@nexart/codemode-sdk 1.8.4 → 1.10.0

package/dist/esm/core.cjs

@@ -1,8 +1,11 @@
 'use strict';
 
+var ed25519 = require('@noble/ed25519');
+var sha2_js = require('@noble/hashes/sha2.js');
+
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 // version.ts
-var SDK_VERSION = "1.8.4";
+var SDK_VERSION = "1.10.0";
 var PROTOCOL_VERSION = "1.2.0";
 var PROTOCOL_PHASE = 3;
 
@@ -25,6 +28,20 @@ var DEFAULT_CONFIG = {
   minDuration: 1,
   maxDuration: 4
 };
+var CodeVerifyCode = {
+  OK: "OK",
+  CERTIFICATE_HASH_MISMATCH: "CERTIFICATE_HASH_MISMATCH",
+  SNAPSHOT_HASH_MISMATCH: "SNAPSHOT_HASH_MISMATCH",
+  RENDER_HASH_MISMATCH: "RENDER_HASH_MISMATCH",
+  INVALID_SHA256_FORMAT: "INVALID_SHA256_FORMAT",
+  CANONICALIZATION_ERROR: "CANONICALIZATION_ERROR",
+  SCHEMA_ERROR: "SCHEMA_ERROR",
+  NODE_RECEIPT_MISSING: "NODE_RECEIPT_MISSING",
+  NODE_RECEIPT_KEY_NOT_FOUND: "NODE_RECEIPT_KEY_NOT_FOUND",
+  NODE_RECEIPT_INVALID_SIGNATURE: "NODE_RECEIPT_INVALID_SIGNATURE",
+  NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED: "NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED",
+  UNKNOWN_ERROR: "UNKNOWN_ERROR"
+};
 
 // p5-runtime.ts
 var CODE_MODE_PROTOCOL_VERSION = PROTOCOL_VERSION;
@@ -1632,6 +1649,384 @@ function createEngine(config) {
   };
 }
 
+// canonicalJson.ts
+function toCanonicalJson(value) {
+  if (value === null) return "null";
+  if (typeof value === "boolean") return value ? "true" : "false";
+  if (typeof value === "number") {
+    if (!isFinite(value)) throw new Error(`toCanonicalJson: non-finite number ${value}`);
+    return JSON.stringify(value);
+  }
+  if (typeof value === "string") return JSON.stringify(value);
+  if (Array.isArray(value)) {
+    return "[" + value.map(toCanonicalJson).join(",") + "]";
+  }
+  if (typeof value === "object") {
+    const obj = value;
+    const keys = Object.keys(obj).sort();
+    return "{" + keys.filter((k) => obj[k] !== void 0 && typeof obj[k] !== "function").map((k) => `${JSON.stringify(k)}:${toCanonicalJson(obj[k])}`).join(",") + "}";
+  }
+  throw new Error(`toCanonicalJson: unsupported type ${typeof value}`);
+}
+
+// nodeReceipt.ts
+ed25519.hashes.sha512 = sha2_js.sha512;
+function base64urlToBytes(s) {
+  const pad = s.length % 4;
+  const base64 = s.replace(/-/g, "+").replace(/_/g, "/") + (pad ? "=".repeat(4 - pad) : "");
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  }
+  const binary = atob(base64);
+  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
+}
+async function verifyNodeReceiptSignature(params) {
+  try {
+    const { receipt, signatureB64Url, key } = params;
+    let pubKeyBytes;
+    if (key.jwk) {
+      if (key.jwk.kty !== "OKP" || key.jwk.crv !== "Ed25519") {
+        return {
+          ok: false,
+          code: CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED,
+          details: [
+            `JWK must have kty=OKP and crv=Ed25519, got kty=${key.jwk.kty} crv=${key.jwk.crv}`
+          ]
+        };
+      }
+      pubKeyBytes = base64urlToBytes(key.jwk.x);
+    } else if (key.rawB64Url) {
+      pubKeyBytes = base64urlToBytes(key.rawB64Url);
+    } else if (key.spkiB64) {
+      const spkiBytes = base64urlToBytes(key.spkiB64);
+      if (spkiBytes.length < 32) {
+        return {
+          ok: false,
+          code: CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED,
+          details: ["SPKI key too short to extract Ed25519 public key"]
+        };
+      }
+      pubKeyBytes = spkiBytes.slice(spkiBytes.length - 32);
+    } else {
+      return {
+        ok: false,
+        code: CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED,
+        details: ["No usable key provided: supply jwk, rawB64Url, or spkiB64"]
+      };
+    }
+    if (pubKeyBytes.length !== 32) {
+      return {
+        ok: false,
+        code: CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED,
+        details: [`Ed25519 public key must be 32 bytes, got ${pubKeyBytes.length}`]
+      };
+    }
+    const sigBytes = base64urlToBytes(signatureB64Url);
+    if (sigBytes.length !== 64) {
+      return {
+        ok: false,
+        code: CodeVerifyCode.NODE_RECEIPT_INVALID_SIGNATURE,
+        details: [`Ed25519 signature must be 64 bytes, got ${sigBytes.length}`]
+      };
+    }
+    const msgBytes = new TextEncoder().encode(toCanonicalJson(receipt));
+    const isValid = await ed25519.verify(sigBytes, msgBytes, pubKeyBytes);
+    if (!isValid) {
+      return {
+        ok: false,
+        code: CodeVerifyCode.NODE_RECEIPT_INVALID_SIGNATURE,
+        details: ["Ed25519 signature verification failed"]
+      };
+    }
+    return { ok: true, code: CodeVerifyCode.OK };
+  } catch (err) {
+    return {
+      ok: false,
+      code: CodeVerifyCode.NODE_RECEIPT_INVALID_SIGNATURE,
+      details: [err instanceof Error ? err.message : String(err)]
+    };
+  }
+}
+async function fetchNodeKeys(nodeUrl) {
+  const url = `${nodeUrl.replace(/\/+$/, "")}/.well-known/nexart-node.json`;
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`Failed to fetch node keys from ${url}: HTTP ${response.status}`);
+  }
+  const data = await response.json();
+  if (typeof data !== "object" || data === null) {
+    throw new Error("Node keys response is not an object");
+  }
+  const doc = data;
+  if (typeof doc.nodeId !== "string" || !Array.isArray(doc.keys)) {
+    throw new Error("Node keys document missing required fields (nodeId, keys)");
+  }
+  return data;
+}
+function selectNodeKey(doc, kid) {
+  if (kid) {
+    const found = doc.keys.find((k) => k.kid === kid);
+    if (!found) {
+      return {
+        error: {
+          ok: false,
+          code: CodeVerifyCode.NODE_RECEIPT_KEY_NOT_FOUND,
+          details: [`Key with kid="${kid}" not found in node keys document`]
+        }
+      };
+    }
+    return { key: found };
+  }
+  if (doc.activeKid) {
+    const found = doc.keys.find((k) => k.kid === doc.activeKid);
+    if (!found) {
+      return {
+        error: {
+          ok: false,
+          code: CodeVerifyCode.NODE_RECEIPT_KEY_NOT_FOUND,
+          details: [`activeKid="${doc.activeKid}" not found in keys array`]
+        }
+      };
+    }
+    return { key: found };
+  }
+  if (doc.keys.length === 0) {
+    return {
+      error: {
+        ok: false,
+        code: CodeVerifyCode.NODE_RECEIPT_KEY_NOT_FOUND,
+        details: ["No keys available in node keys document"]
+      }
+    };
+  }
+  return { key: doc.keys[0] };
+}
+function extractReceiptAndSignature(bundle) {
+  if (typeof bundle !== "object" || bundle === null) return null;
+  const b = bundle;
+  if (typeof b.receipt === "object" && b.receipt !== null && typeof b.signature === "string") {
+    return {
+      receipt: b.receipt,
+      signatureB64Url: b.signature,
+      attestorKeyId: typeof b.attestorKeyId === "string" ? b.attestorKeyId : void 0
+    };
+  }
+  if (typeof b.attestation === "object" && b.attestation !== null) {
+    const att = b.attestation;
+    if (typeof att.receipt === "object" && att.receipt !== null && typeof att.signature === "string") {
+      return {
+        receipt: att.receipt,
+        signatureB64Url: att.signature,
+        attestorKeyId: typeof att.attestorKeyId === "string" ? att.attestorKeyId : void 0
+      };
+    }
+  }
+  if (typeof b.meta === "object" && b.meta !== null) {
+    const meta = b.meta;
+    if (typeof meta.attestation === "object" && meta.attestation !== null) {
+      const att = meta.attestation;
+      if (typeof att.receipt === "object" && att.receipt !== null && typeof att.signature === "string") {
+        return {
+          receipt: att.receipt,
+          signatureB64Url: att.signature,
+          attestorKeyId: typeof att.attestorKeyId === "string" ? att.attestorKeyId : void 0
+        };
+      }
+    }
+  }
+  return null;
+}
+async function verifyBundleAttestation(bundle, options) {
+  const extracted = extractReceiptAndSignature(bundle);
+  if (!extracted) {
+    return {
+      ok: false,
+      code: CodeVerifyCode.NODE_RECEIPT_MISSING,
+      details: ["No signed receipt found in bundle (expected bundle.receipt + bundle.signature or bundle.attestation envelope)"]
+    };
+  }
+  const nodeId = extracted.receipt.nodeId;
+  const resolvedKid = options.kid ?? extracted.attestorKeyId ?? extracted.receipt.attestorKeyId;
+  function ctx() {
+    const lines = [];
+    if (nodeId) lines.push(`nodeId: ${nodeId}`);
+    if (resolvedKid) lines.push(`kid: ${resolvedKid}`);
+    return lines;
+  }
+  if (typeof bundle.certificateHash === "string") {
+    const bundleCertHash = bundle.certificateHash;
+    if (extracted.receipt.certificateHash !== bundleCertHash) {
+      return {
+        ok: false,
+        code: CodeVerifyCode.CERTIFICATE_HASH_MISMATCH,
+        details: [
+          "Receipt certificateHash does not match bundle certificateHash",
+          `receipt.certificateHash: ${extracted.receipt.certificateHash}`,
+          `bundle.certificateHash:  ${bundleCertHash}`,
+          ...ctx()
+        ]
+      };
+    }
+  }
+  let keysDoc;
+  try {
+    keysDoc = await fetchNodeKeys(options.nodeUrl);
+  } catch (err) {
+    return {
+      ok: false,
+      code: CodeVerifyCode.NODE_RECEIPT_KEY_NOT_FOUND,
+      details: [...ctx(), err instanceof Error ? err.message : String(err)]
+    };
+  }
+  const selected = selectNodeKey(keysDoc, resolvedKid);
+  if (selected.error) {
+    return {
+      ...selected.error,
+      details: [...ctx(), ...selected.error.details ?? []]
+    };
+  }
+  const keyEntry = selected.key;
+  const keyParam = {};
+  if (keyEntry.publicKeyJwk) keyParam.jwk = keyEntry.publicKeyJwk;
+  else if (keyEntry.publicKey) keyParam.rawB64Url = keyEntry.publicKey;
+  else if (keyEntry.publicKeySpkiB64) keyParam.spkiB64 = keyEntry.publicKeySpkiB64;
+  else {
+    return {
+      ok: false,
+      code: CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED,
+      details: [
+        `Key kid="${keyEntry.kid}" has no usable public key field (publicKeyJwk, publicKey, or publicKeySpkiB64)`,
+        ...ctx()
+      ]
+    };
+  }
+  const sigResult = await verifyNodeReceiptSignature({
+    receipt: extracted.receipt,
+    signatureB64Url: extracted.signatureB64Url,
+    key: keyParam
+  });
+  const contextLines = ctx();
+  if (contextLines.length === 0) return sigResult;
+  return sigResult.ok ? { ok: true, code: CodeVerifyCode.OK, details: contextLines } : { ...sigResult, details: [...contextLines, ...sigResult.details ?? []] };
+}
+
+// attestation.ts
+function getAttestationReceipt(bundle) {
+  if (typeof bundle !== "object" || bundle === null) return null;
+  const b = bundle;
+  if (typeof b.receipt === "object" && b.receipt !== null && typeof b.signature === "string") {
+    const r = b.receipt;
+    return {
+      attestationId: r.attestationId,
+      attestedAt: r.attestedAt,
+      nodeId: r.nodeId,
+      attestorKeyId: r.attestorKeyId,
+      nodeRuntimeHash: r.nodeRuntimeHash,
+      certificateHash: r.certificateHash,
+      protocolVersion: r.protocolVersion,
+      receipt: r,
+      signature: b.signature
+    };
+  }
+  if (typeof b.attestation === "object" && b.attestation !== null) {
+    const att = b.attestation;
+    if (typeof att.receipt === "object" && att.receipt !== null && typeof att.signature === "string") {
+      const r = att.receipt;
+      return {
+        attestationId: r.attestationId,
+        attestedAt: r.attestedAt,
+        nodeId: r.nodeId,
+        attestorKeyId: r.attestorKeyId,
+        nodeRuntimeHash: r.nodeRuntimeHash,
+        certificateHash: r.certificateHash,
+        protocolVersion: r.protocolVersion,
+        receipt: r,
+        signature: att.signature
+      };
+    }
+  }
+  if (typeof b.attestationId === "string") {
+    return {
+      attestationId: b.attestationId,
+      attestedAt: typeof b.attestedAt === "string" ? b.attestedAt : "",
+      nodeId: typeof b.nodeId === "string" ? b.nodeId : void 0,
+      attestorKeyId: typeof b.attestorKeyId === "string" ? b.attestorKeyId : void 0,
+      nodeRuntimeHash: typeof b.nodeRuntimeHash === "string" ? b.nodeRuntimeHash : void 0,
+      certificateHash: typeof b.certificateHash === "string" ? b.certificateHash : void 0,
+      protocolVersion: typeof b.protocolVersion === "string" ? b.protocolVersion : void 0
+    };
+  }
+  return null;
+}
+function hasAttestation(bundle) {
+  return getAttestationReceipt(bundle) !== null;
+}
+
+// cerProtocol.ts
+var ReasonCode = {
+  BUNDLE_HASH_MISMATCH: "BUNDLE_HASH_MISMATCH",
+  NODE_SIGNATURE_INVALID: "NODE_SIGNATURE_INVALID",
+  NODE_SIGNATURE_MISSING: "NODE_SIGNATURE_MISSING",
+  RECEIPT_HASH_MISMATCH: "RECEIPT_HASH_MISMATCH",
+  SCHEMA_VERSION_UNSUPPORTED: "SCHEMA_VERSION_UNSUPPORTED",
+  RECORD_NOT_FOUND: "RECORD_NOT_FOUND",
+  BUNDLE_CORRUPTED: "BUNDLE_CORRUPTED"
+};
+
+// verifyDetailed.ts
+function validateSnapshotStructure(snapshot) {
+  const codes = [];
+  if (!snapshot || typeof snapshot !== "object") {
+    codes.push(ReasonCode.BUNDLE_CORRUPTED);
+    return codes;
+  }
+  if (snapshot.protocol !== "nexart") {
+    codes.push(ReasonCode.SCHEMA_VERSION_UNSUPPORTED);
+  }
+  if (!snapshot.outputHash || !snapshot.outputHash.startsWith("sha256:")) {
+    codes.push(ReasonCode.BUNDLE_CORRUPTED);
+  }
+  if (!snapshot.codeHash || !snapshot.codeHash.startsWith("sha256:")) {
+    codes.push(ReasonCode.BUNDLE_CORRUPTED);
+  }
+  return codes;
+}
+function verifyCodeModeSnapshotDetailed(snapshot, options = {}) {
+  const verifiedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const verifier = "@nexart/codemode-sdk";
+  if (!snapshot || typeof snapshot !== "object" || Array.isArray(snapshot)) {
+    return {
+      status: "FAILED",
+      checks: { bundleIntegrity: "FAIL", nodeSignature: "SKIPPED", receiptConsistency: "SKIPPED" },
+      reasonCodes: [ReasonCode.BUNDLE_CORRUPTED],
+      certificateHash: "",
+      bundleType: "codemode.snapshot.v1",
+      verifiedAt,
+      verifier
+    };
+  }
+  const snap = snapshot;
+  const structureReasons = validateSnapshotStructure(snap);
+  const hashReasons = [];
+  if (options.outputHash !== void 0 && options.outputHash !== snap.outputHash) {
+    hashReasons.push(ReasonCode.BUNDLE_HASH_MISMATCH);
+  }
+  if (options.codeHash !== void 0 && options.codeHash !== snap.codeHash) {
+    hashReasons.push(ReasonCode.BUNDLE_HASH_MISMATCH);
+  }
+  const reasonCodes = [.../* @__PURE__ */ new Set([...structureReasons, ...hashReasons])];
+  const bundleIntegrity = reasonCodes.length === 0 ? "PASS" : "FAIL";
+  return {
+    status: bundleIntegrity === "PASS" ? "VERIFIED" : "FAILED",
+    checks: { bundleIntegrity, nodeSignature: "SKIPPED", receiptConsistency: "SKIPPED" },
+    reasonCodes,
+    certificateHash: snap.outputHash ?? "",
+    bundleType: "codemode.snapshot.v1",
+    verifiedAt,
+    verifier
+  };
+}
+
 // core-index.ts
 var SDK_VERSION2 = SDK_VERSION;
 var SDK_NAME = "@nexart/codemode-sdk";
@@ -1639,11 +2034,13 @@ var SDK_NAME = "@nexart/codemode-sdk";
 exports.CODE_MODE_ENFORCEMENT = CODE_MODE_ENFORCEMENT;
 exports.CODE_MODE_PROTOCOL_PHASE = CODE_MODE_PROTOCOL_PHASE;
 exports.CODE_MODE_PROTOCOL_VERSION = CODE_MODE_PROTOCOL_VERSION;
+exports.CodeVerifyCode = CodeVerifyCode;
 exports.DEFAULT_CONFIG = DEFAULT_CONFIG;
 exports.DEFAULT_VARS = DEFAULT_VARS;
 exports.PROTOCOL_IDENTITY = PROTOCOL_IDENTITY;
 exports.PROTOCOL_PHASE = PROTOCOL_PHASE;
 exports.PROTOCOL_VERSION = PROTOCOL_VERSION;
+exports.ReasonCode = ReasonCode;
 exports.SDK_NAME = SDK_NAME;
 exports.SDK_VERSION = SDK_VERSION2;
 exports.VAR_COUNT = VAR_COUNT;
@@ -1654,7 +2051,15 @@ exports.createEngine = createEngine;
 exports.createP5Runtime = createP5Runtime;
 exports.createProtocolVAR = createProtocolVAR;
 exports.executeCodeMode = executeCodeMode;
+exports.fetchNodeKeys = fetchNodeKeys;
+exports.getAttestationReceipt = getAttestationReceipt;
+exports.hasAttestation = hasAttestation;
 exports.injectTimeVariables = injectTimeVariables;
 exports.runLoopMode = runLoopMode;
 exports.runStaticMode = runStaticMode;
+exports.selectNodeKey = selectNodeKey;
+exports.toCanonicalJson = toCanonicalJson;
 exports.validateCodeModeSource = validateCodeModeSource;
+exports.verifyBundleAttestation = verifyBundleAttestation;
+exports.verifyCodeModeSnapshotDetailed = verifyCodeModeSnapshotDetailed;
+exports.verifyNodeReceiptSignature = verifyNodeReceiptSignature;