@nekzus/liop 2.1.0 → 2.2.0

package/dist/client.js

@@ -1,2 +1,9 @@
-export{b as LiopClient}from'./chunk-T3L6OCM3.js';import'./chunk-PWCXZWSE.js';import'./chunk-ANFXJGMP.js';import'./chunk-DBXGYHKY.js';import'./chunk-V5MKJT6S.js';import'./chunk-DQ6UW6L7.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=client.js.map
+export { LiopClient } from './chunk-E5QBDD5E.js';
+import './chunk-32ADSAJS.js';
+import './chunk-OUUTDSOW.js';
+import './chunk-QLCOEP5J.js';
+import './chunk-RDWCGZ2A.js';
+import './chunk-NJRSFFD7.js';
+import './chunk-72MNYFR6.js';
+//# sourceMappingURL=client.js.map
 //# sourceMappingURL=client.js.map

package/dist/gateway.d.ts

@@ -1,7 +1,7 @@
 import { MeshNode } from './mesh.js';
-import { L as LiopServer } from './index-DO97j6hP.js';
+import { L as LiopServer } from './index-BlGc0iym.js';
 import { L as LiopVerifier } from './verifier-COnid_dg.js';
-import { M as McpRequest, A as AuthInfo, b as McpResponse } from './types-DzEXgi4s.js';
+import { M as McpRequest, A as AuthInfo, b as McpResponse } from './types-sKeUxuky.js';
 import 'zod';
 import 'jose';
 

package/dist/gateway.js

@@ -1,2 +1,10 @@
-export{b as LiopHybridGateway}from'./chunk-GI2LSJYZ.js';import'./chunk-I46YEWND.js';import'./chunk-PWCXZWSE.js';import'./chunk-ANFXJGMP.js';import'./chunk-DBXGYHKY.js';import'./chunk-SB5XJXKV.js';import'./chunk-V5MKJT6S.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=gateway.js.map
+export { LiopHybridGateway } from './chunk-PHTWUTY7.js';
+import './chunk-HB5DXX3Q.js';
+import './chunk-32ADSAJS.js';
+import './chunk-OUUTDSOW.js';
+import './chunk-QLCOEP5J.js';
+import './chunk-IJHTRIZC.js';
+import './chunk-RDWCGZ2A.js';
+import './chunk-72MNYFR6.js';
+//# sourceMappingURL=gateway.js.map
 //# sourceMappingURL=gateway.js.map

package/dist/{index-DO97j6hP.d.ts → index-BlGc0iym.d.ts}

@@ -1,6 +1,6 @@
 import { z } from 'zod';
 import { MeshNode } from './mesh.js';
-import { J as JwtValidator, S as ServerInfo, a as CallToolResult, P as Prompt, G as GetPromptRequest, c as GetPromptResult, C as CallToolRequest, T as Tool, R as Resource } from './types-DzEXgi4s.js';
+import { J as JwtValidator, S as ServerInfo, a as CallToolResult, P as Prompt, G as GetPromptRequest, c as GetPromptResult, C as CallToolRequest, T as Tool, R as Resource } from './types-sKeUxuky.js';
 
 /**
  * LIOP OAuth 2.1 Hybrid Auth — Configuration Types
@@ -505,6 +505,15 @@ declare class LiopServer {
     private loadRevocationList;
     revokeToken(token: string): void;
     revokeTokenHash(hash: string): void;
+    /**
+     * Resets the query budget for a specific client identity.
+     * If toolName is provided, only that tool's budget is cleared.
+     * Otherwise, all tool budgets for the client are reset.
+     *
+     * Operates on both in-memory and persistent (disk) budget stores.
+     * Uses file-level locking for safe concurrent access.
+     */
+    resetFieldBudget(clientId: string, toolName?: string): void;
     private getPersistentBudget;
     private savePersistentBudget;
     private executeWithBudgetLock;

package/dist/{index-Brfvxmdt.d.ts → index-qM8ZH8sC.d.ts}

@@ -1,6 +1,6 @@
 import { L as LiopVerifier } from './verifier-COnid_dg.js';
 import { MeshNodeConfig } from './mesh.js';
-import { C as CallToolRequest, a as CallToolResult } from './types-DzEXgi4s.js';
+import { C as CallToolRequest, a as CallToolResult } from './types-sKeUxuky.js';
 
 /**
  * LIOP TLS Configuration

package/dist/index.d.ts

@@ -1,12 +1,12 @@
 export { LiopBridgeOptions, LiopMcpBridge, LiopStreamBridge, LiopStreamBridgeOptions } from './bridge.js';
-import { L as LiopTlsOptions } from './index-Brfvxmdt.js';
-export { a as LiopClient } from './index-Brfvxmdt.js';
+import { L as LiopTlsOptions } from './index-qM8ZH8sC.js';
+export { a as LiopClient } from './index-qM8ZH8sC.js';
 export { LiopHybridGateway } from './gateway.js';
 export { LiopManifest, MeshNode, MeshNodeConfig } from './mesh.js';
 import * as grpc from '@grpc/grpc-js';
-export { A as AUTH_DEFAULTS, b as AggregationPolicy, c as AuthRole, d as LiopAuthConfig, L as LiopServer, a as LiopServerOptions, e as LogicExecutionPolicy, N as NerScanner, O as OAuthClientConfig, f as OutputSanitizerConfig, P as PII_PATTERNS, g as PII_PRESETS, h as PiiRule, i as PiiScanner, T as ToolHandler, s as sanitizeOutput } from './index-DO97j6hP.js';
-import { A as AuthInfo } from './types-DzEXgi4s.js';
-export { C as CallToolRequest, a as CallToolResult, G as GetPromptRequest, c as GetPromptResult, J as JwtValidator, M as McpRequest, b as McpResponse, P as Prompt, d as PromptSchema, R as Resource, e as ResourceSchema, S as ServerInfo, T as Tool, f as ToolSchema } from './types-DzEXgi4s.js';
+export { A as AUTH_DEFAULTS, b as AggregationPolicy, c as AuthRole, d as LiopAuthConfig, L as LiopServer, a as LiopServerOptions, e as LogicExecutionPolicy, N as NerScanner, O as OAuthClientConfig, f as OutputSanitizerConfig, P as PII_PATTERNS, g as PII_PRESETS, h as PiiRule, i as PiiScanner, T as ToolHandler, s as sanitizeOutput } from './index-BlGc0iym.js';
+import { A as AuthInfo } from './types-sKeUxuky.js';
+export { C as CallToolRequest, a as CallToolResult, G as GetPromptRequest, c as GetPromptResult, J as JwtValidator, M as McpRequest, b as McpResponse, P as Prompt, d as PromptSchema, R as Resource, e as ResourceSchema, S as ServerInfo, T as Tool, f as ToolSchema } from './types-sKeUxuky.js';
 import * as jose from 'jose';
 import Provider from 'oidc-provider';
 import '@modelcontextprotocol/sdk/server/mcp.js';

package/dist/index.js

@@ -1,4 +1,48 @@
-export{c as WasiSandbox,b as getDefaultEnvironment}from'./chunk-RYYRR4N5.js';export{b as LiopClient,a as LiopRpcClient}from'./chunk-T3L6OCM3.js';export{c as PromptSchema,b as ResourceSchema,a as ToolSchema}from'./chunk-TYVG6TXQ.js';export{b as LiopMcpBridge,a as LiopStreamBridge}from'./chunk-GJUZGKZW.js';export{b as LiopHybridGateway,a as buildProtectedResourceMetadata}from'./chunk-GI2LSJYZ.js';export{b as AUTH_DEFAULTS,c as JwtValidator,a as LiopRpcServer,j as LiopServer,e as NerScanner,g as PII_PATTERNS,h as PII_PRESETS,i as PiiScanner,d as createOAuthServer,f as sanitizeOutput}from'./chunk-UCCGDGHE.js';import'./chunk-2MGFSIXN.js';export{b as HeuristicTokenEstimator,e as LiopOTelBridge,a as RealTokenEstimator,f as TokenTelemetryEngine,d as createSyncTokenEstimator,c as createTokenEstimator}from'./chunk-I46YEWND.js';import'./chunk-PWCXZWSE.js';import'./chunk-ANFXJGMP.js';import'./chunk-DBXGYHKY.js';export{b as LIOP_SCOPES,a as authorizeRequest}from'./chunk-SB5XJXKV.js';import'./chunk-V5MKJT6S.js';export{a as MeshNode}from'./chunk-DQ6UW6L7.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';var h=(e=>(e.CapabilityViolation="CapabilityViolation",e.SandboxEscape="SandboxEscape",e.PiiLeak="PiiLeak",e.InvalidIntent="InvalidIntent",e.Throttled="Throttled",e.ZkVerificationFailed="ZkVerificationFailed",e.MeshUnavailable="MeshUnavailable",e.ConnectionFailed="ConnectionFailed",e))(h||{}),n=class extends Error{code;constructor(o,t){super(t),this.name="LiopError",this.code=o;}};var x={claude:{xmlStandard:true,jsonSchemaPreferred:false},openai:{xmlStandard:false,jsonSchemaPreferred:true},gemini:{xmlStandard:false,jsonSchemaPreferred:true}};function W(i){let o=x[i],t=`[LIOP-PROTO-V1: LOGIC-ON-ORIGIN SPECIFICATION]
+export { WasiSandbox, getDefaultEnvironment } from './chunk-J3WPBMJ5.js';
+export { LiopClient, LiopRpcClient } from './chunk-E5QBDD5E.js';
+export { PromptSchema, ResourceSchema, ToolSchema } from './chunk-CT6NHSYP.js';
+export { LiopMcpBridge, LiopStreamBridge } from './chunk-UVO7DII3.js';
+export { LiopHybridGateway, buildProtectedResourceMetadata } from './chunk-PHTWUTY7.js';
+export { AUTH_DEFAULTS, JwtValidator, LiopRpcServer, LiopServer, NerScanner, PII_PATTERNS, PII_PRESETS, PiiScanner, createOAuthServer, sanitizeOutput } from './chunk-2JLG4DET.js';
+export { HeuristicTokenEstimator, LiopOTelBridge, RealTokenEstimator, TokenTelemetryEngine, createSyncTokenEstimator, createTokenEstimator } from './chunk-HB5DXX3Q.js';
+import './chunk-32ADSAJS.js';
+import './chunk-OUUTDSOW.js';
+import './chunk-QLCOEP5J.js';
+export { LIOP_SCOPES, authorizeRequest } from './chunk-IJHTRIZC.js';
+import './chunk-RDWCGZ2A.js';
+export { MeshNode } from './chunk-NJRSFFD7.js';
+import './chunk-72MNYFR6.js';
+
+// src/errors.ts
+var ErrorCode = /* @__PURE__ */ ((ErrorCode2) => {
+  ErrorCode2["CapabilityViolation"] = "CapabilityViolation";
+  ErrorCode2["SandboxEscape"] = "SandboxEscape";
+  ErrorCode2["PiiLeak"] = "PiiLeak";
+  ErrorCode2["InvalidIntent"] = "InvalidIntent";
+  ErrorCode2["Throttled"] = "Throttled";
+  ErrorCode2["ZkVerificationFailed"] = "ZkVerificationFailed";
+  ErrorCode2["MeshUnavailable"] = "MeshUnavailable";
+  ErrorCode2["ConnectionFailed"] = "ConnectionFailed";
+  return ErrorCode2;
+})(ErrorCode || {});
+var LiopError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "LiopError";
+    this.code = code;
+  }
+};
+
+// src/prompts/adapters.ts
+var PROVIDER_CONFIGS = {
+  claude: { xmlStandard: true, jsonSchemaPreferred: false },
+  openai: { xmlStandard: false, jsonSchemaPreferred: true },
+  gemini: { xmlStandard: false, jsonSchemaPreferred: true }
+};
+function generateSystemInstructions(provider) {
+  const config = PROVIDER_CONFIGS[provider];
+  let instructions = `[LIOP-PROTO-V1: LOGIC-ON-ORIGIN SPECIFICATION]
 You are interacting with a Logic-Injection-on-Origin Protocol (LIOP) Mesh Network.
 Unlike standard MCP where you pull context to evaluate it remotely, in LIOP you WRITE code that executes on the data's origin.
 
@@ -23,7 +67,9 @@ To prevent database reconstruction and inference attacks, numeric query outputs
 - Poisoned globals: eval, Function, setTimeout, setInterval, Buffer, ArrayBuffer, and TypedArrays are undefined.
 - Frozen prototypes: Modifications to Object.prototype, Array.prototype, etc., are blocked.
 - K-Anonymity constraints: Small datasets (< 10 records) limit outputs to max 3 scalar keys with NO nesting. Datasets with >= 10 records limit outputs to max 10 fields.
-`;return o.xmlStandard?t+=`
+`;
+  if (config.xmlStandard) {
+    instructions += `
 ### PAYLOAD FORMATTING (CLAUDE-XML PREFERRED)
 You must wrap your logic precisely within <liop_logic> tags.
 Example:
@@ -32,7 +78,9 @@ const records = await liop.readResource("liop://vault/patients");
 const filtered = records.filter(r => r.disease === "Hypertension");
 return { alert: "High risk demographic", targetCount: filtered.length };
 </liop_logic>
-`:o.jsonSchemaPreferred&&(t+=`
+`;
+  } else if (config.jsonSchemaPreferred) {
+    instructions += `
 ### PAYLOAD FORMATTING (JSON PARSING PREFERRED)
 You must provide your logic strictly within a JSON string key called \`"logic_blob"\` inside your tool call parameters.
 Example:
@@ -40,5 +88,11 @@ Example:
   "target": "liop://vault/patients",
   "logic_blob": "const records = await liop.readResource(args.target); return { targetCount: records.filter(r => r.disease === 'Hypertension').length };"
 }
-`),t}export{h as ErrorCode,n as LiopError,W as generateSystemInstructions};//# sourceMappingURL=index.js.map
+`;
+  }
+  return instructions;
+}
+
+export { ErrorCode, LiopError, generateSystemInstructions };
+//# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/errors.ts","../src/prompts/adapters.ts"],"names":["ErrorCode","LiopError","code","message","PROVIDER_CONFIGS","generateSystemInstructions","provider","config","instructions"],"mappings":"4lCAAO,IAAKA,OACXA,CAAAA,CAAA,mBAAA,CAAsB,qBAAA,CACtBA,CAAAA,CAAA,cAAgB,eAAA,CAChBA,CAAAA,CAAA,OAAA,CAAU,SAAA,CACVA,EAAA,aAAA,CAAgB,eAAA,CAChBA,EAAA,SAAA,CAAY,WAAA,CACZA,EAAA,oBAAA,CAAuB,sBAAA,CACvBA,CAAAA,CAAA,eAAA,CAAkB,kBAClBA,CAAAA,CAAA,gBAAA,CAAmB,kBAAA,CARRA,CAAAA,CAAAA,EAAAA,CAAAA,EAAA,IAWCC,CAAAA,CAAN,cAAwB,KAAM,CACpB,KAEhB,WAAA,CAAYC,CAAAA,CAAiBC,EAAiB,CAC7C,KAAA,CAAMA,CAAO,CAAA,CACb,IAAA,CAAK,IAAA,CAAO,WAAA,CACZ,KAAK,IAAA,CAAOD,EACb,CACD,ECLA,IAAME,CAAAA,CAAqD,CAC1D,MAAA,CAAQ,CAAE,YAAa,IAAA,CAAM,mBAAA,CAAqB,KAAM,CAAA,CACxD,MAAA,CAAQ,CAAE,WAAA,CAAa,KAAA,CAAO,mBAAA,CAAqB,IAAK,EACxD,MAAA,CAAQ,CAAE,YAAa,KAAA,CAAO,mBAAA,CAAqB,IAAK,CACzD,CAAA,CAMO,SAASC,CAAAA,CAA2BC,EAA8B,CACxE,IAAMC,EAASH,CAAAA,CAAiBE,CAAQ,EAEpCE,CAAAA,CAAe,CAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAAA,CA2BnB,OAAID,CAAAA,CAAO,WAAA,CACVC,CAAAA,EAAgB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAAA,CAUND,CAAAA,CAAO,sBACjBC,CAAAA,EAAgB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAAA,CAAA,CAWVA,CACR","file":"index.js","sourcesContent":["export enum ErrorCode {\n\tCapabilityViolation = \"CapabilityViolation\",\n\tSandboxEscape = \"SandboxEscape\",\n\tPiiLeak = \"PiiLeak\",\n\tInvalidIntent = \"InvalidIntent\",\n\tThrottled = \"Throttled\",\n\tZkVerificationFailed = \"ZkVerificationFailed\",\n\tMeshUnavailable = \"MeshUnavailable\",\n\tConnectionFailed = \"ConnectionFailed\",\n}\n\nexport class LiopError extends Error {\n\tpublic readonly code: ErrorCode;\n\n\tconstructor(code: ErrorCode, message: string) {\n\t\tsuper(message);\n\t\tthis.name = \"LiopError\";\n\t\tthis.code = code;\n\t}\n}\n","/**\n * LIOP Cross-AI Prompt Adapters (Fase 92)\n *\n * Normalizes system instructions for different LLM providers (Claude, OpenAI, Gemini)\n * to ensure they understand how to generate \"Logic-on-Origin\" WASM-compatible payload structures.\n */\n\nexport type AIProvider = \"claude\" | \"openai\" | \"gemini\";\n\nexport interface PromptConfig {\n\txmlStandard: boolean;\n\tjsonSchemaPreferred: boolean;\n}\n\nconst PROVIDER_CONFIGS: Record<AIProvider, PromptConfig> = {\n\tclaude: { xmlStandard: true, jsonSchemaPreferred: false },\n\topenai: { xmlStandard: false, jsonSchemaPreferred: true },\n\tgemini: { xmlStandard: false, jsonSchemaPreferred: true },\n};\n\n/**\n * Generates specific System Prompts optimized for the provided AI.\n * This instructs the LLM on how to bypass Context-Pulling and use Logic-Injection (Zero-Shot).\n */\nexport function generateSystemInstructions(provider: AIProvider): string {\n\tconst config = PROVIDER_CONFIGS[provider];\n\n\tlet instructions = `[LIOP-PROTO-V1: LOGIC-ON-ORIGIN SPECIFICATION]\nYou are interacting with a Logic-Injection-on-Origin Protocol (LIOP) Mesh Network.\nUnlike standard MCP where you pull context to evaluate it remotely, in LIOP you WRITE code that executes on the data's origin.\n\n### CORE PARADIGM\nWhen you call a tool or resource, you MUST provide a payload that represents secure sandboxed logic to be executed on the remote Node.\nThe node will execute your logic securely on the raw secure data, and return only the RESULT, avoiding PII data egress.\n\n### EXECUTION RULES\n1. Provide a self-contained JavaScript syntax block that we will compile to WASM-Sandboxed logic.\n2. Rely only on standard ECMA script features (No Node.js polyfills).\n3. The logic must end by returning the calculated insights, not the raw data.\n\n### DIFFERENTIAL PRIVACY (DP) MECHANISM (Laplace Mechanism)\nTo prevent database reconstruction and inference attacks, numeric query outputs are processed by a Laplace DP engine:\n- COUNT / LENGTH queries: To get EXACT integer values without noise, you MUST name return keys containing 'count', 'length', 'size', 'num', 'positive', 'negative', or starting with 'total_' or 'num_' (e.g. 'total_tx', 'credits_count'). This forces sensitivity=1.0, rounds values, and clamps to non-negative values.\n- AVERAGE queries: Return keys containing 'avg', 'mean', or 'average' scale down noise automatically by dividing global sensitivity by the dataset size (sensitivity / n).\n- SUM / OTHER queries: Return keys without these semantic names receive full Laplace noise based on the global node sensitivity (which can be up to 100,000 in Bank nodes to protect raw balances). Do NOT attempt to bypass this by renaming sum fields to count fields, as it violates protocol integrity.\n\n### SANDBOX RUNTIME RESTRICTIONS & WORKAROUNDS\n- Date is poisoned: The 'Date' class/constructor is undefined (calling 'new Date()', 'Date.now()', or 'Date.parse()' will crash the execution).\n  - Workaround: Perform chronological sorting and comparisons lexicographically on ISO 8601 string dates (e.g. record.date >= '2024-01-01').\n- Poisoned globals: eval, Function, setTimeout, setInterval, Buffer, ArrayBuffer, and TypedArrays are undefined.\n- Frozen prototypes: Modifications to Object.prototype, Array.prototype, etc., are blocked.\n- K-Anonymity constraints: Small datasets (< 10 records) limit outputs to max 3 scalar keys with NO nesting. Datasets with >= 10 records limit outputs to max 10 fields.\n`;\n\n\tif (config.xmlStandard) {\n\t\tinstructions += `\n### PAYLOAD FORMATTING (CLAUDE-XML PREFERRED)\nYou must wrap your logic precisely within <liop_logic> tags.\nExample:\n<liop_logic>\nconst records = await liop.readResource(\"liop://vault/patients\");\nconst filtered = records.filter(r => r.disease === \"Hypertension\");\nreturn { alert: \"High risk demographic\", targetCount: filtered.length };\n</liop_logic>\n`;\n\t} else if (config.jsonSchemaPreferred) {\n\t\tinstructions += `\n### PAYLOAD FORMATTING (JSON PARSING PREFERRED)\nYou must provide your logic strictly within a JSON string key called \\`\"logic_blob\"\\` inside your tool call parameters.\nExample:\n{\n  \"target\": \"liop://vault/patients\",\n  \"logic_blob\": \"const records = await liop.readResource(args.target); return { targetCount: records.filter(r => r.disease === 'Hypertension').length };\"\n}\n`;\n\t}\n\n\treturn instructions;\n}\n"]}
+{"version":3,"sources":["../src/errors.ts","../src/prompts/adapters.ts"],"names":["ErrorCode"],"mappings":";;;;;;;;;;;;;;;;AAAO,IAAK,SAAA,qBAAAA,UAAAA,KAAL;AACN,EAAAA,WAAA,qBAAA,CAAA,GAAsB,qBAAA;AACtB,EAAAA,WAAA,eAAA,CAAA,GAAgB,eAAA;AAChB,EAAAA,WAAA,SAAA,CAAA,GAAU,SAAA;AACV,EAAAA,WAAA,eAAA,CAAA,GAAgB,eAAA;AAChB,EAAAA,WAAA,WAAA,CAAA,GAAY,WAAA;AACZ,EAAAA,WAAA,sBAAA,CAAA,GAAuB,sBAAA;AACvB,EAAAA,WAAA,iBAAA,CAAA,GAAkB,iBAAA;AAClB,EAAAA,WAAA,kBAAA,CAAA,GAAmB,kBAAA;AARR,EAAA,OAAAA,UAAAA;AAAA,CAAA,EAAA,SAAA,IAAA,EAAA;AAWL,IAAM,SAAA,GAAN,cAAwB,KAAA,CAAM;AAAA,EACpB,IAAA;AAAA,EAEhB,WAAA,CAAY,MAAiB,OAAA,EAAiB;AAC7C,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,WAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAAA,EACb;AACD;;;ACLA,IAAM,gBAAA,GAAqD;AAAA,EAC1D,MAAA,EAAQ,EAAE,WAAA,EAAa,IAAA,EAAM,qBAAqB,KAAA,EAAM;AAAA,EACxD,MAAA,EAAQ,EAAE,WAAA,EAAa,KAAA,EAAO,qBAAqB,IAAA,EAAK;AAAA,EACxD,MAAA,EAAQ,EAAE,WAAA,EAAa,KAAA,EAAO,qBAAqB,IAAA;AACpD,CAAA;AAMO,SAAS,2BAA2B,QAAA,EAA8B;AACxE,EAAA,MAAM,MAAA,GAAS,iBAAiB,QAAQ,CAAA;AAExC,EAAA,IAAI,YAAA,GAAe,CAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAAA;AA2BnB,EAAA,IAAI,OAAO,WAAA,EAAa;AACvB,IAAA,YAAA,IAAgB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAAA;AAAA,EAUjB,CAAA,MAAA,IAAW,OAAO,mBAAA,EAAqB;AACtC,IAAA,YAAA,IAAgB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAAA;AAAA,EASjB;AAEA,EAAA,OAAO,YAAA;AACR","file":"index.js","sourcesContent":["export enum ErrorCode {\n\tCapabilityViolation = \"CapabilityViolation\",\n\tSandboxEscape = \"SandboxEscape\",\n\tPiiLeak = \"PiiLeak\",\n\tInvalidIntent = \"InvalidIntent\",\n\tThrottled = \"Throttled\",\n\tZkVerificationFailed = \"ZkVerificationFailed\",\n\tMeshUnavailable = \"MeshUnavailable\",\n\tConnectionFailed = \"ConnectionFailed\",\n}\n\nexport class LiopError extends Error {\n\tpublic readonly code: ErrorCode;\n\n\tconstructor(code: ErrorCode, message: string) {\n\t\tsuper(message);\n\t\tthis.name = \"LiopError\";\n\t\tthis.code = code;\n\t}\n}\n","/**\n * LIOP Cross-AI Prompt Adapters (Fase 92)\n *\n * Normalizes system instructions for different LLM providers (Claude, OpenAI, Gemini)\n * to ensure they understand how to generate \"Logic-on-Origin\" WASM-compatible payload structures.\n */\n\nexport type AIProvider = \"claude\" | \"openai\" | \"gemini\";\n\nexport interface PromptConfig {\n\txmlStandard: boolean;\n\tjsonSchemaPreferred: boolean;\n}\n\nconst PROVIDER_CONFIGS: Record<AIProvider, PromptConfig> = {\n\tclaude: { xmlStandard: true, jsonSchemaPreferred: false },\n\topenai: { xmlStandard: false, jsonSchemaPreferred: true },\n\tgemini: { xmlStandard: false, jsonSchemaPreferred: true },\n};\n\n/**\n * Generates specific System Prompts optimized for the provided AI.\n * This instructs the LLM on how to bypass Context-Pulling and use Logic-Injection (Zero-Shot).\n */\nexport function generateSystemInstructions(provider: AIProvider): string {\n\tconst config = PROVIDER_CONFIGS[provider];\n\n\tlet instructions = `[LIOP-PROTO-V1: LOGIC-ON-ORIGIN SPECIFICATION]\nYou are interacting with a Logic-Injection-on-Origin Protocol (LIOP) Mesh Network.\nUnlike standard MCP where you pull context to evaluate it remotely, in LIOP you WRITE code that executes on the data's origin.\n\n### CORE PARADIGM\nWhen you call a tool or resource, you MUST provide a payload that represents secure sandboxed logic to be executed on the remote Node.\nThe node will execute your logic securely on the raw secure data, and return only the RESULT, avoiding PII data egress.\n\n### EXECUTION RULES\n1. Provide a self-contained JavaScript syntax block that we will compile to WASM-Sandboxed logic.\n2. Rely only on standard ECMA script features (No Node.js polyfills).\n3. The logic must end by returning the calculated insights, not the raw data.\n\n### DIFFERENTIAL PRIVACY (DP) MECHANISM (Laplace Mechanism)\nTo prevent database reconstruction and inference attacks, numeric query outputs are processed by a Laplace DP engine:\n- COUNT / LENGTH queries: To get EXACT integer values without noise, you MUST name return keys containing 'count', 'length', 'size', 'num', 'positive', 'negative', or starting with 'total_' or 'num_' (e.g. 'total_tx', 'credits_count'). This forces sensitivity=1.0, rounds values, and clamps to non-negative values.\n- AVERAGE queries: Return keys containing 'avg', 'mean', or 'average' scale down noise automatically by dividing global sensitivity by the dataset size (sensitivity / n).\n- SUM / OTHER queries: Return keys without these semantic names receive full Laplace noise based on the global node sensitivity (which can be up to 100,000 in Bank nodes to protect raw balances). Do NOT attempt to bypass this by renaming sum fields to count fields, as it violates protocol integrity.\n\n### SANDBOX RUNTIME RESTRICTIONS & WORKAROUNDS\n- Date is poisoned: The 'Date' class/constructor is undefined (calling 'new Date()', 'Date.now()', or 'Date.parse()' will crash the execution).\n  - Workaround: Perform chronological sorting and comparisons lexicographically on ISO 8601 string dates (e.g. record.date >= '2024-01-01').\n- Poisoned globals: eval, Function, setTimeout, setInterval, Buffer, ArrayBuffer, and TypedArrays are undefined.\n- Frozen prototypes: Modifications to Object.prototype, Array.prototype, etc., are blocked.\n- K-Anonymity constraints: Small datasets (< 10 records) limit outputs to max 3 scalar keys with NO nesting. Datasets with >= 10 records limit outputs to max 10 fields.\n`;\n\n\tif (config.xmlStandard) {\n\t\tinstructions += `\n### PAYLOAD FORMATTING (CLAUDE-XML PREFERRED)\nYou must wrap your logic precisely within <liop_logic> tags.\nExample:\n<liop_logic>\nconst records = await liop.readResource(\"liop://vault/patients\");\nconst filtered = records.filter(r => r.disease === \"Hypertension\");\nreturn { alert: \"High risk demographic\", targetCount: filtered.length };\n</liop_logic>\n`;\n\t} else if (config.jsonSchemaPreferred) {\n\t\tinstructions += `\n### PAYLOAD FORMATTING (JSON PARSING PREFERRED)\nYou must provide your logic strictly within a JSON string key called \\`\"logic_blob\"\\` inside your tool call parameters.\nExample:\n{\n  \"target\": \"liop://vault/patients\",\n  \"logic_blob\": \"const records = await liop.readResource(args.target); return { targetCount: records.filter(r => r.disease === 'Hypertension').length };\"\n}\n`;\n\t}\n\n\treturn instructions;\n}\n"]}

package/dist/kyber-3ULIJSE3.js

@@ -0,0 +1,3 @@
+export { Kyber768Wrapper } from './chunk-QLCOEP5J.js';
+//# sourceMappingURL=kyber-3ULIJSE3.js.map
+//# sourceMappingURL=kyber-3ULIJSE3.js.map

package/dist/{kyber-NONMBQNH.js.map → kyber-3ULIJSE3.js.map}

@@ -1 +1 @@
-{"version":3,"sources":[],"names":[],"mappings":"","file":"kyber-NONMBQNH.js"}
+{"version":3,"sources":[],"names":[],"mappings":"","file":"kyber-3ULIJSE3.js"}

package/dist/mesh.js

@@ -1,2 +1,5 @@
-import'./chunk-RWRRBYG4.js';export{a as MeshNode}from'./chunk-DQ6UW6L7.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=mesh.js.map
+import './chunk-RWRRBYG4.js';
+export { MeshNode } from './chunk-NJRSFFD7.js';
+import './chunk-72MNYFR6.js';
+//# sourceMappingURL=mesh.js.map
 //# sourceMappingURL=mesh.js.map

package/dist/server.d.ts

@@ -1,5 +1,5 @@
-export { b as AggregationPolicy, L as LiopServer, a as LiopServerOptions, e as LogicExecutionPolicy, N as NerScanner, f as OutputSanitizerConfig, P as PII_PATTERNS, g as PII_PRESETS, h as PiiRule, i as PiiScanner, T as ToolHandler, s as sanitizeOutput } from './index-DO97j6hP.js';
+export { b as AggregationPolicy, L as LiopServer, a as LiopServerOptions, e as LogicExecutionPolicy, N as NerScanner, f as OutputSanitizerConfig, P as PII_PATTERNS, g as PII_PRESETS, h as PiiRule, i as PiiScanner, T as ToolHandler, s as sanitizeOutput } from './index-BlGc0iym.js';
 import 'zod';
 import './mesh.js';
-import './types-DzEXgi4s.js';
+import './types-sKeUxuky.js';
 import 'jose';

package/dist/server.js

@@ -1,2 +1,7 @@
-export{j as LiopServer,e as NerScanner,g as PII_PATTERNS,h as PII_PRESETS,i as PiiScanner,f as sanitizeOutput}from'./chunk-UCCGDGHE.js';import'./chunk-2MGFSIXN.js';import'./chunk-SB5XJXKV.js';import'./chunk-V5MKJT6S.js';import'./chunk-DQ6UW6L7.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=server.js.map
+export { LiopServer, NerScanner, PII_PATTERNS, PII_PRESETS, PiiScanner, sanitizeOutput } from './chunk-2JLG4DET.js';
+import './chunk-IJHTRIZC.js';
+import './chunk-RDWCGZ2A.js';
+import './chunk-NJRSFFD7.js';
+import './chunk-72MNYFR6.js';
+//# sourceMappingURL=server.js.map
 //# sourceMappingURL=server.js.map

package/dist/{types-DzEXgi4s.d.ts → types-sKeUxuky.d.ts}

@@ -87,32 +87,14 @@ declare const ToolSchema: z.ZodObject<{
     name: z.ZodString;
     description: z.ZodOptional<z.ZodString>;
     inputSchema: z.ZodRecord<z.ZodString, z.ZodUnknown>;
-}, "strip", z.ZodTypeAny, {
-    name: string;
-    inputSchema: Record<string, unknown>;
-    description?: string | undefined;
-}, {
-    name: string;
-    inputSchema: Record<string, unknown>;
-    description?: string | undefined;
-}>;
+}, z.core.$strip>;
 type Tool = z.infer<typeof ToolSchema>;
 declare const ResourceSchema: z.ZodObject<{
     uri: z.ZodString;
     name: z.ZodString;
     description: z.ZodOptional<z.ZodString>;
     mimeType: z.ZodOptional<z.ZodString>;
-}, "strip", z.ZodTypeAny, {
-    name: string;
-    uri: string;
-    description?: string | undefined;
-    mimeType?: string | undefined;
-}, {
-    name: string;
-    uri: string;
-    description?: string | undefined;
-    mimeType?: string | undefined;
-}>;
+}, z.core.$strip>;
 type Resource = z.infer<typeof ResourceSchema>;
 declare const PromptSchema: z.ZodObject<{
     name: z.ZodString;
@@ -121,32 +103,8 @@ declare const PromptSchema: z.ZodObject<{
         name: z.ZodString;
         description: z.ZodOptional<z.ZodString>;
         required: z.ZodOptional<z.ZodBoolean>;
-    }, "strip", z.ZodTypeAny, {
-        name: string;
-        description?: string | undefined;
-        required?: boolean | undefined;
-    }, {
-        name: string;
-        description?: string | undefined;
-        required?: boolean | undefined;
-    }>, "many">>;
-}, "strip", z.ZodTypeAny, {
-    name: string;
-    description?: string | undefined;
-    arguments?: {
-        name: string;
-        description?: string | undefined;
-        required?: boolean | undefined;
-    }[] | undefined;
-}, {
-    name: string;
-    description?: string | undefined;
-    arguments?: {
-        name: string;
-        description?: string | undefined;
-        required?: boolean | undefined;
-    }[] | undefined;
-}>;
+    }, z.core.$strip>>>;
+}, z.core.$strip>;
 type Prompt = z.infer<typeof PromptSchema>;
 interface CallToolRequest {
     name: string;

package/dist/types.d.ts

@@ -1,3 +1,3 @@
 import 'zod';
-export { A as AuthInfo, C as CallToolRequest, a as CallToolResult, G as GetPromptRequest, c as GetPromptResult, M as McpRequest, b as McpResponse, P as Prompt, d as PromptSchema, R as Resource, e as ResourceSchema, S as ServerInfo, T as Tool, f as ToolSchema } from './types-DzEXgi4s.js';
+export { A as AuthInfo, C as CallToolRequest, a as CallToolResult, G as GetPromptRequest, c as GetPromptResult, M as McpRequest, b as McpResponse, P as Prompt, d as PromptSchema, R as Resource, e as ResourceSchema, S as ServerInfo, T as Tool, f as ToolSchema } from './types-sKeUxuky.js';
 import 'jose';

package/dist/types.js

@@ -1,2 +1,3 @@
-export{c as PromptSchema,b as ResourceSchema,a as ToolSchema}from'./chunk-TYVG6TXQ.js';import'./chunk-2MGFSIXN.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=types.js.map
+export { PromptSchema, ResourceSchema, ToolSchema } from './chunk-CT6NHSYP.js';
+//# sourceMappingURL=types.js.map
 //# sourceMappingURL=types.js.map

package/dist/verifier-3FAKCFNN.js

@@ -0,0 +1,5 @@
+export { LiopVerifier } from './chunk-32ADSAJS.js';
+import './chunk-OUUTDSOW.js';
+import './chunk-72MNYFR6.js';
+//# sourceMappingURL=verifier-3FAKCFNN.js.map
+//# sourceMappingURL=verifier-3FAKCFNN.js.map

package/dist/{verifier-XU2DB56Z.js.map → verifier-3FAKCFNN.js.map}

@@ -1 +1 @@
-{"version":3,"sources":[],"names":[],"mappings":"","file":"verifier-XU2DB56Z.js"}
+{"version":3,"sources":[],"names":[],"mappings":"","file":"verifier-3FAKCFNN.js"}

package/dist/workers/logic-execution.js

@@ -1,2 +1,256 @@
-import {a,c}from'../chunk-RYYRR4N5.js';import {a as a$1,b}from'../chunk-ANFXJGMP.js';import'../chunk-4C666HHU.js';import {Buffer}from'buffer';import g from'crypto';import {createMlKem768}from'mlkem';var R={epsilon:1,sensitivity:1,smallDatasetThreshold:50},L=1,$=10;function K(t,n){let r;do if(n)r=g.createHash("sha256").update(`${n.seed}:${n.counter++}`).digest().readUInt32BE(0)/4294967296-.5;else {let e=g.randomBytes(4),o=e[0]<<24|e[1]<<16|e[2]<<8|e[3];r=Number.parseInt(o.toString(10),10)/4294967296;}while(r===0||r===-0.5);return -t*Math.sign(r)*Math.log(1-2*Math.abs(r))}function G(t,n={},r){let e={...R,...n},o=e.sensitivity/e.epsilon,a=t+K(o,r);return Math.round(a*1e4)/1e4}function E(t,n,r){if(!t)return n;let e=t.toLowerCase(),o=/count|length|size|num|gainer|loser|positive|negative|nan_|null_|empty_|finite_|non_finite_|instruments|tickers|users|records/i.test(e),a=e==="total"||e==="n"||e==="total_records"||e.startsWith("total_")||e.startsWith("num_")||/total.*(count|items|entries|rows|records|tickers)/i.test(e);return o||a?1:/avg|mean|average|var|variance|std|stddev|ratio|bps|drift|pct|percent|imbalance/i.test(e)&&r>0?n/r:n}function W(t,n={},r){let e={...R,...n};if(r>=e.smallDatasetThreshold)return t;r<$&&e.epsilon<L&&(e.epsilon=L);let o;return e.seed&&(o={seed:e.seed,counter:0}),v(t,e,r,void 0,o)}function v(t,n,r,e,o){if(typeof t=="number"&&Number.isFinite(t)){let a=E(e,n.sensitivity,r),c=G(t,{...n,sensitivity:a},o),m=e!=null&&E(e,n.sensitivity,r)===1;return (Number.isInteger(t)||m)&&(c=Math.round(c)),t>=0&&(c=Math.max(0,c)),c}if(Array.isArray(t))return t.map(a=>v(a,n,r,e,o));if(t!==null&&typeof t=="object"){let a={};for(let[c,m]of Object.entries(t))a[c]=v(m,n,r,c,o);return a}return t}async function Q(t){if(typeof Object.prototype=="object"&&!Object.isFrozen(Object.prototype)&&(Object.freeze(Object.prototype),Object.freeze(Array.prototype),Object.freeze(String.prototype),Object.freeze(Number.prototype),Object.freeze(Boolean.prototype),Object.freeze(RegExp.prototype),Object.freeze(Map.prototype),Object.freeze(Set.prototype),Object.freeze(Promise.prototype),Object.freeze(Error.prototype)),t.isWarmup)return {image_id:"",output:"warm",fuel_consumed:0};let{ciphertext:n,secretKeyObj:r,wasmBinary:e,inputs:o,aesNonce:a$2,records:c$1,isEncrypted:m=true,dpConfig:S}=t,s,j={},A=Buffer.alloc(32);if(m){let p=new Uint8Array(r),u=new Uint8Array(n),d=(await createMlKem768()).decap(u,p),f=Buffer.from(d);A=f;let l=Buffer.from(e),x=l.subarray(-16),h=l.subarray(0,-16),w=g.createDecipheriv("aes-256-gcm",f,Buffer.from(a$2||new Uint8Array(12)));w.setAuthTag(x);let y=w.update(h);y=Buffer.concat([y,w.final()]),s=y;for(let[I,M]of Object.entries(o||{})){let k=Buffer.from(M),C=k.subarray(0,12),F=k.subarray(-16),H=k.subarray(12,-16),D=g.createDecipheriv("aes-256-gcm",f,C);D.setAuthTag(F);let _=D.update(H);_=Buffer.concat([_,D.final()]),j[I]=JSON.parse(_.toString("utf-8"));}}else e[0]===0&&e[1]===97&&e[2]===115&&e[3]===109?s=Buffer.from(e):s=Buffer.from(e).toString("utf-8");let z=s[0]===0&&s[1]===97&&s[2]===115&&s[3]===109;if(s instanceof Buffer&&z){let p=new Uint8Array(s),u=await WebAssembly.compile(p);a.analyze(u);}else s instanceof Buffer&&!z&&(s=s.toString("utf-8"));typeof s=="string"&&(s=a$1(s));let O=new c;await O.init();try{let p=await O.execute(s,c$1,j),u=p.output,b$1;typeof s=="string"?b$1=Buffer.from(s,"utf-8"):b$1=new Uint8Array(s);let d=b(b$1).toString("hex"),f=g.createHash("sha256").update(JSON.stringify(c$1||[])).digest("hex");S&&(u=W(u,{...S,seed:`${f}:${d}`},c$1?.length||0));let l=Buffer.from(JSON.stringify({image_id:d,dataset_hash:f,output_hash:g.createHash("sha256").update(typeof u=="string"?u:u===void 0?"undefined":JSON.stringify(u)).digest("hex"),fuel:p.fuelConsumed,ts:Date.now()})),x=g.createHmac("sha256",A).update(l).digest(),h=Buffer.alloc(2);h.writeUInt16BE(l.length);let y=Buffer.concat([Buffer.from([1]),h,l,x]).toString("base64");return {image_id:d,zk_receipt:y,output:u,fuel_consumed:p.fuelConsumed}}finally{await O.teardown();}}export{Q as default};//# sourceMappingURL=logic-execution.js.map
+import { ASTGuardian, WasiSandbox } from '../chunk-J3WPBMJ5.js';
+import { normalizeLogicSource, deriveLogicImageDigest } from '../chunk-OUUTDSOW.js';
+import { Buffer } from 'buffer';
+import crypto2 from 'crypto';
+import { createMlKem768 } from 'mlkem';
+
+var DEFAULT_DP_CONFIG = {
+  epsilon: 1,
+  sensitivity: 1,
+  smallDatasetThreshold: 50
+};
+var EPSILON_FLOOR = 1;
+var EPSILON_FLOOR_THRESHOLD = 10;
+function laplaceSample(scale, prngState) {
+  let u;
+  do {
+    if (prngState) {
+      const hash = crypto2.createHash("sha256").update(`${prngState.seed}:${prngState.counter++}`).digest();
+      u = hash.readUInt32BE(0) / 4294967296 - 0.5;
+    } else {
+      const buf = crypto2.randomBytes(4);
+      const rawVal = buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];
+      const cleanVal = Number.parseInt(rawVal.toString(10), 10);
+      u = cleanVal / 4294967296;
+    }
+  } while (u === 0 || u === -0.5);
+  return -scale * Math.sign(u) * Math.log(1 - 2 * Math.abs(u));
+}
+function addLaplaceNoise(value, config = {}, prngState) {
+  const merged = { ...DEFAULT_DP_CONFIG, ...config };
+  const scale = merged.sensitivity / merged.epsilon;
+  const noisyValue = value + laplaceSample(scale, prngState);
+  return Math.round(noisyValue * 1e4) / 1e4;
+}
+function deriveFieldSensitivity(key, globalSensitivity, recordCount) {
+  if (!key) return globalSensitivity;
+  const lk = key.toLowerCase();
+  const isCountWord = /count|length|size|num|gainer|loser|positive|negative|nan_|null_|empty_|finite_|non_finite_|instruments|tickers|users|records/i.test(
+    lk
+  );
+  const isTotalCount = lk === "total" || lk === "n" || lk === "total_records" || lk.startsWith("total_") || // Catch total_tickers, total_users
+  lk.startsWith("num_") || // Catch num_records, num_ticks
+  /total.*(count|items|entries|rows|records|tickers)/i.test(lk);
+  if (isCountWord || isTotalCount) return 1;
+  if (/avg|mean|average|var|variance|std|stddev|ratio|bps|drift|pct|percent|imbalance/i.test(
+    lk
+  ) && recordCount > 0) {
+    return globalSensitivity / recordCount;
+  }
+  return globalSensitivity;
+}
+function applyDpToOutput(output, config = {}, recordCount) {
+  const merged = { ...DEFAULT_DP_CONFIG, ...config };
+  if (recordCount >= merged.smallDatasetThreshold) {
+    return output;
+  }
+  if (recordCount < EPSILON_FLOOR_THRESHOLD && merged.epsilon < EPSILON_FLOOR) {
+    merged.epsilon = EPSILON_FLOOR;
+  }
+  let prngState;
+  if (merged.seed) {
+    prngState = { seed: merged.seed, counter: 0 };
+  }
+  return walkAndNoise(output, merged, recordCount, void 0, prngState);
+}
+function walkAndNoise(node, config, recordCount, currentKey, prngState) {
+  if (typeof node === "number" && Number.isFinite(node)) {
+    const fieldSensitivity = deriveFieldSensitivity(
+      currentKey,
+      config.sensitivity,
+      recordCount
+    );
+    let noisyValue = addLaplaceNoise(
+      node,
+      {
+        ...config,
+        sensitivity: fieldSensitivity
+      },
+      prngState
+    );
+    const isCountKey = currentKey != null && deriveFieldSensitivity(currentKey, config.sensitivity, recordCount) === 1;
+    if (Number.isInteger(node) || isCountKey) {
+      noisyValue = Math.round(noisyValue);
+    }
+    if (node >= 0) {
+      noisyValue = Math.max(0, noisyValue);
+    }
+    return noisyValue;
+  }
+  if (Array.isArray(node)) {
+    return node.map(
+      (item) => walkAndNoise(item, config, recordCount, currentKey, prngState)
+    );
+  }
+  if (node !== null && typeof node === "object") {
+    const result = {};
+    for (const [key, value] of Object.entries(
+      node
+    )) {
+      result[key] = walkAndNoise(value, config, recordCount, key, prngState);
+    }
+    return result;
+  }
+  return node;
+}
+
+// src/workers/logic-execution.ts
+async function processLogicExecution(data) {
+  if (typeof Object.prototype === "object" && !Object.isFrozen(Object.prototype)) {
+    Object.freeze(Object.prototype);
+    Object.freeze(Array.prototype);
+    Object.freeze(String.prototype);
+    Object.freeze(Number.prototype);
+    Object.freeze(Boolean.prototype);
+    Object.freeze(RegExp.prototype);
+    Object.freeze(Map.prototype);
+    Object.freeze(Set.prototype);
+    Object.freeze(Promise.prototype);
+    Object.freeze(Error.prototype);
+  }
+  if (data.isWarmup) {
+    return {
+      image_id: "",
+      output: "warm",
+      fuel_consumed: 0
+    };
+  }
+  const {
+    ciphertext,
+    secretKeyObj,
+    wasmBinary,
+    inputs,
+    aesNonce,
+    records,
+    isEncrypted = true,
+    dpConfig
+  } = data;
+  let decryptedPayload;
+  const decryptedInputs = {};
+  let sessionSecret = Buffer.alloc(32);
+  if (isEncrypted) {
+    const sk = new Uint8Array(secretKeyObj);
+    const ct = new Uint8Array(ciphertext);
+    const kem = await createMlKem768();
+    const sharedSecret = kem.decap(ct, sk);
+    const aesKey = Buffer.from(sharedSecret);
+    sessionSecret = aesKey;
+    const wasmBuffer = Buffer.from(wasmBinary);
+    const authTag = wasmBuffer.subarray(-16);
+    const encryptedData = wasmBuffer.subarray(0, -16);
+    const decipher = crypto2.createDecipheriv(
+      "aes-256-gcm",
+      aesKey,
+      Buffer.from(aesNonce || new Uint8Array(12))
+    );
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encryptedData);
+    decrypted = Buffer.concat([decrypted, decipher.final()]);
+    decryptedPayload = decrypted;
+    for (const [key, encValue] of Object.entries(inputs || {})) {
+      const valBuffer = Buffer.from(encValue);
+      const inputNonce = valBuffer.subarray(0, 12);
+      const valTag = valBuffer.subarray(-16);
+      const valData = valBuffer.subarray(12, -16);
+      const valDecipher = crypto2.createDecipheriv(
+        "aes-256-gcm",
+        aesKey,
+        inputNonce
+      );
+      valDecipher.setAuthTag(valTag);
+      let valDecrypted = valDecipher.update(valData);
+      valDecrypted = Buffer.concat([valDecrypted, valDecipher.final()]);
+      decryptedInputs[key] = JSON.parse(valDecrypted.toString("utf-8"));
+    }
+  } else {
+    if (wasmBinary[0] === 0 && wasmBinary[1] === 97 && wasmBinary[2] === 115 && wasmBinary[3] === 109) {
+      decryptedPayload = Buffer.from(wasmBinary);
+    } else {
+      decryptedPayload = Buffer.from(wasmBinary).toString("utf-8");
+    }
+  }
+  const isWasm = decryptedPayload[0] === 0 && decryptedPayload[1] === 97 && decryptedPayload[2] === 115 && decryptedPayload[3] === 109;
+  if (decryptedPayload instanceof Buffer && isWasm) {
+    const wasmBytes = new Uint8Array(decryptedPayload);
+    const compiledModule = await WebAssembly.compile(wasmBytes);
+    ASTGuardian.analyze(compiledModule);
+  } else if (decryptedPayload instanceof Buffer && !isWasm) {
+    decryptedPayload = decryptedPayload.toString("utf-8");
+  }
+  if (typeof decryptedPayload === "string") {
+    decryptedPayload = normalizeLogicSource(decryptedPayload);
+  }
+  const sandbox = new WasiSandbox();
+  await sandbox.init();
+  try {
+    const result = await sandbox.execute(
+      decryptedPayload,
+      records,
+      decryptedInputs
+    );
+    let finalOutput = result.output;
+    let logicBytes;
+    if (typeof decryptedPayload === "string") {
+      logicBytes = Buffer.from(decryptedPayload, "utf-8");
+    } else {
+      logicBytes = new Uint8Array(decryptedPayload);
+    }
+    const imageId = deriveLogicImageDigest(logicBytes).toString("hex");
+    const datasetHash = crypto2.createHash("sha256").update(JSON.stringify(records || [])).digest("hex");
+    if (dpConfig) {
+      finalOutput = applyDpToOutput(
+        finalOutput,
+        {
+          ...dpConfig,
+          seed: `${datasetHash}:${imageId}`
+        },
+        records?.length || 0
+      );
+    }
+    const journal = Buffer.from(
+      JSON.stringify({
+        image_id: imageId,
+        dataset_hash: datasetHash,
+        output_hash: crypto2.createHash("sha256").update(
+          typeof finalOutput === "string" ? finalOutput : finalOutput === void 0 ? "undefined" : JSON.stringify(finalOutput)
+        ).digest("hex"),
+        fuel: result.fuelConsumed,
+        ts: Date.now()
+      })
+    );
+    const seal = crypto2.createHmac("sha256", sessionSecret).update(journal).digest();
+    const journalLen = Buffer.alloc(2);
+    journalLen.writeUInt16BE(journal.length);
+    const receiptBuf = Buffer.concat([
+      Buffer.from([1]),
+      // Receipt format v1
+      journalLen,
+      journal,
+      seal
+      // 32 bytes HMAC
+    ]);
+    const zkReceipt = receiptBuf.toString("base64");
+    return {
+      image_id: imageId,
+      zk_receipt: zkReceipt,
+      output: finalOutput,
+      fuel_consumed: result.fuelConsumed
+    };
+  } finally {
+    await sandbox.teardown();
+  }
+}
+
+export { processLogicExecution as default };
+//# sourceMappingURL=logic-execution.js.map
 //# sourceMappingURL=logic-execution.js.map