sello 0.1.1 → 0.1.3

package/dist/cli/bench.js

@@ -0,0 +1,389 @@
+#!/usr/bin/env node
+
+import { performance } from "node:perf_hooks";
+
+import { encodeReceiptBody } from "../receipt/body.js";
+import { decodeReceiptEnvelope, generateEd25519KeyPair } from "../cose/sign1.js";
+import { toHex } from "../crypto/identifiers.js";
+import { generateHpkeKeyPair } from "../hpke/receipt.js";
+import { MockTransparencyLog } from "../log/mock-log.js";
+import { verifyReceipts } from "../owner/verify.js";
+import {
+  loadSignedRegistry,
+  signRegistryJson,
+} from "../registry/json-registry.js";
+import {
+  createReceiptFromJwsToken,
+                      
+} from "../service/create-receipt.js";
+import { base64urlEncode, signSelloJwsToken } from "../token/jws-profile.js";
+
+                     
+                
+               
+                 
+              
+              
+                 
+  
+
+                    
+                     
+                            
+               
+          
+                                    
+                                   
+                               
+                                      
+                                      
+    
+               
+                               
+                                   
+                               
+                                     
+    
+                  
+                                 
+                                     
+                                                    
+                                                          
+    
+  
+
+const DEFAULT_WARMUP_ITERATIONS = 500;
+
+const textEncoder = new TextEncoder();
+const logUrl = "https://rekor.example.com/api"                   ;
+const serviceIdentifier = "github.com/mcp/v1";
+
+const options = parseArgs(process.argv.slice(2));
+const result = runBenchmark(options.iterations, options.warmupIterations);
+
+if (options.json) {
+  console.log(JSON.stringify(result, null, 2));
+} else {
+  printText(result);
+}
+
+function runBenchmark(iterations        , warmupIterations        )              {
+  const sampleFixture = makeFixture();
+  const sampleReceipt = createBenchReceipt(sampleFixture, 0);
+  const sampleEnvelope = decodeReceiptEnvelope(sampleReceipt.envelope);
+  const sizes = {
+    receipt_body_cbor_bytes: encodeReceiptBody(sampleReceipt.receiptBody).byteLength,
+    protected_header_bytes: sampleReceipt.protectedHeaderBytes.byteLength,
+    hpke_payload_bytes: sampleEnvelope.payload.byteLength,
+    cose_sign1_envelope_bytes: sampleReceipt.envelope.byteLength,
+    mock_log_proof_json_bytes: textEncoder.encode(
+      JSON.stringify(sampleReceipt.logEntry.proof),
+    ).byteLength,
+  };
+
+  // When --expose-gc is set, force a baseline GC before warmup so the steady-state
+  // sample isn't contaminated by collection of size-sample allocations. Silently
+  // skipped if the flag isn't present.
+  if (typeof globalThis.gc === "function") {
+    globalThis.gc();
+  }
+
+  warmup(warmupIterations);
+
+  const createFixture = makeFixture();
+  const createDurations = new Array        (iterations);
+  for (let index = 0; index < iterations; index += 1) {
+    const t0 = performance.now();
+    createBenchReceipt(createFixture, index);
+    createDurations[index] = performance.now() - t0;
+  }
+
+  const verifyOneFixture = makeFixture();
+  createBenchReceipt(verifyOneFixture, 0);
+  const verifyOneDurations = new Array        (iterations);
+  for (let index = 0; index < iterations; index += 1) {
+    const t0 = performance.now();
+    const result = verifyReceipts(verifyOneFixture.ownerInput());
+    verifyOneDurations[index] = performance.now() - t0;
+    assertVerifiedCount(result.receipts.length, 1);
+  }
+
+  const batchFixture = makeFixture();
+  for (let index = 0; index < iterations; index += 1) {
+    createBenchReceipt(batchFixture, index);
+  }
+  const verifyBatchTiming = time(() => {
+    const result = verifyReceipts(batchFixture.ownerInput());
+    assertVerifiedCount(result.receipts.length, iterations);
+  });
+
+  const createTotal = sum(createDurations);
+  const verifyOneTotal = sum(verifyOneDurations);
+
+  return {
+    iterations,
+    warmup_iterations: warmupIterations,
+    node: process.version,
+    sizes,
+    timings_ms: {
+      create_receipt_avg: roundMs(createTotal / iterations),
+      verify_one_receipt_avg: roundMs(verifyOneTotal / iterations),
+      verify_batch_total: roundMs(verifyBatchTiming),
+      verify_batch_per_receipt: roundMs(verifyBatchTiming / iterations),
+    },
+    distributions: {
+      create_receipt: summarize(createDurations),
+      verify_one_receipt: summarize(verifyOneDurations),
+      verify_batch_total: { count: 1, value: roundMs(verifyBatchTiming) },
+      verify_batch_per_receipt: {
+        count: 1,
+        value: roundMs(verifyBatchTiming / iterations),
+      },
+    },
+  };
+}
+
+function warmup(count        )       {
+  const fixture = makeFixture();
+  for (let index = 0; index < count; index += 1) {
+    createBenchReceipt(fixture, index);
+  }
+  const verifyFixture = makeFixture();
+  createBenchReceipt(verifyFixture, 0);
+  for (let index = 0; index < count; index += 1) {
+    const result = verifyReceipts(verifyFixture.ownerInput());
+    assertVerifiedCount(result.receipts.length, 1);
+  }
+}
+
+function summarize(durations          )               {
+  if (durations.length === 0) {
+    throw new Error("cannot summarize empty distribution");
+  }
+  const sorted = durations.slice().sort((a, b) => a - b);
+  const count = sorted.length;
+  const total = sum(sorted);
+  const mean = total / count;
+  const variance =
+    sorted.reduce((acc, value) => acc + (value - mean) ** 2, 0) / count;
+  return {
+    count,
+    mean: roundMs(mean),
+    median: roundMs(percentile(sorted, 0.5)),
+    p95: roundMs(percentile(sorted, 0.95)),
+    p99: roundMs(percentile(sorted, 0.99)),
+    stddev: roundMs(Math.sqrt(variance)),
+  };
+}
+
+function percentile(sortedAscending          , quantile        )         {
+  if (sortedAscending.length === 1) {
+    return sortedAscending[0];
+  }
+  const rank = quantile * (sortedAscending.length - 1);
+  const lower = Math.floor(rank);
+  const upper = Math.ceil(rank);
+  if (lower === upper) {
+    return sortedAscending[lower];
+  }
+  const fraction = rank - lower;
+  return sortedAscending[lower] * (1 - fraction) + sortedAscending[upper] * fraction;
+}
+
+function sum(values          )         {
+  let total = 0;
+  for (const value of values) {
+    total += value;
+  }
+  return total;
+}
+
+function makeFixture() {
+  const owner = generateHpkeKeyPair();
+  const service = generateEd25519KeyPair();
+  const trustRoot = generateEd25519KeyPair();
+  const tokenIssuer = generateEd25519KeyPair();
+  const serviceKid = textEncoder.encode("github-mcp-v1-2026-q2");
+  const log = new MockTransparencyLog(logUrl);
+  const authorizationToken = signSelloJwsToken({
+    issuerPrivateKey: tokenIssuer.privateKey,
+    payload: {
+      sub: "bench-agent",
+      owner_hpke_pk: base64urlEncode(owner.publicKey),
+      sello_logs: [logUrl],
+    },
+  });
+  const registryBytes = textEncoder.encode(
+    JSON.stringify({
+      [toHex(serviceKid)]: {
+        service_identifier: serviceIdentifier,
+        public_key_ed25519: Buffer.from(service.publicKey).toString("base64url"),
+      },
+    }),
+  );
+  const registry = loadSignedRegistry({
+    registryBytes,
+    signatureBase64Url: signRegistryJson(registryBytes, trustRoot.privateKey),
+    trustRootPublicKey: trustRoot.publicKey,
+  });
+
+  return {
+    authorizationToken,
+    tokenIssuerPublicKey: tokenIssuer.publicKey,
+    serviceKid,
+    servicePrivateKey: service.privateKey,
+    serviceIdentifier,
+    log,
+    ownerInput: () => ({
+      authorizationTokenBytes: textEncoder.encode(authorizationToken),
+      trustedLogs: [log],
+      registry,
+      ownerPrivateKey: owner.privateKey,
+    }),
+  };
+}
+
+function createBenchReceipt(
+  fixture                                ,
+  index        ,
+)                 {
+  return createReceiptFromJwsToken({
+    authorizationToken: fixture.authorizationToken,
+    tokenIssuerPublicKey: fixture.tokenIssuerPublicKey,
+    serviceKid: fixture.serviceKid,
+    servicePrivateKey: fixture.servicePrivateKey,
+    serviceIdentifier: fixture.serviceIdentifier,
+    log: fixture.log,
+    actionType: "tools/call",
+    actionInputBytes: textEncoder.encode(`bench input ${index}`),
+    actionOutputBytes: textEncoder.encode(`bench output ${index}`),
+    resultStatus: "success",
+    timestamp: timestampForIndex(index),
+  });
+}
+
+function timestampForIndex(index        )         {
+  const base = Date.parse("2026-05-28T10:00:00Z");
+  return new Date(base + index * 1000).toISOString().replace(/\.\d{3}Z$/, "Z");
+}
+
+function time(callback            )         {
+  const start = performance.now();
+  callback();
+  return performance.now() - start;
+}
+
+function parseArgs(args          )   
+                     
+                           
+                
+  {
+  let iterations = 100;
+  let warmupIterations = DEFAULT_WARMUP_ITERATIONS;
+  let json = false;
+
+  for (let index = 0; index < args.length; index += 1) {
+    const arg = args[index];
+
+    if (arg === "--json") {
+      json = true;
+      continue;
+    }
+
+    if (arg === "--iterations") {
+      const raw = args[index + 1];
+      index += 1;
+      iterations = parseIterations(raw);
+      continue;
+    }
+
+    if (arg.startsWith("--iterations=")) {
+      iterations = parseIterations(arg.slice("--iterations=".length));
+      continue;
+    }
+
+    if (arg === "--warmup") {
+      const raw = args[index + 1];
+      index += 1;
+      warmupIterations = parseWarmupIterations(raw);
+      continue;
+    }
+
+    if (arg.startsWith("--warmup=")) {
+      warmupIterations = parseWarmupIterations(arg.slice("--warmup=".length));
+      continue;
+    }
+
+    if (arg === "--help") {
+      printHelp();
+      process.exit(0);
+    }
+
+    throw new TypeError(`unknown argument: ${arg}`);
+  }
+
+  return { iterations, warmupIterations, json };
+}
+
+function parseIterations(value                    )         {
+  const iterations = Number(value);
+
+  if (!Number.isSafeInteger(iterations) || iterations < 1) {
+    throw new TypeError("--iterations must be a positive integer");
+  }
+
+  return iterations;
+}
+
+function parseWarmupIterations(value                    )         {
+  const iterations = Number(value);
+
+  if (!Number.isSafeInteger(iterations) || iterations < 0) {
+    throw new TypeError("--warmup must be a non-negative integer");
+  }
+
+  return iterations;
+}
+
+function assertVerifiedCount(actual        , expected        )       {
+  if (actual !== expected) {
+    throw new Error(`expected ${expected} verified receipts, got ${actual}`);
+  }
+}
+
+function roundMs(value        )         {
+  return Math.round(value * 1000) / 1000;
+}
+
+function printText(result             )       {
+  console.log(
+    `Sello benchmark (${result.iterations} iterations, ${result.warmup_iterations} warmup, ${result.node})`,
+  );
+  console.log("");
+  console.log("Receipt sizes:");
+  for (const [name, value] of Object.entries(result.sizes)) {
+    console.log(`  ${name}: ${value} bytes`);
+  }
+  console.log("");
+  console.log("Timings:");
+  for (const [name, value] of Object.entries(result.timings_ms)) {
+    console.log(`  ${name}: ${value} ms`);
+  }
+  console.log("");
+  console.log("Distributions:");
+  printDistribution("create_receipt", result.distributions.create_receipt);
+  printDistribution("verify_one_receipt", result.distributions.verify_one_receipt);
+}
+
+function printHelp()       {
+  console.log(`Usage: sello-bench [--iterations N] [--warmup N] [--json]
+
+Runs a local benchmark over the mock-log Sello receipt flow.
+Results are useful for rough regression tracking, not formal crypto benchmarks.`);
+}
+
+function printDistribution(name        , distribution              )       {
+  console.log(
+    `  ${name}: mean ${distribution.mean} ms, median ${distribution.median} ms, p95 ${distribution.p95} ms, p99 ${distribution.p99} ms, stddev ${distribution.stddev} ms`,
+  );
+}

package/dist/cli/demo.js

@@ -0,0 +1,113 @@
+#!/usr/bin/env node
+
+import { encodeCbor } from "../cbor.js";
+import { decodeReceiptEnvelope, generateEd25519KeyPair } from "../cose/sign1.js";
+import { toHex } from "../crypto/identifiers.js";
+import { generateHpkeKeyPair } from "../hpke/receipt.js";
+import { MockTransparencyLog } from "../log/mock-log.js";
+import { verifyReceipts } from "../owner/verify.js";
+import {
+  loadSignedRegistry,
+  signRegistryJson,
+} from "../registry/json-registry.js";
+import { createReceiptFromJwsToken } from "../service/create-receipt.js";
+import { base64urlEncode, signSelloJwsToken } from "../token/jws-profile.js";
+
+const textEncoder = new TextEncoder();
+const logUrl = "https://rekor.example.com/api"                   ;
+const serviceIdentifier = "github.com/mcp/v1";
+
+const owner = generateHpkeKeyPair();
+const service = generateEd25519KeyPair();
+const trustRoot = generateEd25519KeyPair();
+const tokenIssuer = generateEd25519KeyPair();
+const serviceKid = textEncoder.encode("github-mcp-v1-2026-q2");
+const log = new MockTransparencyLog(logUrl);
+const authorizationToken = signSelloJwsToken({
+  issuerPrivateKey: tokenIssuer.privateKey,
+  payload: {
+    sub: "demo-agent",
+    owner_hpke_pk: base64urlEncode(owner.publicKey),
+    sello_logs: [logUrl],
+  },
+});
+const registryBytes = textEncoder.encode(
+  JSON.stringify({
+    [toHex(serviceKid)]: {
+      service_identifier: serviceIdentifier,
+      public_key_ed25519: Buffer.from(service.publicKey).toString("base64url"),
+    },
+  }),
+);
+const registry = loadSignedRegistry({
+  registryBytes,
+  signatureBase64Url: signRegistryJson(registryBytes, trustRoot.privateKey),
+  trustRootPublicKey: trustRoot.publicKey,
+});
+
+const created = [
+  createDemoReceipt("success", "2026-05-28T10:00:00Z", "issue created"),
+  createDemoReceipt("error", "2026-05-28T10:00:01Z", "service error"),
+  createDemoReceipt("denied", "2026-05-28T10:00:02Z", "ignored"),
+];
+
+if (process.argv.includes("--tamper")) {
+  const decoded = decodeReceiptEnvelope(created[0].envelope);
+  log.append(
+    encodeCbor([
+      decoded.protectedBytes,
+      new Map(),
+      textEncoder.encode("tampered payload"),
+      decoded.signature,
+    ]),
+    "2026-05-28T10:00:03Z",
+  );
+}
+
+const result = verifyReceipts({
+  authorizationTokenBytes: textEncoder.encode(authorizationToken),
+  trustedLogs: [log],
+  registry,
+  ownerPrivateKey: owner.privateKey,
+});
+
+console.log(
+  JSON.stringify(
+    {
+      receipts: result.receipts.map((record) => ({
+        service: record.serviceIdentifier,
+        "action-type": record.receipt["action-type"],
+        "result-status": record.receipt["result-status"],
+        timestamp: record.receipt.timestamp,
+        verified: record.status === "valid",
+        status: record.status,
+      })),
+      rejected: result.rejected.map((record) => ({
+        code: record.code,
+        message: record.message,
+      })),
+    },
+    null,
+    2,
+  ),
+);
+
+function createDemoReceipt(
+  resultStatus                                ,
+  timestamp        ,
+  outputText        ,
+) {
+  return createReceiptFromJwsToken({
+    authorizationToken,
+    tokenIssuerPublicKey: tokenIssuer.publicKey,
+    serviceKid,
+    servicePrivateKey: service.privateKey,
+    serviceIdentifier,
+    log,
+    actionType: "tools/call",
+    actionInputBytes: textEncoder.encode(`demo ${resultStatus} input`),
+    actionOutputBytes: textEncoder.encode(outputText),
+    resultStatus,
+    timestamp,
+  });
+}