vaspera 2.13.0 → 2.15.0

package/dist/__tests__/evidence/evidence.test.js

@@ -0,0 +1,240 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdtemp, rm, mkdir, writeFile } from "fs/promises";
+import { tmpdir } from "os";
+import { join } from "path";
+import { createHash } from "crypto";
+import { collectEvidence, calculateBundleDigest, formatEvidenceBundleAsMarkdown, } from "../../evidence/collector.js";
+import { storeEvidenceBundle, loadEvidenceBundle, listEvidenceBundles, verifyEvidenceBundle, getEvidenceStats, } from "../../evidence/store.js";
+const sha256 = (s) => createHash("sha256").update(Buffer.from(s, "utf-8")).digest("hex");
+function artifact(name, content) {
+    return {
+        type: "scan_result",
+        name,
+        description: `${name} artifact`,
+        contentDigest: sha256(content),
+        sizeBytes: Buffer.byteLength(content),
+        collectedAt: "2026-01-01T00:00:00.000Z",
+        content,
+    };
+}
+/** Seed a .vaspera dir with the files collectEvidence looks for. */
+async function seedVasperaDir(projectPath) {
+    const v = join(projectPath, ".vaspera");
+    await mkdir(join(v, "scans"), { recursive: true });
+    await writeFile(join(v, "config.json"), JSON.stringify({ rules: ["a"] }), "utf-8");
+    await writeFile(join(v, "history.jsonl"), '{"type":"scan","hash":"abc"}\n', "utf-8");
+    await writeFile(join(v, "sbom.json"), JSON.stringify({ bomFormat: "CycloneDX" }), "utf-8");
+    await writeFile(join(v, "scans", "scan-001.json"), JSON.stringify({ findings: [] }), "utf-8");
+}
+describe("calculateBundleDigest", () => {
+    it("is deterministic and order-independent (artifacts are sorted)", () => {
+        const a = artifact("a", "alpha");
+        const b = artifact("b", "beta");
+        const c = artifact("c", "gamma");
+        const d1 = calculateBundleDigest([a, b, c]);
+        const d2 = calculateBundleDigest([c, a, b]);
+        expect(d1).toBe(d2);
+        expect(d1).toMatch(/^[a-f0-9]{64}$/);
+    });
+    it("changes when any artifact content digest changes", () => {
+        const base = calculateBundleDigest([artifact("a", "alpha"), artifact("b", "beta")]);
+        const altered = calculateBundleDigest([artifact("a", "alpha"), artifact("b", "BETA")]);
+        expect(altered).not.toBe(base);
+    });
+    it("is empty-set stable", () => {
+        expect(calculateBundleDigest([])).toBe(sha256(""));
+    });
+});
+describe("collectEvidence", () => {
+    let dir;
+    beforeEach(async () => {
+        dir = await mkdtemp(join(tmpdir(), "evidence-collect-"));
+    });
+    afterEach(async () => {
+        await rm(dir, { recursive: true, force: true });
+    });
+    it("collects artifacts from .vaspera and produces a self-consistent bundle digest", async () => {
+        await seedVasperaDir(dir);
+        const result = await collectEvidence({ projectPath: dir, certificationId: "cert-1" });
+        expect(result.success).toBe(true);
+        const bundle = result.bundle;
+        expect(bundle.certificationId).toBe("cert-1");
+        expect(bundle.artifacts.length).toBeGreaterThan(0);
+        // bundle digest recomputes to the same value from its own artifacts
+        expect(calculateBundleDigest(bundle.artifacts)).toBe(bundle.bundleDigest);
+        // every artifact's digest matches its inline content
+        for (const a of bundle.artifacts) {
+            if (a.content)
+                expect(sha256(a.content)).toBe(a.contentDigest);
+        }
+    });
+    it("warns (not fails) when expected files are missing", async () => {
+        const result = await collectEvidence({ projectPath: dir, includeScanResults: true });
+        expect(result.success).toBe(true);
+        expect(result.warnings.length).toBeGreaterThan(0);
+    });
+});
+describe("verifyEvidenceBundle — the integrity guarantee", () => {
+    let dir;
+    beforeEach(async () => {
+        dir = await mkdtemp(join(tmpdir(), "evidence-verify-"));
+        await seedVasperaDir(dir);
+    });
+    afterEach(async () => {
+        await rm(dir, { recursive: true, force: true });
+    });
+    it("verifies an untampered freshly collected bundle", async () => {
+        const { bundle } = await collectEvidence({ projectPath: dir });
+        const result = await verifyEvidenceBundle(bundle);
+        expect(result.verified).toBe(true);
+        expect(result.artifactsIntact).toBe(true);
+        expect(result.failedArtifacts).toEqual([]);
+    });
+    it("detects tampered inline artifact content (digest mismatch)", async () => {
+        const { bundle } = await collectEvidence({ projectPath: dir });
+        // Tamper with content but recompute the bundle digest so the top-level
+        // check passes — forcing the per-artifact check to be the thing that catches it.
+        const target = bundle.artifacts.find((a) => a.content);
+        target.content = `${target.content} /* injected */`;
+        bundle.bundleDigest = calculateBundleDigest(bundle.artifacts);
+        const result = await verifyEvidenceBundle(bundle);
+        expect(result.verified).toBe(false);
+        expect(result.artifactsIntact).toBe(false);
+        expect(result.failedArtifacts).toContain(target.name);
+    });
+    it("detects a forged bundle digest", async () => {
+        const { bundle } = await collectEvidence({ projectPath: dir });
+        bundle.bundleDigest = "0".repeat(64);
+        const result = await verifyEvidenceBundle(bundle);
+        expect(result.verified).toBe(false);
+        expect(result.artifactsIntact).toBe(false);
+        expect(result.error).toMatch(/digest mismatch/i);
+    });
+    it("detects an artifact added without updating the bundle digest", async () => {
+        const { bundle } = await collectEvidence({ projectPath: dir });
+        bundle.artifacts.push(artifact("smuggled", "malicious payload"));
+        // bundleDigest left stale on purpose
+        const result = await verifyEvidenceBundle(bundle);
+        expect(result.verified).toBe(false);
+        expect(result.error).toMatch(/digest mismatch/i);
+    });
+    it("an unsigned bundle verifies with signatureValid undefined", async () => {
+        const { bundle } = await collectEvidence({ projectPath: dir });
+        const result = await verifyEvidenceBundle(bundle);
+        expect(result.verified).toBe(true);
+        expect(result.signatureValid).toBeUndefined();
+    });
+    it("verifies a real-shaped Sigstore signature over the bundle digest", async () => {
+        const { bundle } = await collectEvidence({ projectPath: dir });
+        // Mirror what collectEvidence({sign:true}) attaches: the signature is over
+        // bundleDigest, with a Sigstore bundle carrying a transparency-log entry.
+        bundle.signature = {
+            signed: true,
+            digest: sha256(bundle.bundleDigest),
+            signedAt: "2026-01-01T00:00:00.000Z",
+            rekorLogIndex: "12345",
+            bundle: { verificationMaterial: { tlogEntries: [{ logIndex: "12345" }] } },
+        };
+        const result = await verifyEvidenceBundle(bundle);
+        expect(result.signatureValid).toBe(true);
+        expect(result.verified).toBe(true);
+    });
+    it("rejects a signature whose digest does not match the bundle digest", async () => {
+        const { bundle } = await collectEvidence({ projectPath: dir });
+        bundle.signature = {
+            signed: true,
+            digest: sha256("not-the-bundle-digest"),
+            signedAt: "2026-01-01T00:00:00.000Z",
+            bundle: { verificationMaterial: { tlogEntries: [{ logIndex: "1" }] } },
+        };
+        const result = await verifyEvidenceBundle(bundle);
+        expect(result.signatureValid).toBe(false);
+        expect(result.verified).toBe(false);
+        expect(result.error).toMatch(/signature/i);
+    });
+    it("rejects a signature with no transparency-log entry", async () => {
+        const { bundle } = await collectEvidence({ projectPath: dir });
+        bundle.signature = {
+            signed: true,
+            digest: sha256(bundle.bundleDigest),
+            signedAt: "2026-01-01T00:00:00.000Z",
+            bundle: { verificationMaterial: { tlogEntries: [] } },
+        };
+        const result = await verifyEvidenceBundle(bundle);
+        expect(result.signatureValid).toBe(false);
+    });
+});
+describe("evidence store round-trip", () => {
+    let dir;
+    beforeEach(async () => {
+        dir = await mkdtemp(join(tmpdir(), "evidence-store-"));
+        await seedVasperaDir(dir);
+    });
+    afterEach(async () => {
+        await rm(dir, { recursive: true, force: true });
+    });
+    it("stores and loads a bundle byte-for-byte, and it still verifies", async () => {
+        const { bundle } = await collectEvidence({ projectPath: dir, certificationId: "cert-x" });
+        const path = await storeEvidenceBundle(dir, bundle);
+        expect(path).toContain(`${bundle.id}.json`);
+        const loaded = await loadEvidenceBundle(dir, bundle.id);
+        expect(loaded).not.toBeNull();
+        expect(loaded.bundleDigest).toBe(bundle.bundleDigest);
+        const result = await verifyEvidenceBundle(loaded);
+        expect(result.verified).toBe(true);
+    });
+    it("returns null loading an unknown bundle id", async () => {
+        expect(await loadEvidenceBundle(dir, "evidence-nope")).toBeNull();
+    });
+    it("lists stored bundles newest-first and reports stats", async () => {
+        const b1 = (await collectEvidence({ projectPath: dir })).bundle;
+        b1.id = "evidence-aaa";
+        b1.createdAt = "2026-01-01T00:00:00.000Z";
+        const b2 = (await collectEvidence({ projectPath: dir })).bundle;
+        b2.id = "evidence-bbb";
+        b2.createdAt = "2026-02-01T00:00:00.000Z";
+        await storeEvidenceBundle(dir, b1);
+        await storeEvidenceBundle(dir, b2);
+        const list = await listEvidenceBundles(dir);
+        expect(list.map((b) => b.id)).toEqual(["evidence-bbb", "evidence-aaa"]);
+        const stats = await getEvidenceStats(dir);
+        expect(stats.bundleCount).toBe(2);
+        expect(stats.totalSizeBytes).toBeGreaterThan(0);
+        expect(stats.oldestBundle).toBe("2026-01-01T00:00:00.000Z");
+        expect(stats.newestBundle).toBe("2026-02-01T00:00:00.000Z");
+    });
+    it("returns empty results for a project with no evidence dir", async () => {
+        const empty = await mkdtemp(join(tmpdir(), "evidence-empty-"));
+        try {
+            expect(await listEvidenceBundles(empty)).toEqual([]);
+            expect(await getEvidenceStats(empty)).toEqual({ bundleCount: 0, totalSizeBytes: 0 });
+        }
+        finally {
+            await rm(empty, { recursive: true, force: true });
+        }
+    });
+});
+describe("formatEvidenceBundleAsMarkdown", () => {
+    it("renders digest, artifacts, and unsigned status", () => {
+        const bundle = {
+            id: "evidence-md",
+            createdAt: "2026-01-01T00:00:00.000Z",
+            projectPath: "/p",
+            frameworks: [],
+            environment: {
+                os: "linux",
+                osVersion: "6",
+                nodeVersion: "v20",
+                vasperaVersion: "2.14.0",
+                capturedAt: "2026-01-01T00:00:00.000Z",
+            },
+            artifacts: [artifact("scan", "data")],
+            bundleDigest: calculateBundleDigest([artifact("scan", "data")]),
+        };
+        const md = formatEvidenceBundleAsMarkdown(bundle);
+        expect(md).toContain("# Evidence Bundle");
+        expect(md).toContain(bundle.bundleDigest);
+        expect(md).toContain("**Signature**: Not signed");
+    });
+});
+//# sourceMappingURL=evidence.test.js.map

package/dist/__tests__/evidence/evidence.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"evidence.test.js","sourceRoot":"","sources":["../../../src/__tests__/evidence/evidence.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAC5D,OAAO,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC;AAC5B,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,8BAA8B,GAC/B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,mBAAmB,EACnB,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,yBAAyB,CAAC;AAGjC,MAAM,MAAM,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAEjG,SAAS,QAAQ,CAAC,IAAY,EAAE,OAAe;IAC7C,OAAO;QACL,IAAI,EAAE,aAAa;QACnB,IAAI;QACJ,WAAW,EAAE,GAAG,IAAI,WAAW;QAC/B,aAAa,EAAE,MAAM,CAAC,OAAO,CAAC;QAC9B,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC;QACrC,WAAW,EAAE,0BAA0B;QACvC,OAAO;KACR,CAAC;AACJ,CAAC;AAED,oEAAoE;AACpE,KAAK,UAAU,cAAc,CAAC,WAAmB;IAC/C,MAAM,CAAC,GAAG,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IACxC,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC,EAAE,aAAa,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;IACnF,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC,EAAE,eAAe,CAAC,EAAE,gCAAgC,EAAE,OAAO,CAAC,CAAC;IACrF,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC,EAAE,WAAW,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;IAC3F,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,eAAe,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;AAChG,CAAC;AAED,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,MAAM,CAAC,GAAG,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACjC,MAAM,CAAC,GAAG,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAChC,MAAM,CAAC,GAAG,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACjC,MAAM,EAAE,GAAG,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC5C,MAAM,EAAE,GAAG,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC5C,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACpB,MAAM,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,IAAI,GAAG,qBAAqB,CAAC,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;QACpF,MAAM,OAAO,GAAG,qBAAqB,CAAC,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;QACvF,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;QAC7B,MAAM,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,IAAI,GAAW,CAAC;IAChB,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,mBAAmB,CAAC,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IACH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+EAA+E,EAAE,KAAK,IAAI,EAAE;QAC7F,MAAM,cAAc,CAAC,GAAG,CAAC,CAAC;QAC1B,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,eAAe,EAAE,QAAQ,EAAE,CAAC,CAAC;QAEtF,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,MAAM,GAAG,MAAM,CAAC,MAAO,CAAC;QAC9B,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACnD,oEAAoE;QACpE,MAAM,CAAC,qBAAqB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC1E,qDAAqD;QACrD,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC,CAAC,OAAO;gBAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;QACjE,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAC;QACrF,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,gDAAgD,EAAE,GAAG,EAAE;IAC9D,IAAI,GAAW,CAAC;IAChB,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC,CAAC;QACxD,MAAM,cAAc,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IACH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,MAAO,CAAC,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;QAC1E,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;QAC/D,uEAAuE;QACvE,iFAAiF;QACjF,MAAM,MAAM,GAAG,MAAO,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAE,CAAC;QACzD,MAAM,CAAC,OAAO,GAAG,GAAG,MAAM,CAAC,OAAO,iBAAiB,CAAC;QACpD,MAAO,CAAC,YAAY,GAAG,qBAAqB,CAAC,MAAO,CAAC,SAAS,CAAC,CAAC;QAEhE,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,MAAO,CAAC,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3C,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;QAC/D,MAAO,CAAC,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,MAAO,CAAC,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;QAC5E,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;QAC/D,MAAO,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAClE,qCAAqC;QACrC,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,MAAO,CAAC,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,MAAO,CAAC,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,aAAa,EAAE,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;QAC/D,2EAA2E;QAC3E,0EAA0E;QAC1E,MAAO,CAAC,SAAS,GAAG;YAClB,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,MAAM,CAAC,MAAO,CAAC,YAAY,CAAC;YACpC,QAAQ,EAAE,0BAA0B;YACpC,aAAa,EAAE,OAAO;YACtB,MAAM,EAAE,EAAE,oBAAoB,EAAE,EAAE,WAAW,EAAE,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,EAAE,EAAE;SAC3E,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,MAAO,CAAC,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mEAAmE,EAAE,KAAK,IAAI,EAAE;QACjF,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;QAC/D,MAAO,CAAC,SAAS,GAAG;YAClB,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,MAAM,CAAC,uBAAuB,CAAC;YACvC,QAAQ,EAAE,0BAA0B;YACpC,MAAM,EAAE,EAAE,oBAAoB,EAAE,EAAE,WAAW,EAAE,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE;SACvE,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,MAAO,CAAC,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;QAC/D,MAAO,CAAC,SAAS,GAAG;YAClB,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,MAAM,CAAC,MAAO,CAAC,YAAY,CAAC;YACpC,QAAQ,EAAE,0BAA0B;YACpC,MAAM,EAAE,EAAE,oBAAoB,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE;SACtD,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,MAAO,CAAC,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,IAAI,GAAW,CAAC;IAChB,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;QACvD,MAAM,cAAc,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IACH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;QAC9E,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,eAAe,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC1F,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,GAAG,EAAE,MAAO,CAAC,CAAC;QACrD,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,GAAG,MAAO,CAAC,EAAE,OAAO,CAAC,CAAC;QAE7C,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,GAAG,EAAE,MAAO,CAAC,EAAE,CAAC,CAAC;QACzD,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,MAAO,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,MAAO,CAAC,YAAY,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,MAAO,CAAC,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,CAAC,MAAM,kBAAkB,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,EAAE,GAAG,CAAC,MAAM,eAAe,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,MAAO,CAAC;QACjE,EAAE,CAAC,EAAE,GAAG,cAAc,CAAC;QACvB,EAAE,CAAC,SAAS,GAAG,0BAA0B,CAAC;QAC1C,MAAM,EAAE,GAAG,CAAC,MAAM,eAAe,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,MAAO,CAAC;QACjE,EAAE,CAAC,EAAE,GAAG,cAAc,CAAC;QACvB,EAAE,CAAC,SAAS,GAAG,0BAA0B,CAAC;QAC1C,MAAM,mBAAmB,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACnC,MAAM,mBAAmB,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEnC,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC,CAAC;QAExE,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,GAAG,CAAC,CAAC;QAC1C,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAChD,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QAC5D,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;QAC/D,IAAI,CAAC;YACH,MAAM,CAAC,MAAM,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YACrD,MAAM,CAAC,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE,CAAC,CAAC;QACvF,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACpD,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,MAAM,GAAmB;YAC7B,EAAE,EAAE,aAAa;YACjB,SAAS,EAAE,0BAA0B;YACrC,WAAW,EAAE,IAAI;YACjB,UAAU,EAAE,EAAE;YACd,WAAW,EAAE;gBACX,EAAE,EAAE,OAAO;gBACX,SAAS,EAAE,GAAG;gBACd,WAAW,EAAE,KAAK;gBAClB,cAAc,EAAE,QAAQ;gBACxB,UAAU,EAAE,0BAA0B;aACvC;YACD,SAAS,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YACrC,YAAY,EAAE,qBAAqB,CAAC,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;SAChE,CAAC;QACF,MAAM,EAAE,GAAG,8BAA8B,CAAC,MAAM,CAAC,CAAC;QAClD,MAAM,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QAC1C,MAAM,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC1C,MAAM,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,2BAA2B,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/history/decisions.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=decisions.test.d.ts.map

package/dist/__tests__/history/decisions.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decisions.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/history/decisions.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/history/decisions.test.js

@@ -0,0 +1,54 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdtemp, rm } from "fs/promises";
+import { tmpdir } from "os";
+import { join } from "path";
+import { recordDecision, getDecisionProvenance } from "../../history/decisions.js";
+import { verifyHistoryIntegrity } from "../../history/verify.js";
+describe("decision provenance", () => {
+    let dir;
+    beforeEach(async () => {
+        dir = await mkdtemp(join(tmpdir(), "decisions-"));
+    });
+    afterEach(async () => {
+        await rm(dir, { recursive: true, force: true });
+    });
+    it("records a decision as a hash-chained entry with digests (not raw content)", async () => {
+        const entry = await recordDecision(dir, {
+            decisionType: "tool_call",
+            model: "claude-fable-5",
+            input: "secret-bearing input: token=sk-abc123",
+            prompt: "system prompt text",
+            output: "called tool X",
+            toolsInvoked: ["search"],
+            summary: "Chose to call search",
+            confidence: 88,
+        });
+        expect(entry.type).toBe("decision_record");
+        expect(entry.integrity?.hash).toMatch(/^[a-f0-9]{64}$/);
+        expect(entry.integrity?.previousHash).toBeTruthy();
+        // raw content is NOT stored — only digests
+        expect(entry.inputDigest).toMatch(/^[a-f0-9]{64}$/);
+        expect(JSON.stringify(entry)).not.toContain("sk-abc123");
+        expect(JSON.stringify(entry)).not.toContain("system prompt text");
+    });
+    it("chains multiple decisions and reports provenance", async () => {
+        await recordDecision(dir, { decisionType: "gen", model: "m", input: "a", output: "b" });
+        await recordDecision(dir, { decisionType: "gen", model: "m", input: "c", output: "d" });
+        const prov = await getDecisionProvenance(dir);
+        expect(prov.decisionRecords).toBe(2);
+        expect(prov.auditTrailHead).toMatch(/^[a-f0-9]{64}$/);
+    });
+    it("the decision chain verifies as tamper-evident", async () => {
+        await recordDecision(dir, { decisionType: "gen", model: "m", input: "a", output: "b" });
+        await recordDecision(dir, { decisionType: "gen", model: "m", input: "c", output: "d" });
+        const result = await verifyHistoryIntegrity(dir);
+        expect(result.verified).toBe(true);
+        expect(result.chainIntegrity).toBe(true);
+    });
+    it("empty project reports genesis head and zero records", async () => {
+        const prov = await getDecisionProvenance(dir);
+        expect(prov.decisionRecords).toBe(0);
+        expect(prov.auditTrailHead).toBeTruthy();
+    });
+});
+//# sourceMappingURL=decisions.test.js.map

package/dist/__tests__/history/decisions.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decisions.test.js","sourceRoot":"","sources":["../../../src/__tests__/history/decisions.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC;AAC5B,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnF,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAEjE,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,IAAI,GAAW,CAAC;IAEhB,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,YAAY,CAAC,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2EAA2E,EAAE,KAAK,IAAI,EAAE;QACzF,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,GAAG,EAAE;YACtC,YAAY,EAAE,WAAW;YACzB,KAAK,EAAE,gBAAgB;YACvB,KAAK,EAAE,uCAAuC;YAC9C,MAAM,EAAE,oBAAoB;YAC5B,MAAM,EAAE,eAAe;YACvB,YAAY,EAAE,CAAC,QAAQ,CAAC;YACxB,OAAO,EAAE,sBAAsB;YAC/B,UAAU,EAAE,EAAE;SACf,CAAC,CAAC;QAEH,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAC3C,MAAM,CAAC,KAAK,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACxD,MAAM,CAAC,KAAK,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC,UAAU,EAAE,CAAC;QACnD,2CAA2C;QAC3C,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACzD,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,cAAc,CAAC,GAAG,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACxF,MAAM,cAAc,CAAC,GAAG,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACxF,MAAM,IAAI,GAAG,MAAM,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,cAAc,CAAC,GAAG,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACxF,MAAM,cAAc,CAAC,GAAG,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACxF,MAAM,MAAM,GAAG,MAAM,sBAAsB,CAAC,GAAG,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,IAAI,GAAG,MAAM,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,UAAU,EAAE,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/http-auth.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=http-auth.test.d.ts.map

package/dist/__tests__/http-auth.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-auth.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/http-auth.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/http-auth.test.js

@@ -0,0 +1,55 @@
+import { describe, it, expect } from "vitest";
+import { resolveAuthConfig, isAuthorized, HttpAuthConfigError, } from "../http-auth.js";
+const TOKEN = "0123456789abcdef0123456789abcdef";
+function requestWith(authorization) {
+    return { headers: authorization ? { authorization } : {} };
+}
+describe("resolveAuthConfig", () => {
+    it("enforces auth when VASPERA_HTTP_TOKEN is set", () => {
+        const config = resolveAuthConfig({ VASPERA_HTTP_TOKEN: TOKEN });
+        expect(config.token).toBe(TOKEN);
+    });
+    it("trims whitespace from the token", () => {
+        const config = resolveAuthConfig({ VASPERA_HTTP_TOKEN: `  ${TOKEN}  ` });
+        expect(config.token).toBe(TOKEN);
+    });
+    it("rejects tokens shorter than 16 characters", () => {
+        expect(() => resolveAuthConfig({ VASPERA_HTTP_TOKEN: "short" })).toThrow(HttpAuthConfigError);
+    });
+    it("refuses to start with no token and no explicit opt-in", () => {
+        expect(() => resolveAuthConfig({})).toThrow(HttpAuthConfigError);
+    });
+    it("treats an empty token as unset", () => {
+        expect(() => resolveAuthConfig({ VASPERA_HTTP_TOKEN: "  " })).toThrow(HttpAuthConfigError);
+    });
+    it("allows open mode only with explicit opt-in", () => {
+        const config = resolveAuthConfig({ VASPERA_HTTP_ALLOW_UNAUTHENTICATED: "true" });
+        expect(config.token).toBeNull();
+    });
+    it("does not accept opt-in values other than 'true'", () => {
+        expect(() => resolveAuthConfig({ VASPERA_HTTP_ALLOW_UNAUTHENTICATED: "1" })).toThrow(HttpAuthConfigError);
+    });
+});
+describe("isAuthorized", () => {
+    const config = { token: TOKEN };
+    it("accepts a matching bearer token", () => {
+        expect(isAuthorized(requestWith(`Bearer ${TOKEN}`), config)).toBe(true);
+    });
+    it("rejects a missing Authorization header", () => {
+        expect(isAuthorized(requestWith(), config)).toBe(false);
+    });
+    it("rejects a wrong token of the same length", () => {
+        const wrong = "f".repeat(TOKEN.length);
+        expect(isAuthorized(requestWith(`Bearer ${wrong}`), config)).toBe(false);
+    });
+    it("rejects a token of different length", () => {
+        expect(isAuthorized(requestWith(`Bearer ${TOKEN}extra`), config)).toBe(false);
+    });
+    it("rejects non-bearer schemes", () => {
+        expect(isAuthorized(requestWith(`Basic ${TOKEN}`), config)).toBe(false);
+    });
+    it("allows everything in explicit open mode", () => {
+        expect(isAuthorized(requestWith(), { token: null })).toBe(true);
+    });
+});
+//# sourceMappingURL=http-auth.test.js.map

package/dist/__tests__/http-auth.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-auth.test.js","sourceRoot":"","sources":["../../src/__tests__/http-auth.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAE9C,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,mBAAmB,GACpB,MAAM,iBAAiB,CAAC;AAEzB,MAAM,KAAK,GAAG,kCAAkC,CAAC;AAEjD,SAAS,WAAW,CAAC,aAAsB;IACzC,OAAO,EAAE,OAAO,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,EAAqB,CAAC;AAChF,CAAC;AAED,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC,CAAC;QAChE,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,KAAK,KAAK,IAAI,EAAE,CAAC,CAAC;QACzE,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,CAAC,GAAG,EAAE,CAAC,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,CACtE,mBAAmB,CACpB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,CAAC,GAAG,EAAE,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,CAAC,GAAG,EAAE,CAAC,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CACnE,mBAAmB,CACpB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,kCAAkC,EAAE,MAAM,EAAE,CAAC,CAAC;QACjF,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,CAAC,GAAG,EAAE,CACV,iBAAiB,CAAC,EAAE,kCAAkC,EAAE,GAAG,EAAE,CAAC,CAC/D,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,MAAM,MAAM,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAEhC,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,UAAU,KAAK,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,CAAC,YAAY,CAAC,WAAW,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACvC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,UAAU,KAAK,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,UAAU,KAAK,OAAO,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,SAAS,KAAK,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,YAAY,CAAC,WAAW,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/http-policy.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=http-policy.test.d.ts.map

package/dist/__tests__/http-policy.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-policy.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/http-policy.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/http-policy.test.js

@@ -0,0 +1,69 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import { resolveToolPolicy, isToolAllowed, findBlockedToolCall, } from "../http-policy.js";
+import { toolAnnotations } from "../tool-guard.js";
+describe("resolveToolPolicy", () => {
+    it("defaults to readonly", () => {
+        expect(resolveToolPolicy({}).mode).toBe("readonly");
+    });
+    it("parses all", () => {
+        expect(resolveToolPolicy({ VASPERA_HTTP_TOOLS: "all" }).mode).toBe("all");
+    });
+    it("parses an explicit allowlist", () => {
+        const policy = resolveToolPolicy({
+            VASPERA_HTTP_TOOLS: "certification_status, hardening_dashboard",
+        });
+        expect(policy.mode).toBe("allowlist");
+        expect(policy.allowlist.has("certification_status")).toBe(true);
+        expect(policy.allowlist.has("hardening_dashboard")).toBe(true);
+    });
+});
+describe("isToolAllowed", () => {
+    beforeEach(() => {
+        toolAnnotations.clear();
+        toolAnnotations.set("read_tool", { readOnlyHint: true, destructiveHint: false });
+        toolAnnotations.set("write_tool", { readOnlyHint: false, destructiveHint: true });
+    });
+    it("readonly mode allows only readOnlyHint tools", () => {
+        const policy = resolveToolPolicy({});
+        expect(isToolAllowed("read_tool", policy)).toBe(true);
+        expect(isToolAllowed("write_tool", policy)).toBe(false);
+    });
+    it("readonly mode denies unknown tools", () => {
+        const policy = resolveToolPolicy({});
+        expect(isToolAllowed("never_registered", policy)).toBe(false);
+    });
+    it("all mode allows everything", () => {
+        const policy = resolveToolPolicy({ VASPERA_HTTP_TOOLS: "all" });
+        expect(isToolAllowed("write_tool", policy)).toBe(true);
+    });
+    it("allowlist mode allows exactly the listed tools", () => {
+        const policy = resolveToolPolicy({ VASPERA_HTTP_TOOLS: "write_tool" });
+        expect(isToolAllowed("write_tool", policy)).toBe(true);
+        expect(isToolAllowed("read_tool", policy)).toBe(false);
+    });
+});
+describe("findBlockedToolCall", () => {
+    beforeEach(() => {
+        toolAnnotations.clear();
+        toolAnnotations.set("read_tool", { readOnlyHint: true });
+    });
+    const policy = resolveToolPolicy({});
+    it("passes non-tool-call messages", () => {
+        expect(findBlockedToolCall({ method: "initialize", id: 1 }, policy)).toBeNull();
+    });
+    it("passes allowed tool calls", () => {
+        expect(findBlockedToolCall({ method: "tools/call", params: { name: "read_tool" }, id: 2 }, policy)).toBeNull();
+    });
+    it("blocks disallowed tool calls and reports the id", () => {
+        const blocked = findBlockedToolCall({ method: "tools/call", params: { name: "autofix_apply" }, id: 3 }, policy);
+        expect(blocked).toEqual({ toolName: "autofix_apply", id: 3 });
+    });
+    it("scans JSON-RPC batches", () => {
+        const blocked = findBlockedToolCall([
+            { method: "tools/call", params: { name: "read_tool" }, id: 1 },
+            { method: "tools/call", params: { name: "certification_scan" }, id: 2 },
+        ], policy);
+        expect(blocked).toEqual({ toolName: "certification_scan", id: 2 });
+    });
+});
+//# sourceMappingURL=http-policy.test.js.map

package/dist/__tests__/http-policy.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-policy.test.js","sourceRoot":"","sources":["../../src/__tests__/http-policy.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC1D,OAAO,EACL,iBAAiB,EACjB,aAAa,EACb,mBAAmB,GACpB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEnD,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,MAAM,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,YAAY,EAAE,GAAG,EAAE;QACpB,MAAM,CAAC,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,MAAM,GAAG,iBAAiB,CAAC;YAC/B,kBAAkB,EAAE,2CAA2C;SAChE,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChE,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,UAAU,CAAC,GAAG,EAAE;QACd,eAAe,CAAC,KAAK,EAAE,CAAC;QACxB,eAAe,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC,CAAC;QACjF,eAAe,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,CAAC,aAAa,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtD,MAAM,CAAC,aAAa,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,CAAC,aAAa,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC,CAAC;QAChE,MAAM,CAAC,aAAa,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC,CAAC;QACvE,MAAM,CAAC,aAAa,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,CAAC,aAAa,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,UAAU,CAAC,GAAG,EAAE;QACd,eAAe,CAAC,KAAK,EAAE,CAAC;QACxB,eAAe,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,CAAC,CAAC;IAErC,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CACJ,mBAAmB,CAAC,EAAE,MAAM,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,MAAM,CAAC,CAC7D,CAAC,QAAQ,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,CACJ,mBAAmB,CACjB,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAC9D,MAAM,CACP,CACF,CAAC,QAAQ,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,OAAO,GAAG,mBAAmB,CACjC,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAClE,MAAM,CACP,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,OAAO,GAAG,mBAAmB,CACjC;YACE,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE;YAC9D,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,oBAAoB,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE;SACxE,EACD,MAAM,CACP,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,oBAAoB,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/http-server-transport.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=http-server-transport.test.d.ts.map

package/dist/__tests__/http-server-transport.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-server-transport.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/http-server-transport.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/http-server-transport.test.js

@@ -0,0 +1,132 @@
+import { describe, it, expect, beforeAll, afterAll } from "vitest";
+import { spawn } from "child_process";
+import { once } from "events";
+import { existsSync, readFileSync } from "fs";
+// Needs the built server; CI builds before testing. Skip cleanly when
+// running `vitest` locally without a prior `npm run build`.
+const BUILT = existsSync("dist/http-server.js");
+/**
+ * End-to-end transport contract for the HTTP server. Guards the
+ * singleton-transport regression: the server must handle many
+ * sequential JSON-RPC clients (not just the first), and must answer GET
+ * with 405 so streaming clients fall back to POST instead of deadlocking.
+ */
+const PORT = 3211;
+const BASE = `http://localhost:${PORT}/mcp`;
+const TOKEN = "test-transport-token";
+let proc;
+async function rpc(body, token = TOKEN) {
+    return fetch(BASE, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            Accept: "application/json, text/event-stream",
+            ...(token ? { Authorization: `Bearer ${token}` } : {}),
+        },
+        body: JSON.stringify(body),
+    });
+}
+beforeAll(async () => {
+    proc = spawn("node", ["dist/http-server.js"], {
+        env: { ...process.env, VASPERA_HTTP_TOKEN: TOKEN, MCP_HTTP_PORT: String(PORT) },
+        stdio: ["ignore", "ignore", "pipe"],
+    });
+    // Wait for the startup line on stderr
+    const start = Date.now();
+    while (Date.now() - start < 20000) {
+        const [chunk] = (await once(proc.stderr, "data"));
+        if (chunk.toString().includes("http-server.started"))
+            return;
+    }
+    throw new Error("server did not start");
+}, 30000);
+afterAll(() => {
+    proc?.kill("SIGKILL");
+});
+describe.skipIf(!BUILT)("HTTP server transport contract", () => {
+    it("rejects POST without a token (401)", async () => {
+        const res = await rpc({ jsonrpc: "2.0", id: 1, method: "tools/list", params: {} }, "");
+        expect(res.status).toBe(401);
+    });
+    it("answers GET with 405 (no server-initiated streaming)", async () => {
+        const res = await fetch(BASE, {
+            method: "GET",
+            headers: { Authorization: `Bearer ${TOKEN}` },
+        });
+        expect(res.status).toBe(405);
+        expect(res.headers.get("allow")).toBe("POST");
+    });
+    it("returns 400 for invalid JSON", async () => {
+        const res = await fetch(BASE, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${TOKEN}`,
+            },
+            body: "not json",
+        });
+        expect(res.status).toBe(400);
+    });
+    it("blocks a write tool over HTTP with a policy error (403)", async () => {
+        const res = await rpc({
+            jsonrpc: "2.0",
+            id: 2,
+            method: "tools/call",
+            params: { name: "autofix_apply", arguments: {} },
+        });
+        expect(res.status).toBe(403);
+        const body = await res.json();
+        expect(body.error.message).toMatch(/not exposed over HTTP/);
+    });
+    it("serves tools/list to many sequential clients (singleton regression)", async () => {
+        for (let i = 0; i < 3; i++) {
+            const res = await rpc({ jsonrpc: "2.0", id: 100 + i, method: "tools/list", params: {} });
+            expect(res.status).toBe(200);
+            const text = await res.text();
+            expect(text).toMatch(/certification_scan|hardening_list_projects/);
+        }
+    });
+});
+describe.skipIf(!BUILT)("public /verify endpoint (unauthenticated)", () => {
+    const VERIFY = `http://localhost:${PORT}/verify`;
+    const sampleCert = JSON.parse(readFileSync("examples/agent-certificate.sample.json", "utf-8"));
+    it("verifies a valid certificate WITHOUT a token (the whole point)", async () => {
+        const res = await fetch(VERIFY, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" }, // deliberately no Authorization
+            body: JSON.stringify(sampleCert),
+        });
+        expect(res.status).toBe(200);
+        const body = await res.json();
+        expect(body.valid).toBe(true);
+        expect(body.contentDigestValid).toBe(true);
+        expect(body.claims?.subject?.name).toBeTruthy();
+    });
+    it("reports a tampered certificate as invalid (still 200, verdict in body)", async () => {
+        const tampered = { ...sampleCert, overallScore: 100 };
+        const res = await fetch(VERIFY, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(tampered),
+        });
+        expect(res.status).toBe(200);
+        const body = await res.json();
+        expect(body.valid).toBe(false);
+        expect(body.contentDigestValid).toBe(false);
+    });
+    it("returns 400 for an invalid JSON body", async () => {
+        const res = await fetch(VERIFY, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: "not json",
+        });
+        expect(res.status).toBe(400);
+    });
+    it("serves GET /verify as self-documenting usage", async () => {
+        const res = await fetch(VERIFY, { method: "GET" });
+        expect(res.status).toBe(200);
+        const body = await res.json();
+        expect(body.method).toBe("POST");
+    });
+});
+//# sourceMappingURL=http-server-transport.test.js.map