@nekzus/liop 2.0.1-beta.1 → 2.1.0-alpha.2

package/dist/chunk-XOITNPU3.js

@@ -0,0 +1,2 @@
+import {c}from'./chunk-VQUSWD4U.js';var o=c.object({name:c.string(),description:c.string().optional(),inputSchema:c.record(c.string(),c.unknown())}),i=c.object({uri:c.string(),name:c.string(),description:c.string().optional(),mimeType:c.string().optional()}),s=c.object({name:c.string(),description:c.string().optional(),arguments:c.array(c.object({name:c.string(),description:c.string().optional(),required:c.boolean().optional()})).optional()});export{o as a,i as b,s as c};//# sourceMappingURL=chunk-XOITNPU3.js.map
+//# sourceMappingURL=chunk-XOITNPU3.js.map

package/dist/{chunk-TYVG6TXQ.js.map → chunk-XOITNPU3.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/types.ts"],"names":["ToolSchema","external_exports","ResourceSchema","PromptSchema"],"mappings":"oCAMO,IAAMA,CAAAA,CAAaC,EAAE,MAAA,CAAO,CAClC,KAAMA,CAAAA,CAAE,MAAA,GACR,WAAA,CAAaA,CAAAA,CAAE,QAAO,CAAE,QAAA,GACxB,WAAA,CAAaA,CAAAA,CAAE,OAAOA,CAAAA,CAAE,MAAA,GAAUA,CAAAA,CAAE,OAAA,EAAS,CAC9C,CAAC,EAIYC,CAAAA,CAAiBD,CAAAA,CAAE,OAAO,CACtC,GAAA,CAAKA,EAAE,MAAA,EAAO,CACd,KAAMA,CAAAA,CAAE,MAAA,GACR,WAAA,CAAaA,CAAAA,CAAE,QAAO,CAAE,QAAA,GACxB,QAAA,CAAUA,CAAAA,CAAE,QAAO,CAAE,QAAA,EACtB,CAAC,CAAA,CAIYE,EAAeF,CAAAA,CAAE,MAAA,CAAO,CACpC,IAAA,CAAMA,CAAAA,CAAE,QAAO,CACf,WAAA,CAAaA,EAAE,MAAA,EAAO,CAAE,UAAS,CACjC,SAAA,CAAWA,EACT,KAAA,CACAA,CAAAA,CAAE,OAAO,CACR,IAAA,CAAMA,EAAE,MAAA,EAAO,CACf,YAAaA,CAAAA,CAAE,MAAA,GAAS,QAAA,EAAS,CACjC,SAAUA,CAAAA,CAAE,OAAA,GAAU,QAAA,EACvB,CAAC,CACF,CAAA,CACC,QAAA,EACH,CAAC","file":"chunk-TYVG6TXQ.js","sourcesContent":["import { z } from \"zod\";\n\n/**\n * Base Protocol Types representing parity with Model Context Protocol\n */\n\nexport const ToolSchema = z.object({\n\tname: z.string(),\n\tdescription: z.string().optional(),\n\tinputSchema: z.record(z.string(), z.unknown()), // Represents a JSON Schema\n});\n\nexport type Tool = z.infer<typeof ToolSchema>;\n\nexport const ResourceSchema = z.object({\n\turi: z.string(),\n\tname: z.string(),\n\tdescription: z.string().optional(),\n\tmimeType: z.string().optional(),\n});\n\nexport type Resource = z.infer<typeof ResourceSchema>;\n\nexport const PromptSchema = z.object({\n\tname: z.string(),\n\tdescription: z.string().optional(),\n\targuments: z\n\t\t.array(\n\t\t\tz.object({\n\t\t\t\tname: z.string(),\n\t\t\t\tdescription: z.string().optional(),\n\t\t\t\trequired: z.boolean().optional(),\n\t\t\t}),\n\t\t)\n\t\t.optional(),\n});\n\nexport type Prompt = z.infer<typeof PromptSchema>;\n\nexport interface CallToolRequest {\n\tname: string;\n\targuments?: Record<string, unknown>;\n}\n\nexport interface CallToolResult {\n\tcontent: Array<{\n\t\ttype: \"text\" | \"image\" | \"resource\";\n\t\ttext?: string;\n\t\tdata?: string;\n\t\tmimeType?: string;\n\t\tresource?: {\n\t\t\turi: string;\n\t\t\ttext?: string;\n\t\t\tblob?: string;\n\t\t};\n\t}>;\n\tisError?: boolean;\n}\n\nexport interface GetPromptRequest {\n\tname: string;\n\targuments?: Record<string, string>;\n}\n\nexport interface GetPromptResult {\n\tdescription?: string;\n\tmessages: Array<{\n\t\trole: \"user\" | \"assistant\";\n\t\tcontent:\n\t\t\t| { type: \"text\"; text: string }\n\t\t\t| { type: \"image\"; data: string; mimeType: string }\n\t\t\t| {\n\t\t\t\t\ttype: \"resource\";\n\t\t\t\t\tresource: { uri: string; text?: string; blob?: string };\n\t\t\t  };\n\t}>;\n}\n\nexport interface ServerInfo {\n\tname: string;\n\tversion: string;\n\tcapabilities?: {\n\t\tprompts?: { listChanged?: boolean };\n\t\tresources?: { subscribe?: boolean; listChanged?: boolean };\n\t\ttools?: { listChanged?: boolean };\n\t\tlogging?: Record<string, unknown>;\n\t};\n}\n\nexport interface McpRequest {\n\tmethod: string;\n\tparams?: unknown;\n\tid?: string | number | null;\n\tjsonrpc?: \"2.0\";\n}\n\nexport interface McpResponse {\n\tjsonrpc: \"2.0\";\n\tid?: string | number | null;\n\tresult?: unknown;\n\terror?: {\n\t\tcode: number;\n\t\tmessage: string;\n\t\tdata?: unknown;\n\t};\n}\n\n/**\n * Re-export AuthInfo from the security module for convenience.\n * Compatible with MCP TypeScript SDK AuthInfo interface shape.\n */\nexport type { AuthInfo } from \"./security/jwt-validator.js\";\n"]}
+{"version":3,"sources":["../src/types.ts"],"names":["ToolSchema","external_exports","ResourceSchema","PromptSchema"],"mappings":"oCAMO,IAAMA,CAAAA,CAAaC,EAAE,MAAA,CAAO,CAClC,KAAMA,CAAAA,CAAE,MAAA,GACR,WAAA,CAAaA,CAAAA,CAAE,QAAO,CAAE,QAAA,GACxB,WAAA,CAAaA,CAAAA,CAAE,OAAOA,CAAAA,CAAE,MAAA,GAAUA,CAAAA,CAAE,OAAA,EAAS,CAC9C,CAAC,EAIYC,CAAAA,CAAiBD,CAAAA,CAAE,OAAO,CACtC,GAAA,CAAKA,EAAE,MAAA,EAAO,CACd,KAAMA,CAAAA,CAAE,MAAA,GACR,WAAA,CAAaA,CAAAA,CAAE,QAAO,CAAE,QAAA,GACxB,QAAA,CAAUA,CAAAA,CAAE,QAAO,CAAE,QAAA,EACtB,CAAC,CAAA,CAIYE,EAAeF,CAAAA,CAAE,MAAA,CAAO,CACpC,IAAA,CAAMA,CAAAA,CAAE,QAAO,CACf,WAAA,CAAaA,EAAE,MAAA,EAAO,CAAE,UAAS,CACjC,SAAA,CAAWA,EACT,KAAA,CACAA,CAAAA,CAAE,OAAO,CACR,IAAA,CAAMA,EAAE,MAAA,EAAO,CACf,YAAaA,CAAAA,CAAE,MAAA,GAAS,QAAA,EAAS,CACjC,SAAUA,CAAAA,CAAE,OAAA,GAAU,QAAA,EACvB,CAAC,CACF,CAAA,CACC,QAAA,EACH,CAAC","file":"chunk-XOITNPU3.js","sourcesContent":["import { z } from \"zod\";\n\n/**\n * Base Protocol Types representing parity with Model Context Protocol\n */\n\nexport const ToolSchema = z.object({\n\tname: z.string(),\n\tdescription: z.string().optional(),\n\tinputSchema: z.record(z.string(), z.unknown()), // Represents a JSON Schema\n});\n\nexport type Tool = z.infer<typeof ToolSchema>;\n\nexport const ResourceSchema = z.object({\n\turi: z.string(),\n\tname: z.string(),\n\tdescription: z.string().optional(),\n\tmimeType: z.string().optional(),\n});\n\nexport type Resource = z.infer<typeof ResourceSchema>;\n\nexport const PromptSchema = z.object({\n\tname: z.string(),\n\tdescription: z.string().optional(),\n\targuments: z\n\t\t.array(\n\t\t\tz.object({\n\t\t\t\tname: z.string(),\n\t\t\t\tdescription: z.string().optional(),\n\t\t\t\trequired: z.boolean().optional(),\n\t\t\t}),\n\t\t)\n\t\t.optional(),\n});\n\nexport type Prompt = z.infer<typeof PromptSchema>;\n\nexport interface CallToolRequest {\n\tname: string;\n\targuments?: Record<string, unknown>;\n}\n\nexport interface CallToolResult {\n\tcontent: Array<{\n\t\ttype: \"text\" | \"image\" | \"resource\";\n\t\ttext?: string;\n\t\tdata?: string;\n\t\tmimeType?: string;\n\t\tresource?: {\n\t\t\turi: string;\n\t\t\ttext?: string;\n\t\t\tblob?: string;\n\t\t};\n\t}>;\n\tisError?: boolean;\n}\n\nexport interface GetPromptRequest {\n\tname: string;\n\targuments?: Record<string, string>;\n}\n\nexport interface GetPromptResult {\n\tdescription?: string;\n\tmessages: Array<{\n\t\trole: \"user\" | \"assistant\";\n\t\tcontent:\n\t\t\t| { type: \"text\"; text: string }\n\t\t\t| { type: \"image\"; data: string; mimeType: string }\n\t\t\t| {\n\t\t\t\t\ttype: \"resource\";\n\t\t\t\t\tresource: { uri: string; text?: string; blob?: string };\n\t\t\t  };\n\t}>;\n}\n\nexport interface ServerInfo {\n\tname: string;\n\tversion: string;\n\tcapabilities?: {\n\t\tprompts?: { listChanged?: boolean };\n\t\tresources?: { subscribe?: boolean; listChanged?: boolean };\n\t\ttools?: { listChanged?: boolean };\n\t\tlogging?: Record<string, unknown>;\n\t};\n}\n\nexport interface McpRequest {\n\tmethod: string;\n\tparams?: unknown;\n\tid?: string | number | null;\n\tjsonrpc?: \"2.0\";\n}\n\nexport interface McpResponse {\n\tjsonrpc: \"2.0\";\n\tid?: string | number | null;\n\tresult?: unknown;\n\terror?: {\n\t\tcode: number;\n\t\tmessage: string;\n\t\tdata?: unknown;\n\t};\n}\n\n/**\n * Re-export AuthInfo from the security module for convenience.\n * Compatible with MCP TypeScript SDK AuthInfo interface shape.\n */\nexport type { AuthInfo } from \"./security/jwt-validator.js\";\n"]}

package/dist/client.d.ts

@@ -1,6 +1,6 @@
-import './verifier-DTCD9imJ.js';
+import './verifier-COnid_dg.js';
 import './mesh.js';
-export { a as LiopClient } from './index-B_Vbrb_I.js';
+export { a as LiopClient } from './index-Brfvxmdt.js';
 import './types-DzEXgi4s.js';
 import 'zod';
 import 'jose';

package/dist/client.js

@@ -1,2 +1,2 @@
-export{b as LiopClient}from'./chunk-N6FGTZ6A.js';import'./chunk-SW53FNSN.js';import'./chunk-ANFXJGMP.js';import'./chunk-DBXGYHKY.js';import'./chunk-V5MKJT6S.js';import'./chunk-DQ6UW6L7.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=client.js.map
+export{b as LiopClient}from'./chunk-T3L6OCM3.js';import'./chunk-PWCXZWSE.js';import'./chunk-ANFXJGMP.js';import'./chunk-DBXGYHKY.js';import'./chunk-V5MKJT6S.js';import'./chunk-DQ6UW6L7.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=client.js.map
 //# sourceMappingURL=client.js.map

package/dist/gateway.d.ts

@@ -1,6 +1,6 @@
 import { MeshNode } from './mesh.js';
-import { L as LiopServer } from './index-CL8m1L1d.js';
-import { L as LiopVerifier } from './verifier-DTCD9imJ.js';
+import { L as LiopServer } from './index-DO97j6hP.js';
+import { L as LiopVerifier } from './verifier-COnid_dg.js';
 import { M as McpRequest, A as AuthInfo, b as McpResponse } from './types-DzEXgi4s.js';
 import 'zod';
 import 'jose';

package/dist/gateway.js

@@ -1,2 +1,2 @@
-export{b as LiopHybridGateway}from'./chunk-YZVCAJJO.js';import'./chunk-VGXNGTIC.js';import'./chunk-SW53FNSN.js';import'./chunk-ANFXJGMP.js';import'./chunk-DBXGYHKY.js';import'./chunk-SB5XJXKV.js';import'./chunk-V5MKJT6S.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=gateway.js.map
+export{b as LiopHybridGateway}from'./chunk-GI2LSJYZ.js';import'./chunk-I46YEWND.js';import'./chunk-PWCXZWSE.js';import'./chunk-ANFXJGMP.js';import'./chunk-DBXGYHKY.js';import'./chunk-SB5XJXKV.js';import'./chunk-V5MKJT6S.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=gateway.js.map
 //# sourceMappingURL=gateway.js.map

package/dist/{index-B_Vbrb_I.d.ts → index-Brfvxmdt.d.ts}

@@ -1,4 +1,4 @@
-import { L as LiopVerifier } from './verifier-DTCD9imJ.js';
+import { L as LiopVerifier } from './verifier-COnid_dg.js';
 import { MeshNodeConfig } from './mesh.js';
 import { C as CallToolRequest, a as CallToolResult } from './types-DzEXgi4s.js';
 

package/dist/{index-CL8m1L1d.d.ts → index-DO97j6hP.d.ts}

@@ -236,6 +236,8 @@ interface LiopServerOptions {
         idleTimeout?: number;
         /** Max heap memory per worker in MB (default: 64). Prevents heap bomb DoS. */
         maxHeapMb?: number;
+        /** Maximum number of tasks allowed in the queue. Default is "auto". */
+        maxQueue?: number | "auto";
     };
     security?: {
         piiPatterns?: PiiRule[];
@@ -276,6 +278,10 @@ interface LiopServerOptions {
      * Must match SCREAMING_SNAKE_CASE: /^[A-Z][A-Z0-9_]*$/ (e.g., "BANK", "VAULT", "HFT_ORACLE").
      */
     tokenSlug?: string;
+    /**
+     * Path to a shared JSON file for persistent Query Budget tracking across multiple server instances.
+     */
+    budgetStorePath?: string;
 }
 interface AggregationPolicy {
     /** Maximum number of object-type array elements allowed (default: 10) */
@@ -322,6 +328,10 @@ interface LogicExecutionPolicy {
      * Domain-specific sensitive keys that fall under the "sensitive" query budget tier.
      */
     sensitiveKeys?: string[];
+    /**
+     * Path to a shared JSON file for persistent Query Budget tracking across multiple server instances.
+     */
+    budgetStorePath?: string;
 }
 declare class LiopServer {
     private serverInfo;
@@ -495,6 +505,10 @@ declare class LiopServer {
     private loadRevocationList;
     revokeToken(token: string): void;
     revokeTokenHash(hash: string): void;
+    private getPersistentBudget;
+    private savePersistentBudget;
+    private executeWithBudgetLock;
+    private applyInMemoryBudget;
 }
 
 export { AUTH_DEFAULTS as A, LiopServer as L, NerScanner as N, type OAuthClientConfig as O, PII_PATTERNS as P, type ToolHandler as T, type LiopServerOptions as a, type AggregationPolicy as b, type AuthRole as c, type LiopAuthConfig as d, type LogicExecutionPolicy as e, type OutputSanitizerConfig as f, PII_PRESETS as g, type PiiRule as h, PiiScanner as i, sanitizeOutput as s };

package/dist/index.d.ts

@@ -1,17 +1,17 @@
 export { LiopBridgeOptions, LiopMcpBridge, LiopStreamBridge, LiopStreamBridgeOptions } from './bridge.js';
-import { L as LiopTlsOptions } from './index-B_Vbrb_I.js';
-export { a as LiopClient } from './index-B_Vbrb_I.js';
+import { L as LiopTlsOptions } from './index-Brfvxmdt.js';
+export { a as LiopClient } from './index-Brfvxmdt.js';
 export { LiopHybridGateway } from './gateway.js';
 export { LiopManifest, MeshNode, MeshNodeConfig } from './mesh.js';
 import * as grpc from '@grpc/grpc-js';
-export { A as AUTH_DEFAULTS, b as AggregationPolicy, c as AuthRole, d as LiopAuthConfig, L as LiopServer, a as LiopServerOptions, e as LogicExecutionPolicy, N as NerScanner, O as OAuthClientConfig, f as OutputSanitizerConfig, P as PII_PATTERNS, g as PII_PRESETS, h as PiiRule, i as PiiScanner, T as ToolHandler, s as sanitizeOutput } from './index-CL8m1L1d.js';
+export { A as AUTH_DEFAULTS, b as AggregationPolicy, c as AuthRole, d as LiopAuthConfig, L as LiopServer, a as LiopServerOptions, e as LogicExecutionPolicy, N as NerScanner, O as OAuthClientConfig, f as OutputSanitizerConfig, P as PII_PATTERNS, g as PII_PRESETS, h as PiiRule, i as PiiScanner, T as ToolHandler, s as sanitizeOutput } from './index-DO97j6hP.js';
 import { A as AuthInfo } from './types-DzEXgi4s.js';
 export { C as CallToolRequest, a as CallToolResult, G as GetPromptRequest, c as GetPromptResult, J as JwtValidator, M as McpRequest, b as McpResponse, P as Prompt, d as PromptSchema, R as Resource, e as ResourceSchema, S as ServerInfo, T as Tool, f as ToolSchema } from './types-DzEXgi4s.js';
 import * as jose from 'jose';
 import Provider from 'oidc-provider';
 import '@modelcontextprotocol/sdk/server/mcp.js';
 import 'zod';
-import './verifier-DTCD9imJ.js';
+import './verifier-COnid_dg.js';
 
 /**
  * TokenEstimator — Pluggable strategy for counting tokens in text content.

package/dist/index.js

@@ -1,4 +1,4 @@
-export{c as WasiSandbox,b as getDefaultEnvironment}from'./chunk-RYYRR4N5.js';export{b as LiopClient,a as LiopRpcClient}from'./chunk-N6FGTZ6A.js';export{c as PromptSchema,b as ResourceSchema,a as ToolSchema}from'./chunk-TYVG6TXQ.js';export{b as LiopMcpBridge,a as LiopStreamBridge}from'./chunk-W2QGWRTT.js';export{b as LiopHybridGateway,a as buildProtectedResourceMetadata}from'./chunk-YZVCAJJO.js';export{b as AUTH_DEFAULTS,c as JwtValidator,a as LiopRpcServer,j as LiopServer,e as NerScanner,g as PII_PATTERNS,h as PII_PRESETS,i as PiiScanner,d as createOAuthServer,f as sanitizeOutput}from'./chunk-L5A64CNT.js';import'./chunk-2MGFSIXN.js';export{b as HeuristicTokenEstimator,e as LiopOTelBridge,a as RealTokenEstimator,f as TokenTelemetryEngine,d as createSyncTokenEstimator,c as createTokenEstimator}from'./chunk-VGXNGTIC.js';import'./chunk-SW53FNSN.js';import'./chunk-ANFXJGMP.js';import'./chunk-DBXGYHKY.js';export{b as LIOP_SCOPES,a as authorizeRequest}from'./chunk-SB5XJXKV.js';import'./chunk-V5MKJT6S.js';export{a as MeshNode}from'./chunk-DQ6UW6L7.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';var h=(e=>(e.CapabilityViolation="CapabilityViolation",e.SandboxEscape="SandboxEscape",e.PiiLeak="PiiLeak",e.InvalidIntent="InvalidIntent",e.Throttled="Throttled",e.ZkVerificationFailed="ZkVerificationFailed",e.MeshUnavailable="MeshUnavailable",e.ConnectionFailed="ConnectionFailed",e))(h||{}),n=class extends Error{code;constructor(o,t){super(t),this.name="LiopError",this.code=o;}};var x={claude:{xmlStandard:true,jsonSchemaPreferred:false},openai:{xmlStandard:false,jsonSchemaPreferred:true},gemini:{xmlStandard:false,jsonSchemaPreferred:true}};function W(i){let o=x[i],t=`[LIOP-PROTO-V1: LOGIC-ON-ORIGIN SPECIFICATION]
+export{c as WasiSandbox,b as getDefaultEnvironment}from'./chunk-RYYRR4N5.js';export{b as LiopClient,a as LiopRpcClient}from'./chunk-T3L6OCM3.js';export{c as PromptSchema,b as ResourceSchema,a as ToolSchema}from'./chunk-XOITNPU3.js';export{b as LiopMcpBridge,a as LiopStreamBridge}from'./chunk-I7OTWNFM.js';export{b as LiopHybridGateway,a as buildProtectedResourceMetadata}from'./chunk-GI2LSJYZ.js';export{b as AUTH_DEFAULTS,c as JwtValidator,a as LiopRpcServer,j as LiopServer,e as NerScanner,g as PII_PATTERNS,h as PII_PRESETS,i as PiiScanner,d as createOAuthServer,f as sanitizeOutput}from'./chunk-CXMVL5IW.js';import'./chunk-VQUSWD4U.js';export{b as HeuristicTokenEstimator,e as LiopOTelBridge,a as RealTokenEstimator,f as TokenTelemetryEngine,d as createSyncTokenEstimator,c as createTokenEstimator}from'./chunk-I46YEWND.js';import'./chunk-PWCXZWSE.js';import'./chunk-ANFXJGMP.js';import'./chunk-DBXGYHKY.js';export{b as LIOP_SCOPES,a as authorizeRequest}from'./chunk-SB5XJXKV.js';import'./chunk-V5MKJT6S.js';export{a as MeshNode}from'./chunk-DQ6UW6L7.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';var h=(e=>(e.CapabilityViolation="CapabilityViolation",e.SandboxEscape="SandboxEscape",e.PiiLeak="PiiLeak",e.InvalidIntent="InvalidIntent",e.Throttled="Throttled",e.ZkVerificationFailed="ZkVerificationFailed",e.MeshUnavailable="MeshUnavailable",e.ConnectionFailed="ConnectionFailed",e))(h||{}),n=class extends Error{code;constructor(o,t){super(t),this.name="LiopError",this.code=o;}};var x={claude:{xmlStandard:true,jsonSchemaPreferred:false},openai:{xmlStandard:false,jsonSchemaPreferred:true},gemini:{xmlStandard:false,jsonSchemaPreferred:true}};function W(i){let o=x[i],t=`[LIOP-PROTO-V1: LOGIC-ON-ORIGIN SPECIFICATION]
 You are interacting with a Logic-Injection-on-Origin Protocol (LIOP) Mesh Network.
 Unlike standard MCP where you pull context to evaluate it remotely, in LIOP you WRITE code that executes on the data's origin.
 

package/dist/server.d.ts

@@ -1,4 +1,4 @@
-export { b as AggregationPolicy, L as LiopServer, a as LiopServerOptions, e as LogicExecutionPolicy, N as NerScanner, f as OutputSanitizerConfig, P as PII_PATTERNS, g as PII_PRESETS, h as PiiRule, i as PiiScanner, T as ToolHandler, s as sanitizeOutput } from './index-CL8m1L1d.js';
+export { b as AggregationPolicy, L as LiopServer, a as LiopServerOptions, e as LogicExecutionPolicy, N as NerScanner, f as OutputSanitizerConfig, P as PII_PATTERNS, g as PII_PRESETS, h as PiiRule, i as PiiScanner, T as ToolHandler, s as sanitizeOutput } from './index-DO97j6hP.js';
 import 'zod';
 import './mesh.js';
 import './types-DzEXgi4s.js';

package/dist/server.js

@@ -1,2 +1,2 @@
-export{j as LiopServer,e as NerScanner,g as PII_PATTERNS,h as PII_PRESETS,i as PiiScanner,f as sanitizeOutput}from'./chunk-L5A64CNT.js';import'./chunk-2MGFSIXN.js';import'./chunk-SB5XJXKV.js';import'./chunk-V5MKJT6S.js';import'./chunk-DQ6UW6L7.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=server.js.map
+export{j as LiopServer,e as NerScanner,g as PII_PATTERNS,h as PII_PRESETS,i as PiiScanner,f as sanitizeOutput}from'./chunk-CXMVL5IW.js';import'./chunk-VQUSWD4U.js';import'./chunk-SB5XJXKV.js';import'./chunk-V5MKJT6S.js';import'./chunk-DQ6UW6L7.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=server.js.map
 //# sourceMappingURL=server.js.map

package/dist/types.js

@@ -1,2 +1,2 @@
-export{c as PromptSchema,b as ResourceSchema,a as ToolSchema}from'./chunk-TYVG6TXQ.js';import'./chunk-2MGFSIXN.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=types.js.map
+export{c as PromptSchema,b as ResourceSchema,a as ToolSchema}from'./chunk-XOITNPU3.js';import'./chunk-VQUSWD4U.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=types.js.map
 //# sourceMappingURL=types.js.map

package/dist/{verifier-DTCD9imJ.d.ts → verifier-COnid_dg.d.ts}

@@ -15,7 +15,7 @@ declare class LiopVerifier {
      * @param remoteImageIdHex The ImageID reported by the provider (must match our local calculation).
      * @param zkReceipt The mathematical proof (Seal + Journal) from the zkVM.
      */
-    verifyZkReceipt(logicPayload: Buffer, remoteImageIdHex: string, zkReceipt: Buffer, sessionSecret?: Buffer): Promise<boolean>;
+    verifyZkReceipt(logicPayload: Buffer, remoteImageIdHex: string, zkReceipt: Buffer, sessionSecret?: Buffer, expectedOutput?: unknown): Promise<boolean>;
     /**
      * Verifies if a node is running inside an authenticated TEE (e.g. AWS Nitro).
      *

package/dist/verifier-XU2DB56Z.js

@@ -0,0 +1,2 @@
+export{a as LiopVerifier}from'./chunk-PWCXZWSE.js';import'./chunk-ANFXJGMP.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=verifier-XU2DB56Z.js.map
+//# sourceMappingURL=verifier-XU2DB56Z.js.map

package/dist/{verifier-Z26UC7M4.js.map → verifier-XU2DB56Z.js.map}

@@ -1 +1 @@
-{"version":3,"sources":[],"names":[],"mappings":"","file":"verifier-Z26UC7M4.js"}
+{"version":3,"sources":[],"names":[],"mappings":"","file":"verifier-XU2DB56Z.js"}

package/dist/workers/zk-verifier.d.ts

@@ -12,6 +12,8 @@ interface ZkVerificationPayload {
     zkReceipt?: Uint8Array;
     /** Kyber-derived session secret to verify HMAC signature */
     sessionSecret?: Uint8Array;
+    /** The expected output value of the computation for anti-replay/tampering verification */
+    expectedOutput?: unknown;
 }
 /**
  * Main worker entry point for Piscina.

package/dist/workers/zk-verifier.js

@@ -1,2 +1,2 @@
-import {b}from'../chunk-ANFXJGMP.js';import'../chunk-4C666HHU.js';import d from'crypto';import'worker_threads';function u(e){return b(e)}async function y(e){let{logicPayload:t,remoteImageIdHex:o,zkReceipt:g,sessionSecret:n}=e,a=u(t).toString("hex");if(a!==o)return {verified:false,message:`Integrity Violation: Local (${a.slice(0,8)}) != Remote (${o.slice(0,8)})`};let r=Buffer.from(g);if(r.length<35)return {verified:false,message:"Receipt too short for binary format."};let s=r[0];if(s!==1)return {verified:false,message:`Unknown receipt version: ${s}`};let f=r.readUInt16BE(1),c=r.subarray(3,3+f),l=r.subarray(3+f);if(l.length!==32)return {verified:false,message:"Invalid seal length (expected 32 bytes HMAC-SHA256)."};try{let i=JSON.parse(c.toString());if(i.image_id!==a)return {verified:!1,message:`Journal ImageID mismatch: ${i.image_id.slice(0,8)} != ${a.slice(0,8)}`}}catch{return {verified:false,message:"Failed to parse journal data."}}if(n&&n.length>0){let i=d.createHmac("sha256",n).update(c).digest();if(!d.timingSafeEqual(l,i))return {verified:false,message:"Invalid seal: HMAC verification failed."}}return {verified:true,message:"HMAC Commitment Verified: Integrity intact."}}async function p(e){try{if(e.action==="warmup")return {verified:!0,message:"warm"};if(e.action==="verify_receipt")return await y(e);throw new Error("Unknown action in ZkVerifier Worker.")}catch(t){return {verified:false,message:`Verification Error: ${t.message}`}}}export{p as default};//# sourceMappingURL=zk-verifier.js.map
+import {b}from'../chunk-ANFXJGMP.js';import'../chunk-4C666HHU.js';import g from'crypto';import'worker_threads';function I(r){return b(r)}function _(r){try{let e=Buffer.from(r).toString("utf-8").trim();if(!e.includes("__liop_proxy_tool"))return null;let f=e.indexOf("{");if(f===-1)return null;let l=0,i=!1,o=!1,c=!1,s=!1,a=-1;for(let n=f;n<e.length;n++){let t=e[n];if(s){s=!1;continue}if(t==="\\"){s=!0;continue}if(t==='"'&&!o&&!c){i=!i;continue}if(t==="'"&&!i&&!c){o=!o;continue}if(t==="`"&&!i&&!o){c=!c;continue}if(!i&&!o&&!c){if(t==="{")l++;else if(t==="}"&&(l--,l===0)){a=n;break}}}if(a!==-1){let n=e.slice(f,a+1),t=JSON.parse(n);if(t?.__liop_proxy_tool)return t}}catch{}return null}async function k(r){let{logicPayload:e,remoteImageIdHex:f,zkReceipt:l,sessionSecret:i,expectedOutput:o}=r;if(!e||!f||!l)return {verified:false,message:"Missing required verification fields."};let s=I(e).toString("hex");if(s!==f)return {verified:false,message:`Integrity Violation: Local (${s.slice(0,8)}) != Remote (${f.slice(0,8)})`};let a=Buffer.from(l);if(a.length<35)return {verified:false,message:"Receipt too short for binary format."};let n=a[0];if(n!==1)return {verified:false,message:`Unknown receipt version: ${n}`};let t=a.readUInt16BE(1),p=a.subarray(3,3+t),y=a.subarray(3+t);if(y.length!==32)return {verified:false,message:"Invalid seal length (expected 32 bytes HMAC-SHA256)."};let u;try{if(u=JSON.parse(p.toString()),u.image_id!==s)return {verified:!1,message:`Journal ImageID mismatch: ${u.image_id.slice(0,8)} != ${s.slice(0,8)}`}}catch{return {verified:false,message:"Failed to parse journal data."}}if(i&&i.length>0){let d=g.createHmac("sha256",i).update(p).digest();if(!g.timingSafeEqual(y,d))return {verified:false,message:"Invalid seal: HMAC verification failed."}}if(o!==void 0){let d=_(e),m=d!==null?d:o,x=typeof m=="string"?m:m===void 0?"undefined":JSON.stringify(m),h=g.createHash("sha256").update(x).digest("hex");if(u.output_hash!==h)return {verified:false,message:`Output Hash Mismatch (Replay/Tamper attempt): Journal output_hash (${u.output_hash.slice(0,8)}) != Calculated output_hash (${h.slice(0,8)})`}}return {verified:true,message:"HMAC Commitment Verified: Integrity intact."}}async function S(r){try{if(r.action==="warmup")return {verified:!0,message:"warm"};if(r.action==="verify_receipt")return await k(r);throw new Error("Unknown action in ZkVerifier Worker.")}catch(e){return {verified:false,message:`Verification Error: ${e.message}`}}}export{S as default};//# sourceMappingURL=zk-verifier.js.map
 //# sourceMappingURL=zk-verifier.js.map

package/dist/workers/zk-verifier.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/workers/zk-verifier.ts"],"names":["deriveImageId","logicPayload","deriveLogicImageDigest","verifyZkReceipt","payload","remoteImageIdHex","zkReceipt","sessionSecret","localImageIdHex","receiptBuf","version","journalLen","journal","seal","journalData","expectedSeal","crypto","workerHandler","task","error"],"mappings":"+GAyBA,SAASA,CAAAA,CAAcC,CAAAA,CAAkC,CACxD,OAAOC,CAAAA,CAAuBD,CAAY,CAC3C,CAMA,eAAeE,CAAAA,CACdC,CAAAA,CACkD,CAClD,GAAM,CAAE,YAAA,CAAAH,CAAAA,CAAc,gBAAA,CAAAI,CAAAA,CAAkB,SAAA,CAAAC,CAAAA,CAAW,aAAA,CAAAC,CAAc,CAAA,CAChEH,CAAAA,CAIKI,CAAAA,CADeR,CAAAA,CAAcC,CAAY,CAAA,CACV,QAAA,CAAS,KAAK,CAAA,CAEnD,GAAIO,CAAAA,GAAoBH,CAAAA,CACvB,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,CAAA,4BAAA,EAA+BG,CAAAA,CAAgB,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,aAAA,EAAgBH,CAAAA,CAAiB,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,CAAA,CAChH,CAAA,CAID,IAAMI,CAAAA,CAAa,MAAA,CAAO,IAAA,CAAKH,CAAS,CAAA,CACxC,GAAIG,CAAAA,CAAW,MAAA,CAAS,EAAA,CAEvB,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,sCACV,CAAA,CAGD,IAAMC,CAAAA,CAAUD,CAAAA,CAAW,CAAC,CAAA,CAC5B,GAAIC,CAAAA,GAAY,CAAA,CACf,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,CAAA,yBAAA,EAA4BA,CAAO,CAAA,CAC7C,CAAA,CAGD,IAAMC,CAAAA,CAAaF,CAAAA,CAAW,YAAA,CAAa,CAAC,CAAA,CACtCG,CAAAA,CAAUH,CAAAA,CAAW,QAAA,CAAS,CAAA,CAAG,CAAA,CAAIE,CAAU,CAAA,CAC/CE,CAAAA,CAAOJ,CAAAA,CAAW,QAAA,CAAS,CAAA,CAAIE,CAAU,CAAA,CAE/C,GAAIE,CAAAA,CAAK,MAAA,GAAW,EAAA,CACnB,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,sDACV,CAAA,CAID,GAAI,CACH,IAAMC,CAAAA,CAAc,IAAA,CAAK,KAAA,CAAMF,CAAAA,CAAQ,QAAA,EAAU,CAAA,CACjD,GAAIE,CAAAA,CAAY,QAAA,GAAaN,CAAAA,CAC5B,OAAO,CACN,QAAA,CAAU,CAAA,CAAA,CACV,OAAA,CAAS,CAAA,0BAAA,EAA6BM,CAAAA,CAAY,QAAA,CAAS,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,IAAA,EAAON,CAAAA,CAAgB,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,CACzG,CAEF,CAAA,KAAa,CACZ,OAAO,CAAE,QAAA,CAAU,KAAA,CAAO,OAAA,CAAS,+BAAgC,CACpE,CAGA,GAAID,CAAAA,EAAiBA,CAAAA,CAAc,MAAA,CAAS,CAAA,CAAG,CAC9C,IAAMQ,CAAAA,CAAeC,CAAAA,CACnB,UAAA,CAAW,QAAA,CAAUT,CAAa,CAAA,CAClC,MAAA,CAAOK,CAAO,CAAA,CACd,MAAA,EAAO,CACT,GAAI,CAACI,CAAAA,CAAO,eAAA,CAAgBH,CAAAA,CAAME,CAAY,CAAA,CAC7C,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,yCACV,CAEF,CAEA,OAAO,CACN,QAAA,CAAU,IAAA,CACV,OAAA,CAAS,6CACV,CACD,CAKA,eAAOE,CAAAA,CACNC,CAAAA,CACkD,CAClD,GAAI,CACH,GAAIA,CAAAA,CAAK,MAAA,GAAW,QAAA,CACnB,OAAO,CACN,QAAA,CAAU,CAAA,CAAA,CACV,OAAA,CAAS,MACV,CAAA,CAED,GAAIA,CAAAA,CAAK,MAAA,GAAW,gBAAA,CACnB,OAAO,MAAMf,CAAAA,CAAgBe,CAAI,CAAA,CAElC,MAAM,IAAI,KAAA,CAAM,sCAAsC,CACvD,CAAA,MAASC,CAAAA,CAAO,CACf,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,CAAA,oBAAA,EAAwBA,CAAAA,CAAgB,OAAO,CAAA,CACzD,CACD,CACD","file":"zk-verifier.js","sourcesContent":["import crypto from \"node:crypto\";\nimport { parentPort } from \"node:worker_threads\";\nimport { deriveLogicImageDigest } from \"../crypto/logic-image-id.js\";\n\n// Ensure this worker is used via Piscina pool\nif (!parentPort) {\n\t// Not fatal in Piscina, but handled appropriately\n}\n\n/**\n * ZK Verification Payload Structure.\n * Modeled after RISC Zero & SP1 Receipt formats.\n */\nexport interface ZkVerificationPayload {\n\taction: \"verify_receipt\" | \"warmup\";\n\t/** Original logic payload (JS/WASM) sent by client */\n\tlogicPayload?: Uint8Array;\n\t/** Expected ImageID (SHA-256) of the execution state */\n\tremoteImageIdHex?: string;\n\t/** Cbor-encoded or raw buffer containing the execution Receipt (Journal + Seal) */\n\tzkReceipt?: Uint8Array;\n\t/** Kyber-derived session secret to verify HMAC signature */\n\tsessionSecret?: Uint8Array;\n}\n\nfunction deriveImageId(logicPayload: Uint8Array): Buffer {\n\treturn deriveLogicImageDigest(logicPayload);\n}\n\n/**\n * Simulates heavy ZK-Proof cryptographic verification.\n * In a real environment, this delegates to @risc0/verifier or SP1 FFI bindings.\n */\nasync function verifyZkReceipt(\n\tpayload: ZkVerificationPayload,\n): Promise<{ verified: boolean; message: string }> {\n\tconst { logicPayload, remoteImageIdHex, zkReceipt, sessionSecret } =\n\t\tpayload as Required<ZkVerificationPayload>;\n\n\t// 1. Calculate local ImageID (Integrity Check)\n\tconst localImageId = deriveImageId(logicPayload);\n\tconst localImageIdHex = localImageId.toString(\"hex\");\n\n\tif (localImageIdHex !== remoteImageIdHex) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: `Integrity Violation: Local (${localImageIdHex.slice(0, 8)}) != Remote (${remoteImageIdHex.slice(0, 8)})`,\n\t\t};\n\t}\n\n\t// 2. Structural Verification: Deserialize Binary Receipt\n\tconst receiptBuf = Buffer.from(zkReceipt);\n\tif (receiptBuf.length < 35) {\n\t\t// 1 version + 2 len + 32 seal minimum\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: \"Receipt too short for binary format.\",\n\t\t};\n\t}\n\n\tconst version = receiptBuf[0];\n\tif (version !== 0x01) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: `Unknown receipt version: ${version}`,\n\t\t};\n\t}\n\n\tconst journalLen = receiptBuf.readUInt16BE(1);\n\tconst journal = receiptBuf.subarray(3, 3 + journalLen);\n\tconst seal = receiptBuf.subarray(3 + journalLen);\n\n\tif (seal.length !== 32) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: \"Invalid seal length (expected 32 bytes HMAC-SHA256).\",\n\t\t};\n\t}\n\n\t// 3. Parse journal and verify imageId\n\ttry {\n\t\tconst journalData = JSON.parse(journal.toString());\n\t\tif (journalData.image_id !== localImageIdHex) {\n\t\t\treturn {\n\t\t\t\tverified: false,\n\t\t\t\tmessage: `Journal ImageID mismatch: ${journalData.image_id.slice(0, 8)} != ${localImageIdHex.slice(0, 8)}`,\n\t\t\t};\n\t\t}\n\t} catch (_e) {\n\t\treturn { verified: false, message: \"Failed to parse journal data.\" };\n\t}\n\n\t// 4. Mathematical Verification (HMAC-SHA256)\n\tif (sessionSecret && sessionSecret.length > 0) {\n\t\tconst expectedSeal = crypto\n\t\t\t.createHmac(\"sha256\", sessionSecret)\n\t\t\t.update(journal)\n\t\t\t.digest();\n\t\tif (!crypto.timingSafeEqual(seal, expectedSeal)) {\n\t\t\treturn {\n\t\t\t\tverified: false,\n\t\t\t\tmessage: \"Invalid seal: HMAC verification failed.\",\n\t\t\t};\n\t\t}\n\t}\n\n\treturn {\n\t\tverified: true,\n\t\tmessage: \"HMAC Commitment Verified: Integrity intact.\",\n\t};\n}\n\n/**\n * Main worker entry point for Piscina.\n */\nexport default async function workerHandler(\n\ttask: ZkVerificationPayload,\n): Promise<{ verified: boolean; message: string }> {\n\ttry {\n\t\tif (task.action === \"warmup\") {\n\t\t\treturn {\n\t\t\t\tverified: true,\n\t\t\t\tmessage: \"warm\",\n\t\t\t};\n\t\t}\n\t\tif (task.action === \"verify_receipt\") {\n\t\t\treturn await verifyZkReceipt(task);\n\t\t}\n\t\tthrow new Error(\"Unknown action in ZkVerifier Worker.\");\n\t} catch (error) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: `Verification Error: ${(error as Error).message}`,\n\t\t};\n\t}\n}\n"]}
+{"version":3,"sources":["../../src/workers/zk-verifier.ts"],"names":["deriveImageId","logicPayload","deriveLogicImageDigest","tryExtractProxyOutput","logicStr","firstBraceIdx","braceCount","inDoubleQuote","inSingleQuote","inBacktick","escaped","lastBraceIdx","i","char","jsonStr","parsed","verifyZkReceipt","payload","remoteImageIdHex","zkReceipt","sessionSecret","expectedOutput","localImageIdHex","receiptBuf","version","journalLen","journal","seal","journalData","expectedSeal","crypto","proxyOutput","actualExpected","expectedOutputStr","expectedOutputHash","workerHandler","task","error"],"mappings":"+GA2BA,SAASA,CAAAA,CAAcC,CAAAA,CAAkC,CACxD,OAAOC,CAAAA,CAAuBD,CAAY,CAC3C,CAUA,SAASE,CAAAA,CAAsBF,CAAAA,CAA0C,CACxE,GAAI,CACH,IAAMG,CAAAA,CAAW,MAAA,CAAO,IAAA,CAAKH,CAAY,CAAA,CAAE,QAAA,CAAS,OAAO,CAAA,CAAE,IAAA,EAAK,CAClE,GAAI,CAACG,CAAAA,CAAS,QAAA,CAAS,mBAAmB,CAAA,CACzC,OAAO,IAAA,CAGR,IAAMC,CAAAA,CAAgBD,CAAAA,CAAS,OAAA,CAAQ,GAAG,CAAA,CAC1C,GAAIC,CAAAA,GAAkB,CAAA,CAAA,CACrB,OAAO,IAAA,CAGR,IAAIC,CAAAA,CAAa,CAAA,CACbC,CAAAA,CAAgB,CAAA,CAAA,CAChBC,CAAAA,CAAgB,CAAA,CAAA,CAChBC,CAAAA,CAAa,CAAA,CAAA,CACbC,CAAAA,CAAU,GACVC,CAAAA,CAAe,CAAA,CAAA,CAEnB,IAAA,IAASC,CAAAA,CAAIP,CAAAA,CAAeO,CAAAA,CAAIR,CAAAA,CAAS,MAAA,CAAQQ,CAAAA,EAAAA,CAAK,CACrD,IAAMC,CAAAA,CAAOT,CAAAA,CAASQ,CAAC,CAAA,CAEvB,GAAIF,CAAAA,CAAS,CACZA,CAAAA,CAAU,CAAA,CAAA,CACV,QACD,CAEA,GAAIG,CAAAA,GAAS,IAAA,CAAM,CAClBH,CAAAA,CAAU,CAAA,CAAA,CACV,QACD,CAEA,GAAIG,CAAAA,GAAS,GAAA,EAAO,CAACL,CAAAA,EAAiB,CAACC,CAAAA,CAAY,CAClDF,CAAAA,CAAgB,CAACA,CAAAA,CACjB,QACD,CAEA,GAAIM,CAAAA,GAAS,GAAA,EAAO,CAACN,CAAAA,EAAiB,CAACE,CAAAA,CAAY,CAClDD,CAAAA,CAAgB,CAACA,CAAAA,CACjB,QACD,CAEA,GAAIK,CAAAA,GAAS,GAAA,EAAO,CAACN,CAAAA,EAAiB,CAACC,EAAe,CACrDC,CAAAA,CAAa,CAACA,CAAAA,CACd,QACD,CAEA,GAAI,CAACF,CAAAA,EAAiB,CAACC,CAAAA,EAAiB,CAACC,CAAAA,CAAAA,CACxC,GAAII,CAAAA,GAAS,GAAA,CACZP,CAAAA,EAAAA,CAAAA,KAAAA,GACUO,CAAAA,GAAS,GAAA,GACnBP,CAAAA,EAAAA,CACIA,CAAAA,GAAe,CAAA,CAAA,CAAG,CACrBK,CAAAA,CAAeC,CAAAA,CACf,KACD,CAAA,CAGH,CAEA,GAAID,CAAAA,GAAiB,CAAA,CAAA,CAAI,CACxB,IAAMG,CAAAA,CAAUV,CAAAA,CAAS,KAAA,CAAMC,CAAAA,CAAeM,CAAAA,CAAe,CAAC,CAAA,CACxDI,CAAAA,CAAS,IAAA,CAAK,KAAA,CAAMD,CAAO,CAAA,CACjC,GAAIC,CAAAA,EAAQ,iBAAA,CACX,OAAOA,CAET,CACD,CAAA,KAAa,CAEb,CACA,OAAO,IACR,CAMA,eAAeC,CAAAA,CACdC,CAAAA,CACkD,CAClD,GAAM,CACL,YAAA,CAAAhB,CAAAA,CACA,gBAAA,CAAAiB,CAAAA,CACA,SAAA,CAAAC,CAAAA,CACA,aAAA,CAAAC,CAAAA,CACA,cAAA,CAAAC,CACD,CAAA,CAAIJ,CAAAA,CAEJ,GAAI,CAAChB,CAAAA,EAAgB,CAACiB,CAAAA,EAAoB,CAACC,CAAAA,CAC1C,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,uCACV,CAAA,CAKD,IAAMG,CAAAA,CADetB,CAAAA,CAAcC,CAAY,CAAA,CACV,QAAA,CAAS,KAAK,CAAA,CAEnD,GAAIqB,CAAAA,GAAoBJ,CAAAA,CACvB,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,CAAA,4BAAA,EAA+BI,CAAAA,CAAgB,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,aAAA,EAAgBJ,CAAAA,CAAiB,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,CAAA,CAChH,CAAA,CAID,IAAMK,CAAAA,CAAa,MAAA,CAAO,IAAA,CAAKJ,CAAS,CAAA,CACxC,GAAII,CAAAA,CAAW,MAAA,CAAS,EAAA,CAEvB,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,sCACV,CAAA,CAGD,IAAMC,CAAAA,CAAUD,CAAAA,CAAW,CAAC,CAAA,CAC5B,GAAIC,CAAAA,GAAY,CAAA,CACf,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,CAAA,yBAAA,EAA4BA,CAAO,CAAA,CAC7C,CAAA,CAGD,IAAMC,CAAAA,CAAaF,CAAAA,CAAW,YAAA,CAAa,CAAC,CAAA,CACtCG,CAAAA,CAAUH,CAAAA,CAAW,QAAA,CAAS,CAAA,CAAG,CAAA,CAAIE,CAAU,CAAA,CAC/CE,CAAAA,CAAOJ,CAAAA,CAAW,QAAA,CAAS,CAAA,CAAIE,CAAU,CAAA,CAE/C,GAAIE,CAAAA,CAAK,MAAA,GAAW,EAAA,CACnB,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,sDACV,CAAA,CAID,IAAIC,CAAAA,CACJ,GAAI,CAEH,GADAA,EAAc,IAAA,CAAK,KAAA,CAAMF,CAAAA,CAAQ,QAAA,EAAU,CAAA,CACvCE,CAAAA,CAAY,QAAA,GAAaN,CAAAA,CAC5B,OAAO,CACN,QAAA,CAAU,CAAA,CAAA,CACV,OAAA,CAAS,CAAA,0BAAA,EAA6BM,CAAAA,CAAY,QAAA,CAAS,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,IAAA,EAAON,CAAAA,CAAgB,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,CACzG,CAEF,CAAA,KAAa,CACZ,OAAO,CAAE,QAAA,CAAU,KAAA,CAAO,OAAA,CAAS,+BAAgC,CACpE,CAGA,GAAIF,CAAAA,EAAiBA,CAAAA,CAAc,MAAA,CAAS,CAAA,CAAG,CAC9C,IAAMS,CAAAA,CAAeC,CAAAA,CACnB,UAAA,CAAW,QAAA,CAAUV,CAAa,CAAA,CAClC,MAAA,CAAOM,CAAO,CAAA,CACd,MAAA,EAAO,CACT,GAAI,CAACI,CAAAA,CAAO,eAAA,CAAgBH,CAAAA,CAAME,CAAY,CAAA,CAC7C,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,yCACV,CAEF,CAGA,GAAIR,CAAAA,GAAmB,MAAA,CAAW,CACjC,IAAMU,CAAAA,CAAc5B,CAAAA,CAAsBF,CAAY,CAAA,CAChD+B,CAAAA,CAAiBD,CAAAA,GAAgB,IAAA,CAAOA,CAAAA,CAAcV,CAAAA,CAEtDY,CAAAA,CACL,OAAOD,CAAAA,EAAmB,QAAA,CACvBA,CAAAA,CACAA,CAAAA,GAAmB,MAAA,CAClB,WAAA,CACA,IAAA,CAAK,SAAA,CAAUA,CAAc,CAAA,CAC5BE,CAAAA,CAAqBJ,CAAAA,CACzB,UAAA,CAAW,QAAQ,CAAA,CACnB,MAAA,CAAOG,CAAiB,CAAA,CACxB,MAAA,CAAO,KAAK,CAAA,CAEd,GAAIL,CAAAA,CAAY,WAAA,GAAgBM,CAAAA,CAC/B,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,CAAA,mEAAA,EAAsEN,CAAAA,CAAY,WAAA,CAAY,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,gCAAgCM,CAAAA,CAAmB,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,CAAA,CACjL,CAEF,CAEA,OAAO,CACN,QAAA,CAAU,IAAA,CACV,OAAA,CAAS,6CACV,CACD,CAKA,eAAOC,CAAAA,CACNC,CAAAA,CACkD,CAClD,GAAI,CACH,GAAIA,CAAAA,CAAK,MAAA,GAAW,QAAA,CACnB,OAAO,CACN,QAAA,CAAU,CAAA,CAAA,CACV,OAAA,CAAS,MACV,CAAA,CAED,GAAIA,CAAAA,CAAK,MAAA,GAAW,gBAAA,CACnB,OAAO,MAAMpB,CAAAA,CAAgBoB,CAAI,CAAA,CAElC,MAAM,IAAI,KAAA,CAAM,sCAAsC,CACvD,CAAA,MAASC,CAAAA,CAAO,CACf,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,CAAA,oBAAA,EAAwBA,CAAAA,CAAgB,OAAO,CAAA,CACzD,CACD,CACD","file":"zk-verifier.js","sourcesContent":["import crypto from \"node:crypto\";\nimport { parentPort } from \"node:worker_threads\";\nimport { deriveLogicImageDigest } from \"../crypto/logic-image-id.js\";\n\n// Ensure this worker is used via Piscina pool\nif (!parentPort) {\n\t// Not fatal in Piscina, but handled appropriately\n}\n\n/**\n * ZK Verification Payload Structure.\n * Modeled after RISC Zero & SP1 Receipt formats.\n */\nexport interface ZkVerificationPayload {\n\taction: \"verify_receipt\" | \"warmup\";\n\t/** Original logic payload (JS/WASM) sent by client */\n\tlogicPayload?: Uint8Array;\n\t/** Expected ImageID (SHA-256) of the execution state */\n\tremoteImageIdHex?: string;\n\t/** Cbor-encoded or raw buffer containing the execution Receipt (Journal + Seal) */\n\tzkReceipt?: Uint8Array;\n\t/** Kyber-derived session secret to verify HMAC signature */\n\tsessionSecret?: Uint8Array;\n\t/** The expected output value of the computation for anti-replay/tampering verification */\n\texpectedOutput?: unknown;\n}\n\nfunction deriveImageId(logicPayload: Uint8Array): Buffer {\n\treturn deriveLogicImageDigest(logicPayload);\n}\n\ninterface ZkJournal {\n\timage_id: string;\n\tdataset_hash: string;\n\toutput_hash: string;\n\tfuel: number;\n\tts: number;\n}\n\nfunction tryExtractProxyOutput(logicPayload: Uint8Array): unknown | null {\n\ttry {\n\t\tconst logicStr = Buffer.from(logicPayload).toString(\"utf-8\").trim();\n\t\tif (!logicStr.includes(\"__liop_proxy_tool\")) {\n\t\t\treturn null;\n\t\t}\n\n\t\tconst firstBraceIdx = logicStr.indexOf(\"{\");\n\t\tif (firstBraceIdx === -1) {\n\t\t\treturn null;\n\t\t}\n\n\t\tlet braceCount = 0;\n\t\tlet inDoubleQuote = false;\n\t\tlet inSingleQuote = false;\n\t\tlet inBacktick = false;\n\t\tlet escaped = false;\n\t\tlet lastBraceIdx = -1;\n\n\t\tfor (let i = firstBraceIdx; i < logicStr.length; i++) {\n\t\t\tconst char = logicStr[i];\n\n\t\t\tif (escaped) {\n\t\t\t\tescaped = false;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tif (char === \"\\\\\") {\n\t\t\t\tescaped = true;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tif (char === '\"' && !inSingleQuote && !inBacktick) {\n\t\t\t\tinDoubleQuote = !inDoubleQuote;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tif (char === \"'\" && !inDoubleQuote && !inBacktick) {\n\t\t\t\tinSingleQuote = !inSingleQuote;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tif (char === \"`\" && !inDoubleQuote && !inSingleQuote) {\n\t\t\t\tinBacktick = !inBacktick;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tif (!inDoubleQuote && !inSingleQuote && !inBacktick) {\n\t\t\t\tif (char === \"{\") {\n\t\t\t\t\tbraceCount++;\n\t\t\t\t} else if (char === \"}\") {\n\t\t\t\t\tbraceCount--;\n\t\t\t\t\tif (braceCount === 0) {\n\t\t\t\t\t\tlastBraceIdx = i;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (lastBraceIdx !== -1) {\n\t\t\tconst jsonStr = logicStr.slice(firstBraceIdx, lastBraceIdx + 1);\n\t\t\tconst parsed = JSON.parse(jsonStr);\n\t\t\tif (parsed?.__liop_proxy_tool) {\n\t\t\t\treturn parsed;\n\t\t\t}\n\t\t}\n\t} catch (_e) {\n\t\t// Fallback\n\t}\n\treturn null;\n}\n\n/**\n * Simulates heavy ZK-Proof cryptographic verification.\n * In a real environment, this delegates to @risc0/verifier or SP1 FFI bindings.\n */\nasync function verifyZkReceipt(\n\tpayload: ZkVerificationPayload,\n): Promise<{ verified: boolean; message: string }> {\n\tconst {\n\t\tlogicPayload,\n\t\tremoteImageIdHex,\n\t\tzkReceipt,\n\t\tsessionSecret,\n\t\texpectedOutput,\n\t} = payload;\n\n\tif (!logicPayload || !remoteImageIdHex || !zkReceipt) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: \"Missing required verification fields.\",\n\t\t};\n\t}\n\n\t// 1. Calculate local ImageID (Integrity Check)\n\tconst localImageId = deriveImageId(logicPayload);\n\tconst localImageIdHex = localImageId.toString(\"hex\");\n\n\tif (localImageIdHex !== remoteImageIdHex) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: `Integrity Violation: Local (${localImageIdHex.slice(0, 8)}) != Remote (${remoteImageIdHex.slice(0, 8)})`,\n\t\t};\n\t}\n\n\t// 2. Structural Verification: Deserialize Binary Receipt\n\tconst receiptBuf = Buffer.from(zkReceipt);\n\tif (receiptBuf.length < 35) {\n\t\t// 1 version + 2 len + 32 seal minimum\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: \"Receipt too short for binary format.\",\n\t\t};\n\t}\n\n\tconst version = receiptBuf[0];\n\tif (version !== 0x01) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: `Unknown receipt version: ${version}`,\n\t\t};\n\t}\n\n\tconst journalLen = receiptBuf.readUInt16BE(1);\n\tconst journal = receiptBuf.subarray(3, 3 + journalLen);\n\tconst seal = receiptBuf.subarray(3 + journalLen);\n\n\tif (seal.length !== 32) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: \"Invalid seal length (expected 32 bytes HMAC-SHA256).\",\n\t\t};\n\t}\n\n\t// 3. Parse journal and verify imageId\n\tlet journalData: ZkJournal;\n\ttry {\n\t\tjournalData = JSON.parse(journal.toString()) as ZkJournal;\n\t\tif (journalData.image_id !== localImageIdHex) {\n\t\t\treturn {\n\t\t\t\tverified: false,\n\t\t\t\tmessage: `Journal ImageID mismatch: ${journalData.image_id.slice(0, 8)} != ${localImageIdHex.slice(0, 8)}`,\n\t\t\t};\n\t\t}\n\t} catch (_e) {\n\t\treturn { verified: false, message: \"Failed to parse journal data.\" };\n\t}\n\n\t// 4. Mathematical Verification (HMAC-SHA256)\n\tif (sessionSecret && sessionSecret.length > 0) {\n\t\tconst expectedSeal = crypto\n\t\t\t.createHmac(\"sha256\", sessionSecret)\n\t\t\t.update(journal)\n\t\t\t.digest();\n\t\tif (!crypto.timingSafeEqual(seal, expectedSeal)) {\n\t\t\treturn {\n\t\t\t\tverified: false,\n\t\t\t\tmessage: \"Invalid seal: HMAC verification failed.\",\n\t\t\t};\n\t\t}\n\t}\n\n\t// 5. Output Hash Verification (Anti-Replay / Anti-Tampering)\n\tif (expectedOutput !== undefined) {\n\t\tconst proxyOutput = tryExtractProxyOutput(logicPayload);\n\t\tconst actualExpected = proxyOutput !== null ? proxyOutput : expectedOutput;\n\n\t\tconst expectedOutputStr =\n\t\t\ttypeof actualExpected === \"string\"\n\t\t\t\t? actualExpected\n\t\t\t\t: actualExpected === undefined\n\t\t\t\t\t? \"undefined\"\n\t\t\t\t\t: JSON.stringify(actualExpected);\n\t\tconst expectedOutputHash = crypto\n\t\t\t.createHash(\"sha256\")\n\t\t\t.update(expectedOutputStr)\n\t\t\t.digest(\"hex\");\n\n\t\tif (journalData.output_hash !== expectedOutputHash) {\n\t\t\treturn {\n\t\t\t\tverified: false,\n\t\t\t\tmessage: `Output Hash Mismatch (Replay/Tamper attempt): Journal output_hash (${journalData.output_hash.slice(0, 8)}) != Calculated output_hash (${expectedOutputHash.slice(0, 8)})`,\n\t\t\t};\n\t\t}\n\t}\n\n\treturn {\n\t\tverified: true,\n\t\tmessage: \"HMAC Commitment Verified: Integrity intact.\",\n\t};\n}\n\n/**\n * Main worker entry point for Piscina.\n */\nexport default async function workerHandler(\n\ttask: ZkVerificationPayload,\n): Promise<{ verified: boolean; message: string }> {\n\ttry {\n\t\tif (task.action === \"warmup\") {\n\t\t\treturn {\n\t\t\t\tverified: true,\n\t\t\t\tmessage: \"warm\",\n\t\t\t};\n\t\t}\n\t\tif (task.action === \"verify_receipt\") {\n\t\t\treturn await verifyZkReceipt(task);\n\t\t}\n\t\tthrow new Error(\"Unknown action in ZkVerifier Worker.\");\n\t} catch (error) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: `Verification Error: ${(error as Error).message}`,\n\t\t};\n\t}\n}\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nekzus/liop",
-  "version": "2.0.1-beta.1",
+  "version": "2.1.0-alpha.2",
   "description": "Official SDK for Logic-Injection-on-Origin Protocol (LIOP). Deploy Logic-on-Origin with WebAssembly at gRPC speed and bidirectional MCP compatibility.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -79,54 +79,54 @@
     "node": ">=20.0"
   },
   "devDependencies": {
-    "@biomejs/biome": "^2.4.4",
-    "@opentelemetry/api": "^1.9.1",
-    "@opentelemetry/sdk-metrics": "^2.7.0",
-    "@types/node": "^25.3.1",
-    "@types/oidc-provider": "^9.5.0",
-    "@vitest/coverage-v8": "^4.0.18",
-    "acorn": "^8.16.0",
-    "acorn-walk": "^8.3.5",
-    "tsup": "^8.5.1",
-    "tsx": "^4.21.0",
-    "typescript": "^5.9.3",
-    "vitest": "^4.0.18",
-    "zod": "^3.23.11",
-    "zod-to-json-schema": "^3.24.1"
+    "@biomejs/biome": "2.4.4",
+    "@opentelemetry/api": "1.9.1",
+    "@opentelemetry/sdk-metrics": "2.7.0",
+    "@types/node": "25.3.1",
+    "@types/oidc-provider": "9.5.0",
+    "@vitest/coverage-v8": "4.1.8",
+    "acorn": "8.16.0",
+    "acorn-walk": "8.3.5",
+    "tsup": "8.5.1",
+    "tsx": "4.21.0",
+    "typescript": "5.9.3",
+    "vitest": "4.1.8",
+    "zod": "3.25.76",
+    "zod-to-json-schema": "3.24.1"
   },
   "dependencies": {
-    "@chainsafe/libp2p-noise": "^17.0.0",
-    "@chainsafe/libp2p-yamux": "^8.0.1",
-    "@grpc/grpc-js": "^1.14.3",
-    "@grpc/proto-loader": "^0.8.0",
-    "@hono/node-server": "^1.19.11",
-    "@libp2p/bootstrap": "^12.0.22",
-    "@libp2p/crypto": "^5.1.18",
-    "@libp2p/identify": "^4.1.6",
-    "@libp2p/kad-dht": "^16.3.0",
-    "@libp2p/peer-id": "^6.0.9",
-    "@libp2p/ping": "^3.1.5",
-    "@libp2p/tcp": "^11.0.20",
-    "@libp2p/websockets": "^10.1.13",
-    "@multiformats/multiaddr": "^13.0.1",
-    "hono": "^4.12.5",
-    "it-pipe": "^3.0.1",
-    "jose": "^6.2.3",
-    "libp2p": "^3.3.1",
-    "mlkem": "^2.7.0",
-    "multiformats": "^13.4.2",
-    "oidc-provider": "^9.8.3",
-    "piscina": "^5.1.4",
-    "uint8arrays": "^3.1.1"
+    "@chainsafe/libp2p-noise": "17.0.0",
+    "@chainsafe/libp2p-yamux": "8.0.1",
+    "@grpc/grpc-js": "1.14.4",
+    "@grpc/proto-loader": "0.8.1",
+    "@hono/node-server": "1.19.11",
+    "@libp2p/bootstrap": "12.0.24",
+    "@libp2p/crypto": "5.1.18",
+    "@libp2p/identify": "4.1.6",
+    "@libp2p/kad-dht": "16.3.1",
+    "@libp2p/peer-id": "6.0.9",
+    "@libp2p/ping": "3.1.5",
+    "@libp2p/tcp": "11.0.20",
+    "@libp2p/websockets": "10.1.13",
+    "@multiformats/multiaddr": "13.0.1",
+    "hono": "4.12.23",
+    "it-pipe": "3.0.1",
+    "jose": "6.2.3",
+    "libp2p": "3.3.3",
+    "mlkem": "2.7.0",
+    "multiformats": "13.4.2",
+    "oidc-provider": "9.8.4",
+    "piscina": "5.1.4",
+    "uint8arrays": "3.1.1"
   },
   "optionalDependencies": {
-    "@modelcontextprotocol/sdk": "^1.28.0",
+    "@modelcontextprotocol/sdk": "1.28.0",
     "compromise": "14.15.0",
-    "gpt-tokenizer": "^3.4.0"
+    "gpt-tokenizer": "3.4.0"
   },
   "peerDependencies": {
-    "@modelcontextprotocol/sdk": "^1.28.0",
-    "@opentelemetry/api": "^1.9.1"
+    "@modelcontextprotocol/sdk": "1.28.0",
+    "@opentelemetry/api": "1.9.1"
   },
   "peerDependenciesMeta": {
     "@modelcontextprotocol/sdk": {
@@ -138,7 +138,7 @@
   },
   "overrides": {
     "content-type": "1.0.5",
-    "protobufjs": "^7.5.8",
+    "protobufjs": "7.5.8",
     "type-is": "2.0.1"
   },
   "scripts": {