agentskeptic 8.6.1 → 8.8.0
- package/dist/cli.js +49 -20
- package/dist/cli.js.map +1 -1
- package/dist/cliArgv.d.ts +1 -0
- package/dist/cliArgv.d.ts.map +1 -1
- package/dist/cliArgv.js +12 -4
- package/dist/cliArgv.js.map +1 -1
- package/dist/decisionEvidenceBundle/canonicalBytes.d.ts +5 -0
- package/dist/decisionEvidenceBundle/canonicalBytes.d.ts.map +1 -0
- package/dist/decisionEvidenceBundle/canonicalBytes.js +10 -0
- package/dist/decisionEvidenceBundle/canonicalBytes.js.map +1 -0
- package/dist/decisionEvidenceBundle/canonicalBytes.test.d.ts +2 -0
- package/dist/decisionEvidenceBundle/canonicalBytes.test.d.ts.map +1 -0
- package/dist/decisionEvidenceBundle/canonicalBytes.test.js +55 -0
- package/dist/decisionEvidenceBundle/canonicalBytes.test.js.map +1 -0
- package/dist/decisionEvidenceBundle/constants.d.ts +2 -0
- package/dist/decisionEvidenceBundle/constants.d.ts.map +1 -1
- package/dist/decisionEvidenceBundle/constants.js +2 -0
- package/dist/decisionEvidenceBundle/constants.js.map +1 -1
- package/dist/decisionEvidenceBundle/failureCodes.d.ts +26 -0
- package/dist/decisionEvidenceBundle/failureCodes.d.ts.map +1 -0
- package/dist/decisionEvidenceBundle/failureCodes.js +24 -0
- package/dist/decisionEvidenceBundle/failureCodes.js.map +1 -0
- package/dist/decisionEvidenceBundle/index.d.ts +2 -0
- package/dist/decisionEvidenceBundle/index.d.ts.map +1 -1
- package/dist/decisionEvidenceBundle/index.js +2 -0
- package/dist/decisionEvidenceBundle/index.js.map +1 -1
- package/dist/decisionEvidenceBundle/validateDecisionEvidenceBundle.d.ts +32 -11
- package/dist/decisionEvidenceBundle/validateDecisionEvidenceBundle.d.ts.map +1 -1
- package/dist/decisionEvidenceBundle/validateDecisionEvidenceBundle.js +222 -122
- package/dist/decisionEvidenceBundle/validateDecisionEvidenceBundle.js.map +1 -1
- package/dist/decisionEvidenceBundle/writeDecisionEvidenceBundle.d.ts +15 -1
- package/dist/decisionEvidenceBundle/writeDecisionEvidenceBundle.d.ts.map +1 -1
- package/dist/decisionEvidenceBundle/writeDecisionEvidenceBundle.js +42 -7
- package/dist/decisionEvidenceBundle/writeDecisionEvidenceBundle.js.map +1 -1
- package/dist/decisionEvidenceBundle.test.js +16 -5
- package/dist/decisionEvidenceBundle.test.js.map +1 -1
- package/dist/execution-identity.v1.json +1 -1
- package/dist/publicDistribution.generated.d.ts +1 -1
- package/dist/publicDistribution.generated.js +1 -1
- package/dist/schema-validation.test.js +67 -0
- package/dist/schema-validation.test.js.map +1 -1
- package/dist/schemaLoad.d.ts +1 -1
- package/dist/schemaLoad.d.ts.map +1 -1
- package/dist/schemaLoad.js +2 -0
- package/dist/schemaLoad.js.map +1 -1
- package/dist/signCanonicalBytesEd25519.d.ts +10 -0
- package/dist/signCanonicalBytesEd25519.d.ts.map +1 -0
- package/dist/signCanonicalBytesEd25519.js +43 -0
- package/dist/signCanonicalBytesEd25519.js.map +1 -0
- package/dist/verify/batchVerifyTelemetrySubcommand.d.ts.map +1 -1
- package/dist/verify/batchVerifyTelemetrySubcommand.js +12 -0
- package/dist/verify/batchVerifyTelemetrySubcommand.js.map +1 -1
- package/dist/verify/writeContractProofArtifacts.d.ts +2 -0
- package/dist/verify/writeContractProofArtifacts.d.ts.map +1 -1
- package/dist/verify/writeContractProofArtifacts.js +3 -0
- package/dist/verify/writeContractProofArtifacts.js.map +1 -1
- package/dist/workflowResultSignature.d.ts +7 -4
- package/dist/workflowResultSignature.d.ts.map +1 -1
- package/dist/workflowResultSignature.js +9 -40
- package/dist/workflowResultSignature.js.map +1 -1
- package/dist/workflowResultSignaturePemNormalize.d.ts +3 -0
- package/dist/workflowResultSignaturePemNormalize.d.ts.map +1 -0
- package/dist/workflowResultSignaturePemNormalize.js +8 -0
- package/dist/workflowResultSignaturePemNormalize.js.map +1 -0
- package/package.json +1 -1
- package/schemas/decision-bundle-validation-v1.schema.json +25 -9
- package/schemas/decision-evidence-bundle-manifest-v1.schema.json +1 -0
- package/schemas/decision-evidence-bundle-manifest-v2.schema.json +61 -0
- package/schemas/openapi-commercial-v1.yaml +1 -1
- package/scripts/discovery-payload.lib.cjs +2 -2
|
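--- a/package/dist/decisionEvidenceBundle/failureCodes.d.ts
+++ b/package/dist/decisionEvidenceBundle/failureCodes.d.ts
@@ -0,0 +1,26 @@
+/**
+* Normative `errors[].code` and `errors[].message` constants for decision-bundle validation.
+* Messages are contract-fixed; contract tests string-compare both code and message.
+*/
+export declare const MANIFEST_SCHEMA = "MANIFEST_SCHEMA";
+export declare const DECISION_BUNDLE_CERT_FINGERPRINT_MISMATCH = "DECISION_BUNDLE_CERT_FINGERPRINT_MISMATCH";
+export declare const DECISION_BUNDLE_MATERIAL_TRUTH_FINGERPRINT_MISMATCH = "DECISION_BUNDLE_MATERIAL_TRUTH_FINGERPRINT_MISMATCH";
+export declare const DECISION_BUNDLE_MATERIAL_TRUTH_MISSING = "DECISION_BUNDLE_MATERIAL_TRUTH_MISSING";
+export declare const DECISION_BUNDLE_MATERIAL_TRUTH_SCHEMA = "DECISION_BUNDLE_MATERIAL_TRUTH_SCHEMA";
+export declare const DECISION_BUNDLE_SIGNATURE_KEY_REQUIRED = "DECISION_BUNDLE_SIGNATURE_KEY_REQUIRED";
+export declare const DECISION_BUNDLE_SIGNATURE_INVALID = "DECISION_BUNDLE_SIGNATURE_INVALID";
+export declare const DECISION_BUNDLE_FAILURE_MESSAGES: {
+readonly MANIFEST_SCHEMA: "manifest.json failed schema validation or is not a supported manifest version.";
+readonly DECISION_BUNDLE_CERT_FINGERPRINT_MISMATCH: "outcome-certificate.json sha256 does not match manifest.certificate.sha256";
+readonly DECISION_BUNDLE_MATERIAL_TRUTH_FINGERPRINT_MISMATCH: "material-truth.json sha256 does not match manifest.materialTruth.sha256";
+readonly DECISION_BUNDLE_MATERIAL_TRUTH_MISSING: "material-truth.json is required for manifest schemaVersion 2 and was not found.";
+readonly DECISION_BUNDLE_MATERIAL_TRUTH_SCHEMA: "material-truth.json failed material-truth-v2 schema validation.";
+readonly DECISION_BUNDLE_SIGNATURE_KEY_REQUIRED: "manifest.sig.json is present; pass --public-key <path> with the signer's SPKI PEM.";
+readonly DECISION_BUNDLE_SIGNATURE_INVALID: "manifest.sig.json failed Ed25519 verification or does not match manifest.json bytes.";
+};
+export type DecisionBundleFailureCode = keyof typeof DECISION_BUNDLE_FAILURE_MESSAGES;
+export declare function decisionBundleFailure(code: DecisionBundleFailureCode): {
+code: string;
+message: string;
+};
+//# sourceMappingURL=failureCodes.d.ts.map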
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"failureCodes.d.ts","sourceRoot":"","sources":["../../src/decisionEvidenceBundle/failureCodes.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,eAAO,MAAM,eAAe,oBAAoB,CAAC;AACjD,eAAO,MAAM,yCAAyC,8CAA8C,CAAC;AACrG,eAAO,MAAM,mDAAmD,wDACT,CAAC;AACxD,eAAO,MAAM,sCAAsC,2CAA2C,CAAC;AAC/F,eAAO,MAAM,qCAAqC,0CAA0C,CAAC;AAC7F,eAAO,MAAM,sCAAsC,2CAA2C,CAAC;AAC/F,eAAO,MAAM,iCAAiC,sCAAsC,CAAC;AAErF,eAAO,MAAM,gCAAgC;;;;;;;;CAcnC,CAAC;AAEX,MAAM,MAAM,yBAAyB,GAAG,MAAM,OAAO,gCAAgC,CAAC;AAEtF,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,yBAAyB,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAExG"}
|
|
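--- a/package/dist/decisionEvidenceBundle/failureCodes.js
+++ b/package/dist/decisionEvidenceBundle/failureCodes.js
@@ -0,0 +1,24 @@
+/**
+* Normative `errors[].code` and `errors[].message` constants for decision-bundle validation.
+* Messages are contract-fixed; contract tests string-compare both code and message.
+*/
+export const MANIFEST_SCHEMA = "MANIFEST_SCHEMA";
+export const DECISION_BUNDLE_CERT_FINGERPRINT_MISMATCH = "DECISION_BUNDLE_CERT_FINGERPRINT_MISMATCH";
+export const DECISION_BUNDLE_MATERIAL_TRUTH_FINGERPRINT_MISMATCH = "DECISION_BUNDLE_MATERIAL_TRUTH_FINGERPRINT_MISMATCH";
+export const DECISION_BUNDLE_MATERIAL_TRUTH_MISSING = "DECISION_BUNDLE_MATERIAL_TRUTH_MISSING";
+export const DECISION_BUNDLE_MATERIAL_TRUTH_SCHEMA = "DECISION_BUNDLE_MATERIAL_TRUTH_SCHEMA";
+export const DECISION_BUNDLE_SIGNATURE_KEY_REQUIRED = "DECISION_BUNDLE_SIGNATURE_KEY_REQUIRED";
+export const DECISION_BUNDLE_SIGNATURE_INVALID = "DECISION_BUNDLE_SIGNATURE_INVALID";
+export const DECISION_BUNDLE_FAILURE_MESSAGES = {
+[MANIFEST_SCHEMA]: "manifest.json failed schema validation or is not a supported manifest version.",
+[DECISION_BUNDLE_CERT_FINGERPRINT_MISMATCH]: "outcome-certificate.json sha256 does not match manifest.certificate.sha256",
+[DECISION_BUNDLE_MATERIAL_TRUTH_FINGERPRINT_MISMATCH]: "material-truth.json sha256 does not match manifest.materialTruth.sha256",
+[DECISION_BUNDLE_MATERIAL_TRUTH_MISSING]: "material-truth.json is required for manifest schemaVersion 2 and was not found.",
+[DECISION_BUNDLE_MATERIAL_TRUTH_SCHEMA]: "material-truth.json failed material-truth-v2 schema validation.",
+[DECISION_BUNDLE_SIGNATURE_KEY_REQUIRED]: "manifest.sig.json is present; pass --public-key <path> with the signer's SPKI PEM.",
+[DECISION_BUNDLE_SIGNATURE_INVALID]: "manifest.sig.json failed Ed25519 verification or does not match manifest.json bytes.",
+};
+export function decisionBundleFailure(code) {
+return { code, message: DECISION_BUNDLE_FAILURE_MESSAGES[code] };
+}
+//# sourceMappingURL=failureCodes.js.map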
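Review bot: `DECISION_BUNDLE_FAILURE_MESSAGES` is described as contract-fixed, but at runtime it is an ordinary mutable object, so any module that imports it can alter the messages that the contract tests compare. Wrapping the literal as `export const DECISION_BUNDLE_FAILURE_MESSAGES = Object.freeze({ ... });` keeps the emitted strings fixed. `decisionBundleFailure(code)` also returns `message: undefined` for a code outside the table when called from untyped JavaScript; a guard that throws on an unknown code would surface that early.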
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"failureCodes.js","sourceRoot":"","sources":["../../src/decisionEvidenceBundle/failureCodes.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,CAAC,MAAM,eAAe,GAAG,iBAAiB,CAAC;AACjD,MAAM,CAAC,MAAM,yCAAyC,GAAG,2CAA2C,CAAC;AACrG,MAAM,CAAC,MAAM,mDAAmD,GAC9D,qDAAqD,CAAC;AACxD,MAAM,CAAC,MAAM,sCAAsC,GAAG,wCAAwC,CAAC;AAC/F,MAAM,CAAC,MAAM,qCAAqC,GAAG,uCAAuC,CAAC;AAC7F,MAAM,CAAC,MAAM,sCAAsC,GAAG,wCAAwC,CAAC;AAC/F,MAAM,CAAC,MAAM,iCAAiC,GAAG,mCAAmC,CAAC;AAErF,MAAM,CAAC,MAAM,gCAAgC,GAAG;IAC9C,CAAC,eAAe,CAAC,EAAE,gFAAgF;IACnG,CAAC,yCAAyC,CAAC,EACzC,4EAA4E;IAC9E,CAAC,mDAAmD,CAAC,EACnD,yEAAyE;IAC3E,CAAC,sCAAsC,CAAC,EACtC,iFAAiF;IACnF,CAAC,qCAAqC,CAAC,EACrC,iEAAiE;IACnE,CAAC,sCAAsC,CAAC,EACtC,oFAAoF;IACtF,CAAC,iCAAiC,CAAC,EACjC,sFAAsF;CAChF,CAAC;AAIX,MAAM,UAAU,qBAAqB,CAAC,IAA+B;IACnE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,gCAAgC,CAAC,IAAI,CAAC,EAAE,CAAC;AACnE,CAAC"}
|
|
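--- a/package/dist/decisionEvidenceBundle/index.d.ts
+++ b/package/dist/decisionEvidenceBundle/index.d.ts
@@ -1,5 +1,7 @@
 export { DECISION_EVIDENCE_FILES } from "./constants.js";
 export { exitCodeFromOutcomeCertificate } from "./exitCode.js";
+export { fingerprintUtf8JsonFileBytes, lineUtf8JsonFileBytes } from "./canonicalBytes.js";
+export { MANIFEST_SCHEMA, DECISION_BUNDLE_CERT_FINGERPRINT_MISMATCH, DECISION_BUNDLE_MATERIAL_TRUTH_FINGERPRINT_MISMATCH, DECISION_BUNDLE_MATERIAL_TRUTH_MISSING, DECISION_BUNDLE_MATERIAL_TRUTH_SCHEMA, DECISION_BUNDLE_SIGNATURE_KEY_REQUIRED, DECISION_BUNDLE_SIGNATURE_INVALID, DECISION_BUNDLE_FAILURE_MESSAGES, decisionBundleFailure, type DecisionBundleFailureCode, } from "./failureCodes.js";
 export { a5RequiredFromCertificate, computeCompletenessFromParts, type DecisionEvidenceCompleteness, type DecisionEvidenceCompletenessStatus, type DecisionEvidenceArtifactsFlags, } from "./completeness.js";
 export { writeDecisionEvidenceBundle, type WriteDecisionEvidenceBundleOptions } from "./writeDecisionEvidenceBundle.js";
 export { validateDecisionEvidenceBundle, formatValidationStdout, type DecisionBundleValidationLine, } from "./validateDecisionEvidenceBundle.js";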
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/decisionEvidenceBundle/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AACzD,OAAO,EAAE,8BAA8B,EAAE,MAAM,eAAe,CAAC;AAC/D,OAAO,EACL,yBAAyB,EACzB,4BAA4B,EAC5B,KAAK,4BAA4B,EACjC,KAAK,kCAAkC,EACvC,KAAK,8BAA8B,GACpC,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,2BAA2B,EAAE,KAAK,kCAAkC,EAAE,MAAM,kCAAkC,CAAC;AACxH,OAAO,EACL,8BAA8B,EAC9B,sBAAsB,EACtB,KAAK,4BAA4B,GAClC,MAAM,qCAAqC,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/decisionEvidenceBundle/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AACzD,OAAO,EAAE,8BAA8B,EAAE,MAAM,eAAe,CAAC;AAC/D,OAAO,EAAE,4BAA4B,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAC1F,OAAO,EACL,eAAe,EACf,yCAAyC,EACzC,mDAAmD,EACnD,sCAAsC,EACtC,qCAAqC,EACrC,sCAAsC,EACtC,iCAAiC,EACjC,gCAAgC,EAChC,qBAAqB,EACrB,KAAK,yBAAyB,GAC/B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,yBAAyB,EACzB,4BAA4B,EAC5B,KAAK,4BAA4B,EACjC,KAAK,kCAAkC,EACvC,KAAK,8BAA8B,GACpC,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,2BAA2B,EAAE,KAAK,kCAAkC,EAAE,MAAM,kCAAkC,CAAC;AACxH,OAAO,EACL,8BAA8B,EAC9B,sBAAsB,EACtB,KAAK,4BAA4B,GAClC,MAAM,qCAAqC,CAAC"}
|
|
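--- a/package/dist/decisionEvidenceBundle/index.js
+++ b/package/dist/decisionEvidenceBundle/index.js
@@ -1,5 +1,7 @@
 export { DECISION_EVIDENCE_FILES } from "./constants.js";
 export { exitCodeFromOutcomeCertificate } from "./exitCode.js";
+export { fingerprintUtf8JsonFileBytes, lineUtf8JsonFileBytes } from "./canonicalBytes.js";
+export { MANIFEST_SCHEMA, DECISION_BUNDLE_CERT_FINGERPRINT_MISMATCH, DECISION_BUNDLE_MATERIAL_TRUTH_FINGERPRINT_MISMATCH, DECISION_BUNDLE_MATERIAL_TRUTH_MISSING, DECISION_BUNDLE_MATERIAL_TRUTH_SCHEMA, DECISION_BUNDLE_SIGNATURE_KEY_REQUIRED, DECISION_BUNDLE_SIGNATURE_INVALID, DECISION_BUNDLE_FAILURE_MESSAGES, decisionBundleFailure, } from "./failureCodes.js";
 export { a5RequiredFromCertificate, computeCompletenessFromParts, } from "./completeness.js";
 export { writeDecisionEvidenceBundle } from "./writeDecisionEvidenceBundle.js";
 export { validateDecisionEvidenceBundle, formatValidationStdout, } from "./validateDecisionEvidenceBundle.js";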
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/decisionEvidenceBundle/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AACzD,OAAO,EAAE,8BAA8B,EAAE,MAAM,eAAe,CAAC;AAC/D,OAAO,EACL,yBAAyB,EACzB,4BAA4B,GAI7B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,2BAA2B,EAA2C,MAAM,kCAAkC,CAAC;AACxH,OAAO,EACL,8BAA8B,EAC9B,sBAAsB,GAEvB,MAAM,qCAAqC,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/decisionEvidenceBundle/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AACzD,OAAO,EAAE,8BAA8B,EAAE,MAAM,eAAe,CAAC;AAC/D,OAAO,EAAE,4BAA4B,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAC1F,OAAO,EACL,eAAe,EACf,yCAAyC,EACzC,mDAAmD,EACnD,sCAAsC,EACtC,qCAAqC,EACrC,sCAAsC,EACtC,iCAAiC,EACjC,gCAAgC,EAChC,qBAAqB,GAEtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,yBAAyB,EACzB,4BAA4B,GAI7B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,2BAA2B,EAA2C,MAAM,kCAAkC,CAAC;AACxH,OAAO,EACL,8BAA8B,EAC9B,sBAAsB,GAEvB,MAAM,qCAAqC,CAAC"}
|
|
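--- a/package/dist/decisionEvidenceBundle/validateDecisionEvidenceBundle.d.ts
+++ b/package/dist/decisionEvidenceBundle/validateDecisionEvidenceBundle.d.ts
@@ -1,24 +1,45 @@
+type ArtifactsFlags = {
+a4Present: boolean;
+a5Present: boolean;
+a5Required: boolean;
+};
+type Completeness = {
+status: "complete" | "partial" | "invalid";
+artifacts: ArtifactsFlags;
+};
+type IntegritySignature = "absent" | "valid" | "invalid";
+type Integrity = {
+manifestVersion: 1 | 2;
+certificateFingerprintOk: boolean | null;
+materialTruthFingerprintOk: boolean | null;
+materialTruthPresent: boolean;
+selfVerifying: boolean;
+signature: IntegritySignature;
+signaturePublicKeySpkiPem: string | null;
+};
 export type DecisionBundleValidationLine = {
 schemaVersion: 1;
 kind: "decision_bundle_validation";
-status: "
+status: "valid" | "invalid";
 bundleDir: string;
-completeness:
-status: "complete" | "partial" | "invalid";
-artifacts: {
-a4Present: boolean;
-a5Present: boolean;
-a5Required: boolean;
-};
-};
+completeness: Completeness;
 errors: Array<{
 code: string;
 message: string;
 }>;
+integrity: Integrity;
+};
+export type ValidateDecisionEvidenceBundleOptions = {
+/** When set, used to verify `manifest.sig.json` if present. */
+publicKeyPemUtf8?: string;
 };
 /**
-* Validates a directory produced by writeDecisionEvidenceBundle.
+* Validates a directory produced by writeDecisionEvidenceBundle.
+*
+* Tier 1 (throws): `realpathSync` / `readdirSync` on `bundleDir` fail. Caller maps to exit 3.
+* Tier 2 (returns): Always returns a `DecisionBundleValidationLine` with `integrity` populated.
 */
-export declare function validateDecisionEvidenceBundle(bundleDir: string): DecisionBundleValidationLine;
+export declare function validateDecisionEvidenceBundle(bundleDir: string, options?: ValidateDecisionEvidenceBundleOptions): DecisionBundleValidationLine;
 export declare function formatValidationStdout(line: DecisionBundleValidationLine): string;
+export {};
 //# sourceMappingURL=validateDecisionEvidenceBundle.d.ts.map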
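Review bot: The new `Integrity` fields are declared without comments, and the two `boolean | null` fingerprint fields need one most, because `null` and `false` lead a consumer to different conclusions. Judging by the compiled validator in this release, `null` means the comparison was not performed (v1 manifest, manifest schema failure, or `material-truth.json` missing or unreadable), while `false` means the digest did not match or could not be compared. A TSDoc line such as `/** null = not checked; false = sha256 mismatch or nothing to compare. */` on `certificateFingerprintOk` and `materialTruthFingerprintOk` would state that. `signature` and `selfVerifying` deserve the same treatment, since `selfVerifying` can be true for a bundle that carries no signature at all.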
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"validateDecisionEvidenceBundle.d.ts","sourceRoot":"","sources":["../../src/decisionEvidenceBundle/validateDecisionEvidenceBundle.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"validateDecisionEvidenceBundle.d.ts","sourceRoot":"","sources":["../../src/decisionEvidenceBundle/validateDecisionEvidenceBundle.ts"],"names":[],"mappings":"AAoBA,KAAK,cAAc,GAAG;IACpB,SAAS,EAAE,OAAO,CAAC;IACnB,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,OAAO,CAAC;CACrB,CAAC;AAEF,KAAK,YAAY,GAAG;IAClB,MAAM,EAAE,UAAU,GAAG,SAAS,GAAG,SAAS,CAAC;IAC3C,SAAS,EAAE,cAAc,CAAC;CAC3B,CAAC;AAEF,KAAK,kBAAkB,GAAG,QAAQ,GAAG,OAAO,GAAG,SAAS,CAAC;AAEzD,KAAK,SAAS,GAAG;IACf,eAAe,EAAE,CAAC,GAAG,CAAC,CAAC;IACvB,wBAAwB,EAAE,OAAO,GAAG,IAAI,CAAC;IACzC,0BAA0B,EAAE,OAAO,GAAG,IAAI,CAAC;IAC3C,oBAAoB,EAAE,OAAO,CAAC;IAC9B,aAAa,EAAE,OAAO,CAAC;IACvB,SAAS,EAAE,kBAAkB,CAAC;IAC9B,yBAAyB,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1C,CAAC;AAEF,MAAM,MAAM,4BAA4B,GAAG;IACzC,aAAa,EAAE,CAAC,CAAC;IACjB,IAAI,EAAE,4BAA4B,CAAC;IACnC,MAAM,EAAE,OAAO,GAAG,SAAS,CAAC;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,YAAY,CAAC;IAC3B,MAAM,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACjD,SAAS,EAAE,SAAS,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,qCAAqC,GAAG;IAClD,+DAA+D;IAC/D,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AA0FF;;;;;GAKG;AACH,wBAAgB,8BAA8B,CAC5C,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,qCAA0C,GAClD,4BAA4B,CAoL9B;AAED,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,4BAA4B,GAAG,MAAM,CAEjF"}
|
|
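--- a/package/dist/decisionEvidenceBundle/validateDecisionEvidenceBundle.js
+++ b/package/dist/decisionEvidenceBundle/validateDecisionEvidenceBundle.js
@@ -1,159 +1,259 @@
-import {
+import { createHash, createPublicKey, verify } from "node:crypto";
+import { existsSync, readFileSync, readdirSync, realpathSync } from "node:fs";
 import path from "node:path";
 import { stringifyWithSortedKeys } from "../sortedJsonStringify.js";
 import { loadSchemaValidator } from "../schemaLoad.js";
+import { lfCanonicalUtf8Payload, sha256Hex } from "../agentRunRecord.js";
+import { normalizeSpkiPemForSidecar } from "../workflowResultSignaturePemNormalize.js";
 import { DECISION_EVIDENCE_FILES } from "./constants.js";
-import {
-function
+import { DECISION_BUNDLE_CERT_FINGERPRINT_MISMATCH, DECISION_BUNDLE_MATERIAL_TRUTH_FINGERPRINT_MISMATCH, DECISION_BUNDLE_MATERIAL_TRUTH_MISSING, DECISION_BUNDLE_MATERIAL_TRUTH_SCHEMA, DECISION_BUNDLE_SIGNATURE_INVALID, DECISION_BUNDLE_SIGNATURE_KEY_REQUIRED, decisionBundleFailure, MANIFEST_SCHEMA, } from "./failureCodes.js";
+function sha256HexBuf(buf) {
+return createHash("sha256").update(buf).digest("hex");
+}
+function parseJson(buf) {
+try {
+return { ok: true, value: JSON.parse(buf.toString("utf8")) };
+}
+catch {
+return { ok: false };
+}
+}
+function existsArtifact(absPath) {
 try {
-
-return { ok: true, value: JSON.parse(raw) };
+return existsSync(absPath);
 }
-catch
-
-
+catch {
+return false;
+}
+}
+function readFileOptional(absPath) {
+try {
+return readFileSync(absPath);
+}
+catch {
+return null;
+}
+}
+function detectManifestVersion(parsed) {
+if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+const obj = parsed;
+const sv = obj.schemaVersion;
+if (sv === 1)
+return 1;
+}
+return 2;
+}
+function manifestSchemaFailureEnvelope(args) {
+return {
+schemaVersion: 1,
+kind: "decision_bundle_validation",
+status: "invalid",
+bundleDir: args.resolved,
+completeness: {
+status: "invalid",
+artifacts: args.artifacts,
+},
+errors: [decisionBundleFailure(MANIFEST_SCHEMA)],
+integrity: {
+manifestVersion: args.manifestVersion,
+certificateFingerprintOk: null,
+materialTruthFingerprintOk: null,
+materialTruthPresent: args.materialTruthPresent,
+selfVerifying: false,
+signature: "absent",
+signaturePublicKeySpkiPem: null,
+},
+};
+}
+function tryVerifySignature(args) {
+try {
+const sidecar = JSON.parse(args.sidecarBytes.toString("utf8"));
+const validateSidecar = loadSchemaValidator("workflow-result-signature");
+if (!validateSidecar(sidecar))
+return false;
+const sigB64 = String(sidecar.signatureBase64);
+const lfManifest = lfCanonicalUtf8Payload(args.manifestBytes);
+const expectedHash = sha256Hex(lfManifest);
+if (sidecar.signedContentSha256Hex !== expectedHash)
+return false;
+const pubKey = createPublicKey({
+key: normalizeSpkiPemForSidecar(args.publicKeyPemUtf8),
+format: "pem",
+});
+return verify(null, lfManifest, pubKey, Buffer.from(sigB64, "base64"));
+}
+catch {
+return false;
 }
 }
 /**
-* Validates a directory produced by writeDecisionEvidenceBundle.
+* Validates a directory produced by writeDecisionEvidenceBundle.
+*
+* Tier 1 (throws): `realpathSync` / `readdirSync` on `bundleDir` fail. Caller maps to exit 3.
+* Tier 2 (returns): Always returns a `DecisionBundleValidationLine` with `integrity` populated.
 */
-export function validateDecisionEvidenceBundle(bundleDir) {
-const resolved = path.resolve(bundleDir);
-
-
-const exitPath = path.join(resolved, DECISION_EVIDENCE_FILES.exit);
-const hlPath = path.join(resolved, DECISION_EVIDENCE_FILES.humanLayer);
+export function validateDecisionEvidenceBundle(bundleDir, options = {}) {
+const resolved = realpathSync(path.resolve(bundleDir));
+// Tier-1 probe: directory must be open for read.
+readdirSync(resolved);
 const manifestPath = path.join(resolved, DECISION_EVIDENCE_FILES.manifest);
+const sigPath = path.join(resolved, DECISION_EVIDENCE_FILES.manifestSignature);
+const ocPath = path.join(resolved, DECISION_EVIDENCE_FILES.outcomeCertificate);
+const mtPath = path.join(resolved, DECISION_EVIDENCE_FILES.materialTruth);
 const a4Path = path.join(resolved, DECISION_EVIDENCE_FILES.attestation);
 const a5Path = path.join(resolved, DECISION_EVIDENCE_FILES.nextAction);
-
-
-
-
-
-
-
-
-
+const a4Present = existsArtifact(a4Path);
+const a5Present = existsArtifact(a5Path);
+const materialTruthPresent = existsArtifact(mtPath);
+const baseArtifacts = { a4Present, a5Present, a5Required: false };
+// --- Tier 2: load manifest bytes (any IO failure collapses to MANIFEST_SCHEMA + exit 2)
+const manifestBytes = readFileOptional(manifestPath);
+if (manifestBytes === null) {
+return manifestSchemaFailureEnvelope({
+resolved,
+manifestVersion: 2,
+materialTruthPresent,
+artifacts: baseArtifacts,
+});
 }
-
-
-
-
-
-
-
-
-const v = loadSchemaValidator("outcome-certificate-v3");
-if (!v(parsed.value)) {
-structuralErrors.push({
-code: "CERTIFICATE_SCHEMA",
-message: JSON.stringify(v.errors ?? []),
-});
-}
-else {
-certificateValid = true;
-certificate = parsed.value;
-}
-}
+const parsedManifest = parseJson(manifestBytes);
+if (!parsedManifest.ok) {
+return manifestSchemaFailureEnvelope({
+resolved,
+manifestVersion: 2,
+materialTruthPresent,
+artifacts: baseArtifacts,
+});
 }
-
-
-
-
-
-
-
-
-
-
-
+const manifestVersion = detectManifestVersion(parsedManifest.value);
+const v1Validator = loadSchemaValidator("decision-evidence-bundle-manifest-v1");
+const v2Validator = loadSchemaValidator("decision-evidence-bundle-manifest-v2");
+const v1Ok = v1Validator(parsedManifest.value);
+const v2Ok = v2Validator(parsedManifest.value);
+if (!v1Ok && !v2Ok) {
+return manifestSchemaFailureEnvelope({
+resolved,
+manifestVersion,
+materialTruthPresent,
+artifacts: baseArtifacts,
+});
 }
-
-
-
-
-
-
-
-
-
-
-
+const manifest = parsedManifest.value;
+const manifestCompleteness = manifest.completeness;
+const manifestStatus = typeof manifestCompleteness?.status === "string" &&
+(manifestCompleteness.status === "complete" ||
+manifestCompleteness.status === "partial" ||
+manifestCompleteness.status === "invalid")
+? manifestCompleteness.status
+: "invalid";
+const manifestArtifacts = (manifestCompleteness?.artifacts ?? {});
+const completenessArtifacts = {
+a4Present: typeof manifestArtifacts.a4Present === "boolean" ? manifestArtifacts.a4Present : a4Present,
+a5Present: typeof manifestArtifacts.a5Present === "boolean" ? manifestArtifacts.a5Present : a5Present,
+a5Required: typeof manifestArtifacts.a5Required === "boolean" ? manifestArtifacts.a5Required : false,
+};
+const certBytes = readFileOptional(ocPath);
+const errors = [];
+let certificateFingerprintOk;
+let materialTruthFingerprintOk;
+let signature = "absent";
+let signaturePublicKeySpkiPem = null;
+if (manifestVersion === 1) {
+certificateFingerprintOk = null;
+materialTruthFingerprintOk = null;
+signature = "absent";
 }
-
-
-
-const
-if (
-
+else {
+// v2 path
+const certEntry = manifest.certificate;
+const declaredCertSha = typeof certEntry?.sha256 === "string" ? certEntry.sha256 : "";
+if (certBytes !== null && declaredCertSha) {
+certificateFingerprintOk = sha256HexBuf(certBytes) === declaredCertSha;
+if (!certificateFingerprintOk) {
+errors.push(decisionBundleFailure(DECISION_BUNDLE_CERT_FINGERPRINT_MISMATCH));
+}
 }
 else {
-
-
-structuralErrors.push({ code: "ATTESTATION_SCHEMA", message: JSON.stringify(v.errors ?? []) });
-}
+certificateFingerprintOk = false;
+errors.push(decisionBundleFailure(DECISION_BUNDLE_CERT_FINGERPRINT_MISMATCH));
 }
-
-
-
-
-
+const mtEntry = manifest.materialTruth;
+const declaredMtSha = typeof mtEntry?.sha256 === "string" ? mtEntry.sha256 : "";
+if (!materialTruthPresent) {
+materialTruthFingerprintOk = null;
+errors.push(decisionBundleFailure(DECISION_BUNDLE_MATERIAL_TRUTH_MISSING));
 }
 else {
-const
-if (
-
+const mtBytes = readFileOptional(mtPath);
+if (mtBytes === null) {
+materialTruthFingerprintOk = null;
+errors.push(decisionBundleFailure(DECISION_BUNDLE_MATERIAL_TRUTH_MISSING));
+}
+else {
+// Fingerprint check first; mt-v2 schema check only when the bytes hash to the declared digest.
+materialTruthFingerprintOk = sha256HexBuf(mtBytes) === declaredMtSha;
+if (!materialTruthFingerprintOk) {
+errors.push(decisionBundleFailure(DECISION_BUNDLE_MATERIAL_TRUTH_FINGERPRINT_MISMATCH));
+}
+else {
+const parsedMt = parseJson(mtBytes);
+const mtSchemaOk = parsedMt.ok && loadSchemaValidator("material-truth-v2")(parsedMt.value);
+if (!mtSchemaOk) {
+errors.push(decisionBundleFailure(DECISION_BUNDLE_MATERIAL_TRUTH_SCHEMA));
+}
+}
 }
 }
-
-
-
-
-
-
-
-
-
-
+// Signature handling (v2 only)
+const sidecarBytes = readFileOptional(sigPath);
+if (sidecarBytes !== null) {
+if (options.publicKeyPemUtf8 === undefined) {
+signature = "invalid";
+errors.push(decisionBundleFailure(DECISION_BUNDLE_SIGNATURE_KEY_REQUIRED));
+}
+else {
+const ok = tryVerifySignature({
+manifestBytes,
+sidecarBytes,
+publicKeyPemUtf8: options.publicKeyPemUtf8,
+});
+if (ok) {
+signature = "valid";
+signaturePublicKeySpkiPem = normalizeSpkiPemForSidecar(options.publicKeyPemUtf8);
+}
+else {
+signature = "invalid";
+errors.push(decisionBundleFailure(DECISION_BUNDLE_SIGNATURE_INVALID));
+}
 }
 }
 }
-const
-
-
-
-
-
-
-certificate,
-a4Present,
-a5Present,
-});
-if (structuralErrors.length > 0) {
-return {
-schemaVersion: 1,
-kind: "decision_bundle_validation",
-status: "invalid",
-bundleDir: resolved,
-completeness: {
-status: "invalid",
-artifacts: computed.artifacts,
-},
-errors: structuralErrors,
-};
-}
-const status = computed.status;
+const hasIntegrityError = errors.length > 0;
+const completenessStatus = manifestStatus;
+const status = hasIntegrityError || completenessStatus === "invalid" ? "invalid" : "valid";
+const selfVerifying = manifestVersion === 2 &&
+status === "valid" &&
+!hasIntegrityError &&
+(signature === "absent" || signature === "valid");
 return {
 schemaVersion: 1,
 kind: "decision_bundle_validation",
 status,
 bundleDir: resolved,
 completeness: {
-status,
-artifacts:
+status: completenessStatus,
+artifacts: completenessArtifacts,
+},
+errors,
+integrity: {
+manifestVersion,
+certificateFingerprintOk,
+materialTruthFingerprintOk,
+materialTruthPresent,
+selfVerifying,
+signature,
+signaturePublicKeySpkiPem,
 },
-errors: computed.errors,
 };
 }
 export function formatValidationStdout(line) {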
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"validateDecisionEvidenceBundle.js","sourceRoot":"","sources":["../../src/decisionEvidenceBundle/validateDecisionEvidenceBundle.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"validateDecisionEvidenceBundle.js","sourceRoot":"","sources":["../../src/decisionEvidenceBundle/validateDecisionEvidenceBundle.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC9E,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,2CAA2C,CAAC;AACvF,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AACzD,OAAO,EACL,yCAAyC,EACzC,mDAAmD,EACnD,sCAAsC,EACtC,qCAAqC,EACrC,iCAAiC,EACjC,sCAAsC,EACtC,qBAAqB,EACrB,eAAe,GAEhB,MAAM,mBAAmB,CAAC;AAwC3B,SAAS,YAAY,CAAC,GAAW;IAC/B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,SAAS,CAAC,GAAW;IAC5B,IAAI,CAAC;QACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAY,EAAE,CAAC;IAC1E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;IACvB,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,OAAe;IACrC,IAAI,CAAC;QACH,OAAO,UAAU,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAe;IACvC,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,MAAe;IAC5C,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnE,MAAM,GAAG,GAAG,MAAiC,CAAC;QAC9C,MAAM,EAAE,GAAG,GAAG,CAAC,aAAa,CAAC;QAC7B,IAAI,EAAE,KAAK,CAAC;YAAE,OAAO,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,6BAA6B,CAAC,IAKtC;IACC,OAAO;QACL,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,4BAA4B;QAClC,MAAM,EAAE,SAAS;QACjB,SAAS,EAAE,IAAI,CAAC,QAAQ;QACxB,YAAY,EAAE;YACZ,MAAM,EAAE,SAAS;YACjB,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B;QACD,MAAM,EAAE,CAAC,qBAAqB,CAAC,eAAe,CAAC,CAAC;QAChD,SAAS,EAAE;YACT,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,wBAAwB,EAAE,IAAI;YAC9B,0BAA0B,EAAE,IAAI;YAChC,oBAAoB,EAAE,IAA
I,CAAC,oBAAoB;YAC/C,aAAa,EAAE,KAAK;YACpB,SAAS,EAAE,QAAQ;YACnB,yBAAyB,EAAE,IAAI;SAChC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,IAI3B;IACC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC,CAA4B,CAAC;QAC1F,MAAM,eAAe,GAAG,mBAAmB,CAAC,2BAA2B,CAAC,CAAC;QACzE,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC;YAAE,OAAO,KAAK,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAC/C,MAAM,UAAU,GAAG,sBAAsB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC9D,MAAM,YAAY,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QAC3C,IAAI,OAAO,CAAC,sBAAsB,KAAK,YAAY;YAAE,OAAO,KAAK,CAAC;QAClE,MAAM,MAAM,GAAG,eAAe,CAAC;YAC7B,GAAG,EAAE,0BAA0B,CAAC,IAAI,CAAC,gBAAgB,CAAC;YACtD,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IACzE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,8BAA8B,CAC5C,SAAiB,EACjB,UAAiD,EAAE;IAEnD,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;IACvD,iDAAiD;IACjD,WAAW,CAAC,QAAQ,CAAC,CAAC;IAEtB,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,uBAAuB,CAAC,QAAQ,CAAC,CAAC;IAC3E,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,uBAAuB,CAAC,iBAAiB,CAAC,CAAC;IAC/E,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,uBAAuB,CAAC,kBAAkB,CAAC,CAAC;IAC/E,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,uBAAuB,CAAC,aAAa,CAAC,CAAC;IAC1E,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,uBAAuB,CAAC,WAAW,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,uBAAuB,CAAC,UAAU,CAAC,CAAC;IAEvE,MAAM,SAAS,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACzC,MAAM,oBAAoB,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IAEpD,MAAM,aAAa,GAAmB,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;IAElF,yFAAyF;IACzF,MAAM,aAAa,GAAG,gBAAgB,CAAC,YAAY,CAAC,CAAC;IACrD,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;QAC3B,OAAO,6BAA6B,CAAC;YACnC,QAAQ;YACR,eAAe,EAAE,CAAC;YAClB,oBAAoB;YACpB,SAAS,EAAE,aAAa;SACzB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,cAAc,GAAG,SAAS,CAAC,aAAa,CAAC,CAAC;IAChD,IAAI,CAAC,cAAc,CAAC,EAAE,EAA
E,CAAC;QACvB,OAAO,6BAA6B,CAAC;YACnC,QAAQ;YACR,eAAe,EAAE,CAAC;YAClB,oBAAoB;YACpB,SAAS,EAAE,aAAa;SACzB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,eAAe,GAAG,qBAAqB,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;IAEpE,MAAM,WAAW,GAAG,mBAAmB,CAAC,sCAAsC,CAAC,CAAC;IAChF,MAAM,WAAW,GAAG,mBAAmB,CAAC,sCAAsC,CAAC,CAAC;IAChF,MAAM,IAAI,GAAG,WAAW,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,WAAW,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;IAE/C,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACnB,OAAO,6BAA6B,CAAC;YACnC,QAAQ;YACR,eAAe;YACf,oBAAoB;YACpB,SAAS,EAAE,aAAa;SACzB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAgC,CAAC;IACjE,MAAM,oBAAoB,GAAG,QAAQ,CAAC,YAEzB,CAAC;IACd,MAAM,cAAc,GAClB,OAAO,oBAAoB,EAAE,MAAM,KAAK,QAAQ;QAChD,CAAC,oBAAoB,CAAC,MAAM,KAAK,UAAU;YACzC,oBAAoB,CAAC,MAAM,KAAK,SAAS;YACzC,oBAAoB,CAAC,MAAM,KAAK,SAAS,CAAC;QAC1C,CAAC,CAAE,oBAAoB,CAAC,MAA6C;QACrE,CAAC,CAAC,SAAS,CAAC;IAChB,MAAM,iBAAiB,GAAG,CAAC,oBAAoB,EAAE,SAAS,IAAI,EAAE,CAA4B,CAAC;IAC7F,MAAM,qBAAqB,GAAmB;QAC5C,SAAS,EACP,OAAO,iBAAiB,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QAC5F,SAAS,EACP,OAAO,iBAAiB,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QAC5F,UAAU,EACR,OAAO,iBAAiB,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK;KAC3F,CAAC;IAEF,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAyE,EAAE,CAAC;IACxF,IAAI,wBAAwC,CAAC;IAC7C,IAAI,0BAA0C,CAAC;IAC/C,IAAI,SAAS,GAAuB,QAAQ,CAAC;IAC7C,IAAI,yBAAyB,GAAkB,IAAI,CAAC;IAEpD,IAAI,eAAe,KAAK,CAAC,EAAE,CAAC;QAC1B,wBAAwB,GAAG,IAAI,CAAC;QAChC,0BAA0B,GAAG,IAAI,CAAC;QAClC,SAAS,GAAG,QAAQ,CAAC;IACvB,CAAC;SAAM,CAAC;QACN,UAAU;QACV,MAAM,SAAS,GAAG,QAAQ,CAAC,WAA+C,CAAC;QAC3E,MAAM,eAAe,GAAG,OAAO,SAAS,EAAE,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QACtF,IAAI,SAAS,KAAK,IAAI,IAAI,eAAe,EAAE,CAAC;YAC1C,wBAAwB,GAAG,YAAY,CAAC,SAAS,CAAC,KAAK,eAAe,CAAC;YACvE,IAAI,CAAC,wBAAwB,EAAE,CAAC;gBAC9B,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,yCAAyC,CAAC,CAAC,CAAC;YAChF,CAAC;QACH,CAAC;aAAM,CAAC;YACN,wBAAwB,GAAG,KAAK,CAAC;YACjC,MAAM,CAAC
,IAAI,CAAC,qBAAqB,CAAC,yCAAyC,CAAC,CAAC,CAAC;QAChF,CAAC;QAED,MAAM,OAAO,GAAG,QAAQ,CAAC,aAAiD,CAAC;QAC3E,MAAM,aAAa,GAAG,OAAO,OAAO,EAAE,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAChF,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC1B,0BAA0B,GAAG,IAAI,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,sCAAsC,CAAC,CAAC,CAAC;QAC7E,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;gBACrB,0BAA0B,GAAG,IAAI,CAAC;gBAClC,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,sCAAsC,CAAC,CAAC,CAAC;YAC7E,CAAC;iBAAM,CAAC;gBACN,+FAA+F;gBAC/F,0BAA0B,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,aAAa,CAAC;gBACrE,IAAI,CAAC,0BAA0B,EAAE,CAAC;oBAChC,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,mDAAmD,CAAC,CAAC,CAAC;gBAC1F,CAAC;qBAAM,CAAC;oBACN,MAAM,QAAQ,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;oBACpC,MAAM,UAAU,GACd,QAAQ,CAAC,EAAE,IAAI,mBAAmB,CAAC,mBAAmB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;oBAC1E,IAAI,CAAC,UAAU,EAAE,CAAC;wBAChB,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,qCAAqC,CAAC,CAAC,CAAC;oBAC5E,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,MAAM,YAAY,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAC/C,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;YAC1B,IAAI,OAAO,CAAC,gBAAgB,KAAK,SAAS,EAAE,CAAC;gBAC3C,SAAS,GAAG,SAAS,CAAC;gBACtB,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,sCAAsC,CAAC,CAAC,CAAC;YAC7E,CAAC;iBAAM,CAAC;gBACN,MAAM,EAAE,GAAG,kBAAkB,CAAC;oBAC5B,aAAa;oBACb,YAAY;oBACZ,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;iBAC3C,CAAC,CAAC;gBACH,IAAI,EAAE,EAAE,CAAC;oBACP,SAAS,GAAG,OAAO,CAAC;oBACpB,yBAAyB,GAAG,0BAA0B,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;gBACnF,CAAC;qBAAM,CAAC;oBACN,SAAS,GAAG,SAAS,CAAC;oBACtB,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,iCAAiC,CAAC,CAAC,CAAC;gBACxE,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;IAC5C,MAAM,kBAAkB,GAAG,cAAc,CAAC;IAC1C,MAAM,MAAM,GACV,iBAAiB,IAAI,kBAAkB,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC;IAC9E,MAAM,aAAa,GACjB,eAAe,KAAK,CAAC;QACrB,MAAM,KAAK,OAAO;QAClB,CAAC,iBAAiB;QAClB,CAAC,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,OAAO,CAAC,CAAC;IAEpD,OAAO;QACL,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,4BAA4B;QAClC,M
AAM;QACN,SAAS,EAAE,QAAQ;QACnB,YAAY,EAAE;YACZ,MAAM,EAAE,kBAAkB;YAC1B,SAAS,EAAE,qBAAqB;SACjC;QACD,MAAM;QACN,SAAS,EAAE;YACT,eAAe;YACf,wBAAwB;YACxB,0BAA0B;YAC1B,oBAAoB;YACpB,aAAa;YACb,SAAS;YACT,yBAAyB;SAC1B;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,IAAkC;IACvE,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC;AACvC,CAAC"}
|
|
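--- a/writeDecisionEvidenceBundle.d.ts
+++ b/writeDecisionEvidenceBundle.d.ts
@@ -13,9 +13,23 @@ export type WriteDecisionEvidenceBundleOptions = {
 attestation?: unknown;
 /** Validated against decision-evidence-next-action-v1 when present. */
 nextAction?: unknown;
+/** Override createdAt timestamp (fixtures / tests); otherwise `new Date().toISOString()`. */
+createdAt?: string;
+/**
+* When set, emit `manifest.sig.json` next to `manifest.json` produced by
+* {@link signCanonicalBytesEd25519} over the canonicalised manifest bytes.
+*/
+signingPrivateKeyPemUtf8?: string;
 };
 /**
-* Writes Decision Evidence Bundle:
+* Writes a v2 Decision Evidence Bundle:
+* outcome-certificate.json (canonical sorted JSON, no trailing newline)
+* material-truth.json (canonical sorted JSON, no trailing newline)
+* exit.json (existing format: JSON.stringify + newline)
+* human-layer.json (existing format: JSON.stringify + newline)
+* optional attestation.json, next-action.json
+* manifest.json (sorted JSON + newline, v2 with fingerprints)
+* optional manifest.sig.json (Ed25519 sidecar over the manifest bytes)
 */
 export declare function writeDecisionEvidenceBundle(options: WriteDecisionEvidenceBundleOptions): DecisionEvidenceCompleteness;
 //# sourceMappingURL=writeDecisionEvidenceBundle.d.ts.map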
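Review bot: The doc comment on `signingPrivateKeyPemUtf8` says what gets emitted but not what happens when the PEM cannot be used for Ed25519 signing, and that matters because the validator in this same release accepts a bundle with no sidecar (`signature === "absent"` still allows `selfVerifying`). If the writer were to skip the sidecar on a bad key, the caller would get an unsigned bundle that validates cleanly; the implementation is not in this hunk, so this is a documentation request rather than a confirmed defect. I would extend the option comment with a line such as `* Must be a PEM-encoded Ed25519 private key; a key that cannot be used aborts the write rather than producing an unsigned bundle.`, adjusted to whatever the code actually does. The `createdAt` comment could likewise say whether the string is checked as ISO 8601 before it is written, since with signing enabled the value presumably ends up under the signature.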