@svrnsec/pulse 0.7.0 → 0.9.0

package/src/proof/validator.js

@@ -2,79 +2,74 @@
  * @svrnsec/pulse — Server-Side Validator
  *
  * Verifies a ProofPayload + BLAKE3 commitment received from the client.
- * This module is for NODE.JS / SERVER use only.  It should NOT be bundled
- * into the browser build (see package.json "exports" field).
- *
- * Trust model:
- *   • The server issues a challenge `nonce` before the client runs pulse().
- *   • The client returns { payload, hash }.
- *   • The server calls validateProof(payload, hash, options) to:
- *       1. Verify hash integrity (no tampering).
- *       2. Verify nonce freshness (no replay).
- *       3. Verify timestamp recency.
- *       4. Check jitter score against thresholds.
- *       5. Check canvas fingerprint against software-renderer blocklist.
- *       6. Cross-validate signal consistency.
- *
- * NOTE: The server NEVER sees raw timing arrays or mouse coordinates.
- * Only statistical summaries are transmitted.  This is the ZK property.
+ * This module is for NODE.JS / SERVER use only.
  */
 
 import { blake3 }        from '@noble/hashes/blake3';
 import { bytesToHex }    from '@noble/hashes/utils';
-import { randomFillSync } from 'node:crypto';
+import { randomFillSync, timingSafeEqual } from 'node:crypto';
 import { canonicalJson } from './fingerprint.js';
 import { computeServerDynamicThreshold } from '../analysis/coherence.js';
 
 // ---------------------------------------------------------------------------
-// Known software / virtual renderer substring patterns (lowercase)
+// Known software / virtual renderer patterns
 // ---------------------------------------------------------------------------
 const VM_RENDERER_BLOCKLIST = [
-  // Software / virtual renderers
   'llvmpipe', 'swiftshader', 'softpipe', 'mesa offscreen',
   'microsoft basic render', 'vmware svga', 'vmware', 'virtualbox',
   'parallels', 'chromium swiftshader', 'google swiftshader',
-  'angle (', 'cirrussm', 'qxl', 'virtio', 'bochs',
-  // NVIDIA datacenter / inference — no consumer unit has these
-  'nvidia t4',     // AWS/GCP inference VM
-  'nvidia a10g',   // AWS g5 inference
-  'nvidia a100',   // Datacenter A100
-  'nvidia h100',   // Hopper — datacenter only
-  'nvidia h200',   // Hopper successor — datacenter only
-  'nvidia b100',   // Blackwell — datacenter only
-  'nvidia b200',   // Blackwell Ultra — datacenter only
-  'nvidia gh200',  // Grace-Hopper superchip
-  // AMD datacenter / HPC — no consumer has these
-  'amd instinct',  // covers mi100, mi200, mi250, mi300 family
-  'amd mi300',
-  'amd mi250',
-  'amd mi200',
-  // Cloud-specific AI accelerators
-  'aws inferentia',
-  'aws trainium',
-  'google tpu',
+  'cirrussm', 'qxl', 'virtio', 'bochs',
+  'nvidia t4', 'nvidia a10g', 'nvidia a100', 'nvidia h100',
+  'nvidia h200', 'nvidia b100', 'nvidia b200', 'nvidia gh200',
+  'amd instinct', 'amd mi300', 'amd mi250', 'amd mi200',
+  'aws inferentia', 'aws trainium', 'google tpu',
 ];
 
+// ANGLE with software backend — match only software variants, not real hardware through ANGLE
+const VM_RENDERER_REGEX = [
+  /angle\s*\(.*software/i,
+];
+
+// ---------------------------------------------------------------------------
+// Recursive prototype pollution guard
+// ---------------------------------------------------------------------------
+function _checkProtoPollution(obj, depth = 0) {
+  if (depth > 10 || obj === null || typeof obj !== 'object') return false;
+  if (Array.isArray(obj)) {
+    for (const item of obj) {
+      if (_checkProtoPollution(item, depth + 1)) return true;
+    }
+    return false;
+  }
+  if (
+    Object.prototype.hasOwnProperty.call(obj, '__proto__') ||
+    Object.prototype.hasOwnProperty.call(obj, 'constructor') ||
+    Object.prototype.hasOwnProperty.call(obj, 'prototype')
+  ) {
+    return true;
+  }
+  for (const key of Object.keys(obj)) {
+    if (typeof obj[key] === 'object' && obj[key] !== null) {
+      if (_checkProtoPollution(obj[key], depth + 1)) return true;
+    }
+  }
+  return false;
+}
+
 // ---------------------------------------------------------------------------
 // validateProof
 // ---------------------------------------------------------------------------
 
 /**
- * Validates a client-submitted proof.
- *
  * @param {import('./fingerprint.js').ProofPayload} payload
- * @param {string}  receivedHash  - hex BLAKE3 from the client
+ * @param {string}  receivedHash
  * @param {object}  [opts]
- * @param {number}  [opts.minJitterScore=0.55]     - minimum acceptable jitter score
- * @param {number}  [opts.maxAgeMs=300_000]         - max payload age (5 min)
- * @param {number}  [opts.clockSkewMs=30_000]        - tolerated future timestamp drift
- * @param {boolean} [opts.requireBio=false]          - reject if no bio activity
- * @param {boolean} [opts.blockSoftwareRenderer=true] - reject software WebGL
- * @param {Function} [opts.checkNonce]               - async fn(nonce) → boolean
- *   Called to verify the nonce was issued by this server and not yet consumed.
- *   Should mark the nonce as consumed atomically (e.g. Redis SET NX with TTL).
- *   If omitted, nonce freshness is NOT checked (not recommended for production).
- *
+ * @param {number}  [opts.minJitterScore=0.55]
+ * @param {number}  [opts.maxAgeMs=300_000]
+ * @param {number}  [opts.clockSkewMs=30_000]
+ * @param {boolean} [opts.requireBio=false]
+ * @param {boolean} [opts.blockSoftwareRenderer=true]
+ * @param {Function} [opts.checkNonce]
  * @returns {Promise<ValidationResult>}
  */
 export async function validateProof(payload, receivedHash, opts = {}) {
@@ -96,12 +91,8 @@ export async function validateProof(payload, receivedHash, opts = {}) {
     return _reject(['INVALID_PAYLOAD_STRUCTURE']);
   }
 
-  // Prototype pollution guard — reject any payload with __proto__ / constructor tricks
-  if (
-    Object.prototype.hasOwnProperty.call(payload, '__proto__') ||
-    Object.prototype.hasOwnProperty.call(payload, 'constructor') ||
-    Object.prototype.hasOwnProperty.call(payload, 'prototype')
-  ) {
+  // Recursive prototype pollution guard — checks all nested objects
+  if (_checkProtoPollution(payload)) {
     return _reject(['PROTOTYPE_POLLUTION_ATTEMPT']);
   }
 
@@ -113,7 +104,7 @@ export async function validateProof(payload, receivedHash, opts = {}) {
     }
   }
 
-  // Type assertions on top-level scalars
+  // Type assertions
   if (typeof payload.version !== 'number')   return _reject(['INVALID_TYPE:version']);
   if (typeof payload.timestamp !== 'number') return _reject(['INVALID_TYPE:timestamp']);
   if (typeof payload.nonce !== 'string')     return _reject(['INVALID_TYPE:nonce']);
@@ -124,14 +115,8 @@ export async function validateProof(payload, receivedHash, opts = {}) {
     return _reject(['INVALID_TYPE:classification']);
   }
 
-  // Note: we deliberately do not enforce a strict nonce format here so that
-  // test fixtures can provide short placeholder nonces. The `checkNonce`
-  // function (if supplied) should perform any format validation it requires
-  // and return false for invalid or replayed nonces.
-
-  // Timestamp must be a plausible Unix ms value (> year 2020, < year 2100)
-  const TS_MIN = 1_577_836_800_000; // 2020-01-01
-  const TS_MAX = 4_102_444_800_000; // 2100-01-01
+  const TS_MIN = 1_577_836_800_000;
+  const TS_MAX = 4_102_444_800_000;
   if (payload.timestamp < TS_MIN || payload.timestamp > TS_MAX) {
     return _reject(['TIMESTAMP_OUT_OF_RANGE']);
   }
@@ -140,8 +125,7 @@ export async function validateProof(payload, receivedHash, opts = {}) {
     return _reject(['UNSUPPORTED_PROOF_VERSION']);
   }
 
-  // ── 1. Hash integrity ─────────────────────────────────────────────────────
-  // receivedHash must be exactly 64 lowercase hex characters
+  // ── 1. Hash integrity (timing-safe comparison) ────────────────────────────
   if (typeof receivedHash !== 'string' || !/^[0-9a-f]{64}$/.test(receivedHash)) {
     return _reject(['INVALID_HASH_FORMAT']);
   }
@@ -149,7 +133,13 @@ export async function validateProof(payload, receivedHash, opts = {}) {
   const enc       = new TextEncoder().encode(canonical);
   const computed  = bytesToHex(blake3(enc));
 
-  if (computed !== receivedHash) {
+  try {
+    const computedBuf  = Buffer.from(computed,     'hex');
+    const receivedBuf  = Buffer.from(receivedHash, 'hex');
+    if (computedBuf.length !== receivedBuf.length || !timingSafeEqual(computedBuf, receivedBuf)) {
+      return _reject(['HASH_MISMATCH_PAYLOAD_TAMPERED']);
+    }
+  } catch {
     return _reject(['HASH_MISMATCH_PAYLOAD_TAMPERED']);
   }
 
@@ -166,7 +156,9 @@ export async function validateProof(payload, receivedHash, opts = {}) {
   }
 
   // ── 3. Nonce freshness ────────────────────────────────────────────────────
+  let nonceChecked = false;
   if (checkNonce) {
+    nonceChecked = true;
     const nonceOk = await checkNonce(payload.nonce);
     if (!nonceOk) {
       valid = false;
@@ -183,23 +175,12 @@ export async function validateProof(payload, receivedHash, opts = {}) {
     reasons.push(`JITTER_SCORE_TOO_LOW: ${jitterScore} < ${minJitterScore}`);
   }
 
-  // ── 4b. Dynamic threshold (evidence-proportional gate) ──────────────────
-  // The server independently computes the minimum passing score based on how
-  // much evidence the proof contains.  The client's dynamicThreshold field is
-  // NEVER trusted — it is only used for logging/auditing.
-  //
-  // Logic: a proof with only 50 iterations and no bio/audio faces a higher bar
-  // (0.62) than a full 200-iteration proof with phased data (0.50).
-  // This makes replay attacks with minimal proofs automatically fail the gate.
+  // ── 4b. Dynamic threshold — server recomputes from raw signals, not client finalScore
   const serverDynamicMin = computeServerDynamicThreshold(payload);
-
-  // We check the FINAL client score (which includes stage-3 coherence adjustment)
-  // if it was included, otherwise fall back to the base jitterScore.
-  const finalClientScore = payload.classification?.finalScore ?? jitterScore;
-  if (finalClientScore < serverDynamicMin) {
+  if (jitterScore < serverDynamicMin) {
     valid = false;
     reasons.push(
-      `DYNAMIC_THRESHOLD_NOT_MET: score=${finalClientScore} < ` +
+      `DYNAMIC_THRESHOLD_NOT_MET: jitterScore=${jitterScore} < ` +
       `serverMin=${serverDynamicMin} (evidenceWeight=${
         _computeEvidenceWeight(payload).toFixed(3)
       })`
@@ -213,10 +194,7 @@ export async function validateProof(payload, receivedHash, opts = {}) {
     }
   }
 
-  // Hard override from the client heuristic engine (stage 2).
-  // EJR_PHASE_HARD_KILL fires when the stored entropyJitterRatio is mathematically
-  // inconsistent with the stored cold_QE / hot_QE values — proof of tampering.
-  // A legitimate SDK running on real hardware never triggers this.
+  // Hard override from heuristic engine (stage 2)
   if (payload.heuristic?.hardOverride === 'vm') {
     valid = false;
     reasons.push(
@@ -225,9 +203,7 @@ export async function validateProof(payload, receivedHash, opts = {}) {
     );
   }
 
-  // Hard override from the client coherence stage (stage 3).
-  // Second line of defence — catches the same contradiction via a different
-  // code path and also catches the phase-trajectory forgery variant.
+  // Hard override from coherence stage (stage 3)
   if (payload.coherence?.hardOverride === 'vm') {
     valid = false;
     reasons.push(
@@ -236,7 +212,7 @@ export async function validateProof(payload, receivedHash, opts = {}) {
     );
   }
 
-  // Surface all coherence flags for risk tracking / audit logs
+  // Surface all coherence flags for risk tracking
   for (const flag of (payload.heuristic?.coherenceFlags ?? [])) {
     riskFlags.push(`HEURISTIC:${flag}`);
   }
@@ -252,6 +228,7 @@ export async function validateProof(payload, receivedHash, opts = {}) {
       reasons.push(`SOFTWARE_RENDERER_DETECTED: ${canvas.webglRenderer}`);
     }
     const rendererLc = (canvas.webglRenderer ?? '').toLowerCase();
+    // Check substring patterns
     for (const pattern of VM_RENDERER_BLOCKLIST) {
       if (rendererLc.includes(pattern)) {
         valid = false;
@@ -260,6 +237,15 @@ export async function validateProof(payload, receivedHash, opts = {}) {
         break;
       }
     }
+    // Check regex patterns (e.g. ANGLE software)
+    for (const re of VM_RENDERER_REGEX) {
+      if (re.test(rendererLc)) {
+        valid = false;
+        reasons.push(`BLOCKLISTED_RENDERER: ${canvas.webglRenderer}`);
+        riskFlags.push('RENDERER_MATCH:angle_software');
+        break;
+      }
+    }
     if (!canvas.available) {
       riskFlags.push('CANVAS_UNAVAILABLE');
     }
@@ -275,7 +261,6 @@ export async function validateProof(payload, receivedHash, opts = {}) {
     if (bio.mouseSampleCount === 0 && bio.keyboardSampleCount === 0) {
       riskFlags.push('ZERO_BIO_SAMPLES');
     }
-    // Interference coefficient check: real human+hardware shows measurable correlation
     if (bio.interferenceCoefficient < -0.3) {
       riskFlags.push('NEGATIVE_INTERFERENCE_COEFFICIENT');
     }
@@ -284,19 +269,15 @@ export async function validateProof(payload, receivedHash, opts = {}) {
   // ── 7. Internal consistency checks ────────────────────────────────────────
   const entropy = payload.signals?.entropy;
   if (entropy) {
-    // CV and jitter score should be directionally consistent
     if (entropy.timingsCV < 0.01 && jitterScore > 0.7) {
       riskFlags.push('INCONSISTENCY:LOW_CV_BUT_HIGH_SCORE');
     }
-    // Timer granularity should not be exactly 0 (no real device has infinite resolution)
     if (entropy.timerGranularityMs === 0) {
       riskFlags.push('SUSPICIOUS_ZERO_TIMER_GRANULARITY');
     }
-    // Extreme thermal patterns inconsistent with score
     if (entropy.thermalPattern === 'flat' && jitterScore > 0.8) {
       riskFlags.push('INCONSISTENCY:FLAT_THERMAL_BUT_HIGH_SCORE');
     }
-    // Hurst exponent way out of range
     if (entropy.hurstExponent != null) {
       if (entropy.hurstExponent < 0.2 || entropy.hurstExponent > 0.85) {
         riskFlags.push(`EXTREME_HURST:${entropy.hurstExponent}`);
@@ -305,29 +286,11 @@ export async function validateProof(payload, receivedHash, opts = {}) {
   }
 
   // ── 7b. Cross-signal physics forgery detection ────────────────────────────
-  // BLAKE3 prevents tampering with a payload that was legitimately generated by
-  // the SDK. However, a determined attacker can:
-  //   1. Obtain a valid server nonce
-  //   2. Craft a fake payload with forged statistics
-  //   3. Compute BLAKE3(forgedPayload) themselves (BLAKE3 is public)
-  //   4. Submit { payload: forgedPayload, hash: selfComputedHash }
-  //
-  // These checks detect statistically impossible metric combinations that no
-  // real device would ever produce, catching crafted payloads even though the
-  // hash integrity check passes.
-  //
-  // All three thresholds are set conservatively: they only fire when the
-  // combination is physically IMPOSSIBLE, not just unlikely, to avoid false
-  // positives on unusual-but-legitimate hardware.
   if (entropy) {
     const cv   = entropy.timingsCV        ?? null;
     const qe   = entropy.quantizationEntropy ?? null;
     const lag1 = entropy.autocorr_lag1    ?? null;
 
-    // Impossibly flat CV + high physical score
-    // Real explanation: CV < 0.015 means timing jitter < 1.5% — hypervisor-flat.
-    // No real-silicon CPU running a WASM matrix multiply achieves this.
-    // A high jitterScore (> 0.65) is physically incompatible with CV < 0.015.
     if (cv !== null && cv < 0.015 && jitterScore > 0.65) {
       valid = false;
       reasons.push(
@@ -336,10 +299,6 @@ export async function validateProof(payload, receivedHash, opts = {}) {
       );
     }
 
-    // VM-grade autocorrelation + high physical score
-    // lag1 > 0.70 is a hypervisor scheduler rhythm — unambiguous VM signature.
-    // A device with that level of autocorrelation cannot score > 0.70 on the
-    // physical scale; the jitter classifier would have penalised it heavily.
     if (lag1 !== null && lag1 > 0.70 && jitterScore > 0.70) {
       valid = false;
       reasons.push(
@@ -348,10 +307,6 @@ export async function validateProof(payload, receivedHash, opts = {}) {
       );
     }
 
-    // VM-grade quantization entropy + high physical score
-    // QE < 2.0 means timings cluster on a small number of distinct values —
-    // the classic integer-millisecond quantisation of an emulated/virtual timer.
-    // A device producing QE < 2.0 cannot legitimately score > 0.65 as physical.
     if (qe !== null && qe < 2.0 && jitterScore > 0.65) {
       valid = false;
       reasons.push(
@@ -364,7 +319,6 @@ export async function validateProof(payload, receivedHash, opts = {}) {
   // ── 8. Audio signal check ─────────────────────────────────────────────────
   const audio = payload.signals?.audio;
   if (audio?.available) {
-    // Impossibly low jitter CV may indicate a synthetic audio driver
     if (audio.callbackJitterCV < 0.001) {
       riskFlags.push('AUDIO_JITTER_TOO_FLAT');
     }
@@ -374,6 +328,9 @@ export async function validateProof(payload, receivedHash, opts = {}) {
   let confidence;
   if (!valid) {
     confidence = 'rejected';
+  } else if (!nonceChecked) {
+    // Without nonce verification, confidence cannot be higher than 'low'
+    confidence = 'low';
   } else if (riskFlags.length === 0 && jitterScore >= 0.75) {
     confidence = 'high';
   } else if (riskFlags.length <= 2 && jitterScore >= 0.60) {
@@ -398,30 +355,13 @@ export async function validateProof(payload, receivedHash, opts = {}) {
   };
 }
 
-/**
- * @typedef {object} ValidationResult
- * @property {boolean}  valid
- * @property {number}   score
- * @property {'high'|'medium'|'low'|'rejected'} confidence
- * @property {string[]} reasons    - human-readable rejection reasons
- * @property {string[]} riskFlags  - non-blocking risk indicators
- * @property {object}   meta
- */
+/** @typedef {object} ValidationResult */
 
 // ---------------------------------------------------------------------------
-// generateNonce  (convenience helper for the server challenge flow)
+// generateNonce
 // ---------------------------------------------------------------------------
 
-/**
- * Generate a cryptographically random 32-byte nonce for the server challenge.
- * The server should store this nonce with a TTL before issuing it to the client.
- *
- * @returns {string}  hex nonce
- */
 export function generateNonce() {
-  // Synchronous nonce generator for server-side use and tests.
-  // Prefer global crypto.getRandomValues when available; otherwise use
-  // Node's `randomFillSync` which is synchronous and available in Node.
   let buf;
   if (typeof globalThis.crypto?.getRandomValues === 'function') {
     buf = new Uint8Array(32);