qa360 1.0.3 → 1.1.0

package/dist/core/proof/canonicalize.js

@@ -0,0 +1,105 @@
+/**
+ * JSON Canonicalization for deterministic hashing
+ *
+ * Implements RFC 8785-like canonicalization:
+ * - Alphabetically sorted keys (recursive)
+ * - UTF-8 NFC normalization
+ * - No whitespace (compact)
+ * - Deterministic across platforms
+ *
+ * @see docs/rfc/proof-bundle-v1.md#4-canonicalization
+ */
+/**
+ * Canonicalize a JavaScript object into deterministic JSON string
+ *
+ * @param obj - Object to canonicalize
+ * @returns Canonical JSON string (compact, sorted keys, UTF-8 NFC)
+ *
+ * @example
+ * ```ts
+ * const obj = { b: 2, a: 1 };
+ * const canonical = canonicalize(obj);
+ * // Returns: '{"a":1,"b":2}\n'
+ * ```
+ */
+export function canonicalize(obj) {
+    // Handle primitives
+    if (obj === null)
+        return 'null';
+    if (obj === undefined)
+        return 'null'; // Treat undefined as null
+    const type = typeof obj;
+    if (type === 'boolean')
+        return obj ? 'true' : 'false';
+    if (type === 'number') {
+        // Ensure decimal notation (no scientific notation)
+        if (!isFinite(obj)) {
+            throw new Error('Cannot canonicalize non-finite number');
+        }
+        return String(obj);
+    }
+    if (type === 'string') {
+        // Unicode NFC normalization
+        const normalized = obj.normalize('NFC');
+        // JSON.stringify handles escaping
+        return JSON.stringify(normalized);
+    }
+    // Handle arrays
+    if (Array.isArray(obj)) {
+        const items = obj.map(item => canonicalize(item));
+        return `[${items.join(',')}]`;
+    }
+    // Handle objects
+    if (type === 'object') {
+        // Get keys and sort alphabetically
+        const keys = Object.keys(obj).sort();
+        // Build key-value pairs
+        const pairs = keys.map(key => {
+            const value = obj[key];
+            const canonicalKey = canonicalize(key);
+            const canonicalValue = canonicalize(value);
+            return `${canonicalKey}:${canonicalValue}`;
+        });
+        return `{${pairs.join(',')}}`;
+    }
+    throw new Error(`Cannot canonicalize type: ${type}`);
+}
+/**
+ * Canonicalize and append newline (standard format)
+ *
+ * @param obj - Object to canonicalize
+ * @returns Canonical JSON string with trailing newline
+ */
+export function canonicalizeWithNewline(obj) {
+    return canonicalize(obj) + '\n';
+}
+/**
+ * Remove signature field and canonicalize
+ * Used for signature verification
+ *
+ * @param bundle - Proof bundle (may contain signature field)
+ * @returns Canonical JSON without signature field
+ */
+export function canonicalizeForSigning(bundle) {
+    // Clone to avoid mutating original
+    const clone = JSON.parse(JSON.stringify(bundle));
+    // Remove signature field
+    delete clone.signature;
+    return canonicalizeWithNewline(clone);
+}
+/**
+ * Verify canonicalization is deterministic
+ *
+ * @param obj - Object to test
+ * @returns true if canonicalization is stable
+ */
+export function isCanonicalStable(obj) {
+    try {
+        const first = canonicalize(obj);
+        const second = canonicalize(obj);
+        return first === second;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/core/proof/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * QA360 Proof Bundle System
+ *
+ * Cryptographically signed, verifiable proof bundles for test results.
+ *
+ * @module @qa360/core/proof
+ * @see docs/rfc/proof-bundle-v1.md
+ */
+export { canonicalize, canonicalizeWithNewline, canonicalizeForSigning, isCanonicalStable, } from './canonicalize.js';
+export { generateKeys, saveKeys, loadKeys, keysExist, initializeKeys, ensureProofKeys, sha256, sign, verify, testRoundtrip, getKeyDirectory, getKeyPaths, type KeyPair, type KeyPaths, } from './signer.js';
+export { validateProofBundle, getSchema, patterns, type ValidationResult, } from './schema.js';
+export { createProofBundle, createProofBundleFromPack, computeSHA256, type ProofBundle, type RunMetadata, type Environment, type CIContext, type Artifact, type TestResults, type Gate, type SigningMetadata, type TimestampInfo, type IdentityInfo, type ProofBundleParams, } from './bundle.js';
+export { verifyProofBundle, verifyArtifact, verifyArtifacts, verifyComplete, verifyProofFile, verifyPhase3Proof, VerificationCode, type VerificationResult, type VerificationDetails, type ArtifactVerificationOptions, } from './verifier.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/core/proof/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/core/proof/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EACL,YAAY,EACZ,uBAAuB,EACvB,sBAAsB,EACtB,iBAAiB,GAClB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,YAAY,EACZ,QAAQ,EACR,QAAQ,EACR,SAAS,EACT,cAAc,EACd,eAAe,EACf,MAAM,EACN,IAAI,EACJ,MAAM,EACN,aAAa,EACb,eAAe,EACf,WAAW,EACX,KAAK,OAAO,EACZ,KAAK,QAAQ,GACd,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,mBAAmB,EACnB,SAAS,EACT,QAAQ,EACR,KAAK,gBAAgB,GACtB,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,iBAAiB,EACjB,yBAAyB,EACzB,aAAa,EACb,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,SAAS,EACd,KAAK,QAAQ,EACb,KAAK,WAAW,EAChB,KAAK,IAAI,EACT,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,YAAY,EACjB,KAAK,iBAAiB,GACvB,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,iBAAiB,EACjB,cAAc,EACd,eAAe,EACf,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,gBAAgB,EAChB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,2BAA2B,GACjC,MAAM,eAAe,CAAC"}

package/dist/core/proof/index.js

@@ -0,0 +1,18 @@
+/**
+ * QA360 Proof Bundle System
+ *
+ * Cryptographically signed, verifiable proof bundles for test results.
+ *
+ * @module @qa360/core/proof
+ * @see docs/rfc/proof-bundle-v1.md
+ */
+// Canonicalization
+export { canonicalize, canonicalizeWithNewline, canonicalizeForSigning, isCanonicalStable, } from './canonicalize.js';
+// Signing
+export { generateKeys, saveKeys, loadKeys, keysExist, initializeKeys, ensureProofKeys, sha256, sign, verify, testRoundtrip, getKeyDirectory, getKeyPaths, } from './signer.js';
+// Schema validation
+export { validateProofBundle, getSchema, patterns, } from './schema.js';
+// Bundle creation
+export { createProofBundle, createProofBundleFromPack, computeSHA256, } from './bundle.js';
+// Verification
+export { verifyProofBundle, verifyArtifact, verifyArtifacts, verifyComplete, verifyProofFile, verifyPhase3Proof, VerificationCode, } from './verifier.js';

package/dist/core/proof/schema.d.ts

@@ -0,0 +1,218 @@
+/**
+ * JSON Schema Validation for Proof Bundles
+ *
+ * Validates proof bundles against the v1 schema using AJV.
+ *
+ * @see docs/rfc/proof-bundle-v1.md#7-json-schema
+ */
+/**
+ * Validation result
+ */
+export interface ValidationResult {
+    valid: boolean;
+    errors?: string[];
+}
+/**
+ * Validate proof bundle against schema
+ *
+ * @param bundle - Proof bundle to validate
+ * @returns Validation result with errors if invalid
+ */
+export declare function validateProofBundle(bundle: any): ValidationResult;
+/**
+ * Get the JSON Schema object
+ *
+ * @returns Proof Bundle v1 schema
+ */
+export declare function getSchema(): {
+    $schema: string;
+    $id: string;
+    title: string;
+    type: string;
+    required: string[];
+    additionalProperties: boolean;
+    properties: {
+        spec: {
+            type: string;
+            const: string;
+        };
+        run: {
+            type: string;
+            required: string[];
+            additionalProperties: boolean;
+            properties: {
+                id: {
+                    type: string;
+                    format: string;
+                };
+                startedAt: {
+                    type: string;
+                    format: string;
+                };
+                finishedAt: {
+                    type: string;
+                    format: string;
+                };
+                environment: {
+                    type: string;
+                    required: string[];
+                    additionalProperties: boolean;
+                    properties: {
+                        os: {
+                            type: string;
+                            enum: string[];
+                        };
+                        node: {
+                            type: string;
+                            pattern: string;
+                        };
+                        arch: {
+                            type: string;
+                            enum: string[];
+                        };
+                        ci: {
+                            type: string;
+                        };
+                    };
+                };
+                packHash: {
+                    type: string;
+                    pattern: string;
+                };
+                ciContext: {
+                    type: string;
+                    properties: {
+                        provider: {
+                            type: string[];
+                        };
+                    };
+                };
+            };
+        };
+        artifacts: {
+            type: string;
+            items: {
+                type: string;
+                required: string[];
+                additionalProperties: boolean;
+                properties: {
+                    name: {
+                        type: string;
+                        minLength: number;
+                    };
+                    sha256: {
+                        type: string;
+                        pattern: string;
+                    };
+                    size: {
+                        type: string;
+                        minimum: number;
+                    };
+                    path: {
+                        type: string;
+                    };
+                };
+            };
+        };
+        results: {
+            type: string;
+            required: string[];
+            additionalProperties: boolean;
+            properties: {
+                trustScore: {
+                    type: string;
+                    minimum: number;
+                    maximum: number;
+                };
+                gates: {
+                    type: string;
+                    items: {
+                        type: string;
+                        required: string[];
+                        additionalProperties: boolean;
+                        properties: {
+                            name: {
+                                type: string;
+                                minLength: number;
+                            };
+                            status: {
+                                type: string;
+                                enum: string[];
+                            };
+                            metrics: {
+                                type: string;
+                            };
+                        };
+                    };
+                };
+            };
+        };
+        signing: {
+            type: string;
+            required: string[];
+            additionalProperties: boolean;
+            properties: {
+                algo: {
+                    type: string;
+                    const: string;
+                };
+                signerId: {
+                    type: string;
+                    minLength: number;
+                };
+                timestamp: {
+                    type: string;
+                    required: string[];
+                    properties: {
+                        type: {
+                            type: string;
+                            enum: string[];
+                        };
+                        token: {
+                            type: string[];
+                        };
+                    };
+                };
+                identity: {
+                    type: string;
+                    required: string[];
+                    properties: {
+                        type: {
+                            type: string;
+                            enum: string[];
+                        };
+                        evidence: {
+                            type: string[];
+                        };
+                    };
+                };
+            };
+        };
+        signature: {
+            type: string;
+            pattern: string;
+        };
+    };
+};
+/**
+ * Validate specific field patterns
+ */
+export declare const patterns: {
+    /**
+     * Validate SHA-256 hash format
+     */
+    sha256: (hash: string) => boolean;
+    /**
+     * Validate UUID v4 format
+     */
+    uuid: (id: string) => boolean;
+    /**
+     * Validate Ed25519 signature format (base64, 88 chars)
+     */
+    signature: (sig: string) => boolean;
+    /**
+     * Validate Node.js version format
+     */
+    nodeVersion: (version: string) => boolean;
+};
+//# sourceMappingURL=schema.d.ts.map

package/dist/core/proof/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../../src/core/proof/schema.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AA4MD;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,GAAG,GAAG,gBAAgB,CAcjE;AAED;;;;GAIG;AACH,wBAAgB,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAExB;AAED;;GAEG;AACH,eAAO,MAAM,QAAQ;IACnB;;OAEG;mBACY,MAAM,KAAG,OAAO;IAI/B;;OAEG;eACQ,MAAM,KAAG,OAAO;IAI3B;;OAEG;qBACc,MAAM,KAAG,OAAO;IAIjC;;OAEG;2BACoB,MAAM,KAAG,OAAO;CAGxC,CAAC"}

package/dist/core/proof/schema.js

@@ -0,0 +1,263 @@
+/**
+ * JSON Schema Validation for Proof Bundles
+ *
+ * Validates proof bundles against the v1 schema using AJV.
+ *
+ * @see docs/rfc/proof-bundle-v1.md#7-json-schema
+ */
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+/**
+ * Proof Bundle v1 JSON Schema (Draft 2020-12)
+ *
+ * Uses AJV 2020-12 for full JSON Schema 2020-12 support.
+ * This ensures compatibility with the RFC Proof Bundle v1 specification.
+ */
+const PROOF_BUNDLE_SCHEMA = {
+    $schema: 'https://json-schema.org/draft/2020-12/schema',
+    $id: 'https://qa360.dev/schemas/proof-bundle-v1.json',
+    title: 'QA360 Proof Bundle v1',
+    type: 'object',
+    required: ['spec', 'run', 'artifacts', 'results', 'signing', 'signature'],
+    additionalProperties: false,
+    properties: {
+        spec: {
+            type: 'string',
+            const: 'qa360.proof.v1',
+        },
+        run: {
+            type: 'object',
+            required: ['id', 'startedAt', 'finishedAt', 'environment', 'packHash'],
+            additionalProperties: false,
+            properties: {
+                id: {
+                    type: 'string',
+                    format: 'uuid',
+                },
+                startedAt: {
+                    type: 'string',
+                    format: 'date-time',
+                },
+                finishedAt: {
+                    type: 'string',
+                    format: 'date-time',
+                },
+                environment: {
+                    type: 'object',
+                    required: ['os', 'node', 'arch', 'ci'],
+                    additionalProperties: false,
+                    properties: {
+                        os: {
+                            type: 'string',
+                            enum: ['windows', 'linux', 'darwin'],
+                        },
+                        node: {
+                            type: 'string',
+                            pattern: '^\\d+\\.\\d+\\.\\d+$',
+                        },
+                        arch: {
+                            type: 'string',
+                            enum: ['x64', 'arm64'],
+                        },
+                        ci: {
+                            type: 'boolean',
+                        },
+                    },
+                },
+                packHash: {
+                    type: 'string',
+                    pattern: '^sha256-[0-9a-f]{64}$',
+                },
+                ciContext: {
+                    type: 'object',
+                    properties: {
+                        provider: {
+                            type: ['string', 'null'],
+                        },
+                    },
+                },
+            },
+        },
+        artifacts: {
+            type: 'array',
+            items: {
+                type: 'object',
+                required: ['name', 'sha256', 'size'],
+                additionalProperties: false,
+                properties: {
+                    name: {
+                        type: 'string',
+                        minLength: 1,
+                    },
+                    sha256: {
+                        type: 'string',
+                        pattern: '^sha256-[0-9a-f]{64}$',
+                    },
+                    size: {
+                        type: 'integer',
+                        minimum: 0,
+                    },
+                    path: {
+                        type: 'string',
+                    },
+                },
+            },
+        },
+        results: {
+            type: 'object',
+            required: ['trustScore', 'gates'],
+            additionalProperties: false,
+            properties: {
+                trustScore: {
+                    type: 'integer',
+                    minimum: 0,
+                    maximum: 100,
+                },
+                gates: {
+                    type: 'array',
+                    items: {
+                        type: 'object',
+                        required: ['name', 'status'],
+                        additionalProperties: false,
+                        properties: {
+                            name: {
+                                type: 'string',
+                                minLength: 1,
+                            },
+                            status: {
+                                type: 'string',
+                                enum: ['pass', 'fail', 'skip'],
+                            },
+                            metrics: {
+                                type: 'object',
+                            },
+                        },
+                    },
+                },
+            },
+        },
+        signing: {
+            type: 'object',
+            required: ['algo', 'signerId', 'timestamp', 'identity'],
+            additionalProperties: false,
+            properties: {
+                algo: {
+                    type: 'string',
+                    const: 'ed25519',
+                },
+                signerId: {
+                    type: 'string',
+                    minLength: 1,
+                },
+                timestamp: {
+                    type: 'object',
+                    required: ['type'],
+                    properties: {
+                        type: {
+                            type: 'string',
+                            enum: ['none', 'rfc3161'],
+                        },
+                        token: {
+                            type: ['string', 'null'],
+                        },
+                    },
+                },
+                identity: {
+                    type: 'object',
+                    required: ['type'],
+                    properties: {
+                        type: {
+                            type: 'string',
+                            enum: ['none', 'did', 'sigstore'],
+                        },
+                        evidence: {
+                            type: ['string', 'object', 'null'],
+                        },
+                    },
+                },
+            },
+        },
+        signature: {
+            type: 'string',
+            pattern: '^[A-Za-z0-9+/]{86}==$',
+        },
+    },
+};
+/**
+ * Create AJV 2020-12 validator instance
+ *
+ * Configured with:
+ * - strict: true (enforce strict schema validation)
+ * - allErrors: true (collect all validation errors)
+ * - allowUnionTypes: true (support type unions like ['string', 'null'])
+ * - strictTypes: false (allow flexible type checking for edge cases)
+ */
+let validator = null;
+function getValidator() {
+    if (!validator) {
+        const ajv = new Ajv2020({
+            strict: true,
+            allErrors: true,
+            allowUnionTypes: true,
+            strictTypes: false,
+        });
+        addFormats(ajv);
+        validator = ajv.compile(PROOF_BUNDLE_SCHEMA);
+    }
+    return validator;
+}
+/**
+ * Validate proof bundle against schema
+ *
+ * @param bundle - Proof bundle to validate
+ * @returns Validation result with errors if invalid
+ */
+export function validateProofBundle(bundle) {
+    const validate = getValidator();
+    const valid = validate(bundle);
+    if (valid) {
+        return { valid: true };
+    }
+    const errors = validate.errors?.map(err => {
+        const path = err.instancePath || 'root';
+        return `${path}: ${err.message}`;
+    }) || ['Unknown validation error'];
+    return { valid: false, errors };
+}
+/**
+ * Get the JSON Schema object
+ *
+ * @returns Proof Bundle v1 schema
+ */
+export function getSchema() {
+    return PROOF_BUNDLE_SCHEMA;
+}
+/**
+ * Validate specific field patterns
+ */
+export const patterns = {
+    /**
+     * Validate SHA-256 hash format
+     */
+    sha256: (hash) => {
+        return /^sha256-[0-9a-f]{64}$/.test(hash);
+    },
+    /**
+     * Validate UUID v4 format
+     */
+    uuid: (id) => {
+        return /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(id);
+    },
+    /**
+     * Validate Ed25519 signature format (base64, 88 chars)
+     */
+    signature: (sig) => {
+        return /^[A-Za-z0-9+/]{86}==$/.test(sig);
+    },
+    /**
+     * Validate Node.js version format
+     */
+    nodeVersion: (version) => {
+        return /^\d+\.\d+\.\d+$/.test(version);
+    },
+};