@vorionsys/cognigate 1.0.1 → 1.0.2

package/dist/index.js

@@ -1,3 +1,7 @@
+import {
+  createProofBridge
+} from "./chunk-OIPPFRDP.js";
+
 // src/types.ts
 import { z } from "zod";
 import {
@@ -159,7 +163,7 @@ var Cognigate = class {
     if (score >= 876) return TrustTier.T6_CERTIFIED;
     if (score >= 800) return TrustTier.T5_TRUSTED;
     if (score >= 650) return TrustTier.T4_STANDARD;
-    if (score >= 501) return TrustTier.T3_MONITORED;
+    if (score >= 500) return TrustTier.T3_MONITORED;
     if (score >= 350) return TrustTier.T2_PROVISIONAL;
     if (score >= 200) return TrustTier.T1_OBSERVED;
     return TrustTier.T0_SANDBOX;
@@ -442,6 +446,249 @@ function timingSafeEqual(a, b) {
   return result === 0;
 }
 
+// src/sandbox/worker-sandbox.ts
+import { Worker } from "worker_threads";
+var DEFAULT_TIMEOUT2 = 3e4;
+var DEFAULT_MEMORY_LIMIT_MB = 64;
+var WORKER_SCRIPT = `
+  const { parentPort, workerData } = require('node:worker_threads');
+  const vm = require('node:vm');
+
+  const { code, context } = workerData;
+  const startTime = performance.now();
+  const memBefore = process.memoryUsage().heapUsed;
+
+  // Build restricted globals for the vm context
+  const safeGlobals = {
+    console: {
+      log: function() {},
+      warn: function() {},
+      error: function() {},
+      info: function() {},
+    },
+    JSON: JSON,
+    Math: Math,
+    Date: Date,
+    Array: Array,
+    Object: Object,
+    String: String,
+    Number: Number,
+    Boolean: Boolean,
+    Map: Map,
+    Set: Set,
+    WeakMap: WeakMap,
+    WeakSet: WeakSet,
+    Promise: Promise,
+    Symbol: Symbol,
+    RegExp: RegExp,
+    Error: Error,
+    TypeError: TypeError,
+    RangeError: RangeError,
+    SyntaxError: SyntaxError,
+    URIError: URIError,
+    parseInt: parseInt,
+    parseFloat: parseFloat,
+    isNaN: isNaN,
+    isFinite: isFinite,
+    encodeURIComponent: encodeURIComponent,
+    decodeURIComponent: decodeURIComponent,
+    encodeURI: encodeURI,
+    decodeURI: decodeURI,
+    undefined: undefined,
+    NaN: NaN,
+    Infinity: Infinity,
+    setTimeout: function(fn, ms) { return setTimeout(fn, Math.min(ms, 5000)); },
+    clearTimeout: clearTimeout,
+  };
+
+  const vmContext = vm.createContext(safeGlobals);
+
+  // Wrap code in an async IIFE to support await and return
+  const wrappedCode = '(async () => { ' + code + ' })()';
+
+  async function run() {
+    try {
+      const script = new vm.Script(wrappedCode, {
+        filename: 'sandbox-' + context.agentId + '.js',
+      });
+
+      const result = await script.runInContext(vmContext, {
+        timeout: context.timeout,
+      });
+
+      const durationMs = performance.now() - startTime;
+      const memAfter = process.memoryUsage().heapUsed;
+
+      parentPort.postMessage({
+        type: 'result',
+        output: result,
+        durationMs: durationMs,
+        memoryUsedBytes: Math.max(0, memAfter - memBefore),
+      });
+    } catch (err) {
+      const durationMs = performance.now() - startTime;
+      const memAfter = process.memoryUsage().heapUsed;
+
+      parentPort.postMessage({
+        type: 'error',
+        error: err && err.message ? err.message : String(err),
+        durationMs: durationMs,
+        memoryUsedBytes: Math.max(0, memAfter - memBefore),
+      });
+    }
+  }
+
+  run();
+`;
+var WorkerSandbox = class {
+  worker = null;
+  isShutdown = false;
+  /**
+   * Execute code in an isolated worker thread.
+   *
+   * Spawns a new worker for each execution to ensure full isolation.
+   * The worker has memory limits enforced by V8 via `resourceLimits`,
+   * a vm-level timeout for synchronous code, and a main-thread timeout
+   * as a fallback for async code or hangs.
+   *
+   * @param code - JavaScript code string to execute inside the sandbox.
+   *   The code is wrapped in an async IIFE, so `return` and `await` are valid.
+   * @param context - Execution context with identity and resource constraints
+   * @returns Promise resolving to a SandboxResult
+   */
+  async execute(code, context) {
+    if (this.isShutdown) {
+      return {
+        success: false,
+        output: void 0,
+        error: "Sandbox has been shut down",
+        durationMs: 0,
+        memoryUsedBytes: 0
+      };
+    }
+    const timeout = context.timeout || DEFAULT_TIMEOUT2;
+    const memoryLimitMb = context.memoryLimitMb || DEFAULT_MEMORY_LIMIT_MB;
+    const startTime = performance.now();
+    return new Promise((resolve) => {
+      let settled = false;
+      let timeoutId = null;
+      const settle = (result) => {
+        if (settled) return;
+        settled = true;
+        if (timeoutId) {
+          clearTimeout(timeoutId);
+          timeoutId = null;
+        }
+        resolve(result);
+      };
+      try {
+        const worker = new Worker(WORKER_SCRIPT, {
+          eval: true,
+          workerData: {
+            code,
+            context: {
+              tenantId: context.tenantId,
+              agentId: context.agentId,
+              trustLevel: context.trustLevel ?? 0,
+              allowedModules: context.allowedModules ?? [],
+              timeout,
+              memoryLimitMb
+            }
+          },
+          resourceLimits: {
+            maxOldGenerationSizeMb: memoryLimitMb,
+            maxYoungGenerationSizeMb: Math.max(1, Math.floor(memoryLimitMb / 4)),
+            codeRangeSizeMb: Math.max(1, Math.floor(memoryLimitMb / 8))
+          }
+        });
+        this.worker = worker;
+        timeoutId = setTimeout(() => {
+          const durationMs = performance.now() - startTime;
+          worker.terminate().catch(() => {
+          });
+          settle({
+            success: false,
+            output: void 0,
+            error: `Execution timed out after ${timeout}ms`,
+            durationMs,
+            memoryUsedBytes: 0
+          });
+        }, timeout + 500);
+        worker.on("message", (message) => {
+          if (message.type === "result") {
+            settle({
+              success: true,
+              output: message.output,
+              durationMs: message.durationMs,
+              memoryUsedBytes: message.memoryUsedBytes
+            });
+          } else if (message.type === "error") {
+            settle({
+              success: false,
+              output: void 0,
+              error: message.error,
+              durationMs: message.durationMs,
+              memoryUsedBytes: message.memoryUsedBytes
+            });
+          }
+          worker.terminate().catch(() => {
+          });
+        });
+        worker.on("error", (error) => {
+          const durationMs = performance.now() - startTime;
+          settle({
+            success: false,
+            output: void 0,
+            error: error.message || "Worker error",
+            durationMs,
+            memoryUsedBytes: 0
+          });
+        });
+        worker.on("exit", (exitCode) => {
+          if (exitCode !== 0) {
+            const durationMs = performance.now() - startTime;
+            settle({
+              success: false,
+              output: void 0,
+              error: `Worker exited with code ${exitCode} (possible memory limit exceeded)`,
+              durationMs,
+              memoryUsedBytes: 0
+            });
+          }
+          this.worker = null;
+        });
+      } catch (err) {
+        const durationMs = performance.now() - startTime;
+        const errorMessage = err instanceof Error ? err.message : String(err);
+        settle({
+          success: false,
+          output: void 0,
+          error: `Failed to spawn worker: ${errorMessage}`,
+          durationMs,
+          memoryUsedBytes: 0
+        });
+      }
+    });
+  }
+  /**
+   * Gracefully shut down the sandbox.
+   * Terminates any running worker and prevents future executions.
+   */
+  async shutdown() {
+    this.isShutdown = true;
+    if (this.worker) {
+      await this.worker.terminate();
+      this.worker = null;
+    }
+  }
+  /**
+   * Check whether the sandbox has been shut down.
+   */
+  get terminated() {
+    return this.isShutdown;
+  }
+};
+
 // src/index.ts
 import { z as z2 } from "zod";
 export {
@@ -454,6 +701,8 @@ export {
   TrustStatusSchema,
   TrustTier,
   WebhookRouter,
+  WorkerSandbox,
+  createProofBridge,
   parseWebhookPayload,
   verifyWebhookSignature,
   z2 as z

package/dist/proof-bridge-BBmb7kVP.d.cts

@@ -0,0 +1,394 @@
+import { z } from 'zod';
+import { TrustTier } from '@vorionsys/shared-constants';
+
+/**
+ * Cognigate TypeScript SDK - Type Definitions
+ *
+ * Core types for the Cognigate AI governance API
+ */
+
+type GovernanceDecision = 'ALLOW' | 'DENY' | 'ESCALATE' | 'DEGRADE';
+interface GovernanceResult {
+    decision: GovernanceDecision;
+    trustScore: number;
+    trustTier: TrustTier;
+    grantedCapabilities: string[];
+    deniedCapabilities: string[];
+    reasoning: string;
+    constraints?: Record<string, unknown>;
+    proofId?: string;
+    timestamp: Date;
+}
+interface Intent {
+    id: string;
+    entityId: string;
+    rawInput: string;
+    parsedAction: string;
+    parameters: Record<string, unknown>;
+    riskLevel: 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
+    requiredCapabilities: string[];
+    timestamp: Date;
+}
+interface IntentParseResult {
+    intent: Intent;
+    confidence: number;
+    alternativeInterpretations?: Intent[];
+}
+interface TrustStatus {
+    entityId: string;
+    trustScore: number;
+    trustTier: TrustTier;
+    tierName: string;
+    capabilities: string[];
+    factorScores: Record<string, number>;
+    lastEvaluated: Date;
+    compliant: boolean;
+    warnings: string[];
+}
+interface ProofRecord {
+    id: string;
+    entityId: string;
+    intentId: string;
+    decision: GovernanceDecision;
+    action: string;
+    outcome: 'SUCCESS' | 'FAILURE' | 'PARTIAL' | 'PENDING';
+    trustScoreBefore: number;
+    trustScoreAfter: number;
+    timestamp: Date;
+    hash: string;
+    previousHash: string;
+    metadata?: Record<string, unknown>;
+}
+interface ProofChainStats {
+    totalRecords: number;
+    successRate: number;
+    averageTrustScore: number;
+    chainIntegrity: boolean;
+    lastVerified: Date;
+}
+interface Agent {
+    id: string;
+    name: string;
+    description: string;
+    ownerId: string;
+    trustScore: number;
+    trustTier: TrustTier;
+    status: 'ACTIVE' | 'PAUSED' | 'SUSPENDED' | 'TERMINATED';
+    capabilities: string[];
+    executions: number;
+    successRate: number;
+    createdAt: Date;
+    updatedAt: Date;
+    metadata?: Record<string, unknown>;
+}
+interface CreateAgentRequest {
+    name: string;
+    description?: string;
+    template?: string;
+    initialCapabilities?: string[];
+    metadata?: Record<string, unknown>;
+}
+interface UpdateAgentRequest {
+    name?: string;
+    description?: string;
+    status?: 'ACTIVE' | 'PAUSED';
+    metadata?: Record<string, unknown>;
+}
+interface ApiResponse<T> {
+    success: boolean;
+    data?: T;
+    error?: ApiError;
+    requestId: string;
+    timestamp: Date;
+}
+interface ApiError {
+    code: string;
+    message: string;
+    details?: Record<string, unknown>;
+}
+interface PaginatedResponse<T> {
+    items: T[];
+    total: number;
+    page: number;
+    pageSize: number;
+    hasMore: boolean;
+}
+interface WebhookEvent {
+    id: string;
+    type: WebhookEventType;
+    entityId: string;
+    payload: Record<string, unknown>;
+    timestamp: Date;
+    signature: string;
+}
+type WebhookEventType = 'agent.created' | 'agent.updated' | 'agent.deleted' | 'agent.status_changed' | 'trust.score_changed' | 'trust.tier_changed' | 'governance.decision' | 'proof.recorded' | 'alert.triggered';
+interface CognigateConfig {
+    apiKey: string;
+    baseUrl?: string;
+    timeout?: number;
+    retries?: number;
+    debug?: boolean;
+    webhookSecret?: string;
+}
+declare const TrustStatusSchema: z.ZodObject<{
+    entityId: z.ZodString;
+    trustScore: z.ZodNumber;
+    trustTier: z.ZodNativeEnum<typeof TrustTier>;
+    tierName: z.ZodString;
+    capabilities: z.ZodArray<z.ZodString, "many">;
+    factorScores: z.ZodRecord<z.ZodString, z.ZodNumber>;
+    lastEvaluated: z.ZodDate;
+    compliant: z.ZodBoolean;
+    warnings: z.ZodArray<z.ZodString, "many">;
+}, "strip", z.ZodTypeAny, {
+    entityId: string;
+    trustScore: number;
+    trustTier: TrustTier;
+    tierName: string;
+    capabilities: string[];
+    factorScores: Record<string, number>;
+    lastEvaluated: Date;
+    compliant: boolean;
+    warnings: string[];
+}, {
+    entityId: string;
+    trustScore: number;
+    trustTier: TrustTier;
+    tierName: string;
+    capabilities: string[];
+    factorScores: Record<string, number>;
+    lastEvaluated: Date;
+    compliant: boolean;
+    warnings: string[];
+}>;
+declare const GovernanceResultSchema: z.ZodObject<{
+    decision: z.ZodEnum<["ALLOW", "DENY", "ESCALATE", "DEGRADE"]>;
+    trustScore: z.ZodNumber;
+    trustTier: z.ZodNativeEnum<typeof TrustTier>;
+    grantedCapabilities: z.ZodArray<z.ZodString, "many">;
+    deniedCapabilities: z.ZodArray<z.ZodString, "many">;
+    reasoning: z.ZodString;
+    constraints: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    proofId: z.ZodOptional<z.ZodString>;
+    timestamp: z.ZodDate;
+}, "strip", z.ZodTypeAny, {
+    trustScore: number;
+    trustTier: TrustTier;
+    decision: "ALLOW" | "DENY" | "ESCALATE" | "DEGRADE";
+    grantedCapabilities: string[];
+    deniedCapabilities: string[];
+    reasoning: string;
+    timestamp: Date;
+    constraints?: Record<string, unknown> | undefined;
+    proofId?: string | undefined;
+}, {
+    trustScore: number;
+    trustTier: TrustTier;
+    decision: "ALLOW" | "DENY" | "ESCALATE" | "DEGRADE";
+    grantedCapabilities: string[];
+    deniedCapabilities: string[];
+    reasoning: string;
+    timestamp: Date;
+    constraints?: Record<string, unknown> | undefined;
+    proofId?: string | undefined;
+}>;
+declare const ProofRecordSchema: z.ZodObject<{
+    id: z.ZodString;
+    entityId: z.ZodString;
+    intentId: z.ZodString;
+    decision: z.ZodEnum<["ALLOW", "DENY", "ESCALATE", "DEGRADE"]>;
+    action: z.ZodString;
+    outcome: z.ZodEnum<["SUCCESS", "FAILURE", "PARTIAL", "PENDING"]>;
+    trustScoreBefore: z.ZodNumber;
+    trustScoreAfter: z.ZodNumber;
+    timestamp: z.ZodDate;
+    hash: z.ZodString;
+    previousHash: z.ZodString;
+    metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    entityId: string;
+    decision: "ALLOW" | "DENY" | "ESCALATE" | "DEGRADE";
+    timestamp: Date;
+    id: string;
+    intentId: string;
+    action: string;
+    outcome: "SUCCESS" | "FAILURE" | "PARTIAL" | "PENDING";
+    trustScoreBefore: number;
+    trustScoreAfter: number;
+    hash: string;
+    previousHash: string;
+    metadata?: Record<string, unknown> | undefined;
+}, {
+    entityId: string;
+    decision: "ALLOW" | "DENY" | "ESCALATE" | "DEGRADE";
+    timestamp: Date;
+    id: string;
+    intentId: string;
+    action: string;
+    outcome: "SUCCESS" | "FAILURE" | "PARTIAL" | "PENDING";
+    trustScoreBefore: number;
+    trustScoreAfter: number;
+    hash: string;
+    previousHash: string;
+    metadata?: Record<string, unknown> | undefined;
+}>;
+declare const AgentSchema: z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    description: z.ZodString;
+    ownerId: z.ZodString;
+    trustScore: z.ZodNumber;
+    trustTier: z.ZodNativeEnum<typeof TrustTier>;
+    status: z.ZodEnum<["ACTIVE", "PAUSED", "SUSPENDED", "TERMINATED"]>;
+    capabilities: z.ZodArray<z.ZodString, "many">;
+    executions: z.ZodNumber;
+    successRate: z.ZodNumber;
+    createdAt: z.ZodDate;
+    updatedAt: z.ZodDate;
+    metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    trustScore: number;
+    trustTier: TrustTier;
+    status: "ACTIVE" | "PAUSED" | "SUSPENDED" | "TERMINATED";
+    capabilities: string[];
+    id: string;
+    name: string;
+    description: string;
+    ownerId: string;
+    executions: number;
+    successRate: number;
+    createdAt: Date;
+    updatedAt: Date;
+    metadata?: Record<string, unknown> | undefined;
+}, {
+    trustScore: number;
+    trustTier: TrustTier;
+    status: "ACTIVE" | "PAUSED" | "SUSPENDED" | "TERMINATED";
+    capabilities: string[];
+    id: string;
+    name: string;
+    description: string;
+    ownerId: string;
+    executions: number;
+    successRate: number;
+    createdAt: Date;
+    updatedAt: Date;
+    metadata?: Record<string, unknown> | undefined;
+}>;
+
+/**
+ * Cognigate TypeScript SDK - Webhook Utilities
+ *
+ * Helpers for handling Cognigate webhooks
+ */
+
+/**
+ * Verify webhook signature
+ */
+declare function verifyWebhookSignature(payload: string, signature: string, secret: string): Promise<boolean>;
+/**
+ * Parse and validate a webhook payload
+ */
+declare function parseWebhookPayload(body: string, signature: string, secret: string): Promise<WebhookEvent>;
+/**
+ * Webhook handler type
+ */
+type WebhookHandler<T extends WebhookEventType = WebhookEventType> = (event: WebhookEvent & {
+    type: T;
+}) => void | Promise<void>;
+/**
+ * Webhook router for handling different event types
+ */
+declare class WebhookRouter {
+    private handlers;
+    /**
+     * Register a handler for a specific event type
+     */
+    on<T extends WebhookEventType>(type: T, handler: WebhookHandler<T>): this;
+    /**
+     * Register a handler for all events
+     */
+    onAll(handler: WebhookHandler): this;
+    /**
+     * Handle a webhook event
+     */
+    handle(event: WebhookEvent): Promise<void>;
+    /**
+     * Create an Express/Connect compatible middleware
+     */
+    middleware(secret: string): (req: {
+        headers: Record<string, string>;
+        body: unknown;
+    }, res: {
+        status: (code: number) => {
+            json: (data: unknown) => void;
+        };
+    }) => Promise<void>;
+}
+
+/**
+ * Cognigate Proof Bridge
+ *
+ * Bridges Cognigate webhook events to the Proof Plane for immutable audit trails.
+ * Listens for `governance.decision` events and emits `DECISION_MADE` proof events.
+ *
+ * @packageDocumentation
+ */
+
+/**
+ * Structural type for proof-plane integration (avoids hard dependency on @vorionsys/proof-plane)
+ */
+interface ProofPlaneEmitter {
+    logDecisionMade(decision: {
+        decisionId: string;
+        intentId: string;
+        agentId: string;
+        correlationId: string;
+        permitted: boolean;
+        trustBand: number;
+        trustScore: number;
+        reasoning: string[];
+        decidedAt: Date;
+        expiresAt: Date;
+        latencyMs: number;
+        version: number;
+    }, correlationId?: string): Promise<unknown>;
+}
+/**
+ * Configuration for the proof bridge
+ */
+interface ProofBridgeConfig {
+    /** Proof plane emitter instance */
+    proofPlane: ProofPlaneEmitter;
+    /** Webhook router to subscribe to */
+    webhookRouter: WebhookRouter;
+}
+/**
+ * Handle for disconnecting the proof bridge
+ */
+interface ProofBridgeHandle {
+    /** Disconnect the bridge (stops forwarding events) */
+    disconnect: () => void;
+}
+/**
+ * Create a proof bridge that forwards Cognigate governance.decision webhooks
+ * to the Proof Plane as DECISION_MADE events.
+ *
+ * @example
+ * ```typescript
+ * import { WebhookRouter } from '@vorionsys/cognigate';
+ * import { createProofBridge } from '@vorionsys/cognigate/proof-bridge';
+ * import { ProofPlane } from '@vorionsys/proof-plane';
+ *
+ * const router = new WebhookRouter();
+ * const proofPlane = new ProofPlane({ storage: memoryStore() });
+ *
+ * const bridge = createProofBridge({ proofPlane, webhookRouter: router });
+ * // governance.decision events now automatically emit DECISION_MADE proofs
+ *
+ * bridge.disconnect(); // stop forwarding
+ * ```
+ */
+declare function createProofBridge(config: ProofBridgeConfig): ProofBridgeHandle;
+
+export { type Agent as A, type CognigateConfig as C, type GovernanceResult as G, type IntentParseResult as I, type ProofRecord as P, type TrustStatus as T, type UpdateAgentRequest as U, type WebhookEvent as W, type Intent as a, type PaginatedResponse as b, type ProofChainStats as c, type CreateAgentRequest as d, AgentSchema as e, type ApiError as f, type ApiResponse as g, type GovernanceDecision as h, GovernanceResultSchema as i, type ProofBridgeConfig as j, type ProofBridgeHandle as k, type ProofPlaneEmitter as l, ProofRecordSchema as m, TrustStatusSchema as n, type WebhookEventType as o, type WebhookHandler as p, WebhookRouter as q, createProofBridge as r, parseWebhookPayload as s, verifyWebhookSignature as v };