npm - @sdotwinter/openclaw-deterministic - Versions diffs - 0.14.0 → 0.16.0 - Mend

@sdotwinter/openclaw-deterministic 0.14.0 → 0.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/bin/doctor.js CHANGED Viewed

@@ -3,6 +3,7 @@
 const fs = require("fs");
 const os = require("os");
 const path = require("path");
+const crypto = require("crypto");
 const JSON_MODE = process.argv.includes("--json");
@@ -88,6 +89,44 @@ Details: ${event.details}
   }
 }
+// -----------------------------
+// Canonical Integrity Verification
+// -----------------------------
+function sha256(content) {
+  return crypto.createHash("sha256").update(content).digest("hex");
+}
+function extractHash(content) {
+  const match = content.match(/Canonical-Hash:\s*SHA256:([a-f0-9]+)/);
+  return match ? match[1] : null;
+}
+function stripHeaders(content) {
+  return content.replace(/<!--[\s\S]*?-->/g, "").trim();
+}
+function verifyIntegrity(filePath) {
+  if (!exists(filePath)) {
+    return { present: false };
+  }
+  const raw = read(filePath);
+  const storedHash = extractHash(raw);
+  if (!storedHash) {
+    return { present: true, valid: false };
+  }
+  const stripped = stripHeaders(raw);
+  const currentHash = sha256(stripped);
+  return {
+    present: true,
+    valid: storedHash === currentHash,
+  };
+}
 function evaluate() {
   const result = {
     cliVersion: CLI_VERSION,
@@ -106,6 +145,26 @@ function evaluate() {
     soul: exists(paths.soul),
   };
+// -----------------------------
+// Canonical Integrity Checks
+// -----------------------------
+result.integrity = {
+  operating: verifyIntegrity(paths.operating),
+  detSoul: verifyIntegrity(paths.detSoul),
+  compactor: verifyIntegrity(paths.compactor),
+};
+// Log governance violations if hashes fail
+for (const [key, status] of Object.entries(result.integrity)) {
+  if (status.present && status.valid === false) {
+    appendGovernanceEvent({
+      type: "canonical-hash-mismatch",
+      details: `${key} failed canonical integrity verification.`,
+    });
+  }
+}
   const cfg = readJsonSafe(paths.config);
   result.config = {
@@ -171,6 +230,20 @@ function printHuman(r) {
     }
   }
+if (r.integrity) {
+  console.log("\nCanonical Integrity:");
+  for (const [key, status] of Object.entries(r.integrity)) {
+    if (!status.present) {
+      console.log(`⚠ ${key} not present (cannot verify).`);
+    } else if (status.valid) {
+      console.log(`✅ ${key} integrity verified.`);
+    } else {
+      console.log(`❌ ${key} integrity FAILED.`);
+    }
+  }
+}
   if (!r.config.present) {
     console.log("⚠ Deterministic config missing. Using defaults.");
   } else if (r.config.invalid) {

package/bin/install.js CHANGED Viewed

@@ -3,6 +3,7 @@
 const fs = require("fs");
 const os = require("os");
 const path = require("path");
+const crypto = require("crypto");
 // -----------------------------
 // Args
@@ -87,10 +88,13 @@ function readFile(p) {
 }
 function timestamp() {
-  // keep filesystem-safe
   return new Date().toISOString().replace(/:/g, "-");
 }
+function sha256(content) {
+  return crypto.createHash("sha256").update(content).digest("hex");
+}
 function backupSnapshot(pathsToBackup) {
   if (DRY_RUN) {
     console.log("[DRY-RUN] Would create backup snapshot.");
@@ -114,13 +118,22 @@ function backupSnapshot(pathsToBackup) {
   return snap;
 }
+// -----------------------------
+// Canonical Install Function
+// -----------------------------
 function copyWithVersionStamp(src, dest) {
   const raw = readFile(src);
-  const stamped = `${VERSION_STAMP}\n${raw.replace(/^\uFEFF/, "")}`;
+  const clean = raw.replace(/^\uFEFF/, "");
+  const hash = sha256(clean);
+  const stamped = `${VERSION_STAMP}
+<!-- Canonical-Hash: SHA256:${hash} -->
+${clean}`;
   writeFile(dest, stamped);
   if (!DRY_RUN) {
-    // keep output consistent with your CLI style
     const pretty = dest.startsWith(workspace)
       ? dest.replace(workspace + path.sep, "")
       : dest;
@@ -134,7 +147,6 @@ function copyWithVersionStamp(src, dest) {
 // Install steps
 // -----------------------------
 function installTemplates() {
-  // Ensure skill directory exists
   ensureDir(path.dirname(target.compactor));
   copyWithVersionStamp(tpl("OPERATING_RULES.md"), target.operating);
@@ -205,8 +217,6 @@ const pathsToBackup = [
   target.operating,
   target.detSoul,
   target.compactor,
-  // NOTE: we do NOT back up SOUL.md here because install never modifies it.
-  // If you later add an "enable" flow that edits SOUL.md, that command should back it up there.
   target.config,
 ];

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sdotwinter/openclaw-deterministic",
-  "version": "0.14.0",
+  "version": "0.16.0",
   "description": "Deterministic governance and memory compaction layer for OpenClaw",
   "keywords": [
     "openclaw",