@vorionsys/cognigate 1.0.0 → 1.0.2

package/dist/chunk-OIPPFRDP.js

@@ -0,0 +1,35 @@
+// src/proof-bridge.ts
+function createProofBridge(config) {
+  const { proofPlane, webhookRouter } = config;
+  let connected = true;
+  const handler = async (event) => {
+    if (!connected) return;
+    const payload = event.payload;
+    const now = /* @__PURE__ */ new Date();
+    const decision = {
+      decisionId: payload.decisionId ?? event.id,
+      intentId: payload.intentId ?? "",
+      agentId: payload.agentId ?? event.entityId,
+      correlationId: payload.correlationId ?? event.id,
+      permitted: payload.permitted ?? payload.decision === "ALLOW",
+      trustBand: payload.trustBand ?? 4,
+      trustScore: payload.trustScore ?? 0,
+      reasoning: Array.isArray(payload.reasoning) ? payload.reasoning : typeof payload.reasoning === "string" ? [payload.reasoning] : [],
+      decidedAt: payload.decidedAt ? new Date(payload.decidedAt) : now,
+      expiresAt: payload.expiresAt ? new Date(payload.expiresAt) : new Date(now.getTime() + 24 * 60 * 60 * 1e3),
+      latencyMs: payload.latencyMs ?? 0,
+      version: payload.version ?? 1
+    };
+    await proofPlane.logDecisionMade(decision, decision.correlationId);
+  };
+  webhookRouter.on("governance.decision", handler);
+  return {
+    disconnect: () => {
+      connected = false;
+    }
+  };
+}
+
+export {
+  createProofBridge
+};

package/dist/index.cjs

@@ -25,10 +25,12 @@ __export(index_exports, {
   CognigateError: () => CognigateError,
   GovernanceResultSchema: () => GovernanceResultSchema,
   ProofRecordSchema: () => ProofRecordSchema,
-  TIER_THRESHOLDS: () => TIER_THRESHOLDS,
+  TIER_THRESHOLDS: () => import_shared_constants.TIER_THRESHOLDS,
   TrustStatusSchema: () => TrustStatusSchema,
-  TrustTier: () => TrustTier,
+  TrustTier: () => import_shared_constants.TrustTier,
   WebhookRouter: () => WebhookRouter,
+  WorkerSandbox: () => WorkerSandbox,
+  createProofBridge: () => createProofBridge,
   parseWebhookPayload: () => parseWebhookPayload,
   verifyWebhookSignature: () => verifyWebhookSignature,
   z: () => import_zod2.z
@@ -37,31 +39,11 @@ module.exports = __toCommonJS(index_exports);
 
 // src/types.ts
 var import_zod = require("zod");
-var TrustTier = /* @__PURE__ */ ((TrustTier2) => {
-  TrustTier2[TrustTier2["T0_SANDBOX"] = 0] = "T0_SANDBOX";
-  TrustTier2[TrustTier2["T1_OBSERVED"] = 1] = "T1_OBSERVED";
-  TrustTier2[TrustTier2["T2_PROVISIONAL"] = 2] = "T2_PROVISIONAL";
-  TrustTier2[TrustTier2["T3_VERIFIED"] = 3] = "T3_VERIFIED";
-  TrustTier2[TrustTier2["T4_OPERATIONAL"] = 4] = "T4_OPERATIONAL";
-  TrustTier2[TrustTier2["T5_TRUSTED"] = 5] = "T5_TRUSTED";
-  TrustTier2[TrustTier2["T6_CERTIFIED"] = 6] = "T6_CERTIFIED";
-  TrustTier2[TrustTier2["T7_AUTONOMOUS"] = 7] = "T7_AUTONOMOUS";
-  return TrustTier2;
-})(TrustTier || {});
-var TIER_THRESHOLDS = {
-  [0 /* T0_SANDBOX */]: { min: 0, max: 199, name: "Sandbox" },
-  [1 /* T1_OBSERVED */]: { min: 200, max: 349, name: "Observed" },
-  [2 /* T2_PROVISIONAL */]: { min: 350, max: 499, name: "Provisional" },
-  [3 /* T3_VERIFIED */]: { min: 500, max: 649, name: "Verified" },
-  [4 /* T4_OPERATIONAL */]: { min: 650, max: 799, name: "Operational" },
-  [5 /* T5_TRUSTED */]: { min: 800, max: 875, name: "Trusted" },
-  [6 /* T6_CERTIFIED */]: { min: 876, max: 949, name: "Certified" },
-  [7 /* T7_AUTONOMOUS */]: { min: 950, max: 1e3, name: "Autonomous" }
-};
+var import_shared_constants = require("@vorionsys/shared-constants");
 var TrustStatusSchema = import_zod.z.object({
   entityId: import_zod.z.string(),
   trustScore: import_zod.z.number().min(0).max(1e3),
-  trustTier: import_zod.z.nativeEnum(TrustTier),
+  trustTier: import_zod.z.nativeEnum(import_shared_constants.TrustTier),
   tierName: import_zod.z.string(),
   capabilities: import_zod.z.array(import_zod.z.string()),
   factorScores: import_zod.z.record(import_zod.z.string(), import_zod.z.number()),
@@ -72,7 +54,7 @@ var TrustStatusSchema = import_zod.z.object({
 var GovernanceResultSchema = import_zod.z.object({
   decision: import_zod.z.enum(["ALLOW", "DENY", "ESCALATE", "DEGRADE"]),
   trustScore: import_zod.z.number(),
-  trustTier: import_zod.z.nativeEnum(TrustTier),
+  trustTier: import_zod.z.nativeEnum(import_shared_constants.TrustTier),
   grantedCapabilities: import_zod.z.array(import_zod.z.string()),
   deniedCapabilities: import_zod.z.array(import_zod.z.string()),
   reasoning: import_zod.z.string(),
@@ -100,7 +82,7 @@ var AgentSchema = import_zod.z.object({
   description: import_zod.z.string(),
   ownerId: import_zod.z.string(),
   trustScore: import_zod.z.number(),
-  trustTier: import_zod.z.nativeEnum(TrustTier),
+  trustTier: import_zod.z.nativeEnum(import_shared_constants.TrustTier),
   status: import_zod.z.enum(["ACTIVE", "PAUSED", "SUSPENDED", "TERMINATED"]),
   capabilities: import_zod.z.array(import_zod.z.string()),
   executions: import_zod.z.number(),
@@ -206,26 +188,26 @@ var Cognigate = class {
    * Get tier from trust score
    */
   static getTierFromScore(score) {
-    if (score >= 950) return 7 /* T7_AUTONOMOUS */;
-    if (score >= 876) return 6 /* T6_CERTIFIED */;
-    if (score >= 800) return 5 /* T5_TRUSTED */;
-    if (score >= 650) return 4 /* T4_OPERATIONAL */;
-    if (score >= 500) return 3 /* T3_VERIFIED */;
-    if (score >= 350) return 2 /* T2_PROVISIONAL */;
-    if (score >= 200) return 1 /* T1_OBSERVED */;
-    return 0 /* T0_SANDBOX */;
+    if (score >= 951) return import_shared_constants.TrustTier.T7_AUTONOMOUS;
+    if (score >= 876) return import_shared_constants.TrustTier.T6_CERTIFIED;
+    if (score >= 800) return import_shared_constants.TrustTier.T5_TRUSTED;
+    if (score >= 650) return import_shared_constants.TrustTier.T4_STANDARD;
+    if (score >= 500) return import_shared_constants.TrustTier.T3_MONITORED;
+    if (score >= 350) return import_shared_constants.TrustTier.T2_PROVISIONAL;
+    if (score >= 200) return import_shared_constants.TrustTier.T1_OBSERVED;
+    return import_shared_constants.TrustTier.T0_SANDBOX;
   }
   /**
    * Get tier name
    */
   static getTierName(tier) {
-    return TIER_THRESHOLDS[tier].name;
+    return import_shared_constants.TIER_THRESHOLDS[tier].name;
   }
   /**
    * Get tier thresholds
    */
   static getTierThresholds(tier) {
-    return TIER_THRESHOLDS[tier];
+    return import_shared_constants.TIER_THRESHOLDS[tier];
   }
 };
 var AgentsClient = class {
@@ -418,21 +400,18 @@ async function verifyWebhookSignature(payload, signature, secret) {
   const expectedSignature = bufferToHex(signatureBuffer);
   return timingSafeEqual(signature, expectedSignature);
 }
-function parseWebhookPayload(body, signature, secret) {
-  return new Promise(async (resolve, reject) => {
-    const isValid = await verifyWebhookSignature(body, signature, secret);
-    if (!isValid) {
-      reject(new Error("Invalid webhook signature"));
-      return;
-    }
-    try {
-      const event = JSON.parse(body);
-      event.timestamp = new Date(event.timestamp);
-      resolve(event);
-    } catch (error) {
-      reject(new Error("Invalid webhook payload"));
-    }
-  });
+async function parseWebhookPayload(body, signature, secret) {
+  const isValid = await verifyWebhookSignature(body, signature, secret);
+  if (!isValid) {
+    throw new Error("Invalid webhook signature");
+  }
+  try {
+    const event = JSON.parse(body);
+    event.timestamp = new Date(event.timestamp);
+    return event;
+  } catch {
+    throw new Error("Invalid webhook payload");
+  }
 }
 var WebhookRouter = class {
   handlers = /* @__PURE__ */ new Map();
@@ -469,15 +448,15 @@ var WebhookRouter = class {
    * Create an Express/Connect compatible middleware
    */
   middleware(secret) {
-    return async (req, res, _next) => {
+    return async (req, res) => {
       try {
         const signature = req.headers["x-cognigate-signature"];
         const body = typeof req.body === "string" ? req.body : JSON.stringify(req.body);
         const event = await parseWebhookPayload(body, signature, secret);
         await this.handle(event);
         res.status(200).json({ received: true });
-      } catch (error) {
-        res.status(400).json({ error: error.message });
+      } catch (err) {
+        res.status(400).json({ error: err.message });
       }
     };
   }
@@ -496,6 +475,281 @@ function timingSafeEqual(a, b) {
   return result === 0;
 }
 
+// src/proof-bridge.ts
+function createProofBridge(config) {
+  const { proofPlane, webhookRouter } = config;
+  let connected = true;
+  const handler = async (event) => {
+    if (!connected) return;
+    const payload = event.payload;
+    const now = /* @__PURE__ */ new Date();
+    const decision = {
+      decisionId: payload.decisionId ?? event.id,
+      intentId: payload.intentId ?? "",
+      agentId: payload.agentId ?? event.entityId,
+      correlationId: payload.correlationId ?? event.id,
+      permitted: payload.permitted ?? payload.decision === "ALLOW",
+      trustBand: payload.trustBand ?? 4,
+      trustScore: payload.trustScore ?? 0,
+      reasoning: Array.isArray(payload.reasoning) ? payload.reasoning : typeof payload.reasoning === "string" ? [payload.reasoning] : [],
+      decidedAt: payload.decidedAt ? new Date(payload.decidedAt) : now,
+      expiresAt: payload.expiresAt ? new Date(payload.expiresAt) : new Date(now.getTime() + 24 * 60 * 60 * 1e3),
+      latencyMs: payload.latencyMs ?? 0,
+      version: payload.version ?? 1
+    };
+    await proofPlane.logDecisionMade(decision, decision.correlationId);
+  };
+  webhookRouter.on("governance.decision", handler);
+  return {
+    disconnect: () => {
+      connected = false;
+    }
+  };
+}
+
+// src/sandbox/worker-sandbox.ts
+var import_node_worker_threads = require("worker_threads");
+var DEFAULT_TIMEOUT2 = 3e4;
+var DEFAULT_MEMORY_LIMIT_MB = 64;
+var WORKER_SCRIPT = `
+  const { parentPort, workerData } = require('node:worker_threads');
+  const vm = require('node:vm');
+
+  const { code, context } = workerData;
+  const startTime = performance.now();
+  const memBefore = process.memoryUsage().heapUsed;
+
+  // Build restricted globals for the vm context
+  const safeGlobals = {
+    console: {
+      log: function() {},
+      warn: function() {},
+      error: function() {},
+      info: function() {},
+    },
+    JSON: JSON,
+    Math: Math,
+    Date: Date,
+    Array: Array,
+    Object: Object,
+    String: String,
+    Number: Number,
+    Boolean: Boolean,
+    Map: Map,
+    Set: Set,
+    WeakMap: WeakMap,
+    WeakSet: WeakSet,
+    Promise: Promise,
+    Symbol: Symbol,
+    RegExp: RegExp,
+    Error: Error,
+    TypeError: TypeError,
+    RangeError: RangeError,
+    SyntaxError: SyntaxError,
+    URIError: URIError,
+    parseInt: parseInt,
+    parseFloat: parseFloat,
+    isNaN: isNaN,
+    isFinite: isFinite,
+    encodeURIComponent: encodeURIComponent,
+    decodeURIComponent: decodeURIComponent,
+    encodeURI: encodeURI,
+    decodeURI: decodeURI,
+    undefined: undefined,
+    NaN: NaN,
+    Infinity: Infinity,
+    setTimeout: function(fn, ms) { return setTimeout(fn, Math.min(ms, 5000)); },
+    clearTimeout: clearTimeout,
+  };
+
+  const vmContext = vm.createContext(safeGlobals);
+
+  // Wrap code in an async IIFE to support await and return
+  const wrappedCode = '(async () => { ' + code + ' })()';
+
+  async function run() {
+    try {
+      const script = new vm.Script(wrappedCode, {
+        filename: 'sandbox-' + context.agentId + '.js',
+      });
+
+      const result = await script.runInContext(vmContext, {
+        timeout: context.timeout,
+      });
+
+      const durationMs = performance.now() - startTime;
+      const memAfter = process.memoryUsage().heapUsed;
+
+      parentPort.postMessage({
+        type: 'result',
+        output: result,
+        durationMs: durationMs,
+        memoryUsedBytes: Math.max(0, memAfter - memBefore),
+      });
+    } catch (err) {
+      const durationMs = performance.now() - startTime;
+      const memAfter = process.memoryUsage().heapUsed;
+
+      parentPort.postMessage({
+        type: 'error',
+        error: err && err.message ? err.message : String(err),
+        durationMs: durationMs,
+        memoryUsedBytes: Math.max(0, memAfter - memBefore),
+      });
+    }
+  }
+
+  run();
+`;
+var WorkerSandbox = class {
+  worker = null;
+  isShutdown = false;
+  /**
+   * Execute code in an isolated worker thread.
+   *
+   * Spawns a new worker for each execution to ensure full isolation.
+   * The worker has memory limits enforced by V8 via `resourceLimits`,
+   * a vm-level timeout for synchronous code, and a main-thread timeout
+   * as a fallback for async code or hangs.
+   *
+   * @param code - JavaScript code string to execute inside the sandbox.
+   *   The code is wrapped in an async IIFE, so `return` and `await` are valid.
+   * @param context - Execution context with identity and resource constraints
+   * @returns Promise resolving to a SandboxResult
+   */
+  async execute(code, context) {
+    if (this.isShutdown) {
+      return {
+        success: false,
+        output: void 0,
+        error: "Sandbox has been shut down",
+        durationMs: 0,
+        memoryUsedBytes: 0
+      };
+    }
+    const timeout = context.timeout || DEFAULT_TIMEOUT2;
+    const memoryLimitMb = context.memoryLimitMb || DEFAULT_MEMORY_LIMIT_MB;
+    const startTime = performance.now();
+    return new Promise((resolve) => {
+      let settled = false;
+      let timeoutId = null;
+      const settle = (result) => {
+        if (settled) return;
+        settled = true;
+        if (timeoutId) {
+          clearTimeout(timeoutId);
+          timeoutId = null;
+        }
+        resolve(result);
+      };
+      try {
+        const worker = new import_node_worker_threads.Worker(WORKER_SCRIPT, {
+          eval: true,
+          workerData: {
+            code,
+            context: {
+              tenantId: context.tenantId,
+              agentId: context.agentId,
+              trustLevel: context.trustLevel ?? 0,
+              allowedModules: context.allowedModules ?? [],
+              timeout,
+              memoryLimitMb
+            }
+          },
+          resourceLimits: {
+            maxOldGenerationSizeMb: memoryLimitMb,
+            maxYoungGenerationSizeMb: Math.max(1, Math.floor(memoryLimitMb / 4)),
+            codeRangeSizeMb: Math.max(1, Math.floor(memoryLimitMb / 8))
+          }
+        });
+        this.worker = worker;
+        timeoutId = setTimeout(() => {
+          const durationMs = performance.now() - startTime;
+          worker.terminate().catch(() => {
+          });
+          settle({
+            success: false,
+            output: void 0,
+            error: `Execution timed out after ${timeout}ms`,
+            durationMs,
+            memoryUsedBytes: 0
+          });
+        }, timeout + 500);
+        worker.on("message", (message) => {
+          if (message.type === "result") {
+            settle({
+              success: true,
+              output: message.output,
+              durationMs: message.durationMs,
+              memoryUsedBytes: message.memoryUsedBytes
+            });
+          } else if (message.type === "error") {
+            settle({
+              success: false,
+              output: void 0,
+              error: message.error,
+              durationMs: message.durationMs,
+              memoryUsedBytes: message.memoryUsedBytes
+            });
+          }
+          worker.terminate().catch(() => {
+          });
+        });
+        worker.on("error", (error) => {
+          const durationMs = performance.now() - startTime;
+          settle({
+            success: false,
+            output: void 0,
+            error: error.message || "Worker error",
+            durationMs,
+            memoryUsedBytes: 0
+          });
+        });
+        worker.on("exit", (exitCode) => {
+          if (exitCode !== 0) {
+            const durationMs = performance.now() - startTime;
+            settle({
+              success: false,
+              output: void 0,
+              error: `Worker exited with code ${exitCode} (possible memory limit exceeded)`,
+              durationMs,
+              memoryUsedBytes: 0
+            });
+          }
+          this.worker = null;
+        });
+      } catch (err) {
+        const durationMs = performance.now() - startTime;
+        const errorMessage = err instanceof Error ? err.message : String(err);
+        settle({
+          success: false,
+          output: void 0,
+          error: `Failed to spawn worker: ${errorMessage}`,
+          durationMs,
+          memoryUsedBytes: 0
+        });
+      }
+    });
+  }
+  /**
+   * Gracefully shut down the sandbox.
+   * Terminates any running worker and prevents future executions.
+   */
+  async shutdown() {
+    this.isShutdown = true;
+    if (this.worker) {
+      await this.worker.terminate();
+      this.worker = null;
+    }
+  }
+  /**
+   * Check whether the sandbox has been shut down.
+   */
+  get terminated() {
+    return this.isShutdown;
+  }
+};
+
 // src/index.ts
 var import_zod2 = require("zod");
 // Annotate the CommonJS export names for ESM import in node:
@@ -509,6 +763,8 @@ var import_zod2 = require("zod");
   TrustStatusSchema,
   TrustTier,
   WebhookRouter,
+  WorkerSandbox,
+  createProofBridge,
   parseWebhookPayload,
   verifyWebhookSignature,
   z