@svrnsec/pulse 0.3.1 → 0.5.0

package/src/cli/runner.js

@@ -0,0 +1,157 @@
+/**
+ * @svrnsec/pulse CLI — main entry point
+ *
+ * Commands:
+ *   scan              run the full probe locally
+ *   challenge         generate a signed challenge nonce
+ *   version           show version and check for updates
+ *   help              show this help text
+ */
+
+import { parseArgs }      from './args.js';
+import { printBanner, checkForUpdate, CURRENT_VERSION } from '../update-notifier.js';
+
+const isTTY = () => process.stderr.isTTY && !process.env.NO_COLOR;
+const A = { reset:'\x1b[0m', gray:'\x1b[90m', bcyan:'\x1b[96m',
+  bwhite:'\x1b[97m', bmagenta:'\x1b[95m', bgreen:'\x1b[92m', byellow:'\x1b[93m' };
+const c  = (code, s) => isTTY() ? `${code}${s}${A.reset}` : s;
+const gy = (s) => c(A.gray, s);
+const cy = (s) => c(A.bcyan, s);
+const wh = (s) => c(A.bwhite, s);
+const gr = (s) => c(A.bgreen, s);
+const ye = (s) => c(A.byellow, s);
+const mg = (s) => c(A.bmagenta, s);
+
+function help() {
+  process.stderr.write(`
+${mg('SVRN')}${wh(':PULSE')}  ${gy(`v${CURRENT_VERSION}`)}  ${gy('Physical Turing Test')}
+
+${wh('Usage')}
+  ${cy('npx svrnsec-pulse')} ${gy('<command>')} ${gy('[options]')}
+
+${wh('Commands')}
+  ${cy('scan')}         Run the full probe locally and show a TrustScore
+  ${cy('challenge')}    Generate a signed HMAC challenge nonce
+  ${cy('version')}      Show version and check for updates
+  ${cy('help')}         Show this help text
+
+${wh('Scan options')}
+  ${gy('--json')}         Output raw JSON (pipe-friendly)
+  ${gy('--iterations')}   Override probe iteration count ${gy('(default: 200)')}
+  ${gy('--no-banner')}    Suppress the banner
+
+${wh('Challenge options')}
+  ${gy('--secret')}       Server secret for HMAC signing ${gy('(or set PULSE_SECRET env)')}
+  ${gy('--ttl')}          Challenge TTL in seconds ${gy('(default: 300)')}
+  ${gy('--json')}         Output raw JSON
+
+${wh('Examples')}
+  ${gy('$')} ${cy('npx svrnsec-pulse scan')}
+  ${gy('$')} ${cy('npx svrnsec-pulse scan --json | jq .trustScore.score')}
+  ${gy('$')} ${cy('npx svrnsec-pulse challenge --secret $PULSE_SECRET')}
+  ${gy('$')} ${cy('PULSE_SECRET=mysecret npx svrnsec-pulse challenge --json')}
+
+${wh('Environment')}
+  ${gy('PULSE_SECRET')}    Default server secret for challenge signing
+  ${gy('NO_COLOR')}        Disable ANSI colors
+  ${gy('PULSE_NO_UPDATE')} Disable update notifications
+
+${gy('  Docs: https://github.com/ayronny14-alt/Svrn-Pulse-Security#readme')}
+`);
+}
+
+async function cmdChallenge(args) {
+  const secret = args.get('secret') ?? process.env.PULSE_SECRET;
+  if (!secret) {
+    process.stderr.write(
+      ye('⚠ ') + 'No secret provided.\n' +
+      gy('  Pass --secret <value> or set PULSE_SECRET env var.\n') +
+      gy('  Generate one: ') + cy('npx svrnsec-pulse challenge --generate-secret\n')
+    );
+    process.exit(1);
+  }
+
+  if (args.has('generate-secret')) {
+    const { generateSecret } = await import('../proof/challenge.js');
+    const s = generateSecret();
+    if (args.has('json')) {
+      process.stdout.write(JSON.stringify({ secret: s }) + '\n');
+    } else {
+      process.stderr.write(gr('Generated secret (store in env):\n'));
+      process.stdout.write(s + '\n');
+    }
+    return;
+  }
+
+  const { createChallenge } = await import('../proof/challenge.js');
+  const ttlMs = (parseInt(args.get('ttl', '300'), 10) || 300) * 1000;
+  const challenge = createChallenge(secret, { ttlMs });
+
+  if (args.has('json')) {
+    process.stdout.write(JSON.stringify(challenge, null, 2) + '\n');
+  } else {
+    process.stderr.write('\n');
+    process.stderr.write(gy('  nonce      ') + wh(challenge.nonce) + '\n');
+    process.stderr.write(gy('  issuedAt   ') + gy(new Date(challenge.issuedAt).toISOString()) + '\n');
+    process.stderr.write(gy('  expiresAt  ') + gy(new Date(challenge.expiresAt).toISOString()) + '\n');
+    process.stderr.write(gy('  sig        ') + cy(challenge.sig) + '\n\n');
+  }
+}
+
+async function cmdVersion(args) {
+  if (args.has('json')) {
+    const { latest, updateAvailable } = await checkForUpdate({ silent: true });
+    process.stdout.write(JSON.stringify({ version: CURRENT_VERSION, latest, updateAvailable }) + '\n');
+    return;
+  }
+
+  process.stderr.write(`\n${mg('SVRN')}${wh(':PULSE')}  ${gy('v' + CURRENT_VERSION)}\n\n`);
+  const { latest, updateAvailable } = await checkForUpdate({ silent: true });
+  if (updateAvailable) {
+    process.stderr.write(ye(`  Update available: ${latest}\n`));
+    process.stderr.write(gy(`  Run: `) + cy('npm i @svrnsec/pulse@latest') + '\n');
+  } else if (latest) {
+    process.stderr.write(gr('  Up to date.\n'));
+  }
+  process.stderr.write('\n');
+}
+
+export async function run(argv = process.argv.slice(2)) {
+  const args = parseArgs(argv);
+  const cmd  = args.command ?? 'help';
+
+  try {
+    switch (cmd) {
+      case 'scan': {
+        const { runScan } = await import('./commands/scan.js');
+        await runScan(args);
+        break;
+      }
+      case 'challenge':
+      case 'ch':
+        await cmdChallenge(args);
+        break;
+      case 'version':
+      case '-v':
+      case '--version':
+        await cmdVersion(args);
+        break;
+      case 'help':
+      case '-h':
+      case '--help':
+        help();
+        break;
+      default:
+        process.stderr.write(ye(`Unknown command: ${cmd}\n`));
+        help();
+        process.exit(1);
+    }
+  } catch (err) {
+    process.stderr.write(
+      c(A.bmagenta + '\x1b[1m', 'SVRN:PULSE error') + '\n' +
+      gy(err.message) + '\n'
+    );
+    if (process.env.DEBUG) process.stderr.write(err.stack + '\n');
+    process.exit(1);
+  }
+}

package/src/collector/adaptive.js

@@ -0,0 +1,200 @@
+/**
+ * @sovereign/pulse — Adaptive Entropy Probe
+ *
+ * Runs the WASM probe in batches and stops early once the signal is decisive.
+ *
+ * Why this works:
+ *   A KVM VM with QE=1.27 and lag-1 autocorr=0.67 is unambiguously a VM after
+ *   just 50 iterations.  Running 200 iterations confirms what was already obvious
+ *   at 50 — it adds no new information but wastes 3 seconds of user time.
+ *
+ *   Conversely, a physical device with healthy entropy needs more data to
+ *   rule out edge cases, so it runs longer.
+ *
+ * Speed profile:
+ *   Obvious VM  (QE < 1.5,  lag1 > 0.60)  →  stops at  50 iters  →  ~0.9s  (75% faster)
+ *   Clear HW    (QE > 3.5,  lag1 < 0.10)  →  stops at ~100 iters  →  ~1.8s  (50% faster)
+ *   Ambiguous   (borderline metrics)       →  runs full 200 iters  →  ~3.5s  (same)
+ */
+
+import { detectQuantizationEntropy } from '../analysis/jitter.js';
+
+// ---------------------------------------------------------------------------
+// Quick classifier (cheap, runs after every batch)
+// ---------------------------------------------------------------------------
+
+/**
+ * Fast signal-quality check.  No Hurst, no thermal analysis — just the three
+ * metrics that converge quickest: QE, CV, and lag-1 autocorrelation.
+ *
+ * @param {number[]} timings
+ * @returns {{ vmConf: number, hwConf: number, qe: number, cv: number, lag1: number }}
+ */
+export function quickSignal(timings) {
+  const n    = timings.length;
+  const mean = timings.reduce((s, v) => s + v, 0) / n;
+  const variance = timings.reduce((s, v) => s + (v - mean) ** 2, 0) / n;
+  const cv   = mean > 0 ? Math.sqrt(variance) / mean : 0;
+  const qe   = detectQuantizationEntropy(timings);
+
+  // Pearson autocorrelation at lag-1 (O(n), fits in a single pass)
+  let num = 0, da = 0, db = 0;
+  for (let i = 0; i < n - 1; i++) {
+    const a = timings[i]     - mean;
+    const b = timings[i + 1] - mean;
+    num += a * b;
+    da  += a * a;
+    db  += b * b;
+  }
+  const lag1 = Math.sqrt(da * db) < 1e-14 ? 0 : num / Math.sqrt(da * db);
+
+  // VM confidence: each factor independently identifies the hypervisor footprint
+  const vmConf = Math.min(1,
+    (qe   < 1.50 ? 0.40 : qe   < 2.00 ? 0.20 : 0.0) +
+    (lag1 > 0.60 ? 0.35 : lag1 > 0.40 ? 0.18 : 0.0) +
+    (cv   < 0.04 ? 0.25 : cv   < 0.07 ? 0.10 : 0.0)
+  );
+
+  // HW confidence: must see all three positive signals together
+  const hwConf = Math.min(1,
+    (qe   > 3.50 ? 0.38 : qe   > 3.00 ? 0.22 : 0.0) +
+    (Math.abs(lag1) < 0.10 ? 0.32 : Math.abs(lag1) < 0.20 ? 0.15 : 0.0) +
+    (cv   > 0.10 ? 0.30 : cv   > 0.07 ? 0.14 : 0.0)
+  );
+
+  return { vmConf, hwConf, qe, cv, lag1 };
+}
+
+// ---------------------------------------------------------------------------
+// collectEntropyAdaptive
+// ---------------------------------------------------------------------------
+
+/**
+ * @param {object}   opts
+ * @param {number}   [opts.minIterations=50]        - never stop before this
+ * @param {number}   [opts.maxIterations=200]        - hard cap
+ * @param {number}   [opts.batchSize=25]             - WASM call granularity
+ * @param {number}   [opts.vmThreshold=0.85]         - stop early if VM confidence ≥ this
+ * @param {number}   [opts.hwThreshold=0.80]         - stop early if HW confidence ≥ this
+ * @param {number}   [opts.hwMinIterations=75]        - physical needs more data to confirm
+ * @param {number}   [opts.matrixSize=64]
+ * @param {Function} [opts.onBatch]                  - called after each batch with interim signal
+ * @param {string}   [opts.wasmPath]
+ * @param {Function}  wasmModule                     - pre-initialised WASM module
+ * @returns {Promise<AdaptiveEntropyResult>}
+ */
+export async function collectEntropyAdaptive(wasmModule, opts = {}) {
+  const {
+    minIterations  = 50,
+    maxIterations  = 200,
+    batchSize      = 25,
+    vmThreshold    = 0.85,
+    hwThreshold    = 0.80,
+    hwMinIterations = 75,
+    matrixSize     = 64,
+    onBatch,
+  } = opts;
+
+  const wasm       = wasmModule;
+  const allTimings = [];
+  const batches    = [];       // per-batch timing snapshots
+  let   stoppedAt  = null;    // { reason, iterations, vmConf, hwConf }
+  let   checksum   = 0;
+
+  const t_start = Date.now();
+
+  while (allTimings.length < maxIterations) {
+    const n      = Math.min(batchSize, maxIterations - allTimings.length);
+    const result = wasm.run_entropy_probe(n, matrixSize);
+    const chunk  = Array.from(result.timings);
+
+    allTimings.push(...chunk);
+    checksum += result.checksum;
+
+    const sig = quickSignal(allTimings);
+    batches.push({ iterations: allTimings.length, ...sig });
+
+    // Fire progress callback with live signal so callers can stream to UI
+    if (typeof onBatch === 'function') {
+      try {
+        onBatch({
+          iterations:   allTimings.length,
+          maxIterations,
+          pct:          Math.round(allTimings.length / maxIterations * 100),
+          vmConf:       sig.vmConf,
+          hwConf:       sig.hwConf,
+          qe:           sig.qe,
+          cv:           sig.cv,
+          lag1:         sig.lag1,
+          // Thresholds: 0.70 — high enough that a legitimate device won't be
+        // shown a false early verdict from a noisy first batch.
+        // 'borderline' surfaces when one axis is moderate but not decisive.
+        earlyVerdict: sig.vmConf > 0.70 ? 'vm'
+          : sig.hwConf > 0.70 ? 'physical'
+          : (sig.vmConf > 0.45 || sig.hwConf > 0.45) ? 'borderline'
+          : 'uncertain',
+        });
+      } catch {}
+    }
+
+    // ── Early-exit checks ──────────────────────────────────────────────────
+    if (allTimings.length < minIterations) continue;
+
+    if (sig.vmConf >= vmThreshold) {
+      stoppedAt = { reason: 'VM_SIGNAL_DECISIVE', vmConf: sig.vmConf, hwConf: sig.hwConf };
+      break;
+    }
+
+    if (allTimings.length >= hwMinIterations && sig.hwConf >= hwThreshold) {
+      stoppedAt = { reason: 'PHYSICAL_SIGNAL_DECISIVE', vmConf: sig.vmConf, hwConf: sig.hwConf };
+      break;
+    }
+  }
+
+  const elapsed          = Date.now() - t_start;
+  const iterationsRan    = allTimings.length;
+  const iterationsSaved  = maxIterations - iterationsRan;
+  const speedupFactor    = maxIterations / iterationsRan;
+
+  // ── Resolution probe using cached WASM call ────────────────────────────
+  const resResult     = wasm.run_entropy_probe(1, 4); // tiny probe for resolution
+  const resProbe      = Array.from(resResult.resolution_probe ?? []);
+
+  const resDeltas = [];
+  for (let i = 1; i < resProbe.length; i++) {
+    const d = resProbe[i] - resProbe[i - 1];
+    if (d > 0) resDeltas.push(d);
+  }
+
+  return {
+    timings:          allTimings,
+    iterations:       iterationsRan,
+    maxIterations,
+    checksum:         checksum.toString(),
+    resolutionProbe:  resProbe,
+    timerGranularityMs: resDeltas.length
+      ? resDeltas.reduce((a, b) => Math.min(a, b), Infinity)
+      : null,
+    earlyExit: stoppedAt ? {
+      ...stoppedAt,
+      iterationsSaved,
+      timeSavedMs:    Math.round(iterationsSaved * (elapsed / iterationsRan)),
+      speedupFactor:  +speedupFactor.toFixed(2),
+    } : null,
+    batches,
+    elapsedMs: elapsed,
+    collectedAt: t_start,
+    matrixSize,
+    phased: false, // adaptive replaces phased for speed
+  };
+}
+
+/**
+ * @typedef {object} AdaptiveEntropyResult
+ * @property {number[]}  timings
+ * @property {number}    iterations         - how many actually ran
+ * @property {number}    maxIterations      - cap that was set
+ * @property {object|null} earlyExit        - null if ran to completion
+ * @property {object[]}  batches            - per-batch signal snapshots
+ * @property {number}    elapsedMs
+ */

package/src/collector/bio.js

@@ -0,0 +1,287 @@
+/**
+ * @sovereign/pulse — Bio-Binding Layer
+ *
+ * Captures mouse-movement micro-stutters and keystroke-cadence dynamics
+ * WHILE the hardware entropy probe is running.  Computes the
+ * "Interference Coefficient": how much human input jitters hardware timing.
+ *
+ * PRIVACY NOTE: Only timing deltas are retained.  No key labels, no raw
+ * (x, y) coordinates, no content of any kind is stored or transmitted.
+ */
+
+// ---------------------------------------------------------------------------
+// Internal state
+// ---------------------------------------------------------------------------
+const MAX_EVENTS = 500; // rolling buffer cap
+
+// ---------------------------------------------------------------------------
+// BioCollector class
+// ---------------------------------------------------------------------------
+export class BioCollector {
+  constructor() {
+    this._mouseEvents  = []; // { t: DOMHighResTimeStamp, dx, dy }
+    this._keyEvents    = []; // { t, type: 'down'|'up', dwell: ms|null }
+    this._lastKey      = {}; // keyCode → { downAt: t }
+    this._lastMouse    = null; // { t, x, y }
+    this._startTime    = null;
+    this._active       = false;
+
+    // Bound handlers (needed for removeEventListener)
+    this._onMouseMove  = this._onMouseMove.bind(this);
+    this._onKeyDown    = this._onKeyDown.bind(this);
+    this._onKeyUp      = this._onKeyUp.bind(this);
+  }
+
+  // ── Lifecycle ────────────────────────────────────────────────────────────
+
+  start() {
+    if (this._active) return;
+    this._active    = true;
+    this._startTime = performance.now();
+
+    if (typeof window !== 'undefined') {
+      window.addEventListener('pointermove', this._onMouseMove, { passive: true });
+      window.addEventListener('keydown',     this._onKeyDown,   { passive: true });
+      window.addEventListener('keyup',       this._onKeyUp,     { passive: true });
+    }
+  }
+
+  stop() {
+    if (!this._active) return;
+    this._active = false;
+
+    if (typeof window !== 'undefined') {
+      window.removeEventListener('pointermove', this._onMouseMove);
+      window.removeEventListener('keydown',     this._onKeyDown);
+      window.removeEventListener('keyup',       this._onKeyUp);
+    }
+  }
+
+  // ── Event handlers ────────────────────────────────────────────────────────
+
+  _onMouseMove(e) {
+    if (!this._active) return;
+    const t   = e.timeStamp ?? performance.now();
+    const cur = { t, x: e.clientX, y: e.clientY };
+
+    if (this._lastMouse) {
+      const dt = t - this._lastMouse.t;
+      const dx = cur.x - this._lastMouse.x;
+      const dy = cur.y - this._lastMouse.y;
+      // Only store the delta, not absolute position (privacy)
+      if (this._mouseEvents.length < MAX_EVENTS) {
+        this._mouseEvents.push({ t, dt, dx, dy,
+          pressure: e.pressure ?? 0,
+          pointerType: e.pointerType ?? 'mouse' });
+      }
+    }
+    this._lastMouse = cur;
+  }
+
+  _onKeyDown(e) {
+    if (!this._active) return;
+    const t = e.timeStamp ?? performance.now();
+    // Store timestamp keyed by code (NOT key label)
+    this._lastKey[e.code] = { downAt: t };
+  }
+
+  _onKeyUp(e) {
+    if (!this._active) return;
+    const t   = e.timeStamp ?? performance.now();
+    const rec = this._lastKey[e.code];
+    const dwell = rec ? (t - rec.downAt) : null;
+    delete this._lastKey[e.code];
+
+    if (this._keyEvents.length < MAX_EVENTS) {
+      // Only dwell time; key identity NOT stored.
+      this._keyEvents.push({ t, dwell });
+    }
+  }
+
+  // ── snapshot ─────────────────────────────────────────────────────────────
+
+  /**
+   * Returns a privacy-preserving statistical snapshot of collected bio signals.
+   * Raw events are summarised; nothing identifiable is included in the output.
+   *
+   * @param {number[]} computationTimings  - entropy probe timing array
+   * @returns {BioSnapshot}
+   */
+  snapshot(computationTimings = []) {
+    const now = performance.now();
+    const durationMs = this._startTime != null ? (now - this._startTime) : 0;
+
+    // ── Mouse statistics ────────────────────────────────────────────────
+    const iei         = this._mouseEvents.map(e => e.dt);
+    const velocities  = this._mouseEvents.map(e =>
+      e.dt > 0 ? Math.hypot(e.dx, e.dy) / e.dt : 0
+    );
+    const pressure    = this._mouseEvents.map(e => e.pressure);
+    const angJerk     = _computeAngularJerk(this._mouseEvents);
+
+    const mouseStats = {
+      sampleCount:      iei.length,
+      ieiMean:          _mean(iei),
+      ieiCV:            _cv(iei),
+      velocityP50:      _percentile(velocities, 50),
+      velocityP95:      _percentile(velocities, 95),
+      angularJerkMean:  _mean(angJerk),
+      pressureVariance: _variance(pressure),
+    };
+
+    // ── Keyboard statistics ───────────────────────────────────────────────
+    const dwellTimes = this._keyEvents.filter(e => e.dwell != null).map(e => e.dwell);
+    const iki = [];
+    for (let i = 1; i < this._keyEvents.length; i++) {
+      iki.push(this._keyEvents[i].t - this._keyEvents[i - 1].t);
+    }
+
+    const keyStats = {
+      sampleCount:   dwellTimes.length,
+      dwellMean:     _mean(dwellTimes),
+      dwellCV:       _cv(dwellTimes),
+      ikiMean:       _mean(iki),
+      ikiCV:         _cv(iki),
+    };
+
+    // ── Interference Coefficient ──────────────────────────────────────────
+    // Cross-correlate input event density with computation timing deviations.
+    // A real human on real hardware creates measurable CPU-scheduling pressure
+    // that perturbs the entropy probe's timing.
+    const interferenceCoefficient = _computeInterference(
+      this._mouseEvents,
+      this._keyEvents,
+      computationTimings,
+    );
+
+    return {
+      mouse:                   mouseStats,
+      keyboard:                keyStats,
+      interferenceCoefficient,
+      durationMs,
+      hasActivity:             iei.length > 5 || dwellTimes.length > 2,
+    };
+  }
+}
+
+/**
+ * @typedef {object} BioSnapshot
+ * @property {object}  mouse
+ * @property {object}  keyboard
+ * @property {number}  interferenceCoefficient  – [−1, 1]; higher = more human
+ * @property {number}  durationMs
+ * @property {boolean} hasActivity
+ */
+
+// ---------------------------------------------------------------------------
+// Statistical helpers (private)
+// ---------------------------------------------------------------------------
+
+function _mean(arr) {
+  if (!arr.length) return 0;
+  return arr.reduce((a, b) => a + b, 0) / arr.length;
+}
+
+function _variance(arr) {
+  if (arr.length < 2) return 0;
+  const m = _mean(arr);
+  return arr.reduce((s, v) => s + (v - m) ** 2, 0) / (arr.length - 1);
+}
+
+function _cv(arr) {
+  if (!arr.length) return 0;
+  const m = _mean(arr);
+  if (m === 0) return 0;
+  return Math.sqrt(_variance(arr)) / Math.abs(m);
+}
+
+function _percentile(sorted, p) {
+  const arr = [...sorted].sort((a, b) => a - b);
+  if (!arr.length) return 0;
+  const idx = (p / 100) * (arr.length - 1);
+  const lo  = Math.floor(idx);
+  const hi  = Math.ceil(idx);
+  return arr[lo] + (arr[hi] - arr[lo]) * (idx - lo);
+}
+
+/** Angular jerk: second derivative of movement direction (radians / s²) */
+function _computeAngularJerk(events) {
+  if (events.length < 3) return [];
+  const angles = [];
+  for (let i = 0; i < events.length; i++) {
+    const { dx, dy } = events[i];
+    angles.push(Math.atan2(dy, dx));
+  }
+  const d1 = [];
+  for (let i = 1; i < angles.length; i++) {
+    const dt = events[i].dt || 1;
+    d1.push((angles[i] - angles[i - 1]) / dt);
+  }
+  const d2 = [];
+  for (let i = 1; i < d1.length; i++) {
+    const dt = events[i].dt || 1;
+    d2.push(Math.abs((d1[i] - d1[i - 1]) / dt));
+  }
+  return d2;
+}
+
+/**
+ * Interference Coefficient
+ *
+ * For each computation sample, check whether an input event occurred within
+ * ±16 ms (one animation frame).  Build two parallel series:
+ *   X[i] = 1 if input near sample i, else 0
+ *   Y[i] = deviation of timing[i] from mean timing
+ * Return the Pearson correlation between X and Y.
+ * A real human on real hardware produces positive correlation (input events
+ * cause measurable CPU scheduling perturbations).
+ */
+function _computeInterference(mouseEvents, keyEvents, timings) {
+  if (!timings.length) return 0;
+
+  const allInputTimes = [
+    ...mouseEvents.map(e => e.t),
+    ...keyEvents.map(e => e.t),
+  ].sort((a, b) => a - b);
+
+  if (!allInputTimes.length) return 0;
+
+  const WINDOW_MS = 16;
+  const meanTiming = _mean(timings);
+
+  // We need absolute timestamps for the probe samples.
+  // We don't have them directly – use relative index spacing as a proxy.
+  // The entropy probe runs for ~(mean * n) ms starting at collectedAt.
+  // This is a statistical approximation; the exact alignment improves
+  // when callers pass `collectedAt` from the entropy result.
+  // For now we distribute samples evenly across the collection window.
+  const first = allInputTimes[0];
+  const last  = allInputTimes[allInputTimes.length - 1];
+  const span  = Math.max(last - first, 1);
+
+  const X = timings.map((_, i) => {
+    const tSample = first + (i / timings.length) * span;
+    return allInputTimes.some(t => Math.abs(t - tSample) < WINDOW_MS) ? 1 : 0;
+  });
+
+  const Y = timings.map(t => t - meanTiming);
+
+  return _pearson(X, Y);
+}
+
+function _pearson(X, Y) {
+  const n   = X.length;
+  if (n < 2) return 0;
+  const mx  = _mean(X);
+  const my  = _mean(Y);
+  let num = 0, da = 0, db = 0;
+  for (let i = 0; i < n; i++) {
+    const a = X[i] - mx;
+    const b = Y[i] - my;
+    num += a * b;
+    da  += a * a;
+    db  += b * b;
+  }
+  const denom = Math.sqrt(da * db);
+  return denom < 1e-14 ? 0 : num / denom;
+}