forge-trust-chain 0.3.0 → 0.5.0

package/README.md

@@ -1,8 +1,28 @@
-# FORGE — Trust Chain Protocol v0.3
+# FORGE — Trust Chain Protocol v0.4
 
 > **Trust = Certainty × Existence**
 
-The trust layer for cloud operations and AI agents. Every operation produces a verifiable, undeniable, cryptographically chained fact anchored to the Bitcoin blockchain.
+FORGE is not a security tool. FORGE is an **accountability tool**.
+
+It doesn't protect your service — firewalls, access control, and encryption do that.
+It protects your **truth** — proving what happened, when, and making it **undeniable**.
+
+Safety is locking the door. FORGE is the surveillance camera with a tamper-proof tape that gets copied to a vault no one controls.
+
+**Rust core in development!** High-performance native implementation coming soon.
+
+---
+
+## What FORGE Does — and What It Doesn't
+
+| | FORGE Does (Accountability) | FORGE Does NOT Do (Security) |
+|--|----------------------------|------------------------------|
+| **Purpose** | Prove that operations happened | Prevent attacks or breaches |
+| **Mechanism** | Hash chain + Bitcoin anchor | Firewalls, encryption, access control |
+| **Analogy** | Surveillance camera + tamper-proof tape | Door locks + alarm system |
+| **When it matters** | After the fact — dispute, audit, compliance | Before the fact — prevention |
+
+FORGE records and anchors your operational truth. Your infrastructure security (VPS hardening, SSH config, firewall rules, patch management) is a separate, equally critical concern. **Both are necessary. Neither replaces the other.**
 
 ---
 
@@ -14,6 +34,7 @@ The trust layer for cloud operations and AI agents. Every operation produces a v
 | "Can you prove you deployed at 3pm?" | Bitcoin-anchored proof, undeniable |
 | "Someone deleted the audit log" | Hash chain + blockchain = impossible to delete |
 | "I need compliance evidence" | Export verifiable JSON, anyone can validate |
+| "The provider says they never deleted my server" | Divergence detection + anchored proof says otherwise |
 
 ---
 
@@ -55,7 +76,7 @@ forge status
 
 | Command | Description |
 |---------|-------------|
-| `forge scan` | Scan system for trust assumptions (ports, SSH, Docker, etc.) |
+| `forge scan` | Capture trust baseline — enumerate system assumptions before recording |
 | `forge log "<action>"` | Record an operation (TrustAtom) |
 | `forge verify` | Verify chain integrity |
 | `forge seal` | Seal atoms into a Merkle block |
@@ -197,7 +218,7 @@ Add to `~/.config/claude/claude_desktop_config.json`:
 
 | Tool | Description |
 |------|-------------|
-| `forge_scan` | Enumerate trust assumptions |
+| `forge_scan` | Capture trust baseline snapshot |
 | `forge_log` | Record a TrustAtom |
 | `forge_verify` | Verify chain integrity |
 | `forge_seal` | Seal atoms into Merkle block |
@@ -209,22 +230,33 @@ Add to `~/.config/claude/claude_desktop_config.json`:
 
 ---
 
-## Security Scanner
+## Trust Baseline Scanner
+
+`forge scan` does **not** fix security issues. It captures a snapshot of your system's current trust assumptions — the starting point for your audit trail.
 
-Forge includes a system scanner to enumerate trust assumptions:
+Think of it as: "Before I start recording, what does this system look like right now?"
 
 ```bash
 forge scan
 ```
 
-Detects:
-- Open ports (Redis, databases, management panels)
-- SSH configuration (root login, password auth)
-- Docker misconfigurations
-- Firewall status
-- Running processes
-- Cron jobs
-- Recent logins
+Enumerates trust assumptions:
+- Open ports (what services are exposed?)
+- SSH configuration (how is access controlled?)
+- Docker state (any risky configurations?)
+- Firewall status (what rules exist?)
+- Running processes (what's active?)
+- Cron jobs (what runs unmonitored?)
+- Recent logins (who has accessed this system?)
+
+After scanning, use `forge log` to record your remediation actions, creating an auditable trail of what you found and what you did about it.
+
+```bash
+forge scan                                    # Capture baseline
+forge log "found Redis exposed on 0.0.0.0"   # Record finding
+forge log "bound Redis to 127.0.0.1"         # Record remediation
+forge seal && forge anchor                    # Anchor the proof
+```
 
 Risk levels: 🔴 HIGH, 🟡 MEDIUM, 🔵 LOW, 🟢 INFO
 
@@ -338,8 +370,50 @@ node src/test.js
 
 ---
 
+## Rust Implementation
+
+A high-performance Rust implementation is in development (private repository).
+
+### Why Rust?
+
+| Aspect | JavaScript | Rust |
+|--------|------------|------|
+| **Speed** | Interpreted | Native binary |
+| **Memory** | GC managed | Zero-cost abstractions |
+| **Safety** | Runtime errors | Compile-time guarantees |
+| **Deployment** | Requires Node.js | Single binary |
+
+### Implementation Status
+
+| Module | JS | Rust | Status |
+|--------|:--:|:----:|--------|
+| TrustPixel (hash + witness) | ✅ | ✅ | Cross-validated |
+| TrustAtom (state transitions) | ✅ | ✅ | Cross-validated |
+| Merkle Tree | ✅ | 🚧 | In progress |
+| Chain Manager | ✅ | 🚧 | In progress |
+| Store (persistence) | ✅ | ⏳ | Planned |
+| Witness (OTS) | ✅ | ⏳ | Planned |
+| CLI | ✅ | ⏳ | Planned |
+| Scanner | ✅ | ⏳ | Planned |
+
+### Cross-Validation
+
+Rust and JavaScript produce identical outputs:
+
+```
+hash("hello") → 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
+```
+
+Both implementations pass 20+ cross-validation tests.
+
+---
+
 ## Roadmap
 
+- [x] Rust core implementation (Phase 1)
+- [ ] Rust Merkle tree and chain (Phase 2)
+- [ ] Rust persistence and OTS (Phase 3)
+- [ ] Rust CLI (Phase 4)
 - [ ] Web dashboard for chain visualization
 - [ ] Team/organization support
 - [ ] Webhook notifications

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "forge-trust-chain",
-  "version": "0.3.0",
+  "version": "0.5.0",
   "description": "FORGE - Trust Chain Protocol: Verifiable, undeniable, Bitcoin-anchored audit trail for cloud operations and AI agents",
   "type": "module",
   "main": "src/cli/index.js",