protect-mcp 0.5.5 → 0.6.2

package/dist/index.d.ts

@@ -95,6 +95,29 @@ interface SigningConfig {
     issuer?: string;
     /** Whether signing is enabled (default: true when key_path is set) */
     enabled?: boolean;
+    /**
+     * Commitment-mode signing.
+     *
+     * When enabled, listed fields are committed via SHA-256(salt || JCS({name, salt, value}))
+     * and the receipt payload carries a single committed_fields_root (Merkle root) instead
+     * of the cleartext field values. Per draft-farley-acta-signed-receipts-01 §commitment-mode.
+     *
+     * The receipt issuer keeps the openings (value + salt per field) for later selective
+     * disclosure. A receipt holder can prove a field's value to an auditor without
+     * revealing other committed fields.
+     *
+     * @since 0.6.0
+     */
+    commitment_mode?: {
+        /** Whether commitment-mode signing is active. Default: false. */
+        enabled?: boolean;
+        /**
+         * Names of payload fields to commit.
+         * Recommended defaults: tool, scope, payload_digest, swarm.
+         * Other fields remain cleartext.
+         */
+        committed_field_names?: string[];
+    };
 }
 interface RateLimit {
     count: number;
@@ -780,9 +803,9 @@ declare function validateCredentials(credentials: Record<string, CredentialConfi
  * Produces signed v2 artifact receipts for tool call decisions.
  * Uses @veritasacta/artifacts as a required dependency (Sprint 2+).
  *
- * If signing is configured, every decision produces a signed artifact.
- * If signing fails, the receipt is emitted unsigned with signature: null
- * and a warning — never crashes, never silently drops.
+ * If signing is configured, every decision must produce a signed artifact.
+ * Initialization and signing failures are returned as explicit errors so the
+ * enforce path can deny rather than silently proceeding without evidence.
  */
 
 /**
@@ -804,9 +827,11 @@ declare function initSigning(config: SigningConfig | undefined): Promise<string[
  * @standard RFC 8032 (Ed25519), RFC 8785 (JCS)
  */
 declare function signDecision(entry: DecisionLog): {
+    ok: boolean;
     signed: string | null;
     artifact_type: string;
     warning?: string;
+    error?: string;
 };
 /**
  * Get the signer's public key info for discovery/verification.
@@ -825,6 +850,131 @@ declare function getSignerInfo(): {
  */
 declare function isSigningEnabled(): boolean;
 
+/**
+ * A Merkle inclusion proof for a single leaf.
+ *
+ * The siblings array lists the sibling hashes encountered while walking
+ * from the leaf up to the root. Each sibling is hex-encoded SHA-256.
+ * The (index, treeSize) pair determines whether the current node is
+ * left or right at each level during verification.
+ */
+interface MerkleProof {
+    /** Zero-based index of the leaf in the canonically-sorted leaf list. */
+    index: number;
+    /** Total number of leaves in the tree. */
+    treeSize: number;
+    /** Sibling hashes from leaf upward, hex-encoded SHA-256 (lowercase). */
+    siblings: string[];
+}
+
+/**
+ * @scopeblind/protect-mcp: Commitment-Mode Signing
+ *
+ * Produces commitment-mode signed receipts per draft-farley-acta-signed-receipts-01
+ * §commitment-mode. Each listed field is independently committed via
+ * SHA-256(0x00 || JCS({name, salt, value})), arranged into an RFC 6962-style
+ * Merkle tree with explicit one-byte domain separation, and the receipt payload
+ * carries a single committed_fields_root field instead of the cleartext values.
+ *
+ * The receipt holder retains openings (value + salt per field) and can selectively
+ * disclose any subset to auditors via Merkle inclusion proofs verifiable by
+ * @veritasacta/verify@>=0.6.0.
+ *
+ * This module sits alongside signing.ts (the legacy @veritasacta/artifacts-based
+ * cleartext path) and is invoked when SigningConfig.commitment_mode.enabled is
+ * true. The two paths are mutually exclusive on a per-receipt basis.
+ *
+ * @since 0.6.0
+ * @standard draft-farley-acta-signed-receipts-01 §commitment-mode
+ * @standard RFC 6962 (Certificate Transparency Merkle tree construction)
+ * @standard RFC 8032 (Ed25519)
+ * @standard RFC 8785 (JCS)
+ */
+
+/**
+ * The opening information for a single committed field. Held by the
+ * receipt issuer; never embedded in the published receipt. Required to
+ * later produce a selective-disclosure proof.
+ */
+interface CommittedFieldOpening {
+    /** Field name (matches one of committed_field_names). */
+    name: string;
+    /** Cleartext value of the field. */
+    value: unknown;
+    /** Salt bytes (32 random bytes per field per receipt). */
+    salt: Uint8Array;
+    /** Zero-based index of the field in the canonically-sorted leaf list. */
+    index: number;
+}
+/**
+ * The result of signing a decision in commitment mode.
+ */
+interface CommittedSignResult {
+    /** The signed receipt as a JSON string (canonical wire form). */
+    signed: string;
+    /** Receipt artifact type, e.g. "decision_receipt_committed_v1". */
+    artifact_type: string;
+    /**
+     * Per-field openings, indexed by field name. The issuer MUST persist
+     * these securely if it intends to support selective disclosure later.
+     * Storing them is the issuer's responsibility; this library does not
+     * write them to disk.
+     */
+    openings: Record<string, CommittedFieldOpening>;
+    /** Lowercase hex SHA-256 of the canonical signed receipt. */
+    receipt_hash: string;
+}
+/**
+ * A minimal selective-disclosure envelope. Reveal a single committed field
+ * to an auditor by supplying its (name, value, salt, proof). The auditor
+ * recomputes the leaf hash and walks the proof to confirm it reconstructs
+ * the receipt's committed_fields_root.
+ *
+ * Compatible with @veritasacta/verify@>=0.6.0.
+ */
+interface MinimalDisclosure {
+    /** The receipt this disclosure targets, by canonical hash. */
+    parent_receipt_hash: string;
+    /** Disclosed field name. */
+    name: string;
+    /** Cleartext value of the disclosed field. */
+    value: unknown;
+    /** Salt as base64url (no padding). */
+    salt: string;
+    /** Merkle inclusion proof. */
+    proof: MerkleProof;
+}
+/**
+ * Sign a DecisionLog in commitment mode.
+ *
+ * @param entry - The decision log entry to sign.
+ * @param committedFieldNames - Names of fields to commit. Recommended:
+ *   ["tool", "scope", "payload_digest", "swarm"]. Fields not listed
+ *   remain cleartext in the signed payload.
+ * @param signingKey - Ed25519 private key (32 bytes hex or raw).
+ * @param publicKey - Ed25519 public key (32 bytes hex).
+ * @param kid - Key identifier (RFC 7638 JWK thumbprint or operator-chosen).
+ * @param issuer - Issuer identifier (e.g. "my-gateway.example.com").
+ *
+ * @returns Signed receipt JSON, openings (per field), and receipt hash.
+ *
+ * @standard draft-farley-acta-signed-receipts-01 §signature-scope
+ *   The signature covers SHA-256(JCS(payload_minus_signature)).
+ */
+declare function signCommittedDecision(entry: DecisionLog, committedFieldNames: string[], signingKey: string, publicKey: string, kid: string, issuer: string): CommittedSignResult;
+/**
+ * Build a minimal selective-disclosure envelope for a single committed
+ * field. The envelope can be verified offline by anyone who has the
+ * receipt's committed_fields_root (which the receipt itself carries).
+ *
+ * @param receiptHash - Canonical hash of the receipt the disclosure targets.
+ * @param fieldName - Which field to disclose.
+ * @param openings - The full openings map produced by signCommittedDecision.
+ *
+ * @standard draft-farley-acta-signed-receipts-01 §commitment-disclosure
+ */
+declare function discloseField(receiptHash: string, fieldName: string, openings: Record<string, CommittedFieldOpening>): MinimalDisclosure;
+
 /**
  * @scopeblind/protect-mcp — External PDP Adapter
  *
@@ -2763,4 +2913,73 @@ declare function confidentialInference(_prompt: string, _config: ConfidentialInf
     receipt: Record<string, unknown>;
 }>;
 
-export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };
+/**
+ * scopeblind-bridge.ts
+ *
+ * Optional bridge between protect-mcp (local, MIT) and a paid ScopeBlind
+ * tenant. When SCOPEBLIND_TOKEN is set in the environment, every signed
+ * receipt that protect-mcp emits also gets forwarded to the tenant's
+ * dashboard at https://scopeblind.com/console/<slug>.
+ *
+ * Lifecycle:
+ *   1. On first use, exchange SCOPEBLIND_TOKEN for a short-lived BRASS-v2
+ *      auth proof from /fn/brass/issue. Cache the proof in memory until
+ *      ~5 minutes before expiry, then refresh.
+ *   2. As receipts are emitted by hook-server.ts, push them into an
+ *      in-memory batch queue.
+ *   3. Flush the queue every 5s (or when it reaches 128 receipts) by POSTing
+ *      to /fn/console/<slug>/receipts with Bearer SCOPEBLIND_TOKEN.
+ *
+ * Failure mode: forward errors NEVER throw upstream. protect-mcp continues
+ * to mint and persist receipts locally regardless of dashboard availability.
+ * The bridge logs failures to stderr (best-effort) and retries on the next
+ * flush.
+ *
+ * Configuration:
+ *   SCOPEBLIND_TOKEN        Tenant bearer token (from welcome email).
+ *   SCOPEBLIND_TENANT       Optional slug override. By default we discover
+ *                           the slug from the BRASS proof's tenant_id.
+ *   SCOPEBLIND_BASE         Defaults to https://scopeblind.com.
+ *
+ * @license MIT
+ */
+interface BridgeStats {
+    enabled: boolean;
+    tenant_slug: string | null;
+    forwarded_total: number;
+    rejected_total: number;
+    last_flush_at: string | null;
+    last_error: string | null;
+}
+declare class ScopeBlindBridge {
+    private readonly token;
+    private readonly base;
+    private readonly tenantOverride;
+    private cachedProof;
+    private queue;
+    private flushTimer;
+    private stats;
+    private shuttingDown;
+    constructor(env?: Record<string, string | undefined>);
+    enabled(): boolean;
+    /** Push a signed receipt into the queue. Non-blocking. */
+    forward(signedReceipt: any): void;
+    /** Flush the queue. Safe to call concurrently. */
+    flush(): Promise<void>;
+    /** Exchange SCOPEBLIND_TOKEN for a BRASS-v2 proof; refresh near expiry. */
+    private ensureBrassProof;
+    /**
+     * Return a snapshot of bridge stats. Useful for `protect-mcp scopeblind status`.
+     */
+    getStats(): BridgeStats & {
+        queued: number;
+        brass_proof_expires_at: string | null;
+    };
+    /** Flush remaining receipts and stop the interval. Called on process exit. */
+    shutdown(): Promise<void>;
+}
+declare function getScopeBlindBridge(): ScopeBlindBridge;
+/** Convenience: forward a signed receipt without instantiating yourself. */
+declare function forwardReceipt(signedReceipt: any): void;
+
+export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type CommittedFieldOpening, type CommittedSignResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type MinimalDisclosure, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, ScopeBlindBridge, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, discloseField, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, forwardReceipt, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getScopeBlindBridge, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signCommittedDecision, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };