forge-trust-chain 0.4.0 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +45 -15
- package/package.json +1 -1
- package/src/cli/index.js +468 -35
- package/src/core/chain.js +3 -1
- package/src/core/identity.js +467 -0
- package/src/core/keys.js +237 -0
- package/src/core/trust-atom.js +107 -9
- package/src/mcp/server.js +159 -22
- package/src/scanner/index.js +8 -5
- package/src/store/store.js +84 -2
- package/src/test.js +219 -4
package/README.md
CHANGED
|
@@ -2,9 +2,27 @@
|
|
|
2
2
|
|
|
3
3
|
> **Trust = Certainty × Existence**
|
|
4
4
|
|
|
5
|
-
|
|
5
|
+
FORGE is not a security tool. FORGE is an **accountability tool**.
|
|
6
6
|
|
|
7
|
-
|
|
7
|
+
It doesn't protect your service — firewalls, access control, and encryption do that.
|
|
8
|
+
It protects your **truth** — proving what happened, when, and making it **undeniable**.
|
|
9
|
+
|
|
10
|
+
Safety is locking the door. FORGE is the surveillance camera with a tamper-proof tape that gets copied to a vault no one controls.
|
|
11
|
+
|
|
12
|
+
**Rust core in development!** High-performance native implementation coming soon.
|
|
13
|
+
|
|
14
|
+
---
|
|
15
|
+
|
|
16
|
+
## What FORGE Does — and What It Doesn't
|
|
17
|
+
|
|
18
|
+
| | FORGE Does (Accountability) | FORGE Does NOT Do (Security) |
|
|
19
|
+
|--|----------------------------|------------------------------|
|
|
20
|
+
| **Purpose** | Prove that operations happened | Prevent attacks or breaches |
|
|
21
|
+
| **Mechanism** | Hash chain + Bitcoin anchor | Firewalls, encryption, access control |
|
|
22
|
+
| **Analogy** | Surveillance camera + tamper-proof tape | Door locks + alarm system |
|
|
23
|
+
| **When it matters** | After the fact — dispute, audit, compliance | Before the fact — prevention |
|
|
24
|
+
|
|
25
|
+
FORGE records and anchors your operational truth. Your infrastructure security (VPS hardening, SSH config, firewall rules, patch management) is a separate, equally critical concern. **Both are necessary. Neither replaces the other.**
|
|
8
26
|
|
|
9
27
|
---
|
|
10
28
|
|
|
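Review bot: The "Analogy" and "Mechanism" rows, and the "tamper-proof tape ... vault no one controls" sentence above them, overstate what a hash chain plus a Bitcoin anchor gives you. An anchored Merkle root is tamper-evident, not tamper-proof: a verifier who holds the atoms and the anchored root can detect that atoms were altered or removed after the anchor, but nothing stops someone with access to the store from doing it, and the anchor says nothing about atoms that were never written or were written with false content to begin with. The "Purpose" row ("Prove that operations happened") has the same gap; what the anchor proves is that a record claiming the operation existed no later than the anchoring block. Suggest "tamper-evident" and "prove a record existed by a given time" here, and keeping the "not a security tool" framing, which is the right one.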
@@ -16,6 +34,7 @@ The trust layer for cloud operations and AI agents. Every operation produces a v
|
|
|
16
34
|
| "Can you prove you deployed at 3pm?" | Bitcoin-anchored proof, undeniable |
|
|
17
35
|
| "Someone deleted the audit log" | Hash chain + blockchain = impossible to delete |
|
|
18
36
|
| "I need compliance evidence" | Export verifiable JSON, anyone can validate |
|
|
37
|
+
| "The provider says they never deleted my server" | Divergence detection + anchored proof says otherwise |
|
|
19
38
|
|
|
20
39
|
---
|
|
21
40
|
|
|
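Review bot: The new row answers "the provider says they never deleted my server" with "Divergence detection" without saying what diverges from what, and the unchanged row just above it ("Hash chain + blockchain = impossible to delete") needs the same qualification. Deleting the local store is trivially possible; what anchoring makes possible is detecting the deletion, and only for a verifier who still holds the atoms and the anchored root. Suggest "deletion is detectable once anchored" for the existing row, and for the new row either a one-line definition (for example, the provider's reported state versus the locally recorded and anchored state) or a link to wherever divergence detection is documented.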
@@ -57,7 +76,7 @@ forge status
|
|
|
57
76
|
|
|
58
77
|
| Command | Description |
|
|
59
78
|
|---------|-------------|
|
|
60
|
-
| `forge scan` |
|
|
79
|
+
| `forge scan` | Capture trust baseline — enumerate system assumptions before recording |
|
|
61
80
|
| `forge log "<action>"` | Record an operation (TrustAtom) |
|
|
62
81
|
| `forge verify` | Verify chain integrity |
|
|
63
82
|
| `forge seal` | Seal atoms into a Merkle block |
|
|
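Review bot: The filled-in description for `forge scan` ("enumerate system assumptions before recording") leaves open whether the scan result is itself written to the chain or only printed; the Trust Baseline Scanner section later in this README reads as if it is only printed and findings are logged by hand. Suggest saying so in the description (for example, "prints a baseline; use `forge log` to record findings"), since a baseline that is never stored as an atom cannot later be checked against the anchor.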
@@ -199,7 +218,7 @@ Add to `~/.config/claude/claude_desktop_config.json`:
|
|
|
199
218
|
|
|
200
219
|
| Tool | Description |
|
|
201
220
|
|------|-------------|
|
|
202
|
-
| `forge_scan` |
|
|
221
|
+
| `forge_scan` | Capture trust baseline snapshot |
|
|
203
222
|
| `forge_log` | Record a TrustAtom |
|
|
204
223
|
| `forge_verify` | Verify chain integrity |
|
|
205
224
|
| `forge_seal` | Seal atoms into Merkle block |
|
|
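Review bot: `forge_scan` is a tool the agent can invoke, and per the Trust Baseline Scanner section its output covers open ports, SSH configuration, running processes, cron jobs and recent logins. The one-line description should say that this host enumeration is returned to the model, and the Claude Desktop setup text should state what privileges the MCP server needs to collect it, so an operator wiring this in knows what the agent will learn about the host.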
@@ -211,22 +230,33 @@ Add to `~/.config/claude/claude_desktop_config.json`:
|
|
|
211
230
|
|
|
212
231
|
---
|
|
213
232
|
|
|
214
|
-
##
|
|
233
|
+
## Trust Baseline Scanner
|
|
234
|
+
|
|
235
|
+
`forge scan` does **not** fix security issues. It captures a snapshot of your system's current trust assumptions — the starting point for your audit trail.
|
|
215
236
|
|
|
216
|
-
|
|
237
|
+
Think of it as: "Before I start recording, what does this system look like right now?"
|
|
217
238
|
|
|
218
239
|
```bash
|
|
219
240
|
forge scan
|
|
220
241
|
```
|
|
221
242
|
|
|
222
|
-
|
|
223
|
-
- Open ports (
|
|
224
|
-
- SSH configuration (
|
|
225
|
-
- Docker
|
|
226
|
-
- Firewall status
|
|
227
|
-
- Running processes
|
|
228
|
-
- Cron jobs
|
|
229
|
-
- Recent logins
|
|
243
|
+
Enumerates trust assumptions:
|
|
244
|
+
- Open ports (what services are exposed?)
|
|
245
|
+
- SSH configuration (how is access controlled?)
|
|
246
|
+
- Docker state (any risky configurations?)
|
|
247
|
+
- Firewall status (what rules exist?)
|
|
248
|
+
- Running processes (what's active?)
|
|
249
|
+
- Cron jobs (what runs unmonitored?)
|
|
250
|
+
- Recent logins (who has accessed this system?)
|
|
251
|
+
|
|
252
|
+
After scanning, use `forge log` to record your remediation actions, creating an auditable trail of what you found and what you did about it.
|
|
253
|
+
|
|
254
|
+
```bash
|
|
255
|
+
forge scan # Capture baseline
|
|
256
|
+
forge log "found Redis exposed on 0.0.0.0" # Record finding
|
|
257
|
+
forge log "bound Redis to 127.0.0.1" # Record remediation
|
|
258
|
+
forge seal && forge anchor # Anchor the proof
|
|
259
|
+
```
|
|
230
260
|
|
|
231
261
|
Risk levels: 🔴 HIGH, 🟡 MEDIUM, 🔵 LOW, 🟢 INFO
|
|
232
262
|
|
|
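Review bot: The worked example records the finding and the fix as free-text atoms (`forge log "found Redis exposed on 0.0.0.0"`) but never records the scan output itself, so the "what you found" half of the trail is an operator's claim rather than evidence. Suggest either having `forge scan` emit an atom containing the snapshot (or its hash) or showing a `forge log` that attaches the scan output before the remediation atoms. Two smaller points: "Docker state (any risky configurations?)" is vaguer than the other bullets and should name what the scanner actually checks, and the retained "Risk levels" line now sits under a section that opens with "does not fix security issues", so a sentence on how a risk level is assigned would reconcile the two. Worth a caveat as well that the snapshot is only as trustworthy as the host it is taken on.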
@@ -342,7 +372,7 @@ node src/test.js
|
|
|
342
372
|
|
|
343
373
|
## Rust Implementation
|
|
344
374
|
|
|
345
|
-
A high-performance Rust implementation is
|
|
375
|
+
A high-performance Rust implementation is in development (private repository).
|
|
346
376
|
|
|
347
377
|
### Why Rust?
|
|
348
378
|
|
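Review bot: "in development (private repository)" duplicates the "Rust core in development!" banner added near the top of the README in this same change, and neither gives a reader anything to act on. Suggest keeping one mention, and while the repository is private, dropping the "high-performance" claim until there is something to point at, since it cannot be verified from the README.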
package/package.json
CHANGED