@o-lang/olang 1.2.19 → 1.2.20

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@o-lang/olang",
-  "version": "1.2.19",
+  "version": "1.2.20",
   "author": "Olalekan Ogundipe <info@olang.cloud>",
   "description": "O-Lang: A governance language for user-directed, rule-enforced agent workflows",
   "main": "./src/runtime/index.js",

package/src/runtime/index.js

@@ -1,89 +1,91 @@
 // src/runtime/index.js
 const { RuntimeAPI } = require('./RuntimeAPI');
-const { parse } = require('../parser');
-const crypto = require('crypto');
-const fs = require('fs');
-const path = require('path');
+const { parse }      = require('../parser');
+const crypto         = require('crypto');
+const fs             = require('fs');
+const path           = require('path');
 
-// ✅ Load kernel private key (cached)
+// ── Load kernel private key (cached) ─────────────────────────────────────────
 let KERNEL_PRIVATE_KEY = null;
+
 function getKernelPrivateKey() {
   if (KERNEL_PRIVATE_KEY) return KERNEL_PRIVATE_KEY;
-  
-  const keyPath = process.env.KERNEL_PRIVATE_KEY_PATH || './kernel-keys/kernel-private.pem';
-  const absolutePath = path.isAbsolute(keyPath) ? keyPath : path.join(process.cwd(), keyPath);
-  
+
+  const keyPath      = process.env.KERNEL_PRIVATE_KEY_PATH || './kernel-keys/kernel-private.pem';
+  const absolutePath = path.isAbsolute(keyPath)
+    ? keyPath
+    : path.join(process.cwd(), keyPath);
+
   if (!fs.existsSync(absolutePath)) {
     console.warn('[kernel] Warning: Private key not found at', absolutePath);
     console.warn('[kernel] Audit entries will NOT be signed');
     return null;
   }
-  
+
   KERNEL_PRIVATE_KEY = fs.readFileSync(absolutePath, 'utf8');
   console.log('[kernel] ✅ Private key loaded for signing');
   return KERNEL_PRIVATE_KEY;
 }
 
-// ✅ Sign audit data with ED25519 (Node.js crypto.sign)
+// ── Sign audit data with RSA-SHA256 ──────────────────────────────────────────
+// Uses RSA-SHA256 to match the RSA key generated by crypto.generateKeyPairSync.
+// The same sorted JSON serialization is used during verification.
+
 function signAuditData(auditData, privateKeyPem) {
   if (!privateKeyPem) return null;
-  
+
   try {
-    // Serialize audit data EXACTLY as it will be verified (sorted keys)
+    // Serialize with sorted keys — must match verifySignature() in server.js
     const serialized = JSON.stringify(auditData, Object.keys(auditData).sort());
-    
-    // ED25519 signing: use crypto.sign() directly
-    const signature = crypto.sign(
-      null,  // For ED25519, hash algorithm is implicit
-      Buffer.from(serialized, 'utf8'),
-      {
-        key: privateKeyPem,
-        dsaEncoding: 'ieee-p1363',  // Required for ED25519
-      }
-    );
-    
-    return signature.toString('hex');
+
+    const sign = crypto.createSign('SHA256');
+    sign.update(serialized);
+    sign.end();
+
+    return sign.sign(privateKeyPem, 'hex');
   } catch (err) {
     console.error('[kernel] Signature error:', err.message);
     return null;
   }
 }
 
+// ── Main execute function ─────────────────────────────────────────────────────
+
 async function execute(workflow, inputs, agentResolver, verbose = false) {
   const rt = new RuntimeAPI({ verbose });
-  
-  // run the workflow — result only contains Return values
+
+  // Run the workflow — result contains only Return values
   const result = await rt.executeWorkflow(workflow, inputs, agentResolver);
 
-  // rt is still alive here — grab audit before it dies
+  // Grab audit data while RuntimeAPI instance is still alive
   const lastEntry  = rt.auditLog.at(-1);
   const firstEntry = rt.auditLog.at(0);
 
-  // Build audit object BEFORE signing
+  // Build audit object BEFORE signing — must match verifySignature() structure
   const auditData = {
-    execution_hash:          lastEntry?.hash ?? null,
-    previous_hash:           firstEntry?.hash ?? 'GENESIS',
+    execution_hash:          lastEntry?.hash          ?? null,
+    previous_hash:           firstEntry?.hash         ?? 'GENESIS',
     merkle_root:             rt._calculateMerkleRoot(),
-    kernel_version:          lastEntry?.details?.kernel_version ?? null,
+    kernel_version:          lastEntry?.details?.kernel_version          ?? null,
     governance_profile_hash: lastEntry?.details?.governance_profile_hash ?? null,
     integrity:               rt.verifyAuditLogIntegrity(),
     chain:                   rt.auditLog,
   };
 
-  // ✅ SIGN the audit data
+  // Sign the audit data with the kernel private key
   const privateKey = getKernelPrivateKey();
-  const signature = signAuditData(auditData, privateKey);
-  
-  // Load public key for verification (optional but helpful)
+  const signature  = signAuditData(auditData, privateKey);
+
+  // Load public key for client-side verification (stripped PEM)
   let publicKey = null;
   if (privateKey) {
     try {
-      const pubKeyPath = process.env.KERNEL_PUBLIC_KEY_PATH || './kernel-keys/kernel-public.pem';
-      const absolutePubPath = path.isAbsolute(pubKeyPath) 
-        ? pubKeyPath 
+      const pubKeyPath      = process.env.KERNEL_PUBLIC_KEY_PATH || './kernel-keys/kernel-public.pem';
+      const absolutePubPath = path.isAbsolute(pubKeyPath)
+        ? pubKeyPath
         : path.join(process.cwd(), pubKeyPath);
+
       if (fs.existsSync(absolutePubPath)) {
-        // Read and clean PEM for storage
         publicKey = fs.readFileSync(absolutePubPath, 'utf8')
           .replace('-----BEGIN PUBLIC KEY-----', '')
           .replace('-----END PUBLIC KEY-----', '')
@@ -94,10 +96,11 @@ async function execute(workflow, inputs, agentResolver, verbose = false) {
     }
   }
 
+  // Attach audit to result — server.js detaches it before sending to client
   result.__audit = {
     ...auditData,
-    signature,      // ✅ Cryptographic signature (hex string)
-    publicKey,      // ✅ Public key for verification (cleaned PEM)
+    signature,  // RSA-SHA256 hex signature
+    publicKey,  // Stripped PEM for client verification
   };
 
   return result;