@ruvector/edge-net 0.5.0 → 0.5.3
- package/README.md +281 -10
- package/core-invariants.js +942 -0
- package/models/adapter-hub.js +1008 -0
- package/models/adapter-security.js +792 -0
- package/models/benchmark.js +688 -0
- package/models/distribution.js +791 -0
- package/models/index.js +109 -0
- package/models/integrity.js +753 -0
- package/models/loader.js +725 -0
- package/models/microlora.js +1298 -0
- package/models/model-loader.js +922 -0
- package/models/model-optimizer.js +1245 -0
- package/models/model-registry.js +696 -0
- package/models/model-utils.js +548 -0
- package/models/models-cli.js +914 -0
- package/models/registry.json +214 -0
- package/models/training-utils.js +1418 -0
- package/models/wasm-core.js +1025 -0
- package/network-genesis.js +2847 -0
- package/onnx-worker.js +462 -8
- package/package.json +33 -3
- package/plugins/SECURITY-AUDIT.md +654 -0
- package/plugins/cli.js +43 -3
- package/plugins/implementations/e2e-encryption.js +57 -12
- package/plugins/plugin-loader.js +610 -21
- package/tests/model-optimizer.test.js +644 -0
- package/tests/network-genesis.test.js +562 -0
- package/tests/plugin-benchmark.js +1239 -0
- package/tests/plugin-system-test.js +163 -0
- package/tests/wasm-core.test.js +368 -0
|
@@ -7,7 +7,7 @@
|
|
|
7
7
|
* @module @ruvector/edge-net/plugins/e2e-encryption
|
|
8
8
|
*/
|
|
9
9
|
|
|
10
|
-
import { randomBytes, createCipheriv, createDecipheriv, createHash } from 'crypto';
|
|
10
|
+
import { randomBytes, createCipheriv, createDecipheriv, createHash, pbkdf2Sync, hkdfSync } from 'crypto';
|
|
11
11
|
|
|
12
12
|
export class E2EEncryptionPlugin {
|
|
13
13
|
constructor(config = {}) {
|
|
@@ -38,16 +38,41 @@ export class E2EEncryptionPlugin {
|
|
|
38
38
|
|
|
39
39
|
/**
|
|
40
40
|
* Establish encrypted session with peer
|
|
41
|
+
* Uses HKDF for secure key derivation with proper entropy
|
|
41
42
|
*/
|
|
42
43
|
async establishSession(peerId, peerPublicKey) {
|
|
43
|
-
//
|
|
44
|
-
|
|
45
|
-
const
|
|
46
|
-
|
|
47
|
-
|
|
44
|
+
// Generate cryptographically secure random material
|
|
45
|
+
const ephemeralSecret = randomBytes(32);
|
|
46
|
+
const salt = randomBytes(32);
|
|
47
|
+
|
|
48
|
+
// In production: X25519 key exchange with peerPublicKey
|
|
49
|
+
// For now: Use HKDF for secure key derivation
|
|
50
|
+
// HKDF is a proper KDF that extracts entropy and expands it securely
|
|
51
|
+
let sharedSecret;
|
|
52
|
+
try {
|
|
53
|
+
// Use HKDF (preferred) - extract-then-expand
|
|
54
|
+
sharedSecret = hkdfSync(
|
|
55
|
+
'sha256', // hash algorithm
|
|
56
|
+
ephemeralSecret, // input key material
|
|
57
|
+
salt, // salt
|
|
58
|
+
`edge-net-e2e-${peerId}`, // info/context
|
|
59
|
+
32 // output length
|
|
60
|
+
);
|
|
61
|
+
} catch (e) {
|
|
62
|
+
// Fallback to PBKDF2 if HKDF not available (older Node)
|
|
63
|
+
// 100,000 iterations for security
|
|
64
|
+
sharedSecret = pbkdf2Sync(
|
|
65
|
+
ephemeralSecret,
|
|
66
|
+
salt,
|
|
67
|
+
100000, // iterations
|
|
68
|
+
32, // key length
|
|
69
|
+
'sha256'
|
|
70
|
+
);
|
|
71
|
+
}
|
|
48
72
|
|
|
49
73
|
const sessionKey = {
|
|
50
74
|
key: sharedSecret,
|
|
75
|
+
salt: salt,
|
|
51
76
|
iv: randomBytes(16),
|
|
52
77
|
createdAt: Date.now(),
|
|
53
78
|
messageCount: 0,
|
|
@@ -57,7 +82,8 @@ export class E2EEncryptionPlugin {
|
|
|
57
82
|
|
|
58
83
|
return {
|
|
59
84
|
sessionId: createHash('sha256').update(sharedSecret).digest('hex').slice(0, 16),
|
|
60
|
-
publicKey:
|
|
85
|
+
publicKey: ephemeralSecret.toString('hex'), // Our ephemeral public key
|
|
86
|
+
salt: salt.toString('hex'),
|
|
61
87
|
};
|
|
62
88
|
}
|
|
63
89
|
|
|
@@ -117,18 +143,37 @@ export class E2EEncryptionPlugin {
|
|
|
117
143
|
|
|
118
144
|
/**
|
|
119
145
|
* Rotate session keys for forward secrecy
|
|
146
|
+
* Uses HKDF for secure key rotation
|
|
120
147
|
*/
|
|
121
148
|
_rotateKeys() {
|
|
122
149
|
const now = Date.now();
|
|
123
150
|
for (const [peerId, session] of this.sessionKeys) {
|
|
124
151
|
if (now - session.createdAt > this.config.keyRotationInterval) {
|
|
125
|
-
// Generate new session key
|
|
126
|
-
const
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
152
|
+
// Generate new session key using HKDF with previous key as IKM
|
|
153
|
+
const newSalt = randomBytes(32);
|
|
154
|
+
let newKey;
|
|
155
|
+
|
|
156
|
+
try {
|
|
157
|
+
newKey = hkdfSync(
|
|
158
|
+
'sha256',
|
|
159
|
+
session.key,
|
|
160
|
+
newSalt,
|
|
161
|
+
`edge-net-rotate-${peerId}-${now}`,
|
|
162
|
+
32
|
|
163
|
+
);
|
|
164
|
+
} catch (e) {
|
|
165
|
+
// Fallback to PBKDF2
|
|
166
|
+
newKey = pbkdf2Sync(
|
|
167
|
+
session.key,
|
|
168
|
+
newSalt,
|
|
169
|
+
100000,
|
|
170
|
+
32,
|
|
171
|
+
'sha256'
|
|
172
|
+
);
|
|
173
|
+
}
|
|
130
174
|
|
|
131
175
|
session.key = newKey;
|
|
176
|
+
session.salt = newSalt;
|
|
132
177
|
session.createdAt = now;
|
|
133
178
|
session.messageCount = 0;
|
|
134
179
|
}
|
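Review bot: In `establishSession`, the returned `publicKey: ephemeralSecret.toString('hex')` hands out the HKDF input key material itself, with `salt` next to it, so anyone who sees this return value and knows `peerId` can recompute `sessionKey.key`. `peerPublicKey` is not used in the visible lines (the part of the function between the two hunks is not shown), so the value called a shared secret comes only from local randomness and the peer can reach it only by being sent that secret. Until the X25519 exchange named in the comment exists, drop `ephemeralSecret` from the return value; once it exists, derive the key from `diffieHellman({ privateKey, publicKey })` over an ephemeral key pair and return only the public half. Separately, `hkdfSync` returns an `ArrayBuffer`, while `Hash.update()` is documented to take a string, Buffer, TypedArray or DataView, so `createHash('sha256').update(sharedSecret)` probably throws on the HKDF path; `Buffer.from(hkdfSync(...))` avoids that. `_rotateKeys` has a related gap: `newKey` depends on a random `newSalt` and on the local `now`, and nothing visible sends either to the peer, so the two sides would likely stop agreeing on the key after the first rotation.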