@o-lang/olang 1.2.17 → 1.2.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +2 -2
- package/src/runtime/index.js +79 -2
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@o-lang/olang",
|
|
3
|
-
"version": "1.2.
|
|
4
|
-
"author": "Olalekan Ogundipe <info@
|
|
3
|
+
"version": "1.2.19",
|
|
4
|
+
"author": "Olalekan Ogundipe <info@olang.cloud>",
|
|
5
5
|
"description": "O-Lang: A governance language for user-directed, rule-enforced agent workflows",
|
|
6
6
|
"main": "./src/runtime/index.js",
|
|
7
7
|
"bin": {
|
package/src/runtime/index.js
CHANGED
|
@@ -1,6 +1,53 @@
|
|
|
1
1
|
// src/runtime/index.js
|
|
2
2
|
const { RuntimeAPI } = require('./RuntimeAPI');
|
|
3
3
|
const { parse } = require('../parser');
|
|
4
|
+
const crypto = require('crypto');
|
|
5
|
+
const fs = require('fs');
|
|
6
|
+
const path = require('path');
|
|
7
|
+
|
|
8
|
+
// ✅ Load kernel private key (cached)
|
|
9
|
+
let KERNEL_PRIVATE_KEY = null;
|
|
10
|
+
function getKernelPrivateKey() {
|
|
11
|
+
if (KERNEL_PRIVATE_KEY) return KERNEL_PRIVATE_KEY;
|
|
12
|
+
|
|
13
|
+
const keyPath = process.env.KERNEL_PRIVATE_KEY_PATH || './kernel-keys/kernel-private.pem';
|
|
14
|
+
const absolutePath = path.isAbsolute(keyPath) ? keyPath : path.join(process.cwd(), keyPath);
|
|
15
|
+
|
|
16
|
+
if (!fs.existsSync(absolutePath)) {
|
|
17
|
+
console.warn('[kernel] Warning: Private key not found at', absolutePath);
|
|
18
|
+
console.warn('[kernel] Audit entries will NOT be signed');
|
|
19
|
+
return null;
|
|
20
|
+
}
|
|
21
|
+
|
|
22
|
+
KERNEL_PRIVATE_KEY = fs.readFileSync(absolutePath, 'utf8');
|
|
23
|
+
console.log('[kernel] ✅ Private key loaded for signing');
|
|
24
|
+
return KERNEL_PRIVATE_KEY;
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
// ✅ Sign audit data with ED25519 (Node.js crypto.sign)
|
|
28
|
+
function signAuditData(auditData, privateKeyPem) {
|
|
29
|
+
if (!privateKeyPem) return null;
|
|
30
|
+
|
|
31
|
+
try {
|
|
32
|
+
// Serialize audit data EXACTLY as it will be verified (sorted keys)
|
|
33
|
+
const serialized = JSON.stringify(auditData, Object.keys(auditData).sort());
|
|
34
|
+
|
|
35
|
+
// ED25519 signing: use crypto.sign() directly
|
|
36
|
+
const signature = crypto.sign(
|
|
37
|
+
null, // For ED25519, hash algorithm is implicit
|
|
38
|
+
Buffer.from(serialized, 'utf8'),
|
|
39
|
+
{
|
|
40
|
+
key: privateKeyPem,
|
|
41
|
+
dsaEncoding: 'ieee-p1363', // Required for ED25519
|
|
42
|
+
}
|
|
43
|
+
);
|
|
44
|
+
|
|
45
|
+
return signature.toString('hex');
|
|
46
|
+
} catch (err) {
|
|
47
|
+
console.error('[kernel] Signature error:', err.message);
|
|
48
|
+
return null;
|
|
49
|
+
}
|
|
50
|
+
}
|
|
4
51
|
|
|
5
52
|
async function execute(workflow, inputs, agentResolver, verbose = false) {
|
|
6
53
|
const rt = new RuntimeAPI({ verbose });
|
|
@@ -12,17 +59,47 @@ async function execute(workflow, inputs, agentResolver, verbose = false) {
|
|
|
12
59
|
const lastEntry = rt.auditLog.at(-1);
|
|
13
60
|
const firstEntry = rt.auditLog.at(0);
|
|
14
61
|
|
|
15
|
-
|
|
62
|
+
// Build audit object BEFORE signing
|
|
63
|
+
const auditData = {
|
|
16
64
|
execution_hash: lastEntry?.hash ?? null,
|
|
17
65
|
previous_hash: firstEntry?.hash ?? 'GENESIS',
|
|
18
66
|
merkle_root: rt._calculateMerkleRoot(),
|
|
19
67
|
kernel_version: lastEntry?.details?.kernel_version ?? null,
|
|
20
68
|
governance_profile_hash: lastEntry?.details?.governance_profile_hash ?? null,
|
|
21
|
-
signature: lastEntry?.signature ?? null,
|
|
22
69
|
integrity: rt.verifyAuditLogIntegrity(),
|
|
23
70
|
chain: rt.auditLog,
|
|
24
71
|
};
|
|
25
72
|
|
|
73
|
+
// ✅ SIGN the audit data
|
|
74
|
+
const privateKey = getKernelPrivateKey();
|
|
75
|
+
const signature = signAuditData(auditData, privateKey);
|
|
76
|
+
|
|
77
|
+
// Load public key for verification (optional but helpful)
|
|
78
|
+
let publicKey = null;
|
|
79
|
+
if (privateKey) {
|
|
80
|
+
try {
|
|
81
|
+
const pubKeyPath = process.env.KERNEL_PUBLIC_KEY_PATH || './kernel-keys/kernel-public.pem';
|
|
82
|
+
const absolutePubPath = path.isAbsolute(pubKeyPath)
|
|
83
|
+
? pubKeyPath
|
|
84
|
+
: path.join(process.cwd(), pubKeyPath);
|
|
85
|
+
if (fs.existsSync(absolutePubPath)) {
|
|
86
|
+
// Read and clean PEM for storage
|
|
87
|
+
publicKey = fs.readFileSync(absolutePubPath, 'utf8')
|
|
88
|
+
.replace('-----BEGIN PUBLIC KEY-----', '')
|
|
89
|
+
.replace('-----END PUBLIC KEY-----', '')
|
|
90
|
+
.replace(/\s/g, '');
|
|
91
|
+
}
|
|
92
|
+
} catch (err) {
|
|
93
|
+
console.warn('[kernel] Could not load public key:', err.message);
|
|
94
|
+
}
|
|
95
|
+
}
|
|
96
|
+
|
|
97
|
+
result.__audit = {
|
|
98
|
+
...auditData,
|
|
99
|
+
signature, // ✅ Cryptographic signature (hex string)
|
|
100
|
+
publicKey, // ✅ Public key for verification (cleaned PEM)
|
|
101
|
+
};
|
|
102
|
+
|
|
26
103
|
return result;
|
|
27
104
|
}
|
|
28
105
|
|