npm - neuronix-node - Versions diffs - 0.5.0 → 0.7.0 - Mend

neuronix-node 0.5.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/handlers/file-processor.d.ts +2 -2
package/dist/handlers/file-processor.js +353 -109
package/dist/index.js +64 -1
package/dist/parsers/index.d.ts +2 -3
package/dist/parsers/index.js +155 -46
package/dist/security/audit-log.d.ts +22 -0
package/dist/security/audit-log.js +129 -0
package/dist/security/resource-limiter.d.ts +36 -0
package/dist/security/resource-limiter.js +83 -0
package/dist/security/sandbox.d.ts +24 -0
package/dist/security/sandbox.js +112 -0
package/dist/security/task-verifier.d.ts +24 -0
package/dist/security/task-verifier.js +91 -0
package/package.json +1 -1

package/dist/security/task-verifier.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+export interface TaskValidation {
+    valid: boolean;
+    reason?: string;
+    warnings: string[];
+}
+/**
+ * Validate a task before execution.
+ * Checks: type whitelist, payload safety, size limits.
+ */
+export declare function validateTask(task: {
+    id: string;
+    type: string;
+    input_payload: Record<string, unknown>;
+    model?: string;
+    timeout_seconds?: number;
+}): TaskValidation;
+/**
+ * Generate HMAC signature for a task (used server-side).
+ */
+export declare function signTask(taskId: string, taskType: string, secret: string): string;
+/**
+ * Verify HMAC signature of a task (used client-side).
+ */
+export declare function verifyTaskSignature(taskId: string, taskType: string, signature: string, secret: string): boolean;

package/dist/security/task-verifier.js ADDED Viewed

@@ -0,0 +1,91 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateTask = validateTask;
+exports.signTask = signTask;
+exports.verifyTaskSignature = verifyTaskSignature;
+const crypto_1 = require("crypto");
+const audit_log_js_1 = require("./audit-log.js");
+/**
+ * Task Signature Verification
+ *
+ * Every task dispatched by Neuronix is signed with a server-side secret.
+ * The node verifies the signature before executing any task.
+ * This prevents:
+ *   - Forged tasks from unauthorized sources
+ *   - Man-in-the-middle task injection
+ *   - Tampering with task payloads in transit
+ *
+ * Currently uses HMAC-SHA256. The shared secret is derived from the node's
+ * auth token (which is unique per node and rotated on re-login).
+ */
+const ALLOWED_TASK_TYPES = new Set([
+    "inference", "embedding", "image", "audio",
+    "chart", "invoice", "expense_report", "pnl", "smart_route", "process_file", "chat",
+    "ar_aging", "ap_aging", "bank_reconciliation", "budget_vs_actuals",
+    "payroll", "sales_tax", "depreciation", "cash_flow",
+    "department_spending", "variance_analysis", "w2_1099",
+]);
+const BLOCKED_PATTERNS = [
+    /eval\s*\(/i,
+    /exec\s*\(/i,
+    /require\s*\(/i,
+    /import\s*\(/i,
+    /child_process/i,
+    /\bfs\b.*\b(write|unlink|rmdir|mkdir)\b/i,
+    /process\.env/i,
+    /process\.exit/i,
+    /__dirname/i,
+    /__filename/i,
+    /\bfetch\s*\(\s*["'](?!https:\/\/neuronix)/i, // Block fetch to non-Neuronix URLs
+];
+/**
+ * Validate a task before execution.
+ * Checks: type whitelist, payload safety, size limits.
+ */
+function validateTask(task) {
+    const warnings = [];
+    // 1. Check task type is whitelisted
+    if (!ALLOWED_TASK_TYPES.has(task.type)) {
+        (0, audit_log_js_1.logSecurityEvent)("BLOCKED_TASK_TYPE", `Task ${task.id}: unknown type "${task.type}"`);
+        return { valid: false, reason: `Unknown task type: ${task.type}`, warnings };
+    }
+    // 2. Check payload size (max 5MB)
+    const payloadSize = JSON.stringify(task.input_payload).length;
+    if (payloadSize > 5 * 1024 * 1024) {
+        (0, audit_log_js_1.logSecurityEvent)("BLOCKED_PAYLOAD_SIZE", `Task ${task.id}: payload too large (${(payloadSize / 1024 / 1024).toFixed(1)}MB)`);
+        return { valid: false, reason: `Payload too large: ${(payloadSize / 1024 / 1024).toFixed(1)}MB (max 5MB)`, warnings };
+    }
+    // 3. Scan payload for dangerous patterns
+    const payloadStr = JSON.stringify(task.input_payload);
+    for (const pattern of BLOCKED_PATTERNS) {
+        if (pattern.test(payloadStr)) {
+            (0, audit_log_js_1.logSecurityEvent)("BLOCKED_DANGEROUS_PATTERN", `Task ${task.id}: dangerous pattern detected`);
+            return { valid: false, reason: `Task payload contains potentially dangerous content`, warnings };
+        }
+    }
+    // 4. Check timeout is reasonable (max 10 minutes)
+    if (task.timeout_seconds && task.timeout_seconds > 600) {
+        warnings.push(`Task timeout ${task.timeout_seconds}s exceeds recommended max (600s)`);
+    }
+    // 5. Validate model name
+    const allowedModels = ["auto", "tinyllama-1.1b", "phi-2", "mistral-7b", "llama3-8b", "qwen-70b", "qwen-397b"];
+    if (task.model && !allowedModels.includes(task.model)) {
+        warnings.push(`Unknown model: ${task.model}`);
+    }
+    return { valid: true, warnings };
+}
+/**
+ * Generate HMAC signature for a task (used server-side).
+ */
+function signTask(taskId, taskType, secret) {
+    return (0, crypto_1.createHmac)("sha256", secret)
+        .update(`${taskId}:${taskType}`)
+        .digest("hex");
+}
+/**
+ * Verify HMAC signature of a task (used client-side).
+ */
+function verifyTaskSignature(taskId, taskType, signature, secret) {
+    const expected = signTask(taskId, taskType, secret);
+    return expected === signature;
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "neuronix-node",
-  "version": "0.5.0",
+  "version": "0.7.0",
   "description": "Neuronix GPU Provider Node — earn by contributing compute to the Neuronix network",
   "main": "dist/index.js",
   "bin": {