@nexart/codemode-sdk 1.8.4 → 1.9.0

package/dist/cjs/core.js

@@ -1,5 +1,8 @@
+import { hashes, verify } from '@noble/ed25519';
+import { sha512 } from '@noble/hashes/sha2.js';
+
 // version.ts
-var SDK_VERSION = "1.8.4";
+var SDK_VERSION = "1.9.0";
 var PROTOCOL_VERSION = "1.2.0";
 var PROTOCOL_PHASE = 3;
 
@@ -22,6 +25,20 @@ var DEFAULT_CONFIG = {
   minDuration: 1,
   maxDuration: 4
 };
+var CodeVerifyCode = {
+  OK: "OK",
+  CERTIFICATE_HASH_MISMATCH: "CERTIFICATE_HASH_MISMATCH",
+  SNAPSHOT_HASH_MISMATCH: "SNAPSHOT_HASH_MISMATCH",
+  RENDER_HASH_MISMATCH: "RENDER_HASH_MISMATCH",
+  INVALID_SHA256_FORMAT: "INVALID_SHA256_FORMAT",
+  CANONICALIZATION_ERROR: "CANONICALIZATION_ERROR",
+  SCHEMA_ERROR: "SCHEMA_ERROR",
+  NODE_RECEIPT_MISSING: "NODE_RECEIPT_MISSING",
+  NODE_RECEIPT_KEY_NOT_FOUND: "NODE_RECEIPT_KEY_NOT_FOUND",
+  NODE_RECEIPT_INVALID_SIGNATURE: "NODE_RECEIPT_INVALID_SIGNATURE",
+  NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED: "NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED",
+  UNKNOWN_ERROR: "UNKNOWN_ERROR"
+};
 
 // p5-runtime.ts
 var CODE_MODE_PROTOCOL_VERSION = PROTOCOL_VERSION;
@@ -1629,8 +1646,321 @@ function createEngine(config) {
   };
 }
 
+// canonicalJson.ts
+function toCanonicalJson(value) {
+  if (value === null) return "null";
+  if (typeof value === "boolean") return value ? "true" : "false";
+  if (typeof value === "number") {
+    if (!isFinite(value)) throw new Error(`toCanonicalJson: non-finite number ${value}`);
+    return JSON.stringify(value);
+  }
+  if (typeof value === "string") return JSON.stringify(value);
+  if (Array.isArray(value)) {
+    return "[" + value.map(toCanonicalJson).join(",") + "]";
+  }
+  if (typeof value === "object") {
+    const obj = value;
+    const keys = Object.keys(obj).sort();
+    return "{" + keys.filter((k) => obj[k] !== void 0 && typeof obj[k] !== "function").map((k) => `${JSON.stringify(k)}:${toCanonicalJson(obj[k])}`).join(",") + "}";
+  }
+  throw new Error(`toCanonicalJson: unsupported type ${typeof value}`);
+}
+
+// nodeReceipt.ts
+hashes.sha512 = sha512;
+function base64urlToBytes(s) {
+  const pad = s.length % 4;
+  const base64 = s.replace(/-/g, "+").replace(/_/g, "/") + (pad ? "=".repeat(4 - pad) : "");
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  }
+  const binary = atob(base64);
+  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
+}
+async function verifyNodeReceiptSignature(params) {
+  try {
+    const { receipt, signatureB64Url, key } = params;
+    let pubKeyBytes;
+    if (key.jwk) {
+      if (key.jwk.kty !== "OKP" || key.jwk.crv !== "Ed25519") {
+        return {
+          ok: false,
+          code: CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED,
+          details: [
+            `JWK must have kty=OKP and crv=Ed25519, got kty=${key.jwk.kty} crv=${key.jwk.crv}`
+          ]
+        };
+      }
+      pubKeyBytes = base64urlToBytes(key.jwk.x);
+    } else if (key.rawB64Url) {
+      pubKeyBytes = base64urlToBytes(key.rawB64Url);
+    } else if (key.spkiB64) {
+      const spkiBytes = base64urlToBytes(key.spkiB64);
+      if (spkiBytes.length < 32) {
+        return {
+          ok: false,
+          code: CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED,
+          details: ["SPKI key too short to extract Ed25519 public key"]
+        };
+      }
+      pubKeyBytes = spkiBytes.slice(spkiBytes.length - 32);
+    } else {
+      return {
+        ok: false,
+        code: CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED,
+        details: ["No usable key provided: supply jwk, rawB64Url, or spkiB64"]
+      };
+    }
+    if (pubKeyBytes.length !== 32) {
+      return {
+        ok: false,
+        code: CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED,
+        details: [`Ed25519 public key must be 32 bytes, got ${pubKeyBytes.length}`]
+      };
+    }
+    const sigBytes = base64urlToBytes(signatureB64Url);
+    if (sigBytes.length !== 64) {
+      return {
+        ok: false,
+        code: CodeVerifyCode.NODE_RECEIPT_INVALID_SIGNATURE,
+        details: [`Ed25519 signature must be 64 bytes, got ${sigBytes.length}`]
+      };
+    }
+    const msgBytes = new TextEncoder().encode(toCanonicalJson(receipt));
+    const isValid = await verify(sigBytes, msgBytes, pubKeyBytes);
+    if (!isValid) {
+      return {
+        ok: false,
+        code: CodeVerifyCode.NODE_RECEIPT_INVALID_SIGNATURE,
+        details: ["Ed25519 signature verification failed"]
+      };
+    }
+    return { ok: true, code: CodeVerifyCode.OK };
+  } catch (err) {
+    return {
+      ok: false,
+      code: CodeVerifyCode.NODE_RECEIPT_INVALID_SIGNATURE,
+      details: [err instanceof Error ? err.message : String(err)]
+    };
+  }
+}
+async function fetchNodeKeys(nodeUrl) {
+  const url = `${nodeUrl.replace(/\/+$/, "")}/.well-known/nexart-node.json`;
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`Failed to fetch node keys from ${url}: HTTP ${response.status}`);
+  }
+  const data = await response.json();
+  if (typeof data !== "object" || data === null) {
+    throw new Error("Node keys response is not an object");
+  }
+  const doc = data;
+  if (typeof doc.nodeId !== "string" || !Array.isArray(doc.keys)) {
+    throw new Error("Node keys document missing required fields (nodeId, keys)");
+  }
+  return data;
+}
+function selectNodeKey(doc, kid) {
+  if (kid) {
+    const found = doc.keys.find((k) => k.kid === kid);
+    if (!found) {
+      return {
+        error: {
+          ok: false,
+          code: CodeVerifyCode.NODE_RECEIPT_KEY_NOT_FOUND,
+          details: [`Key with kid="${kid}" not found in node keys document`]
+        }
+      };
+    }
+    return { key: found };
+  }
+  if (doc.activeKid) {
+    const found = doc.keys.find((k) => k.kid === doc.activeKid);
+    if (!found) {
+      return {
+        error: {
+          ok: false,
+          code: CodeVerifyCode.NODE_RECEIPT_KEY_NOT_FOUND,
+          details: [`activeKid="${doc.activeKid}" not found in keys array`]
+        }
+      };
+    }
+    return { key: found };
+  }
+  if (doc.keys.length === 0) {
+    return {
+      error: {
+        ok: false,
+        code: CodeVerifyCode.NODE_RECEIPT_KEY_NOT_FOUND,
+        details: ["No keys available in node keys document"]
+      }
+    };
+  }
+  return { key: doc.keys[0] };
+}
+function extractReceiptAndSignature(bundle) {
+  if (typeof bundle !== "object" || bundle === null) return null;
+  const b = bundle;
+  if (typeof b.receipt === "object" && b.receipt !== null && typeof b.signature === "string") {
+    return {
+      receipt: b.receipt,
+      signatureB64Url: b.signature,
+      attestorKeyId: typeof b.attestorKeyId === "string" ? b.attestorKeyId : void 0
+    };
+  }
+  if (typeof b.attestation === "object" && b.attestation !== null) {
+    const att = b.attestation;
+    if (typeof att.receipt === "object" && att.receipt !== null && typeof att.signature === "string") {
+      return {
+        receipt: att.receipt,
+        signatureB64Url: att.signature,
+        attestorKeyId: typeof att.attestorKeyId === "string" ? att.attestorKeyId : void 0
+      };
+    }
+  }
+  if (typeof b.meta === "object" && b.meta !== null) {
+    const meta = b.meta;
+    if (typeof meta.attestation === "object" && meta.attestation !== null) {
+      const att = meta.attestation;
+      if (typeof att.receipt === "object" && att.receipt !== null && typeof att.signature === "string") {
+        return {
+          receipt: att.receipt,
+          signatureB64Url: att.signature,
+          attestorKeyId: typeof att.attestorKeyId === "string" ? att.attestorKeyId : void 0
+        };
+      }
+    }
+  }
+  return null;
+}
+async function verifyBundleAttestation(bundle, options) {
+  const extracted = extractReceiptAndSignature(bundle);
+  if (!extracted) {
+    return {
+      ok: false,
+      code: CodeVerifyCode.NODE_RECEIPT_MISSING,
+      details: ["No signed receipt found in bundle (expected bundle.receipt + bundle.signature or bundle.attestation envelope)"]
+    };
+  }
+  const nodeId = extracted.receipt.nodeId;
+  const resolvedKid = options.kid ?? extracted.attestorKeyId ?? extracted.receipt.attestorKeyId;
+  function ctx() {
+    const lines = [];
+    if (nodeId) lines.push(`nodeId: ${nodeId}`);
+    if (resolvedKid) lines.push(`kid: ${resolvedKid}`);
+    return lines;
+  }
+  if (typeof bundle.certificateHash === "string") {
+    const bundleCertHash = bundle.certificateHash;
+    if (extracted.receipt.certificateHash !== bundleCertHash) {
+      return {
+        ok: false,
+        code: CodeVerifyCode.CERTIFICATE_HASH_MISMATCH,
+        details: [
+          "Receipt certificateHash does not match bundle certificateHash",
+          `receipt.certificateHash: ${extracted.receipt.certificateHash}`,
+          `bundle.certificateHash:  ${bundleCertHash}`,
+          ...ctx()
+        ]
+      };
+    }
+  }
+  let keysDoc;
+  try {
+    keysDoc = await fetchNodeKeys(options.nodeUrl);
+  } catch (err) {
+    return {
+      ok: false,
+      code: CodeVerifyCode.NODE_RECEIPT_KEY_NOT_FOUND,
+      details: [...ctx(), err instanceof Error ? err.message : String(err)]
+    };
+  }
+  const selected = selectNodeKey(keysDoc, resolvedKid);
+  if (selected.error) {
+    return {
+      ...selected.error,
+      details: [...ctx(), ...selected.error.details ?? []]
+    };
+  }
+  const keyEntry = selected.key;
+  const keyParam = {};
+  if (keyEntry.publicKeyJwk) keyParam.jwk = keyEntry.publicKeyJwk;
+  else if (keyEntry.publicKey) keyParam.rawB64Url = keyEntry.publicKey;
+  else if (keyEntry.publicKeySpkiB64) keyParam.spkiB64 = keyEntry.publicKeySpkiB64;
+  else {
+    return {
+      ok: false,
+      code: CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED,
+      details: [
+        `Key kid="${keyEntry.kid}" has no usable public key field (publicKeyJwk, publicKey, or publicKeySpkiB64)`,
+        ...ctx()
+      ]
+    };
+  }
+  const sigResult = await verifyNodeReceiptSignature({
+    receipt: extracted.receipt,
+    signatureB64Url: extracted.signatureB64Url,
+    key: keyParam
+  });
+  const contextLines = ctx();
+  if (contextLines.length === 0) return sigResult;
+  return sigResult.ok ? { ok: true, code: CodeVerifyCode.OK, details: contextLines } : { ...sigResult, details: [...contextLines, ...sigResult.details ?? []] };
+}
+
+// attestation.ts
+function getAttestationReceipt(bundle) {
+  if (typeof bundle !== "object" || bundle === null) return null;
+  const b = bundle;
+  if (typeof b.receipt === "object" && b.receipt !== null && typeof b.signature === "string") {
+    const r = b.receipt;
+    return {
+      attestationId: r.attestationId,
+      attestedAt: r.attestedAt,
+      nodeId: r.nodeId,
+      attestorKeyId: r.attestorKeyId,
+      nodeRuntimeHash: r.nodeRuntimeHash,
+      certificateHash: r.certificateHash,
+      protocolVersion: r.protocolVersion,
+      receipt: r,
+      signature: b.signature
+    };
+  }
+  if (typeof b.attestation === "object" && b.attestation !== null) {
+    const att = b.attestation;
+    if (typeof att.receipt === "object" && att.receipt !== null && typeof att.signature === "string") {
+      const r = att.receipt;
+      return {
+        attestationId: r.attestationId,
+        attestedAt: r.attestedAt,
+        nodeId: r.nodeId,
+        attestorKeyId: r.attestorKeyId,
+        nodeRuntimeHash: r.nodeRuntimeHash,
+        certificateHash: r.certificateHash,
+        protocolVersion: r.protocolVersion,
+        receipt: r,
+        signature: att.signature
+      };
+    }
+  }
+  if (typeof b.attestationId === "string") {
+    return {
+      attestationId: b.attestationId,
+      attestedAt: typeof b.attestedAt === "string" ? b.attestedAt : "",
+      nodeId: typeof b.nodeId === "string" ? b.nodeId : void 0,
+      attestorKeyId: typeof b.attestorKeyId === "string" ? b.attestorKeyId : void 0,
+      nodeRuntimeHash: typeof b.nodeRuntimeHash === "string" ? b.nodeRuntimeHash : void 0,
+      certificateHash: typeof b.certificateHash === "string" ? b.certificateHash : void 0,
+      protocolVersion: typeof b.protocolVersion === "string" ? b.protocolVersion : void 0
+    };
+  }
+  return null;
+}
+function hasAttestation(bundle) {
+  return getAttestationReceipt(bundle) !== null;
+}
+
 // core-index.ts
 var SDK_VERSION2 = SDK_VERSION;
 var SDK_NAME = "@nexart/codemode-sdk";
 
-export { CODE_MODE_ENFORCEMENT, CODE_MODE_PROTOCOL_PHASE, CODE_MODE_PROTOCOL_VERSION, DEFAULT_CONFIG, DEFAULT_VARS, PROTOCOL_IDENTITY, PROTOCOL_PHASE, PROTOCOL_VERSION, SDK_NAME, SDK_VERSION2 as SDK_VERSION, VAR_COUNT, VAR_MAX, VAR_MIN, cancelLoopMode, createEngine, createP5Runtime, createProtocolVAR, executeCodeMode, injectTimeVariables, runLoopMode, runStaticMode, validateCodeModeSource };
+export { CODE_MODE_ENFORCEMENT, CODE_MODE_PROTOCOL_PHASE, CODE_MODE_PROTOCOL_VERSION, CodeVerifyCode, DEFAULT_CONFIG, DEFAULT_VARS, PROTOCOL_IDENTITY, PROTOCOL_PHASE, PROTOCOL_VERSION, SDK_NAME, SDK_VERSION2 as SDK_VERSION, VAR_COUNT, VAR_MAX, VAR_MIN, cancelLoopMode, createEngine, createP5Runtime, createProtocolVAR, executeCodeMode, fetchNodeKeys, getAttestationReceipt, hasAttestation, injectTimeVariables, runLoopMode, runStaticMode, selectNodeKey, toCanonicalJson, validateCodeModeSource, verifyBundleAttestation, verifyNodeReceiptSignature };

package/dist/cjs/node.cjs

@@ -1068,7 +1068,7 @@ var init_soundart_sketches = __esm({
 });
 
 // version.ts
-var SDK_VERSION = "1.8.4";
+var SDK_VERSION = "1.9.0";
 var PROTOCOL_VERSION = "1.2.0";
 var PROTOCOL_PHASE = 3;
 

package/dist/cjs/node.js

@@ -1065,7 +1065,7 @@ var init_soundart_sketches = __esm({
 });
 
 // version.ts
-var SDK_VERSION = "1.8.4";
+var SDK_VERSION = "1.9.0";
 var PROTOCOL_VERSION = "1.2.0";
 var PROTOCOL_PHASE = 3;
 

package/dist/esm/browser.cjs

@@ -1068,7 +1068,7 @@ var init_soundart_sketches = __esm({
 });
 
 // version.ts
-var SDK_VERSION = "1.8.4";
+var SDK_VERSION = "1.9.0";
 var PROTOCOL_VERSION = "1.2.0";
 var PROTOCOL_PHASE = 3;
 

package/dist/esm/browser.js

@@ -1065,7 +1065,7 @@ var init_soundart_sketches = __esm({
 });
 
 // version.ts
-var SDK_VERSION = "1.8.4";
+var SDK_VERSION = "1.9.0";
 var PROTOCOL_VERSION = "1.2.0";
 var PROTOCOL_PHASE = 3;