sello 0.1.1 → 0.1.2

package/dist/cbor.js

@@ -0,0 +1,337 @@
+                                      
+
+                       
+          
+          
+              
+                        
+              
+            
+
+                                              
+
+                          
+              
+                   
+  
+
+export function cborTag(tag        , value           )             {
+  assertNonNegativeSafeInteger(tag, "tag");
+  return { tag, value };
+}
+
+export function encodeCbor(value           )             {
+  if (typeof value === "number") {
+    return encodeInteger(value);
+  }
+
+  if (typeof value === "string") {
+    return concat([encodeLength(3, utf8ByteLength(value)), encodeUtf8(value)]);
+  }
+
+  if (value instanceof Uint8Array) {
+    return concat([encodeLength(2, value.byteLength), value]);
+  }
+
+  if (Array.isArray(value)) {
+    return concat([
+      encodeLength(4, value.length),
+      ...value.map((entry) => encodeCbor(entry)),
+    ]);
+  }
+
+  if (value instanceof Map) {
+    return encodeMap(value);
+  }
+
+  if (isTagged(value)) {
+    return concat([encodeLength(6, value.tag), encodeCbor(value.value)]);
+  }
+
+  throw new TypeError("unsupported CBOR value");
+}
+
+export function decodeCbor(bytes            )            {
+  const reader = new CborReader(bytes);
+  const value = reader.readValue();
+  reader.assertDone();
+  return value;
+}
+
+export function concat(parts                       )             {
+  const length = parts.reduce((sum, part) => sum + part.byteLength, 0);
+  const out = new Uint8Array(length);
+  let offset = 0;
+
+  for (const part of parts) {
+    out.set(part, offset);
+    offset += part.byteLength;
+  }
+
+  return out;
+}
+
+function encodeInteger(value        )             {
+  if (!Number.isSafeInteger(value)) {
+    throw new TypeError("CBOR integer must be a safe integer");
+  }
+
+  if (value >= 0) {
+    return encodeLength(0, value);
+  }
+
+  return encodeLength(1, -1 - value);
+}
+
+function encodeMap(value         )             {
+  const entries = [...value.entries()].map(([key, entryValue]) => {
+    if (typeof key !== "number" && typeof key !== "string") {
+      throw new TypeError("CBOR map keys must be strings or numbers");
+    }
+
+    return {
+      key: encodeCbor(key),
+      value: encodeCbor(entryValue),
+    };
+  });
+
+  entries.sort((a, b) => compareBytes(a.key, b.key));
+
+  for (let index = 1; index < entries.length; index += 1) {
+    if (compareBytes(entries[index - 1].key, entries[index].key) === 0) {
+      throw new TypeError("CBOR map contains duplicate keys");
+    }
+  }
+
+  return concat([
+    encodeLength(5, entries.length),
+    ...entries.flatMap((entry) => [entry.key, entry.value]),
+  ]);
+}
+
+function encodeLength(majorType        , value        )             {
+  assertNonNegativeSafeInteger(value, "CBOR length/value");
+  const prefix = majorType << 5;
+
+  if (value < 24) {
+    return Uint8Array.of(prefix | value);
+  }
+
+  if (value <= 0xff) {
+    return Uint8Array.of(prefix | 24, value);
+  }
+
+  if (value <= 0xffff) {
+    return Uint8Array.of(prefix | 25, value >> 8, value & 0xff);
+  }
+
+  if (value <= 0xffffffff) {
+    return Uint8Array.of(
+      prefix | 26,
+      (value >>> 24) & 0xff,
+      (value >>> 16) & 0xff,
+      (value >>> 8) & 0xff,
+      value & 0xff,
+    );
+  }
+
+  throw new RangeError("CBOR values larger than uint32 are not supported yet");
+}
+
+function compareBytes(a            , b            )         {
+  const length = Math.min(a.byteLength, b.byteLength);
+
+  for (let index = 0; index < length; index += 1) {
+    const diff = a[index] - b[index];
+    if (diff !== 0) {
+      return diff;
+    }
+  }
+
+  return a.byteLength - b.byteLength;
+}
+
+function assertNonNegativeSafeInteger(value        , name        )       {
+  if (!Number.isSafeInteger(value) || value < 0) {
+    throw new TypeError(`${name} must be a non-negative safe integer`);
+  }
+}
+
+function isTagged(value         )                      {
+  return (
+    typeof value === "object" &&
+    value !== null &&
+    "tag" in value &&
+    "value" in value
+  );
+}
+
+const textEncoder = new TextEncoder();
+const textDecoder = new TextDecoder("utf-8", { fatal: true });
+
+function encodeUtf8(value        )             {
+  return textEncoder.encode(value);
+}
+
+function decodeUtf8(value            )         {
+  return textDecoder.decode(value);
+}
+
+function utf8ByteLength(value        )         {
+  return encodeUtf8(value).byteLength;
+}
+
+class CborReader {
+           #bytes            ;
+  #offset = 0;
+
+  constructor(bytes            ) {
+    this.#bytes = bytes;
+  }
+
+  readValue()            {
+    const initialByte = this.readByte();
+    const majorType = initialByte >> 5;
+    const additionalInfo = initialByte & 0x1f;
+
+    if (majorType === 0) {
+      return this.readLength(additionalInfo);
+    }
+
+    if (majorType === 1) {
+      return -1 - this.readLength(additionalInfo);
+    }
+
+    if (majorType === 2) {
+      const length = this.readLength(additionalInfo);
+      return this.readBytes(length);
+    }
+
+    if (majorType === 3) {
+      const length = this.readLength(additionalInfo);
+      return decodeUtf8(this.readBytes(length));
+    }
+
+    if (majorType === 4) {
+      const length = this.readLength(additionalInfo);
+      return this.readArray(length);
+    }
+
+    if (majorType === 5) {
+      const length = this.readLength(additionalInfo);
+      return this.readMap(length);
+    }
+
+    if (majorType === 6) {
+      const tag = this.readLength(additionalInfo);
+      return cborTag(tag, this.readValue());
+    }
+
+    throw new TypeError(`unsupported CBOR major type ${majorType}`);
+  }
+
+  assertDone()       {
+    if (this.#offset !== this.#bytes.byteLength) {
+      throw new TypeError("CBOR data has trailing bytes");
+    }
+  }
+
+          readArray(length        )              {
+    const out              = [];
+
+    for (let index = 0; index < length; index += 1) {
+      out.push(this.readValue());
+    }
+
+    return out;
+  }
+
+          readMap(length        )          {
+    const out          = new Map();
+    let previousEncodedKey                        ;
+
+    for (let index = 0; index < length; index += 1) {
+      const keyStart = this.#offset;
+      const key = this.readValue();
+      const encodedKey = this.#bytes.subarray(keyStart, this.#offset);
+
+      if (typeof key !== "string" && typeof key !== "number") {
+        throw new TypeError("CBOR map keys must be strings or numbers");
+      }
+
+      if (previousEncodedKey && compareBytes(previousEncodedKey, encodedKey) >= 0) {
+        throw new TypeError("CBOR map keys are not in deterministic order");
+      }
+
+      previousEncodedKey = encodedKey;
+      out.set(key, this.readValue());
+    }
+
+    return out;
+  }
+
+          readLength(additionalInfo        )         {
+    if (additionalInfo < 24) {
+      return additionalInfo;
+    }
+
+    if (additionalInfo === 24) {
+      const value = this.readByte();
+      if (value < 24) {
+        throw new TypeError("CBOR integer/length is not minimally encoded");
+      }
+      return value;
+    }
+
+    if (additionalInfo === 25) {
+      const value = this.readUint16();
+      if (value <= 0xff) {
+        throw new TypeError("CBOR integer/length is not minimally encoded");
+      }
+      return value;
+    }
+
+    if (additionalInfo === 26) {
+      const value = this.readUint32();
+      if (value <= 0xffff) {
+        throw new TypeError("CBOR integer/length is not minimally encoded");
+      }
+      return value;
+    }
+
+    throw new TypeError("CBOR indefinite or uint64 lengths are not supported");
+  }
+
+          readByte()         {
+    if (this.#offset >= this.#bytes.byteLength) {
+      throw new TypeError("unexpected end of CBOR data");
+    }
+
+    return this.#bytes[this.#offset++];
+  }
+
+          readBytes(length        )             {
+    const end = this.#offset + length;
+
+    if (end > this.#bytes.byteLength) {
+      throw new TypeError("unexpected end of CBOR data");
+    }
+
+    const out = this.#bytes.subarray(this.#offset, end);
+    this.#offset = end;
+    return out;
+  }
+
+          readUint16()         {
+    return (this.readByte() << 8) | this.readByte();
+  }
+
+          readUint32()         {
+    return (
+      (this.readByte() * 0x1000000) +
+      (this.readByte() << 16) +
+      (this.readByte() << 8) +
+      this.readByte()
+    );
+  }
+}

package/dist/cli/bench.js

@@ -0,0 +1,389 @@
+#!/usr/bin/env node
+
+import { performance } from "node:perf_hooks";
+
+import { encodeReceiptBody } from "../receipt/body.js";
+import { decodeReceiptEnvelope, generateEd25519KeyPair } from "../cose/sign1.js";
+import { toHex } from "../crypto/identifiers.js";
+import { generateHpkeKeyPair } from "../hpke/receipt.js";
+import { MockTransparencyLog } from "../log/mock-log.js";
+import { verifyReceipts } from "../owner/verify.js";
+import {
+  loadSignedRegistry,
+  signRegistryJson,
+} from "../registry/json-registry.js";
+import {
+  createReceiptFromJwsToken,
+                      
+} from "../service/create-receipt.js";
+import { base64urlEncode, signSelloJwsToken } from "../token/jws-profile.js";
+
+                     
+                
+               
+                 
+              
+              
+                 
+  
+
+                    
+                     
+                            
+               
+          
+                                    
+                                   
+                               
+                                      
+                                      
+    
+               
+                               
+                                   
+                               
+                                     
+    
+                  
+                                 
+                                     
+                                                    
+                                                          
+    
+  
+
+const DEFAULT_WARMUP_ITERATIONS = 500;
+
+const textEncoder = new TextEncoder();
+const logUrl = "https://rekor.example.com/api"                   ;
+const serviceIdentifier = "github.com/mcp/v1";
+
+const options = parseArgs(process.argv.slice(2));
+const result = runBenchmark(options.iterations, options.warmupIterations);
+
+if (options.json) {
+  console.log(JSON.stringify(result, null, 2));
+} else {
+  printText(result);
+}
+
+function runBenchmark(iterations        , warmupIterations        )              {
+  const sampleFixture = makeFixture();
+  const sampleReceipt = createBenchReceipt(sampleFixture, 0);
+  const sampleEnvelope = decodeReceiptEnvelope(sampleReceipt.envelope);
+  const sizes = {
+    receipt_body_cbor_bytes: encodeReceiptBody(sampleReceipt.receiptBody).byteLength,
+    protected_header_bytes: sampleReceipt.protectedHeaderBytes.byteLength,
+    hpke_payload_bytes: sampleEnvelope.payload.byteLength,
+    cose_sign1_envelope_bytes: sampleReceipt.envelope.byteLength,
+    mock_log_proof_json_bytes: textEncoder.encode(
+      JSON.stringify(sampleReceipt.logEntry.proof),
+    ).byteLength,
+  };
+
+  // When --expose-gc is set, force a baseline GC before warmup so the steady-state
+  // sample isn't contaminated by collection of size-sample allocations. Silently
+  // skipped if the flag isn't present.
+  if (typeof globalThis.gc === "function") {
+    globalThis.gc();
+  }
+
+  warmup(warmupIterations);
+
+  const createFixture = makeFixture();
+  const createDurations = new Array        (iterations);
+  for (let index = 0; index < iterations; index += 1) {
+    const t0 = performance.now();
+    createBenchReceipt(createFixture, index);
+    createDurations[index] = performance.now() - t0;
+  }
+
+  const verifyOneFixture = makeFixture();
+  createBenchReceipt(verifyOneFixture, 0);
+  const verifyOneDurations = new Array        (iterations);
+  for (let index = 0; index < iterations; index += 1) {
+    const t0 = performance.now();
+    const result = verifyReceipts(verifyOneFixture.ownerInput());
+    verifyOneDurations[index] = performance.now() - t0;
+    assertVerifiedCount(result.receipts.length, 1);
+  }
+
+  const batchFixture = makeFixture();
+  for (let index = 0; index < iterations; index += 1) {
+    createBenchReceipt(batchFixture, index);
+  }
+  const verifyBatchTiming = time(() => {
+    const result = verifyReceipts(batchFixture.ownerInput());
+    assertVerifiedCount(result.receipts.length, iterations);
+  });
+
+  const createTotal = sum(createDurations);
+  const verifyOneTotal = sum(verifyOneDurations);
+
+  return {
+    iterations,
+    warmup_iterations: warmupIterations,
+    node: process.version,
+    sizes,
+    timings_ms: {
+      create_receipt_avg: roundMs(createTotal / iterations),
+      verify_one_receipt_avg: roundMs(verifyOneTotal / iterations),
+      verify_batch_total: roundMs(verifyBatchTiming),
+      verify_batch_per_receipt: roundMs(verifyBatchTiming / iterations),
+    },
+    distributions: {
+      create_receipt: summarize(createDurations),
+      verify_one_receipt: summarize(verifyOneDurations),
+      verify_batch_total: { count: 1, value: roundMs(verifyBatchTiming) },
+      verify_batch_per_receipt: {
+        count: 1,
+        value: roundMs(verifyBatchTiming / iterations),
+      },
+    },
+  };
+}
+
+function warmup(count        )       {
+  const fixture = makeFixture();
+  for (let index = 0; index < count; index += 1) {
+    createBenchReceipt(fixture, index);
+  }
+  const verifyFixture = makeFixture();
+  createBenchReceipt(verifyFixture, 0);
+  for (let index = 0; index < count; index += 1) {
+    const result = verifyReceipts(verifyFixture.ownerInput());
+    assertVerifiedCount(result.receipts.length, 1);
+  }
+}
+
+function summarize(durations          )               {
+  if (durations.length === 0) {
+    throw new Error("cannot summarize empty distribution");
+  }
+  const sorted = durations.slice().sort((a, b) => a - b);
+  const count = sorted.length;
+  const total = sum(sorted);
+  const mean = total / count;
+  const variance =
+    sorted.reduce((acc, value) => acc + (value - mean) ** 2, 0) / count;
+  return {
+    count,
+    mean: roundMs(mean),
+    median: roundMs(percentile(sorted, 0.5)),
+    p95: roundMs(percentile(sorted, 0.95)),
+    p99: roundMs(percentile(sorted, 0.99)),
+    stddev: roundMs(Math.sqrt(variance)),
+  };
+}
+
+function percentile(sortedAscending          , quantile        )         {
+  if (sortedAscending.length === 1) {
+    return sortedAscending[0];
+  }
+  const rank = quantile * (sortedAscending.length - 1);
+  const lower = Math.floor(rank);
+  const upper = Math.ceil(rank);
+  if (lower === upper) {
+    return sortedAscending[lower];
+  }
+  const fraction = rank - lower;
+  return sortedAscending[lower] * (1 - fraction) + sortedAscending[upper] * fraction;
+}
+
+function sum(values          )         {
+  let total = 0;
+  for (const value of values) {
+    total += value;
+  }
+  return total;
+}
+
+function makeFixture() {
+  const owner = generateHpkeKeyPair();
+  const service = generateEd25519KeyPair();
+  const trustRoot = generateEd25519KeyPair();
+  const tokenIssuer = generateEd25519KeyPair();
+  const serviceKid = textEncoder.encode("github-mcp-v1-2026-q2");
+  const log = new MockTransparencyLog(logUrl);
+  const authorizationToken = signSelloJwsToken({
+    issuerPrivateKey: tokenIssuer.privateKey,
+    payload: {
+      sub: "bench-agent",
+      owner_hpke_pk: base64urlEncode(owner.publicKey),
+      sello_logs: [logUrl],
+    },
+  });
+  const registryBytes = textEncoder.encode(
+    JSON.stringify({
+      [toHex(serviceKid)]: {
+        service_identifier: serviceIdentifier,
+        public_key_ed25519: Buffer.from(service.publicKey).toString("base64url"),
+      },
+    }),
+  );
+  const registry = loadSignedRegistry({
+    registryBytes,
+    signatureBase64Url: signRegistryJson(registryBytes, trustRoot.privateKey),
+    trustRootPublicKey: trustRoot.publicKey,
+  });
+
+  return {
+    authorizationToken,
+    tokenIssuerPublicKey: tokenIssuer.publicKey,
+    serviceKid,
+    servicePrivateKey: service.privateKey,
+    serviceIdentifier,
+    log,
+    ownerInput: () => ({
+      authorizationTokenBytes: textEncoder.encode(authorizationToken),
+      trustedLogs: [log],
+      registry,
+      ownerPrivateKey: owner.privateKey,
+    }),
+  };
+}
+
+function createBenchReceipt(
+  fixture                                ,
+  index        ,
+)                 {
+  return createReceiptFromJwsToken({
+    authorizationToken: fixture.authorizationToken,
+    tokenIssuerPublicKey: fixture.tokenIssuerPublicKey,
+    serviceKid: fixture.serviceKid,
+    servicePrivateKey: fixture.servicePrivateKey,
+    serviceIdentifier: fixture.serviceIdentifier,
+    log: fixture.log,
+    actionType: "tools/call",
+    actionInputBytes: textEncoder.encode(`bench input ${index}`),
+    actionOutputBytes: textEncoder.encode(`bench output ${index}`),
+    resultStatus: "success",
+    timestamp: timestampForIndex(index),
+  });
+}
+
+function timestampForIndex(index        )         {
+  const base = Date.parse("2026-05-28T10:00:00Z");
+  return new Date(base + index * 1000).toISOString().replace(/\.\d{3}Z$/, "Z");
+}
+
+function time(callback            )         {
+  const start = performance.now();
+  callback();
+  return performance.now() - start;
+}
+
+function parseArgs(args          )   
+                     
+                           
+                
+  {
+  let iterations = 100;
+  let warmupIterations = DEFAULT_WARMUP_ITERATIONS;
+  let json = false;
+
+  for (let index = 0; index < args.length; index += 1) {
+    const arg = args[index];
+
+    if (arg === "--json") {
+      json = true;
+      continue;
+    }
+
+    if (arg === "--iterations") {
+      const raw = args[index + 1];
+      index += 1;
+      iterations = parseIterations(raw);
+      continue;
+    }
+
+    if (arg.startsWith("--iterations=")) {
+      iterations = parseIterations(arg.slice("--iterations=".length));
+      continue;
+    }
+
+    if (arg === "--warmup") {
+      const raw = args[index + 1];
+      index += 1;
+      warmupIterations = parseWarmupIterations(raw);
+      continue;
+    }
+
+    if (arg.startsWith("--warmup=")) {
+      warmupIterations = parseWarmupIterations(arg.slice("--warmup=".length));
+      continue;
+    }
+
+    if (arg === "--help") {
+      printHelp();
+      process.exit(0);
+    }
+
+    throw new TypeError(`unknown argument: ${arg}`);
+  }
+
+  return { iterations, warmupIterations, json };
+}
+
+function parseIterations(value                    )         {
+  const iterations = Number(value);
+
+  if (!Number.isSafeInteger(iterations) || iterations < 1) {
+    throw new TypeError("--iterations must be a positive integer");
+  }
+
+  return iterations;
+}
+
+function parseWarmupIterations(value                    )         {
+  const iterations = Number(value);
+
+  if (!Number.isSafeInteger(iterations) || iterations < 0) {
+    throw new TypeError("--warmup must be a non-negative integer");
+  }
+
+  return iterations;
+}
+
+function assertVerifiedCount(actual        , expected        )       {
+  if (actual !== expected) {
+    throw new Error(`expected ${expected} verified receipts, got ${actual}`);
+  }
+}
+
+function roundMs(value        )         {
+  return Math.round(value * 1000) / 1000;
+}
+
+function printText(result             )       {
+  console.log(
+    `Sello benchmark (${result.iterations} iterations, ${result.warmup_iterations} warmup, ${result.node})`,
+  );
+  console.log("");
+  console.log("Receipt sizes:");
+  for (const [name, value] of Object.entries(result.sizes)) {
+    console.log(`  ${name}: ${value} bytes`);
+  }
+  console.log("");
+  console.log("Timings:");
+  for (const [name, value] of Object.entries(result.timings_ms)) {
+    console.log(`  ${name}: ${value} ms`);
+  }
+  console.log("");
+  console.log("Distributions:");
+  printDistribution("create_receipt", result.distributions.create_receipt);
+  printDistribution("verify_one_receipt", result.distributions.verify_one_receipt);
+}
+
+function printHelp()       {
+  console.log(`Usage: sello-bench [--iterations N] [--warmup N] [--json]
+
+Runs a local benchmark over the mock-log Sello receipt flow.
+Results are useful for rough regression tracking, not formal crypto benchmarks.`);
+}
+
+function printDistribution(name        , distribution              )       {
+  console.log(
+    `  ${name}: mean ${distribution.mean} ms, median ${distribution.median} ms, p95 ${distribution.p95} ms, p99 ${distribution.p99} ms, stddev ${distribution.stddev} ms`,
+  );
+}