@nekzus/liop 2.0.1-beta.1 → 2.1.0-alpha.10

package/dist/chunk-32ADSAJS.js

@@ -0,0 +1,104 @@
+import { deriveLogicImageDigest } from './chunk-OUUTDSOW.js';
+import { log } from './chunk-72MNYFR6.js';
+import * as fs from 'fs';
+import { createRequire } from 'module';
+import path from 'path';
+import { fileURLToPath, pathToFileURL } from 'url';
+import { Piscina } from 'piscina';
+
+var __filename$1 = fileURLToPath(import.meta.url);
+var __dirname$1 = path.dirname(__filename$1);
+var LiopVerifier = class _LiopVerifier {
+  // Singleton Worker Pool for heavy ZK verification
+  static zkWorkerPool = null;
+  getZkPool() {
+    if (!_LiopVerifier.zkWorkerPool) {
+      const isTS = import.meta.url.endsWith(".ts");
+      const workerExt = isTS ? ".ts" : ".js";
+      let execArgv = [];
+      if (isTS) {
+        try {
+          const req = createRequire(import.meta.url);
+          const tsxPkg = req.resolve("tsx/package.json");
+          const absoluteTsx = pathToFileURL(
+            path.join(path.dirname(tsxPkg), "dist", "loader.mjs")
+          ).href;
+          execArgv = ["--import", absoluteTsx];
+        } catch (_e) {
+          execArgv = ["--import", "tsx"];
+        }
+      }
+      const workerPaths = [
+        path.resolve(__dirname$1, `./workers/zk-verifier${workerExt}`),
+        // Flat dist/ (tsup)
+        path.resolve(__dirname$1, `../workers/zk-verifier${workerExt}`)
+        // Original src/
+      ];
+      const workerFilename = workerPaths.find((p) => fs.existsSync(p)) || workerPaths[1];
+      _LiopVerifier.zkWorkerPool = new Piscina({
+        filename: workerFilename,
+        minThreads: 1,
+        maxThreads: 2,
+        // Minimal footprint since verification is fast compared to generation
+        idleTimeout: 3e4,
+        execArgv
+      });
+      _LiopVerifier.zkWorkerPool.run({ action: "warmup" }).catch((err) => {
+        log.debug(
+          `[LiopVerifier] Verification pool warm-up ping failed: ${err.message}`
+        );
+      });
+    }
+    return _LiopVerifier.zkWorkerPool;
+  }
+  /**
+   * Verifies a Zero-Knowledge Receipt from a remote LIOP node via Worker Pool.
+   *
+   * @param logicPayload The raw WASM or JS logic that was sent to the provider.
+   * @param remoteImageIdHex The ImageID reported by the provider (must match our local calculation).
+   * @param zkReceipt The mathematical proof (Seal + Journal) from the zkVM.
+   */
+  async verifyZkReceipt(logicPayload, remoteImageIdHex, zkReceipt, sessionSecret, expectedOutput) {
+    const pool = this.getZkPool();
+    if (!pool) throw new Error("Worker pool initialization failed");
+    const result = await pool.run({
+      action: "verify_receipt",
+      logicPayload: new Uint8Array(logicPayload),
+      remoteImageIdHex,
+      zkReceipt: new Uint8Array(zkReceipt),
+      sessionSecret: sessionSecret ? new Uint8Array(sessionSecret) : void 0,
+      expectedOutput
+    });
+    if (result.verified) {
+      log.info(`[LiopVerifier] ${result.message}`);
+      return true;
+    }
+    log.error(`[LiopVerifier] FAILED: ${result.message}`);
+    return false;
+  }
+  /**
+   * Verifies if a node is running inside an authenticated TEE (e.g. AWS Nitro).
+   *
+   * @param attestationReport The COSE-signed attestation document from the hardware.
+   */
+  async verifyTeeAttestation(attestationReport) {
+    if (attestationReport.length === 0) return true;
+    try {
+      log.info("[LiopVerifier] TEE Attestation: Not configured (no-op).");
+      return true;
+    } catch (err) {
+      log.error("[LiopVerifier] TEE Verification Failed:", err);
+      return false;
+    }
+  }
+  /**
+   * Derives the ImageID of a logic payload following the LIOP v1 Standard.
+   */
+  deriveImageId(logicPayload) {
+    return deriveLogicImageDigest(logicPayload);
+  }
+};
+
+export { LiopVerifier };
+//# sourceMappingURL=chunk-32ADSAJS.js.map
+//# sourceMappingURL=chunk-32ADSAJS.js.map

package/dist/chunk-32ADSAJS.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/crypto/verifier.ts"],"names":["__filename","__dirname"],"mappings":";;;;;;;;AAQA,IAAMA,YAAA,GAAa,aAAA,CAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAA;AAChD,IAAMC,WAAA,GAAY,IAAA,CAAK,OAAA,CAAQD,YAAU,CAAA;AASlC,IAAM,YAAA,GAAN,MAAM,aAAA,CAAa;AAAA;AAAA,EAEzB,OAAe,YAAA,GAA+B,IAAA;AAAA,EAEtC,SAAA,GAAY;AACnB,IAAA,IAAI,CAAC,cAAa,YAAA,EAAc;AAC/B,MAAA,MAAM,IAAA,GAAO,MAAA,CAAA,IAAA,CAAY,GAAA,CAAI,QAAA,CAAS,KAAK,CAAA;AAC3C,MAAA,MAAM,SAAA,GAAY,OAAO,KAAA,GAAQ,KAAA;AAEjC,MAAA,IAAI,WAAqB,EAAC;AAC1B,MAAA,IAAI,IAAA,EAAM;AACT,QAAA,IAAI;AACH,UAAA,MAAM,GAAA,GAAM,aAAA,CAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAA;AACzC,UAAA,MAAM,MAAA,GAAS,GAAA,CAAI,OAAA,CAAQ,kBAAkB,CAAA;AAC7C,UAAA,MAAM,WAAA,GAAc,aAAA;AAAA,YACnB,KAAK,IAAA,CAAK,IAAA,CAAK,QAAQ,MAAM,CAAA,EAAG,QAAQ,YAAY;AAAA,WACrD,CAAE,IAAA;AACF,UAAA,QAAA,GAAW,CAAC,YAAY,WAAW,CAAA;AAAA,QACpC,SAAS,EAAA,EAAI;AACZ,UAAA,QAAA,GAAW,CAAC,YAAY,KAAK,CAAA;AAAA,QAC9B;AAAA,MACD;AAGA,MAAA,MAAM,WAAA,GAAc;AAAA,QACnB,IAAA,CAAK,OAAA,CAAQC,WAAA,EAAW,CAAA,qBAAA,EAAwB,SAAS,CAAA,CAAE,CAAA;AAAA;AAAA,QAC3D,IAAA,CAAK,OAAA,CAAQA,WAAA,EAAW,CAAA,sBAAA,EAAyB,SAAS,CAAA,CAAE;AAAA;AAAA,OAC7D;AAEA,MAAA,MAAM,cAAA,GACL,WAAA,CAAY,IAAA,CAAK,CAAC,CAAA,KAAS,cAAW,CAAC,CAAC,CAAA,IAAK,WAAA,CAAY,CAAC,CAAA;AAE3D,MAAA,aAAA,CAAa,YAAA,GAAe,IAAI,OAAA,CAAQ;AAAA,QACvC,QAAA,EAAU,cAAA;AAAA,QACV,UAAA,EAAY,CAAA;AAAA,QACZ,UAAA,EAAY,CAAA;AAAA;AAAA,QACZ,WAAA,EAAa,GAAA;AAAA,QACb;AAAA,OACA,CAAA;AAGD,MAAA,aAAA,CAAa,YAAA,CAAa,IAAI,EAAE,MAAA,EAAQ,UAAU,CAAA,CAAE,KAAA,CAAM,CAAC,GAAA,KAAQ;AAClE,QAAA,GAAA,CAAI,KAAA;AAAA,UACH,CAAA,sDAAA,EAAyD,IAAI,OAAO,CAAA;AAAA,SACrE;AAAA,MACD,CAAC,CAAA;AAAA,IACF;AACA,IAAA,OAAO,aAAA,CAAa,YAAA;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAa,eAAA,CACZ,YAAA,EACA,gBAAA,EACA,SAAA,EACA,eACA,cAAA,EACmB;AACnB,IAAA,MAAM,IAAA,GAAO,KAAK,SAAA,EAAU;AAC5B,IAAA,IAAI,CAAC,IAAA,EAAM,MAAM,IAAI,MAAM,mCAAmC,CAAA;AAC9D,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,GAAA,CAAI;AAAA,MAC7B,MAAA,EAAQ,gBAAA;AAAA,MACR,YAAA,EAAc,IAAI,UAAA,CAAW,YAAY,CAAA;AAAA,MACzC,gBAAA;AAAA,MACA,SAAA,EAAW,IAAI,UAAA,CAAW,SAAS,CAAA;AAAA,MACnC,aAAA,EAAe,aAAA,GAAgB,IAAI,UAAA,CAAW,aAAa,CAAA,GAAI,MAAA;AAAA,MAC/D;AAAA,KACA,CAAA;AAED,IAAA,IAAI,OAAO,QAAA,EAAU;AACpB,MAAA,GAAA,CAAI,IAAA,CAAK,CAAA,eAAA,EAAkB,MAAA,CAAO,OAAO,CAAA,CAAE,CAAA;AAC3C,MAAA,OAAO,IAAA;AAAA,IACR;AAEA,IAAA,GAAA,CAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,MAAA,CAAO,OAAO,CAAA,CAAE,CAAA;AACpD,IAAA,OAAO,KAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAa,qBACZ,iBAAA,EACmB;AACnB,IAAA,IAAI,iBAAA,CAAkB,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAE3C,IAAA,IAAI;AAKH,MAAA,GAAA,CAAI,KAAK,yDAAyD,CAAA;AAClE,MAAA,OAAO,IAAA;AAAA,IACR,SAAS,GAAA,EAAK;AACb,MAAA,GAAA,CAAI,KAAA,CAAM,2CAA2C,GAAG,CAAA;AACxD,MAAA,OAAO,KAAA;AAAA,IACR;AAAA,EACD;AAAA;AAAA;AAAA;AAAA,EAKO,cAAc,YAAA,EAA8B;AAClD,IAAA,OAAO,uBAAuB,YAAY,CAAA;AAAA,EAC3C;AACD","file":"chunk-32ADSAJS.js","sourcesContent":["import * as fs from \"node:fs\";\nimport { createRequire } from \"node:module\";\nimport path from \"node:path\";\nimport { fileURLToPath, pathToFileURL } from \"node:url\";\nimport { Piscina } from \"piscina\";\nimport { log } from \"../utils/logger.js\";\nimport { deriveLogicImageDigest } from \"./logic-image-id.js\";\n\nconst __filename = fileURLToPath(import.meta.url);\nconst __dirname = path.dirname(__filename);\n\n/**\n * LIOP Tier-0 Industrial Verifier\n *\n * This engine is responsible for the trustless verification of remote logic execution.\n * It validates both the integrity of the code (ZkImageID) and the mathematical proof\n * of its execution (ZkSeal), as well as hardware-level attestation (TEE).\n */\nexport class LiopVerifier {\n\t// Singleton Worker Pool for heavy ZK verification\n\tprivate static zkWorkerPool: Piscina | null = null;\n\n\tprivate getZkPool() {\n\t\tif (!LiopVerifier.zkWorkerPool) {\n\t\t\tconst isTS = import.meta.url.endsWith(\".ts\");\n\t\t\tconst workerExt = isTS ? \".ts\" : \".js\";\n\n\t\t\tlet execArgv: string[] = [];\n\t\t\tif (isTS) {\n\t\t\t\ttry {\n\t\t\t\t\tconst req = createRequire(import.meta.url);\n\t\t\t\t\tconst tsxPkg = req.resolve(\"tsx/package.json\");\n\t\t\t\t\tconst absoluteTsx = pathToFileURL(\n\t\t\t\t\t\tpath.join(path.dirname(tsxPkg), \"dist\", \"loader.mjs\"),\n\t\t\t\t\t).href;\n\t\t\t\t\texecArgv = [\"--import\", absoluteTsx];\n\t\t\t\t} catch (_e) {\n\t\t\t\t\texecArgv = [\"--import\", \"tsx\"];\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Support both flat dist/ and original src/ structure\n\t\t\tconst workerPaths = [\n\t\t\t\tpath.resolve(__dirname, `./workers/zk-verifier${workerExt}`), // Flat dist/ (tsup)\n\t\t\t\tpath.resolve(__dirname, `../workers/zk-verifier${workerExt}`), // Original src/\n\t\t\t];\n\n\t\t\tconst workerFilename =\n\t\t\t\tworkerPaths.find((p) => fs.existsSync(p)) || workerPaths[1];\n\n\t\t\tLiopVerifier.zkWorkerPool = new Piscina({\n\t\t\t\tfilename: workerFilename,\n\t\t\t\tminThreads: 1,\n\t\t\t\tmaxThreads: 2, // Minimal footprint since verification is fast compared to generation\n\t\t\t\tidleTimeout: 30000,\n\t\t\t\texecArgv,\n\t\t\t});\n\n\t\t\t// Pre-warm the verification worker\n\t\t\tLiopVerifier.zkWorkerPool.run({ action: \"warmup\" }).catch((err) => {\n\t\t\t\tlog.debug(\n\t\t\t\t\t`[LiopVerifier] Verification pool warm-up ping failed: ${err.message}`,\n\t\t\t\t);\n\t\t\t});\n\t\t}\n\t\treturn LiopVerifier.zkWorkerPool;\n\t}\n\n\t/**\n\t * Verifies a Zero-Knowledge Receipt from a remote LIOP node via Worker Pool.\n\t *\n\t * @param logicPayload The raw WASM or JS logic that was sent to the provider.\n\t * @param remoteImageIdHex The ImageID reported by the provider (must match our local calculation).\n\t * @param zkReceipt The mathematical proof (Seal + Journal) from the zkVM.\n\t */\n\tpublic async verifyZkReceipt(\n\t\tlogicPayload: Buffer,\n\t\tremoteImageIdHex: string,\n\t\tzkReceipt: Buffer,\n\t\tsessionSecret?: Buffer,\n\t\texpectedOutput?: unknown,\n\t): Promise<boolean> {\n\t\tconst pool = this.getZkPool();\n\t\tif (!pool) throw new Error(\"Worker pool initialization failed\");\n\t\tconst result = await pool.run({\n\t\t\taction: \"verify_receipt\",\n\t\t\tlogicPayload: new Uint8Array(logicPayload),\n\t\t\tremoteImageIdHex,\n\t\t\tzkReceipt: new Uint8Array(zkReceipt),\n\t\t\tsessionSecret: sessionSecret ? new Uint8Array(sessionSecret) : undefined,\n\t\t\texpectedOutput,\n\t\t});\n\n\t\tif (result.verified) {\n\t\t\tlog.info(`[LiopVerifier] ${result.message}`);\n\t\t\treturn true;\n\t\t}\n\n\t\tlog.error(`[LiopVerifier] FAILED: ${result.message}`);\n\t\treturn false;\n\t}\n\n\t/**\n\t * Verifies if a node is running inside an authenticated TEE (e.g. AWS Nitro).\n\t *\n\t * @param attestationReport The COSE-signed attestation document from the hardware.\n\t */\n\tpublic async verifyTeeAttestation(\n\t\tattestationReport: Buffer,\n\t): Promise<boolean> {\n\t\tif (attestationReport.length === 0) return true; // Optional in Mesh Alpha\n\n\t\ttry {\n\t\t\t// Architecture for AWS Nitro Enclaves:\n\t\t\t// 1. Decode CBOR/COSE\n\t\t\t// 2. Verify Signature against AWS Nitro Root CA\n\t\t\t// 3. Compare PCRs\n\t\t\tlog.info(\"[LiopVerifier] TEE Attestation: Not configured (no-op).\");\n\t\t\treturn true;\n\t\t} catch (err) {\n\t\t\tlog.error(\"[LiopVerifier] TEE Verification Failed:\", err);\n\t\t\treturn false;\n\t\t}\n\t}\n\n\t/**\n\t * Derives the ImageID of a logic payload following the LIOP v1 Standard.\n\t */\n\tpublic deriveImageId(logicPayload: Buffer): Buffer {\n\t\treturn deriveLogicImageDigest(logicPayload);\n\t}\n}\n"]}

package/dist/chunk-72MNYFR6.js

@@ -0,0 +1,64 @@
+// src/utils/logger.ts
+var LiopLogger = class _LiopLogger {
+  static instance;
+  level = "info";
+  constructor() {
+    this.setLevelFromEnv();
+  }
+  static getInstance() {
+    if (!_LiopLogger.instance) {
+      _LiopLogger.instance = new _LiopLogger();
+    }
+    return _LiopLogger.instance;
+  }
+  setLevelFromEnv() {
+    const envLevel = process.env.LIOP_LOG_LEVEL?.toLowerCase();
+    if (envLevel === "silent" || envLevel === "error" || envLevel === "warn" || envLevel === "info" || envLevel === "debug") {
+      this.level = envLevel;
+    } else {
+      this.level = "info";
+    }
+  }
+  setLevel(level) {
+    this.level = level;
+  }
+  shouldLog(targetLevel) {
+    const levels = {
+      silent: 0,
+      error: 1,
+      warn: 2,
+      info: 3,
+      debug: 4
+    };
+    return levels[this.level] >= levels[targetLevel];
+  }
+  formatMessage(level, message) {
+    const ts = (/* @__PURE__ */ new Date()).toISOString();
+    return `[${ts}] [${level}] ${message}`;
+  }
+  error(message, ...args) {
+    if (this.shouldLog("error")) {
+      console.error(this.formatMessage("ERROR", message), ...args);
+    }
+  }
+  warn(message, ...args) {
+    if (this.shouldLog("warn")) {
+      console.error(this.formatMessage("WARN", message), ...args);
+    }
+  }
+  info(message, ...args) {
+    if (this.shouldLog("info")) {
+      console.error(this.formatMessage("INFO", message), ...args);
+    }
+  }
+  debug(message, ...args) {
+    if (this.shouldLog("debug")) {
+      console.error(this.formatMessage("DEBUG", message), ...args);
+    }
+  }
+};
+var log = LiopLogger.getInstance();
+
+export { log };
+//# sourceMappingURL=chunk-72MNYFR6.js.map
+//# sourceMappingURL=chunk-72MNYFR6.js.map

package/dist/chunk-72MNYFR6.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/utils/logger.ts"],"names":[],"mappings":";AAOO,IAAM,UAAA,GAAN,MAAM,WAAA,CAAW;AAAA,EACvB,OAAe,QAAA;AAAA,EACP,KAAA,GAAkB,MAAA;AAAA,EAElB,WAAA,GAAc;AACrB,IAAA,IAAA,CAAK,eAAA,EAAgB;AAAA,EACtB;AAAA,EAEA,OAAc,WAAA,GAA0B;AACvC,IAAA,IAAI,CAAC,YAAW,QAAA,EAAU;AACzB,MAAA,WAAA,CAAW,QAAA,GAAW,IAAI,WAAA,EAAW;AAAA,IACtC;AACA,IAAA,OAAO,WAAA,CAAW,QAAA;AAAA,EACnB;AAAA,EAEQ,eAAA,GAAkB;AACzB,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,GAAA,CAAI,cAAA,EAAgB,WAAA,EAAY;AACzD,IAAA,IACC,QAAA,KAAa,YACb,QAAA,KAAa,OAAA,IACb,aAAa,MAAA,IACb,QAAA,KAAa,MAAA,IACb,QAAA,KAAa,OAAA,EACZ;AACD,MAAA,IAAA,CAAK,KAAA,GAAQ,QAAA;AAAA,IACd,CAAA,MAAO;AAEN,MAAA,IAAA,CAAK,KAAA,GAAQ,MAAA;AAAA,IACd;AAAA,EACD;AAAA,EAEO,SAAS,KAAA,EAAiB;AAChC,IAAA,IAAA,CAAK,KAAA,GAAQ,KAAA;AAAA,EACd;AAAA,EAEQ,UAAU,WAAA,EAAgC;AACjD,IAAA,MAAM,MAAA,GAAmC;AAAA,MACxC,MAAA,EAAQ,CAAA;AAAA,MACR,KAAA,EAAO,CAAA;AAAA,MACP,IAAA,EAAM,CAAA;AAAA,MACN,IAAA,EAAM,CAAA;AAAA,MACN,KAAA,EAAO;AAAA,KACR;AACA,IAAA,OAAO,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,IAAK,OAAO,WAAW,CAAA;AAAA,EAChD;AAAA,EAEQ,aAAA,CAAc,OAAe,OAAA,EAAyB;AAC7D,IAAA,MAAM,EAAA,GAAA,iBAAK,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAClC,IAAA,OAAO,CAAA,CAAA,EAAI,EAAE,CAAA,GAAA,EAAM,KAAK,KAAK,OAAO,CAAA,CAAA;AAAA,EACrC;AAAA,EAEO,KAAA,CAAM,YAAoB,IAAA,EAAiB;AACjD,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,OAAO,CAAA,EAAG;AAC5B,MAAA,OAAA,CAAQ,MAAM,IAAA,CAAK,aAAA,CAAc,SAAS,OAAO,CAAA,EAAG,GAAG,IAAI,CAAA;AAAA,IAC5D;AAAA,EACD;AAAA,EAEO,IAAA,CAAK,YAAoB,IAAA,EAAiB;AAChD,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,MAAM,CAAA,EAAG;AAC3B,MAAA,OAAA,CAAQ,MAAM,IAAA,CAAK,aAAA,CAAc,QAAQ,OAAO,CAAA,EAAG,GAAG,IAAI,CAAA;AAAA,IAC3D;AAAA,EACD;AAAA,EAEO,IAAA,CAAK,YAAoB,IAAA,EAAiB;AAChD,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,MAAM,CAAA,EAAG;AAC3B,MAAA,OAAA,CAAQ,MAAM,IAAA,CAAK,aAAA,CAAc,QAAQ,OAAO,CAAA,EAAG,GAAG,IAAI,CAAA;AAAA,IAC3D;AAAA,EACD;AAAA,EAEO,KAAA,CAAM,YAAoB,IAAA,EAAiB;AACjD,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,OAAO,CAAA,EAAG;AAC5B,MAAA,OAAA,CAAQ,MAAM,IAAA,CAAK,aAAA,CAAc,SAAS,OAAO,CAAA,EAAG,GAAG,IAAI,CAAA;AAAA,IAC5D;AAAA,EACD;AACD,CAAA;AAEO,IAAM,GAAA,GAAM,WAAW,WAAA","file":"chunk-72MNYFR6.js","sourcesContent":["export type LogLevel = \"silent\" | \"error\" | \"warn\" | \"info\" | \"debug\";\n\n/**\n * LiopLogger - Structured Logging Abstraction\n * Configurable via `process.env.LIOP_LOG_LEVEL`.\n * Emits strictly to stderr to comply with MCP stdio protocols.\n */\nexport class LiopLogger {\n\tprivate static instance: LiopLogger;\n\tprivate level: LogLevel = \"info\";\n\n\tprivate constructor() {\n\t\tthis.setLevelFromEnv();\n\t}\n\n\tpublic static getInstance(): LiopLogger {\n\t\tif (!LiopLogger.instance) {\n\t\t\tLiopLogger.instance = new LiopLogger();\n\t\t}\n\t\treturn LiopLogger.instance;\n\t}\n\n\tprivate setLevelFromEnv() {\n\t\tconst envLevel = process.env.LIOP_LOG_LEVEL?.toLowerCase();\n\t\tif (\n\t\t\tenvLevel === \"silent\" ||\n\t\t\tenvLevel === \"error\" ||\n\t\t\tenvLevel === \"warn\" ||\n\t\t\tenvLevel === \"info\" ||\n\t\t\tenvLevel === \"debug\"\n\t\t) {\n\t\t\tthis.level = envLevel as LogLevel;\n\t\t} else {\n\t\t\t// Default level: info\n\t\t\tthis.level = \"info\";\n\t\t}\n\t}\n\n\tpublic setLevel(level: LogLevel) {\n\t\tthis.level = level;\n\t}\n\n\tprivate shouldLog(targetLevel: LogLevel): boolean {\n\t\tconst levels: Record<LogLevel, number> = {\n\t\t\tsilent: 0,\n\t\t\terror: 1,\n\t\t\twarn: 2,\n\t\t\tinfo: 3,\n\t\t\tdebug: 4,\n\t\t};\n\t\treturn levels[this.level] >= levels[targetLevel];\n\t}\n\n\tprivate formatMessage(level: string, message: string): string {\n\t\tconst ts = new Date().toISOString();\n\t\treturn `[${ts}] [${level}] ${message}`;\n\t}\n\n\tpublic error(message: string, ...args: unknown[]) {\n\t\tif (this.shouldLog(\"error\")) {\n\t\t\tconsole.error(this.formatMessage(\"ERROR\", message), ...args);\n\t\t}\n\t}\n\n\tpublic warn(message: string, ...args: unknown[]) {\n\t\tif (this.shouldLog(\"warn\")) {\n\t\t\tconsole.error(this.formatMessage(\"WARN\", message), ...args);\n\t\t}\n\t}\n\n\tpublic info(message: string, ...args: unknown[]) {\n\t\tif (this.shouldLog(\"info\")) {\n\t\t\tconsole.error(this.formatMessage(\"INFO\", message), ...args);\n\t\t}\n\t}\n\n\tpublic debug(message: string, ...args: unknown[]) {\n\t\tif (this.shouldLog(\"debug\")) {\n\t\t\tconsole.error(this.formatMessage(\"DEBUG\", message), ...args);\n\t\t}\n\t}\n}\n\nexport const log = LiopLogger.getInstance();\n"]}

package/dist/chunk-E5QBDD5E.js

@@ -0,0 +1,469 @@
+import { LiopVerifier } from './chunk-32ADSAJS.js';
+import { Kyber768Wrapper } from './chunk-QLCOEP5J.js';
+import { createChannelCredentials, liopV1 } from './chunk-RDWCGZ2A.js';
+import { MeshNode } from './chunk-NJRSFFD7.js';
+import { log } from './chunk-72MNYFR6.js';
+import * as grpc from '@grpc/grpc-js';
+import { createDecipheriv, randomBytes, createCipheriv } from 'crypto';
+
+var LiopRpcClient = class {
+  // biome-ignore lint/suspicious/noExplicitAny: internal gRPC client type
+  client;
+  token;
+  constructor(address, tls, token) {
+    const credentials = createChannelCredentials(tls);
+    this.client = new liopV1.LogicMesh(address, credentials);
+    this.token = token;
+  }
+  /**
+   * Negotiates intent with the remote host.
+   * Returns the ephemeral Kyber public key for payload encryption.
+   */
+  async negotiateIntent(request) {
+    return new Promise((resolve, reject) => {
+      const metadata = new grpc.Metadata();
+      if (this.token) {
+        metadata.add("authorization", `Bearer ${this.token}`);
+      }
+      this.client.NegotiateIntent(
+        request,
+        metadata,
+        (error, response) => {
+          if (error) {
+            reject(error);
+          } else {
+            resolve(response);
+          }
+        }
+      );
+    });
+  }
+  /**
+   * Pushes the encrypted Logic-on-Origin payload to the origin.
+   * Returns a stream of semantic responses and ZK proofs.
+   */
+  executeLogic(request) {
+    const metadata = new grpc.Metadata();
+    if (this.token) {
+      metadata.add("authorization", `Bearer ${this.token}`);
+    }
+    return this.client.ExecuteLogic(request, metadata);
+  }
+  close() {
+    this.client.close();
+  }
+};
+var AesGcmWrapper = {
+  /**
+   * Encrypts a raw WASM payload using the shared secret negotiated via Kyber768.
+   *
+   * @param payload Raw incoming WASM byte array or string.
+   * @param sharedSecret A perfectly derived 32-byte (256-bit) shared secret array
+   * @returns The encrypted buffer to push to the GRPc stream, along with the 12-byte initialization vector natively generated.
+   */
+  encryptPayload(payload, sharedSecret) {
+    if (sharedSecret.length !== 32) {
+      throw new Error("Symmetric Key must be exactly 32 bytes (256 bits).");
+    }
+    const nonce = randomBytes(12);
+    const cipher = createCipheriv("aes-256-gcm", sharedSecret, nonce);
+    const encrypted = Buffer.concat([cipher.update(payload), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    const finalCiphertext = Buffer.concat([encrypted, authTag]);
+    return {
+      ciphertext: finalCiphertext,
+      nonce
+    };
+  },
+  /**
+   * Decrypts a remote Zero-Knowledge receipt using AES-256-GCM.
+   */
+  decryptPayload(ciphertextBuffer, nonce, sharedSecret) {
+    if (ciphertextBuffer.length < 16) {
+      throw new Error(
+        "Invalid GCM Ciphertext; missing authentication tag length"
+      );
+    }
+    const encryptedData = ciphertextBuffer.subarray(0, -16);
+    const authTag = ciphertextBuffer.subarray(-16);
+    const decipher = createDecipheriv("aes-256-gcm", sharedSecret, nonce);
+    decipher.setAuthTag(authTag);
+    return Buffer.concat([decipher.update(encryptedData), decipher.final()]);
+  }
+};
+
+// src/client/index.ts
+var LiopClient = class {
+  meshNode = null;
+  rpcClients = /* @__PURE__ */ new Map();
+  manifests = /* @__PURE__ */ new Map();
+  tlsOptions;
+  serverInfo;
+  verifier = new LiopVerifier();
+  oauthToken;
+  constructor(tls) {
+    this.tlsOptions = tls;
+  }
+  /**
+   * Requests an M2M access token from the Nexus Authorization Server using Client Credentials.
+   */
+  async acquireM2MToken(authOpts) {
+    const baseUrl = authOpts.nexusUrl.endsWith("/oidc") ? authOpts.nexusUrl : `${authOpts.nexusUrl}/oidc`;
+    const tokenUrl = `${baseUrl}/token`;
+    log.info(`[LiopClient] Requesting M2M Token from Nexus AS: ${tokenUrl}`);
+    const params = new URLSearchParams({
+      grant_type: "client_credentials",
+      scope: authOpts.scope || "liop:tools:call liop:tools:list liop:resources:read liop:schema:read liop:mesh:query",
+      resource: authOpts.audience,
+      client_id: authOpts.clientId,
+      client_secret: authOpts.clientSecret
+    });
+    const response = await fetch(tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: params.toString()
+    });
+    if (!response.ok) {
+      const text = await response.text();
+      throw new Error(
+        `OAuth token request failed with status ${response.status}: ${text}`
+      );
+    }
+    const data = await response.json();
+    if (!data.access_token) {
+      throw new Error("OAuth token response did not contain an access_token.");
+    }
+    log.info("[LiopClient] M2M Token acquired successfully.");
+    return data.access_token;
+  }
+  /**
+   * Discovers and connects to the target server or mesh capability.
+   * If address is omitted, it sets up the MeshNode to act purely dynamically.
+   */
+  async connect(address, options) {
+    const clientId = options?.auth?.clientId || process.env.LIOP_OAUTH_CLIENT_ID || process.env.LIOP_CLIENT_ID;
+    const clientSecret = options?.auth?.clientSecret || process.env.LIOP_OAUTH_CLIENT_SECRET || process.env.LIOP_CLIENT_SECRET;
+    const nexusUrl = options?.auth?.nexusUrl || process.env.LIOP_NEXUS_URL || "http://localhost:3000";
+    const audience = options?.auth?.audience || process.env.LIOP_OAUTH_AUDIENCE || "urn:liop:mesh:api";
+    const scope = options?.auth?.scope || process.env.LIOP_OAUTH_SCOPE || "liop:tools:call liop:tools:list liop:resources:read liop:schema:read liop:mesh:query";
+    this.oauthToken = options?.auth?.token || process.env.LIOP_OAUTH_TOKEN || process.env.LIOP_TOKEN;
+    if (clientId && clientSecret) {
+      try {
+        this.oauthToken = await this.acquireM2MToken({
+          clientId,
+          clientSecret,
+          nexusUrl,
+          audience,
+          scope
+        });
+      } catch (err) {
+        log.error(
+          `[LiopClient] Failed to acquire OAuth M2M Token: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
+    this.meshNode = new MeshNode(options?.meshConfig);
+    await this.meshNode.start();
+    log.info(
+      `[LiopClient] Mesh Node synchronized. PeerID: ${this.meshNode.getPeerId()}`
+    );
+    if (address) {
+      this.rpcClients.set(
+        "static",
+        new LiopRpcClient(address, this.tlsOptions, this.oauthToken)
+      );
+      this.serverInfo = { name: `LiopServer (${address})`, version: "1.0.0" };
+      log.info(`[LiopClient] Static gRPC configured for: ${address}`);
+    } else {
+      this.serverInfo = { name: "LiopServer (Mesh Alpha)", version: "1.0.0" };
+    }
+  }
+  /**
+   * Dynamically queries Kademlia DHT to find the optimal PeerID providing the Capability
+   * and returns the physical gRPC target (host:port) resolved from the provider's manifest.
+   */
+  async resolveCapability(toolName) {
+    if (!this.meshNode)
+      throw new Error(
+        "Client must be connected to Mesh to resolve capabilities."
+      );
+    log.info(`[LiopClient] Querying Mesh DHT for Provider: ${toolName}...`);
+    const providers = await this.meshNode.findProviders(toolName);
+    if (providers.length === 0) {
+      throw new Error(
+        `Kademlia DHT found zero providers for capability: ${toolName}`
+      );
+    }
+    const providerId = providers[0];
+    log.info(`[LiopClient] Identified Alpha Provider PeerID: ${providerId}`);
+    let grpcPort = 50051;
+    const manifest = await this.meshNode.queryManifest(providerId);
+    if (manifest) {
+      grpcPort = manifest.grpcPort;
+      log.info(`[LiopClient] Manifest resolved: gRPC port ${grpcPort}`);
+    }
+    const addrs = await this.meshNode.resolvePeer(providerId);
+    for (const maddr of addrs) {
+      const parts = maddr.split("/");
+      if (parts[1] === "ip4") {
+        const grpcHost = `${parts[2]}:${grpcPort}`;
+        log.info(
+          `[LiopClient] Translated Multiaddr to gRPC Target: ${grpcHost}`
+        );
+        return grpcHost;
+      }
+    }
+    return `127.0.0.1:${grpcPort}`;
+  }
+  /**
+   * Discovers remote capabilities via the LIOP Manifest Protocol.
+   */
+  async discoverTools() {
+    if (!this.meshNode) {
+      throw new Error("Client must be connected before discovering tools.");
+    }
+    log.info(`[LiopClient] Discovery started...`);
+    const providerIds = await this.meshNode.discoverManifestProviders();
+    const tools = [];
+    const seenNames = /* @__PURE__ */ new Set();
+    for (const peerId of providerIds) {
+      try {
+        log.info(`[LiopClient] Querying manifest from: ${peerId}`);
+        const manifest = await this.meshNode.queryManifest(peerId);
+        if (manifest) {
+          this.manifests.set(peerId, manifest);
+          for (const tool of manifest.tools) {
+            if (!seenNames.has(tool.name)) {
+              tools.push({ name: tool.name, description: tool.description });
+              seenNames.add(tool.name);
+            }
+          }
+        }
+      } catch (err) {
+        log.info(
+          `[LiopClient] Error querying manifest from ${peerId}:`,
+          err instanceof Error ? err.message : String(err)
+        );
+      }
+    }
+    log.info(
+      `[LiopClient] Discovery finished. Found ${tools.length} unique tools.`
+    );
+    return tools;
+  }
+  /**
+   * Invokes a tool.
+   */
+  async callTool(request, _wasmPayload) {
+    if (!this.meshNode) {
+      throw new Error("Client must be connected before calling tools.");
+    }
+    const toolName = request.name;
+    log.info(`[LiopClient] Resolving Tool: ${toolName}`);
+    let rpcClient = this.rpcClients.get("static");
+    if (!rpcClient) {
+      const dynamicAddress = await this.resolveCapability(toolName);
+      rpcClient = this.getOrCreateRpcClient(toolName, dynamicAddress);
+    } else {
+      log.info(
+        `[LiopClient] Using existing static gRPC connection for ${toolName}.`
+      );
+    }
+    log.info(`[LiopClient] Negotiating intent for ${toolName}...`);
+    const agentDid = this.meshNode ? `did:liop:${this.meshNode.getPeerId()}` : "did:liop:ephemeral";
+    const intentPayload = Buffer.from(`${toolName}:${Date.now()}`);
+    const proofOfIntent = this.meshNode ? await this.meshNode.sign(intentPayload) : intentPayload;
+    const intentResponse = await rpcClient.negotiateIntent({
+      agent_did: agentDid,
+      capability_hash: toolName,
+      proof_of_intent: proofOfIntent
+    });
+    if (!intentResponse.accepted) {
+      throw new Error(`Intent denied by host: ${intentResponse.error_message}`);
+    }
+    const publicKey = intentResponse.kyber_public_key || intentResponse.kyberPublicKey;
+    const sessionToken = intentResponse.session_token || intentResponse.sessionToken;
+    if (!publicKey) {
+      log.info(
+        "[LiopClient] Critical Error: Kyber Public Key not found in IntentResponse.",
+        intentResponse
+      );
+      throw new Error(
+        "Handshake failed: Remote host did not provide a valid Kyber Public Key."
+      );
+    }
+    log.info(
+      `[LiopClient] Encapsulating Post-Quantum Shared Secret for ${request.name}...`
+    );
+    const { ciphertext: kyberCiphertext, sharedSecret } = await Kyber768Wrapper.encapsulateAsymmetric(publicKey);
+    log.info(`[LiopClient] Sealing WASM Payload and Inputs...`);
+    const _safePayload = _wasmPayload || Buffer.from("");
+    const { ciphertext: encryptedWasm, nonce: aesNonce } = AesGcmWrapper.encryptPayload(_safePayload, sharedSecret);
+    const encryptedInputs = {};
+    const crypto = await import('crypto');
+    for (const [key, value] of Object.entries(request.arguments || {})) {
+      const inputNonce = crypto.randomBytes(12);
+      const cipher = crypto.createCipheriv(
+        "aes-256-gcm",
+        sharedSecret,
+        inputNonce
+      );
+      const encrypted = Buffer.concat([
+        cipher.update(JSON.stringify(value)),
+        cipher.final()
+      ]);
+      const authTag = cipher.getAuthTag();
+      encryptedInputs[key] = Buffer.concat([inputNonce, encrypted, authTag]);
+    }
+    const logicRequest = {
+      session_token: sessionToken,
+      wasm_binary: encryptedWasm,
+      inputs: encryptedInputs,
+      pqc_ciphertext: kyberCiphertext,
+      aes_nonce: aesNonce
+    };
+    return new Promise((resolve, reject) => {
+      const stream = rpcClient.executeLogic(logicRequest);
+      if (!stream) {
+        reject(new Error("RPC Client unavailable or failed to create stream."));
+        return;
+      }
+      let resultFulfilled = false;
+      let hasReceivedData = false;
+      stream.on("data", async (response) => {
+        if (resultFulfilled) return;
+        hasReceivedData = true;
+        log.info("[LiopClient] Logic Executed. Verification in progress...");
+        try {
+          if (!response.is_error) {
+            const isValid = await this.verifier.verifyZkReceipt(
+              _safePayload,
+              Buffer.from(response.cryptographic_proof).toString("hex"),
+              Buffer.from(response.zk_receipt),
+              Buffer.from(sharedSecret),
+              response.semantic_evidence
+            );
+            if (!isValid) {
+              reject(
+                new Error(
+                  "PROTOCOL INTEGRITY VIOLATION: ZK-Receipt verification failed."
+                )
+              );
+              return;
+            }
+          }
+          resultFulfilled = true;
+          resolve({
+            content: [
+              {
+                type: "text",
+                text: response.semantic_evidence
+              }
+            ],
+            isError: response.is_error
+          });
+        } catch (err) {
+          reject(err);
+        }
+      });
+      stream.on("error", (err) => {
+        if (resultFulfilled) return;
+        log.error("[LiopClient] Stream Error:", err);
+        reject(err);
+      });
+      stream.on("end", () => {
+        if (!hasReceivedData && !resultFulfilled) {
+          reject(new Error("Logic-on-Origin stream closed without results."));
+        }
+      });
+    });
+  }
+  getOrCreateRpcClient(peerId, address) {
+    let client = this.rpcClients.get(peerId);
+    if (!client) {
+      let nodeToken = this.oauthToken;
+      let manifest = this.manifests.get(peerId);
+      let realPeerId = peerId;
+      if (!manifest) {
+        for (const [pId, m] of this.manifests.entries()) {
+          if (m.tools.some((t) => t.name === peerId)) {
+            manifest = m;
+            realPeerId = pId;
+            break;
+          }
+        }
+      }
+      const providerName = manifest?.serverInfo?.name?.toLowerCase() || "";
+      let envToken;
+      const slug = manifest?.tokenSlug;
+      if (slug) {
+        envToken = process.env[`LIOP_TOKEN_${slug}`] || process.env[`LIOP_OAUTH_TOKEN_${slug}`];
+      }
+      if (!envToken && realPeerId) {
+        const shortId = realPeerId.slice(-8).toUpperCase();
+        envToken = process.env[`LIOP_TOKEN_${shortId}`] || process.env[`LIOP_OAUTH_TOKEN_${shortId}`];
+      }
+      if (!envToken && providerName) {
+        const cleanName = providerName.toUpperCase().replace(/[^A-Z0-9_]/g, "_");
+        envToken = process.env[`LIOP_TOKEN_${cleanName}`] || process.env[`LIOP_OAUTH_TOKEN_${cleanName}`];
+      }
+      if (envToken) {
+        log.info(
+          `[LiopClient] Resolved node-specific token for peer ${realPeerId.slice(-8)} (${providerName || "unknown"})`
+        );
+        nodeToken = envToken;
+      }
+      client = new LiopRpcClient(address, this.tlsOptions, nodeToken);
+      this.rpcClients.set(peerId, client);
+    }
+    return client;
+  }
+  /**
+   * Reads a specific resource by URI.
+   * In LIOP, resources can be static definitions or dynamic streams.
+   */
+  async readResource(uri) {
+    if (!this.meshNode) {
+      throw new Error("Client must be connected before reading resources.");
+    }
+    log.info(`[LiopClient] Querying Mesh for Resource: ${uri}...`);
+    const providers = await this.meshNode.findProviders(uri);
+    if (providers.length === 0) {
+      throw new Error(`No mesh providers found for resource: ${uri}`);
+    }
+    const manifest = await this.meshNode.queryManifest(providers[0]);
+    if (!manifest) {
+      throw new Error("Target peer did not return a valid LIOP Manifest.");
+    }
+    const resourceDef = manifest.resources?.find((r) => r.uri === uri);
+    if (!resourceDef) {
+      throw new Error(`Resource ${uri} not listed in remote manifest.`);
+    }
+    return {
+      contents: [
+        {
+          uri,
+          mimeType: resourceDef.mimeType || "application/json",
+          text: JSON.stringify(resourceDef, null, 2)
+        }
+      ]
+    };
+  }
+  getServerInfo() {
+    return this.serverInfo;
+  }
+  /**
+   * Destroys the active Mesh Node resources.
+   */
+  async close() {
+    if (this.meshNode) {
+      await this.meshNode.stop();
+    }
+  }
+};
+
+export { LiopClient, LiopRpcClient };
+//# sourceMappingURL=chunk-E5QBDD5E.js.map
+//# sourceMappingURL=chunk-E5QBDD5E.js.map