npm - @svrnsec/pulse - Versions diffs - 0.6.0 → 0.8.0 - Mend

@svrnsec/pulse 0.6.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

package/LICENSE +21 -21
package/README.md +883 -622
package/SECURITY.md +86 -86
package/bin/svrnsec-pulse.js +7 -7
package/dist/{pulse.cjs.js → pulse.cjs} +6379 -6420
package/dist/pulse.cjs.map +1 -0
package/dist/pulse.esm.js +6380 -6421
package/dist/pulse.esm.js.map +1 -1
package/index.d.ts +895 -846
package/package.json +185 -165
package/pkg/pulse_core.js +174 -173
package/src/analysis/audio.js +213 -213
package/src/analysis/authenticityAudit.js +408 -390
package/src/analysis/coherence.js +502 -502
package/src/analysis/coordinatedBehavior.js +825 -0
package/src/analysis/heuristic.js +428 -428
package/src/analysis/jitter.js +446 -446
package/src/analysis/llm.js +473 -472
package/src/analysis/populationEntropy.js +404 -403
package/src/analysis/provider.js +248 -248
package/src/analysis/refraction.js +392 -0
package/src/analysis/trustScore.js +356 -356
package/src/cli/args.js +36 -36
package/src/cli/commands/scan.js +192 -192
package/src/cli/runner.js +157 -157
package/src/collector/adaptive.js +200 -200
package/src/collector/bio.js +297 -287
package/src/collector/canvas.js +247 -239
package/src/collector/dram.js +203 -203
package/src/collector/enf.js +311 -311
package/src/collector/entropy.js +195 -195
package/src/collector/gpu.js +248 -245
package/src/collector/idleAttestation.js +480 -480
package/src/collector/sabTimer.js +189 -191
package/src/fingerprint.js +475 -475
package/src/index.js +342 -342
package/src/integrations/react-native.js +462 -459
package/src/integrations/react.js +184 -185
package/src/middleware/express.js +155 -155
package/src/middleware/next.js +174 -175
package/src/proof/challenge.js +249 -249
package/src/proof/engagementToken.js +426 -394
package/src/proof/fingerprint.js +268 -268
package/src/proof/validator.js +83 -143
package/src/registry/serializer.js +349 -349
package/src/terminal.js +263 -263
package/src/update-notifier.js +259 -264
package/dist/pulse.cjs.js.map +0 -1

package/src/middleware/express.js CHANGED Viewed

@@ -1,155 +1,155 @@
-/**
- * @sovereign/pulse — Express Middleware
- *
- * Drop-in middleware for Express / Fastify / Hono.
- * Handles the full challenge → verify flow in two lines of code.
- *
- * Usage:
- *
- *   import { createPulseMiddleware } from '@sovereign/pulse/middleware/express';
- *
- *   const pulse = createPulseMiddleware({ threshold: 0.6 });
- *
- *   app.get('/api/pulse/challenge', pulse.challenge);
- *   app.post('/checkout', pulse.verify, checkoutHandler);
- *
- * With Redis (recommended for production):
- *
- *   import Redis from 'ioredis';
- *   const redis = new Redis(process.env.REDIS_URL);
- *
- *   const pulse = createPulseMiddleware({
- *     threshold: 0.6,
- *     store: {
- *       set: (k, ttl) => redis.set(k, '1', 'EX', ttl),
- *       consume: (k)  => redis.del(k).then(n => n === 1),
- *     },
- *   });
- */
-import { validateProof, generateNonce } from '../proof/validator.js';
-// ---------------------------------------------------------------------------
-// In-memory nonce store (single-process / development only)
-// ---------------------------------------------------------------------------
-function createMemoryStore(ttlMs = 300_000) {
-  const store = new Map();
-  return {
-    set(key) {
-      store.set(key, Date.now() + ttlMs);
-      // Lazy cleanup — don't leak memory in long-running processes
-      if (store.size > 10_000) {
-        const now = Date.now();
-        for (const [k, exp] of store) {
-          if (exp < now) store.delete(k);
-        }
-      }
-    },
-    consume(key) {
-      const exp = store.get(key);
-      if (!exp || Date.now() > exp) return false;
-      store.delete(key);
-      return true;
-    },
-  };
-}
-// ---------------------------------------------------------------------------
-// createPulseMiddleware
-// ---------------------------------------------------------------------------
-/**
- * @param {object}   opts
- * @param {number}   [opts.threshold=0.55]          - minimum jitter score (0–1)
- * @param {number}   [opts.nonceTTL=300]             - nonce lifetime in seconds
- * @param {boolean}  [opts.requireBio=false]         - reject if no mouse/keyboard activity
- * @param {boolean}  [opts.blockSoftwareRenderer=true]
- * @param {object}   [opts.store]                    - custom nonce store (see above)
- * @param {string}   [opts.proofHeader='x-pulse-proof'] - request header name
- * @param {string}   [opts.hashHeader='x-pulse-hash']
- * @param {Function} [opts.onReject]                 - custom rejection handler
- * @param {Function} [opts.onError]                  - custom error handler
- * @returns {{ challenge: Function, verify: Function }}
- */
-export function createPulseMiddleware(opts = {}) {
-  const {
-    threshold            = 0.55,
-    nonceTTL             = 300,
-    requireBio           = false,
-    blockSoftwareRenderer = true,
-    proofHeader          = 'x-pulse-proof',
-    hashHeader           = 'x-pulse-hash',
-    onReject,
-    onError,
-  } = opts;
-  // Allow external store (Redis, etc.) or default to in-memory
-  const store = opts.store ?? createMemoryStore(nonceTTL * 1000);
-  // ── challenge — GET /api/pulse/challenge ──────────────────────────────────
-  async function challenge(req, res) {
-    try {
-      const nonce = generateNonce();
-      await store.set(`pulse:${nonce}`);
-      res.json({ nonce, expiresIn: nonceTTL });
-    } catch (err) {
-      if (onError) return onError(err, req, res);
-      res.status(500).json({ error: 'Failed to generate challenge' });
-    }
-  }
-  // ── verify — middleware for protected routes ───────────────────────────────
-  async function verify(req, res, next) {
-    try {
-      // Support both header and body delivery
-      let payload, hash;
-      if (req.headers[proofHeader]) {
-        try   { payload = JSON.parse(req.headers[proofHeader]); }
-        catch { return _reject(res, 400, 'MALFORMED_PROOF_HEADER', 'Could not parse x-pulse-proof header as JSON', onReject, req); }
-        hash = req.headers[hashHeader];
-      } else if (req.body?.pulsePayload) {
-        payload = req.body.pulsePayload;
-        hash    = req.body.pulseHash;
-      } else {
-        return _reject(res, 401, 'MISSING_PROOF', 'No pulse proof found in headers or body', onReject, req);
-      }
-      if (!hash) {
-        return _reject(res, 401, 'MISSING_HASH', 'No pulse hash provided', onReject, req);
-      }
-      const result = await validateProof(payload, hash, {
-        minJitterScore: threshold,
-        requireBio,
-        blockSoftwareRenderer,
-        checkNonce: async (n) => store.consume(`pulse:${n}`),
-      });
-      if (!result.valid) {
-        return _reject(res, 403, 'PROOF_INVALID', result.reasons.join('; '), onReject, req, result);
-      }
-      // Attach result to request for downstream handlers
-      req.pulse = result;
-      next();
-    } catch (err) {
-      if (onError) return onError(err, req, res, next);
-      res.status(500).json({ error: 'Pulse verification error' });
-    }
-  }
-  return { challenge, verify };
-}
-// ---------------------------------------------------------------------------
-// Internal helpers
-// ---------------------------------------------------------------------------
-function _reject(res, status, code, message, customHandler, req, result = {}) {
-  if (customHandler) {
-    return customHandler(req, res, { code, message, ...result });
-  }
-  res.status(status).json({ error: code, message, ...result });
-}
+/**
+ * @svrnsec/pulse — Express Middleware
+ *
+ * Drop-in middleware for Express / Fastify / Hono.
+ * Handles the full challenge → verify flow in two lines of code.
+ *
+ * Usage:
+ *
+ *   import { createPulseMiddleware } from '@svrnsec/pulse/middleware/express';
+ *
+ *   const pulse = createPulseMiddleware({ threshold: 0.6 });
+ *
+ *   app.get('/api/pulse/challenge', pulse.challenge);
+ *   app.post('/checkout', pulse.verify, checkoutHandler);
+ *
+ * With Redis (recommended for production):
+ *
+ *   import Redis from 'ioredis';
+ *   const redis = new Redis(process.env.REDIS_URL);
+ *
+ *   const pulse = createPulseMiddleware({
+ *     threshold: 0.6,
+ *     store: {
+ *       set: (k, ttl) => redis.set(k, '1', 'EX', ttl),
+ *       consume: (k)  => redis.del(k).then(n => n === 1),
+ *     },
+ *   });
+ */
+import { validateProof, generateNonce } from '../proof/validator.js';
+// ---------------------------------------------------------------------------
+// In-memory nonce store (single-process / development only)
+// ---------------------------------------------------------------------------
+function createMemoryStore(ttlMs = 300_000) {
+  const store = new Map();
+  return {
+    set(key) {
+      store.set(key, Date.now() + ttlMs);
+      // Lazy cleanup — don't leak memory in long-running processes
+      if (store.size > 10_000) {
+        const now = Date.now();
+        for (const [k, exp] of store) {
+          if (exp < now) store.delete(k);
+        }
+      }
+    },
+    consume(key) {
+      const exp = store.get(key);
+      if (!exp || Date.now() > exp) return false;
+      store.delete(key);
+      return true;
+    },
+  };
+}
+// ---------------------------------------------------------------------------
+// createPulseMiddleware
+// ---------------------------------------------------------------------------
+/**
+ * @param {object}   opts
+ * @param {number}   [opts.threshold=0.55]          - minimum jitter score (0–1)
+ * @param {number}   [opts.nonceTTL=300]             - nonce lifetime in seconds
+ * @param {boolean}  [opts.requireBio=false]         - reject if no mouse/keyboard activity
+ * @param {boolean}  [opts.blockSoftwareRenderer=true]
+ * @param {object}   [opts.store]                    - custom nonce store (see above)
+ * @param {string}   [opts.proofHeader='x-pulse-proof'] - request header name
+ * @param {string}   [opts.hashHeader='x-pulse-hash']
+ * @param {Function} [opts.onReject]                 - custom rejection handler
+ * @param {Function} [opts.onError]                  - custom error handler
+ * @returns {{ challenge: Function, verify: Function }}
+ */
+export function createPulseMiddleware(opts = {}) {
+  const {
+    threshold            = 0.55,
+    nonceTTL             = 300,
+    requireBio           = false,
+    blockSoftwareRenderer = true,
+    proofHeader          = 'x-pulse-proof',
+    hashHeader           = 'x-pulse-hash',
+    onReject,
+    onError,
+  } = opts;
+  // Allow external store (Redis, etc.) or default to in-memory
+  const store = opts.store ?? createMemoryStore(nonceTTL * 1000);
+  // ── challenge — GET /api/pulse/challenge ──────────────────────────────────
+  async function challenge(req, res) {
+    try {
+      const nonce = generateNonce();
+      await store.set(`pulse:${nonce}`);
+      res.json({ nonce, expiresIn: nonceTTL });
+    } catch (err) {
+      if (onError) return onError(err, req, res);
+      res.status(500).json({ error: 'Failed to generate challenge' });
+    }
+  }
+  // ── verify — middleware for protected routes ───────────────────────────────
+  async function verify(req, res, next) {
+    try {
+      // Support both header and body delivery
+      let payload, hash;
+      if (req.headers[proofHeader]) {
+        try   { payload = JSON.parse(req.headers[proofHeader]); }
+        catch { return _reject(res, 400, 'MALFORMED_PROOF_HEADER', 'Could not parse x-pulse-proof header as JSON', onReject, req); }
+        hash = req.headers[hashHeader];
+      } else if (req.body?.pulsePayload) {
+        payload = req.body.pulsePayload;
+        hash    = req.body.pulseHash;
+      } else {
+        return _reject(res, 401, 'MISSING_PROOF', 'No pulse proof found in headers or body', onReject, req);
+      }
+      if (!hash) {
+        return _reject(res, 401, 'MISSING_HASH', 'No pulse hash provided', onReject, req);
+      }
+      const result = await validateProof(payload, hash, {
+        minJitterScore: threshold,
+        requireBio,
+        blockSoftwareRenderer,
+        checkNonce: async (n) => store.consume(`pulse:${n}`),
+      });
+      if (!result.valid) {
+        return _reject(res, 403, 'PROOF_INVALID', result.reasons.join('; '), onReject, req, result);
+      }
+      // Attach result to request for downstream handlers
+      req.pulse = result;
+      next();
+    } catch (err) {
+      if (onError) return onError(err, req, res, next);
+      res.status(500).json({ error: 'Pulse verification error' });
+    }
+  }
+  return { challenge, verify };
+}
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+function _reject(res, status, code, message, customHandler, req, result = {}) {
+  if (customHandler) {
+    return customHandler(req, res, { code, message, ...result });
+  }
+  res.status(status).json({ error: code, message, valid: result?.valid, reasons: result?.reasons, riskFlags: result?.riskFlags });
+}