@svrnsec/pulse 0.3.1 → 0.5.0

package/bin/svrnsec-pulse.js

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+/**
+ * svrnsec-pulse CLI
+ * Usage: npx svrnsec-pulse <command> [options]
+ */
+import { run } from '../src/cli/runner.js';
+run(process.argv.slice(2));

package/index.d.ts

@@ -714,3 +714,133 @@ export interface ExtendedPulseCommitment extends PulseCommitment {
     llm:  LlmResult  | null;
   };
 }
+
+// =============================================================================
+// TrustScore
+// =============================================================================
+
+export interface TrustScoreBreakdown {
+  pts: number;
+  max: number;
+  [key: string]: unknown;
+}
+
+export interface TrustScorePenalty {
+  signal: string;
+  reason: string;
+  cap: number;
+}
+
+export interface TrustScoreBonus {
+  signal: string;
+  reason: string;
+  pts: number;
+}
+
+export interface TrustScore {
+  score: number;
+  grade: 'A' | 'B' | 'C' | 'D' | 'F';
+  label: 'Trusted' | 'Verified' | 'Marginal' | 'Suspicious' | 'Blocked';
+  color: string;
+  hardCap: number | null;
+  breakdown: {
+    physics: TrustScoreBreakdown;
+    enf:     TrustScoreBreakdown;
+    gpu:     TrustScoreBreakdown;
+    dram:    TrustScoreBreakdown;
+    bio:     TrustScoreBreakdown;
+  };
+  penalties: TrustScorePenalty[];
+  bonuses:   TrustScoreBonus[];
+  signals: {
+    physics: number;
+    enf:     number;
+    gpu:     number;
+    dram:    number;
+    bio:     number;
+  };
+}
+
+export declare function computeTrustScore(
+  payload: ProofPayload,
+  extended?: { enf?: EnfResult; gpu?: GpuEntropyResult; dram?: DramResult; llm?: LlmResult }
+): TrustScore;
+
+export declare function formatTrustScore(ts: TrustScore): string;
+
+// =============================================================================
+// HMAC-Signed Challenge
+// =============================================================================
+
+export interface SignedChallenge {
+  nonce:     string;
+  issuedAt:  number;
+  expiresAt: number;
+  sig:       string;
+}
+
+export interface ChallengeVerifyResult {
+  valid:   boolean;
+  reason?: string;
+}
+
+export declare function createChallenge(
+  secret: string,
+  opts?: { ttlMs?: number; nonce?: string }
+): SignedChallenge;
+
+export declare function verifyChallenge(
+  challenge: SignedChallenge,
+  secret: string,
+  opts?: { checkNonce?: (nonce: string) => Promise<boolean> }
+): Promise<ChallengeVerifyResult>;
+
+export declare function embedChallenge(challenge: SignedChallenge, payload: ProofPayload): ProofPayload;
+export declare function extractChallenge(payload: ProofPayload): SignedChallenge;
+export declare function generateSecret(): string;
+
+// =============================================================================
+// React Native Hook
+// =============================================================================
+
+export interface TremorResult {
+  tremorPresent: boolean;
+  tremorPower:   number;
+  rmsNoise:      number;
+  sampleRate:    number;
+  gyroNoise:     number;
+  isStatic:      boolean;
+}
+
+export interface TouchAnalysis {
+  humanConf:    number;
+  dwellMean:    number;
+  dwellCV:      number;
+  sampleCount:  number;
+}
+
+export interface UsePulseNativeOptions {
+  challengeUrl?: string;
+  verifyUrl?:    string;
+  apiKey?:       string;
+  sensorMs?:     number;
+  autoRun?:      boolean;
+  onResult?:     (trustScore: TrustScore, proof: object) => void;
+  onError?:      (error: Error) => void;
+}
+
+export interface UsePulseNativeReturn {
+  run:         () => Promise<void>;
+  reset:       () => void;
+  isRunning:   boolean;
+  stage:       string | null;
+  pct:         number;
+  trustScore:  TrustScore | null;
+  tremor:      TremorResult | null;
+  touches:     TouchAnalysis | null;
+  proof:       object | null;
+  error:       Error | null;
+  panHandlers: object | null;
+}
+
+export declare function usePulseNative(opts?: UsePulseNativeOptions): UsePulseNativeReturn;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@svrnsec/pulse",
-  "version": "0.3.1",
-  "description": "Physical Turing Test — Hardware-Biological Symmetry Protocol distinguishing real consumer devices from sanitised datacenter VMs.",
+  "version": "0.5.0",
+  "description": "Physical Turing Test — Idle attestation, population-level Sybil detection, and engagement tokens that defeat click farms at the physics layer.",
   "type": "module",
   "license": "MIT",
   "author": "Aaron Miller",
@@ -14,6 +14,9 @@
     "url": "https://github.com/ayronny14-alt/Svrn-Pulse-Security/issues"
   },
   "types": "index.d.ts",
+  "bin": {
+    "svrnsec-pulse": "./bin/svrnsec-pulse.js"
+  },
   "publishConfig": {
     "access": "public",
     "registry": "https://registry.npmjs.org/"
@@ -21,28 +24,39 @@
   "exports": {
     ".": {
       "browser": "./dist/pulse.esm.js",
-      "import": "./dist/pulse.esm.js",
+      "import":  "./dist/pulse.esm.js",
       "require": "./dist/pulse.cjs.js"
     },
     "./validator": {
-      "node": "./src/proof/validator.js",
+      "node":   "./src/proof/validator.js",
       "import": "./src/proof/validator.js"
     },
+    "./challenge": {
+      "node":   "./src/proof/challenge.js",
+      "import": "./src/proof/challenge.js"
+    },
+    "./trust": {
+      "import": "./src/analysis/trustScore.js",
+      "node":   "./src/analysis/trustScore.js"
+    },
     "./registry": {
       "import": "./src/registry/serializer.js",
-      "node": "./src/registry/serializer.js"
+      "node":   "./src/registry/serializer.js"
     },
     "./middleware/express": {
       "import": "./src/middleware/express.js",
-      "node": "./src/middleware/express.js"
+      "node":   "./src/middleware/express.js"
     },
     "./middleware/next": {
       "import": "./src/middleware/next.js",
-      "node": "./src/middleware/next.js"
+      "node":   "./src/middleware/next.js"
     },
     "./react": {
       "import": "./src/integrations/react.js"
     },
+    "./react-native": {
+      "import": "./src/integrations/react-native.js"
+    },
     "./gpu": {
       "import": "./src/collector/gpu.js"
     },
@@ -57,40 +71,59 @@
     },
     "./enf": {
       "import": "./src/collector/enf.js"
+    },
+    "./idle": {
+      "import": "./src/collector/idleAttestation.js",
+      "node":   "./src/collector/idleAttestation.js"
+    },
+    "./population": {
+      "import": "./src/analysis/populationEntropy.js",
+      "node":   "./src/analysis/populationEntropy.js"
+    },
+    "./engage": {
+      "import": "./src/proof/engagementToken.js",
+      "node":   "./src/proof/engagementToken.js"
     }
   },
-  "main": "dist/pulse.cjs.js",
+  "main":   "dist/pulse.cjs.js",
   "module": "dist/pulse.esm.js",
   "files": [
     "dist/",
     "pkg/",
+    "bin/",
+    "src/",
     "index.d.ts",
-    "src/proof/validator.js",
-    "src/proof/fingerprint.js",
-    "src/middleware/express.js",
-    "src/middleware/next.js",
-    "src/registry/serializer.js",
-    "src/integrations/react.js",
     "SECURITY.md"
   ],
   "scripts": {
     "build:wasm": "bash build.sh",
-    "build:js": "rollup -c rollup.config.js",
-    "build": "npm run build:wasm && npm run build:js",
-    "dev": "rollup -c rollup.config.js --watch",
-    "test": "node --experimental-vm-modules ./node_modules/jest-cli/bin/jest.js",
-    "demo": "node demo/node-demo.js"
+    "build:js":   "rollup -c rollup.config.js",
+    "build":      "npm run build:wasm && npm run build:js",
+    "dev":        "rollup -c rollup.config.js --watch",
+    "test":       "node --experimental-vm-modules ./node_modules/jest-cli/bin/jest.js",
+    "demo":       "node demo/node-demo.js",
+    "scan":       "node bin/svrnsec-pulse.js scan"
   },
   "dependencies": {
     "@noble/hashes": "^1.4.0"
   },
   "devDependencies": {
-    "@rollup/plugin-commonjs": "^25.0.0",
+    "@rollup/plugin-commonjs":     "^25.0.0",
     "@rollup/plugin-node-resolve": "^15.0.0",
-    "@rollup/plugin-wasm": "^6.2.2",
-    "@types/jest": "^29.0.0",
-    "jest": "^29.0.0",
-    "rollup": "^4.0.0"
+    "@rollup/plugin-wasm":         "^6.2.2",
+    "@types/jest":                 "^29.0.0",
+    "jest":                        "^29.0.0",
+    "rollup":                      "^4.0.0"
+  },
+  "peerDependencies": {
+    "react":        ">=17.0.0",
+    "react-native": ">=0.70.0",
+    "expo-sensors": ">=13.0.0"
+  },
+  "peerDependenciesMeta": {
+    "react":        { "optional": true },
+    "react-native": { "optional": true },
+    "expo-sensors": { "optional": true }
   },
   "keywords": [
     "physical-turing-test",
@@ -105,7 +138,19 @@
     "dram-detection",
     "llm-detection",
     "ai-agent-detection",
-    "behavioral-biometrics"
+    "behavioral-biometrics",
+    "trust-score",
+    "hmac-challenge",
+    "react-native",
+    "mobile-security",
+    "enf-detection",
+    "cli",
+    "click-farm-detection",
+    "idle-attestation",
+    "engagement-token",
+    "sybil-detection",
+    "invalid-traffic",
+    "proof-of-idle"
   ],
   "engines": {
     "node": ">=18.0.0"

package/src/analysis/audio.js

@@ -0,0 +1,213 @@
+/**
+ * @sovereign/pulse — AudioContext Oscillator Jitter
+ *
+ * Measures the scheduling jitter of the browser's audio pipeline.
+ * Real audio hardware callbacks are driven by a hardware interrupt (IRQ)
+ * from the sound card; the timing reflects the actual interrupt latency
+ * of the physical device.  VM audio drivers (if present at all) are
+ * emulated and show either unrealistically low jitter or burst-mode
+ * scheduling artefacts that are statistically distinguishable.
+ */
+
+/**
+ * @param {object} [opts]
+ * @param {number} [opts.durationMs=2000]  - how long to collect audio callbacks
+ * @param {number} [opts.bufferSize=256]   - ScriptProcessorNode buffer size
+ * @returns {Promise<AudioJitter>}
+ */
+export async function collectAudioJitter(opts = {}) {
+  const { durationMs = 2000, bufferSize = 256 } = opts;
+
+  const base = {
+    available:         false,
+    workletAvailable:  false,
+    callbackJitterCV:  0,
+    noiseFloorMean:    0,
+    sampleRate:        0,
+    callbackCount:     0,
+    jitterTimings:     [],
+  };
+
+  if (typeof AudioContext === 'undefined' && typeof webkitAudioContext === 'undefined') {
+    return base; // Node.js / server environment
+  }
+
+  let ctx;
+  try {
+    ctx = new (window.AudioContext || window.webkitAudioContext)();
+  } catch (_) {
+    return base;
+  }
+
+  // Some browsers require a user gesture before AudioContext can run.
+  if (ctx.state === 'suspended') {
+    try {
+      await ctx.resume();
+    } catch (_) {
+      await ctx.close().catch(() => {});
+      return base;
+    }
+  }
+
+  const sampleRate       = ctx.sampleRate;
+  const expectedInterval = (bufferSize / sampleRate) * 1000; // ms per callback
+
+  const jitterTimings = []; // absolute AudioContext.currentTime at each callback
+  const callbackDeltas = [];
+
+  const result = await new Promise((resolve) => {
+    // ── AudioWorklet (preferred — runs on dedicated real-time thread) ──────
+    const useWorklet = typeof AudioWorkletNode !== 'undefined';
+    base.workletAvailable = useWorklet;
+
+    if (useWorklet) {
+      // Inline worklet: send currentTime back via MessagePort every buffer
+      const workletCode = `
+        class PulseProbe extends AudioWorkletProcessor {
+          process(inputs, outputs) {
+            this.port.postMessage({ t: currentTime });
+            // Pass-through silence
+            for (const out of outputs)
+              for (const ch of out) ch.fill(0);
+            return true;
+          }
+        }
+        registerProcessor('pulse-probe', PulseProbe);
+      `;
+      const blob    = new Blob([workletCode], { type: 'application/javascript' });
+      const blobUrl = URL.createObjectURL(blob);
+
+      ctx.audioWorklet.addModule(blobUrl).then(() => {
+        const node = new AudioWorkletNode(ctx, 'pulse-probe');
+        node.port.onmessage = (e) => {
+          jitterTimings.push(e.data.t * 1000); // convert to ms
+        };
+        node.connect(ctx.destination);
+
+        setTimeout(async () => {
+          node.disconnect();
+          URL.revokeObjectURL(blobUrl);
+          resolve(node);
+        }, durationMs);
+      }).catch(() => {
+        URL.revokeObjectURL(blobUrl);
+        _fallbackScriptProcessor(ctx, bufferSize, durationMs, jitterTimings, resolve);
+      });
+
+    } else {
+      _fallbackScriptProcessor(ctx, bufferSize, durationMs, jitterTimings, resolve);
+    }
+  });
+
+  // ── Compute deltas between successive callback times ────────────────────
+  for (let i = 1; i < jitterTimings.length; i++) {
+    callbackDeltas.push(jitterTimings[i] - jitterTimings[i - 1]);
+  }
+
+  // ── Noise floor via AnalyserNode ─────────────────────────────────────────
+  // Feed a silent oscillator through an analyser; the FFT magnitude at silence
+  // reveals the hardware's thermal noise floor (varies per ADC/DAC chipset).
+  const noiseFloor = await _measureNoiseFloor(ctx);
+
+  await ctx.close().catch(() => {});
+
+  // ── Statistics ────────────────────────────────────────────────────────────
+  const mean = callbackDeltas.length
+    ? callbackDeltas.reduce((s, v) => s + v, 0) / callbackDeltas.length
+    : 0;
+  const variance = callbackDeltas.length > 1
+    ? callbackDeltas.reduce((s, v) => s + (v - mean) ** 2, 0) / (callbackDeltas.length - 1)
+    : 0;
+  const jitterCV = mean > 0 ? Math.sqrt(variance) / mean : 0;
+
+  return {
+    available:         true,
+    workletAvailable:  base.workletAvailable,
+    callbackJitterCV:  jitterCV,
+    noiseFloorMean:    noiseFloor.mean,
+    noiseFloorStd:     noiseFloor.std,
+    sampleRate,
+    callbackCount:     jitterTimings.length,
+    expectedIntervalMs: expectedInterval,
+    // Only include summary stats, not raw timings (privacy / size)
+    jitterMeanMs:      mean,
+    jitterP95Ms:       _percentile(callbackDeltas, 95),
+  };
+}
+
+/**
+ * @typedef {object} AudioJitter
+ * @property {boolean} available
+ * @property {boolean} workletAvailable
+ * @property {number}  callbackJitterCV
+ * @property {number}  noiseFloorMean
+ * @property {number}  sampleRate
+ * @property {number}  callbackCount
+ */
+
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+
+function _fallbackScriptProcessor(ctx, bufferSize, durationMs, jitterTimings, resolve) {
+  // ScriptProcessorNode is deprecated but universally supported.
+  const proc = ctx.createScriptProcessor(bufferSize, 1, 1);
+  proc.onaudioprocess = () => {
+    jitterTimings.push(ctx.currentTime * 1000);
+  };
+  // Connect to keep the graph alive
+  const osc = ctx.createOscillator();
+  osc.frequency.value = 1; // sub-audible
+  osc.connect(proc);
+  proc.connect(ctx.destination);
+  osc.start();
+
+  setTimeout(() => {
+    osc.stop();
+    osc.disconnect();
+    proc.disconnect();
+    resolve(proc);
+  }, durationMs);
+}
+
+async function _measureNoiseFloor(ctx) {
+  try {
+    const analyser = ctx.createAnalyser();
+    analyser.fftSize = 256;
+    analyser.connect(ctx.destination);
+
+    // Silent source
+    const buf  = ctx.createBuffer(1, ctx.sampleRate * 0.1, ctx.sampleRate);
+    const src  = ctx.createBufferSource();
+    src.buffer = buf;
+    src.connect(analyser);
+    src.start();
+
+    await new Promise(r => setTimeout(r, 150));
+
+    const data = new Float32Array(analyser.frequencyBinCount);
+    analyser.getFloatFrequencyData(data);
+    analyser.disconnect();
+
+    // Limit to 32 bins to keep the payload small
+    const trimmed = Array.from(data.slice(0, 32)).map(v =>
+      isFinite(v) ? Math.pow(10, v / 20) : 0 // dB → linear
+    );
+    const mean = trimmed.reduce((s, v) => s + v, 0) / trimmed.length;
+    const std  = Math.sqrt(
+      trimmed.reduce((s, v) => s + (v - mean) ** 2, 0) / trimmed.length
+    );
+    return { mean, std };
+  } catch (_) {
+    return { mean: 0, std: 0 };
+  }
+}
+
+function _percentile(arr, p) {
+  if (!arr.length) return 0;
+  const sorted = [...arr].sort((a, b) => a - b);
+  const idx    = (p / 100) * (sorted.length - 1);
+  const lo     = Math.floor(idx);
+  const hi     = Math.ceil(idx);
+  return sorted[lo] + (sorted[hi] - sorted[lo]) * (idx - lo);
+}