMX.js.map} +1 -1
  5. package/dist/{chunk-GD6EOKYV.js → chunk-BDQZURCS.js} +9 -9
  6. package/dist/chunk-BDQZURCS.js.map +1 -0
  7. package/dist/{chunk-LJQF6ULT.js → chunk-GFRRQ2EB.js} +3 -3
  8. package/dist/{chunk-LJQF6ULT.js.map → chunk-GFRRQ2EB.js.map} +1 -1
  9. package/dist/{chunk-F7B6B4XS.js → chunk-GYK2HORK.js} +3 -3
  10. package/dist/{chunk-F7B6B4XS.js.map → chunk-GYK2HORK.js.map} +1 -1
  11. package/dist/chunk-SW53FNSN.js +2 -0
  12. package/dist/chunk-SW53FNSN.js.map +1 -0
  13. package/dist/{chunk-ALLOYPMN.js → chunk-YTIMVS2I.js} +3 -3
  14. package/dist/{chunk-ALLOYPMN.js.map → chunk-YTIMVS2I.js.map} +1 -1
  15. package/dist/client.js +1 -1
  16. package/dist/gateway.js +1 -1
  17. package/dist/index.js +1 -1
  18. package/dist/server.js +1 -1
  19. package/dist/verifier-Z26UC7M4.js +2 -0
  20. package/dist/{verifier-6M7GY4TW.js.map → verifier-Z26UC7M4.js.map} +1 -1
  21. package/dist/workers/logic-execution.d.ts +7 -6
  22. package/dist/workers/logic-execution.js +1 -1
  23. package/dist/workers/logic-execution.js.map +1 -1
  24. package/dist/workers/zk-verifier.d.ts +4 -4
  25. package/dist/workers/zk-verifier.js +1 -1
  26. package/dist/workers/zk-verifier.js.map +1 -1
  27. package/package.json +1 -1
  28. package/dist/chunk-GD6EOKYV.js.map +0 -1
  29. package/dist/chunk-UVTEJYHN.js +0 -2
  30. package/dist/chunk-UVTEJYHN.js.map +0 -1
  31. package/dist/verifier-6M7GY4TW.js +0 -2
package/dist/{chunk-F7B6B4XS.js → chunk-GYK2HORK.js} RENAMED
@@ -1,3 +1,3 @@
1
- import {a}from'./chunk-S6RJHZV2.js';import {randomUUID}from'crypto';import {serve}from'@hono/node-server';import {Hono}from'hono';import {cors}from'hono/cors';var T=10,R=1800*1e3,y=60*1e3,f=class{constructor(e,r={}){this.options=r;this.app=new Hono,this.bridgeLogic=new p(e),this.activeSessions=new Map,this.maxSessionsPerIp=r.maxSessionsPerIp??T,this.sessionTimeoutMs=r.sessionTimeoutMs??R,this.setupRoutes();}app;httpServer=null;bridgeLogic;activeSessions;evictionTimer=null;maxSessionsPerIp;sessionTimeoutMs;async createSessionTransport(e){let{WebStandardStreamableHTTPServerTransport:r}=await import('@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js'),s=new r({sessionIdGenerator:()=>randomUUID(),onsessioninitialized:t=>{this.activeSessions.set(t,{transport:s,lastActivity:Date.now(),clientIp:e}),a.info(`[LIOP-StreamBridge] Session opened: ${t} (IP: ${e})`);}});return s.onmessage=async t=>{if(s.sessionId){let i=this.activeSessions.get(s.sessionId);i&&(i.lastActivity=Date.now());}try{let i=await this.bridgeLogic.handleJsonRpcRequest(t);i!==void 0&&await s.send(i);}catch(i){a.info("[LIOP-StreamBridge] JSON-RPC error:",i.message);}},s.onclose=()=>{s.sessionId&&(this.activeSessions.delete(s.sessionId),a.info(`[LIOP-StreamBridge] Session closed: ${s.sessionId}`));},s}countSessionsByIp(e){let r=0;for(let s of this.activeSessions.values())s.clientIp===e&&r++;return r}getClientIp(e){return e.req.header("x-forwarded-for")?.split(",")[0]?.trim()||e.req.header("x-real-ip")||"unknown"}evictIdleSessions(){let e=Date.now();for(let[r,s]of this.activeSessions)e-s.lastActivity>this.sessionTimeoutMs&&(a.info(`[LIOP-StreamBridge] Evicting idle session: ${r}`),s.transport.close().catch(()=>{}),this.activeSessions.delete(r));}setupRoutes(){this.app.use("*",cors()),process.env.ZERO_TRUST_TOKEN||(process.env.ZERO_TRUST_TOKEN=randomUUID(),a.info("=".repeat(60)),a.info("\u26A0\uFE0F STRICT ZERO-TRUST MODE ENABLED \u26A0\uFE0F"),a.info("No ZERO_TRUST_TOKEN found in environment."),a.info("A secure ephemeral token has been generated for this session:"),a.info(`Token: ${process.env.ZERO_TRUST_TOKEN}`),a.info("=".repeat(60))),this.app.use("/mcp",async(e,r)=>{let s=e.req.header("Authorization"),t=process.env.ZERO_TRUST_TOKEN;if(!s?.startsWith("Bearer ")||s.split(" ")[1]!==t)return a.info("[LIOP-StreamBridge] ALERT: Access denied - Invalid Zero-Trust token."),e.json({error:"Unauthorized: LIOP Zero-Trust Policy Enforced"},401);await r();}),this.app.all("/mcp",async e=>{let r=e.req.header("mcp-session-id");if(r){let o=this.activeSessions.get(r);if(!o)return e.json({error:"Session not found"},404);o.lastActivity=Date.now();let c=await o.transport.handleRequest(e.req.raw);return e.req.method==="DELETE"&&(this.activeSessions.delete(r),a.info(`[LIOP-StreamBridge] Session closed (DELETE): ${r}`)),c}let s=this.getClientIp(e),t=this.countSessionsByIp(s);return t>=this.maxSessionsPerIp?(a.info(`[LIOP-StreamBridge] Rate limit hit for IP: ${s} (${t} sessions)`),e.json({error:"Too Many Sessions: Rate limit exceeded"},429)):await(await this.createSessionTransport(s)).handleRequest(e.req.raw)});}async start(e){let r=e??this.options.port??3e3;return this.evictionTimer=setInterval(()=>this.evictIdleSessions(),y),new Promise(s=>{this.httpServer=serve({fetch:this.app.fetch,port:r},t=>{a.info(`[LIOP-StreamBridge] Streamable HTTP Gateway on http://localhost:${t.port}/mcp`),s();});})}async stop(){this.evictionTimer&&(clearInterval(this.evictionTimer),this.evictionTimer=null);for(let[e,r]of this.activeSessions)await r.transport.close(),this.activeSessions.delete(e);this.httpServer&&(this.httpServer.close(),a.info("[LIOP-StreamBridge] HTTP ports released."));}};var p=class{constructor(e,r={}){this.options=r;e?.constructor?.name==="LiopServer"?(this.liopServer=e,a.info("[LIOP-Bridge] Mode: EXPOSE (LIOP -> MCP Stdio)")):e?.constructor?.name==="McpServer"?(this.legacyMcpServer=e,a.info("[LIOP-Bridge] Mode: WRAP (Legacy MCP -> LIOP Mesh)")):(this.legacyMcpServer=e,a.info("[LIOP-Bridge] Mode: WRAP (Inferred Legacy MCP -> LIOP Mesh)"));}liopServer=null;legacyMcpServer=null;async handleJsonRpcRequest(e){let r=e.id,s=e.method,t=e.params;return e.jsonrpc!=="2.0"?this.errorResponse(r,-32600,"Invalid Request"):this.liopServer?this.handleLiopToMcp(r,s,t):this.legacyMcpServer&&this.liopServer?this.handleLiopToMcp(r,s,t):this.errorResponse(r,-32601,"Bridge source not configured")}async handleLiopToMcp(e,r,s){if(!this.liopServer)return null;if(r==="initialize")return this.successResponse(e,{protocolVersion:"2025-11-25",capabilities:{prompts:{},resources:{},tools:{}},serverInfo:this.liopServer.getServerInfo()});if(r!=="notifications/initialized"){if(r==="ping")return this.successResponse(e,{});if(r==="tools/list"){let t=this.liopServer.listTools();return this.successResponse(e,{tools:t})}if(r==="resources/list"){let t=this.liopServer.listResources();return this.successResponse(e,{resources:t})}if(r==="prompts/list"){let t=this.liopServer.listPrompts();return this.successResponse(e,{prompts:t})}if(r==="prompts/get"){if(!s?.name)return this.errorResponse(e,-32602,"Missing prompt name");try{let t=await this.liopServer.getPrompt({name:s.name,arguments:s.arguments});return this.successResponse(e,t)}catch(t){return this.errorResponse(e,-32e3,t.message)}}if(r==="resources/read"){if(!s?.uri)return this.errorResponse(e,-32602,"Missing resource URI");try{let t=await this.liopServer.readResource(s.uri);return this.successResponse(e,t)}catch(t){return this.errorResponse(e,-32e3,t.message)}}if(r==="tools/call"){if(!s?.name)return this.errorResponse(e,-32602,"Missing tool name");let t={name:s.name,arguments:s.arguments||{}};try{let i=await this.liopServer.callTool(t);return (i.isError?!0:await this.verifyZkReceipt(t,i))?this.successResponse(e,i):this.successResponse(e,{content:[{type:"text",text:"ALERT [LIOP ZERO-TRUST SHIELD] ZK Verification Failed. The mathematical ImageID does not match the original payload."}],isError:!0})}catch(i){return this.errorResponse(e,-32e3,i.message)}}return this.errorResponse(e,-32601,"Method not found")}}successResponse(e,r){return {jsonrpc:"2.0",id:e,result:r}}errorResponse(e,r,s){return {jsonrpc:"2.0",id:e,error:{code:r,message:s}}}async verifyZkReceipt(e,r){if(!e.arguments?.payload||typeof e.arguments.payload!="string")return true;try{let s=e.arguments.payload,t=r.content[0]?.text;if(t&&typeof t=="string")try{let i=JSON.parse(t);if(i.image_id||i.zk_receipt){let{LiopVerifier:o}=await import('./verifier-6M7GY4TW.js');if(!await new o().verifyZkReceipt(Buffer.from(s,"utf-8"),i.image_id,Buffer.from(i.zk_receipt||"","base64")))return !1;i.audit_status="VERIFIED: ZK-Receipt & ImageID Mathematically Verified by LiopMcpBridge",r.content[0].text=JSON.stringify(i);}}catch{}return !0}catch(s){return a.info("[LIOP-Bridge] ZK-Verifier Failure:",s),false}}async connect(){if(this.legacyMcpServer){let{LiopServer:t}=await import('./server.js');if(this.liopServer=new t(this.options.serverInfo||{name:"liop-bridge",version:"1.0.0"},{security:this.options.security}),this.options.publishToMesh){await this.liopServer.connect();let i=this.legacyMcpServer;if(i._registeredTools)for(let[o,c]of Object.entries(i._registeredTools)){let a=c;this.liopServer.tool(o,a.description||"",a.inputSchema||{},async l=>await a.handler(l));}if(i._registeredResources)for(let[o,c]of Object.entries(i._registeredResources)){let a=c;this.liopServer.resource(a.name,o,a.metadata?.description||"",a.metadata?.mimeType||"application/octet-stream",async()=>(await a.readCallback(new URL(o))).contents[0].text);}}return}let r=(await import('readline')).createInterface({input:process.stdin,output:process.stdout,terminal:false}),s=async()=>{a.info("[LIOP-Bridge] Disconnecting session..."),this.liopServer&&await this.liopServer.close(),process.exit(0);};r.on("close",s),process.on("SIGINT",s),process.on("SIGTERM",s),r.on("line",async t=>{if(t.trim())try{let i=JSON.parse(t),o=await this.handleJsonRpcRequest(i);o&&process.stdout.write(`${JSON.stringify(o)}
2
- `);}catch(i){a.error(`[LIOP-Bridge] Error: ${i.message}`);}});}};export{f as a,p as b};//# sourceMappingURL=chunk-F7B6B4XS.js.map
3
- //# sourceMappingURL=chunk-F7B6B4XS.js.map
1
+ import {a}from'./chunk-S6RJHZV2.js';import {randomUUID}from'crypto';import {serve}from'@hono/node-server';import {Hono}from'hono';import {cors}from'hono/cors';var T=10,R=1800*1e3,y=60*1e3,f=class{constructor(e,r={}){this.options=r;this.app=new Hono,this.bridgeLogic=new p(e),this.activeSessions=new Map,this.maxSessionsPerIp=r.maxSessionsPerIp??T,this.sessionTimeoutMs=r.sessionTimeoutMs??R,this.setupRoutes();}app;httpServer=null;bridgeLogic;activeSessions;evictionTimer=null;maxSessionsPerIp;sessionTimeoutMs;async createSessionTransport(e){let{WebStandardStreamableHTTPServerTransport:r}=await import('@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js'),s=new r({sessionIdGenerator:()=>randomUUID(),onsessioninitialized:t=>{this.activeSessions.set(t,{transport:s,lastActivity:Date.now(),clientIp:e}),a.info(`[LIOP-StreamBridge] Session opened: ${t} (IP: ${e})`);}});return s.onmessage=async t=>{if(s.sessionId){let i=this.activeSessions.get(s.sessionId);i&&(i.lastActivity=Date.now());}try{let i=await this.bridgeLogic.handleJsonRpcRequest(t);i!==void 0&&await s.send(i);}catch(i){a.info("[LIOP-StreamBridge] JSON-RPC error:",i.message);}},s.onclose=()=>{s.sessionId&&(this.activeSessions.delete(s.sessionId),a.info(`[LIOP-StreamBridge] Session closed: ${s.sessionId}`));},s}countSessionsByIp(e){let r=0;for(let s of this.activeSessions.values())s.clientIp===e&&r++;return r}getClientIp(e){return e.req.header("x-forwarded-for")?.split(",")[0]?.trim()||e.req.header("x-real-ip")||"unknown"}evictIdleSessions(){let e=Date.now();for(let[r,s]of this.activeSessions)e-s.lastActivity>this.sessionTimeoutMs&&(a.info(`[LIOP-StreamBridge] Evicting idle session: ${r}`),s.transport.close().catch(()=>{}),this.activeSessions.delete(r));}setupRoutes(){this.app.use("*",cors()),process.env.ZERO_TRUST_TOKEN||(process.env.ZERO_TRUST_TOKEN=randomUUID(),a.info("=".repeat(60)),a.info("\u26A0\uFE0F STRICT ZERO-TRUST MODE ENABLED \u26A0\uFE0F"),a.info("No ZERO_TRUST_TOKEN found in environment."),a.info("A secure ephemeral token has been generated for this session:"),a.info(`Token: ${process.env.ZERO_TRUST_TOKEN}`),a.info("=".repeat(60))),this.app.use("/mcp",async(e,r)=>{let s=e.req.header("Authorization"),t=process.env.ZERO_TRUST_TOKEN;if(!s?.startsWith("Bearer ")||s.split(" ")[1]!==t)return a.info("[LIOP-StreamBridge] ALERT: Access denied - Invalid Zero-Trust token."),e.json({error:"Unauthorized: LIOP Zero-Trust Policy Enforced"},401);await r();}),this.app.all("/mcp",async e=>{let r=e.req.header("mcp-session-id");if(r){let o=this.activeSessions.get(r);if(!o)return e.json({error:"Session not found"},404);o.lastActivity=Date.now();let c=await o.transport.handleRequest(e.req.raw);return e.req.method==="DELETE"&&(this.activeSessions.delete(r),a.info(`[LIOP-StreamBridge] Session closed (DELETE): ${r}`)),c}let s=this.getClientIp(e),t=this.countSessionsByIp(s);return t>=this.maxSessionsPerIp?(a.info(`[LIOP-StreamBridge] Rate limit hit for IP: ${s} (${t} sessions)`),e.json({error:"Too Many Sessions: Rate limit exceeded"},429)):await(await this.createSessionTransport(s)).handleRequest(e.req.raw)});}async start(e){let r=e??this.options.port??3e3;return this.evictionTimer=setInterval(()=>this.evictIdleSessions(),y),new Promise(s=>{this.httpServer=serve({fetch:this.app.fetch,port:r},t=>{a.info(`[LIOP-StreamBridge] Streamable HTTP Gateway on http://localhost:${t.port}/mcp`),s();});})}async stop(){this.evictionTimer&&(clearInterval(this.evictionTimer),this.evictionTimer=null);for(let[e,r]of this.activeSessions)await r.transport.close(),this.activeSessions.delete(e);this.httpServer&&(this.httpServer.close(),a.info("[LIOP-StreamBridge] HTTP ports released."));}};var p=class{constructor(e,r={}){this.options=r;e?.constructor?.name==="LiopServer"?(this.liopServer=e,a.info("[LIOP-Bridge] Mode: EXPOSE (LIOP -> MCP Stdio)")):e?.constructor?.name==="McpServer"?(this.legacyMcpServer=e,a.info("[LIOP-Bridge] Mode: WRAP (Legacy MCP -> LIOP Mesh)")):(this.legacyMcpServer=e,a.info("[LIOP-Bridge] Mode: WRAP (Inferred Legacy MCP -> LIOP Mesh)"));}liopServer=null;legacyMcpServer=null;async handleJsonRpcRequest(e){let r=e.id,s=e.method,t=e.params;return e.jsonrpc!=="2.0"?this.errorResponse(r,-32600,"Invalid Request"):this.liopServer?this.handleLiopToMcp(r,s,t):this.legacyMcpServer&&this.liopServer?this.handleLiopToMcp(r,s,t):this.errorResponse(r,-32601,"Bridge source not configured")}async handleLiopToMcp(e,r,s){if(!this.liopServer)return null;if(r==="initialize")return this.successResponse(e,{protocolVersion:"2025-11-25",capabilities:{prompts:{},resources:{},tools:{}},serverInfo:this.liopServer.getServerInfo()});if(r!=="notifications/initialized"){if(r==="ping")return this.successResponse(e,{});if(r==="tools/list"){let t=this.liopServer.listTools();return this.successResponse(e,{tools:t})}if(r==="resources/list"){let t=this.liopServer.listResources();return this.successResponse(e,{resources:t})}if(r==="prompts/list"){let t=this.liopServer.listPrompts();return this.successResponse(e,{prompts:t})}if(r==="prompts/get"){if(!s?.name)return this.errorResponse(e,-32602,"Missing prompt name");try{let t=await this.liopServer.getPrompt({name:s.name,arguments:s.arguments});return this.successResponse(e,t)}catch(t){return this.errorResponse(e,-32e3,t.message)}}if(r==="resources/read"){if(!s?.uri)return this.errorResponse(e,-32602,"Missing resource URI");try{let t=await this.liopServer.readResource(s.uri);return this.successResponse(e,t)}catch(t){return this.errorResponse(e,-32e3,t.message)}}if(r==="tools/call"){if(!s?.name)return this.errorResponse(e,-32602,"Missing tool name");let t={name:s.name,arguments:s.arguments||{}};try{let i=await this.liopServer.callTool(t);return (i.isError?!0:await this.verifyZkReceipt(t,i))?this.successResponse(e,i):this.successResponse(e,{content:[{type:"text",text:"ALERT [LIOP ZERO-TRUST SHIELD] ZK Verification Failed. The mathematical ImageID does not match the original payload."}],isError:!0})}catch(i){return this.errorResponse(e,-32e3,i.message)}}return this.errorResponse(e,-32601,"Method not found")}}successResponse(e,r){return {jsonrpc:"2.0",id:e,result:r}}errorResponse(e,r,s){return {jsonrpc:"2.0",id:e,error:{code:r,message:s}}}async verifyZkReceipt(e,r){if(!e.arguments?.payload||typeof e.arguments.payload!="string")return true;try{let s=e.arguments.payload,t=r.content[0]?.text;if(t&&typeof t=="string")try{let i=JSON.parse(t);if(i.image_id||i.zk_receipt){let{LiopVerifier:o}=await import('./verifier-Z26UC7M4.js');if(!await new o().verifyZkReceipt(Buffer.from(s,"utf-8"),i.image_id,Buffer.from(i.zk_receipt||"","base64")))return !1;i.audit_status="VERIFIED: ZK-Receipt & ImageID Mathematically Verified by LiopMcpBridge",r.content[0].text=JSON.stringify(i);}}catch{}return !0}catch(s){return a.info("[LIOP-Bridge] ZK-Verifier Failure:",s),false}}async connect(){if(this.legacyMcpServer){let{LiopServer:t}=await import('./server.js');if(this.liopServer=new t(this.options.serverInfo||{name:"liop-bridge",version:"1.0.0"},{security:this.options.security}),this.options.publishToMesh){await this.liopServer.connect();let i=this.legacyMcpServer;if(i._registeredTools)for(let[o,c]of Object.entries(i._registeredTools)){let a=c;this.liopServer.tool(o,a.description||"",a.inputSchema||{},async l=>await a.handler(l));}if(i._registeredResources)for(let[o,c]of Object.entries(i._registeredResources)){let a=c;this.liopServer.resource(a.name,o,a.metadata?.description||"",a.metadata?.mimeType||"application/octet-stream",async()=>(await a.readCallback(new URL(o))).contents[0].text);}}return}let r=(await import('readline')).createInterface({input:process.stdin,output:process.stdout,terminal:false}),s=async()=>{a.info("[LIOP-Bridge] Disconnecting session..."),this.liopServer&&await this.liopServer.close(),process.exit(0);};r.on("close",s),process.on("SIGINT",s),process.on("SIGTERM",s),r.on("line",async t=>{if(t.trim())try{let i=JSON.parse(t),o=await this.handleJsonRpcRequest(i);o&&process.stdout.write(`${JSON.stringify(o)}
2
+ `);}catch(i){a.error(`[LIOP-Bridge] Error: ${i.message}`);}});}};export{f as a,p as b};//# sourceMappingURL=chunk-GYK2HORK.js.map
3
+ //# sourceMappingURL=chunk-GYK2HORK.js.map
package/dist/{chunk-F7B6B4XS.js.map → chunk-GYK2HORK.js.map} RENAMED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/bridge/stream.ts","../src/bridge/index.ts"],"names":["DEFAULT_MAX_SESSIONS_PER_IP","DEFAULT_SESSION_TIMEOUT_MS","EVICTION_INTERVAL_MS","LiopStreamBridge","internalServer","options","Hono","LiopMcpBridge","clientIp","WebStandardStreamableHTTPServerTransport","transport","randomUUID","sessionId","log","message","entry","result","err","ip","count","c","now","cors","next","auth","expectedToken","existing","response","currentSessions","port","listenPort","resolve","serve","info","id","source","payload","method","params","tools","resources","prompts","request","code","contentText","data","LiopVerifier","e","LiopServer","legacy","name","tool","t","args","uri","resource","r","rl","shutdown","line"],"mappings":"+JA6BA,IAAMA,EAA8B,EAAA,CAC9BC,CAAAA,CAA6B,IAAA,CAAU,GAAA,CACvCC,EAAuB,EAAA,CAAK,GAAA,CAgBrBC,CAAAA,CAAN,KAAuB,CAS7B,WAAA,CACCC,CAAAA,CACQC,CAAAA,CAAmC,GAC1C,CADO,IAAA,CAAA,OAAA,CAAAA,EAER,IAAA,CAAK,GAAA,CAAM,IAAIC,IAAAA,CACf,IAAA,CAAK,WAAA,CAAc,IAAIC,EAAcH,CAAc,CAAA,CACnD,IAAA,CAAK,cAAA,CAAiB,IAAI,GAAA,CAC1B,IAAA,CAAK,gBAAA,CACJC,CAAAA,CAAQ,kBAAoBL,CAAAA,CAC7B,IAAA,CAAK,iBACJK,CAAAA,CAAQ,gBAAA,EAAoBJ,EAE7B,IAAA,CAAK,WAAA,GACN,CArBQ,IACA,UAAA,CAA8C,IAAA,CAC9C,WAAA,CACA,cAAA,CACA,cAAuD,IAAA,CACvD,gBAAA,CACA,gBAAA,CAoBR,MAAc,uBACbO,CAAAA,CACoD,CACpD,GAAM,CAAE,wCAAA,CAAAC,CAAyC,CAAA,CAAI,MAAM,OAC1D,+DACD,EACMC,CAAAA,CAAY,IAAID,CAAAA,CAAyC,CAC9D,mBAAoB,IAAME,UAAAA,EAAW,CACrC,oBAAA,CAAuBC,GAAsB,CAC5C,IAAA,CAAK,eAAe,GAAA,CAAIA,CAAAA,CAAW,CAClC,SAAA,CAAAF,CAAAA,CACA,YAAA,CAAc,IAAA,CAAK,KAAI,CACvB,QAAA,CAAAF,CACD,CAAC,EACDK,CAAAA,CAAI,IAAA,CACH,CAAA,oCAAA,EAAuCD,CAAS,SAASJ,CAAQ,CAAA,CAAA,CAClE,EACD,CACD,CAAC,EAGD,OAAAE,CAAAA,CAAU,SAAA,CAAY,MAAOI,GAA4B,CAExD,GAAIJ,CAAAA,CAAU,SAAA,CAAW,CACxB,IAAMK,CAAAA,CAAQ,IAAA,CAAK,cAAA,CAAe,IAAIL,CAAAA,CAAU,SAAS,EACrDK,CAAAA,GAAOA,CAAAA,CAAM,aAAe,IAAA,CAAK,GAAA,EAAI,EAC1C,CAEA,GAAI,CACH,IAAMC,CAAAA,CAAS,MAAM,KAAK,WAAA,CAAY,oBAAA,CACrCF,CACD,CAAA,CAEIE,IAAW,KAAA,CAAA,EACd,MAAMN,EAAU,IAAA,CAAKM,CAAwB,EAE/C,CAAA,MAASC,CAAAA,CAAc,CACtBJ,CAAAA,CAAI,KAAK,qCAAA,CAAwCI,CAAAA,CAAc,OAAO,EACvE,CACD,CAAA,CAEAP,CAAAA,CAAU,OAAA,CAAU,IAAM,CACrBA,CAAAA,CAAU,SAAA,GACb,KAAK,cAAA,CAAe,MAAA,CAAOA,EAAU,SAAS,CAAA,CAC9CG,CAAAA,CAAI,IAAA,CAAK,uCAAuCH,CAAAA,CAAU,SAAS,CAAA,CAAE,CAAA,EAEvE,EAEOA,CACR,CAKQ,iBAAA,CAAkBQ,CAAAA,CAAoB,CAC7C,IAAIC,CAAAA,CAAQ,EACZ,IAAA,IAAWJ,CAAAA,IAAS,KAAK,cAAA,CAAe,MAAA,EAAO,CAC1CA,CAAAA,CAAM,WAAaG,CAAAA,EAAIC,CAAAA,EAAAA,CAE5B,OAAOA,CACR,CAKQ,WAAA,CAAYC,CAAAA,CAET,CACV,OACCA,EAAE,GAAA,CAAI,MAAA,CAAO,iBAAiB,CAAA,EAAG,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,EAAG,IAAA,IAChDA,CAAAA,CAAE,GAAA,CAAI,MAAA,CAAO,WAAW,GACxB,SAEF,CAKQ,iBAAA,EAA0B,CACjC,IAAMC,CAAAA,CAAM,IAAA,CAAK,KAAI,CACrB,IAAA,GAAW,CAACT,CAAAA,CAAWG,CAAK,CAAA,GAAK,IAAA,CAAK,eACjCM,CAAAA,CAAMN,CAAAA,CAAM,YAAA,CAAe,IAAA,CAAK,mBACnCF,CAAAA,CAAI,IAAA,CAAK,CAAA,2CAAA,EAA8CD,CAAS,EAAE,CAAA,CAClEG,CAAAA,CAAM,UAAU,KAAA,EAAM,CAAE,MAAM,IAAM,CAEpC,CAAC,CAAA,CACD,KAAK,cAAA,CAAe,MAAA,CAAOH,CAAS,CAAA,EAGvC,CAEQ,WAAA,EAAc,CACrB,IAAA,CAAK,GAAA,CAAI,IAAI,GAAA,CAAKU,IAAAA,EAAM,CAAA,CAGnB,OAAA,CAAQ,IAAI,gBAAA,GAChB,OAAA,CAAQ,GAAA,CAAI,gBAAA,CAAmBX,YAAW,CAC1CE,CAAAA,CAAI,IAAA,CAAK,GAAA,CAAI,OAAO,EAAE,CAAC,CAAA,CACvBA,CAAAA,CAAI,KAAK,0DAAsC,CAAA,CAC/CA,EAAI,IAAA,CAAK,2CAA2C,EACpDA,CAAAA,CAAI,IAAA,CAAK,+DAA+D,CAAA,CACxEA,EAAI,IAAA,CAAK,CAAA,OAAA,EAAU,QAAQ,GAAA,CAAI,gBAAgB,EAAE,CAAA,CACjDA,CAAAA,CAAI,IAAA,CAAK,GAAA,CAAI,OAAO,EAAE,CAAC,GAIxB,IAAA,CAAK,GAAA,CAAI,IAAI,MAAA,CAAQ,MAAOO,CAAAA,CAAGG,CAAAA,GAAS,CACvC,IAAMC,CAAAA,CAAOJ,CAAAA,CAAE,GAAA,CAAI,OAAO,eAAe,CAAA,CAEnCK,CAAAA,CAAgB,OAAA,CAAQ,IAAI,gBAAA,CAClC,GACC,CAACD,CAAAA,EAAM,UAAA,CAAW,SAAS,CAAA,EAC3BA,CAAAA,CAAK,KAAA,CAAM,GAAG,EAAE,CAAC,CAAA,GAAMC,CAAAA,CAEvB,OAAAZ,EAAI,IAAA,CACH,sEACD,CAAA,CACOO,CAAAA,CAAE,KACR,CAAE,KAAA,CAAO,+CAAgD,CAAA,CACzD,GACD,EAGD,MAAMG,CAAAA,GACP,CAAC,EAGD,IAAA,CAAK,GAAA,CAAI,GAAA,CAAI,MAAA,CAAQ,MAAOH,CAAAA,EAAM,CACjC,IAAMR,CAAAA,CAAYQ,EAAE,GAAA,CAAI,MAAA,CAAO,gBAAgB,CAAA,CAG/C,GAAIR,EAAW,CACd,IAAMc,CAAAA,CAAW,IAAA,CAAK,eAAe,GAAA,CAAId,CAAS,CAAA,CAClD,GAAI,CAACc,CAAAA,CACJ,OAAON,CAAAA,CAAE,IAAA,CAAK,CAAE,KAAA,CAAO,mBAAoB,EAAG,GAAG,CAAA,CAGlDM,EAAS,YAAA,CAAe,IAAA,CAAK,GAAA,EAAI,CAEjC,IAAMC,CAAAA,CAAW,MAAMD,CAAAA,CAAS,SAAA,CAAU,cAAcN,CAAAA,CAAE,GAAA,CAAI,GAAG,CAAA,CAIjE,OAAIA,CAAAA,CAAE,GAAA,CAAI,SAAW,QAAA,GACpB,IAAA,CAAK,eAAe,MAAA,CAAOR,CAAS,CAAA,CACpCC,CAAAA,CAAI,KAAK,CAAA,6CAAA,EAAgDD,CAAS,CAAA,CAAE,CAAA,CAAA,CAG9De,CACR,CAIA,IAAMnB,CAAAA,CAAW,IAAA,CAAK,YAAYY,CAAC,CAAA,CAC7BQ,EAAkB,IAAA,CAAK,iBAAA,CAAkBpB,CAAQ,CAAA,CACvD,OAAIoB,CAAAA,EAAmB,IAAA,CAAK,kBAC3Bf,CAAAA,CAAI,IAAA,CACH,CAAA,2CAAA,EAA8CL,CAAQ,KAAKoB,CAAe,CAAA,UAAA,CAC3E,CAAA,CACOR,CAAAA,CAAE,KAAK,CAAE,KAAA,CAAO,wCAAyC,CAAA,CAAG,GAAG,GAIhE,KAAA,CADW,MAAM,IAAA,CAAK,sBAAA,CAAuBZ,CAAQ,CAAA,EACrC,aAAA,CAAcY,EAAE,GAAA,CAAI,GAAG,CAC/C,CAAC,EACF,CAKA,MAAa,MAAMS,CAAAA,CAA8B,CAChD,IAAMC,CAAAA,CAAaD,CAAAA,EAAQ,KAAK,OAAA,CAAQ,IAAA,EAAQ,GAAA,CAGhD,OAAA,IAAA,CAAK,cAAgB,WAAA,CACpB,IAAM,IAAA,CAAK,iBAAA,GACX3B,CACD,CAAA,CAEO,IAAI,OAAA,CAAS6B,GAAY,CAC/B,IAAA,CAAK,WAAaC,KAAAA,CACjB,CACC,MAAO,IAAA,CAAK,GAAA,CAAI,KAAA,CAChB,IAAA,CAAMF,CACP,CAAA,CACCG,CAAAA,EAAS,CACTpB,CAAAA,CAAI,KACH,CAAA,gEAAA,EAAmEoB,CAAAA,CAAK,IAAI,CAAA,IAAA,CAC7E,EACAF,CAAAA,GACD,CACD,EACD,CAAC,CACF,CAKA,MAAa,IAAA,EAAsB,CAC9B,KAAK,aAAA,GACR,aAAA,CAAc,IAAA,CAAK,aAAa,EAChC,IAAA,CAAK,aAAA,CAAgB,IAAA,CAAA,CAGtB,IAAA,GAAW,CAACG,CAAAA,CAAInB,CAAK,IAAK,IAAA,CAAK,cAAA,CAC9B,MAAMA,CAAAA,CAAM,SAAA,CAAU,KAAA,EAAM,CAC5B,KAAK,cAAA,CAAe,MAAA,CAAOmB,CAAE,CAAA,CAG1B,KAAK,UAAA,GACR,IAAA,CAAK,UAAA,CAAW,KAAA,GAChBrB,CAAAA,CAAI,IAAA,CAAK,0CAA0C,CAAA,EAErD,CACD,EC5QO,IAAMN,CAAAA,CAAN,KAAoB,CAG1B,YAEC4B,CAAAA,CACQ9B,CAAAA,CAA6B,EAAC,CACrC,CADO,IAAA,CAAA,OAAA,CAAAA,CAAAA,CAIJ8B,CAAAA,EAAQ,WAAA,EAAa,OAAS,YAAA,EACjC,IAAA,CAAK,WAAaA,CAAAA,CAClBtB,CAAAA,CAAI,KAAK,gDAAgD,CAAA,EAC/CsB,CAAAA,EAAQ,WAAA,EAAa,OAAS,WAAA,EACxC,IAAA,CAAK,eAAA,CAAkBA,CAAAA,CACvBtB,EAAI,IAAA,CAAK,oDAAoD,CAAA,GAG7D,IAAA,CAAK,gBAAkBsB,CAAAA,CACvBtB,CAAAA,CAAI,KAAK,6DAA6D,CAAA,EAExE,CApBQ,UAAA,CAAgC,IAAA,CAChC,eAAA,CAAoC,IAAA,CAyB5C,MAAa,oBAAA,CACZuB,CAAAA,CACmB,CACnB,IAAMF,EAAKE,CAAAA,CAAQ,EAAA,CACbC,CAAAA,CAASD,CAAAA,CAAQ,OACjBE,CAAAA,CAASF,CAAAA,CAAQ,OAEvB,OAAIA,CAAAA,CAAQ,UAAY,KAAA,CAChB,IAAA,CAAK,aAAA,CAAcF,CAAAA,CAAI,OAAQ,iBAAiB,CAAA,CAIpD,KAAK,UAAA,CACD,IAAA,CAAK,gBAAgBA,CAAAA,CAAIG,CAAAA,CAAQC,CAAM,CAAA,CAI3C,KAAK,eAAA,EAAmB,IAAA,CAAK,WACzB,IAAA,CAAK,eAAA,CAAgBJ,EAAIG,CAAAA,CAAQC,CAAM,CAAA,CAGxC,IAAA,CAAK,cAAcJ,CAAAA,CAAI,MAAA,CAAQ,8BAA8B,CACrE,CAEA,MAAc,eAAA,CACbA,CAAAA,CACAG,CAAAA,CACAC,EACmB,CACnB,GAAI,CAAC,IAAA,CAAK,UAAA,CAAY,OAAO,IAAA,CAE7B,GAAID,CAAAA,GAAW,YAAA,CACd,OAAO,IAAA,CAAK,eAAA,CAAgBH,CAAAA,CAAI,CAC/B,gBAAiB,YAAA,CACjB,YAAA,CAAc,CACb,OAAA,CAAS,EAAC,CACV,SAAA,CAAW,EAAC,CACZ,KAAA,CAAO,EACR,CAAA,CACA,UAAA,CAAY,IAAA,CAAK,WAAW,aAAA,EAC7B,CAAC,CAAA,CAGF,GAAIG,CAAAA,GAAW,2BAAA,CACf,CAAA,GAAIA,CAAAA,GAAW,OAAQ,OAAO,IAAA,CAAK,gBAAgBH,CAAAA,CAAI,EAAE,CAAA,CAEzD,GAAIG,CAAAA,GAAW,YAAA,CAAc,CAC5B,IAAME,CAAAA,CAAQ,IAAA,CAAK,UAAA,CAAW,WAAU,CACxC,OAAO,IAAA,CAAK,eAAA,CAAgBL,EAAI,CAAE,KAAA,CAAAK,CAAM,CAAC,CAC1C,CAEA,GAAIF,CAAAA,GAAW,gBAAA,CAAkB,CAChC,IAAMG,CAAAA,CAAY,IAAA,CAAK,UAAA,CAAW,aAAA,GAClC,OAAO,IAAA,CAAK,eAAA,CAAgBN,CAAAA,CAAI,CAAE,SAAA,CAAAM,CAAU,CAAC,CAC9C,CAEA,GAAIH,CAAAA,GAAW,cAAA,CAAgB,CAC9B,IAAMI,EAAU,IAAA,CAAK,UAAA,CAAW,WAAA,EAAY,CAC5C,OAAO,IAAA,CAAK,eAAA,CAAgBP,CAAAA,CAAI,CAAE,QAAAO,CAAQ,CAAC,CAC5C,CAEA,GAAIJ,IAAW,aAAA,CAAe,CAC7B,GAAI,CAACC,GAAQ,IAAA,CACZ,OAAO,IAAA,CAAK,aAAA,CAAcJ,EAAI,MAAA,CAAQ,qBAAqB,CAAA,CAE5D,GAAI,CACH,IAAMlB,CAAAA,CAAS,MAAM,IAAA,CAAK,UAAA,CAAW,UAAU,CAC9C,IAAA,CAAMsB,CAAAA,CAAO,IAAA,CACb,UAAWA,CAAAA,CAAO,SACnB,CAAC,CAAA,CACD,OAAO,KAAK,eAAA,CAAgBJ,CAAAA,CAAIlB,CAAM,CACvC,OAASC,CAAAA,CAAc,CACtB,OAAO,IAAA,CAAK,aAAA,CAAciB,EAAI,KAAA,CAASjB,CAAAA,CAAc,OAAO,CAC7D,CACD,CAEA,GAAIoB,CAAAA,GAAW,gBAAA,CAAkB,CAChC,GAAI,CAACC,CAAAA,EAAQ,GAAA,CACZ,OAAO,IAAA,CAAK,aAAA,CAAcJ,EAAI,MAAA,CAAQ,sBAAsB,EAE7D,GAAI,CACH,IAAMlB,CAAAA,CAAS,MAAM,IAAA,CAAK,UAAA,CAAW,YAAA,CAAasB,CAAAA,CAAO,GAAa,CAAA,CACtE,OAAO,IAAA,CAAK,eAAA,CAAgBJ,EAAIlB,CAAM,CACvC,OAASC,CAAAA,CAAc,CACtB,OAAO,IAAA,CAAK,aAAA,CAAciB,CAAAA,CAAI,KAAA,CAASjB,EAAc,OAAO,CAC7D,CACD,CAEA,GAAIoB,CAAAA,GAAW,YAAA,CAAc,CAC5B,GAAI,CAACC,CAAAA,EAAQ,IAAA,CACZ,OAAO,IAAA,CAAK,aAAA,CAAcJ,EAAI,MAAA,CAAQ,mBAAmB,CAAA,CAE1D,IAAMQ,EAA2B,CAChC,IAAA,CAAMJ,CAAAA,CAAO,IAAA,CACb,UAAYA,CAAAA,CAAO,SAAA,EAAyC,EAC7D,EAEA,GAAI,CACH,IAAMtB,CAAAA,CAAyB,MAAM,KAAK,UAAA,CAAW,QAAA,CAAS0B,CAAO,CAAA,CAOrE,QAJmB1B,CAAAA,CAAO,OAAA,CACvB,CAAA,CAAA,CACA,MAAM,KAAK,eAAA,CAAgB0B,CAAAA,CAAS1B,CAAM,CAAA,EActC,KAAK,eAAA,CAAgBkB,CAAAA,CAAIlB,CAAM,CAAA,CAX9B,IAAA,CAAK,gBAAgBkB,CAAAA,CAAI,CAC/B,OAAA,CAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CAAM,sHACP,CACD,CAAA,CACA,OAAA,CAAS,CAAA,CACV,CAAC,CAIH,CAAA,MAASjB,CAAAA,CAAc,CACtB,OAAO,IAAA,CAAK,cAAciB,CAAAA,CAAI,KAAA,CAASjB,CAAAA,CAAc,OAAO,CAC7D,CACD,CAEA,OAAO,IAAA,CAAK,cAAciB,CAAAA,CAAI,MAAA,CAAQ,kBAAkB,CAAA,CACzD,CAEQ,eAAA,CACPA,CAAAA,CACAlB,EACC,CACD,OAAO,CAAE,OAAA,CAAS,KAAA,CAAO,EAAA,CAAAkB,CAAAA,CAAI,OAAAlB,CAAO,CACrC,CAEQ,aAAA,CAAckB,CAAAA,CAAqBS,EAAc7B,CAAAA,CAAiB,CACzE,OAAO,CAAE,QAAS,KAAA,CAAO,EAAA,CAAAoB,EAAI,KAAA,CAAO,CAAE,KAAAS,CAAAA,CAAM,OAAA,CAAA7B,CAAQ,CAAE,CACvD,CAEA,MAAc,eAAA,CACb4B,CAAAA,CACA1B,EACmB,CACnB,GACC,CAAC0B,CAAAA,CAAQ,WAAW,OAAA,EACpB,OAAOA,EAAQ,SAAA,CAAU,OAAA,EAAY,SAErC,OAAO,KAAA,CAGR,GAAI,CACH,IAAMN,CAAAA,CAAUM,CAAAA,CAAQ,SAAA,CAAU,OAAA,CAC5BE,EAAc5B,CAAAA,CAAO,OAAA,CAAQ,CAAC,CAAA,EAAG,KAEvC,GAAI4B,CAAAA,EAAe,OAAOA,CAAAA,EAAgB,QAAA,CACzC,GAAI,CACH,IAAMC,CAAAA,CAAO,IAAA,CAAK,MAAMD,CAAW,CAAA,CAEnC,GAAIC,CAAAA,CAAK,UAAYA,CAAAA,CAAK,UAAA,CAAY,CAErC,GAAM,CAAE,YAAA,CAAAC,CAAa,EAAI,MAAM,OAAO,wBAAuB,CAAA,CAU7D,GAAI,CANgB,MAHH,IAAIA,CAAAA,EAAa,CAGC,eAAA,CAClC,MAAA,CAAO,KAAKV,CAAAA,CAAS,OAAO,CAAA,CAC5BS,CAAAA,CAAK,SACL,MAAA,CAAO,IAAA,CAAKA,EAAK,UAAA,EAAc,EAAA,CAAI,QAAQ,CAC5C,CAAA,CAGC,OAAO,CAAA,CAAA,CAGRA,EAAK,YAAA,CACJ,yEAAA,CACD7B,CAAAA,CAAO,OAAA,CAAQ,CAAC,CAAA,CAAE,IAAA,CAAO,IAAA,CAAK,SAAA,CAAU6B,CAAI,EAC7C,CACD,MAAQ,CAER,CAED,OAAO,CAAA,CACR,CAAA,MAASE,CAAAA,CAAG,CACX,OAAAlC,CAAAA,CAAI,IAAA,CAAK,oCAAA,CAAsCkC,CAAC,EACzC,KACR,CACD,CAKA,MAAa,SAAyB,CAErC,GAAI,KAAK,eAAA,CAAiB,CACzB,GAAM,CAAE,UAAA,CAAAC,CAAW,CAAA,CAAI,MAAM,OAAO,aAAoB,CAAA,CASxD,GARA,KAAK,UAAA,CAAa,IAAIA,CAAAA,CACrB,IAAA,CAAK,QAAQ,UAAA,EAAc,CAC1B,KAAM,aAAA,CACN,OAAA,CAAS,OACV,CAAA,CACA,CAAE,QAAA,CAAU,IAAA,CAAK,QAAQ,QAAS,CACnC,EAEI,IAAA,CAAK,OAAA,CAAQ,cAAe,CAC/B,MAAM,IAAA,CAAK,UAAA,CAAW,SAAQ,CAI9B,IAAMC,EAAS,IAAA,CAAK,eAAA,CAGpB,GAAIA,CAAAA,CAAO,gBAAA,CACV,IAAA,GAAW,CAACC,EAAMC,CAAI,CAAA,GAAK,MAAA,CAAO,OAAA,CAAQF,EAAO,gBAAgB,CAAA,CAAG,CAEnE,IAAMG,EAAID,CAAAA,CACV,IAAA,CAAK,WAAW,IAAA,CACfD,CAAAA,CACAE,EAAE,WAAA,EAAe,EAAA,CACjBA,CAAAA,CAAE,WAAA,EAAe,EAAC,CAElB,MAAOC,CAAAA,EACC,MAAMD,EAAE,OAAA,CAAQC,CAAI,CAE7B,EACD,CAID,GAAIJ,CAAAA,CAAO,qBACV,IAAA,GAAW,CAACK,EAAKC,CAAQ,CAAA,GAAK,MAAA,CAAO,OAAA,CACpCN,EAAO,oBACR,CAAA,CAAG,CAEF,IAAMO,EAAID,CAAAA,CACV,IAAA,CAAK,UAAA,CAAW,QAAA,CACfC,EAAE,IAAA,CACFF,CAAAA,CACAE,EAAE,QAAA,EAAU,WAAA,EAAe,GAC3BA,CAAAA,CAAE,QAAA,EAAU,QAAA,EAAY,0BAAA,CACxB,UACa,MAAMA,CAAAA,CAAE,YAAA,CAAa,IAAI,IAAIF,CAAG,CAAC,CAAA,EAClC,QAAA,CAAS,CAAC,CAAA,CAAE,IAEzB,EACD,CAEF,CACA,MACD,CAIA,IAAMG,CAAAA,CAAAA,CADW,aAAa,UAAe,CAAA,EACzB,eAAA,CAAgB,CACnC,MAAO,OAAA,CAAQ,KAAA,CACf,MAAA,CAAQ,OAAA,CAAQ,OAChB,QAAA,CAAU,KACX,CAAC,CAAA,CAEKC,CAAAA,CAAW,SAAY,CAC5B7C,CAAAA,CAAI,IAAA,CAAK,wCAAwC,EAC7C,IAAA,CAAK,UAAA,EAAY,MAAM,IAAA,CAAK,WAAW,KAAA,EAAM,CACjD,OAAA,CAAQ,IAAA,CAAK,CAAC,EACf,CAAA,CAEA4C,EAAG,EAAA,CAAG,OAAA,CAASC,CAAQ,CAAA,CACvB,OAAA,CAAQ,EAAA,CAAG,QAAA,CAAUA,CAAQ,CAAA,CAC7B,OAAA,CAAQ,EAAA,CAAG,SAAA,CAAWA,CAAQ,CAAA,CAE9BD,CAAAA,CAAG,EAAA,CAAG,MAAA,CAAQ,MAAOE,CAAAA,EAAS,CAC7B,GAAKA,CAAAA,CAAK,IAAA,GACV,GAAI,CACH,IAAMvB,CAAAA,CAAU,KAAK,KAAA,CAAMuB,CAAI,EACzBhC,CAAAA,CAAW,MAAM,KAAK,oBAAA,CAAqBS,CAAO,CAAA,CACpDT,CAAAA,EACH,QAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,IAAA,CAAK,SAAA,CAAUA,CAAQ,CAAC;AAAA,CAAI,EAEtD,CAAA,MAASoB,CAAAA,CAAY,CACpBlC,EAAI,KAAA,CAAM,CAAA,qBAAA,EAAyBkC,CAAAA,CAAY,OAAO,CAAA,CAAE,EACzD,CACD,CAAC,EACF,CACD","file":"chunk-F7B6B4XS.js","sourcesContent":["import { randomUUID } from \"node:crypto\";\nimport { serve } from \"@hono/node-server\";\nimport type { WebStandardStreamableHTTPServerTransport } from \"@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js\";\nimport type { JSONRPCMessage } from \"@modelcontextprotocol/sdk/types.js\";\nimport { Hono } from \"hono\";\nimport { cors } from \"hono/cors\";\nimport type { LiopServer } from \"../server/index.js\";\nimport { log } from \"../utils/logger.js\";\nimport { LiopMcpBridge } from \"./index.js\";\n\n/**\n * Configuration options for LiopStreamBridge.\n */\nexport interface LiopStreamBridgeOptions {\n\t/** Port to listen on (default: 3000) */\n\tport?: number;\n\t/** Max concurrent sessions per IP (default: 5) */\n\tmaxSessionsPerIp?: number;\n\t/** Session idle timeout in milliseconds (default: 30 min) */\n\tsessionTimeoutMs?: number;\n}\n\n/** Internal metadata for tracked sessions */\ninterface SessionEntry {\n\ttransport: WebStandardStreamableHTTPServerTransport;\n\tlastActivity: number;\n\tclientIp: string;\n}\n\nconst DEFAULT_MAX_SESSIONS_PER_IP = 10;\nconst DEFAULT_SESSION_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes\nconst EVICTION_INTERVAL_MS = 60 * 1000; // Check every minute\n\n/**\n * LiopStreamBridge\n *\n * Exposes a LiopServer over a remote HTTP network using the industry-standard\n * MCP Streamable HTTP Transport + Hono JS.\n *\n * Supports concurrent multi-client connections via per-session transport instances (Map pattern).\n * External agents connect using only a URL + Bearer Token (Zero-Trust).\n *\n * Security hardening:\n * - Zero-Trust Bearer Token enforcement\n * - Per-IP rate limiting on session creation\n * - Automatic eviction of idle sessions (TTL)\n */\nexport class LiopStreamBridge {\n\tprivate app: Hono;\n\tprivate httpServer: ReturnType<typeof serve> | null = null;\n\tprivate bridgeLogic: LiopMcpBridge;\n\tprivate activeSessions: Map<string, SessionEntry>;\n\tprivate evictionTimer: ReturnType<typeof setInterval> | null = null;\n\tprivate maxSessionsPerIp: number;\n\tprivate sessionTimeoutMs: number;\n\n\tconstructor(\n\t\tinternalServer: LiopServer,\n\t\tprivate options: LiopStreamBridgeOptions = {},\n\t) {\n\t\tthis.app = new Hono();\n\t\tthis.bridgeLogic = new LiopMcpBridge(internalServer);\n\t\tthis.activeSessions = new Map();\n\t\tthis.maxSessionsPerIp =\n\t\t\toptions.maxSessionsPerIp ?? DEFAULT_MAX_SESSIONS_PER_IP;\n\t\tthis.sessionTimeoutMs =\n\t\t\toptions.sessionTimeoutMs ?? DEFAULT_SESSION_TIMEOUT_MS;\n\n\t\tthis.setupRoutes();\n\t}\n\n\t/**\n\t * Creates a new per-session transport instance and wires it to the LIOPMcpBridge logic.\n\t */\n\tprivate async createSessionTransport(\n\t\tclientIp: string,\n\t): Promise<WebStandardStreamableHTTPServerTransport> {\n\t\tconst { WebStandardStreamableHTTPServerTransport } = await import(\n\t\t\t\"@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js\"\n\t\t);\n\t\tconst transport = new WebStandardStreamableHTTPServerTransport({\n\t\t\tsessionIdGenerator: () => randomUUID(),\n\t\t\tonsessioninitialized: (sessionId: string) => {\n\t\t\t\tthis.activeSessions.set(sessionId, {\n\t\t\t\t\ttransport,\n\t\t\t\t\tlastActivity: Date.now(),\n\t\t\t\t\tclientIp,\n\t\t\t\t});\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-StreamBridge] Session opened: ${sessionId} (IP: ${clientIp})`,\n\t\t\t\t);\n\t\t\t},\n\t\t});\n\n\t\t// Wire the transport's incoming messages to the LiopMcpBridge JSON-RPC router\n\t\ttransport.onmessage = async (message: JSONRPCMessage) => {\n\t\t\t// Touch activity timestamp on every message\n\t\t\tif (transport.sessionId) {\n\t\t\t\tconst entry = this.activeSessions.get(transport.sessionId);\n\t\t\t\tif (entry) entry.lastActivity = Date.now();\n\t\t\t}\n\n\t\t\ttry {\n\t\t\t\tconst result = await this.bridgeLogic.handleJsonRpcRequest(\n\t\t\t\t\tmessage as unknown as Record<string, unknown>,\n\t\t\t\t);\n\t\t\t\t// Notifications return undefined — no response needed\n\t\t\t\tif (result !== undefined) {\n\t\t\t\t\tawait transport.send(result as JSONRPCMessage);\n\t\t\t\t}\n\t\t\t} catch (err: unknown) {\n\t\t\t\tlog.info(\"[LIOP-StreamBridge] JSON-RPC error:\", (err as Error).message);\n\t\t\t}\n\t\t};\n\n\t\ttransport.onclose = () => {\n\t\t\tif (transport.sessionId) {\n\t\t\t\tthis.activeSessions.delete(transport.sessionId);\n\t\t\t\tlog.info(`[LIOP-StreamBridge] Session closed: ${transport.sessionId}`);\n\t\t\t}\n\t\t};\n\n\t\treturn transport;\n\t}\n\n\t/**\n\t * Returns the number of active sessions for a given IP.\n\t */\n\tprivate countSessionsByIp(ip: string): number {\n\t\tlet count = 0;\n\t\tfor (const entry of this.activeSessions.values()) {\n\t\t\tif (entry.clientIp === ip) count++;\n\t\t}\n\t\treturn count;\n\t}\n\n\t/**\n\t * Extracts client IP from the request (supports X-Forwarded-For for reverse proxies).\n\t */\n\tprivate getClientIp(c: {\n\t\treq: { header: (name: string) => string | undefined };\n\t}): string {\n\t\treturn (\n\t\t\tc.req.header(\"x-forwarded-for\")?.split(\",\")[0]?.trim() ||\n\t\t\tc.req.header(\"x-real-ip\") ||\n\t\t\t\"unknown\"\n\t\t);\n\t}\n\n\t/**\n\t * Evicts sessions that have been idle longer than the configured timeout.\n\t */\n\tprivate evictIdleSessions(): void {\n\t\tconst now = Date.now();\n\t\tfor (const [sessionId, entry] of this.activeSessions) {\n\t\t\tif (now - entry.lastActivity > this.sessionTimeoutMs) {\n\t\t\t\tlog.info(`[LIOP-StreamBridge] Evicting idle session: ${sessionId}`);\n\t\t\t\tentry.transport.close().catch(() => {\n\t\t\t\t\t/* Swallow close errors */\n\t\t\t\t});\n\t\t\t\tthis.activeSessions.delete(sessionId);\n\t\t\t}\n\t\t}\n\t}\n\n\tprivate setupRoutes() {\n\t\tthis.app.use(\"*\", cors());\n\n\t\t// Initialize strict zero-trust token if not provided\n\t\tif (!process.env.ZERO_TRUST_TOKEN) {\n\t\t\tprocess.env.ZERO_TRUST_TOKEN = randomUUID();\n\t\t\tlog.info(\"=\".repeat(60));\n\t\t\tlog.info(\"⚠️ STRICT ZERO-TRUST MODE ENABLED ⚠️\");\n\t\t\tlog.info(\"No ZERO_TRUST_TOKEN found in environment.\");\n\t\t\tlog.info(\"A secure ephemeral token has been generated for this session:\");\n\t\t\tlog.info(`Token: ${process.env.ZERO_TRUST_TOKEN}`);\n\t\t\tlog.info(\"=\".repeat(60));\n\t\t}\n\n\t\t// ZTA (Zero-Trust Architecture) Security Middleware\n\t\tthis.app.use(\"/mcp\", async (c, next) => {\n\t\t\tconst auth = c.req.header(\"Authorization\");\n\n\t\t\tconst expectedToken = process.env.ZERO_TRUST_TOKEN;\n\t\t\tif (\n\t\t\t\t!auth?.startsWith(\"Bearer \") ||\n\t\t\t\tauth.split(\" \")[1] !== expectedToken\n\t\t\t) {\n\t\t\t\tlog.info(\n\t\t\t\t\t\"[LIOP-StreamBridge] ALERT: Access denied - Invalid Zero-Trust token.\",\n\t\t\t\t);\n\t\t\t\treturn c.json(\n\t\t\t\t\t{ error: \"Unauthorized: LIOP Zero-Trust Policy Enforced\" },\n\t\t\t\t\t401,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tawait next();\n\t\t});\n\n\t\t// Multi-Session Streamable HTTP Handler\n\t\tthis.app.all(\"/mcp\", async (c) => {\n\t\t\tconst sessionId = c.req.header(\"mcp-session-id\");\n\n\t\t\t// Route to existing session if session ID is present\n\t\t\tif (sessionId) {\n\t\t\t\tconst existing = this.activeSessions.get(sessionId);\n\t\t\t\tif (!existing) {\n\t\t\t\t\treturn c.json({ error: \"Session not found\" }, 404);\n\t\t\t\t}\n\t\t\t\t// Touch activity on every routed request\n\t\t\t\texisting.lastActivity = Date.now();\n\n\t\t\t\tconst response = await existing.transport.handleRequest(c.req.raw);\n\n\t\t\t\t// If DELETE, the transport closes internally but onclose may not fire.\n\t\t\t\t// Explicitly clean up the session from the Map.\n\t\t\t\tif (c.req.method === \"DELETE\") {\n\t\t\t\t\tthis.activeSessions.delete(sessionId);\n\t\t\t\t\tlog.info(`[LIOP-StreamBridge] Session closed (DELETE): ${sessionId}`);\n\t\t\t\t}\n\n\t\t\t\treturn response;\n\t\t\t}\n\n\t\t\t// No session ID → New client initializing.\n\t\t\t// Rate-limit: enforce max sessions per IP\n\t\t\tconst clientIp = this.getClientIp(c);\n\t\t\tconst currentSessions = this.countSessionsByIp(clientIp);\n\t\t\tif (currentSessions >= this.maxSessionsPerIp) {\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-StreamBridge] Rate limit hit for IP: ${clientIp} (${currentSessions} sessions)`,\n\t\t\t\t);\n\t\t\t\treturn c.json({ error: \"Too Many Sessions: Rate limit exceeded\" }, 429);\n\t\t\t}\n\n\t\t\tconst transport = await this.createSessionTransport(clientIp);\n\t\t\treturn await transport.handleRequest(c.req.raw);\n\t\t});\n\t}\n\n\t/**\n\t * Starts the LiopStreamBridge HTTP server and session eviction timer.\n\t */\n\tpublic async start(port?: number): Promise<void> {\n\t\tconst listenPort = port ?? this.options.port ?? 3000;\n\n\t\t// Start the idle session eviction timer\n\t\tthis.evictionTimer = setInterval(\n\t\t\t() => this.evictIdleSessions(),\n\t\t\tEVICTION_INTERVAL_MS,\n\t\t);\n\n\t\treturn new Promise((resolve) => {\n\t\t\tthis.httpServer = serve(\n\t\t\t\t{\n\t\t\t\t\tfetch: this.app.fetch,\n\t\t\t\t\tport: listenPort,\n\t\t\t\t},\n\t\t\t\t(info) => {\n\t\t\t\t\tlog.info(\n\t\t\t\t\t\t`[LIOP-StreamBridge] Streamable HTTP Gateway on http://localhost:${info.port}/mcp`,\n\t\t\t\t\t);\n\t\t\t\t\tresolve();\n\t\t\t\t},\n\t\t\t);\n\t\t});\n\t}\n\n\t/**\n\t * Graceful shutdown — closes all active sessions, stops timers, and releases port.\n\t */\n\tpublic async stop(): Promise<void> {\n\t\tif (this.evictionTimer) {\n\t\t\tclearInterval(this.evictionTimer);\n\t\t\tthis.evictionTimer = null;\n\t\t}\n\n\t\tfor (const [id, entry] of this.activeSessions) {\n\t\t\tawait entry.transport.close();\n\t\t\tthis.activeSessions.delete(id);\n\t\t}\n\n\t\tif (this.httpServer) {\n\t\t\tthis.httpServer.close();\n\t\t\tlog.info(\"[LIOP-StreamBridge] HTTP ports released.\");\n\t\t}\n\t}\n}\n","import type { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\nimport type { LiopServer, LiopServerOptions } from \"../server/index.js\";\nimport type { CallToolRequest, CallToolResult } from \"../types.js\";\nimport { log } from \"../utils/logger.js\";\n\nexport interface LiopBridgeOptions {\n\tpublishToMesh?: boolean;\n\tmeshIdentity?: string;\n\tserverInfo?: {\n\t\tname: string;\n\t\tversion: string;\n\t};\n\tsecurity?: LiopServerOptions[\"security\"];\n}\n\n/**\n * LIOP MCP Bridge\n * A bi-directional bridge that allows legacy MCP servers to join the LIOP mesh,\n * or exposes a LIOP server as an MCP-compatible stdio process for tools like Claude Desktop.\n */\nexport class LiopMcpBridge {\n\tprivate liopServer: LiopServer | null = null;\n\tprivate legacyMcpServer: McpServer | null = null;\n\tconstructor(\n\t\t// biome-ignore lint/suspicious/noExplicitAny: polymorphic source detection\n\t\tsource: LiopServer | McpServer | any,\n\t\tprivate options: LiopBridgeOptions = {},\n\t) {\n\t\t// Determine mode: Exposing LIOP to MCP (Claude) or Wrapping MCP to LIOP (Mesh)\n\t\t// We use constructor name check to avoid hard dependency on optional SDK at runtime start\n\t\tif (source?.constructor?.name === \"LiopServer\") {\n\t\t\tthis.liopServer = source as LiopServer;\n\t\t\tlog.info(\"[LIOP-Bridge] Mode: EXPOSE (LIOP -> MCP Stdio)\");\n\t\t} else if (source?.constructor?.name === \"McpServer\") {\n\t\t\tthis.legacyMcpServer = source as McpServer;\n\t\t\tlog.info(\"[LIOP-Bridge] Mode: WRAP (Legacy MCP -> LIOP Mesh)\");\n\t\t} else {\n\t\t\t// Fallback for inferred legacy MCP servers\n\t\t\tthis.legacyMcpServer = source as McpServer;\n\t\t\tlog.info(\"[LIOP-Bridge] Mode: WRAP (Inferred Legacy MCP -> LIOP Mesh)\");\n\t\t}\n\t}\n\n\t/**\n\t * Handles an incoming standard MCP JSON-RPC 2.0 payload.\n\t * Pipes it to the underlying server (LIOP or Legacy MCP).\n\t */\n\tpublic async handleJsonRpcRequest(\n\t\tpayload: Record<string, unknown>,\n\t): Promise<unknown> {\n\t\tconst id = payload.id as string | number;\n\t\tconst method = payload.method as string;\n\t\tconst params = payload.params as Record<string, unknown> | undefined;\n\n\t\tif (payload.jsonrpc !== \"2.0\") {\n\t\t\treturn this.errorResponse(id, -32600, \"Invalid Request\");\n\t\t}\n\n\t\t// Mode: EXPOSE (Standard behavior used by Claude Desktop)\n\t\tif (this.liopServer) {\n\t\t\treturn this.handleLiopToMcp(id, method, params);\n\t\t}\n\n\t\t// Mode: WRAP (Redirecting via internal LiopServer after connect())\n\t\tif (this.legacyMcpServer && this.liopServer) {\n\t\t\treturn this.handleLiopToMcp(id, method, params);\n\t\t}\n\n\t\treturn this.errorResponse(id, -32601, \"Bridge source not configured\");\n\t}\n\n\tprivate async handleLiopToMcp(\n\t\tid: string | number,\n\t\tmethod: string,\n\t\tparams: Record<string, unknown> | undefined,\n\t): Promise<unknown> {\n\t\tif (!this.liopServer) return null;\n\n\t\tif (method === \"initialize\") {\n\t\t\treturn this.successResponse(id, {\n\t\t\t\tprotocolVersion: \"2025-11-25\",\n\t\t\t\tcapabilities: {\n\t\t\t\t\tprompts: {},\n\t\t\t\t\tresources: {},\n\t\t\t\t\ttools: {},\n\t\t\t\t},\n\t\t\t\tserverInfo: this.liopServer.getServerInfo(),\n\t\t\t});\n\t\t}\n\n\t\tif (method === \"notifications/initialized\") return undefined;\n\t\tif (method === \"ping\") return this.successResponse(id, {});\n\n\t\tif (method === \"tools/list\") {\n\t\t\tconst tools = this.liopServer.listTools();\n\t\t\treturn this.successResponse(id, { tools });\n\t\t}\n\n\t\tif (method === \"resources/list\") {\n\t\t\tconst resources = this.liopServer.listResources();\n\t\t\treturn this.successResponse(id, { resources });\n\t\t}\n\n\t\tif (method === \"prompts/list\") {\n\t\t\tconst prompts = this.liopServer.listPrompts();\n\t\t\treturn this.successResponse(id, { prompts });\n\t\t}\n\n\t\tif (method === \"prompts/get\") {\n\t\t\tif (!params?.name) {\n\t\t\t\treturn this.errorResponse(id, -32602, \"Missing prompt name\");\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tconst result = await this.liopServer.getPrompt({\n\t\t\t\t\tname: params.name as string,\n\t\t\t\t\targuments: params.arguments as Record<string, string> | undefined,\n\t\t\t\t});\n\t\t\t\treturn this.successResponse(id, result);\n\t\t\t} catch (err: unknown) {\n\t\t\t\treturn this.errorResponse(id, -32000, (err as Error).message);\n\t\t\t}\n\t\t}\n\n\t\tif (method === \"resources/read\") {\n\t\t\tif (!params?.uri) {\n\t\t\t\treturn this.errorResponse(id, -32602, \"Missing resource URI\");\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tconst result = await this.liopServer.readResource(params.uri as string);\n\t\t\t\treturn this.successResponse(id, result);\n\t\t\t} catch (err: unknown) {\n\t\t\t\treturn this.errorResponse(id, -32000, (err as Error).message);\n\t\t\t}\n\t\t}\n\n\t\tif (method === \"tools/call\") {\n\t\t\tif (!params?.name) {\n\t\t\t\treturn this.errorResponse(id, -32602, \"Missing tool name\");\n\t\t\t}\n\t\t\tconst request: CallToolRequest = {\n\t\t\t\tname: params.name as string,\n\t\t\t\targuments: (params.arguments as Record<string, unknown>) || {},\n\t\t\t};\n\n\t\t\ttry {\n\t\t\t\tconst result: CallToolResult = await this.liopServer.callTool(request);\n\t\t\t\t// If the tool execution returned an error (e.g. policy violation), we bypass\n\t\t\t\t// ZK-Receipt verification because no cryptographic proof is generated for errors.\n\t\t\t\tconst isVerified = result.isError\n\t\t\t\t\t? true\n\t\t\t\t\t: await this.verifyZkReceipt(request, result);\n\n\t\t\t\tif (!isVerified) {\n\t\t\t\t\treturn this.successResponse(id, {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: \"ALERT [LIOP ZERO-TRUST SHIELD] ZK Verification Failed. The mathematical ImageID does not match the original payload.\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t});\n\t\t\t\t}\n\n\t\t\t\treturn this.successResponse(id, result);\n\t\t\t} catch (err: unknown) {\n\t\t\t\treturn this.errorResponse(id, -32000, (err as Error).message);\n\t\t\t}\n\t\t}\n\n\t\treturn this.errorResponse(id, -32601, \"Method not found\");\n\t}\n\n\tprivate successResponse(\n\t\tid: string | number | null | undefined,\n\t\tresult: unknown,\n\t) {\n\t\treturn { jsonrpc: \"2.0\", id, result };\n\t}\n\n\tprivate errorResponse(id: string | number, code: number, message: string) {\n\t\treturn { jsonrpc: \"2.0\", id, error: { code, message } };\n\t}\n\n\tprivate async verifyZkReceipt(\n\t\trequest: CallToolRequest,\n\t\tresult: CallToolResult,\n\t): Promise<boolean> {\n\t\tif (\n\t\t\t!request.arguments?.payload ||\n\t\t\ttypeof request.arguments.payload !== \"string\"\n\t\t) {\n\t\t\treturn true;\n\t\t}\n\n\t\ttry {\n\t\t\tconst payload = request.arguments.payload as string;\n\t\t\tconst contentText = result.content[0]?.text;\n\n\t\t\tif (contentText && typeof contentText === \"string\") {\n\t\t\t\ttry {\n\t\t\t\t\tconst data = JSON.parse(contentText);\n\n\t\t\t\t\tif (data.image_id || data.zk_receipt) {\n\t\t\t\t\t\t// 1. Instantiate the Industrial Verifier ( backed by Piscina Worker Pool )\n\t\t\t\t\t\tconst { LiopVerifier } = await import(\"../crypto/verifier.js\");\n\t\t\t\t\t\tconst verifier = new LiopVerifier();\n\n\t\t\t\t\t\t// 2. Delegate the heavy mathematical check (ZK Journal + Seal)\n\t\t\t\t\t\tconst isAuthentic = await verifier.verifyZkReceipt(\n\t\t\t\t\t\t\tBuffer.from(payload, \"utf-8\"),\n\t\t\t\t\t\t\tdata.image_id,\n\t\t\t\t\t\t\tBuffer.from(data.zk_receipt || \"\", \"base64\"),\n\t\t\t\t\t\t);\n\n\t\t\t\t\t\tif (!isAuthentic) {\n\t\t\t\t\t\t\treturn false;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tdata.audit_status =\n\t\t\t\t\t\t\t\"VERIFIED: ZK-Receipt & ImageID Mathematically Verified by LiopMcpBridge\";\n\t\t\t\t\t\tresult.content[0].text = JSON.stringify(data);\n\t\t\t\t\t}\n\t\t\t\t} catch {\n\t\t\t\t\t// Output not JSON\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn true;\n\t\t} catch (e) {\n\t\t\tlog.info(\"[LIOP-Bridge] ZK-Verifier Failure:\", e);\n\t\t\treturn false;\n\t\t}\n\t}\n\n\t/**\n\t * Connects the bridge via stdio or Mesh depending on mode.\n\t */\n\tpublic async connect(): Promise<void> {\n\t\t// In WRAP mode, we actually need to create a LiopServer and join the mesh\n\t\tif (this.legacyMcpServer) {\n\t\t\tconst { LiopServer } = await import(\"../server/index.js\");\n\t\t\tthis.liopServer = new LiopServer(\n\t\t\t\tthis.options.serverInfo || {\n\t\t\t\t\tname: \"liop-bridge\",\n\t\t\t\t\tversion: \"1.0.0\",\n\t\t\t\t},\n\t\t\t\t{ security: this.options.security },\n\t\t\t);\n\n\t\t\tif (this.options.publishToMesh) {\n\t\t\t\tawait this.liopServer.connect();\n\n\t\t\t\t// Automatically Bridge Legacy Capabilities to LIOP Mesh\n\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Internal legacy MCP properties are completely opaque and unexported\n\t\t\t\tconst legacy = this.legacyMcpServer as any;\n\n\t\t\t\t// 1. Sync Tools\n\t\t\t\tif (legacy._registeredTools) {\n\t\t\t\t\tfor (const [name, tool] of Object.entries(legacy._registeredTools)) {\n\t\t\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Opaque legacy structure\n\t\t\t\t\t\tconst t = tool as any;\n\t\t\t\t\t\tthis.liopServer.tool(\n\t\t\t\t\t\t\tname,\n\t\t\t\t\t\t\tt.description || \"\",\n\t\t\t\t\t\t\tt.inputSchema || {},\n\t\t\t\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Opaque legacy callback args\n\t\t\t\t\t\t\tasync (args: any) => {\n\t\t\t\t\t\t\t\treturn await t.handler(args);\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// 2. Sync Resources\n\t\t\t\tif (legacy._registeredResources) {\n\t\t\t\t\tfor (const [uri, resource] of Object.entries(\n\t\t\t\t\t\tlegacy._registeredResources,\n\t\t\t\t\t)) {\n\t\t\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Opaque legacy structure\n\t\t\t\t\t\tconst r = resource as any;\n\t\t\t\t\t\tthis.liopServer.resource(\n\t\t\t\t\t\t\tr.name,\n\t\t\t\t\t\t\turi,\n\t\t\t\t\t\t\tr.metadata?.description || \"\",\n\t\t\t\t\t\t\tr.metadata?.mimeType || \"application/octet-stream\",\n\t\t\t\t\t\t\tasync () => {\n\t\t\t\t\t\t\t\tconst res = await r.readCallback(new URL(uri));\n\t\t\t\t\t\t\t\treturn res.contents[0].text;\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn;\n\t\t}\n\n\t\t// In EXPOSE mode, listen to stdio (Claude Desktop)\n\t\tconst readline = await import(\"node:readline\");\n\t\tconst rl = readline.createInterface({\n\t\t\tinput: process.stdin,\n\t\t\toutput: process.stdout,\n\t\t\tterminal: false,\n\t\t});\n\n\t\tconst shutdown = async () => {\n\t\t\tlog.info(\"[LIOP-Bridge] Disconnecting session...\");\n\t\t\tif (this.liopServer) await this.liopServer.close();\n\t\t\tprocess.exit(0);\n\t\t};\n\n\t\trl.on(\"close\", shutdown);\n\t\tprocess.on(\"SIGINT\", shutdown);\n\t\tprocess.on(\"SIGTERM\", shutdown);\n\n\t\trl.on(\"line\", async (line) => {\n\t\t\tif (!line.trim()) return;\n\t\t\ttry {\n\t\t\t\tconst payload = JSON.parse(line);\n\t\t\t\tconst response = await this.handleJsonRpcRequest(payload);\n\t\t\t\tif (response) {\n\t\t\t\t\tprocess.stdout.write(`${JSON.stringify(response)}\\n`);\n\t\t\t\t}\n\t\t\t} catch (e: unknown) {\n\t\t\t\tlog.error(`[LIOP-Bridge] Error: ${(e as Error).message}`);\n\t\t\t}\n\t\t});\n\t}\n}\n\nexport * from \"./stream.js\";\n"]}
1
+ {"version":3,"sources":["../src/bridge/stream.ts","../src/bridge/index.ts"],"names":["DEFAULT_MAX_SESSIONS_PER_IP","DEFAULT_SESSION_TIMEOUT_MS","EVICTION_INTERVAL_MS","LiopStreamBridge","internalServer","options","Hono","LiopMcpBridge","clientIp","WebStandardStreamableHTTPServerTransport","transport","randomUUID","sessionId","log","message","entry","result","err","ip","count","c","now","cors","next","auth","expectedToken","existing","response","currentSessions","port","listenPort","resolve","serve","info","id","source","payload","method","params","tools","resources","prompts","request","code","contentText","data","LiopVerifier","e","LiopServer","legacy","name","tool","t","args","uri","resource","r","rl","shutdown","line"],"mappings":"+JA6BA,IAAMA,EAA8B,EAAA,CAC9BC,CAAAA,CAA6B,IAAA,CAAU,GAAA,CACvCC,EAAuB,EAAA,CAAK,GAAA,CAgBrBC,CAAAA,CAAN,KAAuB,CAS7B,WAAA,CACCC,CAAAA,CACQC,CAAAA,CAAmC,GAC1C,CADO,IAAA,CAAA,OAAA,CAAAA,EAER,IAAA,CAAK,GAAA,CAAM,IAAIC,IAAAA,CACf,IAAA,CAAK,WAAA,CAAc,IAAIC,EAAcH,CAAc,CAAA,CACnD,IAAA,CAAK,cAAA,CAAiB,IAAI,GAAA,CAC1B,IAAA,CAAK,gBAAA,CACJC,CAAAA,CAAQ,kBAAoBL,CAAAA,CAC7B,IAAA,CAAK,iBACJK,CAAAA,CAAQ,gBAAA,EAAoBJ,EAE7B,IAAA,CAAK,WAAA,GACN,CArBQ,IACA,UAAA,CAA8C,IAAA,CAC9C,WAAA,CACA,cAAA,CACA,cAAuD,IAAA,CACvD,gBAAA,CACA,gBAAA,CAoBR,MAAc,uBACbO,CAAAA,CACoD,CACpD,GAAM,CAAE,wCAAA,CAAAC,CAAyC,CAAA,CAAI,MAAM,OAC1D,+DACD,EACMC,CAAAA,CAAY,IAAID,CAAAA,CAAyC,CAC9D,mBAAoB,IAAME,UAAAA,EAAW,CACrC,oBAAA,CAAuBC,GAAsB,CAC5C,IAAA,CAAK,eAAe,GAAA,CAAIA,CAAAA,CAAW,CAClC,SAAA,CAAAF,CAAAA,CACA,YAAA,CAAc,IAAA,CAAK,KAAI,CACvB,QAAA,CAAAF,CACD,CAAC,EACDK,CAAAA,CAAI,IAAA,CACH,CAAA,oCAAA,EAAuCD,CAAS,SAASJ,CAAQ,CAAA,CAAA,CAClE,EACD,CACD,CAAC,EAGD,OAAAE,CAAAA,CAAU,SAAA,CAAY,MAAOI,GAA4B,CAExD,GAAIJ,CAAAA,CAAU,SAAA,CAAW,CACxB,IAAMK,CAAAA,CAAQ,IAAA,CAAK,cAAA,CAAe,IAAIL,CAAAA,CAAU,SAAS,EACrDK,CAAAA,GAAOA,CAAAA,CAAM,aAAe,IAAA,CAAK,GAAA,EAAI,EAC1C,CAEA,GAAI,CACH,IAAMC,CAAAA,CAAS,MAAM,KAAK,WAAA,CAAY,oBAAA,CACrCF,CACD,CAAA,CAEIE,IAAW,KAAA,CAAA,EACd,MAAMN,EAAU,IAAA,CAAKM,CAAwB,EAE/C,CAAA,MAASC,CAAAA,CAAc,CACtBJ,CAAAA,CAAI,KAAK,qCAAA,CAAwCI,CAAAA,CAAc,OAAO,EACvE,CACD,CAAA,CAEAP,CAAAA,CAAU,OAAA,CAAU,IAAM,CACrBA,CAAAA,CAAU,SAAA,GACb,KAAK,cAAA,CAAe,MAAA,CAAOA,EAAU,SAAS,CAAA,CAC9CG,CAAAA,CAAI,IAAA,CAAK,uCAAuCH,CAAAA,CAAU,SAAS,CAAA,CAAE,CAAA,EAEvE,EAEOA,CACR,CAKQ,iBAAA,CAAkBQ,CAAAA,CAAoB,CAC7C,IAAIC,CAAAA,CAAQ,EACZ,IAAA,IAAWJ,CAAAA,IAAS,KAAK,cAAA,CAAe,MAAA,EAAO,CAC1CA,CAAAA,CAAM,WAAaG,CAAAA,EAAIC,CAAAA,EAAAA,CAE5B,OAAOA,CACR,CAKQ,WAAA,CAAYC,CAAAA,CAET,CACV,OACCA,EAAE,GAAA,CAAI,MAAA,CAAO,iBAAiB,CAAA,EAAG,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,EAAG,IAAA,IAChDA,CAAAA,CAAE,GAAA,CAAI,MAAA,CAAO,WAAW,GACxB,SAEF,CAKQ,iBAAA,EAA0B,CACjC,IAAMC,CAAAA,CAAM,IAAA,CAAK,KAAI,CACrB,IAAA,GAAW,CAACT,CAAAA,CAAWG,CAAK,CAAA,GAAK,IAAA,CAAK,eACjCM,CAAAA,CAAMN,CAAAA,CAAM,YAAA,CAAe,IAAA,CAAK,mBACnCF,CAAAA,CAAI,IAAA,CAAK,CAAA,2CAAA,EAA8CD,CAAS,EAAE,CAAA,CAClEG,CAAAA,CAAM,UAAU,KAAA,EAAM,CAAE,MAAM,IAAM,CAEpC,CAAC,CAAA,CACD,KAAK,cAAA,CAAe,MAAA,CAAOH,CAAS,CAAA,EAGvC,CAEQ,WAAA,EAAc,CACrB,IAAA,CAAK,GAAA,CAAI,IAAI,GAAA,CAAKU,IAAAA,EAAM,CAAA,CAGnB,OAAA,CAAQ,IAAI,gBAAA,GAChB,OAAA,CAAQ,GAAA,CAAI,gBAAA,CAAmBX,YAAW,CAC1CE,CAAAA,CAAI,IAAA,CAAK,GAAA,CAAI,OAAO,EAAE,CAAC,CAAA,CACvBA,CAAAA,CAAI,KAAK,0DAAsC,CAAA,CAC/CA,EAAI,IAAA,CAAK,2CAA2C,EACpDA,CAAAA,CAAI,IAAA,CAAK,+DAA+D,CAAA,CACxEA,EAAI,IAAA,CAAK,CAAA,OAAA,EAAU,QAAQ,GAAA,CAAI,gBAAgB,EAAE,CAAA,CACjDA,CAAAA,CAAI,IAAA,CAAK,GAAA,CAAI,OAAO,EAAE,CAAC,GAIxB,IAAA,CAAK,GAAA,CAAI,IAAI,MAAA,CAAQ,MAAOO,CAAAA,CAAGG,CAAAA,GAAS,CACvC,IAAMC,CAAAA,CAAOJ,CAAAA,CAAE,GAAA,CAAI,OAAO,eAAe,CAAA,CAEnCK,CAAAA,CAAgB,OAAA,CAAQ,IAAI,gBAAA,CAClC,GACC,CAACD,CAAAA,EAAM,UAAA,CAAW,SAAS,CAAA,EAC3BA,CAAAA,CAAK,KAAA,CAAM,GAAG,EAAE,CAAC,CAAA,GAAMC,CAAAA,CAEvB,OAAAZ,EAAI,IAAA,CACH,sEACD,CAAA,CACOO,CAAAA,CAAE,KACR,CAAE,KAAA,CAAO,+CAAgD,CAAA,CACzD,GACD,EAGD,MAAMG,CAAAA,GACP,CAAC,EAGD,IAAA,CAAK,GAAA,CAAI,GAAA,CAAI,MAAA,CAAQ,MAAOH,CAAAA,EAAM,CACjC,IAAMR,CAAAA,CAAYQ,EAAE,GAAA,CAAI,MAAA,CAAO,gBAAgB,CAAA,CAG/C,GAAIR,EAAW,CACd,IAAMc,CAAAA,CAAW,IAAA,CAAK,eAAe,GAAA,CAAId,CAAS,CAAA,CAClD,GAAI,CAACc,CAAAA,CACJ,OAAON,CAAAA,CAAE,IAAA,CAAK,CAAE,KAAA,CAAO,mBAAoB,EAAG,GAAG,CAAA,CAGlDM,EAAS,YAAA,CAAe,IAAA,CAAK,GAAA,EAAI,CAEjC,IAAMC,CAAAA,CAAW,MAAMD,CAAAA,CAAS,SAAA,CAAU,cAAcN,CAAAA,CAAE,GAAA,CAAI,GAAG,CAAA,CAIjE,OAAIA,CAAAA,CAAE,GAAA,CAAI,SAAW,QAAA,GACpB,IAAA,CAAK,eAAe,MAAA,CAAOR,CAAS,CAAA,CACpCC,CAAAA,CAAI,KAAK,CAAA,6CAAA,EAAgDD,CAAS,CAAA,CAAE,CAAA,CAAA,CAG9De,CACR,CAIA,IAAMnB,CAAAA,CAAW,IAAA,CAAK,YAAYY,CAAC,CAAA,CAC7BQ,EAAkB,IAAA,CAAK,iBAAA,CAAkBpB,CAAQ,CAAA,CACvD,OAAIoB,CAAAA,EAAmB,IAAA,CAAK,kBAC3Bf,CAAAA,CAAI,IAAA,CACH,CAAA,2CAAA,EAA8CL,CAAQ,KAAKoB,CAAe,CAAA,UAAA,CAC3E,CAAA,CACOR,CAAAA,CAAE,KAAK,CAAE,KAAA,CAAO,wCAAyC,CAAA,CAAG,GAAG,GAIhE,KAAA,CADW,MAAM,IAAA,CAAK,sBAAA,CAAuBZ,CAAQ,CAAA,EACrC,aAAA,CAAcY,EAAE,GAAA,CAAI,GAAG,CAC/C,CAAC,EACF,CAKA,MAAa,MAAMS,CAAAA,CAA8B,CAChD,IAAMC,CAAAA,CAAaD,CAAAA,EAAQ,KAAK,OAAA,CAAQ,IAAA,EAAQ,GAAA,CAGhD,OAAA,IAAA,CAAK,cAAgB,WAAA,CACpB,IAAM,IAAA,CAAK,iBAAA,GACX3B,CACD,CAAA,CAEO,IAAI,OAAA,CAAS6B,GAAY,CAC/B,IAAA,CAAK,WAAaC,KAAAA,CACjB,CACC,MAAO,IAAA,CAAK,GAAA,CAAI,KAAA,CAChB,IAAA,CAAMF,CACP,CAAA,CACCG,CAAAA,EAAS,CACTpB,CAAAA,CAAI,KACH,CAAA,gEAAA,EAAmEoB,CAAAA,CAAK,IAAI,CAAA,IAAA,CAC7E,EACAF,CAAAA,GACD,CACD,EACD,CAAC,CACF,CAKA,MAAa,IAAA,EAAsB,CAC9B,KAAK,aAAA,GACR,aAAA,CAAc,IAAA,CAAK,aAAa,EAChC,IAAA,CAAK,aAAA,CAAgB,IAAA,CAAA,CAGtB,IAAA,GAAW,CAACG,CAAAA,CAAInB,CAAK,IAAK,IAAA,CAAK,cAAA,CAC9B,MAAMA,CAAAA,CAAM,SAAA,CAAU,KAAA,EAAM,CAC5B,KAAK,cAAA,CAAe,MAAA,CAAOmB,CAAE,CAAA,CAG1B,KAAK,UAAA,GACR,IAAA,CAAK,UAAA,CAAW,KAAA,GAChBrB,CAAAA,CAAI,IAAA,CAAK,0CAA0C,CAAA,EAErD,CACD,EC5QO,IAAMN,CAAAA,CAAN,KAAoB,CAG1B,YAEC4B,CAAAA,CACQ9B,CAAAA,CAA6B,EAAC,CACrC,CADO,IAAA,CAAA,OAAA,CAAAA,CAAAA,CAIJ8B,CAAAA,EAAQ,WAAA,EAAa,OAAS,YAAA,EACjC,IAAA,CAAK,WAAaA,CAAAA,CAClBtB,CAAAA,CAAI,KAAK,gDAAgD,CAAA,EAC/CsB,CAAAA,EAAQ,WAAA,EAAa,OAAS,WAAA,EACxC,IAAA,CAAK,eAAA,CAAkBA,CAAAA,CACvBtB,EAAI,IAAA,CAAK,oDAAoD,CAAA,GAG7D,IAAA,CAAK,gBAAkBsB,CAAAA,CACvBtB,CAAAA,CAAI,KAAK,6DAA6D,CAAA,EAExE,CApBQ,UAAA,CAAgC,IAAA,CAChC,eAAA,CAAoC,IAAA,CAyB5C,MAAa,oBAAA,CACZuB,CAAAA,CACmB,CACnB,IAAMF,EAAKE,CAAAA,CAAQ,EAAA,CACbC,CAAAA,CAASD,CAAAA,CAAQ,OACjBE,CAAAA,CAASF,CAAAA,CAAQ,OAEvB,OAAIA,CAAAA,CAAQ,UAAY,KAAA,CAChB,IAAA,CAAK,aAAA,CAAcF,CAAAA,CAAI,OAAQ,iBAAiB,CAAA,CAIpD,KAAK,UAAA,CACD,IAAA,CAAK,gBAAgBA,CAAAA,CAAIG,CAAAA,CAAQC,CAAM,CAAA,CAI3C,KAAK,eAAA,EAAmB,IAAA,CAAK,WACzB,IAAA,CAAK,eAAA,CAAgBJ,EAAIG,CAAAA,CAAQC,CAAM,CAAA,CAGxC,IAAA,CAAK,cAAcJ,CAAAA,CAAI,MAAA,CAAQ,8BAA8B,CACrE,CAEA,MAAc,eAAA,CACbA,CAAAA,CACAG,CAAAA,CACAC,EACmB,CACnB,GAAI,CAAC,IAAA,CAAK,UAAA,CAAY,OAAO,IAAA,CAE7B,GAAID,CAAAA,GAAW,YAAA,CACd,OAAO,IAAA,CAAK,eAAA,CAAgBH,CAAAA,CAAI,CAC/B,gBAAiB,YAAA,CACjB,YAAA,CAAc,CACb,OAAA,CAAS,EAAC,CACV,SAAA,CAAW,EAAC,CACZ,KAAA,CAAO,EACR,CAAA,CACA,UAAA,CAAY,IAAA,CAAK,WAAW,aAAA,EAC7B,CAAC,CAAA,CAGF,GAAIG,CAAAA,GAAW,2BAAA,CACf,CAAA,GAAIA,CAAAA,GAAW,OAAQ,OAAO,IAAA,CAAK,gBAAgBH,CAAAA,CAAI,EAAE,CAAA,CAEzD,GAAIG,CAAAA,GAAW,YAAA,CAAc,CAC5B,IAAME,CAAAA,CAAQ,IAAA,CAAK,UAAA,CAAW,WAAU,CACxC,OAAO,IAAA,CAAK,eAAA,CAAgBL,EAAI,CAAE,KAAA,CAAAK,CAAM,CAAC,CAC1C,CAEA,GAAIF,CAAAA,GAAW,gBAAA,CAAkB,CAChC,IAAMG,CAAAA,CAAY,IAAA,CAAK,UAAA,CAAW,aAAA,GAClC,OAAO,IAAA,CAAK,eAAA,CAAgBN,CAAAA,CAAI,CAAE,SAAA,CAAAM,CAAU,CAAC,CAC9C,CAEA,GAAIH,CAAAA,GAAW,cAAA,CAAgB,CAC9B,IAAMI,EAAU,IAAA,CAAK,UAAA,CAAW,WAAA,EAAY,CAC5C,OAAO,IAAA,CAAK,eAAA,CAAgBP,CAAAA,CAAI,CAAE,QAAAO,CAAQ,CAAC,CAC5C,CAEA,GAAIJ,IAAW,aAAA,CAAe,CAC7B,GAAI,CAACC,GAAQ,IAAA,CACZ,OAAO,IAAA,CAAK,aAAA,CAAcJ,EAAI,MAAA,CAAQ,qBAAqB,CAAA,CAE5D,GAAI,CACH,IAAMlB,CAAAA,CAAS,MAAM,IAAA,CAAK,UAAA,CAAW,UAAU,CAC9C,IAAA,CAAMsB,CAAAA,CAAO,IAAA,CACb,UAAWA,CAAAA,CAAO,SACnB,CAAC,CAAA,CACD,OAAO,KAAK,eAAA,CAAgBJ,CAAAA,CAAIlB,CAAM,CACvC,OAASC,CAAAA,CAAc,CACtB,OAAO,IAAA,CAAK,aAAA,CAAciB,EAAI,KAAA,CAASjB,CAAAA,CAAc,OAAO,CAC7D,CACD,CAEA,GAAIoB,CAAAA,GAAW,gBAAA,CAAkB,CAChC,GAAI,CAACC,CAAAA,EAAQ,GAAA,CACZ,OAAO,IAAA,CAAK,aAAA,CAAcJ,EAAI,MAAA,CAAQ,sBAAsB,EAE7D,GAAI,CACH,IAAMlB,CAAAA,CAAS,MAAM,IAAA,CAAK,UAAA,CAAW,YAAA,CAAasB,CAAAA,CAAO,GAAa,CAAA,CACtE,OAAO,IAAA,CAAK,eAAA,CAAgBJ,EAAIlB,CAAM,CACvC,OAASC,CAAAA,CAAc,CACtB,OAAO,IAAA,CAAK,aAAA,CAAciB,CAAAA,CAAI,KAAA,CAASjB,EAAc,OAAO,CAC7D,CACD,CAEA,GAAIoB,CAAAA,GAAW,YAAA,CAAc,CAC5B,GAAI,CAACC,CAAAA,EAAQ,IAAA,CACZ,OAAO,IAAA,CAAK,aAAA,CAAcJ,EAAI,MAAA,CAAQ,mBAAmB,CAAA,CAE1D,IAAMQ,EAA2B,CAChC,IAAA,CAAMJ,CAAAA,CAAO,IAAA,CACb,UAAYA,CAAAA,CAAO,SAAA,EAAyC,EAC7D,EAEA,GAAI,CACH,IAAMtB,CAAAA,CAAyB,MAAM,KAAK,UAAA,CAAW,QAAA,CAAS0B,CAAO,CAAA,CAOrE,QAJmB1B,CAAAA,CAAO,OAAA,CACvB,CAAA,CAAA,CACA,MAAM,KAAK,eAAA,CAAgB0B,CAAAA,CAAS1B,CAAM,CAAA,EActC,KAAK,eAAA,CAAgBkB,CAAAA,CAAIlB,CAAM,CAAA,CAX9B,IAAA,CAAK,gBAAgBkB,CAAAA,CAAI,CAC/B,OAAA,CAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CAAM,sHACP,CACD,CAAA,CACA,OAAA,CAAS,CAAA,CACV,CAAC,CAIH,CAAA,MAASjB,CAAAA,CAAc,CACtB,OAAO,IAAA,CAAK,cAAciB,CAAAA,CAAI,KAAA,CAASjB,CAAAA,CAAc,OAAO,CAC7D,CACD,CAEA,OAAO,IAAA,CAAK,cAAciB,CAAAA,CAAI,MAAA,CAAQ,kBAAkB,CAAA,CACzD,CAEQ,eAAA,CACPA,CAAAA,CACAlB,EACC,CACD,OAAO,CAAE,OAAA,CAAS,KAAA,CAAO,EAAA,CAAAkB,CAAAA,CAAI,OAAAlB,CAAO,CACrC,CAEQ,aAAA,CAAckB,CAAAA,CAAqBS,EAAc7B,CAAAA,CAAiB,CACzE,OAAO,CAAE,QAAS,KAAA,CAAO,EAAA,CAAAoB,EAAI,KAAA,CAAO,CAAE,KAAAS,CAAAA,CAAM,OAAA,CAAA7B,CAAQ,CAAE,CACvD,CAEA,MAAc,eAAA,CACb4B,CAAAA,CACA1B,EACmB,CACnB,GACC,CAAC0B,CAAAA,CAAQ,WAAW,OAAA,EACpB,OAAOA,EAAQ,SAAA,CAAU,OAAA,EAAY,SAErC,OAAO,KAAA,CAGR,GAAI,CACH,IAAMN,CAAAA,CAAUM,CAAAA,CAAQ,SAAA,CAAU,OAAA,CAC5BE,EAAc5B,CAAAA,CAAO,OAAA,CAAQ,CAAC,CAAA,EAAG,KAEvC,GAAI4B,CAAAA,EAAe,OAAOA,CAAAA,EAAgB,QAAA,CACzC,GAAI,CACH,IAAMC,CAAAA,CAAO,IAAA,CAAK,MAAMD,CAAW,CAAA,CAEnC,GAAIC,CAAAA,CAAK,UAAYA,CAAAA,CAAK,UAAA,CAAY,CAErC,GAAM,CAAE,YAAA,CAAAC,CAAa,EAAI,MAAM,OAAO,wBAAuB,CAAA,CAU7D,GAAI,CANgB,MAHH,IAAIA,CAAAA,EAAa,CAGC,eAAA,CAClC,MAAA,CAAO,KAAKV,CAAAA,CAAS,OAAO,CAAA,CAC5BS,CAAAA,CAAK,SACL,MAAA,CAAO,IAAA,CAAKA,EAAK,UAAA,EAAc,EAAA,CAAI,QAAQ,CAC5C,CAAA,CAGC,OAAO,CAAA,CAAA,CAGRA,EAAK,YAAA,CACJ,yEAAA,CACD7B,CAAAA,CAAO,OAAA,CAAQ,CAAC,CAAA,CAAE,IAAA,CAAO,IAAA,CAAK,SAAA,CAAU6B,CAAI,EAC7C,CACD,MAAQ,CAER,CAED,OAAO,CAAA,CACR,CAAA,MAASE,CAAAA,CAAG,CACX,OAAAlC,CAAAA,CAAI,IAAA,CAAK,oCAAA,CAAsCkC,CAAC,EACzC,KACR,CACD,CAKA,MAAa,SAAyB,CAErC,GAAI,KAAK,eAAA,CAAiB,CACzB,GAAM,CAAE,UAAA,CAAAC,CAAW,CAAA,CAAI,MAAM,OAAO,aAAoB,CAAA,CASxD,GARA,KAAK,UAAA,CAAa,IAAIA,CAAAA,CACrB,IAAA,CAAK,QAAQ,UAAA,EAAc,CAC1B,KAAM,aAAA,CACN,OAAA,CAAS,OACV,CAAA,CACA,CAAE,QAAA,CAAU,IAAA,CAAK,QAAQ,QAAS,CACnC,EAEI,IAAA,CAAK,OAAA,CAAQ,cAAe,CAC/B,MAAM,IAAA,CAAK,UAAA,CAAW,SAAQ,CAI9B,IAAMC,EAAS,IAAA,CAAK,eAAA,CAGpB,GAAIA,CAAAA,CAAO,gBAAA,CACV,IAAA,GAAW,CAACC,EAAMC,CAAI,CAAA,GAAK,MAAA,CAAO,OAAA,CAAQF,EAAO,gBAAgB,CAAA,CAAG,CAEnE,IAAMG,EAAID,CAAAA,CACV,IAAA,CAAK,WAAW,IAAA,CACfD,CAAAA,CACAE,EAAE,WAAA,EAAe,EAAA,CACjBA,CAAAA,CAAE,WAAA,EAAe,EAAC,CAElB,MAAOC,CAAAA,EACC,MAAMD,EAAE,OAAA,CAAQC,CAAI,CAE7B,EACD,CAID,GAAIJ,CAAAA,CAAO,qBACV,IAAA,GAAW,CAACK,EAAKC,CAAQ,CAAA,GAAK,MAAA,CAAO,OAAA,CACpCN,EAAO,oBACR,CAAA,CAAG,CAEF,IAAMO,EAAID,CAAAA,CACV,IAAA,CAAK,UAAA,CAAW,QAAA,CACfC,EAAE,IAAA,CACFF,CAAAA,CACAE,EAAE,QAAA,EAAU,WAAA,EAAe,GAC3BA,CAAAA,CAAE,QAAA,EAAU,QAAA,EAAY,0BAAA,CACxB,UACa,MAAMA,CAAAA,CAAE,YAAA,CAAa,IAAI,IAAIF,CAAG,CAAC,CAAA,EAClC,QAAA,CAAS,CAAC,CAAA,CAAE,IAEzB,EACD,CAEF,CACA,MACD,CAIA,IAAMG,CAAAA,CAAAA,CADW,aAAa,UAAe,CAAA,EACzB,eAAA,CAAgB,CACnC,MAAO,OAAA,CAAQ,KAAA,CACf,MAAA,CAAQ,OAAA,CAAQ,OAChB,QAAA,CAAU,KACX,CAAC,CAAA,CAEKC,CAAAA,CAAW,SAAY,CAC5B7C,CAAAA,CAAI,IAAA,CAAK,wCAAwC,EAC7C,IAAA,CAAK,UAAA,EAAY,MAAM,IAAA,CAAK,WAAW,KAAA,EAAM,CACjD,OAAA,CAAQ,IAAA,CAAK,CAAC,EACf,CAAA,CAEA4C,EAAG,EAAA,CAAG,OAAA,CAASC,CAAQ,CAAA,CACvB,OAAA,CAAQ,EAAA,CAAG,QAAA,CAAUA,CAAQ,CAAA,CAC7B,OAAA,CAAQ,EAAA,CAAG,SAAA,CAAWA,CAAQ,CAAA,CAE9BD,CAAAA,CAAG,EAAA,CAAG,MAAA,CAAQ,MAAOE,CAAAA,EAAS,CAC7B,GAAKA,CAAAA,CAAK,IAAA,GACV,GAAI,CACH,IAAMvB,CAAAA,CAAU,KAAK,KAAA,CAAMuB,CAAI,EACzBhC,CAAAA,CAAW,MAAM,KAAK,oBAAA,CAAqBS,CAAO,CAAA,CACpDT,CAAAA,EACH,QAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,IAAA,CAAK,SAAA,CAAUA,CAAQ,CAAC;AAAA,CAAI,EAEtD,CAAA,MAASoB,CAAAA,CAAY,CACpBlC,EAAI,KAAA,CAAM,CAAA,qBAAA,EAAyBkC,CAAAA,CAAY,OAAO,CAAA,CAAE,EACzD,CACD,CAAC,EACF,CACD","file":"chunk-GYK2HORK.js","sourcesContent":["import { randomUUID } from \"node:crypto\";\nimport { serve } from \"@hono/node-server\";\nimport type { WebStandardStreamableHTTPServerTransport } from \"@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js\";\nimport type { JSONRPCMessage } from \"@modelcontextprotocol/sdk/types.js\";\nimport { Hono } from \"hono\";\nimport { cors } from \"hono/cors\";\nimport type { LiopServer } from \"../server/index.js\";\nimport { log } from \"../utils/logger.js\";\nimport { LiopMcpBridge } from \"./index.js\";\n\n/**\n * Configuration options for LiopStreamBridge.\n */\nexport interface LiopStreamBridgeOptions {\n\t/** Port to listen on (default: 3000) */\n\tport?: number;\n\t/** Max concurrent sessions per IP (default: 5) */\n\tmaxSessionsPerIp?: number;\n\t/** Session idle timeout in milliseconds (default: 30 min) */\n\tsessionTimeoutMs?: number;\n}\n\n/** Internal metadata for tracked sessions */\ninterface SessionEntry {\n\ttransport: WebStandardStreamableHTTPServerTransport;\n\tlastActivity: number;\n\tclientIp: string;\n}\n\nconst DEFAULT_MAX_SESSIONS_PER_IP = 10;\nconst DEFAULT_SESSION_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes\nconst EVICTION_INTERVAL_MS = 60 * 1000; // Check every minute\n\n/**\n * LiopStreamBridge\n *\n * Exposes a LiopServer over a remote HTTP network using the industry-standard\n * MCP Streamable HTTP Transport + Hono JS.\n *\n * Supports concurrent multi-client connections via per-session transport instances (Map pattern).\n * External agents connect using only a URL + Bearer Token (Zero-Trust).\n *\n * Security hardening:\n * - Zero-Trust Bearer Token enforcement\n * - Per-IP rate limiting on session creation\n * - Automatic eviction of idle sessions (TTL)\n */\nexport class LiopStreamBridge {\n\tprivate app: Hono;\n\tprivate httpServer: ReturnType<typeof serve> | null = null;\n\tprivate bridgeLogic: LiopMcpBridge;\n\tprivate activeSessions: Map<string, SessionEntry>;\n\tprivate evictionTimer: ReturnType<typeof setInterval> | null = null;\n\tprivate maxSessionsPerIp: number;\n\tprivate sessionTimeoutMs: number;\n\n\tconstructor(\n\t\tinternalServer: LiopServer,\n\t\tprivate options: LiopStreamBridgeOptions = {},\n\t) {\n\t\tthis.app = new Hono();\n\t\tthis.bridgeLogic = new LiopMcpBridge(internalServer);\n\t\tthis.activeSessions = new Map();\n\t\tthis.maxSessionsPerIp =\n\t\t\toptions.maxSessionsPerIp ?? DEFAULT_MAX_SESSIONS_PER_IP;\n\t\tthis.sessionTimeoutMs =\n\t\t\toptions.sessionTimeoutMs ?? DEFAULT_SESSION_TIMEOUT_MS;\n\n\t\tthis.setupRoutes();\n\t}\n\n\t/**\n\t * Creates a new per-session transport instance and wires it to the LIOPMcpBridge logic.\n\t */\n\tprivate async createSessionTransport(\n\t\tclientIp: string,\n\t): Promise<WebStandardStreamableHTTPServerTransport> {\n\t\tconst { WebStandardStreamableHTTPServerTransport } = await import(\n\t\t\t\"@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js\"\n\t\t);\n\t\tconst transport = new WebStandardStreamableHTTPServerTransport({\n\t\t\tsessionIdGenerator: () => randomUUID(),\n\t\t\tonsessioninitialized: (sessionId: string) => {\n\t\t\t\tthis.activeSessions.set(sessionId, {\n\t\t\t\t\ttransport,\n\t\t\t\t\tlastActivity: Date.now(),\n\t\t\t\t\tclientIp,\n\t\t\t\t});\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-StreamBridge] Session opened: ${sessionId} (IP: ${clientIp})`,\n\t\t\t\t);\n\t\t\t},\n\t\t});\n\n\t\t// Wire the transport's incoming messages to the LiopMcpBridge JSON-RPC router\n\t\ttransport.onmessage = async (message: JSONRPCMessage) => {\n\t\t\t// Touch activity timestamp on every message\n\t\t\tif (transport.sessionId) {\n\t\t\t\tconst entry = this.activeSessions.get(transport.sessionId);\n\t\t\t\tif (entry) entry.lastActivity = Date.now();\n\t\t\t}\n\n\t\t\ttry {\n\t\t\t\tconst result = await this.bridgeLogic.handleJsonRpcRequest(\n\t\t\t\t\tmessage as unknown as Record<string, unknown>,\n\t\t\t\t);\n\t\t\t\t// Notifications return undefined — no response needed\n\t\t\t\tif (result !== undefined) {\n\t\t\t\t\tawait transport.send(result as JSONRPCMessage);\n\t\t\t\t}\n\t\t\t} catch (err: unknown) {\n\t\t\t\tlog.info(\"[LIOP-StreamBridge] JSON-RPC error:\", (err as Error).message);\n\t\t\t}\n\t\t};\n\n\t\ttransport.onclose = () => {\n\t\t\tif (transport.sessionId) {\n\t\t\t\tthis.activeSessions.delete(transport.sessionId);\n\t\t\t\tlog.info(`[LIOP-StreamBridge] Session closed: ${transport.sessionId}`);\n\t\t\t}\n\t\t};\n\n\t\treturn transport;\n\t}\n\n\t/**\n\t * Returns the number of active sessions for a given IP.\n\t */\n\tprivate countSessionsByIp(ip: string): number {\n\t\tlet count = 0;\n\t\tfor (const entry of this.activeSessions.values()) {\n\t\t\tif (entry.clientIp === ip) count++;\n\t\t}\n\t\treturn count;\n\t}\n\n\t/**\n\t * Extracts client IP from the request (supports X-Forwarded-For for reverse proxies).\n\t */\n\tprivate getClientIp(c: {\n\t\treq: { header: (name: string) => string | undefined };\n\t}): string {\n\t\treturn (\n\t\t\tc.req.header(\"x-forwarded-for\")?.split(\",\")[0]?.trim() ||\n\t\t\tc.req.header(\"x-real-ip\") ||\n\t\t\t\"unknown\"\n\t\t);\n\t}\n\n\t/**\n\t * Evicts sessions that have been idle longer than the configured timeout.\n\t */\n\tprivate evictIdleSessions(): void {\n\t\tconst now = Date.now();\n\t\tfor (const [sessionId, entry] of this.activeSessions) {\n\t\t\tif (now - entry.lastActivity > this.sessionTimeoutMs) {\n\t\t\t\tlog.info(`[LIOP-StreamBridge] Evicting idle session: ${sessionId}`);\n\t\t\t\tentry.transport.close().catch(() => {\n\t\t\t\t\t/* Swallow close errors */\n\t\t\t\t});\n\t\t\t\tthis.activeSessions.delete(sessionId);\n\t\t\t}\n\t\t}\n\t}\n\n\tprivate setupRoutes() {\n\t\tthis.app.use(\"*\", cors());\n\n\t\t// Initialize strict zero-trust token if not provided\n\t\tif (!process.env.ZERO_TRUST_TOKEN) {\n\t\t\tprocess.env.ZERO_TRUST_TOKEN = randomUUID();\n\t\t\tlog.info(\"=\".repeat(60));\n\t\t\tlog.info(\"⚠️ STRICT ZERO-TRUST MODE ENABLED ⚠️\");\n\t\t\tlog.info(\"No ZERO_TRUST_TOKEN found in environment.\");\n\t\t\tlog.info(\"A secure ephemeral token has been generated for this session:\");\n\t\t\tlog.info(`Token: ${process.env.ZERO_TRUST_TOKEN}`);\n\t\t\tlog.info(\"=\".repeat(60));\n\t\t}\n\n\t\t// ZTA (Zero-Trust Architecture) Security Middleware\n\t\tthis.app.use(\"/mcp\", async (c, next) => {\n\t\t\tconst auth = c.req.header(\"Authorization\");\n\n\t\t\tconst expectedToken = process.env.ZERO_TRUST_TOKEN;\n\t\t\tif (\n\t\t\t\t!auth?.startsWith(\"Bearer \") ||\n\t\t\t\tauth.split(\" \")[1] !== expectedToken\n\t\t\t) {\n\t\t\t\tlog.info(\n\t\t\t\t\t\"[LIOP-StreamBridge] ALERT: Access denied - Invalid Zero-Trust token.\",\n\t\t\t\t);\n\t\t\t\treturn c.json(\n\t\t\t\t\t{ error: \"Unauthorized: LIOP Zero-Trust Policy Enforced\" },\n\t\t\t\t\t401,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tawait next();\n\t\t});\n\n\t\t// Multi-Session Streamable HTTP Handler\n\t\tthis.app.all(\"/mcp\", async (c) => {\n\t\t\tconst sessionId = c.req.header(\"mcp-session-id\");\n\n\t\t\t// Route to existing session if session ID is present\n\t\t\tif (sessionId) {\n\t\t\t\tconst existing = this.activeSessions.get(sessionId);\n\t\t\t\tif (!existing) {\n\t\t\t\t\treturn c.json({ error: \"Session not found\" }, 404);\n\t\t\t\t}\n\t\t\t\t// Touch activity on every routed request\n\t\t\t\texisting.lastActivity = Date.now();\n\n\t\t\t\tconst response = await existing.transport.handleRequest(c.req.raw);\n\n\t\t\t\t// If DELETE, the transport closes internally but onclose may not fire.\n\t\t\t\t// Explicitly clean up the session from the Map.\n\t\t\t\tif (c.req.method === \"DELETE\") {\n\t\t\t\t\tthis.activeSessions.delete(sessionId);\n\t\t\t\t\tlog.info(`[LIOP-StreamBridge] Session closed (DELETE): ${sessionId}`);\n\t\t\t\t}\n\n\t\t\t\treturn response;\n\t\t\t}\n\n\t\t\t// No session ID → New client initializing.\n\t\t\t// Rate-limit: enforce max sessions per IP\n\t\t\tconst clientIp = this.getClientIp(c);\n\t\t\tconst currentSessions = this.countSessionsByIp(clientIp);\n\t\t\tif (currentSessions >= this.maxSessionsPerIp) {\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-StreamBridge] Rate limit hit for IP: ${clientIp} (${currentSessions} sessions)`,\n\t\t\t\t);\n\t\t\t\treturn c.json({ error: \"Too Many Sessions: Rate limit exceeded\" }, 429);\n\t\t\t}\n\n\t\t\tconst transport = await this.createSessionTransport(clientIp);\n\t\t\treturn await transport.handleRequest(c.req.raw);\n\t\t});\n\t}\n\n\t/**\n\t * Starts the LiopStreamBridge HTTP server and session eviction timer.\n\t */\n\tpublic async start(port?: number): Promise<void> {\n\t\tconst listenPort = port ?? this.options.port ?? 3000;\n\n\t\t// Start the idle session eviction timer\n\t\tthis.evictionTimer = setInterval(\n\t\t\t() => this.evictIdleSessions(),\n\t\t\tEVICTION_INTERVAL_MS,\n\t\t);\n\n\t\treturn new Promise((resolve) => {\n\t\t\tthis.httpServer = serve(\n\t\t\t\t{\n\t\t\t\t\tfetch: this.app.fetch,\n\t\t\t\t\tport: listenPort,\n\t\t\t\t},\n\t\t\t\t(info) => {\n\t\t\t\t\tlog.info(\n\t\t\t\t\t\t`[LIOP-StreamBridge] Streamable HTTP Gateway on http://localhost:${info.port}/mcp`,\n\t\t\t\t\t);\n\t\t\t\t\tresolve();\n\t\t\t\t},\n\t\t\t);\n\t\t});\n\t}\n\n\t/**\n\t * Graceful shutdown — closes all active sessions, stops timers, and releases port.\n\t */\n\tpublic async stop(): Promise<void> {\n\t\tif (this.evictionTimer) {\n\t\t\tclearInterval(this.evictionTimer);\n\t\t\tthis.evictionTimer = null;\n\t\t}\n\n\t\tfor (const [id, entry] of this.activeSessions) {\n\t\t\tawait entry.transport.close();\n\t\t\tthis.activeSessions.delete(id);\n\t\t}\n\n\t\tif (this.httpServer) {\n\t\t\tthis.httpServer.close();\n\t\t\tlog.info(\"[LIOP-StreamBridge] HTTP ports released.\");\n\t\t}\n\t}\n}\n","import type { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\nimport type { LiopServer, LiopServerOptions } from \"../server/index.js\";\nimport type { CallToolRequest, CallToolResult } from \"../types.js\";\nimport { log } from \"../utils/logger.js\";\n\nexport interface LiopBridgeOptions {\n\tpublishToMesh?: boolean;\n\tmeshIdentity?: string;\n\tserverInfo?: {\n\t\tname: string;\n\t\tversion: string;\n\t};\n\tsecurity?: LiopServerOptions[\"security\"];\n}\n\n/**\n * LIOP MCP Bridge\n * A bi-directional bridge that allows legacy MCP servers to join the LIOP mesh,\n * or exposes a LIOP server as an MCP-compatible stdio process for tools like Claude Desktop.\n */\nexport class LiopMcpBridge {\n\tprivate liopServer: LiopServer | null = null;\n\tprivate legacyMcpServer: McpServer | null = null;\n\tconstructor(\n\t\t// biome-ignore lint/suspicious/noExplicitAny: polymorphic source detection\n\t\tsource: LiopServer | McpServer | any,\n\t\tprivate options: LiopBridgeOptions = {},\n\t) {\n\t\t// Determine mode: Exposing LIOP to MCP (Claude) or Wrapping MCP to LIOP (Mesh)\n\t\t// We use constructor name check to avoid hard dependency on optional SDK at runtime start\n\t\tif (source?.constructor?.name === \"LiopServer\") {\n\t\t\tthis.liopServer = source as LiopServer;\n\t\t\tlog.info(\"[LIOP-Bridge] Mode: EXPOSE (LIOP -> MCP Stdio)\");\n\t\t} else if (source?.constructor?.name === \"McpServer\") {\n\t\t\tthis.legacyMcpServer = source as McpServer;\n\t\t\tlog.info(\"[LIOP-Bridge] Mode: WRAP (Legacy MCP -> LIOP Mesh)\");\n\t\t} else {\n\t\t\t// Fallback for inferred legacy MCP servers\n\t\t\tthis.legacyMcpServer = source as McpServer;\n\t\t\tlog.info(\"[LIOP-Bridge] Mode: WRAP (Inferred Legacy MCP -> LIOP Mesh)\");\n\t\t}\n\t}\n\n\t/**\n\t * Handles an incoming standard MCP JSON-RPC 2.0 payload.\n\t * Pipes it to the underlying server (LIOP or Legacy MCP).\n\t */\n\tpublic async handleJsonRpcRequest(\n\t\tpayload: Record<string, unknown>,\n\t): Promise<unknown> {\n\t\tconst id = payload.id as string | number;\n\t\tconst method = payload.method as string;\n\t\tconst params = payload.params as Record<string, unknown> | undefined;\n\n\t\tif (payload.jsonrpc !== \"2.0\") {\n\t\t\treturn this.errorResponse(id, -32600, \"Invalid Request\");\n\t\t}\n\n\t\t// Mode: EXPOSE (Standard behavior used by Claude Desktop)\n\t\tif (this.liopServer) {\n\t\t\treturn this.handleLiopToMcp(id, method, params);\n\t\t}\n\n\t\t// Mode: WRAP (Redirecting via internal LiopServer after connect())\n\t\tif (this.legacyMcpServer && this.liopServer) {\n\t\t\treturn this.handleLiopToMcp(id, method, params);\n\t\t}\n\n\t\treturn this.errorResponse(id, -32601, \"Bridge source not configured\");\n\t}\n\n\tprivate async handleLiopToMcp(\n\t\tid: string | number,\n\t\tmethod: string,\n\t\tparams: Record<string, unknown> | undefined,\n\t): Promise<unknown> {\n\t\tif (!this.liopServer) return null;\n\n\t\tif (method === \"initialize\") {\n\t\t\treturn this.successResponse(id, {\n\t\t\t\tprotocolVersion: \"2025-11-25\",\n\t\t\t\tcapabilities: {\n\t\t\t\t\tprompts: {},\n\t\t\t\t\tresources: {},\n\t\t\t\t\ttools: {},\n\t\t\t\t},\n\t\t\t\tserverInfo: this.liopServer.getServerInfo(),\n\t\t\t});\n\t\t}\n\n\t\tif (method === \"notifications/initialized\") return undefined;\n\t\tif (method === \"ping\") return this.successResponse(id, {});\n\n\t\tif (method === \"tools/list\") {\n\t\t\tconst tools = this.liopServer.listTools();\n\t\t\treturn this.successResponse(id, { tools });\n\t\t}\n\n\t\tif (method === \"resources/list\") {\n\t\t\tconst resources = this.liopServer.listResources();\n\t\t\treturn this.successResponse(id, { resources });\n\t\t}\n\n\t\tif (method === \"prompts/list\") {\n\t\t\tconst prompts = this.liopServer.listPrompts();\n\t\t\treturn this.successResponse(id, { prompts });\n\t\t}\n\n\t\tif (method === \"prompts/get\") {\n\t\t\tif (!params?.name) {\n\t\t\t\treturn this.errorResponse(id, -32602, \"Missing prompt name\");\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tconst result = await this.liopServer.getPrompt({\n\t\t\t\t\tname: params.name as string,\n\t\t\t\t\targuments: params.arguments as Record<string, string> | undefined,\n\t\t\t\t});\n\t\t\t\treturn this.successResponse(id, result);\n\t\t\t} catch (err: unknown) {\n\t\t\t\treturn this.errorResponse(id, -32000, (err as Error).message);\n\t\t\t}\n\t\t}\n\n\t\tif (method === \"resources/read\") {\n\t\t\tif (!params?.uri) {\n\t\t\t\treturn this.errorResponse(id, -32602, \"Missing resource URI\");\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tconst result = await this.liopServer.readResource(params.uri as string);\n\t\t\t\treturn this.successResponse(id, result);\n\t\t\t} catch (err: unknown) {\n\t\t\t\treturn this.errorResponse(id, -32000, (err as Error).message);\n\t\t\t}\n\t\t}\n\n\t\tif (method === \"tools/call\") {\n\t\t\tif (!params?.name) {\n\t\t\t\treturn this.errorResponse(id, -32602, \"Missing tool name\");\n\t\t\t}\n\t\t\tconst request: CallToolRequest = {\n\t\t\t\tname: params.name as string,\n\t\t\t\targuments: (params.arguments as Record<string, unknown>) || {},\n\t\t\t};\n\n\t\t\ttry {\n\t\t\t\tconst result: CallToolResult = await this.liopServer.callTool(request);\n\t\t\t\t// If the tool execution returned an error (e.g. policy violation), we bypass\n\t\t\t\t// ZK-Receipt verification because no cryptographic proof is generated for errors.\n\t\t\t\tconst isVerified = result.isError\n\t\t\t\t\t? true\n\t\t\t\t\t: await this.verifyZkReceipt(request, result);\n\n\t\t\t\tif (!isVerified) {\n\t\t\t\t\treturn this.successResponse(id, {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: \"ALERT [LIOP ZERO-TRUST SHIELD] ZK Verification Failed. The mathematical ImageID does not match the original payload.\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t});\n\t\t\t\t}\n\n\t\t\t\treturn this.successResponse(id, result);\n\t\t\t} catch (err: unknown) {\n\t\t\t\treturn this.errorResponse(id, -32000, (err as Error).message);\n\t\t\t}\n\t\t}\n\n\t\treturn this.errorResponse(id, -32601, \"Method not found\");\n\t}\n\n\tprivate successResponse(\n\t\tid: string | number | null | undefined,\n\t\tresult: unknown,\n\t) {\n\t\treturn { jsonrpc: \"2.0\", id, result };\n\t}\n\n\tprivate errorResponse(id: string | number, code: number, message: string) {\n\t\treturn { jsonrpc: \"2.0\", id, error: { code, message } };\n\t}\n\n\tprivate async verifyZkReceipt(\n\t\trequest: CallToolRequest,\n\t\tresult: CallToolResult,\n\t): Promise<boolean> {\n\t\tif (\n\t\t\t!request.arguments?.payload ||\n\t\t\ttypeof request.arguments.payload !== \"string\"\n\t\t) {\n\t\t\treturn true;\n\t\t}\n\n\t\ttry {\n\t\t\tconst payload = request.arguments.payload as string;\n\t\t\tconst contentText = result.content[0]?.text;\n\n\t\t\tif (contentText && typeof contentText === \"string\") {\n\t\t\t\ttry {\n\t\t\t\t\tconst data = JSON.parse(contentText);\n\n\t\t\t\t\tif (data.image_id || data.zk_receipt) {\n\t\t\t\t\t\t// 1. Instantiate the Industrial Verifier ( backed by Piscina Worker Pool )\n\t\t\t\t\t\tconst { LiopVerifier } = await import(\"../crypto/verifier.js\");\n\t\t\t\t\t\tconst verifier = new LiopVerifier();\n\n\t\t\t\t\t\t// 2. Delegate the heavy mathematical check (ZK Journal + Seal)\n\t\t\t\t\t\tconst isAuthentic = await verifier.verifyZkReceipt(\n\t\t\t\t\t\t\tBuffer.from(payload, \"utf-8\"),\n\t\t\t\t\t\t\tdata.image_id,\n\t\t\t\t\t\t\tBuffer.from(data.zk_receipt || \"\", \"base64\"),\n\t\t\t\t\t\t);\n\n\t\t\t\t\t\tif (!isAuthentic) {\n\t\t\t\t\t\t\treturn false;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tdata.audit_status =\n\t\t\t\t\t\t\t\"VERIFIED: ZK-Receipt & ImageID Mathematically Verified by LiopMcpBridge\";\n\t\t\t\t\t\tresult.content[0].text = JSON.stringify(data);\n\t\t\t\t\t}\n\t\t\t\t} catch {\n\t\t\t\t\t// Output not JSON\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn true;\n\t\t} catch (e) {\n\t\t\tlog.info(\"[LIOP-Bridge] ZK-Verifier Failure:\", e);\n\t\t\treturn false;\n\t\t}\n\t}\n\n\t/**\n\t * Connects the bridge via stdio or Mesh depending on mode.\n\t */\n\tpublic async connect(): Promise<void> {\n\t\t// In WRAP mode, we actually need to create a LiopServer and join the mesh\n\t\tif (this.legacyMcpServer) {\n\t\t\tconst { LiopServer } = await import(\"../server/index.js\");\n\t\t\tthis.liopServer = new LiopServer(\n\t\t\t\tthis.options.serverInfo || {\n\t\t\t\t\tname: \"liop-bridge\",\n\t\t\t\t\tversion: \"1.0.0\",\n\t\t\t\t},\n\t\t\t\t{ security: this.options.security },\n\t\t\t);\n\n\t\t\tif (this.options.publishToMesh) {\n\t\t\t\tawait this.liopServer.connect();\n\n\t\t\t\t// Automatically Bridge Legacy Capabilities to LIOP Mesh\n\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Internal legacy MCP properties are completely opaque and unexported\n\t\t\t\tconst legacy = this.legacyMcpServer as any;\n\n\t\t\t\t// 1. Sync Tools\n\t\t\t\tif (legacy._registeredTools) {\n\t\t\t\t\tfor (const [name, tool] of Object.entries(legacy._registeredTools)) {\n\t\t\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Opaque legacy structure\n\t\t\t\t\t\tconst t = tool as any;\n\t\t\t\t\t\tthis.liopServer.tool(\n\t\t\t\t\t\t\tname,\n\t\t\t\t\t\t\tt.description || \"\",\n\t\t\t\t\t\t\tt.inputSchema || {},\n\t\t\t\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Opaque legacy callback args\n\t\t\t\t\t\t\tasync (args: any) => {\n\t\t\t\t\t\t\t\treturn await t.handler(args);\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// 2. Sync Resources\n\t\t\t\tif (legacy._registeredResources) {\n\t\t\t\t\tfor (const [uri, resource] of Object.entries(\n\t\t\t\t\t\tlegacy._registeredResources,\n\t\t\t\t\t)) {\n\t\t\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Opaque legacy structure\n\t\t\t\t\t\tconst r = resource as any;\n\t\t\t\t\t\tthis.liopServer.resource(\n\t\t\t\t\t\t\tr.name,\n\t\t\t\t\t\t\turi,\n\t\t\t\t\t\t\tr.metadata?.description || \"\",\n\t\t\t\t\t\t\tr.metadata?.mimeType || \"application/octet-stream\",\n\t\t\t\t\t\t\tasync () => {\n\t\t\t\t\t\t\t\tconst res = await r.readCallback(new URL(uri));\n\t\t\t\t\t\t\t\treturn res.contents[0].text;\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn;\n\t\t}\n\n\t\t// In EXPOSE mode, listen to stdio (Claude Desktop)\n\t\tconst readline = await import(\"node:readline\");\n\t\tconst rl = readline.createInterface({\n\t\t\tinput: process.stdin,\n\t\t\toutput: process.stdout,\n\t\t\tterminal: false,\n\t\t});\n\n\t\tconst shutdown = async () => {\n\t\t\tlog.info(\"[LIOP-Bridge] Disconnecting session...\");\n\t\t\tif (this.liopServer) await this.liopServer.close();\n\t\t\tprocess.exit(0);\n\t\t};\n\n\t\trl.on(\"close\", shutdown);\n\t\tprocess.on(\"SIGINT\", shutdown);\n\t\tprocess.on(\"SIGTERM\", shutdown);\n\n\t\trl.on(\"line\", async (line) => {\n\t\t\tif (!line.trim()) return;\n\t\t\ttry {\n\t\t\t\tconst payload = JSON.parse(line);\n\t\t\t\tconst response = await this.handleJsonRpcRequest(payload);\n\t\t\t\tif (response) {\n\t\t\t\t\tprocess.stdout.write(`${JSON.stringify(response)}\\n`);\n\t\t\t\t}\n\t\t\t} catch (e: unknown) {\n\t\t\t\tlog.error(`[LIOP-Bridge] Error: ${(e as Error).message}`);\n\t\t\t}\n\t\t});\n\t}\n}\n\nexport * from \"./stream.js\";\n"]}
package/dist/chunk-SW53FNSN.js ADDED
@@ -0,0 +1,2 @@
1
+ import {b}from'./chunk-ANFXJGMP.js';import {a as a$1}from'./chunk-S6RJHZV2.js';import*as u from'fs';import {createRequire}from'module';import a from'path';import {fileURLToPath,pathToFileURL}from'url';import {Piscina}from'piscina';var h=fileURLToPath(import.meta.url),m=a.dirname(h),c=class s{static zkWorkerPool=null;getZkPool(){if(!s.zkWorkerPool){let r=import.meta.url.endsWith(".ts"),i=r?".ts":".js",t=[];if(r)try{let p=createRequire(import.meta.url).resolve("tsx/package.json");t=["--import",pathToFileURL(a.join(a.dirname(p),"dist","loader.mjs")).href];}catch{t=["--import","tsx"];}let n=[a.resolve(m,`./workers/zk-verifier${i}`),a.resolve(m,`../workers/zk-verifier${i}`)],f=n.find(e=>u.existsSync(e))||n[1];s.zkWorkerPool=new Piscina({filename:f,minThreads:1,maxThreads:2,idleTimeout:3e4,execArgv:t}),s.zkWorkerPool.run({action:"warmup"}).catch(e=>{a$1.debug(`[LiopVerifier] Verification pool warm-up ping failed: ${e.message}`);});}return s.zkWorkerPool}async verifyZkReceipt(r,i,t,n){let f=this.getZkPool();if(!f)throw new Error("Worker pool initialization failed");let e=await f.run({action:"verify_receipt",logicPayload:new Uint8Array(r),remoteImageIdHex:i,zkReceipt:new Uint8Array(t),sessionSecret:n?new Uint8Array(n):void 0});return e.verified?(a$1.info(`[LiopVerifier] ${e.message}`),true):(a$1.error(`[LiopVerifier] FAILED: ${e.message}`),false)}async verifyTeeAttestation(r){if(r.length===0)return true;try{return a$1.info("[LiopVerifier] TEE Attestation: Not configured (no-op)."),!0}catch(i){return a$1.error("[LiopVerifier] TEE Verification Failed:",i),false}}deriveImageId(r){return b(r)}};export{c as a};//# sourceMappingURL=chunk-SW53FNSN.js.map
2
+ //# sourceMappingURL=chunk-SW53FNSN.js.map
package/dist/chunk-SW53FNSN.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/crypto/verifier.ts"],"names":["__filename","fileURLToPath","__dirname","path","LiopVerifier","_LiopVerifier","isTS","workerExt","execArgv","tsxPkg","createRequire","pathToFileURL","workerPaths","workerFilename","p","Piscina","err","log","logicPayload","remoteImageIdHex","zkReceipt","sessionSecret","pool","result","attestationReport","deriveLogicImageDigest"],"mappings":"uOAQA,IAAMA,CAAAA,CAAaC,aAAAA,CAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAA,CAC1CC,CAAAA,CAAYC,CAAAA,CAAK,OAAA,CAAQH,CAAU,EAS5BI,CAAAA,CAAN,MAAMC,CAAa,CAEzB,OAAe,YAAA,CAA+B,IAAA,CAEtC,SAAA,EAAY,CACnB,GAAI,CAACA,CAAAA,CAAa,YAAA,CAAc,CAC/B,IAAMC,CAAAA,CAAO,YAAY,GAAA,CAAI,QAAA,CAAS,KAAK,CAAA,CACrCC,CAAAA,CAAYD,CAAAA,CAAO,KAAA,CAAQ,KAAA,CAE7BE,EAAqB,EAAC,CAC1B,GAAIF,CAAAA,CACH,GAAI,CAEH,IAAMG,CAAAA,CADMC,cAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAA,CACtB,OAAA,CAAQ,kBAAkB,CAAA,CAI7CF,CAAAA,CAAW,CAAC,UAAA,CAHQG,aAAAA,CACnBR,CAAAA,CAAK,IAAA,CAAKA,CAAAA,CAAK,OAAA,CAAQM,CAAM,CAAA,CAAG,OAAQ,YAAY,CACrD,CAAA,CAAE,IACiC,EACpC,CAAA,KAAa,CACZD,CAAAA,CAAW,CAAC,UAAA,CAAY,KAAK,EAC9B,CAID,IAAMI,CAAAA,CAAc,CACnBT,EAAK,OAAA,CAAQD,CAAAA,CAAW,CAAA,qBAAA,EAAwBK,CAAS,CAAA,CAAE,CAAA,CAC3DJ,CAAAA,CAAK,OAAA,CAAQD,CAAAA,CAAW,CAAA,sBAAA,EAAyBK,CAAS,CAAA,CAAE,CAC7D,CAAA,CAEMM,CAAAA,CACLD,CAAAA,CAAY,KAAME,CAAAA,EAAS,CAAA,CAAA,UAAA,CAAWA,CAAC,CAAC,CAAA,EAAKF,CAAAA,CAAY,CAAC,CAAA,CAE3DP,EAAa,YAAA,CAAe,IAAIU,OAAAA,CAAQ,CACvC,QAAA,CAAUF,CAAAA,CACV,UAAA,CAAY,CAAA,CACZ,WAAY,CAAA,CACZ,WAAA,CAAa,GAAA,CACb,QAAA,CAAAL,CACD,CAAC,CAAA,CAGDH,CAAAA,CAAa,YAAA,CAAa,GAAA,CAAI,CAAE,MAAA,CAAQ,QAAS,CAAC,CAAA,CAAE,KAAA,CAAOW,GAAQ,CAClEC,GAAAA,CAAI,KAAA,CACH,CAAA,sDAAA,EAAyDD,CAAAA,CAAI,OAAO,CAAA,CACrE,EACD,CAAC,EACF,CACA,OAAOX,CAAAA,CAAa,YACrB,CASA,MAAa,gBACZa,CAAAA,CACAC,CAAAA,CACAC,CAAAA,CACAC,CAAAA,CACmB,CACnB,IAAMC,CAAAA,CAAO,IAAA,CAAK,SAAA,EAAU,CAC5B,GAAI,CAACA,CAAAA,CAAM,MAAM,IAAI,KAAA,CAAM,mCAAmC,CAAA,CAC9D,IAAMC,CAAAA,CAAS,MAAMD,CAAAA,CAAK,GAAA,CAAI,CAC7B,MAAA,CAAQ,iBACR,YAAA,CAAc,IAAI,UAAA,CAAWJ,CAAY,CAAA,CACzC,gBAAA,CAAAC,CAAAA,CACA,SAAA,CAAW,IAAI,UAAA,CAAWC,CAAS,CAAA,CACnC,aAAA,CAAeC,CAAAA,CAAgB,IAAI,UAAA,CAAWA,CAAa,CAAA,CAAI,MAChE,CAAC,CAAA,CAED,OAAIE,CAAAA,CAAO,QAAA,EACVN,GAAAA,CAAI,KAAK,CAAA,eAAA,EAAkBM,CAAAA,CAAO,OAAO,CAAA,CAAE,CAAA,CACpC,IAAA,GAGRN,GAAAA,CAAI,KAAA,CAAM,CAAA,uBAAA,EAA0BM,CAAAA,CAAO,OAAO,CAAA,CAAE,CAAA,CAC7C,KAAA,CACR,CAOA,MAAa,qBACZC,CAAAA,CACmB,CACnB,GAAIA,CAAAA,CAAkB,MAAA,GAAW,CAAA,CAAG,OAAO,KAAA,CAE3C,GAAI,CAKH,OAAAP,GAAAA,CAAI,IAAA,CAAK,yDAAyD,CAAA,CAC3D,CAAA,CACR,OAASD,CAAAA,CAAK,CACb,OAAAC,GAAAA,CAAI,KAAA,CAAM,yCAAA,CAA2CD,CAAG,CAAA,CACjD,KACR,CACD,CAKO,aAAA,CAAcE,CAAAA,CAA8B,CAClD,OAAOO,CAAAA,CAAuBP,CAAY,CAC3C,CACD","file":"chunk-SW53FNSN.js","sourcesContent":["import * as fs from \"node:fs\";\nimport { createRequire } from \"node:module\";\nimport path from \"node:path\";\nimport { fileURLToPath, pathToFileURL } from \"node:url\";\nimport { Piscina } from \"piscina\";\nimport { log } from \"../utils/logger.js\";\nimport { deriveLogicImageDigest } from \"./logic-image-id.js\";\n\nconst __filename = fileURLToPath(import.meta.url);\nconst __dirname = path.dirname(__filename);\n\n/**\n * LIOP Tier-0 Industrial Verifier\n *\n * This engine is responsible for the trustless verification of remote logic execution.\n * It validates both the integrity of the code (ZkImageID) and the mathematical proof\n * of its execution (ZkSeal), as well as hardware-level attestation (TEE).\n */\nexport class LiopVerifier {\n\t// Singleton Worker Pool for heavy ZK verification\n\tprivate static zkWorkerPool: Piscina | null = null;\n\n\tprivate getZkPool() {\n\t\tif (!LiopVerifier.zkWorkerPool) {\n\t\t\tconst isTS = import.meta.url.endsWith(\".ts\");\n\t\t\tconst workerExt = isTS ? \".ts\" : \".js\";\n\n\t\t\tlet execArgv: string[] = [];\n\t\t\tif (isTS) {\n\t\t\t\ttry {\n\t\t\t\t\tconst req = createRequire(import.meta.url);\n\t\t\t\t\tconst tsxPkg = req.resolve(\"tsx/package.json\");\n\t\t\t\t\tconst absoluteTsx = pathToFileURL(\n\t\t\t\t\t\tpath.join(path.dirname(tsxPkg), \"dist\", \"loader.mjs\"),\n\t\t\t\t\t).href;\n\t\t\t\t\texecArgv = [\"--import\", absoluteTsx];\n\t\t\t\t} catch (_e) {\n\t\t\t\t\texecArgv = [\"--import\", \"tsx\"];\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Support both flat dist/ and original src/ structure\n\t\t\tconst workerPaths = [\n\t\t\t\tpath.resolve(__dirname, `./workers/zk-verifier${workerExt}`), // Flat dist/ (tsup)\n\t\t\t\tpath.resolve(__dirname, `../workers/zk-verifier${workerExt}`), // Original src/\n\t\t\t];\n\n\t\t\tconst workerFilename =\n\t\t\t\tworkerPaths.find((p) => fs.existsSync(p)) || workerPaths[1];\n\n\t\t\tLiopVerifier.zkWorkerPool = new Piscina({\n\t\t\t\tfilename: workerFilename,\n\t\t\t\tminThreads: 1,\n\t\t\t\tmaxThreads: 2, // Minimal footprint since verification is fast compared to generation\n\t\t\t\tidleTimeout: 30000,\n\t\t\t\texecArgv,\n\t\t\t});\n\n\t\t\t// Pre-warm the verification worker\n\t\t\tLiopVerifier.zkWorkerPool.run({ action: \"warmup\" }).catch((err) => {\n\t\t\t\tlog.debug(\n\t\t\t\t\t`[LiopVerifier] Verification pool warm-up ping failed: ${err.message}`,\n\t\t\t\t);\n\t\t\t});\n\t\t}\n\t\treturn LiopVerifier.zkWorkerPool;\n\t}\n\n\t/**\n\t * Verifies a Zero-Knowledge Receipt from a remote LIOP node via Worker Pool.\n\t *\n\t * @param logicPayload The raw WASM or JS logic that was sent to the provider.\n\t * @param remoteImageIdHex The ImageID reported by the provider (must match our local calculation).\n\t * @param zkReceipt The mathematical proof (Seal + Journal) from the zkVM.\n\t */\n\tpublic async verifyZkReceipt(\n\t\tlogicPayload: Buffer,\n\t\tremoteImageIdHex: string,\n\t\tzkReceipt: Buffer,\n\t\tsessionSecret?: Buffer,\n\t): Promise<boolean> {\n\t\tconst pool = this.getZkPool();\n\t\tif (!pool) throw new Error(\"Worker pool initialization failed\");\n\t\tconst result = await pool.run({\n\t\t\taction: \"verify_receipt\",\n\t\t\tlogicPayload: new Uint8Array(logicPayload),\n\t\t\tremoteImageIdHex,\n\t\t\tzkReceipt: new Uint8Array(zkReceipt),\n\t\t\tsessionSecret: sessionSecret ? new Uint8Array(sessionSecret) : undefined,\n\t\t});\n\n\t\tif (result.verified) {\n\t\t\tlog.info(`[LiopVerifier] ${result.message}`);\n\t\t\treturn true;\n\t\t}\n\n\t\tlog.error(`[LiopVerifier] FAILED: ${result.message}`);\n\t\treturn false;\n\t}\n\n\t/**\n\t * Verifies if a node is running inside an authenticated TEE (e.g. AWS Nitro).\n\t *\n\t * @param attestationReport The COSE-signed attestation document from the hardware.\n\t */\n\tpublic async verifyTeeAttestation(\n\t\tattestationReport: Buffer,\n\t): Promise<boolean> {\n\t\tif (attestationReport.length === 0) return true; // Optional in Mesh Alpha\n\n\t\ttry {\n\t\t\t// Architecture for AWS Nitro Enclaves:\n\t\t\t// 1. Decode CBOR/COSE\n\t\t\t// 2. Verify Signature against AWS Nitro Root CA\n\t\t\t// 3. Compare PCRs\n\t\t\tlog.info(\"[LiopVerifier] TEE Attestation: Not configured (no-op).\");\n\t\t\treturn true;\n\t\t} catch (err) {\n\t\t\tlog.error(\"[LiopVerifier] TEE Verification Failed:\", err);\n\t\t\treturn false;\n\t\t}\n\t}\n\n\t/**\n\t * Derives the ImageID of a logic payload following the LIOP v1 Standard.\n\t */\n\tpublic deriveImageId(logicPayload: Buffer): Buffer {\n\t\treturn deriveLogicImageDigest(logicPayload);\n\t}\n}\n"]}
package/dist/{chunk-ALLOYPMN.js → chunk-YTIMVS2I.js} RENAMED
@@ -1,4 +1,4 @@
1
- import {g}from'./chunk-LJQF6ULT.js';import {a}from'./chunk-S6RJHZV2.js';import*as d from'http';import*as c from'http2';import*as l from'net';var h=class{constructor(e,r=null,o=50051){this.liopServer=e;this.meshNode=r;this.router=new g(this.liopServer,this.meshNode,o),this.h2Server=c.createServer(),this.setupH2Routes(),this.h1Server=d.createServer(),this.setupH1Routes(),this.netServer=l.createServer(t=>{t.once("data",n=>{let s=n.toString().startsWith("PRI * HTTP/2.0");a.info(`[LIOP-Gateway] Incoming L4 Connection. Protocol: ${s?"HTTP/2 (gRPC)":"HTTP/1.1 (MCP)"}`),s?this.h2Server.emit("connection",t):this.h1Server.emit("connection",t),t.unshift(n);}),t.on("error",n=>a.error(`[LIOP-Gateway] NetServer Socket Error: ${n.message}`));}),this.h1Server.on("error",t=>a.error(`[LIOP-Gateway] H1 Server Error: ${t.message}`)),this.h2Server.on("error",t=>a.error(`[LIOP-Gateway] H2 Server Error: ${t.message}`)),a.info("[LIOP-Gateway] Hybrid adapter initialized.");}netServer;h2Server;h1Server;router;setupH2Routes(){this.h2Server.on("stream",(e,r)=>{let o=r["content-type"],t=r[":path"];o==="application/grpc"?this.handleGrpcStream(e):t==="/mcp"&&this.handleMcpH2Stream(e,r);});}setupH1Routes(){this.h1Server.on("request",async(e,r)=>{let o=e.url||"",t=e.method;if(t==="GET"&&(o==="/"||o==="/mcp"||o==="/health")){if(o==="/health"&&e.headers.accept?.includes("application/json")){let n=this.meshNode?{peerId:this.meshNode.getPeerId()?.toString()||"",multiaddrs:this.meshNode.getMultiaddrs().map(s=>s.toString())}:null;r.writeHead(200,{"Content-Type":"application/json"}),r.end(JSON.stringify({status:"healthy",node:this.liopServer.getServerInfo(),mesh:n,tools:this.liopServer.listTools().map(s=>s.name),timestamp:new Date().toISOString()}));return}r.writeHead(200,{"Content-Type":"text/html; charset=utf-8"}),r.end(`
1
+ import {g}from'./chunk-GFRRQ2EB.js';import {a}from'./chunk-S6RJHZV2.js';import*as d from'http';import*as c from'http2';import*as l from'net';var h=class{constructor(e,r=null,o=50051){this.liopServer=e;this.meshNode=r;this.router=new g(this.liopServer,this.meshNode,o),this.h2Server=c.createServer(),this.setupH2Routes(),this.h1Server=d.createServer(),this.setupH1Routes(),this.netServer=l.createServer(t=>{t.once("data",n=>{let s=n.toString().startsWith("PRI * HTTP/2.0");a.info(`[LIOP-Gateway] Incoming L4 Connection. Protocol: ${s?"HTTP/2 (gRPC)":"HTTP/1.1 (MCP)"}`),s?this.h2Server.emit("connection",t):this.h1Server.emit("connection",t),t.unshift(n);}),t.on("error",n=>a.error(`[LIOP-Gateway] NetServer Socket Error: ${n.message}`));}),this.h1Server.on("error",t=>a.error(`[LIOP-Gateway] H1 Server Error: ${t.message}`)),this.h2Server.on("error",t=>a.error(`[LIOP-Gateway] H2 Server Error: ${t.message}`)),a.info("[LIOP-Gateway] Hybrid adapter initialized.");}netServer;h2Server;h1Server;router;setupH2Routes(){this.h2Server.on("stream",(e,r)=>{let o=r["content-type"],t=r[":path"];o==="application/grpc"?this.handleGrpcStream(e):t==="/mcp"&&this.handleMcpH2Stream(e,r);});}setupH1Routes(){this.h1Server.on("request",async(e,r)=>{let o=e.url||"",t=e.method;if(t==="GET"&&(o==="/"||o==="/mcp"||o==="/health")){if(o==="/health"&&e.headers.accept?.includes("application/json")){let n=this.meshNode?{peerId:this.meshNode.getPeerId()?.toString()||"",multiaddrs:this.meshNode.getMultiaddrs().map(s=>s.toString())}:null;r.writeHead(200,{"Content-Type":"application/json"}),r.end(JSON.stringify({status:"healthy",node:this.liopServer.getServerInfo(),mesh:n,tools:this.liopServer.listTools().map(s=>s.name),timestamp:new Date().toISOString()}));return}r.writeHead(200,{"Content-Type":"text/html; charset=utf-8"}),r.end(`
2
2
  <body style="background:#0f172a;color:#f8fafc;font-family:sans-serif;display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;margin:0">
3
3
  <div style="background:#1e293b;padding:40px;border-radius:16px;border:1px solid #38bdf8;text-align:center;box-shadow:0 20px 25px -5px rgba(0,0,0,0.1)">
4
4
  <h1 style="color:#38bdf8;margin-top:0">LIOP Protocol Transformer</h1>
@@ -9,5 +9,5 @@ import {g}from'./chunk-LJQF6ULT.js';import {a}from'./chunk-S6RJHZV2.js';import*a
9
9
  </div>
10
10
  </div>
11
11
  </body>
12
- `);return}if(o==="/mcp"&&t==="POST"){let n="";e.on("data",s=>n+=s.toString()),e.on("end",async()=>{try{let s=JSON.parse(n),a=await this.router.dispatch(s);r.writeHead(200,{"Content-Type":"application/json"}),r.end(JSON.stringify(a));}catch(s){a.info(`[LIOP-Gateway] Error processing JSON-RPC payload: ${s.message}`),r.writeHead(400),r.end(JSON.stringify({jsonrpc:"2.0",error:{code:-32700,message:"Parse error"}}));}});}else r.writeHead(404),r.end("Not Found");});}handleGrpcStream(e){e.on("data",r=>{let o=r;o&&a.info(`[LIOP-Gateway] Native gRPC Proxy passing ${o.length} bytes`);}),e.respond({":status":200,"content-type":"application/grpc"}),e.end();}handleMcpH2Stream(e,r){let o="";e.on("data",t=>o+=t.toString()),e.on("end",async()=>{try{let t=await this.router.dispatch(JSON.parse(o));t?(e.respond({":status":200,"content-type":"application/json"}),e.end(JSON.stringify(t))):e.close();}catch{e.respond({":status":400}),e.end();}});}async listen(e,r="0.0.0.0"){if(this.meshNode){await this.meshNode.start();let o=this.liopServer.listTools();for(let t of o)await this.meshNode.announceCapability(t.name),a.info(`[LIOP-Gateway] \u{1F4E1} Announced local tool to Mesh: ${t.name}`);}return new Promise((o,t)=>{this.netServer.on("error",n=>{n.code==="EADDRINUSE"?a.info(`[LIOP-Gateway] FATAL: Port ${e} is already in use by another process.`):a.error(`[LIOP-Gateway] Binding Error: ${n.message}`),t(n);}),this.netServer.listen(e,r,()=>{let n=this.netServer.address(),s=typeof n=="string"?n:n?.address||r,a$1=typeof n=="string"?e:n?.port||e;a.info(`[LIOP-Gateway] \u2705 Transformer Mesh Gateway READY and listening on ${s}:${a$1}`),o(a$1);});})}async stop(){this.meshNode&&await this.meshNode.stop(),this.netServer.close(),this.h2Server.close(),this.h1Server.close();}getRouter(){return this.router}};export{h as a};//# sourceMappingURL=chunk-ALLOYPMN.js.map
13
- //# sourceMappingURL=chunk-ALLOYPMN.js.map
12
+ `);return}if(o==="/mcp"&&t==="POST"){let n="";e.on("data",s=>n+=s.toString()),e.on("end",async()=>{try{let s=JSON.parse(n),a=await this.router.dispatch(s);r.writeHead(200,{"Content-Type":"application/json"}),r.end(JSON.stringify(a));}catch(s){a.info(`[LIOP-Gateway] Error processing JSON-RPC payload: ${s.message}`),r.writeHead(400),r.end(JSON.stringify({jsonrpc:"2.0",error:{code:-32700,message:"Parse error"}}));}});}else r.writeHead(404),r.end("Not Found");});}handleGrpcStream(e){e.on("data",r=>{let o=r;o&&a.info(`[LIOP-Gateway] Native gRPC Proxy passing ${o.length} bytes`);}),e.respond({":status":200,"content-type":"application/grpc"}),e.end();}handleMcpH2Stream(e,r){let o="";e.on("data",t=>o+=t.toString()),e.on("end",async()=>{try{let t=await this.router.dispatch(JSON.parse(o));t?(e.respond({":status":200,"content-type":"application/json"}),e.end(JSON.stringify(t))):e.close();}catch{e.respond({":status":400}),e.end();}});}async listen(e,r="0.0.0.0"){if(this.meshNode){await this.meshNode.start();let o=this.liopServer.listTools();for(let t of o)await this.meshNode.announceCapability(t.name),a.info(`[LIOP-Gateway] \u{1F4E1} Announced local tool to Mesh: ${t.name}`);}return new Promise((o,t)=>{this.netServer.on("error",n=>{n.code==="EADDRINUSE"?a.info(`[LIOP-Gateway] FATAL: Port ${e} is already in use by another process.`):a.error(`[LIOP-Gateway] Binding Error: ${n.message}`),t(n);}),this.netServer.listen(e,r,()=>{let n=this.netServer.address(),s=typeof n=="string"?n:n?.address||r,a$1=typeof n=="string"?e:n?.port||e;a.info(`[LIOP-Gateway] \u2705 Transformer Mesh Gateway READY and listening on ${s}:${a$1}`),o(a$1);});})}async stop(){this.meshNode&&await this.meshNode.stop(),this.netServer.close(),this.h2Server.close(),this.h1Server.close();}getRouter(){return this.router}};export{h as a};//# sourceMappingURL=chunk-YTIMVS2I.js.map
13
+ //# sourceMappingURL=chunk-YTIMVS2I.js.map
package/dist/{chunk-ALLOYPMN.js.map → chunk-YTIMVS2I.js.map} RENAMED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/gateway/hybrid.ts"],"names":["LiopHybridGateway","liopServer","meshNode","rpcPort","LiopMcpRouter","socket","buffer","isHttp2","log","err","stream","headers","contentType","path","req","res","url","method","meshInfo","m","t","body","chunk","jsonRequest","response","e","data","_headers","port","host","tools","tool","resolve","reject","addr","actualHost","assignedPort"],"mappings":"6IAYO,IAAMA,CAAAA,CAAN,KAAwB,CAM9B,WAAA,CACSC,EACAC,CAAAA,CAA4B,IAAA,CACpCC,CAAAA,CAAkB,KAAA,CACjB,CAHO,IAAA,CAAA,UAAA,CAAAF,CAAAA,CACA,IAAA,CAAA,QAAA,CAAAC,EAIR,IAAA,CAAK,MAAA,CAAS,IAAIE,CAAAA,CAAc,KAAK,UAAA,CAAY,IAAA,CAAK,QAAA,CAAUD,CAAO,EAGvE,IAAA,CAAK,QAAA,CAAiB,CAAA,CAAA,YAAA,EAAa,CACnC,IAAA,CAAK,aAAA,EAAc,CAGnB,IAAA,CAAK,SAAgB,CAAA,CAAA,YAAA,EAAa,CAClC,IAAA,CAAK,aAAA,EAAc,CAGnB,IAAA,CAAK,SAAA,CAAgB,CAAA,CAAA,YAAA,CAAcE,GAAW,CAC7CA,CAAAA,CAAO,IAAA,CAAK,MAAA,CAASC,CAAAA,EAAW,CAC/B,IAAMC,CAAAA,CAAUD,EAAO,QAAA,EAAS,CAAE,UAAA,CAAW,gBAAgB,EAC7DE,CAAAA,CAAI,IAAA,CACH,CAAA,iDAAA,EAAoDD,CAAAA,CAAU,gBAAkB,gBAAgB,CAAA,CACjG,CAAA,CACIA,CAAAA,CACH,IAAA,CAAK,QAAA,CAAS,IAAA,CAAK,YAAA,CAAcF,CAAM,CAAA,CAEvC,IAAA,CAAK,QAAA,CAAS,IAAA,CAAK,YAAA,CAAcA,CAAM,CAAA,CAExCA,CAAAA,CAAO,QAAQC,CAAM,EACtB,CAAC,CAAA,CACDD,CAAAA,CAAO,EAAA,CAAG,OAAA,CAAUI,CAAAA,EACnBD,EAAI,KAAA,CAAM,CAAA,uCAAA,EAA0CC,CAAAA,CAAI,OAAO,EAAE,CAClE,EACD,CAAC,CAAA,CAGD,KAAK,QAAA,CAAS,EAAA,CAAG,OAAA,CAAUA,CAAAA,EAC1BD,CAAAA,CAAI,KAAA,CAAM,CAAA,gCAAA,EAAmCC,CAAAA,CAAI,OAAO,CAAA,CAAE,CAC3D,CAAA,CACA,IAAA,CAAK,QAAA,CAAS,EAAA,CAAG,OAAA,CAAUA,CAAAA,EAC1BD,EAAI,KAAA,CAAM,CAAA,gCAAA,EAAmCC,CAAAA,CAAI,OAAO,CAAA,CAAE,CAC3D,CAAA,CAEAD,CAAAA,CAAI,KAAK,4CAA4C,EACtD,CAjDQ,SAAA,CACA,SACA,QAAA,CACA,MAAA,CAgDA,aAAA,EAAgB,CACvB,KAAK,QAAA,CAAS,EAAA,CAAG,QAAA,CAAU,CAACE,CAAAA,CAAQC,CAAAA,GAAY,CAC/C,IAAMC,EAAcD,CAAAA,CAAQ,cAAc,CAAA,CACpCE,CAAAA,CAAOF,CAAAA,CAAQ,OAAO,CAAA,CAExBC,CAAAA,GAAgB,mBACnB,IAAA,CAAK,gBAAA,CAAiBF,CAAiC,CAAA,CAC7CG,CAAAA,GAAS,MAAA,EACnB,IAAA,CAAK,iBAAA,CAAkBH,EAAmCC,CAAO,EAEnE,CAAC,EACF,CAEQ,aAAA,EAAgB,CACvB,IAAA,CAAK,QAAA,CAAS,GAAG,SAAA,CAAW,MAAOG,CAAAA,CAAKC,CAAAA,GAAQ,CAC/C,IAAMC,CAAAA,CAAMF,CAAAA,CAAI,KAAO,EAAA,CACjBG,CAAAA,CAASH,CAAAA,CAAI,MAAA,CAEnB,GACCG,CAAAA,GAAW,KAAA,GACVD,CAAAA,GAAQ,KAAOA,CAAAA,GAAQ,MAAA,EAAUA,CAAAA,GAAQ,SAAA,CAAA,CACzC,CACD,GACCA,CAAAA,GAAQ,SAAA,EACRF,EAAI,OAAA,CAAQ,MAAA,EAAQ,QAAA,CAAS,kBAAkB,EAC9C,CACD,IAAMI,CAAAA,CAAW,IAAA,CAAK,SACnB,CACA,MAAA,CAAQ,IAAA,CAAK,QAAA,CAAS,SAAA,EAAU,EAAG,QAAA,EAAS,EAAK,GACjD,UAAA,CAAY,IAAA,CAAK,QAAA,CACf,aAAA,EAAc,CACd,GAAA,CAAKC,CAAAA,EAAMA,CAAAA,CAAE,UAAU,CAC1B,CAAA,CACC,IAAA,CACHJ,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAAE,eAAgB,kBAAmB,CAAC,CAAA,CACzDA,CAAAA,CAAI,IACH,IAAA,CAAK,SAAA,CAAU,CACd,MAAA,CAAQ,UACR,IAAA,CAAM,IAAA,CAAK,UAAA,CAAW,aAAA,EAAc,CACpC,IAAA,CAAMG,CAAAA,CACN,KAAA,CAAO,KAAK,UAAA,CAAW,SAAA,EAAU,CAAE,GAAA,CAAKE,CAAAA,EAAMA,CAAAA,CAAE,IAAI,CAAA,CACpD,UAAW,IAAI,IAAA,EAAK,CAAE,WAAA,EACvB,CAAC,CACF,CAAA,CACA,MACD,CAEAL,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAAE,cAAA,CAAgB,0BAA2B,CAAC,CAAA,CACjEA,EAAI,GAAA,CAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAA,CAWK,EACb,MACD,CAEA,GAAIC,CAAAA,GAAQ,MAAA,EAAUC,IAAW,MAAA,CAAQ,CACxC,IAAII,CAAAA,CAAO,GACXP,CAAAA,CAAI,EAAA,CAAG,OAASQ,CAAAA,EAAWD,CAAAA,EAAQC,EAAM,QAAA,EAAW,CAAA,CACpDR,CAAAA,CAAI,GAAG,KAAA,CAAO,SAAY,CACzB,GAAI,CACH,IAAMS,CAAAA,CAAc,IAAA,CAAK,KAAA,CAAMF,CAAI,EAC7BG,CAAAA,CAAW,MAAM,KAAK,MAAA,CAAO,QAAA,CAASD,CAAW,CAAA,CACvDR,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAAE,cAAA,CAAgB,kBAAmB,CAAC,CAAA,CACzDA,CAAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAUS,CAAQ,CAAC,EACjC,CAAA,MAASC,CAAAA,CAAY,CACpBjB,CAAAA,CAAI,IAAA,CACH,qDAAsDiB,CAAAA,CAAY,OAAO,CAAA,CAC1E,CAAA,CACAV,EAAI,SAAA,CAAU,GAAG,EACjBA,CAAAA,CAAI,GAAA,CACH,KAAK,SAAA,CAAU,CACd,QAAS,KAAA,CACT,KAAA,CAAO,CAAE,IAAA,CAAM,MAAA,CAAQ,QAAS,aAAc,CAC/C,CAAC,CACF,EACD,CACD,CAAC,EACF,CAAA,KACCA,CAAAA,CAAI,UAAU,GAAG,CAAA,CACjBA,EAAI,GAAA,CAAI,WAAW,EAErB,CAAC,EACF,CAEQ,gBAAA,CAAiBL,EAAiC,CACzDA,CAAAA,CAAO,GAAG,MAAA,CAASY,CAAAA,EAAmB,CAErC,IAAMI,EAAOJ,CAAAA,CACTI,CAAAA,EACHlB,EAAI,IAAA,CACH,CAAA,yCAAA,EAA4CkB,EAAK,MAAM,CAAA,MAAA,CACxD,EACF,CAAC,EACDhB,CAAAA,CAAO,OAAA,CAAQ,CAAE,SAAA,CAAW,GAAA,CAAK,eAAgB,kBAAmB,CAAC,CAAA,CACrEA,CAAAA,CAAO,MACR,CAEQ,kBACPA,CAAAA,CACAiB,CAAAA,CACC,CACD,IAAIN,CAAAA,CAAO,EAAA,CACXX,CAAAA,CAAO,GAAG,MAAA,CAASY,CAAAA,EAAWD,GAAQC,CAAAA,CAAM,QAAA,EAAW,CAAA,CACvDZ,CAAAA,CAAO,EAAA,CAAG,KAAA,CAAO,SAAY,CAC5B,GAAI,CACH,IAAMc,CAAAA,CAAW,MAAM,IAAA,CAAK,MAAA,CAAO,SAAS,IAAA,CAAK,KAAA,CAAMH,CAAI,CAAC,CAAA,CACxDG,GACHd,CAAAA,CAAO,OAAA,CAAQ,CACd,SAAA,CAAW,GAAA,CACX,cAAA,CAAgB,kBACjB,CAAC,CAAA,CACDA,CAAAA,CAAO,IAAI,IAAA,CAAK,SAAA,CAAUc,CAAQ,CAAC,CAAA,EAC7Bd,CAAAA,CAAO,KAAA,GACf,CAAA,KAAa,CACZA,EAAO,OAAA,CAAQ,CAAE,UAAW,GAAI,CAAC,CAAA,CACjCA,CAAAA,CAAO,MACR,CACD,CAAC,EACF,CAEA,MAAa,MAAA,CAAOkB,CAAAA,CAAcC,CAAAA,CAAe,SAAA,CAA4B,CAC5E,GAAI,IAAA,CAAK,SAAU,CAClB,MAAM,KAAK,QAAA,CAAS,KAAA,EAAM,CAG1B,IAAMC,EAAQ,IAAA,CAAK,UAAA,CAAW,WAAU,CACxC,IAAA,IAAWC,KAAQD,CAAAA,CAClB,MAAM,IAAA,CAAK,QAAA,CAAS,mBAAmBC,CAAAA,CAAK,IAAI,EAChDvB,CAAAA,CAAI,IAAA,CACH,0DAAmDuB,CAAAA,CAAK,IAAI,CAAA,CAC7D,EAEF,CACA,OAAO,IAAI,QAAQ,CAACC,CAAAA,CAASC,IAAW,CACvC,IAAA,CAAK,UAAU,EAAA,CAAG,OAAA,CAAUxB,GAAmC,CAC1DA,CAAAA,CAAI,OAAS,YAAA,CAChBD,CAAAA,CAAI,KACH,CAAA,2BAAA,EAA8BoB,CAAI,CAAA,sCAAA,CACnC,CAAA,CAEApB,EAAI,KAAA,CAAM,CAAA,8BAAA,EAAiCC,EAAI,OAAO,CAAA,CAAE,EAEzDwB,CAAAA,CAAOxB,CAAG,EACX,CAAC,EAED,IAAA,CAAK,SAAA,CAAU,OAAOmB,CAAAA,CAAMC,CAAAA,CAAM,IAAM,CACvC,IAAMK,CAAAA,CAAO,IAAA,CAAK,UAAU,OAAA,EAAQ,CAC9BC,EACL,OAAOD,CAAAA,EAAS,SAAWA,CAAAA,CAAOA,CAAAA,EAAM,OAAA,EAAWL,CAAAA,CAC9CO,IACL,OAAOF,CAAAA,EAAS,SAAWN,CAAAA,CAAOM,CAAAA,EAAM,MAAQN,CAAAA,CAEjDpB,CAAAA,CAAI,IAAA,CACH,CAAA,sEAAA,EAAoE2B,CAAU,CAAA,CAAA,EAAIC,GAAY,EAC/F,CAAA,CACAJ,CAAAA,CAAQI,GAAY,EACrB,CAAC,EACF,CAAC,CACF,CAEA,MAAa,MAAO,CACf,IAAA,CAAK,UACR,MAAM,IAAA,CAAK,QAAA,CAAS,IAAA,GAErB,IAAA,CAAK,SAAA,CAAU,OAAM,CACrB,IAAA,CAAK,SAAS,KAAA,EAAM,CACpB,KAAK,QAAA,CAAS,KAAA,GACf,CAEO,SAAA,EAA2B,CACjC,OAAO,IAAA,CAAK,MACb,CACD","file":"chunk-ALLOYPMN.js","sourcesContent":["import * as http from \"node:http\";\nimport * as http2 from \"node:http2\";\nimport * as net from \"node:net\";\nimport type { MeshNode } from \"../mesh/index.js\";\nimport type { LiopServer } from \"../server/index.js\";\nimport { log } from \"../utils/logger.js\";\nimport { LiopMcpRouter } from \"./router.js\";\n\n/**\n * LIOP Hybrid Gateway\n * High-level orchestration for connecting MCP (JSON-RPC) clients to the LIOP Mesh.\n */\nexport class LiopHybridGateway {\n\tprivate netServer: net.Server;\n\tprivate h2Server: http2.Http2Server;\n\tprivate h1Server: http.Server;\n\tprivate router: LiopMcpRouter;\n\n\tconstructor(\n\t\tprivate liopServer: LiopServer,\n\t\tprivate meshNode: MeshNode | null = null,\n\t\trpcPort: number = 50051,\n\t) {\n\t\t// Initialize the Universal Router\n\t\tthis.router = new LiopMcpRouter(this.liopServer, this.meshNode, rpcPort);\n\n\t\t// Internal HTTP/2 Server (for Native gRPC Proxying)\n\t\tthis.h2Server = http2.createServer();\n\t\tthis.setupH2Routes();\n\n\t\t// Internal HTTP/1 Server (for Browser/MCP)\n\t\tthis.h1Server = http.createServer();\n\t\tthis.setupH1Routes();\n\n\t\t// Primary Multiplexer (L4)\n\t\tthis.netServer = net.createServer((socket) => {\n\t\t\tsocket.once(\"data\", (buffer) => {\n\t\t\t\tconst isHttp2 = buffer.toString().startsWith(\"PRI * HTTP/2.0\");\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] Incoming L4 Connection. Protocol: ${isHttp2 ? \"HTTP/2 (gRPC)\" : \"HTTP/1.1 (MCP)\"}`,\n\t\t\t\t);\n\t\t\t\tif (isHttp2) {\n\t\t\t\t\tthis.h2Server.emit(\"connection\", socket);\n\t\t\t\t} else {\n\t\t\t\t\tthis.h1Server.emit(\"connection\", socket);\n\t\t\t\t}\n\t\t\t\tsocket.unshift(buffer);\n\t\t\t});\n\t\t\tsocket.on(\"error\", (err) =>\n\t\t\t\tlog.error(`[LIOP-Gateway] NetServer Socket Error: ${err.message}`),\n\t\t\t);\n\t\t});\n\n\t\t// Attach error listeners to sub-servers to catch silent failures\n\t\tthis.h1Server.on(\"error\", (err) =>\n\t\t\tlog.error(`[LIOP-Gateway] H1 Server Error: ${err.message}`),\n\t\t);\n\t\tthis.h2Server.on(\"error\", (err) =>\n\t\t\tlog.error(`[LIOP-Gateway] H2 Server Error: ${err.message}`),\n\t\t);\n\n\t\tlog.info(\"[LIOP-Gateway] Hybrid adapter initialized.\");\n\t}\n\n\tprivate setupH2Routes() {\n\t\tthis.h2Server.on(\"stream\", (stream, headers) => {\n\t\t\tconst contentType = headers[\"content-type\"] as string;\n\t\t\tconst path = headers[\":path\"] as string;\n\n\t\t\tif (contentType === \"application/grpc\") {\n\t\t\t\tthis.handleGrpcStream(stream as http2.ServerHttp2Stream);\n\t\t\t} else if (path === \"/mcp\") {\n\t\t\t\tthis.handleMcpH2Stream(stream as http2.ServerHttp2Stream, headers);\n\t\t\t}\n\t\t});\n\t}\n\n\tprivate setupH1Routes() {\n\t\tthis.h1Server.on(\"request\", async (req, res) => {\n\t\t\tconst url = req.url || \"\";\n\t\t\tconst method = req.method;\n\n\t\t\tif (\n\t\t\t\tmethod === \"GET\" &&\n\t\t\t\t(url === \"/\" || url === \"/mcp\" || url === \"/health\")\n\t\t\t) {\n\t\t\t\tif (\n\t\t\t\t\turl === \"/health\" &&\n\t\t\t\t\treq.headers.accept?.includes(\"application/json\")\n\t\t\t\t) {\n\t\t\t\t\tconst meshInfo = this.meshNode\n\t\t\t\t\t\t? {\n\t\t\t\t\t\t\t\tpeerId: this.meshNode.getPeerId()?.toString() || \"\",\n\t\t\t\t\t\t\t\tmultiaddrs: this.meshNode\n\t\t\t\t\t\t\t\t\t.getMultiaddrs()\n\t\t\t\t\t\t\t\t\t.map((m) => m.toString()),\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t: null;\n\t\t\t\t\tres.writeHead(200, { \"Content-Type\": \"application/json\" });\n\t\t\t\t\tres.end(\n\t\t\t\t\t\tJSON.stringify({\n\t\t\t\t\t\t\tstatus: \"healthy\",\n\t\t\t\t\t\t\tnode: this.liopServer.getServerInfo(),\n\t\t\t\t\t\t\tmesh: meshInfo,\n\t\t\t\t\t\t\ttools: this.liopServer.listTools().map((t) => t.name),\n\t\t\t\t\t\t\ttimestamp: new Date().toISOString(),\n\t\t\t\t\t\t}),\n\t\t\t\t\t);\n\t\t\t\t\treturn;\n\t\t\t\t}\n\n\t\t\t\tres.writeHead(200, { \"Content-Type\": \"text/html; charset=utf-8\" });\n\t\t\t\tres.end(`\n <body style=\"background:#0f172a;color:#f8fafc;font-family:sans-serif;display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;margin:0\">\n <div style=\"background:#1e293b;padding:40px;border-radius:16px;border:1px solid #38bdf8;text-align:center;box-shadow:0 20px 25px -5px rgba(0,0,0,0.1)\">\n <h1 style=\"color:#38bdf8;margin-top:0\">LIOP Protocol Transformer</h1>\n <p style=\"opacity:0.8;font-weight:600\">L4/L7 Transcoding: JSON-RPC &harr; gRPC</p>\n <p style=\"opacity:0.6;font-size:14px\">Active Protections: Kyber768 + AES-256-GCM + ZK-Proof Ready</p>\n <div style=\"background:#0f172a;padding:15px;border-radius:8px;margin-top:20px;border:1px dashed #334155\">\n <code style=\"color:#10b981\">Endpoint: http://localhost:3000/mcp</code>\n </div>\n </div>\n </body>\n `);\n\t\t\t\treturn;\n\t\t\t}\n\n\t\t\tif (url === \"/mcp\" && method === \"POST\") {\n\t\t\t\tlet body = \"\";\n\t\t\t\treq.on(\"data\", (chunk) => (body += chunk.toString()));\n\t\t\t\treq.on(\"end\", async () => {\n\t\t\t\t\ttry {\n\t\t\t\t\t\tconst jsonRequest = JSON.parse(body);\n\t\t\t\t\t\tconst response = await this.router.dispatch(jsonRequest);\n\t\t\t\t\t\tres.writeHead(200, { \"Content-Type\": \"application/json\" });\n\t\t\t\t\t\tres.end(JSON.stringify(response));\n\t\t\t\t\t} catch (e: unknown) {\n\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t`[LIOP-Gateway] Error processing JSON-RPC payload: ${(e as Error).message}`,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tres.writeHead(400);\n\t\t\t\t\t\tres.end(\n\t\t\t\t\t\t\tJSON.stringify({\n\t\t\t\t\t\t\t\tjsonrpc: \"2.0\",\n\t\t\t\t\t\t\t\terror: { code: -32700, message: \"Parse error\" },\n\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t});\n\t\t\t} else {\n\t\t\t\tres.writeHead(404);\n\t\t\t\tres.end(\"Not Found\");\n\t\t\t}\n\t\t});\n\t}\n\n\tprivate handleGrpcStream(stream: http2.ServerHttp2Stream) {\n\t\tstream.on(\"data\", (chunk: unknown) => {\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Standard gRPC stream data is Buffer\n\t\t\tconst data = chunk as any;\n\t\t\tif (data)\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] Native gRPC Proxy passing ${data.length} bytes`,\n\t\t\t\t);\n\t\t});\n\t\tstream.respond({ \":status\": 200, \"content-type\": \"application/grpc\" });\n\t\tstream.end();\n\t}\n\n\tprivate handleMcpH2Stream(\n\t\tstream: http2.ServerHttp2Stream,\n\t\t_headers: http2.IncomingHttpHeaders,\n\t) {\n\t\tlet body = \"\";\n\t\tstream.on(\"data\", (chunk) => (body += chunk.toString()));\n\t\tstream.on(\"end\", async () => {\n\t\t\ttry {\n\t\t\t\tconst response = await this.router.dispatch(JSON.parse(body));\n\t\t\t\tif (response) {\n\t\t\t\t\tstream.respond({\n\t\t\t\t\t\t\":status\": 200,\n\t\t\t\t\t\t\"content-type\": \"application/json\",\n\t\t\t\t\t});\n\t\t\t\t\tstream.end(JSON.stringify(response));\n\t\t\t\t} else stream.close();\n\t\t\t} catch (_e) {\n\t\t\t\tstream.respond({ \":status\": 400 });\n\t\t\t\tstream.end();\n\t\t\t}\n\t\t});\n\t}\n\n\tpublic async listen(port: number, host: string = \"0.0.0.0\"): Promise<number> {\n\t\tif (this.meshNode) {\n\t\t\tawait this.meshNode.start();\n\n\t\t\t// Announce all local tools to the DHT\n\t\t\tconst tools = this.liopServer.listTools();\n\t\t\tfor (const tool of tools) {\n\t\t\t\tawait this.meshNode.announceCapability(tool.name);\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] 📡 Announced local tool to Mesh: ${tool.name}`,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\t\treturn new Promise((resolve, reject) => {\n\t\t\tthis.netServer.on(\"error\", (err: Error & { code?: string }) => {\n\t\t\t\tif (err.code === \"EADDRINUSE\") {\n\t\t\t\t\tlog.info(\n\t\t\t\t\t\t`[LIOP-Gateway] FATAL: Port ${port} is already in use by another process.`,\n\t\t\t\t\t);\n\t\t\t\t} else {\n\t\t\t\t\tlog.error(`[LIOP-Gateway] Binding Error: ${err.message}`);\n\t\t\t\t}\n\t\t\t\treject(err);\n\t\t\t});\n\n\t\t\tthis.netServer.listen(port, host, () => {\n\t\t\t\tconst addr = this.netServer.address();\n\t\t\t\tconst actualHost =\n\t\t\t\t\ttypeof addr === \"string\" ? addr : addr?.address || host;\n\t\t\t\tconst assignedPort =\n\t\t\t\t\ttypeof addr === \"string\" ? port : addr?.port || port;\n\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] ✅ Transformer Mesh Gateway READY and listening on ${actualHost}:${assignedPort}`,\n\t\t\t\t);\n\t\t\t\tresolve(assignedPort);\n\t\t\t});\n\t\t});\n\t}\n\n\tpublic async stop() {\n\t\tif (this.meshNode) {\n\t\t\tawait this.meshNode.stop();\n\t\t}\n\t\tthis.netServer.close();\n\t\tthis.h2Server.close();\n\t\tthis.h1Server.close();\n\t}\n\n\tpublic getRouter(): LiopMcpRouter {\n\t\treturn this.router;\n\t}\n}\n"]}
1
+ {"version":3,"sources":["../src/gateway/hybrid.ts"],"names":["LiopHybridGateway","liopServer","meshNode","rpcPort","LiopMcpRouter","socket","buffer","isHttp2","log","err","stream","headers","contentType","path","req","res","url","method","meshInfo","m","t","body","chunk","jsonRequest","response","e","data","_headers","port","host","tools","tool","resolve","reject","addr","actualHost","assignedPort"],"mappings":"6IAYO,IAAMA,CAAAA,CAAN,KAAwB,CAM9B,WAAA,CACSC,EACAC,CAAAA,CAA4B,IAAA,CACpCC,CAAAA,CAAkB,KAAA,CACjB,CAHO,IAAA,CAAA,UAAA,CAAAF,CAAAA,CACA,IAAA,CAAA,QAAA,CAAAC,EAIR,IAAA,CAAK,MAAA,CAAS,IAAIE,CAAAA,CAAc,KAAK,UAAA,CAAY,IAAA,CAAK,QAAA,CAAUD,CAAO,EAGvE,IAAA,CAAK,QAAA,CAAiB,CAAA,CAAA,YAAA,EAAa,CACnC,IAAA,CAAK,aAAA,EAAc,CAGnB,IAAA,CAAK,SAAgB,CAAA,CAAA,YAAA,EAAa,CAClC,IAAA,CAAK,aAAA,EAAc,CAGnB,IAAA,CAAK,SAAA,CAAgB,CAAA,CAAA,YAAA,CAAcE,GAAW,CAC7CA,CAAAA,CAAO,IAAA,CAAK,MAAA,CAASC,CAAAA,EAAW,CAC/B,IAAMC,CAAAA,CAAUD,EAAO,QAAA,EAAS,CAAE,UAAA,CAAW,gBAAgB,EAC7DE,CAAAA,CAAI,IAAA,CACH,CAAA,iDAAA,EAAoDD,CAAAA,CAAU,gBAAkB,gBAAgB,CAAA,CACjG,CAAA,CACIA,CAAAA,CACH,IAAA,CAAK,QAAA,CAAS,IAAA,CAAK,YAAA,CAAcF,CAAM,CAAA,CAEvC,IAAA,CAAK,QAAA,CAAS,IAAA,CAAK,YAAA,CAAcA,CAAM,CAAA,CAExCA,CAAAA,CAAO,QAAQC,CAAM,EACtB,CAAC,CAAA,CACDD,CAAAA,CAAO,EAAA,CAAG,OAAA,CAAUI,CAAAA,EACnBD,EAAI,KAAA,CAAM,CAAA,uCAAA,EAA0CC,CAAAA,CAAI,OAAO,EAAE,CAClE,EACD,CAAC,CAAA,CAGD,KAAK,QAAA,CAAS,EAAA,CAAG,OAAA,CAAUA,CAAAA,EAC1BD,CAAAA,CAAI,KAAA,CAAM,CAAA,gCAAA,EAAmCC,CAAAA,CAAI,OAAO,CAAA,CAAE,CAC3D,CAAA,CACA,IAAA,CAAK,QAAA,CAAS,EAAA,CAAG,OAAA,CAAUA,CAAAA,EAC1BD,EAAI,KAAA,CAAM,CAAA,gCAAA,EAAmCC,CAAAA,CAAI,OAAO,CAAA,CAAE,CAC3D,CAAA,CAEAD,CAAAA,CAAI,KAAK,4CAA4C,EACtD,CAjDQ,SAAA,CACA,SACA,QAAA,CACA,MAAA,CAgDA,aAAA,EAAgB,CACvB,KAAK,QAAA,CAAS,EAAA,CAAG,QAAA,CAAU,CAACE,CAAAA,CAAQC,CAAAA,GAAY,CAC/C,IAAMC,EAAcD,CAAAA,CAAQ,cAAc,CAAA,CACpCE,CAAAA,CAAOF,CAAAA,CAAQ,OAAO,CAAA,CAExBC,CAAAA,GAAgB,mBACnB,IAAA,CAAK,gBAAA,CAAiBF,CAAiC,CAAA,CAC7CG,CAAAA,GAAS,MAAA,EACnB,IAAA,CAAK,iBAAA,CAAkBH,EAAmCC,CAAO,EAEnE,CAAC,EACF,CAEQ,aAAA,EAAgB,CACvB,IAAA,CAAK,QAAA,CAAS,GAAG,SAAA,CAAW,MAAOG,CAAAA,CAAKC,CAAAA,GAAQ,CAC/C,IAAMC,CAAAA,CAAMF,CAAAA,CAAI,KAAO,EAAA,CACjBG,CAAAA,CAASH,CAAAA,CAAI,MAAA,CAEnB,GACCG,CAAAA,GAAW,KAAA,GACVD,CAAAA,GAAQ,KAAOA,CAAAA,GAAQ,MAAA,EAAUA,CAAAA,GAAQ,SAAA,CAAA,CACzC,CACD,GACCA,CAAAA,GAAQ,SAAA,EACRF,EAAI,OAAA,CAAQ,MAAA,EAAQ,QAAA,CAAS,kBAAkB,EAC9C,CACD,IAAMI,CAAAA,CAAW,IAAA,CAAK,SACnB,CACA,MAAA,CAAQ,IAAA,CAAK,QAAA,CAAS,SAAA,EAAU,EAAG,QAAA,EAAS,EAAK,GACjD,UAAA,CAAY,IAAA,CAAK,QAAA,CACf,aAAA,EAAc,CACd,GAAA,CAAKC,CAAAA,EAAMA,CAAAA,CAAE,UAAU,CAC1B,CAAA,CACC,IAAA,CACHJ,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAAE,eAAgB,kBAAmB,CAAC,CAAA,CACzDA,CAAAA,CAAI,IACH,IAAA,CAAK,SAAA,CAAU,CACd,MAAA,CAAQ,UACR,IAAA,CAAM,IAAA,CAAK,UAAA,CAAW,aAAA,EAAc,CACpC,IAAA,CAAMG,CAAAA,CACN,KAAA,CAAO,KAAK,UAAA,CAAW,SAAA,EAAU,CAAE,GAAA,CAAKE,CAAAA,EAAMA,CAAAA,CAAE,IAAI,CAAA,CACpD,UAAW,IAAI,IAAA,EAAK,CAAE,WAAA,EACvB,CAAC,CACF,CAAA,CACA,MACD,CAEAL,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAAE,cAAA,CAAgB,0BAA2B,CAAC,CAAA,CACjEA,EAAI,GAAA,CAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAA,CAWK,EACb,MACD,CAEA,GAAIC,CAAAA,GAAQ,MAAA,EAAUC,IAAW,MAAA,CAAQ,CACxC,IAAII,CAAAA,CAAO,GACXP,CAAAA,CAAI,EAAA,CAAG,OAASQ,CAAAA,EAAWD,CAAAA,EAAQC,EAAM,QAAA,EAAW,CAAA,CACpDR,CAAAA,CAAI,GAAG,KAAA,CAAO,SAAY,CACzB,GAAI,CACH,IAAMS,CAAAA,CAAc,IAAA,CAAK,KAAA,CAAMF,CAAI,EAC7BG,CAAAA,CAAW,MAAM,KAAK,MAAA,CAAO,QAAA,CAASD,CAAW,CAAA,CACvDR,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAAE,cAAA,CAAgB,kBAAmB,CAAC,CAAA,CACzDA,CAAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAUS,CAAQ,CAAC,EACjC,CAAA,MAASC,CAAAA,CAAY,CACpBjB,CAAAA,CAAI,IAAA,CACH,qDAAsDiB,CAAAA,CAAY,OAAO,CAAA,CAC1E,CAAA,CACAV,EAAI,SAAA,CAAU,GAAG,EACjBA,CAAAA,CAAI,GAAA,CACH,KAAK,SAAA,CAAU,CACd,QAAS,KAAA,CACT,KAAA,CAAO,CAAE,IAAA,CAAM,MAAA,CAAQ,QAAS,aAAc,CAC/C,CAAC,CACF,EACD,CACD,CAAC,EACF,CAAA,KACCA,CAAAA,CAAI,UAAU,GAAG,CAAA,CACjBA,EAAI,GAAA,CAAI,WAAW,EAErB,CAAC,EACF,CAEQ,gBAAA,CAAiBL,EAAiC,CACzDA,CAAAA,CAAO,GAAG,MAAA,CAASY,CAAAA,EAAmB,CAErC,IAAMI,EAAOJ,CAAAA,CACTI,CAAAA,EACHlB,EAAI,IAAA,CACH,CAAA,yCAAA,EAA4CkB,EAAK,MAAM,CAAA,MAAA,CACxD,EACF,CAAC,EACDhB,CAAAA,CAAO,OAAA,CAAQ,CAAE,SAAA,CAAW,GAAA,CAAK,eAAgB,kBAAmB,CAAC,CAAA,CACrEA,CAAAA,CAAO,MACR,CAEQ,kBACPA,CAAAA,CACAiB,CAAAA,CACC,CACD,IAAIN,CAAAA,CAAO,EAAA,CACXX,CAAAA,CAAO,GAAG,MAAA,CAASY,CAAAA,EAAWD,GAAQC,CAAAA,CAAM,QAAA,EAAW,CAAA,CACvDZ,CAAAA,CAAO,EAAA,CAAG,KAAA,CAAO,SAAY,CAC5B,GAAI,CACH,IAAMc,CAAAA,CAAW,MAAM,IAAA,CAAK,MAAA,CAAO,SAAS,IAAA,CAAK,KAAA,CAAMH,CAAI,CAAC,CAAA,CACxDG,GACHd,CAAAA,CAAO,OAAA,CAAQ,CACd,SAAA,CAAW,GAAA,CACX,cAAA,CAAgB,kBACjB,CAAC,CAAA,CACDA,CAAAA,CAAO,IAAI,IAAA,CAAK,SAAA,CAAUc,CAAQ,CAAC,CAAA,EAC7Bd,CAAAA,CAAO,KAAA,GACf,CAAA,KAAa,CACZA,EAAO,OAAA,CAAQ,CAAE,UAAW,GAAI,CAAC,CAAA,CACjCA,CAAAA,CAAO,MACR,CACD,CAAC,EACF,CAEA,MAAa,MAAA,CAAOkB,CAAAA,CAAcC,CAAAA,CAAe,SAAA,CAA4B,CAC5E,GAAI,IAAA,CAAK,SAAU,CAClB,MAAM,KAAK,QAAA,CAAS,KAAA,EAAM,CAG1B,IAAMC,EAAQ,IAAA,CAAK,UAAA,CAAW,WAAU,CACxC,IAAA,IAAWC,KAAQD,CAAAA,CAClB,MAAM,IAAA,CAAK,QAAA,CAAS,mBAAmBC,CAAAA,CAAK,IAAI,EAChDvB,CAAAA,CAAI,IAAA,CACH,0DAAmDuB,CAAAA,CAAK,IAAI,CAAA,CAC7D,EAEF,CACA,OAAO,IAAI,QAAQ,CAACC,CAAAA,CAASC,IAAW,CACvC,IAAA,CAAK,UAAU,EAAA,CAAG,OAAA,CAAUxB,GAAmC,CAC1DA,CAAAA,CAAI,OAAS,YAAA,CAChBD,CAAAA,CAAI,KACH,CAAA,2BAAA,EAA8BoB,CAAI,CAAA,sCAAA,CACnC,CAAA,CAEApB,EAAI,KAAA,CAAM,CAAA,8BAAA,EAAiCC,EAAI,OAAO,CAAA,CAAE,EAEzDwB,CAAAA,CAAOxB,CAAG,EACX,CAAC,EAED,IAAA,CAAK,SAAA,CAAU,OAAOmB,CAAAA,CAAMC,CAAAA,CAAM,IAAM,CACvC,IAAMK,CAAAA,CAAO,IAAA,CAAK,UAAU,OAAA,EAAQ,CAC9BC,EACL,OAAOD,CAAAA,EAAS,SAAWA,CAAAA,CAAOA,CAAAA,EAAM,OAAA,EAAWL,CAAAA,CAC9CO,IACL,OAAOF,CAAAA,EAAS,SAAWN,CAAAA,CAAOM,CAAAA,EAAM,MAAQN,CAAAA,CAEjDpB,CAAAA,CAAI,IAAA,CACH,CAAA,sEAAA,EAAoE2B,CAAU,CAAA,CAAA,EAAIC,GAAY,EAC/F,CAAA,CACAJ,CAAAA,CAAQI,GAAY,EACrB,CAAC,EACF,CAAC,CACF,CAEA,MAAa,MAAO,CACf,IAAA,CAAK,UACR,MAAM,IAAA,CAAK,QAAA,CAAS,IAAA,GAErB,IAAA,CAAK,SAAA,CAAU,OAAM,CACrB,IAAA,CAAK,SAAS,KAAA,EAAM,CACpB,KAAK,QAAA,CAAS,KAAA,GACf,CAEO,SAAA,EAA2B,CACjC,OAAO,IAAA,CAAK,MACb,CACD","file":"chunk-YTIMVS2I.js","sourcesContent":["import * as http from \"node:http\";\nimport * as http2 from \"node:http2\";\nimport * as net from \"node:net\";\nimport type { MeshNode } from \"../mesh/index.js\";\nimport type { LiopServer } from \"../server/index.js\";\nimport { log } from \"../utils/logger.js\";\nimport { LiopMcpRouter } from \"./router.js\";\n\n/**\n * LIOP Hybrid Gateway\n * High-level orchestration for connecting MCP (JSON-RPC) clients to the LIOP Mesh.\n */\nexport class LiopHybridGateway {\n\tprivate netServer: net.Server;\n\tprivate h2Server: http2.Http2Server;\n\tprivate h1Server: http.Server;\n\tprivate router: LiopMcpRouter;\n\n\tconstructor(\n\t\tprivate liopServer: LiopServer,\n\t\tprivate meshNode: MeshNode | null = null,\n\t\trpcPort: number = 50051,\n\t) {\n\t\t// Initialize the Universal Router\n\t\tthis.router = new LiopMcpRouter(this.liopServer, this.meshNode, rpcPort);\n\n\t\t// Internal HTTP/2 Server (for Native gRPC Proxying)\n\t\tthis.h2Server = http2.createServer();\n\t\tthis.setupH2Routes();\n\n\t\t// Internal HTTP/1 Server (for Browser/MCP)\n\t\tthis.h1Server = http.createServer();\n\t\tthis.setupH1Routes();\n\n\t\t// Primary Multiplexer (L4)\n\t\tthis.netServer = net.createServer((socket) => {\n\t\t\tsocket.once(\"data\", (buffer) => {\n\t\t\t\tconst isHttp2 = buffer.toString().startsWith(\"PRI * HTTP/2.0\");\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] Incoming L4 Connection. Protocol: ${isHttp2 ? \"HTTP/2 (gRPC)\" : \"HTTP/1.1 (MCP)\"}`,\n\t\t\t\t);\n\t\t\t\tif (isHttp2) {\n\t\t\t\t\tthis.h2Server.emit(\"connection\", socket);\n\t\t\t\t} else {\n\t\t\t\t\tthis.h1Server.emit(\"connection\", socket);\n\t\t\t\t}\n\t\t\t\tsocket.unshift(buffer);\n\t\t\t});\n\t\t\tsocket.on(\"error\", (err) =>\n\t\t\t\tlog.error(`[LIOP-Gateway] NetServer Socket Error: ${err.message}`),\n\t\t\t);\n\t\t});\n\n\t\t// Attach error listeners to sub-servers to catch silent failures\n\t\tthis.h1Server.on(\"error\", (err) =>\n\t\t\tlog.error(`[LIOP-Gateway] H1 Server Error: ${err.message}`),\n\t\t);\n\t\tthis.h2Server.on(\"error\", (err) =>\n\t\t\tlog.error(`[LIOP-Gateway] H2 Server Error: ${err.message}`),\n\t\t);\n\n\t\tlog.info(\"[LIOP-Gateway] Hybrid adapter initialized.\");\n\t}\n\n\tprivate setupH2Routes() {\n\t\tthis.h2Server.on(\"stream\", (stream, headers) => {\n\t\t\tconst contentType = headers[\"content-type\"] as string;\n\t\t\tconst path = headers[\":path\"] as string;\n\n\t\t\tif (contentType === \"application/grpc\") {\n\t\t\t\tthis.handleGrpcStream(stream as http2.ServerHttp2Stream);\n\t\t\t} else if (path === \"/mcp\") {\n\t\t\t\tthis.handleMcpH2Stream(stream as http2.ServerHttp2Stream, headers);\n\t\t\t}\n\t\t});\n\t}\n\n\tprivate setupH1Routes() {\n\t\tthis.h1Server.on(\"request\", async (req, res) => {\n\t\t\tconst url = req.url || \"\";\n\t\t\tconst method = req.method;\n\n\t\t\tif (\n\t\t\t\tmethod === \"GET\" &&\n\t\t\t\t(url === \"/\" || url === \"/mcp\" || url === \"/health\")\n\t\t\t) {\n\t\t\t\tif (\n\t\t\t\t\turl === \"/health\" &&\n\t\t\t\t\treq.headers.accept?.includes(\"application/json\")\n\t\t\t\t) {\n\t\t\t\t\tconst meshInfo = this.meshNode\n\t\t\t\t\t\t? {\n\t\t\t\t\t\t\t\tpeerId: this.meshNode.getPeerId()?.toString() || \"\",\n\t\t\t\t\t\t\t\tmultiaddrs: this.meshNode\n\t\t\t\t\t\t\t\t\t.getMultiaddrs()\n\t\t\t\t\t\t\t\t\t.map((m) => m.toString()),\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t: null;\n\t\t\t\t\tres.writeHead(200, { \"Content-Type\": \"application/json\" });\n\t\t\t\t\tres.end(\n\t\t\t\t\t\tJSON.stringify({\n\t\t\t\t\t\t\tstatus: \"healthy\",\n\t\t\t\t\t\t\tnode: this.liopServer.getServerInfo(),\n\t\t\t\t\t\t\tmesh: meshInfo,\n\t\t\t\t\t\t\ttools: this.liopServer.listTools().map((t) => t.name),\n\t\t\t\t\t\t\ttimestamp: new Date().toISOString(),\n\t\t\t\t\t\t}),\n\t\t\t\t\t);\n\t\t\t\t\treturn;\n\t\t\t\t}\n\n\t\t\t\tres.writeHead(200, { \"Content-Type\": \"text/html; charset=utf-8\" });\n\t\t\t\tres.end(`\n <body style=\"background:#0f172a;color:#f8fafc;font-family:sans-serif;display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;margin:0\">\n <div style=\"background:#1e293b;padding:40px;border-radius:16px;border:1px solid #38bdf8;text-align:center;box-shadow:0 20px 25px -5px rgba(0,0,0,0.1)\">\n <h1 style=\"color:#38bdf8;margin-top:0\">LIOP Protocol Transformer</h1>\n <p style=\"opacity:0.8;font-weight:600\">L4/L7 Transcoding: JSON-RPC &harr; gRPC</p>\n <p style=\"opacity:0.6;font-size:14px\">Active Protections: Kyber768 + AES-256-GCM + ZK-Proof Ready</p>\n <div style=\"background:#0f172a;padding:15px;border-radius:8px;margin-top:20px;border:1px dashed #334155\">\n <code style=\"color:#10b981\">Endpoint: http://localhost:3000/mcp</code>\n </div>\n </div>\n </body>\n `);\n\t\t\t\treturn;\n\t\t\t}\n\n\t\t\tif (url === \"/mcp\" && method === \"POST\") {\n\t\t\t\tlet body = \"\";\n\t\t\t\treq.on(\"data\", (chunk) => (body += chunk.toString()));\n\t\t\t\treq.on(\"end\", async () => {\n\t\t\t\t\ttry {\n\t\t\t\t\t\tconst jsonRequest = JSON.parse(body);\n\t\t\t\t\t\tconst response = await this.router.dispatch(jsonRequest);\n\t\t\t\t\t\tres.writeHead(200, { \"Content-Type\": \"application/json\" });\n\t\t\t\t\t\tres.end(JSON.stringify(response));\n\t\t\t\t\t} catch (e: unknown) {\n\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t`[LIOP-Gateway] Error processing JSON-RPC payload: ${(e as Error).message}`,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tres.writeHead(400);\n\t\t\t\t\t\tres.end(\n\t\t\t\t\t\t\tJSON.stringify({\n\t\t\t\t\t\t\t\tjsonrpc: \"2.0\",\n\t\t\t\t\t\t\t\terror: { code: -32700, message: \"Parse error\" },\n\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t});\n\t\t\t} else {\n\t\t\t\tres.writeHead(404);\n\t\t\t\tres.end(\"Not Found\");\n\t\t\t}\n\t\t});\n\t}\n\n\tprivate handleGrpcStream(stream: http2.ServerHttp2Stream) {\n\t\tstream.on(\"data\", (chunk: unknown) => {\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Standard gRPC stream data is Buffer\n\t\t\tconst data = chunk as any;\n\t\t\tif (data)\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] Native gRPC Proxy passing ${data.length} bytes`,\n\t\t\t\t);\n\t\t});\n\t\tstream.respond({ \":status\": 200, \"content-type\": \"application/grpc\" });\n\t\tstream.end();\n\t}\n\n\tprivate handleMcpH2Stream(\n\t\tstream: http2.ServerHttp2Stream,\n\t\t_headers: http2.IncomingHttpHeaders,\n\t) {\n\t\tlet body = \"\";\n\t\tstream.on(\"data\", (chunk) => (body += chunk.toString()));\n\t\tstream.on(\"end\", async () => {\n\t\t\ttry {\n\t\t\t\tconst response = await this.router.dispatch(JSON.parse(body));\n\t\t\t\tif (response) {\n\t\t\t\t\tstream.respond({\n\t\t\t\t\t\t\":status\": 200,\n\t\t\t\t\t\t\"content-type\": \"application/json\",\n\t\t\t\t\t});\n\t\t\t\t\tstream.end(JSON.stringify(response));\n\t\t\t\t} else stream.close();\n\t\t\t} catch (_e) {\n\t\t\t\tstream.respond({ \":status\": 400 });\n\t\t\t\tstream.end();\n\t\t\t}\n\t\t});\n\t}\n\n\tpublic async listen(port: number, host: string = \"0.0.0.0\"): Promise<number> {\n\t\tif (this.meshNode) {\n\t\t\tawait this.meshNode.start();\n\n\t\t\t// Announce all local tools to the DHT\n\t\t\tconst tools = this.liopServer.listTools();\n\t\t\tfor (const tool of tools) {\n\t\t\t\tawait this.meshNode.announceCapability(tool.name);\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] 📡 Announced local tool to Mesh: ${tool.name}`,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\t\treturn new Promise((resolve, reject) => {\n\t\t\tthis.netServer.on(\"error\", (err: Error & { code?: string }) => {\n\t\t\t\tif (err.code === \"EADDRINUSE\") {\n\t\t\t\t\tlog.info(\n\t\t\t\t\t\t`[LIOP-Gateway] FATAL: Port ${port} is already in use by another process.`,\n\t\t\t\t\t);\n\t\t\t\t} else {\n\t\t\t\t\tlog.error(`[LIOP-Gateway] Binding Error: ${err.message}`);\n\t\t\t\t}\n\t\t\t\treject(err);\n\t\t\t});\n\n\t\t\tthis.netServer.listen(port, host, () => {\n\t\t\t\tconst addr = this.netServer.address();\n\t\t\t\tconst actualHost =\n\t\t\t\t\ttypeof addr === \"string\" ? addr : addr?.address || host;\n\t\t\t\tconst assignedPort =\n\t\t\t\t\ttypeof addr === \"string\" ? port : addr?.port || port;\n\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] ✅ Transformer Mesh Gateway READY and listening on ${actualHost}:${assignedPort}`,\n\t\t\t\t);\n\t\t\t\tresolve(assignedPort);\n\t\t\t});\n\t\t});\n\t}\n\n\tpublic async stop() {\n\t\tif (this.meshNode) {\n\t\t\tawait this.meshNode.stop();\n\t\t}\n\t\tthis.netServer.close();\n\t\tthis.h2Server.close();\n\t\tthis.h1Server.close();\n\t}\n\n\tpublic getRouter(): LiopMcpRouter {\n\t\treturn this.router;\n\t}\n}\n"]}
package/dist/client.js CHANGED
@@ -1,2 +1,2 @@
1
- export{b as LiopClient}from'./chunk-ISKM7EAL.js';import'./chunk-UVTEJYHN.js';import'./chunk-ANFXJGMP.js';import'./chunk-DBXGYHKY.js';import'./chunk-V5MKJT6S.js';import'./chunk-7I6YJS3C.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=client.js.map
1
+ export{b as LiopClient}from'./chunk-AKTU6ZMX.js';import'./chunk-SW53FNSN.js';import'./chunk-ANFXJGMP.js';import'./chunk-DBXGYHKY.js';import'./chunk-V5MKJT6S.js';import'./chunk-7I6YJS3C.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=client.js.map
2
2
  //# sourceMappingURL=client.js.map
package/dist/gateway.js CHANGED
@@ -1,2 +1,2 @@
1
- export{a as LiopHybridGateway}from'./chunk-ALLOYPMN.js';import'./chunk-LJQF6ULT.js';import'./chunk-UVTEJYHN.js';import'./chunk-ANFXJGMP.js';import'./chunk-DBXGYHKY.js';import'./chunk-V5MKJT6S.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=gateway.js.map
1
+ export{a as LiopHybridGateway}from'./chunk-YTIMVS2I.js';import'./chunk-GFRRQ2EB.js';import'./chunk-SW53FNSN.js';import'./chunk-ANFXJGMP.js';import'./chunk-DBXGYHKY.js';import'./chunk-V5MKJT6S.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=gateway.js.map
2
2
  //# sourceMappingURL=gateway.js.map
package/dist/index.js CHANGED
@@ -1,4 +1,4 @@
1
- export{b as WasiSandbox}from'./chunk-C65RM2A3.js';export{b as LiopClient,a as LiopRpcClient}from'./chunk-ISKM7EAL.js';export{c as PromptSchema,b as ResourceSchema,a as ToolSchema}from'./chunk-TNMS53OP.js';export{b as LiopMcpBridge,a as LiopStreamBridge}from'./chunk-F7B6B4XS.js';export{a as LiopHybridGateway}from'./chunk-ALLOYPMN.js';export{a as LiopRpcServer,g as LiopServer,b as NerScanner,d as PII_PATTERNS,e as PII_PRESETS,f as PiiScanner,c as sanitizeOutput}from'./chunk-GD6EOKYV.js';import'./chunk-2MGFSIXN.js';export{b as HeuristicTokenEstimator,e as LiopOTelBridge,a as RealTokenEstimator,f as TokenTelemetryEngine,d as createSyncTokenEstimator,c as createTokenEstimator}from'./chunk-LJQF6ULT.js';import'./chunk-UVTEJYHN.js';import'./chunk-ANFXJGMP.js';import'./chunk-DBXGYHKY.js';import'./chunk-V5MKJT6S.js';export{a as MeshNode}from'./chunk-7I6YJS3C.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';var m=(e=>(e.CapabilityViolation="CapabilityViolation",e.SandboxEscape="SandboxEscape",e.PiiLeak="PiiLeak",e.InvalidIntent="InvalidIntent",e.Throttled="Throttled",e.ZkVerificationFailed="ZkVerificationFailed",e.MeshUnavailable="MeshUnavailable",e.ConnectionFailed="ConnectionFailed",e))(m||{}),n=class extends Error{code;constructor(o,t){super(t),this.name="LiopError",this.code=o;}};var g={claude:{xmlStandard:true,jsonSchemaPreferred:false},openai:{xmlStandard:false,jsonSchemaPreferred:true},gemini:{xmlStandard:false,jsonSchemaPreferred:true}};function _(i){let o=g[i],t=`[LIOP-PROTO-V1: LOGIC-ON-ORIGIN SPECIFICATION]
1
+ export{b as WasiSandbox}from'./chunk-C65RM2A3.js';export{b as LiopClient,a as LiopRpcClient}from'./chunk-AKTU6ZMX.js';export{c as PromptSchema,b as ResourceSchema,a as ToolSchema}from'./chunk-TNMS53OP.js';export{b as LiopMcpBridge,a as LiopStreamBridge}from'./chunk-GYK2HORK.js';export{a as LiopHybridGateway}from'./chunk-YTIMVS2I.js';export{a as LiopRpcServer,g as LiopServer,b as NerScanner,d as PII_PATTERNS,e as PII_PRESETS,f as PiiScanner,c as sanitizeOutput}from'./chunk-BDQZURCS.js';import'./chunk-2MGFSIXN.js';export{b as HeuristicTokenEstimator,e as LiopOTelBridge,a as RealTokenEstimator,f as TokenTelemetryEngine,d as createSyncTokenEstimator,c as createTokenEstimator}from'./chunk-GFRRQ2EB.js';import'./chunk-SW53FNSN.js';import'./chunk-ANFXJGMP.js';import'./chunk-DBXGYHKY.js';import'./chunk-V5MKJT6S.js';export{a as MeshNode}from'./chunk-7I6YJS3C.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';var m=(e=>(e.CapabilityViolation="CapabilityViolation",e.SandboxEscape="SandboxEscape",e.PiiLeak="PiiLeak",e.InvalidIntent="InvalidIntent",e.Throttled="Throttled",e.ZkVerificationFailed="ZkVerificationFailed",e.MeshUnavailable="MeshUnavailable",e.ConnectionFailed="ConnectionFailed",e))(m||{}),n=class extends Error{code;constructor(o,t){super(t),this.name="LiopError",this.code=o;}};var g={claude:{xmlStandard:true,jsonSchemaPreferred:false},openai:{xmlStandard:false,jsonSchemaPreferred:true},gemini:{xmlStandard:false,jsonSchemaPreferred:true}};function _(i){let o=g[i],t=`[LIOP-PROTO-V1: LOGIC-ON-ORIGIN SPECIFICATION]
2
2
  You are interacting with a Logic-Injection-on-Origin Protocol (LIOP) Mesh Network.
3
3
  Unlike standard MCP where you pull context to evaluate it remotely, in LIOP you WRITE code that executes on the data's origin.
4
4
 
package/dist/server.js CHANGED
@@ -1,2 +1,2 @@
1
- export{g as LiopServer,b as NerScanner,d as PII_PATTERNS,e as PII_PRESETS,f as PiiScanner,c as sanitizeOutput}from'./chunk-GD6EOKYV.js';import'./chunk-2MGFSIXN.js';import'./chunk-V5MKJT6S.js';import'./chunk-7I6YJS3C.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=server.js.map
1
+ export{g as LiopServer,b as NerScanner,d as PII_PATTERNS,e as PII_PRESETS,f as PiiScanner,c as sanitizeOutput}from'./chunk-BDQZURCS.js';import'./chunk-2MGFSIXN.js';import'./chunk-V5MKJT6S.js';import'./chunk-7I6YJS3C.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=server.js.map
2
2
  //# sourceMappingURL=server.js.map
package/dist/verifier-Z26UC7M4.js ADDED
@@ -0,0 +1,2 @@
1
+ export{a as LiopVerifier}from'./chunk-SW53FNSN.js';import'./chunk-ANFXJGMP.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=verifier-Z26UC7M4.js.map
2
+ //# sourceMappingURL=verifier-Z26UC7M4.js.map
package/dist/{verifier-6M7GY4TW.js.map → verifier-Z26UC7M4.js.map} RENAMED
@@ -1 +1 @@
1
- {"version":3,"sources":[],"names":[],"mappings":"","file":"verifier-6M7GY4TW.js"}
1
+ {"version":3,"sources":[],"names":[],"mappings":"","file":"verifier-Z26UC7M4.js"}
package/dist/workers/logic-execution.d.ts CHANGED
@@ -1,11 +1,12 @@
1
1
  interface WorkerData {
2
- ciphertext: Uint8Array;
3
- secretKeyObj: ArrayLike<number>;
4
- kyberPublicKey: Uint8Array;
5
- wasmBinary: Uint8Array;
6
- inputs: Record<string, Uint8Array>;
2
+ isWarmup?: boolean;
3
+ ciphertext?: Uint8Array;
4
+ secretKeyObj?: ArrayLike<number>;
5
+ kyberPublicKey?: Uint8Array;
6
+ wasmBinary?: Uint8Array;
7
+ inputs?: Record<string, Uint8Array>;
7
8
  records?: Record<string, unknown>[];
8
- sessionToken: string;
9
+ sessionToken?: string;
9
10
  isEncrypted?: boolean;
10
11
  aesNonce?: Uint8Array;
11
12
  dpConfig?: {
package/dist/workers/logic-execution.js CHANGED
@@ -1,2 +1,2 @@
1
- import {a,b}from'../chunk-C65RM2A3.js';import {a as a$1,b as b$1}from'../chunk-ANFXJGMP.js';import'../chunk-4C666HHU.js';import {Buffer}from'buffer';import g from'crypto';import {createMlKem768}from'mlkem';var C={epsilon:1,sensitivity:1,smallDatasetThreshold:50},I=1,K=10;function V(t,r){let n;do r?n=g.createHash("sha256").update(`${r.seed}:${r.counter++}`).digest().readUInt32BE(0)/4294967296-.5:n=g.randomBytes(4).readUInt32BE(0)/4294967296-.5;while(n===0||n===-0.5);return -t*Math.sign(n)*Math.log(1-2*Math.abs(n))}function G(t,r={},n){let e={...C,...r},a=e.sensitivity/e.epsilon,o=t+V(a,n);return Math.round(o*1e4)/1e4}function R(t,r,n){if(!t)return r;let e=t.toLowerCase(),a=/count|length|size|num|gainer|loser|positive|negative|nan_|null_|empty_|finite_|non_finite_/i.test(e),o=e==="total"||e==="n"||e==="total_records"||e.startsWith("total_")||e.startsWith("num_")||/total.*(count|items|entries|rows|records|tickers)/i.test(e);return a||o?1:/avg|mean|average/.test(e)&&n>0?r/n:r}function M(t,r={},n){let e={...C,...r};if(n>=e.smallDatasetThreshold)return t;n<K&&e.epsilon<I&&(e.epsilon=I);let a;return e.seed&&(a={seed:e.seed,counter:0}),A(t,e,n,void 0,a)}function A(t,r,n,e,a){if(typeof t=="number"&&Number.isFinite(t)){let o=R(e,r.sensitivity,n),u=G(t,{...r,sensitivity:o},a),p=e!=null&&R(e,r.sensitivity,n)===1;return (Number.isInteger(t)||p)&&(u=Math.round(u)),t>=0&&(u=Math.max(0,u)),u}if(Array.isArray(t))return t.map(o=>A(o,r,n,e,a));if(t!==null&&typeof t=="object"){let o={};for(let[u,p]of Object.entries(t))o[u]=A(p,r,n,u,a);return o}return t}async function Q(t){let{ciphertext:r,secretKeyObj:n,wasmBinary:e,inputs:a$2,aesNonce:o,records:u,isEncrypted:p=true,dpConfig:S}=t,s,O={},T=Buffer.alloc(32);if(p){let l=new Uint8Array(n),c=new Uint8Array(r),d=(await createMlKem768()).decap(c,l),f=Buffer.from(d);T=f;let m=Buffer.from(e),k=m.subarray(-16),b=m.subarray(0,-16),w=g.createDecipheriv("aes-256-gcm",f,Buffer.from(o||new Uint8Array(12)));w.setAuthTag(k);let y=w.update(b);y=Buffer.concat([y,w.final()]),s=y;for(let[W,j]of Object.entries(a$2||{})){let D=Buffer.from(j),H=D.subarray(0,12),z=D.subarray(-16),F=D.subarray(12,-16),_=g.createDecipheriv("aes-256-gcm",f,H);_.setAuthTag(z);let v=_.update(F);v=Buffer.concat([v,_.final()]),O[W]=JSON.parse(v.toString("utf-8"));}}else e[0]===0&&e[1]===97&&e[2]===115&&e[3]===109?s=Buffer.from(e):s=Buffer.from(e).toString("utf-8");let U=s[0]===0&&s[1]===97&&s[2]===115&&s[3]===109;if(s instanceof Buffer&&U){let l=new Uint8Array(s),c=await WebAssembly.compile(l);a.analyze(c);}else s instanceof Buffer&&!U&&(s=s.toString("utf-8"));typeof s=="string"&&(s=a$1(s));let x=new b;await x.init();try{let l=await x.execute(s,u,O),c=l.output,h;typeof s=="string"?h=Buffer.from(s,"utf-8"):h=new Uint8Array(s);let d=b$1(h).toString("hex"),f=g.createHash("sha256").update(JSON.stringify(u||[])).digest("hex");S&&(c=M(c,{...S,seed:`${f}:${d}`},u?.length||0));let m=Buffer.from(JSON.stringify({image_id:d,dataset_hash:f,output_hash:g.createHash("sha256").update(typeof c=="string"?c:JSON.stringify(c)).digest("hex"),fuel:l.fuelConsumed,ts:Date.now()})),k=g.createHmac("sha256",T).update(m).digest(),b=Buffer.alloc(2);b.writeUInt16BE(m.length);let y=Buffer.concat([Buffer.from([1]),b,m,k]).toString("base64");return {image_id:d,zk_receipt:y,output:c,fuel_consumed:l.fuelConsumed}}finally{await x.teardown();}}export{Q as default};//# sourceMappingURL=logic-execution.js.map
1
+ import {a,b}from'../chunk-C65RM2A3.js';import {a as a$1,b as b$1}from'../chunk-ANFXJGMP.js';import'../chunk-4C666HHU.js';import {Buffer}from'buffer';import g from'crypto';import {createMlKem768}from'mlkem';var R={epsilon:1,sensitivity:1,smallDatasetThreshold:50},E=1,K=10;function V(t,r){let n;do r?n=g.createHash("sha256").update(`${r.seed}:${r.counter++}`).digest().readUInt32BE(0)/4294967296-.5:n=g.randomBytes(4).readUInt32BE(0)/4294967296-.5;while(n===0||n===-0.5);return -t*Math.sign(n)*Math.log(1-2*Math.abs(n))}function G(t,r={},n){let e={...R,...r},a=e.sensitivity/e.epsilon,o=t+V(a,n);return Math.round(o*1e4)/1e4}function I(t,r,n){if(!t)return r;let e=t.toLowerCase(),a=/count|length|size|num|gainer|loser|positive|negative|nan_|null_|empty_|finite_|non_finite_/i.test(e),o=e==="total"||e==="n"||e==="total_records"||e.startsWith("total_")||e.startsWith("num_")||/total.*(count|items|entries|rows|records|tickers)/i.test(e);return a||o?1:/avg|mean|average/.test(e)&&n>0?r/n:r}function C(t,r={},n){let e={...R,...r};if(n>=e.smallDatasetThreshold)return t;n<K&&e.epsilon<E&&(e.epsilon=E);let a;return e.seed&&(a={seed:e.seed,counter:0}),A(t,e,n,void 0,a)}function A(t,r,n,e,a){if(typeof t=="number"&&Number.isFinite(t)){let o=I(e,r.sensitivity,n),u=G(t,{...r,sensitivity:o},a),p=e!=null&&I(e,r.sensitivity,n)===1;return (Number.isInteger(t)||p)&&(u=Math.round(u)),t>=0&&(u=Math.max(0,u)),u}if(Array.isArray(t))return t.map(o=>A(o,r,n,e,a));if(t!==null&&typeof t=="object"){let o={};for(let[u,p]of Object.entries(t))o[u]=A(p,r,n,u,a);return o}return t}async function Q(t){if(t.isWarmup)return {image_id:"",output:"warm",fuel_consumed:0};let{ciphertext:r,secretKeyObj:n,wasmBinary:e,inputs:a$2,aesNonce:o,records:u,isEncrypted:p=true,dpConfig:S}=t,s,O={},T=Buffer.alloc(32);if(p){let l=new Uint8Array(n),c=new Uint8Array(r),d=(await createMlKem768()).decap(c,l),f=Buffer.from(d);T=f;let m=Buffer.from(e),k=m.subarray(-16),b=m.subarray(0,-16),w=g.createDecipheriv("aes-256-gcm",f,Buffer.from(o||new Uint8Array(12)));w.setAuthTag(k);let y=w.update(b);y=Buffer.concat([y,w.final()]),s=y;for(let[M,j]of Object.entries(a$2||{})){let D=Buffer.from(j),H=D.subarray(0,12),z=D.subarray(-16),F=D.subarray(12,-16),_=g.createDecipheriv("aes-256-gcm",f,H);_.setAuthTag(z);let v=_.update(F);v=Buffer.concat([v,_.final()]),O[M]=JSON.parse(v.toString("utf-8"));}}else e[0]===0&&e[1]===97&&e[2]===115&&e[3]===109?s=Buffer.from(e):s=Buffer.from(e).toString("utf-8");let U=s[0]===0&&s[1]===97&&s[2]===115&&s[3]===109;if(s instanceof Buffer&&U){let l=new Uint8Array(s),c=await WebAssembly.compile(l);a.analyze(c);}else s instanceof Buffer&&!U&&(s=s.toString("utf-8"));typeof s=="string"&&(s=a$1(s));let x=new b;await x.init();try{let l=await x.execute(s,u,O),c=l.output,h;typeof s=="string"?h=Buffer.from(s,"utf-8"):h=new Uint8Array(s);let d=b$1(h).toString("hex"),f=g.createHash("sha256").update(JSON.stringify(u||[])).digest("hex");S&&(c=C(c,{...S,seed:`${f}:${d}`},u?.length||0));let m=Buffer.from(JSON.stringify({image_id:d,dataset_hash:f,output_hash:g.createHash("sha256").update(typeof c=="string"?c:JSON.stringify(c)).digest("hex"),fuel:l.fuelConsumed,ts:Date.now()})),k=g.createHmac("sha256",T).update(m).digest(),b=Buffer.alloc(2);b.writeUInt16BE(m.length);let y=Buffer.concat([Buffer.from([1]),b,m,k]).toString("base64");return {image_id:d,zk_receipt:y,output:c,fuel_consumed:l.fuelConsumed}}finally{await x.teardown();}}export{Q as default};//# sourceMappingURL=logic-execution.js.map
2
2
  //# sourceMappingURL=logic-execution.js.map
package/dist/workers/logic-execution.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/security/dp-engine.ts","../../src/workers/logic-execution.ts"],"names":["DEFAULT_DP_CONFIG","EPSILON_FLOOR","EPSILON_FLOOR_THRESHOLD","laplaceSample","scale","prngState","u","crypto","addLaplaceNoise","value","config","merged","noisyValue","deriveFieldSensitivity","key","globalSensitivity","recordCount","lk","isCountWord","isTotalCount","applyDpToOutput","output","walkAndNoise","node","currentKey","fieldSensitivity","isCountKey","item","result","processLogicExecution","data","ciphertext","secretKeyObj","wasmBinary","inputs","aesNonce","records","isEncrypted","dpConfig","decryptedPayload","decryptedInputs","sessionSecret","Buffer","sk","ct","sharedSecret","createMlKem768","aesKey","wasmBuffer","authTag","encryptedData","decipher","decrypted","encValue","valBuffer","inputNonce","valTag","valData","valDecipher","valDecrypted","isWasm","wasmBytes","compiledModule","ASTGuardian","normalizeLogicSource","sandbox","WasiSandbox","finalOutput","logicBytes","imageId","deriveLogicImageDigest","datasetHash","journal","seal","journalLen","zkReceipt"],"mappings":"8MAqDA,IAAMA,CAAAA,CAA8B,CACnC,QAAS,CAAA,CACT,WAAA,CAAa,CAAA,CACb,qBAAA,CAAuB,EACxB,CAAA,CAOMC,EAAgB,CAAA,CAChBC,CAAAA,CAA0B,GAyBhC,SAASC,CAAAA,CAAcC,EAAeC,CAAAA,CAA+B,CACpE,IAAIC,CAAAA,CACJ,GACKD,EAMHC,CAAAA,CALaC,CAAAA,CACX,WAAW,QAAQ,CAAA,CACnB,OAAO,CAAA,EAAGF,CAAAA,CAAU,IAAI,CAAA,CAAA,EAAIA,CAAAA,CAAU,OAAA,EAAS,EAAE,CAAA,CACjD,MAAA,GAEO,YAAA,CAAa,CAAC,EAAI,UAAA,CAAc,EAAA,CAGzCC,EADYC,CAAAA,CAAO,WAAA,CAAY,CAAC,CAAA,CACxB,YAAA,CAAa,CAAC,CAAA,CAAI,UAAA,CAAc,SAEjCD,CAAAA,GAAM,CAAA,EAAKA,CAAAA,GAAM,IAAA,EAC1B,OAAO,CAACF,EAAQ,IAAA,CAAK,IAAA,CAAKE,CAAC,CAAA,CAAI,IAAA,CAAK,IAAI,CAAA,CAAI,CAAA,CAAI,KAAK,GAAA,CAAIA,CAAC,CAAC,CAC5D,CAUO,SAASE,CAAAA,CACfC,CAAAA,CACAC,EAA4B,EAAC,CAC7BL,CAAAA,CACS,CACT,IAAMM,CAAAA,CAAS,CAAE,GAAGX,CAAAA,CAAmB,GAAGU,CAAO,CAAA,CAC3CN,EAAQO,CAAAA,CAAO,WAAA,CAAcA,EAAO,OAAA,CACpCC,CAAAA,CAAaH,EAAQN,CAAAA,CAAcC,CAAAA,CAAOC,CAAS,CAAA,CAGzD,OAAO,KAAK,KAAA,CAAMO,CAAAA,CAAa,GAAK,CAAA,CAAI,GACzC,CAmBA,SAASC,CAAAA,CACRC,CAAAA,CACAC,EACAC,CAAAA,CACS,CACT,GAAI,CAACF,CAAAA,CAAK,OAAOC,CAAAA,CAEjB,IAAME,EAAKH,CAAAA,CAAI,WAAA,GAOTI,CAAAA,CACL,6FAAA,CAA8F,KAC7FD,CACD,CAAA,CACKE,CAAAA,CACLF,CAAAA,GAAO,OAAA,EACPA,CAAAA,GAAO,KACPA,CAAAA,GAAO,eAAA,EACPA,EAAG,UAAA,CAAW,QAAQ,GACtBA,CAAAA,CAAG,UAAA,CAAW,MAAM,CAAA,EACpB,oDAAA,CAAqD,KAAKA,CAAE,CAAA,CAC7D,OAAIC,CAAAA,EAAeC,CAAAA,CAAqB,EAGpC,kBAAA,CAAmB,IAAA,CAAKF,CAAE,CAAA,EAAKD,CAAAA,CAAc,CAAA,CACzCD,EAAoBC,CAAAA,CAIrBD,CACR,CAkBO,SAASK,CAAAA,CACfC,EACAX,CAAAA,CAA4B,GAC5BM,CAAAA,CACU,CACV,IAAML,CAAAA,CAAS,CAAE,GAAGX,CAAAA,CAAmB,GAAGU,CAAO,CAAA,CAGjD,GAAIM,CAAAA,EAAeL,CAAAA,CAAO,qBAAA,CACzB,OAAOU,EAOJL,CAAAA,CAAcd,CAAAA,EAA2BS,EAAO,OAAA,CAAUV,CAAAA,GAC7DU,EAAO,OAAA,CAAUV,CAAAA,CAAAA,CAGlB,IAAII,CAAAA,CACJ,OAAIM,EAAO,IAAA,GACVN,CAAAA,CAAY,CAAE,IAAA,CAAMM,CAAAA,CAAO,KAAM,OAAA,CAAS,CAAE,CAAA,CAAA,CAGtCW,CAAAA,CAAaD,CAAAA,CAAQV,CAAAA,CAAQK,EAAa,MAAA,CAAWX,CAAS,CACtE,CASA,SAASiB,EACRC,CAAAA,CACAb,CAAAA,CACAM,EACAQ,CAAAA,CACAnB,CAAAA,CACU,CACV,GAAI,OAAOkB,GAAS,QAAA,EAAY,MAAA,CAAO,SAASA,CAAI,CAAA,CAAG,CAEtD,IAAME,CAAAA,CAAmBZ,CAAAA,CACxBW,EACAd,CAAAA,CAAO,WAAA,CACPM,CACD,CAAA,CACIJ,CAAAA,CAAaJ,EAChBe,CAAAA,CACA,CACC,GAAGb,CAAAA,CACH,WAAA,CAAae,CACd,CAAA,CACApB,CACD,EAIMqB,CAAAA,CACLF,CAAAA,EAAc,MACdX,CAAAA,CAAuBW,CAAAA,CAAYd,CAAAA,CAAO,WAAA,CAAaM,CAAW,CAAA,GAAM,EAIzE,OAAA,CAAI,MAAA,CAAO,UAAUO,CAAI,CAAA,EAAKG,KAC7Bd,CAAAA,CAAa,IAAA,CAAK,MAAMA,CAAU,CAAA,CAAA,CAK/BW,GAAQ,CAAA,GACXX,CAAAA,CAAa,KAAK,GAAA,CAAI,CAAA,CAAGA,CAAU,CAAA,CAAA,CAG7BA,CACR,CAEA,GAAI,KAAA,CAAM,OAAA,CAAQW,CAAI,CAAA,CAErB,OAAOA,EAAK,GAAA,CAAKI,CAAAA,EAChBL,EAAaK,CAAAA,CAAMjB,CAAAA,CAAQM,EAAaQ,CAAAA,CAAYnB,CAAS,CAC9D,CAAA,CAGD,GAAIkB,IAAS,IAAA,EAAQ,OAAOA,GAAS,QAAA,CAAU,CAC9C,IAAMK,CAAAA,CAAkC,EAAC,CACzC,OAAW,CAACd,CAAAA,CAAKL,CAAK,CAAA,GAAK,MAAA,CAAO,QACjCc,CACD,CAAA,CACCK,EAAOd,CAAG,CAAA,CAAIQ,EAAab,CAAAA,CAAOC,CAAAA,CAAQM,EAAaF,CAAAA,CAAKT,CAAS,EAEtE,OAAOuB,CACR,CAGA,OAAOL,CACR,CC5QA,eAAOM,CAAAA,CAA6CC,CAAAA,CAKjD,CACF,GAAM,CACL,WAAAC,CAAAA,CACA,YAAA,CAAAC,EACA,UAAA,CAAAC,CAAAA,CACA,OAAAC,GAAAA,CACA,QAAA,CAAAC,EACA,OAAA,CAAAC,CAAAA,CACA,YAAAC,CAAAA,CAAc,IAAA,CACd,QAAA,CAAAC,CACD,CAAA,CAAIR,CAAAA,CAEAS,EACEC,CAAAA,CAA2C,GAC7CC,CAAAA,CAAgBC,MAAAA,CAAO,MAAM,EAAE,CAAA,CAEnC,GAAIL,CAAAA,CAAa,CAEhB,IAAMM,EAAK,IAAI,UAAA,CAAWX,CAAY,CAAA,CAChCY,CAAAA,CAAK,IAAI,UAAA,CAAWb,CAAU,CAAA,CAE9Bc,CAAAA,CAAAA,CADM,MAAMC,cAAAA,IACO,KAAA,CAAMF,CAAAA,CAAID,CAAE,CAAA,CAC/BI,CAAAA,CAASL,OAAO,IAAA,CAAKG,CAAY,EACvCJ,CAAAA,CAAgBM,CAAAA,CAIhB,IAAMC,CAAAA,CAAaN,MAAAA,CAAO,KAAKT,CAAU,CAAA,CACnCgB,EAAUD,CAAAA,CAAW,QAAA,CAAS,GAAG,CAAA,CACjCE,CAAAA,CAAgBF,CAAAA,CAAW,SAAS,CAAA,CAAG,GAAG,EAE1CG,CAAAA,CAAW5C,CAAAA,CAAO,iBACvB,aAAA,CACAwC,CAAAA,CACAL,OAAO,IAAA,CAAKP,CAAAA,EAAY,IAAI,UAAA,CAAW,EAAE,CAAC,CAC3C,CAAA,CACAgB,EAAS,UAAA,CAAWF,CAAO,CAAA,CAC3B,IAAIG,CAAAA,CAAYD,CAAAA,CAAS,OAAOD,CAAa,CAAA,CAC7CE,EAAYV,MAAAA,CAAO,MAAA,CAAO,CAACU,CAAAA,CAAWD,CAAAA,CAAS,OAAO,CAAC,EACvDZ,CAAAA,CAAmBa,CAAAA,CAGnB,OAAW,CAACtC,CAAAA,CAAKuC,CAAQ,CAAA,GAAK,MAAA,CAAO,OAAA,CAAQnB,GAAAA,EAAU,EAAE,EAAG,CAC3D,IAAMoB,EAAYZ,MAAAA,CAAO,IAAA,CAAKW,CAAQ,CAAA,CAEhCE,CAAAA,CAAaD,EAAU,QAAA,CAAS,CAAA,CAAG,EAAE,CAAA,CACrCE,CAAAA,CAASF,EAAU,QAAA,CAAS,GAAG,EAC/BG,CAAAA,CAAUH,CAAAA,CAAU,QAAA,CAAS,EAAA,CAAI,GAAG,CAAA,CAEpCI,EAAcnD,CAAAA,CAAO,gBAAA,CAC1B,cACAwC,CAAAA,CACAQ,CACD,EACAG,CAAAA,CAAY,UAAA,CAAWF,CAAM,CAAA,CAC7B,IAAIG,EAAeD,CAAAA,CAAY,MAAA,CAAOD,CAAO,CAAA,CAC7CE,CAAAA,CAAejB,OAAO,MAAA,CAAO,CAACiB,CAAAA,CAAcD,CAAAA,CAAY,KAAA,EAAO,CAAC,CAAA,CAChElB,CAAAA,CAAgB1B,CAAG,CAAA,CAAI,IAAA,CAAK,MAAM6C,CAAAA,CAAa,QAAA,CAAS,OAAO,CAAC,EACjE,CACD,CAAA,KAIE1B,CAAAA,CAAW,CAAC,CAAA,GAAM,CAAA,EAClBA,EAAW,CAAC,CAAA,GAAM,EAAA,EAClBA,CAAAA,CAAW,CAAC,CAAA,GAAM,KAClBA,CAAAA,CAAW,CAAC,IAAM,GAAA,CAElBM,CAAAA,CAAmBG,OAAO,IAAA,CAAKT,CAAU,EAEzCM,CAAAA,CAAmBG,MAAAA,CAAO,KAAKT,CAAU,CAAA,CAAE,SAAS,OAAO,CAAA,CAK7D,IAAM2B,CAAAA,CACLrB,CAAAA,CAAiB,CAAC,CAAA,GAAM,CAAA,EACxBA,CAAAA,CAAiB,CAAC,CAAA,GAAM,EAAA,EACxBA,EAAiB,CAAC,CAAA,GAAM,KACxBA,CAAAA,CAAiB,CAAC,CAAA,GAAM,GAAA,CAEzB,GAAIA,CAAAA,YAA4BG,QAAUkB,CAAAA,CAAQ,CAEjD,IAAMC,CAAAA,CAAY,IAAI,WAAWtB,CAAgB,CAAA,CAC3CuB,CAAAA,CAAiB,MAAM,WAAA,CAAY,OAAA,CAAQD,CAAS,CAAA,CAC1DE,CAAAA,CAAY,QAAQD,CAAc,EACnC,MAAWvB,CAAAA,YAA4BG,MAAAA,EAAU,CAACkB,CAAAA,GACjDrB,CAAAA,CAAmBA,EAAiB,QAAA,CAAS,OAAO,GAIjD,OAAOA,CAAAA,EAAqB,WAC/BA,CAAAA,CAAmByB,GAAAA,CAAqBzB,CAAgB,CAAA,CAAA,CAIzD,IAAM0B,CAAAA,CAAU,IAAIC,CAAAA,CACpB,MAAMD,EAAQ,IAAA,EAAK,CAEnB,GAAI,CACH,IAAMrC,EAAS,MAAMqC,CAAAA,CAAQ,QAC5B1B,CAAAA,CACAH,CAAAA,CACAI,CACD,CAAA,CAEI2B,CAAAA,CAAcvC,EAAO,MAAA,CAGrBwC,CAAAA,CACA,OAAO7B,CAAAA,EAAqB,QAAA,CAC/B6B,CAAAA,CAAa1B,OAAO,IAAA,CAAKH,CAAAA,CAAkB,OAAO,CAAA,CAElD6B,CAAAA,CAAa,IAAI,UAAA,CAAW7B,CAAgB,EAE7C,IAAM8B,CAAAA,CAAUC,IAAuBF,CAAU,CAAA,CAAE,SAAS,KAAK,CAAA,CAK3DG,EAAchE,CAAAA,CAClB,UAAA,CAAW,QAAQ,CAAA,CACnB,MAAA,CAAO,IAAA,CAAK,UAAU6B,CAAAA,EAAW,EAAE,CAAC,CAAA,CACpC,OAAO,KAAK,CAAA,CAGVE,IACH6B,CAAAA,CAAc/C,CAAAA,CACb+C,EACA,CACC,GAAG7B,EACH,IAAA,CAAM,CAAA,EAAGiC,CAAW,CAAA,CAAA,EAAIF,CAAO,CAAA,CAChC,CAAA,CACAjC,CAAAA,EAAS,MAAA,EAAU,CACpB,CAAA,CAAA,CAKD,IAAMoC,EAAU9B,MAAAA,CAAO,IAAA,CACtB,KAAK,SAAA,CAAU,CACd,SAAU2B,CAAAA,CACV,YAAA,CAAcE,EACd,WAAA,CAAahE,CAAAA,CACX,WAAW,QAAQ,CAAA,CACnB,OACA,OAAO4D,CAAAA,EAAgB,QAAA,CACpBA,CAAAA,CACA,IAAA,CAAK,SAAA,CAAUA,CAAW,CAC9B,CAAA,CACC,OAAO,KAAK,CAAA,CACd,KAAMvC,CAAAA,CAAO,YAAA,CACb,GAAI,IAAA,CAAK,GAAA,EACV,CAAC,CACF,EAEM6C,CAAAA,CAAOlE,CAAAA,CACX,WAAW,QAAA,CAAUkC,CAAa,CAAA,CAClC,MAAA,CAAO+B,CAAO,CAAA,CACd,QAAO,CACHE,CAAAA,CAAahC,OAAO,KAAA,CAAM,CAAC,EACjCgC,CAAAA,CAAW,aAAA,CAAcF,EAAQ,MAAM,CAAA,CAOvC,IAAMG,CAAAA,CANajC,MAAAA,CAAO,OAAO,CAChCA,MAAAA,CAAO,KAAK,CAAC,CAAI,CAAC,CAAA,CAClBgC,CAAAA,CACAF,CAAAA,CACAC,CACD,CAAC,CAAA,CAC4B,SAAS,QAAQ,CAAA,CAE9C,OAAO,CACN,QAAA,CAAUJ,CAAAA,CACV,UAAA,CAAYM,CAAAA,CACZ,MAAA,CAAQR,EACR,aAAA,CAAevC,CAAAA,CAAO,YACvB,CACD,CAAA,OAAE,CACD,MAAMqC,CAAAA,CAAQ,QAAA,GACf,CACD","file":"logic-execution.js","sourcesContent":["/**\n * LIOP Differential Privacy Engine — Laplace Mechanism (NIST SP 800-226)\n *\n * Applies calibrated Laplace noise to numeric query outputs,\n * providing ε-differential privacy guarantees against differencing\n * and binary search attacks (F-01, F-02 from security audit).\n *\n * Key design decisions (Phase 110 — Industrial Recalibration):\n * 1. CSPRNG: Uses crypto.randomBytes() instead of Math.random()\n * to prevent state-reconstruction attacks on the noise generator.\n * 2. Query-Aware Sensitivity: COUNT keys get sensitivity=1,\n * AVG keys get sensitivity/n, SUM keys use global config.\n * 3. Epsilon Floor: Auto-enforce ε≥1.0 for datasets with n<10\n * to prevent catastrophic utility destruction.\n *\n * Reference: Dwork & Roth 2014, \"The Algorithmic Foundations of Differential Privacy\"\n * Standards: NIST SP 800-226, Google DP Library, US Census TopDown, Apple iOS DP\n * Industry precedent: Apple (ε=2.0 Health, ε=8.0 Keyboard), US Census (ε=1.0–4.0)\n */\n\nimport crypto from \"node:crypto\";\n\n// ── Public Configuration ─────────────────────────────────────────────\n\nexport interface DpConfig {\n\t/**\n\t * Privacy budget per query (default: 1.0).\n\t * Lower = stronger privacy + more noise. Higher = weaker privacy + less noise.\n\t * Industry standard: Apple iOS Health uses ε=2.0, US Census uses ε=1.0–4.0.\n\t */\n\tepsilon: number;\n\t/**\n\t * Max change in output when one record is added/removed.\n\t * For SUM queries: set to the max plausible value of the field.\n\t * For COUNT queries: the engine automatically overrides to 1.\n\t * For AVG queries: the engine automatically divides by recordCount.\n\t * Default: 1.0 (appropriate for counts and ratios).\n\t */\n\tsensitivity: number;\n\t/**\n\t * Only apply DP noise when dataset size is below this threshold.\n\t * Large datasets have natural statistical privacy (k-anonymity).\n\t * Default: 50 (aligned with HIPAA Safe Harbor minimum).\n\t */\n\tsmallDatasetThreshold: number;\n\t/**\n\t * Optional deterministic seed (e.g., datasetHash + imageId).\n\t * Enables Deterministic Differential Privacy (DDP) for audit modes,\n\t * ensuring perfectly reproducible ZK-Receipts while preserving DP.\n\t */\n\tseed?: string;\n}\n\nconst DEFAULT_DP_CONFIG: DpConfig = {\n\tepsilon: 1.0,\n\tsensitivity: 1.0,\n\tsmallDatasetThreshold: 50,\n};\n\n/**\n * Minimum epsilon enforced for very small datasets (n < 10).\n * Apple's most sensitive category (Health Data) uses ε=2.0 on millions of records.\n * Using ε<1.0 on datasets with <10 records destroys utility completely.\n */\nconst EPSILON_FLOOR = 1.0;\nconst EPSILON_FLOOR_THRESHOLD = 10;\n\n// ── Core Laplace Mechanism ───────────────────────────────────────────\n\nexport interface PrngState {\n\tseed: string;\n\tcounter: number;\n}\n\n/**\n * Generates a sample from the Laplace(0, scale) distribution\n * using inverse CDF sampling with a CSPRNG source.\n *\n * SECURITY: Uses crypto.randomBytes() (OS-level entropy pool) instead of\n * Math.random() (Xorshift128+ PRNG). This prevents state-reconstruction\n * attacks where an adversary observing 3-5 noisy outputs could predict\n * all future noise values and strip the DP protection entirely.\n *\n * Deterministic Audit Mode: If prngState is provided, derives cryptographic\n * entropy using SHA-256 over the seed and an auto-incrementing counter,\n * guaranteeing ZK-Receipt determinism while retaining mathematical privacy.\n *\n * Reference: NIST SP 800-226 §3.2 — \"Implementations must use a CSPRNG\n * for noise generation to maintain the mathematical privacy guarantee.\"\n */\nfunction laplaceSample(scale: number, prngState?: PrngState): number {\n\tlet u: number;\n\tdo {\n\t\tif (prngState) {\n\t\t\tconst hash = crypto\n\t\t\t\t.createHash(\"sha256\")\n\t\t\t\t.update(`${prngState.seed}:${prngState.counter++}`)\n\t\t\t\t.digest();\n\t\t\t// 4 bytes → Uint32 → uniform float in (-0.5, 0.5)\n\t\t\tu = hash.readUInt32BE(0) / 0x100000000 - 0.5;\n\t\t} else {\n\t\t\tconst buf = crypto.randomBytes(4);\n\t\t\tu = buf.readUInt32BE(0) / 0x100000000 - 0.5;\n\t\t}\n\t} while (u === 0 || u === -0.5); // Ensure no exactly 0 or -0.5 for log domain\n\treturn -scale * Math.sign(u) * Math.log(1 - 2 * Math.abs(u));\n}\n\n/**\n * Applies Laplace noise to a single numeric value.\n *\n * @param value - The true computed result\n * @param config - DP configuration (epsilon, sensitivity, seed)\n * @param prngState - Optional state tracking for deterministic sampling\n * @returns Noisy value with ε-differential privacy guarantee\n */\nexport function addLaplaceNoise(\n\tvalue: number,\n\tconfig: Partial<DpConfig> = {},\n\tprngState?: PrngState,\n): number {\n\tconst merged = { ...DEFAULT_DP_CONFIG, ...config };\n\tconst scale = merged.sensitivity / merged.epsilon;\n\tconst noisyValue = value + laplaceSample(scale, prngState);\n\t// Round to 4 decimal places to prevent long random digit strings\n\t// from triggering regex-based PII egress filters (e.g. phone numbers)\n\treturn Math.round(noisyValue * 10000) / 10000;\n}\n\n// ── Query-Aware Sensitivity ─────────────────────────────────────────\n\n/**\n * Derives field-level sensitivity based on key name semantics.\n *\n * This follows Google DP's architectural separation of CountParams,\n * SumParams, and MeanParams — each with independent sensitivity.\n *\n * Axioms (Dwork & Roth 2014):\n * - COUNT: Adding/removing one record changes count by at most 1.\n * - SUM: Adding/removing one record changes sum by at most max_value.\n * - AVG: Sensitivity = max_value / n (bounded contribution).\n *\n * @param key - Output field name (e.g., \"count\", \"avg_balance\", \"totalRevenue\")\n * @param globalSensitivity - Operator-configured max change per record\n * @param recordCount - Dataset size for average normalization\n */\nfunction deriveFieldSensitivity(\n\tkey: string | undefined,\n\tglobalSensitivity: number,\n\trecordCount: number,\n): number {\n\tif (!key) return globalSensitivity;\n\n\tconst lk = key.toLowerCase();\n\n\t// COUNT queries: sensitivity is ALWAYS 1 (fundamental DP axiom)\n\t// Match unambiguous count words: count, length, size, num (anywhere in key),\n\t// as well as common filter prefixes used in audits (nan_, negative_, positive_, null_, empty_, finite_, non_finite_).\n\t// \"total\" is ambiguous (\"totalRevenue\" = SUM, \"total\" or \"total_records\" = COUNT).\n\t// Only treat \"total\" as count when it IS the key or ends with a count suffix.\n\tconst isCountWord =\n\t\t/count|length|size|num|gainer|loser|positive|negative|nan_|null_|empty_|finite_|non_finite_/i.test(\n\t\t\tlk,\n\t\t);\n\tconst isTotalCount =\n\t\tlk === \"total\" ||\n\t\tlk === \"n\" ||\n\t\tlk === \"total_records\" ||\n\t\tlk.startsWith(\"total_\") || // Catch total_tickers, total_users\n\t\tlk.startsWith(\"num_\") || // Catch num_records, num_ticks\n\t\t/total.*(count|items|entries|rows|records|tickers)/i.test(lk);\n\tif (isCountWord || isTotalCount) return 1;\n\n\t// AVERAGE queries: sensitivity = globalSensitivity / n\n\tif (/avg|mean|average/.test(lk) && recordCount > 0) {\n\t\treturn globalSensitivity / recordCount;\n\t}\n\n\t// SUM / unknown: use operator-configured sensitivity\n\treturn globalSensitivity;\n}\n\n// ── Output Walker ────────────────────────────────────────────────────\n\n/**\n * Recursively walks a JSON output object and applies Laplace noise\n * to all finite numeric leaf values. Non-numeric values (strings,\n * booleans, null) are preserved unchanged.\n *\n * IMPORTANT: This function NEVER mutates the input object.\n * It always returns a new object tree, preserving data integrity\n * of the original sandbox output for ZK-Receipt verification.\n *\n * @param output - The sandbox computation result\n * @param config - DP configuration (epsilon, sensitivity, threshold)\n * @param recordCount - Source dataset size (noise only if < threshold)\n * @returns New object with noisy numeric values (never mutates input)\n */\nexport function applyDpToOutput(\n\toutput: unknown,\n\tconfig: Partial<DpConfig> = {},\n\trecordCount: number,\n): unknown {\n\tconst merged = { ...DEFAULT_DP_CONFIG, ...config };\n\n\t// Large datasets have natural statistical privacy — skip noise\n\tif (recordCount >= merged.smallDatasetThreshold) {\n\t\treturn output;\n\t}\n\n\t// NIST SP 800-226: For very small datasets, enforce minimum epsilon\n\t// to prevent catastrophic utility destruction. Apple uses ε≥2.0 even\n\t// for health data on millions of records; using ε<1.0 on n<10 is\n\t// mathematically equivalent to random number generation.\n\tif (recordCount < EPSILON_FLOOR_THRESHOLD && merged.epsilon < EPSILON_FLOOR) {\n\t\tmerged.epsilon = EPSILON_FLOOR;\n\t}\n\n\tlet prngState: PrngState | undefined;\n\tif (merged.seed) {\n\t\tprngState = { seed: merged.seed, counter: 0 };\n\t}\n\n\treturn walkAndNoise(output, merged, recordCount, undefined, prngState);\n}\n\n/**\n * Internal recursive walker that applies noise to numeric leaves.\n * Handles: numbers, arrays, objects (arbitrary nesting depth).\n *\n * Uses query-aware sensitivity: COUNT keys → sensitivity=1,\n * AVG keys → sensitivity/n, SUM/unknown → global sensitivity.\n */\nfunction walkAndNoise(\n\tnode: unknown,\n\tconfig: DpConfig,\n\trecordCount: number,\n\tcurrentKey?: string,\n\tprngState?: PrngState,\n): unknown {\n\tif (typeof node === \"number\" && Number.isFinite(node)) {\n\t\t// Query-aware sensitivity per Google DP / NIST SP 800-226\n\t\tconst fieldSensitivity = deriveFieldSensitivity(\n\t\t\tcurrentKey,\n\t\t\tconfig.sensitivity,\n\t\t\trecordCount,\n\t\t);\n\t\tlet noisyValue = addLaplaceNoise(\n\t\t\tnode,\n\t\t\t{\n\t\t\t\t...config,\n\t\t\t\tsensitivity: fieldSensitivity,\n\t\t\t},\n\t\t\tprngState,\n\t\t);\n\n\t\t// Semantic heuristics to preserve structural invariants:\n\t\t// Reuse the same count-key detection logic as deriveFieldSensitivity\n\t\tconst isCountKey =\n\t\t\tcurrentKey != null &&\n\t\t\tderiveFieldSensitivity(currentKey, config.sensitivity, recordCount) === 1;\n\n\t\t// If original was an integer OR key suggests a count, force integer\n\t\t// (US Census TopDown: all counts must be non-negative integers)\n\t\tif (Number.isInteger(node) || isCountKey) {\n\t\t\tnoisyValue = Math.round(noisyValue);\n\t\t}\n\n\t\t// If original was non-negative, clamp to 0\n\t\t// (US Census TopDown: enforces non-negative constraint in post-processing)\n\t\tif (node >= 0) {\n\t\t\tnoisyValue = Math.max(0, noisyValue);\n\t\t}\n\n\t\treturn noisyValue;\n\t}\n\n\tif (Array.isArray(node)) {\n\t\t// Pass currentKey down for array items so they inherit semantics\n\t\treturn node.map((item) =>\n\t\t\twalkAndNoise(item, config, recordCount, currentKey, prngState),\n\t\t);\n\t}\n\n\tif (node !== null && typeof node === \"object\") {\n\t\tconst result: Record<string, unknown> = {};\n\t\tfor (const [key, value] of Object.entries(\n\t\t\tnode as Record<string, unknown>,\n\t\t)) {\n\t\t\tresult[key] = walkAndNoise(value, config, recordCount, key, prngState);\n\t\t}\n\t\treturn result;\n\t}\n\n\t// Strings, booleans, null — pass through unchanged\n\treturn node;\n}\n","import { Buffer } from \"node:buffer\";\nimport crypto from \"node:crypto\";\nimport { createMlKem768 } from \"mlkem\";\nimport {\n\tderiveLogicImageDigest,\n\tnormalizeLogicSource,\n} from \"../crypto/logic-image-id.js\";\nimport { ASTGuardian } from \"../sandbox/guardian.js\";\nimport { WasiSandbox } from \"../sandbox/wasi.js\";\nimport { applyDpToOutput } from \"../security/dp-engine.js\";\n\nexport interface WorkerData {\n\tciphertext: Uint8Array;\n\tsecretKeyObj: ArrayLike<number>;\n\tkyberPublicKey: Uint8Array;\n\twasmBinary: Uint8Array; // Can also be JS code in non-encrypted mode\n\tinputs: Record<string, Uint8Array>;\n\trecords?: Record<string, unknown>[];\n\tsessionToken: string;\n\tisEncrypted?: boolean;\n\taesNonce?: Uint8Array;\n\tdpConfig?: {\n\t\tepsilon: number;\n\t\tsensitivity: number;\n\t\tsmallDatasetThreshold: number;\n\t};\n}\n\nexport default async function processLogicExecution(data: WorkerData): Promise<{\n\timage_id: string;\n\toutput: unknown;\n\tfuel_consumed: number;\n\tzk_receipt?: string;\n}> {\n\tconst {\n\t\tciphertext,\n\t\tsecretKeyObj,\n\t\twasmBinary,\n\t\tinputs,\n\t\taesNonce,\n\t\trecords,\n\t\tisEncrypted = true,\n\t\tdpConfig,\n\t} = data;\n\n\tlet decryptedPayload: Buffer | string;\n\tconst decryptedInputs: Record<string, unknown> = {};\n\tlet sessionSecret = Buffer.alloc(32); // Fallback if plain text (no PQC)\n\n\tif (isEncrypted) {\n\t\t// 1. Decapsulate Kyber secret\n\t\tconst sk = new Uint8Array(secretKeyObj);\n\t\tconst ct = new Uint8Array(ciphertext);\n\t\tconst kem = await createMlKem768();\n\t\tconst sharedSecret = kem.decap(ct, sk);\n\t\tconst aesKey = Buffer.from(sharedSecret);\n\t\tsessionSecret = aesKey;\n\n\t\t// 2. Decrypt Main Payload (WASM/JS Code)\n\t\t// LIOP Serialization: Ciphertext = EncryptedData + 16-byte AuthTag\n\t\tconst wasmBuffer = Buffer.from(wasmBinary);\n\t\tconst authTag = wasmBuffer.subarray(-16);\n\t\tconst encryptedData = wasmBuffer.subarray(0, -16);\n\n\t\tconst decipher = crypto.createDecipheriv(\n\t\t\t\"aes-256-gcm\",\n\t\t\taesKey,\n\t\t\tBuffer.from(aesNonce || new Uint8Array(12)),\n\t\t);\n\t\tdecipher.setAuthTag(authTag);\n\t\tlet decrypted = decipher.update(encryptedData);\n\t\tdecrypted = Buffer.concat([decrypted, decipher.final()]);\n\t\tdecryptedPayload = decrypted;\n\n\t\t// 3. Decrypt Inputs\n\t\tfor (const [key, encValue] of Object.entries(inputs || {})) {\n\t\t\tconst valBuffer = Buffer.from(encValue);\n\t\t\t// Extract 12-byte prepended nonce, ciphertext, and 16-byte AuthTag\n\t\t\tconst inputNonce = valBuffer.subarray(0, 12);\n\t\t\tconst valTag = valBuffer.subarray(-16);\n\t\t\tconst valData = valBuffer.subarray(12, -16);\n\n\t\t\tconst valDecipher = crypto.createDecipheriv(\n\t\t\t\t\"aes-256-gcm\",\n\t\t\t\taesKey,\n\t\t\t\tinputNonce,\n\t\t\t);\n\t\t\tvalDecipher.setAuthTag(valTag);\n\t\t\tlet valDecrypted = valDecipher.update(valData);\n\t\t\tvalDecrypted = Buffer.concat([valDecrypted, valDecipher.final()]);\n\t\t\tdecryptedInputs[key] = JSON.parse(valDecrypted.toString(\"utf-8\"));\n\t\t}\n\t} else {\n\t\t// Transparent mode: payload is provided directly\n\t\t// If it's WASM (Magic bytes: \\0asm), keep as Buffer\n\t\tif (\n\t\t\twasmBinary[0] === 0x00 &&\n\t\t\twasmBinary[1] === 0x61 &&\n\t\t\twasmBinary[2] === 0x73 &&\n\t\t\twasmBinary[3] === 0x6d\n\t\t) {\n\t\t\tdecryptedPayload = Buffer.from(wasmBinary);\n\t\t} else {\n\t\t\tdecryptedPayload = Buffer.from(wasmBinary).toString(\"utf-8\");\n\t\t}\n\t}\n\n\t// 3. Inspect AST with Guardian-TS (if WASM)\n\tconst isWasm =\n\t\tdecryptedPayload[0] === 0x00 &&\n\t\tdecryptedPayload[1] === 0x61 &&\n\t\tdecryptedPayload[2] === 0x73 &&\n\t\tdecryptedPayload[3] === 0x6d;\n\n\tif (decryptedPayload instanceof Buffer && isWasm) {\n\t\t// Ensure we pass a compatible BufferSource\n\t\tconst wasmBytes = new Uint8Array(decryptedPayload);\n\t\tconst compiledModule = await WebAssembly.compile(wasmBytes);\n\t\tASTGuardian.analyze(compiledModule);\n\t} else if (decryptedPayload instanceof Buffer && !isWasm) {\n\t\tdecryptedPayload = decryptedPayload.toString(\"utf-8\");\n\t}\n\n\t// Strip only a whole-document LIOP envelope (see logic-image-id.ts).\n\tif (typeof decryptedPayload === \"string\") {\n\t\tdecryptedPayload = normalizeLogicSource(decryptedPayload);\n\t}\n\n\t// 4. Instantiate and Execute WASI Sandbox (or V8 Fallback)\n\tconst sandbox = new WasiSandbox();\n\tawait sandbox.init();\n\n\ttry {\n\t\tconst result = await sandbox.execute(\n\t\t\tdecryptedPayload,\n\t\t\trecords,\n\t\t\tdecryptedInputs,\n\t\t);\n\n\t\tlet finalOutput = result.output;\n\n\t\t// Pre-compute Image ID and Dataset Hash for Audit Trail & DP Seeding\n\t\tlet logicBytes: Uint8Array;\n\t\tif (typeof decryptedPayload === \"string\") {\n\t\t\tlogicBytes = Buffer.from(decryptedPayload, \"utf-8\");\n\t\t} else {\n\t\t\tlogicBytes = new Uint8Array(decryptedPayload);\n\t\t}\n\t\tconst imageId = deriveLogicImageDigest(logicBytes).toString(\"hex\");\n\n\t\t// Phase 110: Include dataset_hash for SOX audit trail compliance.\n\t\t// This SHA-256 anchor proves the underlying dataset was identical\n\t\t// across consecutive queries, separating DP noise from data mutation.\n\t\tconst datasetHash = crypto\n\t\t\t.createHash(\"sha256\")\n\t\t\t.update(JSON.stringify(records || []))\n\t\t\t.digest(\"hex\");\n\n\t\t// Apply Differential Privacy before committing to the ZK-Receipt\n\t\tif (dpConfig) {\n\t\t\tfinalOutput = applyDpToOutput(\n\t\t\t\tfinalOutput,\n\t\t\t\t{\n\t\t\t\t\t...dpConfig,\n\t\t\t\t\tseed: `${datasetHash}:${imageId}`,\n\t\t\t\t},\n\t\t\t\trecords?.length || 0,\n\t\t\t);\n\t\t}\n\n\t\t// 5. Generate Cryptographic Proof of Execution (HMAC-SHA256 Commitment)\n\n\t\tconst journal = Buffer.from(\n\t\t\tJSON.stringify({\n\t\t\t\timage_id: imageId,\n\t\t\t\tdataset_hash: datasetHash,\n\t\t\t\toutput_hash: crypto\n\t\t\t\t\t.createHash(\"sha256\")\n\t\t\t\t\t.update(\n\t\t\t\t\t\ttypeof finalOutput === \"string\"\n\t\t\t\t\t\t\t? finalOutput\n\t\t\t\t\t\t\t: JSON.stringify(finalOutput),\n\t\t\t\t\t)\n\t\t\t\t\t.digest(\"hex\"),\n\t\t\t\tfuel: result.fuelConsumed,\n\t\t\t\tts: Date.now(),\n\t\t\t}),\n\t\t);\n\n\t\tconst seal = crypto\n\t\t\t.createHmac(\"sha256\", sessionSecret)\n\t\t\t.update(journal)\n\t\t\t.digest();\n\t\tconst journalLen = Buffer.alloc(2);\n\t\tjournalLen.writeUInt16BE(journal.length);\n\t\tconst receiptBuf = Buffer.concat([\n\t\t\tBuffer.from([0x01]), // Receipt format v1\n\t\t\tjournalLen,\n\t\t\tjournal,\n\t\t\tseal, // 32 bytes HMAC\n\t\t]);\n\t\tconst zkReceipt = receiptBuf.toString(\"base64\");\n\n\t\treturn {\n\t\t\timage_id: imageId,\n\t\t\tzk_receipt: zkReceipt,\n\t\t\toutput: finalOutput,\n\t\t\tfuel_consumed: result.fuelConsumed,\n\t\t};\n\t} finally {\n\t\tawait sandbox.teardown();\n\t}\n}\n"]}
1
+ {"version":3,"sources":["../../src/security/dp-engine.ts","../../src/workers/logic-execution.ts"],"names":["DEFAULT_DP_CONFIG","EPSILON_FLOOR","EPSILON_FLOOR_THRESHOLD","laplaceSample","scale","prngState","u","crypto","addLaplaceNoise","value","config","merged","noisyValue","deriveFieldSensitivity","key","globalSensitivity","recordCount","lk","isCountWord","isTotalCount","applyDpToOutput","output","walkAndNoise","node","currentKey","fieldSensitivity","isCountKey","item","result","processLogicExecution","data","ciphertext","secretKeyObj","wasmBinary","inputs","aesNonce","records","isEncrypted","dpConfig","decryptedPayload","decryptedInputs","sessionSecret","Buffer","sk","ct","sharedSecret","createMlKem768","aesKey","wasmBuffer","authTag","encryptedData","decipher","decrypted","encValue","valBuffer","inputNonce","valTag","valData","valDecipher","valDecrypted","isWasm","wasmBytes","compiledModule","ASTGuardian","normalizeLogicSource","sandbox","WasiSandbox","finalOutput","logicBytes","imageId","deriveLogicImageDigest","datasetHash","journal","seal","journalLen","zkReceipt"],"mappings":"8MAqDA,IAAMA,CAAAA,CAA8B,CACnC,QAAS,CAAA,CACT,WAAA,CAAa,CAAA,CACb,qBAAA,CAAuB,EACxB,CAAA,CAOMC,EAAgB,CAAA,CAChBC,CAAAA,CAA0B,GAyBhC,SAASC,CAAAA,CAAcC,EAAeC,CAAAA,CAA+B,CACpE,IAAIC,CAAAA,CACJ,GACKD,EAMHC,CAAAA,CALaC,CAAAA,CACX,WAAW,QAAQ,CAAA,CACnB,OAAO,CAAA,EAAGF,CAAAA,CAAU,IAAI,CAAA,CAAA,EAAIA,CAAAA,CAAU,OAAA,EAAS,EAAE,CAAA,CACjD,MAAA,GAEO,YAAA,CAAa,CAAC,EAAI,UAAA,CAAc,EAAA,CAGzCC,EADYC,CAAAA,CAAO,WAAA,CAAY,CAAC,CAAA,CACxB,YAAA,CAAa,CAAC,CAAA,CAAI,UAAA,CAAc,SAEjCD,CAAAA,GAAM,CAAA,EAAKA,CAAAA,GAAM,IAAA,EAC1B,OAAO,CAACF,EAAQ,IAAA,CAAK,IAAA,CAAKE,CAAC,CAAA,CAAI,IAAA,CAAK,IAAI,CAAA,CAAI,CAAA,CAAI,IAAA,CAAK,GAAA,CAAIA,CAAC,CAAC,CAC5D,CAUO,SAASE,EACfC,CAAAA,CACAC,CAAAA,CAA4B,EAAC,CAC7BL,CAAAA,CACS,CACT,IAAMM,CAAAA,CAAS,CAAE,GAAGX,CAAAA,CAAmB,GAAGU,CAAO,CAAA,CAC3CN,CAAAA,CAAQO,EAAO,WAAA,CAAcA,CAAAA,CAAO,QACpCC,CAAAA,CAAaH,CAAAA,CAAQN,EAAcC,CAAAA,CAAOC,CAAS,EAGzD,OAAO,IAAA,CAAK,MAAMO,CAAAA,CAAa,GAAK,CAAA,CAAI,GACzC,CAmBA,SAASC,EACRC,CAAAA,CACAC,CAAAA,CACAC,EACS,CACT,GAAI,CAACF,CAAAA,CAAK,OAAOC,CAAAA,CAEjB,IAAME,CAAAA,CAAKH,CAAAA,CAAI,aAAY,CAOrBI,CAAAA,CACL,8FAA8F,IAAA,CAC7FD,CACD,EACKE,CAAAA,CACLF,CAAAA,GAAO,OAAA,EACPA,CAAAA,GAAO,GAAA,EACPA,CAAAA,GAAO,iBACPA,CAAAA,CAAG,UAAA,CAAW,QAAQ,CAAA,EACtBA,CAAAA,CAAG,WAAW,MAAM,CAAA,EACpB,qDAAqD,IAAA,CAAKA,CAAE,EAC7D,OAAIC,CAAAA,EAAeC,EAAqB,CAAA,CAGpC,kBAAA,CAAmB,KAAKF,CAAE,CAAA,EAAKD,CAAAA,CAAc,CAAA,CACzCD,CAAAA,CAAoBC,CAAAA,CAIrBD,CACR,CAkBO,SAASK,EACfC,CAAAA,CACAX,CAAAA,CAA4B,EAAC,CAC7BM,CAAAA,CACU,CACV,IAAML,CAAAA,CAAS,CAAE,GAAGX,CAAAA,CAAmB,GAAGU,CAAO,CAAA,CAGjD,GAAIM,GAAeL,CAAAA,CAAO,qBAAA,CACzB,OAAOU,CAAAA,CAOJL,CAAAA,CAAcd,CAAAA,EAA2BS,EAAO,OAAA,CAAUV,CAAAA,GAC7DU,EAAO,OAAA,CAAUV,CAAAA,CAAAA,CAGlB,IAAII,CAAAA,CACJ,OAAIM,EAAO,IAAA,GACVN,CAAAA,CAAY,CAAE,IAAA,CAAMM,CAAAA,CAAO,KAAM,OAAA,CAAS,CAAE,GAGtCW,CAAAA,CAAaD,CAAAA,CAAQV,CAAAA,CAAQK,CAAAA,CAAa,MAAA,CAAWX,CAAS,CACtE,CASA,SAASiB,EACRC,CAAAA,CACAb,CAAAA,CACAM,EACAQ,CAAAA,CACAnB,CAAAA,CACU,CACV,GAAI,OAAOkB,CAAAA,EAAS,UAAY,MAAA,CAAO,QAAA,CAASA,CAAI,CAAA,CAAG,CAEtD,IAAME,CAAAA,CAAmBZ,CAAAA,CACxBW,CAAAA,CACAd,CAAAA,CAAO,WAAA,CACPM,CACD,EACIJ,CAAAA,CAAaJ,CAAAA,CAChBe,EACA,CACC,GAAGb,EACH,WAAA,CAAae,CACd,EACApB,CACD,CAAA,CAIMqB,EACLF,CAAAA,EAAc,IAAA,EACdX,EAAuBW,CAAAA,CAAYd,CAAAA,CAAO,YAAaM,CAAW,CAAA,GAAM,CAAA,CAIzE,OAAA,CAAI,MAAA,CAAO,SAAA,CAAUO,CAAI,CAAA,EAAKG,CAAAA,IAC7Bd,EAAa,IAAA,CAAK,KAAA,CAAMA,CAAU,CAAA,CAAA,CAK/BW,CAAAA,EAAQ,CAAA,GACXX,CAAAA,CAAa,IAAA,CAAK,GAAA,CAAI,EAAGA,CAAU,CAAA,CAAA,CAG7BA,CACR,CAEA,GAAI,MAAM,OAAA,CAAQW,CAAI,CAAA,CAErB,OAAOA,CAAAA,CAAK,GAAA,CAAKI,GAChBL,CAAAA,CAAaK,CAAAA,CAAMjB,EAAQM,CAAAA,CAAaQ,CAAAA,CAAYnB,CAAS,CAC9D,CAAA,CAGD,GAAIkB,CAAAA,GAAS,IAAA,EAAQ,OAAOA,CAAAA,EAAS,QAAA,CAAU,CAC9C,IAAMK,CAAAA,CAAkC,EAAC,CACzC,IAAA,GAAW,CAACd,CAAAA,CAAKL,CAAK,CAAA,GAAK,OAAO,OAAA,CACjCc,CACD,EACCK,CAAAA,CAAOd,CAAG,EAAIQ,CAAAA,CAAab,CAAAA,CAAOC,CAAAA,CAAQM,CAAAA,CAAaF,CAAAA,CAAKT,CAAS,EAEtE,OAAOuB,CACR,CAGA,OAAOL,CACR,CC3QA,eAAOM,CAAAA,CAA6CC,CAAAA,CAKjD,CACF,GAAIA,CAAAA,CAAK,SACR,OAAO,CACN,SAAU,EAAA,CACV,MAAA,CAAQ,OACR,aAAA,CAAe,CAChB,EAGD,GAAM,CACL,WAAAC,CAAAA,CACA,YAAA,CAAAC,EACA,UAAA,CAAAC,CAAAA,CACA,OAAAC,GAAAA,CACA,QAAA,CAAAC,CAAAA,CACA,OAAA,CAAAC,CAAAA,CACA,WAAA,CAAAC,EAAc,IAAA,CACd,QAAA,CAAAC,CACD,CAAA,CAAIR,CAAAA,CAEAS,EACEC,CAAAA,CAA2C,EAAC,CAC9CC,CAAAA,CAAgBC,MAAAA,CAAO,KAAA,CAAM,EAAE,CAAA,CAEnC,GAAIL,EAAa,CAEhB,IAAMM,EAAK,IAAI,UAAA,CAAWX,CAAY,CAAA,CAChCY,CAAAA,CAAK,IAAI,WAAWb,CAAU,CAAA,CAE9Bc,GADM,MAAMC,cAAAA,IACO,KAAA,CAAMF,CAAAA,CAAID,CAAE,CAAA,CAC/BI,CAAAA,CAASL,OAAO,IAAA,CAAKG,CAAY,EACvCJ,CAAAA,CAAgBM,CAAAA,CAIhB,IAAMC,CAAAA,CAAaN,MAAAA,CAAO,IAAA,CAAKT,CAAU,CAAA,CACnCgB,CAAAA,CAAUD,EAAW,QAAA,CAAS,GAAG,EACjCE,CAAAA,CAAgBF,CAAAA,CAAW,SAAS,CAAA,CAAG,GAAG,CAAA,CAE1CG,CAAAA,CAAW5C,CAAAA,CAAO,gBAAA,CACvB,cACAwC,CAAAA,CACAL,MAAAA,CAAO,KAAKP,CAAAA,EAAY,IAAI,WAAW,EAAE,CAAC,CAC3C,CAAA,CACAgB,CAAAA,CAAS,UAAA,CAAWF,CAAO,CAAA,CAC3B,IAAIG,EAAYD,CAAAA,CAAS,MAAA,CAAOD,CAAa,CAAA,CAC7CE,CAAAA,CAAYV,OAAO,MAAA,CAAO,CAACU,EAAWD,CAAAA,CAAS,KAAA,EAAO,CAAC,CAAA,CACvDZ,EAAmBa,CAAAA,CAGnB,IAAA,GAAW,CAACtC,CAAAA,CAAKuC,CAAQ,CAAA,GAAK,OAAO,OAAA,CAAQnB,GAAAA,EAAU,EAAE,CAAA,CAAG,CAC3D,IAAMoB,CAAAA,CAAYZ,MAAAA,CAAO,IAAA,CAAKW,CAAQ,CAAA,CAEhCE,EAAaD,CAAAA,CAAU,QAAA,CAAS,EAAG,EAAE,CAAA,CACrCE,EAASF,CAAAA,CAAU,QAAA,CAAS,GAAG,CAAA,CAC/BG,CAAAA,CAAUH,CAAAA,CAAU,SAAS,EAAA,CAAI,GAAG,EAEpCI,CAAAA,CAAcnD,CAAAA,CAAO,iBAC1B,aAAA,CACAwC,CAAAA,CACAQ,CACD,CAAA,CACAG,CAAAA,CAAY,WAAWF,CAAM,CAAA,CAC7B,IAAIG,CAAAA,CAAeD,CAAAA,CAAY,OAAOD,CAAO,CAAA,CAC7CE,CAAAA,CAAejB,MAAAA,CAAO,MAAA,CAAO,CAACiB,EAAcD,CAAAA,CAAY,KAAA,EAAO,CAAC,CAAA,CAChElB,EAAgB1B,CAAG,CAAA,CAAI,IAAA,CAAK,KAAA,CAAM6C,CAAAA,CAAa,QAAA,CAAS,OAAO,CAAC,EACjE,CACD,CAAA,KAIE1B,CAAAA,CAAW,CAAC,CAAA,GAAM,CAAA,EAClBA,CAAAA,CAAW,CAAC,CAAA,GAAM,EAAA,EAClBA,EAAW,CAAC,CAAA,GAAM,KAClBA,CAAAA,CAAW,CAAC,IAAM,GAAA,CAElBM,CAAAA,CAAmBG,OAAO,IAAA,CAAKT,CAAU,EAEzCM,CAAAA,CAAmBG,MAAAA,CAAO,KAAKT,CAAU,CAAA,CAAE,SAAS,OAAO,CAAA,CAK7D,IAAM2B,CAAAA,CACLrB,CAAAA,CAAiB,CAAC,IAAM,CAAA,EACxBA,CAAAA,CAAiB,CAAC,CAAA,GAAM,EAAA,EACxBA,EAAiB,CAAC,CAAA,GAAM,GAAA,EACxBA,CAAAA,CAAiB,CAAC,CAAA,GAAM,IAEzB,GAAIA,CAAAA,YAA4BG,QAAUkB,CAAAA,CAAQ,CAEjD,IAAMC,CAAAA,CAAY,IAAI,UAAA,CAAWtB,CAAgB,CAAA,CAC3CuB,CAAAA,CAAiB,MAAM,WAAA,CAAY,OAAA,CAAQD,CAAS,CAAA,CAC1DE,CAAAA,CAAY,QAAQD,CAAc,EACnC,MAAWvB,CAAAA,YAA4BG,MAAAA,EAAU,CAACkB,CAAAA,GACjDrB,CAAAA,CAAmBA,EAAiB,QAAA,CAAS,OAAO,GAIjD,OAAOA,CAAAA,EAAqB,QAAA,GAC/BA,CAAAA,CAAmByB,GAAAA,CAAqBzB,CAAgB,GAIzD,IAAM0B,CAAAA,CAAU,IAAIC,CAAAA,CACpB,MAAMD,EAAQ,IAAA,EAAK,CAEnB,GAAI,CACH,IAAMrC,CAAAA,CAAS,MAAMqC,CAAAA,CAAQ,OAAA,CAC5B1B,EACAH,CAAAA,CACAI,CACD,EAEI2B,CAAAA,CAAcvC,CAAAA,CAAO,MAAA,CAGrBwC,CAAAA,CACA,OAAO7B,CAAAA,EAAqB,SAC/B6B,CAAAA,CAAa1B,MAAAA,CAAO,KAAKH,CAAAA,CAAkB,OAAO,EAElD6B,CAAAA,CAAa,IAAI,WAAW7B,CAAgB,CAAA,CAE7C,IAAM8B,CAAAA,CAAUC,GAAAA,CAAuBF,CAAU,CAAA,CAAE,QAAA,CAAS,KAAK,CAAA,CAK3DG,CAAAA,CAAchE,CAAAA,CAClB,UAAA,CAAW,QAAQ,CAAA,CACnB,OAAO,IAAA,CAAK,SAAA,CAAU6B,GAAW,EAAE,CAAC,CAAA,CACpC,MAAA,CAAO,KAAK,CAAA,CAGVE,CAAAA,GACH6B,CAAAA,CAAc/C,EACb+C,CAAAA,CACA,CACC,GAAG7B,CAAAA,CACH,IAAA,CAAM,GAAGiC,CAAW,CAAA,CAAA,EAAIF,CAAO,CAAA,CAChC,CAAA,CACAjC,CAAAA,EAAS,QAAU,CACpB,CAAA,CAAA,CAKD,IAAMoC,CAAAA,CAAU9B,MAAAA,CAAO,KACtB,IAAA,CAAK,SAAA,CAAU,CACd,QAAA,CAAU2B,CAAAA,CACV,aAAcE,CAAAA,CACd,WAAA,CAAahE,EACX,UAAA,CAAW,QAAQ,EACnB,MAAA,CACA,OAAO4D,CAAAA,EAAgB,QAAA,CACpBA,CAAAA,CACA,IAAA,CAAK,UAAUA,CAAW,CAC9B,EACC,MAAA,CAAO,KAAK,EACd,IAAA,CAAMvC,CAAAA,CAAO,YAAA,CACb,EAAA,CAAI,IAAA,CAAK,GAAA,EACV,CAAC,CACF,EAEM6C,CAAAA,CAAOlE,CAAAA,CACX,WAAW,QAAA,CAAUkC,CAAa,CAAA,CAClC,MAAA,CAAO+B,CAAO,CAAA,CACd,QAAO,CACHE,CAAAA,CAAahC,OAAO,KAAA,CAAM,CAAC,EACjCgC,CAAAA,CAAW,aAAA,CAAcF,EAAQ,MAAM,CAAA,CAOvC,IAAMG,CAAAA,CANajC,MAAAA,CAAO,OAAO,CAChCA,MAAAA,CAAO,KAAK,CAAC,CAAI,CAAC,CAAA,CAClBgC,CAAAA,CACAF,CAAAA,CACAC,CACD,CAAC,CAAA,CAC4B,SAAS,QAAQ,CAAA,CAE9C,OAAO,CACN,QAAA,CAAUJ,CAAAA,CACV,UAAA,CAAYM,CAAAA,CACZ,MAAA,CAAQR,EACR,aAAA,CAAevC,CAAAA,CAAO,YACvB,CACD,CAAA,OAAE,CACD,MAAMqC,CAAAA,CAAQ,QAAA,GACf,CACD","file":"logic-execution.js","sourcesContent":["/**\n * LIOP Differential Privacy Engine — Laplace Mechanism (NIST SP 800-226)\n *\n * Applies calibrated Laplace noise to numeric query outputs,\n * providing ε-differential privacy guarantees against differencing\n * and binary search attacks (F-01, F-02 from security audit).\n *\n * Key design decisions (Phase 110 — Industrial Recalibration):\n * 1. CSPRNG: Uses crypto.randomBytes() instead of Math.random()\n * to prevent state-reconstruction attacks on the noise generator.\n * 2. Query-Aware Sensitivity: COUNT keys get sensitivity=1,\n * AVG keys get sensitivity/n, SUM keys use global config.\n * 3. Epsilon Floor: Auto-enforce ε≥1.0 for datasets with n<10\n * to prevent catastrophic utility destruction.\n *\n * Reference: Dwork & Roth 2014, \"The Algorithmic Foundations of Differential Privacy\"\n * Standards: NIST SP 800-226, Google DP Library, US Census TopDown, Apple iOS DP\n * Industry precedent: Apple (ε=2.0 Health, ε=8.0 Keyboard), US Census (ε=1.0–4.0)\n */\n\nimport crypto from \"node:crypto\";\n\n// ── Public Configuration ─────────────────────────────────────────────\n\nexport interface DpConfig {\n\t/**\n\t * Privacy budget per query (default: 1.0).\n\t * Lower = stronger privacy + more noise. Higher = weaker privacy + less noise.\n\t * Industry standard: Apple iOS Health uses ε=2.0, US Census uses ε=1.0–4.0.\n\t */\n\tepsilon: number;\n\t/**\n\t * Max change in output when one record is added/removed.\n\t * For SUM queries: set to the max plausible value of the field.\n\t * For COUNT queries: the engine automatically overrides to 1.\n\t * For AVG queries: the engine automatically divides by recordCount.\n\t * Default: 1.0 (appropriate for counts and ratios).\n\t */\n\tsensitivity: number;\n\t/**\n\t * Only apply DP noise when dataset size is below this threshold.\n\t * Large datasets have natural statistical privacy (k-anonymity).\n\t * Default: 50 (aligned with HIPAA Safe Harbor minimum).\n\t */\n\tsmallDatasetThreshold: number;\n\t/**\n\t * Optional deterministic seed (e.g., datasetHash + imageId).\n\t * Enables Deterministic Differential Privacy (DDP) for audit modes,\n\t * ensuring perfectly reproducible ZK-Receipts while preserving DP.\n\t */\n\tseed?: string;\n}\n\nconst DEFAULT_DP_CONFIG: DpConfig = {\n\tepsilon: 1.0,\n\tsensitivity: 1.0,\n\tsmallDatasetThreshold: 50,\n};\n\n/**\n * Minimum epsilon enforced for very small datasets (n < 10).\n * Apple's most sensitive category (Health Data) uses ε=2.0 on millions of records.\n * Using ε<1.0 on datasets with <10 records destroys utility completely.\n */\nconst EPSILON_FLOOR = 1.0;\nconst EPSILON_FLOOR_THRESHOLD = 10;\n\n// ── Core Laplace Mechanism ───────────────────────────────────────────\n\nexport interface PrngState {\n\tseed: string;\n\tcounter: number;\n}\n\n/**\n * Generates a sample from the Laplace(0, scale) distribution\n * using inverse CDF sampling with a CSPRNG source.\n *\n * SECURITY: Uses crypto.randomBytes() (OS-level entropy pool) instead of\n * Math.random() (Xorshift128+ PRNG). This prevents state-reconstruction\n * attacks where an adversary observing 3-5 noisy outputs could predict\n * all future noise values and strip the DP protection entirely.\n *\n * Deterministic Audit Mode: If prngState is provided, derives cryptographic\n * entropy using SHA-256 over the seed and an auto-incrementing counter,\n * guaranteeing ZK-Receipt determinism while retaining mathematical privacy.\n *\n * Reference: NIST SP 800-226 §3.2 — \"Implementations must use a CSPRNG\n * for noise generation to maintain the mathematical privacy guarantee.\"\n */\nfunction laplaceSample(scale: number, prngState?: PrngState): number {\n\tlet u: number;\n\tdo {\n\t\tif (prngState) {\n\t\t\tconst hash = crypto\n\t\t\t\t.createHash(\"sha256\")\n\t\t\t\t.update(`${prngState.seed}:${prngState.counter++}`)\n\t\t\t\t.digest();\n\t\t\t// 4 bytes → Uint32 → uniform float in (-0.5, 0.5)\n\t\t\tu = hash.readUInt32BE(0) / 0x100000000 - 0.5;\n\t\t} else {\n\t\t\tconst buf = crypto.randomBytes(4);\n\t\t\tu = buf.readUInt32BE(0) / 0x100000000 - 0.5;\n\t\t}\n\t} while (u === 0 || u === -0.5); // Ensure no exactly 0 or -0.5 for log domain\n\treturn -scale * Math.sign(u) * Math.log(1 - 2 * Math.abs(u));\n}\n\n/**\n * Applies Laplace noise to a single numeric value.\n *\n * @param value - The true computed result\n * @param config - DP configuration (epsilon, sensitivity, seed)\n * @param prngState - Optional state tracking for deterministic sampling\n * @returns Noisy value with ε-differential privacy guarantee\n */\nexport function addLaplaceNoise(\n\tvalue: number,\n\tconfig: Partial<DpConfig> = {},\n\tprngState?: PrngState,\n): number {\n\tconst merged = { ...DEFAULT_DP_CONFIG, ...config };\n\tconst scale = merged.sensitivity / merged.epsilon;\n\tconst noisyValue = value + laplaceSample(scale, prngState);\n\t// Round to 4 decimal places to prevent long random digit strings\n\t// from triggering regex-based PII egress filters (e.g. phone numbers)\n\treturn Math.round(noisyValue * 10000) / 10000;\n}\n\n// ── Query-Aware Sensitivity ─────────────────────────────────────────\n\n/**\n * Derives field-level sensitivity based on key name semantics.\n *\n * This follows Google DP's architectural separation of CountParams,\n * SumParams, and MeanParams — each with independent sensitivity.\n *\n * Axioms (Dwork & Roth 2014):\n * - COUNT: Adding/removing one record changes count by at most 1.\n * - SUM: Adding/removing one record changes sum by at most max_value.\n * - AVG: Sensitivity = max_value / n (bounded contribution).\n *\n * @param key - Output field name (e.g., \"count\", \"avg_balance\", \"totalRevenue\")\n * @param globalSensitivity - Operator-configured max change per record\n * @param recordCount - Dataset size for average normalization\n */\nfunction deriveFieldSensitivity(\n\tkey: string | undefined,\n\tglobalSensitivity: number,\n\trecordCount: number,\n): number {\n\tif (!key) return globalSensitivity;\n\n\tconst lk = key.toLowerCase();\n\n\t// COUNT queries: sensitivity is ALWAYS 1 (fundamental DP axiom)\n\t// Match unambiguous count words: count, length, size, num (anywhere in key),\n\t// as well as common filter prefixes used in audits (nan_, negative_, positive_, null_, empty_, finite_, non_finite_).\n\t// \"total\" is ambiguous (\"totalRevenue\" = SUM, \"total\" or \"total_records\" = COUNT).\n\t// Only treat \"total\" as count when it IS the key or ends with a count suffix.\n\tconst isCountWord =\n\t\t/count|length|size|num|gainer|loser|positive|negative|nan_|null_|empty_|finite_|non_finite_/i.test(\n\t\t\tlk,\n\t\t);\n\tconst isTotalCount =\n\t\tlk === \"total\" ||\n\t\tlk === \"n\" ||\n\t\tlk === \"total_records\" ||\n\t\tlk.startsWith(\"total_\") || // Catch total_tickers, total_users\n\t\tlk.startsWith(\"num_\") || // Catch num_records, num_ticks\n\t\t/total.*(count|items|entries|rows|records|tickers)/i.test(lk);\n\tif (isCountWord || isTotalCount) return 1;\n\n\t// AVERAGE queries: sensitivity = globalSensitivity / n\n\tif (/avg|mean|average/.test(lk) && recordCount > 0) {\n\t\treturn globalSensitivity / recordCount;\n\t}\n\n\t// SUM / unknown: use operator-configured sensitivity\n\treturn globalSensitivity;\n}\n\n// ── Output Walker ────────────────────────────────────────────────────\n\n/**\n * Recursively walks a JSON output object and applies Laplace noise\n * to all finite numeric leaf values. Non-numeric values (strings,\n * booleans, null) are preserved unchanged.\n *\n * IMPORTANT: This function NEVER mutates the input object.\n * It always returns a new object tree, preserving data integrity\n * of the original sandbox output for ZK-Receipt verification.\n *\n * @param output - The sandbox computation result\n * @param config - DP configuration (epsilon, sensitivity, threshold)\n * @param recordCount - Source dataset size (noise only if < threshold)\n * @returns New object with noisy numeric values (never mutates input)\n */\nexport function applyDpToOutput(\n\toutput: unknown,\n\tconfig: Partial<DpConfig> = {},\n\trecordCount: number,\n): unknown {\n\tconst merged = { ...DEFAULT_DP_CONFIG, ...config };\n\n\t// Large datasets have natural statistical privacy — skip noise\n\tif (recordCount >= merged.smallDatasetThreshold) {\n\t\treturn output;\n\t}\n\n\t// NIST SP 800-226: For very small datasets, enforce minimum epsilon\n\t// to prevent catastrophic utility destruction. Apple uses ε≥2.0 even\n\t// for health data on millions of records; using ε<1.0 on n<10 is\n\t// mathematically equivalent to random number generation.\n\tif (recordCount < EPSILON_FLOOR_THRESHOLD && merged.epsilon < EPSILON_FLOOR) {\n\t\tmerged.epsilon = EPSILON_FLOOR;\n\t}\n\n\tlet prngState: PrngState | undefined;\n\tif (merged.seed) {\n\t\tprngState = { seed: merged.seed, counter: 0 };\n\t}\n\n\treturn walkAndNoise(output, merged, recordCount, undefined, prngState);\n}\n\n/**\n * Internal recursive walker that applies noise to numeric leaves.\n * Handles: numbers, arrays, objects (arbitrary nesting depth).\n *\n * Uses query-aware sensitivity: COUNT keys → sensitivity=1,\n * AVG keys → sensitivity/n, SUM/unknown → global sensitivity.\n */\nfunction walkAndNoise(\n\tnode: unknown,\n\tconfig: DpConfig,\n\trecordCount: number,\n\tcurrentKey?: string,\n\tprngState?: PrngState,\n): unknown {\n\tif (typeof node === \"number\" && Number.isFinite(node)) {\n\t\t// Query-aware sensitivity per Google DP / NIST SP 800-226\n\t\tconst fieldSensitivity = deriveFieldSensitivity(\n\t\t\tcurrentKey,\n\t\t\tconfig.sensitivity,\n\t\t\trecordCount,\n\t\t);\n\t\tlet noisyValue = addLaplaceNoise(\n\t\t\tnode,\n\t\t\t{\n\t\t\t\t...config,\n\t\t\t\tsensitivity: fieldSensitivity,\n\t\t\t},\n\t\t\tprngState,\n\t\t);\n\n\t\t// Semantic heuristics to preserve structural invariants:\n\t\t// Reuse the same count-key detection logic as deriveFieldSensitivity\n\t\tconst isCountKey =\n\t\t\tcurrentKey != null &&\n\t\t\tderiveFieldSensitivity(currentKey, config.sensitivity, recordCount) === 1;\n\n\t\t// If original was an integer OR key suggests a count, force integer\n\t\t// (US Census TopDown: all counts must be non-negative integers)\n\t\tif (Number.isInteger(node) || isCountKey) {\n\t\t\tnoisyValue = Math.round(noisyValue);\n\t\t}\n\n\t\t// If original was non-negative, clamp to 0\n\t\t// (US Census TopDown: enforces non-negative constraint in post-processing)\n\t\tif (node >= 0) {\n\t\t\tnoisyValue = Math.max(0, noisyValue);\n\t\t}\n\n\t\treturn noisyValue;\n\t}\n\n\tif (Array.isArray(node)) {\n\t\t// Pass currentKey down for array items so they inherit semantics\n\t\treturn node.map((item) =>\n\t\t\twalkAndNoise(item, config, recordCount, currentKey, prngState),\n\t\t);\n\t}\n\n\tif (node !== null && typeof node === \"object\") {\n\t\tconst result: Record<string, unknown> = {};\n\t\tfor (const [key, value] of Object.entries(\n\t\t\tnode as Record<string, unknown>,\n\t\t)) {\n\t\t\tresult[key] = walkAndNoise(value, config, recordCount, key, prngState);\n\t\t}\n\t\treturn result;\n\t}\n\n\t// Strings, booleans, null — pass through unchanged\n\treturn node;\n}\n","import { Buffer } from \"node:buffer\";\nimport crypto from \"node:crypto\";\nimport { createMlKem768 } from \"mlkem\";\nimport {\n\tderiveLogicImageDigest,\n\tnormalizeLogicSource,\n} from \"../crypto/logic-image-id.js\";\nimport { ASTGuardian } from \"../sandbox/guardian.js\";\nimport { WasiSandbox } from \"../sandbox/wasi.js\";\nimport { applyDpToOutput } from \"../security/dp-engine.js\";\n\nexport interface WorkerData {\n\tisWarmup?: boolean;\n\tciphertext?: Uint8Array;\n\tsecretKeyObj?: ArrayLike<number>;\n\tkyberPublicKey?: Uint8Array;\n\twasmBinary?: Uint8Array; // Can also be JS code in non-encrypted mode\n\tinputs?: Record<string, Uint8Array>;\n\trecords?: Record<string, unknown>[];\n\tsessionToken?: string;\n\tisEncrypted?: boolean;\n\taesNonce?: Uint8Array;\n\tdpConfig?: {\n\t\tepsilon: number;\n\t\tsensitivity: number;\n\t\tsmallDatasetThreshold: number;\n\t};\n}\n\nexport default async function processLogicExecution(data: WorkerData): Promise<{\n\timage_id: string;\n\toutput: unknown;\n\tfuel_consumed: number;\n\tzk_receipt?: string;\n}> {\n\tif (data.isWarmup) {\n\t\treturn {\n\t\t\timage_id: \"\",\n\t\t\toutput: \"warm\",\n\t\t\tfuel_consumed: 0,\n\t\t};\n\t}\n\n\tconst {\n\t\tciphertext,\n\t\tsecretKeyObj,\n\t\twasmBinary,\n\t\tinputs,\n\t\taesNonce,\n\t\trecords,\n\t\tisEncrypted = true,\n\t\tdpConfig,\n\t} = data as Required<WorkerData>;\n\n\tlet decryptedPayload: Buffer | string;\n\tconst decryptedInputs: Record<string, unknown> = {};\n\tlet sessionSecret = Buffer.alloc(32); // Fallback if plain text (no PQC)\n\n\tif (isEncrypted) {\n\t\t// 1. Decapsulate Kyber secret\n\t\tconst sk = new Uint8Array(secretKeyObj);\n\t\tconst ct = new Uint8Array(ciphertext);\n\t\tconst kem = await createMlKem768();\n\t\tconst sharedSecret = kem.decap(ct, sk);\n\t\tconst aesKey = Buffer.from(sharedSecret);\n\t\tsessionSecret = aesKey;\n\n\t\t// 2. Decrypt Main Payload (WASM/JS Code)\n\t\t// LIOP Serialization: Ciphertext = EncryptedData + 16-byte AuthTag\n\t\tconst wasmBuffer = Buffer.from(wasmBinary);\n\t\tconst authTag = wasmBuffer.subarray(-16);\n\t\tconst encryptedData = wasmBuffer.subarray(0, -16);\n\n\t\tconst decipher = crypto.createDecipheriv(\n\t\t\t\"aes-256-gcm\",\n\t\t\taesKey,\n\t\t\tBuffer.from(aesNonce || new Uint8Array(12)),\n\t\t);\n\t\tdecipher.setAuthTag(authTag);\n\t\tlet decrypted = decipher.update(encryptedData);\n\t\tdecrypted = Buffer.concat([decrypted, decipher.final()]);\n\t\tdecryptedPayload = decrypted;\n\n\t\t// 3. Decrypt Inputs\n\t\tfor (const [key, encValue] of Object.entries(inputs || {})) {\n\t\t\tconst valBuffer = Buffer.from(encValue);\n\t\t\t// Extract 12-byte prepended nonce, ciphertext, and 16-byte AuthTag\n\t\t\tconst inputNonce = valBuffer.subarray(0, 12);\n\t\t\tconst valTag = valBuffer.subarray(-16);\n\t\t\tconst valData = valBuffer.subarray(12, -16);\n\n\t\t\tconst valDecipher = crypto.createDecipheriv(\n\t\t\t\t\"aes-256-gcm\",\n\t\t\t\taesKey,\n\t\t\t\tinputNonce,\n\t\t\t);\n\t\t\tvalDecipher.setAuthTag(valTag);\n\t\t\tlet valDecrypted = valDecipher.update(valData);\n\t\t\tvalDecrypted = Buffer.concat([valDecrypted, valDecipher.final()]);\n\t\t\tdecryptedInputs[key] = JSON.parse(valDecrypted.toString(\"utf-8\"));\n\t\t}\n\t} else {\n\t\t// Transparent mode: payload is provided directly\n\t\t// If it's WASM (Magic bytes: \\0asm), keep as Buffer\n\t\tif (\n\t\t\twasmBinary[0] === 0x00 &&\n\t\t\twasmBinary[1] === 0x61 &&\n\t\t\twasmBinary[2] === 0x73 &&\n\t\t\twasmBinary[3] === 0x6d\n\t\t) {\n\t\t\tdecryptedPayload = Buffer.from(wasmBinary);\n\t\t} else {\n\t\t\tdecryptedPayload = Buffer.from(wasmBinary).toString(\"utf-8\");\n\t\t}\n\t}\n\n\t// 3. Inspect AST with Guardian-TS (if WASM)\n\tconst isWasm =\n\t\tdecryptedPayload[0] === 0x00 &&\n\t\tdecryptedPayload[1] === 0x61 &&\n\t\tdecryptedPayload[2] === 0x73 &&\n\t\tdecryptedPayload[3] === 0x6d;\n\n\tif (decryptedPayload instanceof Buffer && isWasm) {\n\t\t// Ensure we pass a compatible BufferSource\n\t\tconst wasmBytes = new Uint8Array(decryptedPayload);\n\t\tconst compiledModule = await WebAssembly.compile(wasmBytes);\n\t\tASTGuardian.analyze(compiledModule);\n\t} else if (decryptedPayload instanceof Buffer && !isWasm) {\n\t\tdecryptedPayload = decryptedPayload.toString(\"utf-8\");\n\t}\n\n\t// Strip only a whole-document LIOP envelope (see logic-image-id.ts).\n\tif (typeof decryptedPayload === \"string\") {\n\t\tdecryptedPayload = normalizeLogicSource(decryptedPayload);\n\t}\n\n\t// 4. Instantiate and Execute WASI Sandbox (or V8 Fallback)\n\tconst sandbox = new WasiSandbox();\n\tawait sandbox.init();\n\n\ttry {\n\t\tconst result = await sandbox.execute(\n\t\t\tdecryptedPayload,\n\t\t\trecords,\n\t\t\tdecryptedInputs,\n\t\t);\n\n\t\tlet finalOutput = result.output;\n\n\t\t// Pre-compute Image ID and Dataset Hash for Audit Trail & DP Seeding\n\t\tlet logicBytes: Uint8Array;\n\t\tif (typeof decryptedPayload === \"string\") {\n\t\t\tlogicBytes = Buffer.from(decryptedPayload, \"utf-8\");\n\t\t} else {\n\t\t\tlogicBytes = new Uint8Array(decryptedPayload);\n\t\t}\n\t\tconst imageId = deriveLogicImageDigest(logicBytes).toString(\"hex\");\n\n\t\t// Phase 110: Include dataset_hash for SOX audit trail compliance.\n\t\t// This SHA-256 anchor proves the underlying dataset was identical\n\t\t// across consecutive queries, separating DP noise from data mutation.\n\t\tconst datasetHash = crypto\n\t\t\t.createHash(\"sha256\")\n\t\t\t.update(JSON.stringify(records || []))\n\t\t\t.digest(\"hex\");\n\n\t\t// Apply Differential Privacy before committing to the ZK-Receipt\n\t\tif (dpConfig) {\n\t\t\tfinalOutput = applyDpToOutput(\n\t\t\t\tfinalOutput,\n\t\t\t\t{\n\t\t\t\t\t...dpConfig,\n\t\t\t\t\tseed: `${datasetHash}:${imageId}`,\n\t\t\t\t},\n\t\t\t\trecords?.length || 0,\n\t\t\t);\n\t\t}\n\n\t\t// 5. Generate Cryptographic Proof of Execution (HMAC-SHA256 Commitment)\n\n\t\tconst journal = Buffer.from(\n\t\t\tJSON.stringify({\n\t\t\t\timage_id: imageId,\n\t\t\t\tdataset_hash: datasetHash,\n\t\t\t\toutput_hash: crypto\n\t\t\t\t\t.createHash(\"sha256\")\n\t\t\t\t\t.update(\n\t\t\t\t\t\ttypeof finalOutput === \"string\"\n\t\t\t\t\t\t\t? finalOutput\n\t\t\t\t\t\t\t: JSON.stringify(finalOutput),\n\t\t\t\t\t)\n\t\t\t\t\t.digest(\"hex\"),\n\t\t\t\tfuel: result.fuelConsumed,\n\t\t\t\tts: Date.now(),\n\t\t\t}),\n\t\t);\n\n\t\tconst seal = crypto\n\t\t\t.createHmac(\"sha256\", sessionSecret)\n\t\t\t.update(journal)\n\t\t\t.digest();\n\t\tconst journalLen = Buffer.alloc(2);\n\t\tjournalLen.writeUInt16BE(journal.length);\n\t\tconst receiptBuf = Buffer.concat([\n\t\t\tBuffer.from([0x01]), // Receipt format v1\n\t\t\tjournalLen,\n\t\t\tjournal,\n\t\t\tseal, // 32 bytes HMAC\n\t\t]);\n\t\tconst zkReceipt = receiptBuf.toString(\"base64\");\n\n\t\treturn {\n\t\t\timage_id: imageId,\n\t\t\tzk_receipt: zkReceipt,\n\t\t\toutput: finalOutput,\n\t\t\tfuel_consumed: result.fuelConsumed,\n\t\t};\n\t} finally {\n\t\tawait sandbox.teardown();\n\t}\n}\n"]}