@o-lang/olang 1.4.0-alpha.1 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +3 -3
- package/src/runtime/RuntimeAPI.js +1 -1
- package/src/runtime/index.js +38 -33
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@o-lang/olang",
|
|
3
|
-
"version": "1.4.0
|
|
3
|
+
"version": "1.4.0",
|
|
4
4
|
"author": "Olalekan Ogundipe <info@olang.cloud>",
|
|
5
5
|
"description": "O-Lang: A governance language for user-directed, rule-enforced agent workflows with native African language PII protection.",
|
|
6
6
|
"main": "./src/runtime/index.js",
|
|
@@ -9,7 +9,7 @@
|
|
|
9
9
|
},
|
|
10
10
|
"files": [
|
|
11
11
|
"src/",
|
|
12
|
-
"cli/",
|
|
12
|
+
"cli/",
|
|
13
13
|
"README.md",
|
|
14
14
|
"LICENSE"
|
|
15
15
|
],
|
|
@@ -57,4 +57,4 @@
|
|
|
57
57
|
"devDependencies": {
|
|
58
58
|
"jest": "^29.7.0"
|
|
59
59
|
}
|
|
60
|
-
}
|
|
60
|
+
}
|
|
@@ -3,7 +3,7 @@ const path = require('path');
|
|
|
3
3
|
const crypto = require('crypto'); // ✅ CRYPTOGRAPHIC AUDIT LOGS
|
|
4
4
|
|
|
5
5
|
// ✅ O-Lang Kernel Version (Safety Logic & Governance Rules)
|
|
6
|
-
const KERNEL_VERSION = '1.4.0
|
|
6
|
+
const KERNEL_VERSION = '1.4.0'; // 🔁 Bumped: PII redaction engine added
|
|
7
7
|
|
|
8
8
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
9
9
|
// ✅ NEW v1.3.0 — SEPARATED PATTERN SETS
|
package/src/runtime/index.js
CHANGED
|
@@ -5,12 +5,13 @@ const crypto = require('crypto');
|
|
|
5
5
|
const fs = require('fs');
|
|
6
6
|
const path = require('path');
|
|
7
7
|
|
|
8
|
-
// ── Load kernel private key
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
8
|
+
// ── Load kernel private key ───────────────────────────────────────────────────
|
|
9
|
+
// FIX: Load at module initialisation time (when kernel boots) instead of
|
|
10
|
+
// lazily on the first execute() call. This prevents a 5-10s delay on the
|
|
11
|
+
// first request caused by RSA key file I/O + audit chain signing overhead.
|
|
12
|
+
// ─────────────────────────────────────────────────────────────────────────────
|
|
13
13
|
|
|
14
|
+
function _loadPrivateKey() {
|
|
14
15
|
const keyPath = process.env.KERNEL_PRIVATE_KEY_PATH || './kernel-keys/kernel-private.pem';
|
|
15
16
|
const absolutePath = path.isAbsolute(keyPath)
|
|
16
17
|
? keyPath
|
|
@@ -22,11 +23,37 @@ function getKernelPrivateKey() {
|
|
|
22
23
|
return null;
|
|
23
24
|
}
|
|
24
25
|
|
|
25
|
-
|
|
26
|
+
const key = fs.readFileSync(absolutePath, 'utf8');
|
|
26
27
|
console.log('[kernel] ✅ Private key loaded for signing');
|
|
27
|
-
return
|
|
28
|
+
return key;
|
|
28
29
|
}
|
|
29
30
|
|
|
31
|
+
// Loaded once at require() time — cached for all subsequent execute() calls
|
|
32
|
+
const KERNEL_PRIVATE_KEY = _loadPrivateKey();
|
|
33
|
+
|
|
34
|
+
function _loadPublicKey() {
|
|
35
|
+
if (!KERNEL_PRIVATE_KEY) return null;
|
|
36
|
+
try {
|
|
37
|
+
const pubKeyPath = process.env.KERNEL_PUBLIC_KEY_PATH || './kernel-keys/kernel-public.pem';
|
|
38
|
+
const absolutePubPath = path.isAbsolute(pubKeyPath)
|
|
39
|
+
? pubKeyPath
|
|
40
|
+
: path.join(process.cwd(), pubKeyPath);
|
|
41
|
+
|
|
42
|
+
if (!fs.existsSync(absolutePubPath)) return null;
|
|
43
|
+
|
|
44
|
+
return fs.readFileSync(absolutePubPath, 'utf8')
|
|
45
|
+
.replace('-----BEGIN PUBLIC KEY-----', '')
|
|
46
|
+
.replace('-----END PUBLIC KEY-----', '')
|
|
47
|
+
.replace(/\s/g, '');
|
|
48
|
+
} catch (err) {
|
|
49
|
+
console.warn('[kernel] Could not load public key:', err.message);
|
|
50
|
+
return null;
|
|
51
|
+
}
|
|
52
|
+
}
|
|
53
|
+
|
|
54
|
+
// Also loaded once at require() time
|
|
55
|
+
const KERNEL_PUBLIC_KEY = _loadPublicKey();
|
|
56
|
+
|
|
30
57
|
// ── Sign audit data with RSA-SHA256 ──────────────────────────────────────────
|
|
31
58
|
// Uses RSA-SHA256 to match the RSA key generated by crypto.generateKeyPairSync.
|
|
32
59
|
// The same sorted JSON serialization is used during verification.
|
|
@@ -72,35 +99,14 @@ async function execute(workflow, inputs, agentResolver, verbose = false) {
|
|
|
72
99
|
chain: rt.auditLog,
|
|
73
100
|
};
|
|
74
101
|
|
|
75
|
-
//
|
|
76
|
-
const
|
|
77
|
-
const signature = signAuditData(auditData, privateKey);
|
|
78
|
-
|
|
79
|
-
// Load public key for client-side verification (stripped PEM)
|
|
80
|
-
let publicKey = null;
|
|
81
|
-
if (privateKey) {
|
|
82
|
-
try {
|
|
83
|
-
const pubKeyPath = process.env.KERNEL_PUBLIC_KEY_PATH || './kernel-keys/kernel-public.pem';
|
|
84
|
-
const absolutePubPath = path.isAbsolute(pubKeyPath)
|
|
85
|
-
? pubKeyPath
|
|
86
|
-
: path.join(process.cwd(), pubKeyPath);
|
|
87
|
-
|
|
88
|
-
if (fs.existsSync(absolutePubPath)) {
|
|
89
|
-
publicKey = fs.readFileSync(absolutePubPath, 'utf8')
|
|
90
|
-
.replace('-----BEGIN PUBLIC KEY-----', '')
|
|
91
|
-
.replace('-----END PUBLIC KEY-----', '')
|
|
92
|
-
.replace(/\s/g, '');
|
|
93
|
-
}
|
|
94
|
-
} catch (err) {
|
|
95
|
-
console.warn('[kernel] Could not load public key:', err.message);
|
|
96
|
-
}
|
|
97
|
-
}
|
|
102
|
+
// FIX: Use pre-loaded keys — no file I/O on hot path
|
|
103
|
+
const signature = signAuditData(auditData, KERNEL_PRIVATE_KEY);
|
|
98
104
|
|
|
99
105
|
// Attach audit to result — server.js detaches it before sending to client
|
|
100
106
|
result.__audit = {
|
|
101
107
|
...auditData,
|
|
102
|
-
signature,
|
|
103
|
-
publicKey,
|
|
108
|
+
signature, // RSA-SHA256 hex signature
|
|
109
|
+
publicKey: KERNEL_PUBLIC_KEY, // Stripped PEM for client verification
|
|
104
110
|
};
|
|
105
111
|
|
|
106
112
|
return result;
|
|
@@ -115,5 +121,4 @@ function redact(text) {
|
|
|
115
121
|
return rt.redact(text);
|
|
116
122
|
}
|
|
117
123
|
|
|
118
|
-
|
|
119
124
|
module.exports = { execute, parse, redact };
|