usertrust 0.1.0

package/dist/audit/canonical.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Deterministic JSON canonicalization for hash computation.
+ * Sorts object keys alphabetically at every nesting level.
+ * Strips undefined values. Preserves null. Arrays keep order.
+ */
+export declare function canonicalize(value: unknown): string;
+//# sourceMappingURL=canonical.d.ts.map

package/dist/audit/canonical.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical.d.ts","sourceRoot":"","sources":["../../src/audit/canonical.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAcnD"}

package/dist/audit/canonical.js

@@ -0,0 +1,24 @@
+/**
+ * Deterministic JSON canonicalization for hash computation.
+ * Sorts object keys alphabetically at every nesting level.
+ * Strips undefined values. Preserves null. Arrays keep order.
+ */
+export function canonicalize(value) {
+    if (value === null || value === undefined)
+        return JSON.stringify(value);
+    if (typeof value !== "object")
+        return JSON.stringify(value);
+    if (Array.isArray(value)) {
+        return `[${value.map((v) => canonicalize(v)).join(",")}]`;
+    }
+    const obj = value;
+    const keys = Object.keys(obj).sort();
+    const parts = [];
+    for (const key of keys) {
+        if (obj[key] === undefined)
+            continue;
+        parts.push(`${JSON.stringify(key)}:${canonicalize(obj[key])}`);
+    }
+    return `{${parts.join(",")}}`;
+}
+//# sourceMappingURL=canonical.js.map

package/dist/audit/canonical.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical.js","sourceRoot":"","sources":["../../src/audit/canonical.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,KAAc;IAC1C,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACxE,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC5D,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IAC3D,CAAC;IACD,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACxB,IAAI,GAAG,CAAC,GAAG,CAAC,KAAK,SAAS;YAAE,SAAS;QACrC,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;AAC/B,CAAC"}

package/dist/audit/chain.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Audit Chain Writer — SHA-256 hash-chained JSONL
+ *
+ * Appends audit events to a JSONL log where each event's hash covers
+ * the previous event's hash, creating a tamper-evident chain. Single-writer
+ * semantics are enforced via advisory file lock + in-process async mutex.
+ *
+ * Adapted from usertools-stealth governance/audit/writer.ts — removes
+ * SurrealDB dual-write, replaces sendAlert with console.warn, replaces
+ * writeDeadLetter with local DLQ JSONL.
+ */
+import type { AuditEvent } from "../shared/types.js";
+export interface AppendEventInput {
+    kind: string;
+    actor: string;
+    data: Record<string, unknown>;
+}
+export interface AuditWriter {
+    appendEvent(input: AppendEventInput): Promise<AuditEvent>;
+    getWriteFailures(): number;
+    isDegraded(): boolean;
+    flush(): Promise<void>;
+    release(): void;
+}
+/**
+ * Create an audit writer instance for the given vault path.
+ *
+ * The writer appends events to `<vaultPath>/.usertools/audit/events.jsonl`.
+ * Each event's SHA-256 hash covers the previous event's hash, creating a
+ * tamper-evident chain. The first event chains from GENESIS_HASH.
+ */
+export declare function createAuditWriter(vaultPath: string): AuditWriter;
+//# sourceMappingURL=chain.d.ts.map

package/dist/audit/chain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"chain.d.ts","sourceRoot":"","sources":["../../src/audit/chain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAeH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAKrD,MAAM,WAAW,gBAAgB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,WAAW;IAC3B,WAAW,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAC1D,gBAAgB,IAAI,MAAM,CAAC;IAC3B,UAAU,IAAI,OAAO,CAAC;IACtB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACvB,OAAO,IAAI,IAAI,CAAC;CAChB;AAqMD;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,WAAW,CAyGhE"}

package/dist/audit/chain.js

@@ -0,0 +1,285 @@
+/**
+ * Audit Chain Writer — SHA-256 hash-chained JSONL
+ *
+ * Appends audit events to a JSONL log where each event's hash covers
+ * the previous event's hash, creating a tamper-evident chain. Single-writer
+ * semantics are enforced via advisory file lock + in-process async mutex.
+ *
+ * Adapted from usertools-stealth governance/audit/writer.ts — removes
+ * SurrealDB dual-write, replaces sendAlert with console.warn, replaces
+ * writeDeadLetter with local DLQ JSONL.
+ */
+import { createHash, randomUUID } from "node:crypto";
+import { closeSync, existsSync, fsyncSync, mkdirSync, openSync, readFileSync, unlinkSync, writeSync, } from "node:fs";
+import { dirname, join } from "node:path";
+import { GENESIS_HASH, VAULT_DIR } from "../shared/constants.js";
+import { canonicalize } from "./canonical.js";
+// ── AsyncMutex ──
+/**
+ * In-process async mutex for serializing audit writes.
+ *
+ * SINGLE-PROCESS CONSTRAINT: This mutex is process-local (in-memory).
+ * It guarantees sequential writes within a single Node.js process but
+ * provides NO protection across multiple processes.
+ */
+class AsyncMutex {
+    queue = Promise.resolve();
+    async acquire() {
+        let release;
+        const next = new Promise((resolve) => {
+            release = resolve;
+        });
+        const prev = this.queue;
+        this.queue = next;
+        await prev;
+        return release;
+    }
+}
+// ── Advisory Lock ──
+function acquireProcessLock(logPath, locksByDir) {
+    const dir = dirname(logPath);
+    if (locksByDir.has(dir))
+        return;
+    const candidateLockPath = `${dir}/.audit-writer.lock`;
+    if (existsSync(candidateLockPath)) {
+        try {
+            const content = readFileSync(candidateLockPath, "utf-8");
+            const lockData = JSON.parse(content);
+            if (lockData.pid === process.pid) {
+                console.warn(`[AUDIT] Reclaiming stale same-PID lock (PID ${process.pid}). Previous process exited without releasing the lock.`);
+                unlinkSync(candidateLockPath);
+            }
+            else {
+                try {
+                    process.kill(lockData.pid, 0);
+                    throw new Error(`Audit writer lock held by PID ${lockData.pid}. Only one process may write to the audit log. Lock file: ${candidateLockPath}`);
+                }
+                catch (killErr) {
+                    if (killErr instanceof Error && "code" in killErr) {
+                        const code = killErr.code;
+                        if (code === "ESRCH") {
+                            unlinkSync(candidateLockPath);
+                        }
+                        else if (code === "EPERM") {
+                            throw new Error(`Audit writer lock held by PID ${lockData.pid}. Only one process may write to the audit log. Lock file: ${candidateLockPath}`);
+                        }
+                        else {
+                            throw killErr;
+                        }
+                    }
+                    else {
+                        throw killErr;
+                    }
+                }
+            }
+        }
+        catch (parseErr) {
+            if (parseErr instanceof Error && parseErr.message.includes("Audit writer lock held")) {
+                throw parseErr;
+            }
+            try {
+                unlinkSync(candidateLockPath);
+            }
+            catch {
+                /* best effort */
+            }
+        }
+    }
+    const fd = openSync(candidateLockPath, "wx");
+    const lockContent = JSON.stringify({
+        pid: process.pid,
+        startedAt: new Date().toISOString(),
+    });
+    writeSync(fd, lockContent);
+    fsyncSync(fd);
+    locksByDir.set(dir, { fd, path: candidateLockPath });
+}
+function releaseLocks(locksByDir) {
+    for (const [dir, lock] of locksByDir) {
+        try {
+            closeSync(lock.fd);
+        }
+        catch {
+            /* already closed */
+        }
+        try {
+            unlinkSync(lock.path);
+        }
+        catch {
+            /* already removed */
+        }
+        locksByDir.delete(dir);
+    }
+}
+function getLastEvent(logPath, cache) {
+    const cached = cache.get(logPath);
+    if (cached)
+        return cached;
+    if (!existsSync(logPath))
+        return null;
+    const content = readFileSync(logPath, "utf-8").trim();
+    if (!content) {
+        const metaPath = `${logPath}.meta`;
+        if (existsSync(metaPath)) {
+            try {
+                const meta = JSON.parse(readFileSync(metaPath, "utf-8"));
+                return { hash: meta.lastHash, sequence: meta.sequence };
+            }
+            catch {
+                /* ignore corrupt meta */
+            }
+        }
+        return null;
+    }
+    const lines = content.split("\n");
+    const lastLine = lines[lines.length - 1];
+    if (!lastLine)
+        return null;
+    try {
+        const event = JSON.parse(lastLine);
+        const sequence = typeof event.sequence === "number" ? event.sequence : lines.length;
+        const tail = { hash: event.hash, sequence };
+        cache.set(logPath, tail);
+        return tail;
+    }
+    catch {
+        const metaPath = `${logPath}.meta`;
+        if (existsSync(metaPath)) {
+            try {
+                const meta = JSON.parse(readFileSync(metaPath, "utf-8"));
+                return { hash: meta.lastHash, sequence: meta.sequence };
+            }
+            catch {
+                /* ignore corrupt meta */
+            }
+        }
+        return null;
+    }
+}
+// ── DLQ Writer ──
+function writeDeadLetter(vaultPath, entry) {
+    try {
+        const dlqDir = join(vaultPath, VAULT_DIR, "dlq");
+        if (!existsSync(dlqDir)) {
+            mkdirSync(dlqDir, { recursive: true });
+        }
+        const dlqPath = join(dlqDir, "dead-letters.jsonl");
+        const fd = openSync(dlqPath, "a");
+        try {
+            writeSync(fd, `${JSON.stringify(entry)}\n`);
+            fsyncSync(fd);
+        }
+        finally {
+            closeSync(fd);
+        }
+    }
+    catch {
+        // DLQ write failure — last resort, cannot do anything else
+        console.error("[AUDIT] Dead-letter write failed", entry);
+    }
+}
+// ── Factory ──
+/**
+ * Create an audit writer instance for the given vault path.
+ *
+ * The writer appends events to `<vaultPath>/.usertools/audit/events.jsonl`.
+ * Each event's SHA-256 hash covers the previous event's hash, creating a
+ * tamper-evident chain. The first event chains from GENESIS_HASH.
+ */
+export function createAuditWriter(vaultPath) {
+    const auditDir = join(vaultPath, VAULT_DIR, "audit");
+    if (!existsSync(auditDir)) {
+        mkdirSync(auditDir, { recursive: true });
+    }
+    const logPath = join(auditDir, "events.jsonl");
+    const mutex = new AsyncMutex();
+    const lastEventCache = new Map();
+    const locksByDir = new Map();
+    let degraded = false;
+    let writeFailures = 0;
+    async function appendEvent(input) {
+        const release = await mutex.acquire();
+        try {
+            acquireProcessLock(logPath, locksByDir);
+            const last = getLastEvent(logPath, lastEventCache);
+            const previousHash = last?.hash ?? GENESIS_HASH;
+            const sequence = (last?.sequence ?? 0) + 1;
+            const event = {
+                id: randomUUID(),
+                timestamp: new Date().toISOString(),
+                previousHash,
+                kind: input.kind,
+                actor: input.actor,
+                data: input.data,
+                sequence,
+            };
+            const canonical = canonicalize(event);
+            const hash = createHash("sha256").update(canonical).digest("hex");
+            const fullEvent = {
+                ...event,
+                hash,
+            };
+            const fd = openSync(logPath, "a");
+            try {
+                writeSync(fd, `${JSON.stringify(fullEvent)}\n`);
+                fsyncSync(fd);
+            }
+            finally {
+                closeSync(fd);
+            }
+            lastEventCache.set(logPath, { hash, sequence });
+            // Persist last hash to sidecar for cross-segment chain continuity
+            const metaPath = `${logPath}.meta`;
+            const metaFd = openSync(metaPath, "w");
+            try {
+                writeSync(metaFd, JSON.stringify({ lastHash: hash, sequence }));
+                fsyncSync(metaFd);
+            }
+            finally {
+                closeSync(metaFd);
+            }
+            return fullEvent;
+        }
+        catch (err) {
+            degraded = true;
+            writeFailures++;
+            console.warn("[AUDIT] Audit trail degraded — write failed", {
+                error: err instanceof Error ? err.message : String(err),
+            });
+            writeDeadLetter(vaultPath, {
+                source: "audit.chain.appendEvent",
+                payload: input,
+                error: err instanceof Error ? err.message : String(err),
+                timestamp: new Date().toISOString(),
+            });
+            throw err;
+        }
+        finally {
+            release();
+        }
+    }
+    function getWriteFailures() {
+        return writeFailures;
+    }
+    function isDegradedFn() {
+        return degraded;
+    }
+    async function flush() {
+        const release = await mutex.acquire();
+        release();
+    }
+    function releaseWriter() {
+        lastEventCache.clear();
+        releaseLocks(locksByDir);
+        degraded = false;
+        writeFailures = 0;
+    }
+    return {
+        appendEvent,
+        getWriteFailures,
+        isDegraded: isDegradedFn,
+        flush,
+        release: releaseWriter,
+    };
+}
+//# sourceMappingURL=chain.js.map

package/dist/audit/chain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"chain.js","sourceRoot":"","sources":["../../src/audit/chain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EACN,SAAS,EACT,UAAU,EACV,SAAS,EACT,SAAS,EACT,QAAQ,EACR,YAAY,EACZ,UAAU,EACV,SAAS,GACT,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEjE,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAkB9C,mBAAmB;AAEnB;;;;;;GAMG;AACH,MAAM,UAAU;IACP,KAAK,GAAkB,OAAO,CAAC,OAAO,EAAE,CAAC;IAEjD,KAAK,CAAC,OAAO;QACZ,IAAI,OAAiC,CAAC;QACtC,MAAM,IAAI,GAAG,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;YAC1C,OAAO,GAAG,OAAO,CAAC;QACnB,CAAC,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC;QACxB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,MAAM,IAAI,CAAC;QACX,OAAO,OAAqB,CAAC;IAC9B,CAAC;CACD;AAED,sBAAsB;AAEtB,SAAS,kBAAkB,CAC1B,OAAe,EACf,UAAqD;IAErD,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC7B,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO;IAEhC,MAAM,iBAAiB,GAAG,GAAG,GAAG,qBAAqB,CAAC;IAEtD,IAAI,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACnC,IAAI,CAAC;YACJ,MAAM,OAAO,GAAG,YAAY,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;YACzD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAoB,CAAC;YACxD,IAAI,QAAQ,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,EAAE,CAAC;gBAClC,OAAO,CAAC,IAAI,CACX,+CAA+C,OAAO,CAAC,GAAG,wDAAwD,CAClH,CAAC;gBACF,UAAU,CAAC,iBAAiB,CAAC,CAAC;YAC/B,CAAC;iBAAM,CAAC;gBACP,IAAI,CAAC;oBACJ,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;oBAC9B,MAAM,IAAI,KAAK,CACd,iCAAiC,QAAQ,CAAC,GAAG,6DAA6D,iBAAiB,EAAE,CAC7H,CAAC;gBACH,CAAC;gBAAC,OAAO,OAAgB,EAAE,CAAC;oBAC3B,IAAI,OAAO,YAAY,KAAK,IAAI,MAAM,IAAI,OAAO,EAAE,CAAC;wBACnD,MAAM,IAAI,GAAI,OAA6B,CAAC,IAAI,CAAC;wBACjD,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;4BACtB,UAAU,CAAC,iBAAiB,CAAC,CAAC;wBAC/B,CAAC;6BAAM,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;4BAC7B,MAAM,IAAI,KAAK,CACd,iCAAiC,QAAQ,CAAC,GAAG,6DAA6D,iBAAiB,EAAE,CAC7H,CAAC;wBACH,CAAC;6BAAM,CAAC;4BACP,MAAM,OAAO,CAAC;wBACf,CAAC;oBACF,CAAC;yBAAM,CAAC;wBACP,MAAM,OAAO,CAAC;oBACf,CAAC;gBACF,CAAC;YACF,CAAC;QACF,CAAC;QAAC,OAAO,QAAQ,EAAE,CAAC;YACnB,IAAI,QAAQ,YAAY,KAAK,IAAI,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,CAAC;gBACtF,MAAM,QAAQ,CAAC;YAChB,CAAC;YACD,IAAI,CAAC;gBACJ,UAAU,CAAC,iBAAiB,CAAC,CAAC;YAC/B,CAAC;YAAC,MAAM,CAAC;gBACR,iBAAiB;YAClB,CAAC;QACF,CAAC;IACF,CAAC;IAED,MAAM,EAAE,GAAG,QAAQ,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC;QAClC,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACnC,CAAC,CAAC;IACH,SAAS,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;IAC3B,SAAS,CAAC,EAAE,CAAC,CAAC;IACd,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,iBAAiB,EAAE,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,YAAY,CAAC,UAAqD;IAC1E,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,UAAU,EAAE,CAAC;QACtC,IAAI,CAAC;YACJ,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACR,oBAAoB;QACrB,CAAC;QACD,IAAI,CAAC;YACJ,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACR,qBAAqB;QACtB,CAAC;QACD,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACxB,CAAC;AACF,CAAC;AASD,SAAS,YAAY,CAAC,OAAe,EAAE,KAA8B;IACpE,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAClC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAEtC,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;IACtD,IAAI,CAAC,OAAO,EAAE,CAAC;QACd,MAAM,QAAQ,GAAG,GAAG,OAAO,OAAO,CAAC;QACnC,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1B,IAAI,CAAC;gBACJ,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAGtD,CAAC;gBACF,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACzD,CAAC;YAAC,MAAM,CAAC;gBACR,yBAAyB;YAC1B,CAAC;QACF,CAAC;QACD,OAAO,IAAI,CAAC;IACb,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACzC,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,IAAI,CAAC;QACJ,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAuC,CAAC;QACzE,MAAM,QAAQ,GAAG,OAAO,KAAK,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC;QACpF,MAAM,IAAI,GAAe,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,QAAQ,EAAE,CAAC;QACxD,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACzB,OAAO,IAAI,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACR,MAAM,QAAQ,GAAG,GAAG,OAAO,OAAO,CAAC;QACnC,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1B,IAAI,CAAC;gBACJ,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAGtD,CAAC;gBACF,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACzD,CAAC;YAAC,MAAM,CAAC;gBACR,yBAAyB;YAC1B,CAAC;QACF,CAAC;QACD,OAAO,IAAI,CAAC;IACb,CAAC;AACF,CAAC;AAED,mBAAmB;AAEnB,SAAS,eAAe,CACvB,SAAiB,EACjB,KAMC;IAED,IAAI,CAAC;QACJ,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;QACjD,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACzB,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACxC,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC;QACnD,MAAM,EAAE,GAAG,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC;YACJ,SAAS,CAAC,EAAE,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC5C,SAAS,CAAC,EAAE,CAAC,CAAC;QACf,CAAC;gBAAS,CAAC;YACV,SAAS,CAAC,EAAE,CAAC,CAAC;QACf,CAAC;IACF,CAAC;IAAC,MAAM,CAAC;QACR,2DAA2D;QAC3D,OAAO,CAAC,KAAK,CAAC,kCAAkC,EAAE,KAAK,CAAC,CAAC;IAC1D,CAAC;AACF,CAAC;AAED,gBAAgB;AAEhB;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAAC,SAAiB;IAClD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IACrD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3B,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IAE/C,MAAM,KAAK,GAAG,IAAI,UAAU,EAAE,CAAC;IAC/B,MAAM,cAAc,GAAG,IAAI,GAAG,EAAsB,CAAC;IACrD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAwC,CAAC;IACnE,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,aAAa,GAAG,CAAC,CAAC;IAEtB,KAAK,UAAU,WAAW,CAAC,KAAuB;QACjD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE,CAAC;QACtC,IAAI,CAAC;YACJ,kBAAkB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YAExC,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;YACnD,MAAM,YAAY,GAAG,IAAI,EAAE,IAAI,IAAI,YAAY,CAAC;YAChD,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAE3C,MAAM,KAAK,GAAoD;gBAC9D,EAAE,EAAE,UAAU,EAAE;gBAChB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,YAAY;gBACZ,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,QAAQ;aACR,CAAC;YAEF,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;YACtC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAElE,MAAM,SAAS,GAAsC;gBACpD,GAAG,KAAK;gBACR,IAAI;aACJ,CAAC;YAEF,MAAM,EAAE,GAAG,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAClC,IAAI,CAAC;gBACJ,SAAS,CAAC,EAAE,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;gBAChD,SAAS,CAAC,EAAE,CAAC,CAAC;YACf,CAAC;oBAAS,CAAC;gBACV,SAAS,CAAC,EAAE,CAAC,CAAC;YACf,CAAC;YACD,cAAc,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;YAEhD,kEAAkE;YAClE,MAAM,QAAQ,GAAG,GAAG,OAAO,OAAO,CAAC;YACnC,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;YACvC,IAAI,CAAC;gBACJ,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;gBAChE,SAAS,CAAC,MAAM,CAAC,CAAC;YACnB,CAAC;oBAAS,CAAC;gBACV,SAAS,CAAC,MAAM,CAAC,CAAC;YACnB,CAAC;YAED,OAAO,SAAS,CAAC;QAClB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,QAAQ,GAAG,IAAI,CAAC;YAChB,aAAa,EAAE,CAAC;YAChB,OAAO,CAAC,IAAI,CAAC,6CAA6C,EAAE;gBAC3D,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACvD,CAAC,CAAC;YACH,eAAe,CAAC,SAAS,EAAE;gBAC1B,MAAM,EAAE,yBAAyB;gBACjC,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;gBACvD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACnC,CAAC,CAAC;YACH,MAAM,GAAG,CAAC;QACX,CAAC;gBAAS,CAAC;YACV,OAAO,EAAE,CAAC;QACX,CAAC;IACF,CAAC;IAED,SAAS,gBAAgB;QACxB,OAAO,aAAa,CAAC;IACtB,CAAC;IAED,SAAS,YAAY;QACpB,OAAO,QAAQ,CAAC;IACjB,CAAC;IAED,KAAK,UAAU,KAAK;QACnB,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE,CAAC;QACtC,OAAO,EAAE,CAAC;IACX,CAAC;IAED,SAAS,aAAa;QACrB,cAAc,CAAC,KAAK,EAAE,CAAC;QACvB,YAAY,CAAC,UAAU,CAAC,CAAC;QACzB,QAAQ,GAAG,KAAK,CAAC;QACjB,aAAa,GAAG,CAAC,CAAC;IACnB,CAAC;IAED,OAAO;QACN,WAAW;QACX,gBAAgB;QAChB,UAAU,EAAE,YAAY;QACxB,KAAK;QACL,OAAO,EAAE,aAAa;KACtB,CAAC;AACH,CAAC"}

package/dist/audit/entropy.d.ts

@@ -0,0 +1,95 @@
+/**
+ * Entropy Diagnostics — Governance Health Signal
+ *
+ * Derives 6 entropy signals from audit event data to assess governance
+ * health. Entropy is a diagnostic signal, not a runtime gate.
+ *
+ * Signals:
+ *   1. Policy violations
+ *   2. Budget utilization
+ *   3. Chain integrity
+ *   4. PII detections
+ *   5. Circuit breaker trips
+ *   6. Pattern memory hits
+ *
+ * Returns a composite score 0–100 (0 = healthy, 100 = maximum entropy).
+ *
+ * Adapted from Field Project fermion/neutrino/entropy.ts — signals
+ * remapped to SDK vault structure.
+ */
+export interface EntropyEventInput {
+    kind: string;
+    data: Record<string, unknown>;
+}
+export interface EntropySignal {
+    /** Machine-readable condition identifier */
+    condition: string;
+    /** Human-readable label */
+    label: string;
+    /** Signal value 0–1 (0 = no entropy, 1 = full entropy) */
+    value: number;
+    /** Number of events exhibiting this condition */
+    hits: number;
+    /** Total relevant events evaluated */
+    total: number;
+}
+export type EntropyLevel = "low" | "elevated" | "critical";
+export interface EntropyReport {
+    /** Composite score 0–100 (weighted average of all signals, scaled) */
+    score: number;
+    /** Human-readable level derived from score */
+    level: EntropyLevel;
+    /** Per-signal breakdown */
+    signals: EntropySignal[];
+    /** ISO-8601 timestamp when the report was computed */
+    computedAt: string;
+    /** Number of events analyzed */
+    eventCount: number;
+}
+/**
+ * Signal 1: Policy violations
+ *
+ * Events where kind contains "policy" and data indicates a deny/block decision.
+ */
+export declare function extractPolicyViolations(events: EntropyEventInput[]): EntropySignal;
+/**
+ * Signal 2: Budget utilization
+ *
+ * Events with budget data where utilization exceeds 80%.
+ */
+export declare function extractBudgetUtilization(events: EntropyEventInput[]): EntropySignal;
+/**
+ * Signal 3: Chain integrity
+ *
+ * Events indicating hash chain verification failures or audit degradation.
+ */
+export declare function extractChainIntegrity(events: EntropyEventInput[]): EntropySignal;
+/**
+ * Signal 4: PII detections
+ *
+ * Events where PII was detected in the data flow.
+ */
+export declare function extractPiiDetections(events: EntropyEventInput[]): EntropySignal;
+/**
+ * Signal 5: Circuit breaker trips
+ *
+ * Events where circuit breakers were triggered.
+ */
+export declare function extractCircuitBreakerTrips(events: EntropyEventInput[]): EntropySignal;
+/**
+ * Signal 6: Pattern memory hits
+ *
+ * Events where pattern memory detected recurring issues or anomalies.
+ */
+export declare function extractPatternMemoryHits(events: EntropyEventInput[]): EntropySignal;
+/**
+ * Compute the composite entropy report from audit events.
+ *
+ * Each of the 6 signals contributes equally (weight = 1/6).
+ * The composite score is 0–100.
+ *
+ * @param events - Array of audit events to analyze
+ * @returns Entropy report with composite score and per-signal breakdown
+ */
+export declare function computeEntropyScore(events: EntropyEventInput[]): EntropyReport;
+//# sourceMappingURL=entropy.d.ts.map

package/dist/audit/entropy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entropy.d.ts","sourceRoot":"","sources":["../../src/audit/entropy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAIH,MAAM,WAAW,iBAAiB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC7B,4CAA4C;IAC5C,SAAS,EAAE,MAAM,CAAC;IAClB,2BAA2B;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,0DAA0D;IAC1D,KAAK,EAAE,MAAM,CAAC;IACd,iDAAiD;IACjD,IAAI,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,KAAK,EAAE,MAAM,CAAC;CACd;AAED,MAAM,MAAM,YAAY,GAAG,KAAK,GAAG,UAAU,GAAG,UAAU,CAAC;AAE3D,MAAM,WAAW,aAAa;IAC7B,sEAAsE;IACtE,KAAK,EAAE,MAAM,CAAC;IACd,8CAA8C;IAC9C,KAAK,EAAE,YAAY,CAAC;IACpB,2BAA2B;IAC3B,OAAO,EAAE,aAAa,EAAE,CAAC;IACzB,sDAAsD;IACtD,UAAU,EAAE,MAAM,CAAC;IACnB,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;CACnB;AAID;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,iBAAiB,EAAE,GAAG,aAAa,CAmBlF;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,iBAAiB,EAAE,GAAG,aAAa,CAkCnF;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,iBAAiB,EAAE,GAAG,aAAa,CAwBhF;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,iBAAiB,EAAE,GAAG,aAAa,CA0B/E;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,iBAAiB,EAAE,GAAG,aAAa,CA2BrF;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,iBAAiB,EAAE,GAAG,aAAa,CA4BnF;AAmBD;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,iBAAiB,EAAE,GAAG,aAAa,CAc9E"}