@vorionsys/cognigate 1.0.0 → 1.0.2

package/dist/index.js

@@ -1,26 +1,16 @@
+import {
+  createProofBridge
+} from "./chunk-OIPPFRDP.js";
+
 // src/types.ts
 import { z } from "zod";
-var TrustTier = /* @__PURE__ */ ((TrustTier2) => {
-  TrustTier2[TrustTier2["T0_SANDBOX"] = 0] = "T0_SANDBOX";
-  TrustTier2[TrustTier2["T1_OBSERVED"] = 1] = "T1_OBSERVED";
-  TrustTier2[TrustTier2["T2_PROVISIONAL"] = 2] = "T2_PROVISIONAL";
-  TrustTier2[TrustTier2["T3_VERIFIED"] = 3] = "T3_VERIFIED";
-  TrustTier2[TrustTier2["T4_OPERATIONAL"] = 4] = "T4_OPERATIONAL";
-  TrustTier2[TrustTier2["T5_TRUSTED"] = 5] = "T5_TRUSTED";
-  TrustTier2[TrustTier2["T6_CERTIFIED"] = 6] = "T6_CERTIFIED";
-  TrustTier2[TrustTier2["T7_AUTONOMOUS"] = 7] = "T7_AUTONOMOUS";
-  return TrustTier2;
-})(TrustTier || {});
-var TIER_THRESHOLDS = {
-  [0 /* T0_SANDBOX */]: { min: 0, max: 199, name: "Sandbox" },
-  [1 /* T1_OBSERVED */]: { min: 200, max: 349, name: "Observed" },
-  [2 /* T2_PROVISIONAL */]: { min: 350, max: 499, name: "Provisional" },
-  [3 /* T3_VERIFIED */]: { min: 500, max: 649, name: "Verified" },
-  [4 /* T4_OPERATIONAL */]: { min: 650, max: 799, name: "Operational" },
-  [5 /* T5_TRUSTED */]: { min: 800, max: 875, name: "Trusted" },
-  [6 /* T6_CERTIFIED */]: { min: 876, max: 949, name: "Certified" },
-  [7 /* T7_AUTONOMOUS */]: { min: 950, max: 1e3, name: "Autonomous" }
-};
+import {
+  TrustTier,
+  TIER_THRESHOLDS,
+  scoreToTier,
+  getTierName,
+  getTierColor
+} from "@vorionsys/shared-constants";
 var TrustStatusSchema = z.object({
   entityId: z.string(),
   trustScore: z.number().min(0).max(1e3),
@@ -169,14 +159,14 @@ var Cognigate = class {
    * Get tier from trust score
    */
   static getTierFromScore(score) {
-    if (score >= 950) return 7 /* T7_AUTONOMOUS */;
-    if (score >= 876) return 6 /* T6_CERTIFIED */;
-    if (score >= 800) return 5 /* T5_TRUSTED */;
-    if (score >= 650) return 4 /* T4_OPERATIONAL */;
-    if (score >= 500) return 3 /* T3_VERIFIED */;
-    if (score >= 350) return 2 /* T2_PROVISIONAL */;
-    if (score >= 200) return 1 /* T1_OBSERVED */;
-    return 0 /* T0_SANDBOX */;
+    if (score >= 951) return TrustTier.T7_AUTONOMOUS;
+    if (score >= 876) return TrustTier.T6_CERTIFIED;
+    if (score >= 800) return TrustTier.T5_TRUSTED;
+    if (score >= 650) return TrustTier.T4_STANDARD;
+    if (score >= 500) return TrustTier.T3_MONITORED;
+    if (score >= 350) return TrustTier.T2_PROVISIONAL;
+    if (score >= 200) return TrustTier.T1_OBSERVED;
+    return TrustTier.T0_SANDBOX;
   }
   /**
    * Get tier name
@@ -381,21 +371,18 @@ async function verifyWebhookSignature(payload, signature, secret) {
   const expectedSignature = bufferToHex(signatureBuffer);
   return timingSafeEqual(signature, expectedSignature);
 }
-function parseWebhookPayload(body, signature, secret) {
-  return new Promise(async (resolve, reject) => {
-    const isValid = await verifyWebhookSignature(body, signature, secret);
-    if (!isValid) {
-      reject(new Error("Invalid webhook signature"));
-      return;
-    }
-    try {
-      const event = JSON.parse(body);
-      event.timestamp = new Date(event.timestamp);
-      resolve(event);
-    } catch (error) {
-      reject(new Error("Invalid webhook payload"));
-    }
-  });
+async function parseWebhookPayload(body, signature, secret) {
+  const isValid = await verifyWebhookSignature(body, signature, secret);
+  if (!isValid) {
+    throw new Error("Invalid webhook signature");
+  }
+  try {
+    const event = JSON.parse(body);
+    event.timestamp = new Date(event.timestamp);
+    return event;
+  } catch {
+    throw new Error("Invalid webhook payload");
+  }
 }
 var WebhookRouter = class {
   handlers = /* @__PURE__ */ new Map();
@@ -432,15 +419,15 @@ var WebhookRouter = class {
    * Create an Express/Connect compatible middleware
    */
   middleware(secret) {
-    return async (req, res, _next) => {
+    return async (req, res) => {
       try {
         const signature = req.headers["x-cognigate-signature"];
         const body = typeof req.body === "string" ? req.body : JSON.stringify(req.body);
         const event = await parseWebhookPayload(body, signature, secret);
         await this.handle(event);
         res.status(200).json({ received: true });
-      } catch (error) {
-        res.status(400).json({ error: error.message });
+      } catch (err) {
+        res.status(400).json({ error: err.message });
       }
     };
   }
@@ -459,6 +446,249 @@ function timingSafeEqual(a, b) {
   return result === 0;
 }
 
+// src/sandbox/worker-sandbox.ts
+import { Worker } from "worker_threads";
+var DEFAULT_TIMEOUT2 = 3e4;
+var DEFAULT_MEMORY_LIMIT_MB = 64;
+var WORKER_SCRIPT = `
+  const { parentPort, workerData } = require('node:worker_threads');
+  const vm = require('node:vm');
+
+  const { code, context } = workerData;
+  const startTime = performance.now();
+  const memBefore = process.memoryUsage().heapUsed;
+
+  // Build restricted globals for the vm context
+  const safeGlobals = {
+    console: {
+      log: function() {},
+      warn: function() {},
+      error: function() {},
+      info: function() {},
+    },
+    JSON: JSON,
+    Math: Math,
+    Date: Date,
+    Array: Array,
+    Object: Object,
+    String: String,
+    Number: Number,
+    Boolean: Boolean,
+    Map: Map,
+    Set: Set,
+    WeakMap: WeakMap,
+    WeakSet: WeakSet,
+    Promise: Promise,
+    Symbol: Symbol,
+    RegExp: RegExp,
+    Error: Error,
+    TypeError: TypeError,
+    RangeError: RangeError,
+    SyntaxError: SyntaxError,
+    URIError: URIError,
+    parseInt: parseInt,
+    parseFloat: parseFloat,
+    isNaN: isNaN,
+    isFinite: isFinite,
+    encodeURIComponent: encodeURIComponent,
+    decodeURIComponent: decodeURIComponent,
+    encodeURI: encodeURI,
+    decodeURI: decodeURI,
+    undefined: undefined,
+    NaN: NaN,
+    Infinity: Infinity,
+    setTimeout: function(fn, ms) { return setTimeout(fn, Math.min(ms, 5000)); },
+    clearTimeout: clearTimeout,
+  };
+
+  const vmContext = vm.createContext(safeGlobals);
+
+  // Wrap code in an async IIFE to support await and return
+  const wrappedCode = '(async () => { ' + code + ' })()';
+
+  async function run() {
+    try {
+      const script = new vm.Script(wrappedCode, {
+        filename: 'sandbox-' + context.agentId + '.js',
+      });
+
+      const result = await script.runInContext(vmContext, {
+        timeout: context.timeout,
+      });
+
+      const durationMs = performance.now() - startTime;
+      const memAfter = process.memoryUsage().heapUsed;
+
+      parentPort.postMessage({
+        type: 'result',
+        output: result,
+        durationMs: durationMs,
+        memoryUsedBytes: Math.max(0, memAfter - memBefore),
+      });
+    } catch (err) {
+      const durationMs = performance.now() - startTime;
+      const memAfter = process.memoryUsage().heapUsed;
+
+      parentPort.postMessage({
+        type: 'error',
+        error: err && err.message ? err.message : String(err),
+        durationMs: durationMs,
+        memoryUsedBytes: Math.max(0, memAfter - memBefore),
+      });
+    }
+  }
+
+  run();
+`;
+var WorkerSandbox = class {
+  worker = null;
+  isShutdown = false;
+  /**
+   * Execute code in an isolated worker thread.
+   *
+   * Spawns a new worker for each execution to ensure full isolation.
+   * The worker has memory limits enforced by V8 via `resourceLimits`,
+   * a vm-level timeout for synchronous code, and a main-thread timeout
+   * as a fallback for async code or hangs.
+   *
+   * @param code - JavaScript code string to execute inside the sandbox.
+   *   The code is wrapped in an async IIFE, so `return` and `await` are valid.
+   * @param context - Execution context with identity and resource constraints
+   * @returns Promise resolving to a SandboxResult
+   */
+  async execute(code, context) {
+    if (this.isShutdown) {
+      return {
+        success: false,
+        output: void 0,
+        error: "Sandbox has been shut down",
+        durationMs: 0,
+        memoryUsedBytes: 0
+      };
+    }
+    const timeout = context.timeout || DEFAULT_TIMEOUT2;
+    const memoryLimitMb = context.memoryLimitMb || DEFAULT_MEMORY_LIMIT_MB;
+    const startTime = performance.now();
+    return new Promise((resolve) => {
+      let settled = false;
+      let timeoutId = null;
+      const settle = (result) => {
+        if (settled) return;
+        settled = true;
+        if (timeoutId) {
+          clearTimeout(timeoutId);
+          timeoutId = null;
+        }
+        resolve(result);
+      };
+      try {
+        const worker = new Worker(WORKER_SCRIPT, {
+          eval: true,
+          workerData: {
+            code,
+            context: {
+              tenantId: context.tenantId,
+              agentId: context.agentId,
+              trustLevel: context.trustLevel ?? 0,
+              allowedModules: context.allowedModules ?? [],
+              timeout,
+              memoryLimitMb
+            }
+          },
+          resourceLimits: {
+            maxOldGenerationSizeMb: memoryLimitMb,
+            maxYoungGenerationSizeMb: Math.max(1, Math.floor(memoryLimitMb / 4)),
+            codeRangeSizeMb: Math.max(1, Math.floor(memoryLimitMb / 8))
+          }
+        });
+        this.worker = worker;
+        timeoutId = setTimeout(() => {
+          const durationMs = performance.now() - startTime;
+          worker.terminate().catch(() => {
+          });
+          settle({
+            success: false,
+            output: void 0,
+            error: `Execution timed out after ${timeout}ms`,
+            durationMs,
+            memoryUsedBytes: 0
+          });
+        }, timeout + 500);
+        worker.on("message", (message) => {
+          if (message.type === "result") {
+            settle({
+              success: true,
+              output: message.output,
+              durationMs: message.durationMs,
+              memoryUsedBytes: message.memoryUsedBytes
+            });
+          } else if (message.type === "error") {
+            settle({
+              success: false,
+              output: void 0,
+              error: message.error,
+              durationMs: message.durationMs,
+              memoryUsedBytes: message.memoryUsedBytes
+            });
+          }
+          worker.terminate().catch(() => {
+          });
+        });
+        worker.on("error", (error) => {
+          const durationMs = performance.now() - startTime;
+          settle({
+            success: false,
+            output: void 0,
+            error: error.message || "Worker error",
+            durationMs,
+            memoryUsedBytes: 0
+          });
+        });
+        worker.on("exit", (exitCode) => {
+          if (exitCode !== 0) {
+            const durationMs = performance.now() - startTime;
+            settle({
+              success: false,
+              output: void 0,
+              error: `Worker exited with code ${exitCode} (possible memory limit exceeded)`,
+              durationMs,
+              memoryUsedBytes: 0
+            });
+          }
+          this.worker = null;
+        });
+      } catch (err) {
+        const durationMs = performance.now() - startTime;
+        const errorMessage = err instanceof Error ? err.message : String(err);
+        settle({
+          success: false,
+          output: void 0,
+          error: `Failed to spawn worker: ${errorMessage}`,
+          durationMs,
+          memoryUsedBytes: 0
+        });
+      }
+    });
+  }
+  /**
+   * Gracefully shut down the sandbox.
+   * Terminates any running worker and prevents future executions.
+   */
+  async shutdown() {
+    this.isShutdown = true;
+    if (this.worker) {
+      await this.worker.terminate();
+      this.worker = null;
+    }
+  }
+  /**
+   * Check whether the sandbox has been shut down.
+   */
+  get terminated() {
+    return this.isShutdown;
+  }
+};
+
 // src/index.ts
 import { z as z2 } from "zod";
 export {
@@ -471,6 +701,8 @@ export {
   TrustStatusSchema,
   TrustTier,
   WebhookRouter,
+  WorkerSandbox,
+  createProofBridge,
   parseWebhookPayload,
   verifyWebhookSignature,
   z2 as z