qa360 1.0.3 → 1.1.0

package/dist/core/proof/verifier.js

@@ -0,0 +1,302 @@
+/**
+ * Proof Bundle Verification
+ *
+ * Verifies cryptographic signatures and integrity of proof bundles.
+ *
+ * @see docs/rfc/proof-bundle-v1.md#6-verification-procedure
+ */
+import { promises as fs } from 'fs';
+import { createHash } from 'crypto';
+import { canonicalizeForSigning } from './canonicalize.js';
+import { verify, loadKeys } from './signer.js';
+import { validateProofBundle } from './schema.js';
+/**
+ * Verification error codes (matches RFC)
+ */
+export var VerificationCode;
+(function (VerificationCode) {
+    VerificationCode[VerificationCode["PROOF_OK"] = 0] = "PROOF_OK";
+    VerificationCode[VerificationCode["PROOF_INVALID_SIG"] = 1] = "PROOF_INVALID_SIG";
+    VerificationCode[VerificationCode["PROOF_INVALID_SCHEMA"] = 2] = "PROOF_INVALID_SCHEMA";
+    VerificationCode[VerificationCode["PROOF_ARTIFACT_MISMATCH"] = 3] = "PROOF_ARTIFACT_MISMATCH";
+    VerificationCode[VerificationCode["PROOF_MISSING_KEY"] = 4] = "PROOF_MISSING_KEY";
+    VerificationCode[VerificationCode["PROOF_MALFORMED"] = 5] = "PROOF_MALFORMED";
+})(VerificationCode || (VerificationCode = {}));
+/**
+ * Verify proof bundle signature
+ *
+ * @param bundle - Proof bundle to verify
+ * @param publicKey - Optional public key (loads from ~/.qa360/keys if not provided)
+ * @returns Verification result
+ */
+export async function verifyProofBundle(bundle, publicKey) {
+    // Step 1: Validate JSON structure
+    try {
+        JSON.stringify(bundle);
+    }
+    catch {
+        return {
+            valid: false,
+            code: VerificationCode.PROOF_MALFORMED,
+            message: 'Malformed JSON structure',
+        };
+    }
+    // Step 2: Extract signature
+    const signatureB64 = bundle.signature;
+    if (!signatureB64) {
+        return {
+            valid: false,
+            code: VerificationCode.PROOF_INVALID_SIG,
+            message: 'Missing signature field',
+        };
+    }
+    // Step 3: Validate schema
+    const schemaValidation = validateProofBundle(bundle);
+    if (!schemaValidation.valid) {
+        return {
+            valid: false,
+            code: VerificationCode.PROOF_INVALID_SCHEMA,
+            message: `Schema validation failed: ${schemaValidation.errors?.join(', ')}`,
+        };
+    }
+    // Step 4: Load public key if not provided
+    let pubKey = publicKey;
+    if (!pubKey) {
+        try {
+            const keyPair = await loadKeys();
+            pubKey = keyPair.publicKey;
+        }
+        catch (error) {
+            return {
+                valid: false,
+                code: VerificationCode.PROOF_MISSING_KEY,
+                message: `Public key not found: ${error instanceof Error ? error.message : 'Unknown error'}`,
+            };
+        }
+    }
+    // Step 5: Re-canonicalize (without signature)
+    const canonical = canonicalizeForSigning(bundle);
+    // Step 6: Compute hash for verification details
+    const hash = createHash('sha256').update(canonical, 'utf-8').digest('hex');
+    // Step 7: Verify signature
+    const signatureValid = verify(canonical, signatureB64, pubKey);
+    if (!signatureValid) {
+        return {
+            valid: false,
+            code: VerificationCode.PROOF_INVALID_SIG,
+            message: 'Invalid signature',
+            details: {
+                signerId: bundle.signing.signerId,
+                hash: `sha256-${hash}`,
+            },
+        };
+    }
+    // Step 8: Success
+    return {
+        valid: true,
+        code: VerificationCode.PROOF_OK,
+        message: 'Proof verified successfully',
+        details: {
+            signerId: bundle.signing.signerId,
+            hash: `sha256-${hash}`,
+            artifactsTotal: bundle.artifacts.length,
+            trustScore: bundle.results.trustScore,
+            runId: bundle.run.id,
+            startedAt: bundle.run.startedAt,
+            finishedAt: bundle.run.finishedAt,
+        },
+    };
+}
+/**
+ * Verify artifact integrity
+ *
+ * @param artifact - Artifact metadata
+ * @param filePath - Path to artifact file
+ * @returns true if hash matches
+ */
+export async function verifyArtifact(artifact, filePath) {
+    try {
+        const content = await fs.readFile(filePath);
+        const hash = createHash('sha256').update(content).digest('hex');
+        const expectedHash = artifact.sha256.replace('sha256-', '');
+        return hash === expectedHash;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Verify all artifacts in proof bundle
+ *
+ * @param bundle - Proof bundle
+ * @param options - Verification options
+ * @returns Verification result with artifact details
+ */
+export async function verifyArtifacts(bundle, options = {}) {
+    const { basePath = '.', skipMissing = false } = options;
+    let verified = 0;
+    const total = bundle.artifacts.length;
+    for (const artifact of bundle.artifacts) {
+        const filePath = artifact.path
+            ? `${basePath}/${artifact.path}`
+            : `${basePath}/${artifact.name}`;
+        try {
+            const valid = await verifyArtifact(artifact, filePath);
+            if (valid) {
+                verified++;
+            }
+            else if (!skipMissing) {
+                return {
+                    valid: false,
+                    code: VerificationCode.PROOF_ARTIFACT_MISMATCH,
+                    message: `Artifact hash mismatch: ${artifact.name}`,
+                    details: {
+                        artifactsVerified: verified,
+                        artifactsTotal: total,
+                    },
+                };
+            }
+        }
+        catch {
+            if (!skipMissing) {
+                return {
+                    valid: false,
+                    code: VerificationCode.PROOF_ARTIFACT_MISMATCH,
+                    message: `Artifact not found: ${artifact.name}`,
+                    details: {
+                        artifactsVerified: verified,
+                        artifactsTotal: total,
+                    },
+                };
+            }
+        }
+    }
+    return {
+        valid: true,
+        code: VerificationCode.PROOF_OK,
+        message: `All artifacts verified (${verified}/${total})`,
+        details: {
+            artifactsVerified: verified,
+            artifactsTotal: total,
+        },
+    };
+}
+/**
+ * Verify proof bundle and artifacts (complete verification)
+ *
+ * @param bundle - Proof bundle
+ * @param options - Artifact verification options
+ * @param publicKey - Optional public key
+ * @returns Complete verification result
+ */
+export async function verifyComplete(bundle, options = {}, publicKey) {
+    // Step 1: Verify signature
+    const sigResult = await verifyProofBundle(bundle, publicKey);
+    if (!sigResult.valid) {
+        return sigResult;
+    }
+    // Step 2: Verify artifacts (if any)
+    if (bundle.artifacts.length > 0) {
+        const artifactResult = await verifyArtifacts(bundle, options);
+        if (!artifactResult.valid) {
+            return artifactResult;
+        }
+        // Merge details
+        return {
+            ...sigResult,
+            details: {
+                ...sigResult.details,
+                ...artifactResult.details,
+            },
+        };
+    }
+    return sigResult;
+}
+/**
+ * Load and verify proof bundle from file
+ *
+ * @param filePath - Path to proof bundle JSON file
+ * @param options - Artifact verification options
+ * @param publicKey - Optional public key
+ * @returns Verification result
+ */
+export async function verifyProofFile(filePath, options = {}, publicKey) {
+    try {
+        const content = await fs.readFile(filePath, 'utf-8');
+        const bundle = JSON.parse(content);
+        return verifyComplete(bundle, options, publicKey);
+    }
+    catch (error) {
+        return {
+            valid: false,
+            code: VerificationCode.PROOF_MALFORMED,
+            message: `Failed to load proof: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        };
+    }
+}
+/**
+ * Verify Phase3 proof format (simplified)
+ *
+ * @param filePath - Path to Phase3 proof JSON
+ * @returns Verification result
+ */
+export async function verifyPhase3Proof(filePath) {
+    try {
+        const content = await fs.readFile(filePath, 'utf-8');
+        const proof = JSON.parse(content);
+        // Check if it's Phase3 format
+        if (!proof.version || !proof.signature || !proof.runId) {
+            return {
+                valid: false,
+                code: VerificationCode.PROOF_MALFORMED,
+                message: 'Not a valid Phase3 proof format',
+            };
+        }
+        // Extract signature info
+        const { signature, ...payload } = proof;
+        if (signature.algorithm === 'none' || !signature.publicKey) {
+            return {
+                valid: false,
+                code: VerificationCode.PROOF_INVALID_SIG,
+                message: 'Proof is unsigned',
+            };
+        }
+        // Decode public key from proof
+        const publicKey = new Uint8Array(Buffer.from(signature.publicKey, 'base64'));
+        // Canonicalize payload
+        const { canonicalize } = await import('./canonicalize.js');
+        const canonical = canonicalize(payload);
+        // Verify signature
+        const isValid = verify(canonical, signature.value, publicKey);
+        if (!isValid) {
+            return {
+                valid: false,
+                code: VerificationCode.PROOF_INVALID_SIG,
+                message: 'Invalid signature - proof may have been tampered with',
+                details: {
+                    runId: proof.runId,
+                    trustScore: proof.execution?.trustScore,
+                },
+            };
+        }
+        // Success
+        return {
+            valid: true,
+            code: VerificationCode.PROOF_OK,
+            message: 'Proof verified successfully',
+            details: {
+                runId: proof.runId,
+                trustScore: proof.execution?.trustScore,
+                startedAt: proof.timestamp,
+                artifactsTotal: proof.gates?.length || 0,
+            },
+        };
+    }
+    catch (error) {
+        return {
+            valid: false,
+            code: VerificationCode.PROOF_MALFORMED,
+            message: `Failed to verify proof: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        };
+    }
+}

package/dist/core/runner/phase3-runner.d.ts

@@ -0,0 +1,102 @@
+/**
+ * QA360 Phase 3 Runner
+ * Orchestrates hooks, adapters, and proof generation
+ */
+import { PackConfigV1 } from '../types/pack-v1.js';
+export interface Phase3RunnerOptions {
+    workingDir: string;
+    pack: PackConfigV1;
+    outputDir?: string;
+}
+export interface GateResult {
+    gate: string;
+    success: boolean;
+    duration: number;
+    adapter: string;
+    results: any;
+    junit?: string;
+    error?: string;
+}
+export interface Phase3RunResult {
+    success: boolean;
+    pack: PackConfigV1;
+    duration: number;
+    gates: GateResult[];
+    hooks: {
+        beforeAll: any[];
+        beforeEach: any[];
+        afterEach: any[];
+        afterAll: any[];
+    };
+    summary: {
+        total: number;
+        passed: number;
+        failed: number;
+        trustScore: number;
+    };
+    proofPath?: string;
+    error?: string;
+}
+export declare class Phase3Runner {
+    private workingDir;
+    private pack;
+    private outputDir;
+    private redactor;
+    private hooksRunner;
+    private keyPair?;
+    private vault?;
+    constructor(options: Phase3RunnerOptions);
+    /**
+     * Execute complete Phase 3 workflow
+     */
+    run(): Promise<Phase3RunResult>;
+    /**
+     * Execute a single quality gate
+     */
+    private executeGate;
+    /**
+     * Run API smoke gate
+     */
+    private runApiSmokeGate;
+    /**
+     * Run UI gate (includes basic accessibility)
+     */
+    private runUiGate;
+    /**
+     * Run A11y gate (focused accessibility testing)
+     */
+    private runA11yGate;
+    /**
+     * Run performance gate
+     */
+    private runPerfGate;
+    /**
+     * Run SAST gate
+     */
+    private runSastGate;
+    /**
+     * Run DAST gate (mock implementation)
+     */
+    private runDastGate;
+    /**
+     * Calculate execution summary
+     */
+    private calculateSummary;
+    /**
+     * Generate cryptographically signed proof document
+     */
+    private generateProof;
+    /**
+     * Save run results to Evidence Vault
+     */
+    private saveToVault;
+    /**
+     * Generate hash of pack configuration
+     */
+    private hashPack;
+    /**
+     * Ensure output directory exists
+     */
+    private ensureOutputDir;
+}
+//# sourceMappingURL=phase3-runner.d.ts.map

package/dist/core/runner/phase3-runner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"phase3-runner.d.ts","sourceRoot":"","sources":["../../../src/core/runner/phase3-runner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAWnD,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,YAAY,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,GAAG,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,YAAY,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,UAAU,EAAE,CAAC;IACpB,KAAK,EAAE;QACL,SAAS,EAAE,GAAG,EAAE,CAAC;QACjB,UAAU,EAAE,GAAG,EAAE,CAAC;QAClB,SAAS,EAAE,GAAG,EAAE,CAAC;QACjB,QAAQ,EAAE,GAAG,EAAE,CAAC;KACjB,CAAC;IACF,OAAO,EAAE;QACP,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IACF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,IAAI,CAAe;IAC3B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,QAAQ,CAAmB;IACnC,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,OAAO,CAAC,CAAU;IAC1B,OAAO,CAAC,KAAK,CAAC,CAAgB;gBAElB,OAAO,EAAE,mBAAmB;IAcxC;;OAEG;IACG,GAAG,IAAI,OAAO,CAAC,eAAe,CAAC;IA2IrC;;OAEG;YACW,WAAW;IAkFzB;;OAEG;YACW,eAAe;IAc7B;;OAEG;YACW,SAAS;IAavB;;OAEG;YACW,WAAW;IAKzB;;OAEG;YACW,WAAW;IAgBzB;;OAEG;YACW,WAAW;IAWzB;;OAEG;YACW,WAAW;IAezB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA+BxB;;OAEG;YACW,aAAa;IAsE3B;;OAEG;YACW,WAAW;IAmDzB;;OAEG;IACH,OAAO,CAAC,QAAQ;IAOhB;;OAEG;IACH,OAAO,CAAC,eAAe;CAKxB"}