vaspera 2.14.0 → 2.15.0

package/CHANGELOG.md

@@ -1,10 +1,43 @@
 # Changelog
 
+## 2.15.0
+
+### Minor Changes
+
+- [#61](https://github.com/RCOLKITT/hardening-mcp/pull/61) [`1ecf11d`](https://github.com/RCOLKITT/hardening-mcp/commit/1ecf11dbc073af3430e6df17d0792e2b87ad2568) Thanks [@RCOLKITT](https://github.com/RCOLKITT)! - Agent Certification, independent verification, accuracy + red-team benchmarks, and hardening.
+
+  **Agent Certification**
+
+  - Versioned, signable agent certificate schema (six dimensions) with deterministic content digest; `agent_certificate_generate` / `agent_certificate_verify` MCP tools.
+  - ISO 42001 + NIST AI RMF compliance mappings and tamper-evident decision provenance (`decision_record`) on the hash chain.
+  - EU AI Act control mapping wired into the certification path (31 controls).
+
+  **Independent verification (don't trust us — verify)**
+
+  - Standalone certificate verifier: `npm run verify:cert` CLI and a public, unauthenticated `POST /verify` HTTP endpoint that re-checks schema, content digest, and signature without trusting the issuer.
+
+  **Measured accuracy + red-team**
+
+  - Accuracy benchmark (`npm run benchmark`, `npm run benchmark:llm`) over labeled fixtures with precision/recall/F1; built-in Semgrep taint rules took deterministic recall from ~10% to ~63% (added SQLi/cmd/SSRF, then insecure-deserialization + XXE), precision 100%.
+  - LLM-layer + Anthropic/OpenAI cross-model consensus benchmark.
+  - Red-team resistance harness (`npm run benchmark:redteam`) — reproducible prompt-injection resistance score + tool-scope/exfil exposure; fixed a false-positive bug that flagged 100% of tools.
+
+  **Integrity + supply chain**
+
+  - Evidence bundles can now be Sigstore-signed and their signatures are really verified (was a presence-only stub).
+  - Published manifest now exposes real per-tool input schemas (was an empty placeholder for all tools).
+  - Resolved a transitive esbuild advisory.
+
+  **Hardening (potentially breaking for three tools)**
+
+  - `deploy_vercel_promote`, `deploy_vercel_rollback`, and `consensus_clear` are now fail-closed: they return a no-op preview unless called with `confirm: true`. Callers that previously relied on these executing immediately must now pass `confirm: true`.
+
 ## [2.14.0] - 2026-06-05
 
 ### Added
 
 #### Antagonist Agent
+
 - New meta-analysis agent that runs after all other agents complete
 - **Synthesis mode**: Chains findings into attack narratives mapped to MITRE ATT&CK kill chain
 - **Challenger mode**: Internal critic that flags false positives, coverage gaps, and inconsistencies
@@ -13,22 +46,26 @@
 - New `antagonist_challenge` tool - manually challenge specific findings
 
 #### Attack Narrative Features
+
 - Builds attack graphs from findings and exploit chains
 - Maps vulnerabilities to 14 MITRE ATT&CK kill chain phases
 - Identifies bottleneck findings that block multiple attack paths
 - Generates human-readable attack stories with difficulty/likelihood ratings
 
 #### Challenger Features
+
 - Detects potential false positives (test files, low confidence, generic descriptions)
 - Identifies untested attack vectors (17 categories tracked)
 - Flags agents with zero findings as potentially incomplete
 - Calculates coverage score across attack surface
 
 ### Fixed
+
 - Empty catch blocks in `store.ts` and `signing.ts` now log errors
 - Antagonist agent integration test types corrected
 
 ### Changed
+
 - MCP tools increased from 108 to 110
 - New agent type `antagonist` with weight 0.15 (informs but doesn't dominate consensus)
 - Added to AGENT_VERIFICATION_MAP (verified by security, adversary, redteam)
@@ -38,17 +75,20 @@
 ### Added
 
 #### False Positive Feedback System
+
 - New `feedback_submit` tool to mark findings as true/false positives
 - New `feedback_report` tool to view FP rates by scanner and rule
 - New `feedback_suppressions` tool to get rule suppression suggestions based on feedback
 - Feedback stored in `.vaspera/fp-feedback.json` with full audit trail
 
 #### Diff-Aware CI Scanning
+
 - New `certification_scan_diff` tool scans only changed files (git diff)
 - Estimates scan time savings vs full scan
 - Auto-detects security-critical files that always get scanned
 
 #### Standalone Autofix Preview
+
 - `autofix_preview` now works without certification_id
 - Provide file + pattern_id to preview fixes directly
 - Use `autofix_list_patterns` to see available fix patterns
@@ -56,27 +96,32 @@
 ### Fixed
 
 #### Persistence DB Fallback
+
 - Added JSON file fallback when SQLite is unavailable
 - New `src/persistence/json-fallback.ts` with atomic writes
 - Graceful degradation: warns but continues operating
 
 #### scale_bottlenecks False Positives
+
 - Added semantic analysis for workflow/pipeline patterns
 - Confidence scoring (60-100) based on context
 - Sequential workflows no longer flagged as N+1 queries
 
 #### ai_code_verify Diagnostics
+
 - Returns detailed diagnostics when 0 files found
 - Shows which extensions were searched
 - Reports which exclude patterns matched
 - Suggests alternative file extensions
 
 #### Scanner Error Messages
+
 - Added `ScannerErrorDetails` with actionable suggestions
 - tsc/eslint now report phase (init/scan/parse) and fix steps
 - Full error output available for debugging
 
 ### Changed
+
 - MCP tools increased from 103 to 108
 
 ## 2.10.0

package/README.md

@@ -2,12 +2,25 @@
 
 Enterprise-grade security certification for codebases **and AI agent systems** with deterministic scanners, LLM-powered analysis, and signed attestations.
 
+[![Self-Certification](https://github.com/RCOLKITT/hardening-mcp/actions/workflows/certify.yml/badge.svg)](https://github.com/RCOLKITT/hardening-mcp/actions/workflows/certify.yml)
+[![CI](https://github.com/RCOLKITT/hardening-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/RCOLKITT/hardening-mcp/actions/workflows/ci.yml)
 ![npm version](https://img.shields.io/npm/v/vaspera)
 ![License](https://img.shields.io/badge/License-MIT-green)
-![Tools](https://img.shields.io/badge/MCP_Tools-78-purple)
+![Tools](https://img.shields.io/badge/MCP_Tools-113-purple)
 ![AI Frameworks](https://img.shields.io/badge/AI_Frameworks-5-blue)
 ![Scanners](https://img.shields.io/badge/Scanners-12-orange)
-![Tests](https://img.shields.io/badge/Tests-2942-brightgreen)
+![Tests](https://img.shields.io/badge/Tests-1891-brightgreen)
+
+> **We pass our own strictest certification on every commit.** The
+> Self-Certification badge above is the live result of running this
+> product against its own codebase as a blocking CI gate — the one claim
+> a scanner-wrapper can't fake. [How it works »](docs/SELF-CERTIFICATION.md)
+>
+> **Don't trust us — verify.** Any agent certificate can be checked
+> independently (`npm run verify:cert -- cert.json`, or `POST /verify`)
+> with no token and no trust in Vaspera: it recomputes the content digest
+> and checks the signature from the certificate itself.
+> [Verifying a certificate »](docs/VERIFYING-A-CERTIFICATE.md)
 
 ---
 

package/dist/__tests__/certification/agent-certificate-e2e.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=agent-certificate-e2e.test.d.ts.map

package/dist/__tests__/certification/agent-certificate-e2e.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-certificate-e2e.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/certification/agent-certificate-e2e.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/certification/agent-certificate-e2e.test.js

@@ -0,0 +1,90 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdtemp, rm } from "fs/promises";
+import { tmpdir } from "os";
+import { join } from "path";
+import { recordDecision, getDecisionProvenance } from "../../history/decisions.js";
+import { certificationToCertificateBody } from "../../certification/agent-certificate-map.js";
+import { finalizeCertificate, verifyCertificate } from "../../certification/agent-certificate.js";
+function certification() {
+    return {
+        metadata: {
+            id: "cert_e2e",
+            project_name: "e2e-agent",
+            project_path: "/tmp/e2e-agent",
+            started_at: "2026-06-12T00:00:00.000Z",
+            completed_at: "2026-06-12T00:05:00.000Z",
+            status: "completed",
+            agents_requested: ["security"],
+            agents_completed: ["security"],
+            certification_level: "APPROVED",
+            final_score: 84,
+            project_hash: "deadbeef",
+        },
+        agents: {
+            security: {
+                agent: "security",
+                started_at: "2026-06-12T00:00:00.000Z",
+                completed_at: "2026-06-12T00:03:00.000Z",
+                status: "completed",
+                findings: [
+                    {
+                        id: "f1",
+                        severity: "high",
+                        category: "exfil-path",
+                        description: "Secret can reach the network",
+                        evidence: "…",
+                        confidence: 95,
+                        verifications: [],
+                        created_at: "2026-06-12T00:01:00.000Z",
+                    },
+                ],
+            },
+        },
+        cross_verifications: [],
+        red_team_challenges: [],
+    };
+}
+describe("agent certificate — full flow (decisions + frameworks + provenance)", () => {
+    let dir;
+    beforeEach(async () => {
+        dir = await mkdtemp(join(tmpdir(), "cert-e2e-"));
+    });
+    afterEach(async () => {
+        await rm(dir, { recursive: true, force: true });
+    });
+    it("records decisions, builds a certificate with real frameworks + provenance, verifies", async () => {
+        // 1) capture decision provenance on the hash chain
+        await recordDecision(dir, { decisionType: "tool_call", model: "m", input: "x", output: "y" });
+        await recordDecision(dir, { decisionType: "gen", model: "m", input: "p", output: "q" });
+        const provenance = await getDecisionProvenance(dir);
+        expect(provenance.decisionRecords).toBe(2);
+        // 2) build a certificate from a real certification + AI frameworks + provenance
+        const body = certificationToCertificateBody(certification(), {
+            toolVersion: "2.14.0",
+            issuedAt: "2026-06-12T00:00:00.000Z",
+            expiresAt: "2026-09-10T00:00:00.000Z",
+            certificateId: "vac_e2e_1",
+            complianceFrameworks: ["ISO-42001", "NIST-AI-RMF"],
+            provenance,
+        });
+        // compliance dimension is real (mapped controls, not a label)
+        expect(body.dimensions.compliance.frameworks.map((f) => f.framework)).toEqual([
+            "ISO-42001",
+            "NIST-AI-RMF",
+        ]);
+        expect(body.dimensions.compliance.frameworks[0].controlsTotal).toBeGreaterThan(0);
+        // the exfil-path finding should fail at least one control
+        const totalFailed = body.dimensions.compliance.frameworks.reduce((n, f) => n + f.controlsFailed, 0);
+        expect(totalFailed).toBeGreaterThan(0);
+        // explainability reflects the recorded decisions
+        expect(body.dimensions.explainability.checks.some((c) => c.id === "decision-provenance")).toBe(true);
+        expect(body.provenance.decisionRecords).toBe(2);
+        expect(body.provenance.auditTrailHead).toBe(provenance.auditTrailHead);
+        // 3) finalize + verify independently
+        const cert = await finalizeCertificate(body);
+        const result = await verifyCertificate(cert);
+        expect(result.valid).toBe(true);
+        expect(result.contentDigestValid).toBe(true);
+    });
+});
+//# sourceMappingURL=agent-certificate-e2e.test.js.map

package/dist/__tests__/certification/agent-certificate-e2e.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-certificate-e2e.test.js","sourceRoot":"","sources":["../../../src/__tests__/certification/agent-certificate-e2e.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC;AAC5B,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnF,OAAO,EAAE,8BAA8B,EAAE,MAAM,8CAA8C,CAAC;AAC9F,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAGlG,SAAS,aAAa;IACpB,OAAO;QACL,QAAQ,EAAE;YACR,EAAE,EAAE,UAAU;YACd,YAAY,EAAE,WAAW;YACzB,YAAY,EAAE,gBAAgB;YAC9B,UAAU,EAAE,0BAA0B;YACtC,YAAY,EAAE,0BAA0B;YACxC,MAAM,EAAE,WAAW;YACnB,gBAAgB,EAAE,CAAC,UAAU,CAAC;YAC9B,gBAAgB,EAAE,CAAC,UAAU,CAAC;YAC9B,mBAAmB,EAAE,UAAU;YAC/B,WAAW,EAAE,EAAE;YACf,YAAY,EAAE,UAAU;SACzB;QACD,MAAM,EAAE;YACN,QAAQ,EAAE;gBACR,KAAK,EAAE,UAAU;gBACjB,UAAU,EAAE,0BAA0B;gBACtC,YAAY,EAAE,0BAA0B;gBACxC,MAAM,EAAE,WAAW;gBACnB,QAAQ,EAAE;oBACR;wBACE,EAAE,EAAE,IAAI;wBACR,QAAQ,EAAE,MAAM;wBAChB,QAAQ,EAAE,YAAY;wBACtB,WAAW,EAAE,8BAA8B;wBAC3C,QAAQ,EAAE,GAAG;wBACb,UAAU,EAAE,EAAE;wBACd,aAAa,EAAE,EAAE;wBACjB,UAAU,EAAE,0BAA0B;qBACvC;iBACF;aACF;SACF;QACD,mBAAmB,EAAE,EAAE;QACvB,mBAAmB,EAAE,EAAE;KACxB,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,qEAAqE,EAAE,GAAG,EAAE;IACnF,IAAI,GAAW,CAAC;IAChB,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,WAAW,CAAC,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IACH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qFAAqF,EAAE,KAAK,IAAI,EAAE;QACnG,mDAAmD;QACnD,MAAM,cAAc,CAAC,GAAG,EAAE,EAAE,YAAY,EAAE,WAAW,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC9F,MAAM,cAAc,CAAC,GAAG,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACxF,MAAM,UAAU,GAAG,MAAM,qBAAqB,CAAC,GAAG,CAAC,CAAC;QACpD,MAAM,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAE3C,gFAAgF;QAChF,MAAM,IAAI,GAAG,8BAA8B,CAAC,aAAa,EAAE,EAAE;YAC3D,WAAW,EAAE,QAAQ;YACrB,QAAQ,EAAE,0BAA0B;YACpC,SAAS,EAAE,0BAA0B;YACrC,aAAa,EAAE,WAAW;YAC1B,oBAAoB,EAAE,CAAC,WAAW,EAAE,aAAa,CAAC;YAClD,UAAU;SACX,CAAC,CAAC;QAEH,8DAA8D;QAC9D,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC;YAC5E,WAAW;YACX,aAAa;SACd,CAAC,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAClF,0DAA0D;QAC1D,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,UAAU,CAAC,MAAM,CAC9D,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,cAAc,EAC9B,CAAC,CACF,CAAC;QACF,MAAM,CAAC,WAAW,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAEvC,iDAAiD;QACjD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAC5F,IAAI,CACL,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAChD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;QAEvE,qCAAqC;QACrC,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC;QAC7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/certification/agent-certificate-map.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=agent-certificate-map.test.d.ts.map

package/dist/__tests__/certification/agent-certificate-map.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-certificate-map.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/certification/agent-certificate-map.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/certification/agent-certificate-map.test.js

@@ -0,0 +1,107 @@
+import { describe, it, expect } from "vitest";
+import { certificationToCertificateBody, baselineCertificateBody, } from "../../certification/agent-certificate-map.js";
+import { finalizeCertificate, verifyCertificate, } from "../../certification/agent-certificate.js";
+const opts = {
+    toolVersion: "2.14.0",
+    issuedAt: "2026-06-11T00:00:00.000Z",
+    expiresAt: "2026-09-09T00:00:00.000Z",
+    certificateId: "vac_map_0001",
+};
+function fakeCertification() {
+    return {
+        metadata: {
+            id: "cert_1",
+            project_name: "demo-agent",
+            project_path: "/tmp/demo-agent",
+            started_at: "2026-06-11T00:00:00.000Z",
+            completed_at: "2026-06-11T00:05:00.000Z",
+            status: "completed",
+            agents_requested: ["security", "quality"],
+            agents_completed: ["security", "quality"],
+            certification_level: "APPROVED",
+            final_score: 82,
+            project_hash: "abc123def456",
+        },
+        agents: {
+            security: {
+                agent: "security",
+                started_at: "2026-06-11T00:00:00.000Z",
+                completed_at: "2026-06-11T00:03:00.000Z",
+                status: "completed",
+                findings: [
+                    {
+                        id: "f1",
+                        severity: "high",
+                        category: "prompt-injection",
+                        file: "src/agent.ts",
+                        line: 42,
+                        description: "Untrusted input flows into the system prompt",
+                        evidence: "…",
+                        confidence: 90,
+                        verifications: [],
+                        created_at: "2026-06-11T00:01:00.000Z",
+                    },
+                    {
+                        id: "f2",
+                        severity: "low",
+                        category: "logging-failure",
+                        description: "Missing structured logging",
+                        evidence: "…",
+                        confidence: 70,
+                        verifications: [],
+                        created_at: "2026-06-11T00:02:00.000Z",
+                    },
+                ],
+            },
+            quality: {
+                agent: "quality",
+                started_at: "2026-06-11T00:00:00.000Z",
+                completed_at: "2026-06-11T00:04:00.000Z",
+                status: "completed",
+                findings: [],
+            },
+        },
+        cross_verifications: [],
+        red_team_challenges: [],
+    };
+}
+describe("certificationToCertificateBody", () => {
+    it("maps a real certification into a verifiable certificate", async () => {
+        const body = certificationToCertificateBody(fakeCertification(), opts);
+        expect(body.subject.name).toBe("demo-agent");
+        expect(body.subject.digest).toBe("abc123def456");
+        expect(body.level).toBe("APPROVED");
+        expect(body.overallScore).toBe(82);
+        // security has a high finding -> fail status, surfaced as a check
+        expect(body.dimensions.security.status).toBe("fail");
+        expect(body.dimensions.security.checks.some((c) => c.category === "prompt-injection")).toBe(true);
+        // quality had no findings -> pass
+        expect(body.dimensions.quality.status).toBe("pass");
+        // compliance not run -> not_assessed (never fabricated)
+        expect(body.dimensions.compliance.status).toBe("not_assessed");
+        const cert = await finalizeCertificate(body);
+        const result = await verifyCertificate(cert);
+        expect(result.valid).toBe(true);
+    });
+    it("surfaces the most severe findings first and caps the list", () => {
+        const c = fakeCertification();
+        const body = certificationToCertificateBody(c, opts);
+        expect(body.dimensions.security.checks[0].severity).toBe("high");
+    });
+    it("baseline body is honest — all dimensions not_assessed and verifiable", async () => {
+        const body = baselineCertificateBody({
+            ...opts,
+            subjectName: "fresh-agent",
+            subjectKind: "agent",
+            identifier: "/tmp/fresh-agent",
+        });
+        expect(body.overallScore).toBe(0);
+        expect(body.level).toBe("REVIEW_REQUIRED");
+        for (const dim of Object.values(body.dimensions)) {
+            expect(dim.status).toBe("not_assessed");
+        }
+        const cert = await finalizeCertificate(body);
+        expect((await verifyCertificate(cert)).valid).toBe(true);
+    });
+});
+//# sourceMappingURL=agent-certificate-map.test.js.map

package/dist/__tests__/certification/agent-certificate-map.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-certificate-map.test.js","sourceRoot":"","sources":["../../../src/__tests__/certification/agent-certificate-map.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EACL,8BAA8B,EAC9B,uBAAuB,GACxB,MAAM,8CAA8C,CAAC;AACtD,OAAO,EACL,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,0CAA0C,CAAC;AAGlD,MAAM,IAAI,GAAG;IACX,WAAW,EAAE,QAAQ;IACrB,QAAQ,EAAE,0BAA0B;IACpC,SAAS,EAAE,0BAA0B;IACrC,aAAa,EAAE,cAAc;CAC9B,CAAC;AAEF,SAAS,iBAAiB;IACxB,OAAO;QACL,QAAQ,EAAE;YACR,EAAE,EAAE,QAAQ;YACZ,YAAY,EAAE,YAAY;YAC1B,YAAY,EAAE,iBAAiB;YAC/B,UAAU,EAAE,0BAA0B;YACtC,YAAY,EAAE,0BAA0B;YACxC,MAAM,EAAE,WAAW;YACnB,gBAAgB,EAAE,CAAC,UAAU,EAAE,SAAS,CAAC;YACzC,gBAAgB,EAAE,CAAC,UAAU,EAAE,SAAS,CAAC;YACzC,mBAAmB,EAAE,UAAU;YAC/B,WAAW,EAAE,EAAE;YACf,YAAY,EAAE,cAAc;SAC7B;QACD,MAAM,EAAE;YACN,QAAQ,EAAE;gBACR,KAAK,EAAE,UAAU;gBACjB,UAAU,EAAE,0BAA0B;gBACtC,YAAY,EAAE,0BAA0B;gBACxC,MAAM,EAAE,WAAW;gBACnB,QAAQ,EAAE;oBACR;wBACE,EAAE,EAAE,IAAI;wBACR,QAAQ,EAAE,MAAM;wBAChB,QAAQ,EAAE,kBAAkB;wBAC5B,IAAI,EAAE,cAAc;wBACpB,IAAI,EAAE,EAAE;wBACR,WAAW,EAAE,8CAA8C;wBAC3D,QAAQ,EAAE,GAAG;wBACb,UAAU,EAAE,EAAE;wBACd,aAAa,EAAE,EAAE;wBACjB,UAAU,EAAE,0BAA0B;qBACvC;oBACD;wBACE,EAAE,EAAE,IAAI;wBACR,QAAQ,EAAE,KAAK;wBACf,QAAQ,EAAE,iBAAiB;wBAC3B,WAAW,EAAE,4BAA4B;wBACzC,QAAQ,EAAE,GAAG;wBACb,UAAU,EAAE,EAAE;wBACd,aAAa,EAAE,EAAE;wBACjB,UAAU,EAAE,0BAA0B;qBACvC;iBACF;aACF;YACD,OAAO,EAAE;gBACP,KAAK,EAAE,SAAS;gBAChB,UAAU,EAAE,0BAA0B;gBACtC,YAAY,EAAE,0BAA0B;gBACxC,MAAM,EAAE,WAAW;gBACnB,QAAQ,EAAE,EAAE;aACb;SACF;QACD,mBAAmB,EAAE,EAAE;QACvB,mBAAmB,EAAE,EAAE;KACxB,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,IAAI,GAAG,8BAA8B,CAAC,iBAAiB,EAAE,EAAE,IAAI,CAAC,CAAC;QACvE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC7C,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACjD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACpC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnC,kEAAkE;QAClE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClG,kCAAkC;QAClC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACpD,wDAAwD;QACxD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAE/D,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC;QAC7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,MAAM,CAAC,GAAG,iBAAiB,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,8BAA8B,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;QACrD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,KAAK,IAAI,EAAE;QACpF,MAAM,IAAI,GAAG,uBAAuB,CAAC;YACnC,GAAG,IAAI;YACP,WAAW,EAAE,aAAa;YAC1B,WAAW,EAAE,OAAO;YACpB,UAAU,EAAE,kBAAkB;SAC/B,CAAC,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAC3C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YACjD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAC1C,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAC7C,MAAM,CAAC,CAAC,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/certification/agent-certificate.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=agent-certificate.test.d.ts.map

package/dist/__tests__/certification/agent-certificate.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-certificate.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/certification/agent-certificate.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/certification/agent-certificate.test.js

@@ -0,0 +1,78 @@
+import { describe, it, expect } from "vitest";
+import { finalizeCertificate, verifyCertificate, canonicalize, computeContentDigest, parseCertificate, CertificateError, AgentCertificateSchema, AGENT_CERTIFICATE_SCHEMA, } from "../../certification/agent-certificate.js";
+import { buildSampleCertificateBody } from "../../certification/agent-certificate-sample.js";
+const sampleOpts = {
+    toolVersion: "2.14.0",
+    issuedAt: "2026-06-11T00:00:00.000Z",
+    expiresAt: "2026-09-09T00:00:00.000Z",
+    certificateId: "vac_test_0001",
+};
+function body() {
+    return buildSampleCertificateBody(sampleOpts);
+}
+describe("agent certificate", () => {
+    it("finalizes a valid body with a content digest", async () => {
+        const cert = await finalizeCertificate(body());
+        expect(cert.schemaVersion).toBe(AGENT_CERTIFICATE_SCHEMA);
+        expect(cert.integrity.algorithm).toBe("sha256");
+        expect(cert.integrity.contentDigest).toMatch(/^[a-f0-9]{64}$/);
+        // digest is over the body alone (no signature when unsigned)
+        expect(cert.signature).toBeUndefined();
+    });
+    it("produces a deterministic digest regardless of key order", async () => {
+        const a = await finalizeCertificate(body());
+        // shuffle top-level key order of the body
+        const shuffled = Object.fromEntries(Object.entries(body()).reverse());
+        const b = await finalizeCertificate(shuffled);
+        expect(a.integrity.contentDigest).toBe(b.integrity.contentDigest);
+    });
+    it("verifies an untampered certificate", async () => {
+        const cert = await finalizeCertificate(body());
+        const result = await verifyCertificate(cert);
+        expect(result.valid).toBe(true);
+        expect(result.schemaValid).toBe(true);
+        expect(result.contentDigestValid).toBe(true);
+        expect(result.signaturePresent).toBe(false);
+    });
+    it("detects tampering — any field change breaks the digest", async () => {
+        const cert = await finalizeCertificate(body());
+        const tampered = { ...cert, overallScore: 100 };
+        const result = await verifyCertificate(tampered);
+        expect(result.contentDigestValid).toBe(false);
+        expect(result.valid).toBe(false);
+        expect(result.errors.join(" ")).toMatch(/digest mismatch/i);
+    });
+    it("detects tampering inside a nested dimension", async () => {
+        const cert = await finalizeCertificate(body());
+        const tampered = JSON.parse(JSON.stringify(cert));
+        tampered.dimensions.security.score = 10;
+        const result = await verifyCertificate(tampered);
+        expect(result.valid).toBe(false);
+    });
+    it("rejects a structurally invalid certificate", async () => {
+        const result = await verifyCertificate({ not: "a certificate" });
+        expect(result.valid).toBe(false);
+        expect(result.schemaValid).toBe(false);
+    });
+    it("round-trips through parseCertificate", async () => {
+        const cert = await finalizeCertificate(body());
+        const json = JSON.parse(JSON.stringify(cert));
+        const parsed = parseCertificate(json);
+        expect(parsed.certificateId).toBe(cert.certificateId);
+    });
+    it("throws a typed error for an invalid body", async () => {
+        const bad = { ...body(), overallScore: 999 };
+        await expect(finalizeCertificate(bad)).rejects.toBeInstanceOf(CertificateError);
+    });
+    it("the sample body validates against the full schema once finalized", async () => {
+        const cert = await finalizeCertificate(body());
+        expect(AgentCertificateSchema.safeParse(cert).success).toBe(true);
+    });
+    it("canonicalize + computeContentDigest agree with finalize", async () => {
+        const b = body();
+        const cert = await finalizeCertificate(b);
+        expect(computeContentDigest(b)).toBe(cert.integrity.contentDigest);
+        expect(typeof canonicalize(b)).toBe("string");
+    });
+});
+//# sourceMappingURL=agent-certificate.test.js.map

package/dist/__tests__/certification/agent-certificate.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-certificate.test.js","sourceRoot":"","sources":["../../../src/__tests__/certification/agent-certificate.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,sBAAsB,EACtB,wBAAwB,GACzB,MAAM,0CAA0C,CAAC;AAClD,OAAO,EAAE,0BAA0B,EAAE,MAAM,iDAAiD,CAAC;AAE7F,MAAM,UAAU,GAAG;IACjB,WAAW,EAAE,QAAQ;IACrB,QAAQ,EAAE,0BAA0B;IACpC,SAAS,EAAE,0BAA0B;IACrC,aAAa,EAAE,eAAe;CAC/B,CAAC;AAEF,SAAS,IAAI;IACX,OAAO,0BAA0B,CAAC,UAAU,CAAC,CAAC;AAChD,CAAC;AAED,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,IAAI,EAAE,CAAC,CAAC;QAC/C,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QAC1D,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAChD,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QAC/D,6DAA6D;QAC7D,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,aAAa,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,CAAC,GAAG,MAAM,mBAAmB,CAAC,IAAI,EAAE,CAAC,CAAC;QAC5C,0CAA0C;QAC1C,MAAM,QAAQ,GAAG,MAAM,CAAC,WAAW,CACjC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE,CACN,CAAC;QAC7B,MAAM,CAAC,GAAG,MAAM,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAC9C,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,IAAI,EAAE,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC;QAC7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7C,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,IAAI,EAAE,CAAC,CAAC;QAC/C,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC;QAChD,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,IAAI,EAAE,CAAC,CAAC;QAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;QAClD,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,GAAG,EAAE,CAAC;QACxC,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,EAAE,GAAG,EAAE,eAAe,EAAE,CAAC,CAAC;QACjE,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,IAAI,EAAE,CAAC,CAAC;QAC/C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;QAC9C,MAAM,MAAM,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,MAAM,GAAG,GAAG,EAAE,GAAG,IAAI,EAAE,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC;QAC7C,MAAM,MAAM,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,gBAAgB,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,IAAI,EAAE,CAAC,CAAC;QAC/C,MAAM,CAAC,sBAAsB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,CAAC,CAAC,CAAC;QAC1C,MAAM,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QACnE,MAAM,CAAC,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/certification/verify-endpoint.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=verify-endpoint.test.d.ts.map

package/dist/__tests__/certification/verify-endpoint.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-endpoint.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/certification/verify-endpoint.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/certification/verify-endpoint.test.js

@@ -0,0 +1,81 @@
+import { describe, it, expect, beforeAll } from "vitest";
+import { finalizeCertificate, AGENT_CERTIFICATE_SCHEMA, } from "../../certification/agent-certificate.js";
+import { verifyCertificatePayload } from "../../certification/verify-endpoint.js";
+const NOW = new Date("2026-06-15T00:00:00.000Z");
+function bodyFixture(over = {}) {
+    const dim = {
+        status: "pass",
+        score: 95,
+        summary: "ok",
+        checks: [],
+    };
+    return {
+        schemaVersion: AGENT_CERTIFICATE_SCHEMA,
+        certificateId: "vac_test_0001",
+        subject: { kind: "mcp-server", name: "test-subject", version: "1.0.0" },
+        issuer: { name: "Vaspera", tool: "vaspera-hardening", toolVersion: "2.14.0" },
+        issuedAt: "2026-06-10T00:00:00.000Z",
+        expiresAt: "2026-09-10T00:00:00.000Z",
+        level: "CERTIFIED",
+        overallScore: 95,
+        dimensions: {
+            security: dim,
+            scalability: dim,
+            quality: dim,
+            explainability: dim,
+            compliance: { status: "pass", score: 95, summary: "ok", frameworks: [] },
+            aiBom: { status: "pass", score: 95, summary: "ok", components: [] },
+        },
+        provenance: {},
+        evidence: [],
+        ...over,
+    };
+}
+describe("verifyCertificatePayload", () => {
+    let validCert;
+    beforeAll(async () => {
+        validCert = await finalizeCertificate(bodyFixture());
+    });
+    it("verifies a well-formed, untampered certificate", async () => {
+        const r = await verifyCertificatePayload(validCert, NOW);
+        expect(r.valid).toBe(true);
+        expect(r.schemaValid).toBe(true);
+        expect(r.contentDigestValid).toBe(true);
+        expect(r.summary).toMatch(/^VALID/);
+    });
+    it("surfaces the certificate's claims when structurally valid", async () => {
+        const r = await verifyCertificatePayload(validCert, NOW);
+        expect(r.claims).toBeDefined();
+        expect(r.claims.subject.name).toBe("test-subject");
+        expect(r.claims.level).toBe("CERTIFIED");
+        expect(r.claims.overallScore).toBe(95);
+    });
+    it("rejects a tampered certificate (digest mismatch)", async () => {
+        const tampered = JSON.parse(JSON.stringify(validCert));
+        tampered.overallScore = 100; // mutate body without recomputing the digest
+        const r = await verifyCertificatePayload(tampered, NOW);
+        expect(r.valid).toBe(false);
+        expect(r.contentDigestValid).toBe(false);
+        expect(r.summary).toMatch(/tampered/i);
+    });
+    it("rejects a non-certificate document", async () => {
+        const r = await verifyCertificatePayload({ hello: "world" }, NOW);
+        expect(r.valid).toBe(false);
+        expect(r.schemaValid).toBe(false);
+        expect(r.summary).toMatch(/not a well-formed/i);
+    });
+    it("flags an expired certificate as VALID but EXPIRED", async () => {
+        const expired = await finalizeCertificate(bodyFixture({ expiresAt: "2026-01-01T00:00:00.000Z" }));
+        const r = await verifyCertificatePayload(expired, NOW);
+        expect(r.valid).toBe(true); // integrity is independent of expiry
+        expect(r.expired).toBe(true);
+        expect(r.warnings.some((w) => /expired/i.test(w))).toBe(true);
+        expect(r.summary).toMatch(/EXPIRED/);
+    });
+    it("warns that a digest-only certificate is unsigned", async () => {
+        const r = await verifyCertificatePayload(validCert, NOW);
+        expect(r.signaturePresent).toBe(false);
+        expect(r.warnings.some((w) => /unsigned/i.test(w))).toBe(true);
+    });
+});
+//# sourceMappingURL=verify-endpoint.test.js.map

package/dist/__tests__/certification/verify-endpoint.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-endpoint.test.js","sourceRoot":"","sources":["../../../src/__tests__/certification/verify-endpoint.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzD,OAAO,EACL,mBAAmB,EAEnB,wBAAwB,GACzB,MAAM,0CAA0C,CAAC;AAClD,OAAO,EAAE,wBAAwB,EAAE,MAAM,wCAAwC,CAAC;AAElF,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,0BAA0B,CAAC,CAAC;AAEjD,SAAS,WAAW,CAAC,OAAsC,EAAE;IAC3D,MAAM,GAAG,GAAG;QACV,MAAM,EAAE,MAAe;QACvB,KAAK,EAAE,EAAE;QACT,OAAO,EAAE,IAAI;QACb,MAAM,EAAE,EAAE;KACX,CAAC;IACF,OAAO;QACL,aAAa,EAAE,wBAAwB;QACvC,aAAa,EAAE,eAAe;QAC9B,OAAO,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,EAAE;QACvE,MAAM,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,mBAAmB,EAAE,WAAW,EAAE,QAAQ,EAAE;QAC7E,QAAQ,EAAE,0BAA0B;QACpC,SAAS,EAAE,0BAA0B;QACrC,KAAK,EAAE,WAAW;QAClB,YAAY,EAAE,EAAE;QAChB,UAAU,EAAE;YACV,QAAQ,EAAE,GAAG;YACb,WAAW,EAAE,GAAG;YAChB,OAAO,EAAE,GAAG;YACZ,cAAc,EAAE,GAAG;YACnB,UAAU,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE;YACxE,KAAK,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE;SACpE;QACD,UAAU,EAAE,EAAE;QACd,QAAQ,EAAE,EAAE;QACZ,GAAG,IAAI;KACR,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;IACxC,IAAI,SAAkB,CAAC;IAEvB,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,SAAS,GAAG,MAAM,mBAAmB,CAAC,WAAW,EAAE,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,CAAC,GAAG,MAAM,wBAAwB,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACzD,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3B,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,CAAC,GAAG,MAAM,wBAAwB,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACzD,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;QAC/B,MAAM,CAAC,CAAC,CAAC,MAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACpD,MAAM,CAAC,CAAC,CAAC,MAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC1C,MAAM,CAAC,CAAC,CAAC,MAAO,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC;QACvD,QAAQ,CAAC,YAAY,GAAG,GAAG,CAAC,CAAC,6CAA6C;QAC1E,MAAM,CAAC,GAAG,MAAM,wBAAwB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QACxD,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5B,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,CAAC,GAAG,MAAM,wBAAwB,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,GAAG,CAAC,CAAC;QAClE,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5B,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAClC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,OAAO,GAAG,MAAM,mBAAmB,CACvC,WAAW,CAAC,EAAE,SAAS,EAAE,0BAA0B,EAAE,CAAC,CACvD,CAAC;QACF,MAAM,CAAC,GAAG,MAAM,wBAAwB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACvD,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,qCAAqC;QACjE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,CAAC,GAAG,MAAM,wBAAwB,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACzD,MAAM,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/compliance/ai-frameworks.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=ai-frameworks.test.d.ts.map

package/dist/__tests__/compliance/ai-frameworks.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ai-frameworks.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/compliance/ai-frameworks.test.ts"],"names":[],"mappings":""}