wyrm-mcp 7.2.0 → 7.2.2

package/dist/audit.js

@@ -1,460 +1,5 @@
-/**
- * Compliance audit trail (Tier 3.9) — per-agent attribution + versioned
- * Ed25519 signing (v7 F2, T010).
- *
- * Hash-chained event log: each row records sha256(prev_hash || payload ||
- * timestamp). Tampering with any historical entry breaks the chain.
- * Optional Ed25519 signing layered on top provides a SOC2 / HIPAA-grade
- * audit surface — every AI decision, prompt, tool call, code edit, with
- * the prompt that caused it.
- *
- * `wyrm_audit_export(range)` produces a tamper-evident JSON bundle that
- * an external auditor can verify offline:
- *   1. Recompute the hash chain from genesis through the range.
- *   2. Verify Ed25519 signatures against the operator's public key(s).
- *   3. Confirm no gaps in IDs.
- *
- * ## Signed-payload versioning (v7 F2, T010)
- *
- * Migration 20's `agent_id`/`run_id` columns are NOT part of the hash-chain
- * input — the chain rule is byte-identical to 6.x:
- *
- *     row_hash = sha256(`${prev_hash}|${event_kind}|${payload_json}|${logged_at}`)
- *
- * so a 6.x DB opened under v7 keeps verifying and the v1→v2 transition can
- * never break the chain (old rows verify as v1, new rows as v2, one chain).
- * Attribution is instead bound TAMPER-EVIDENTLY into the Ed25519 signature
- * via a payload-version byte:
- *
- *   v1 (legacy 6.x): signed message  = utf8(row_hash)          — no attribution
- *                    stored signature = bare base64 (unchanged on old rows)
- *   v2 (v7):         signed message  = 0x02 ‖ utf8(JSON.stringify(
- *                        { row_hash, agent_id, run_id }))      — attribution bound
- *                    stored signature = `v2:<key_fp16>:<base64>`
- *
- * The leading 0x02 version byte domain-separates the payloads (a v1 message
- * is 64 ASCII-hex bytes and can never begin with 0x02), and the canonical
- * JSON body (fixed key order, NULLs preserved) makes the agent_id/run_id
- * field boundaries unambiguous — no delimiter-shifting forgeries.
- * `key_fp16` = first 16 hex chars of sha256(SPKI DER of the signing public
- * key): the "which key" answer, claimed in the row and CONFIRMED whenever
- * public keys are handed to `verify()`.
- *
- * ## The rule for 6.x verifiers (explicit — locked by tests/audit-attribution.test.ts)
- *
- * The verify structure 6.x actually shipped (`verify()` / `verifyBundle()`)
- * checks ONLY the hash chain and never parses the `signature` column.
- * Therefore:
- *   (a) a 6.x verifier verifies BOTH v1 and v2 rows exactly as today — the
- *       chain rule is unchanged, mixed v1/v2 chains pass, and exported
- *       bundles remain version-1 bundles that 6.x `verifyBundle()` accepts;
- *   (b) a 6.x auditor's out-of-band Ed25519 step ("signature of the
- *       row_hash") FAILS CLOSED on a v2 row: the stored `v2:`-prefixed value
- *       is not the base64 of an Ed25519 signature over the row_hash, so the
- *       6.x signature check reports INVALID — it can never silently accept a
- *       v7 signature (and so can never silently accept forged attribution).
- *       The chain walk itself stays green.
- *
- * Signing is OPT-IN (Articles I & VII): no key configured → rows are written
- * unsigned, byte-identical to 6.x behavior. `WYRM_AUDIT_SIGNING_KEY` holds a
- * PEM-encoded (pkcs8) Ed25519 private key, or a path to one.
- *
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- * @license AGPL-3.0-or-later — dual-licensed; commercial terms: ghosts.lk@proton.me. See LICENSE.
- */
-import { createHash, createPrivateKey, createPublicKey, sign as edSign, verify as edVerify, } from 'crypto';
-import { readFileSync } from 'fs';
-import { getActor } from './handlers/boundary.js';
-import { resolveAttribution } from './attribution.js';
-const GENESIS_HASH = 'genesis';
-// ==================== v7 F2 (T010) — versioned signed payload ====================
-/** Stored-signature prefix marking a v2 (attribution-binding) signature. */
-export const AUDIT_SIG_V2_PREFIX = 'v2:';
-/** The payload-version byte prepended to the v2 signed message. */
-const V2_VERSION_BYTE = 0x02;
-/** Hex chars of sha256(SPKI DER) used as the key fingerprint. */
-const KEY_FP_LEN = 16;
-const KEY_FP_RE = new RegExp(`^[0-9a-f]{${KEY_FP_LEN}}$`);
-/**
- * Classify a stored signature string by payload version.
- * Bare base64 (anything without the `v2:` prefix) = v1 legacy; `v2:<fp>:<b64>`
- * = v2. Returns null for unsigned (NULL/empty). Never throws.
- */
-export function parseAuditSignature(signature) {
-    if (typeof signature !== 'string' || signature.length === 0)
-        return null;
-    if (signature.startsWith(AUDIT_SIG_V2_PREFIX)) {
-        const rest = signature.slice(AUDIT_SIG_V2_PREFIX.length);
-        const sep = rest.indexOf(':');
-        const fp = sep >= 0 ? rest.slice(0, sep) : '';
-        const b64 = sep >= 0 ? rest.slice(sep + 1) : '';
-        return { version: 2, key_fp: KEY_FP_RE.test(fp) ? fp : null, sig_b64: b64 };
-    }
-    return { version: 1, key_fp: null, sig_b64: signature };
-}
-/** Fingerprint of an Ed25519 public key: sha256 over the SPKI DER, first 16 hex. */
-export function auditKeyFingerprint(publicKey) {
-    const key = typeof publicKey === 'string' ? createPublicKey(publicKey) : publicKey;
-    const der = key.export({ type: 'spki', format: 'der' });
-    return createHash('sha256').update(der).digest('hex').slice(0, KEY_FP_LEN);
-}
-/**
- * Build the exact byte string an audit Ed25519 signature covers.
- *   v1: utf8(row_hash) — the legacy 6.x payload, no attribution.
- *   v2: 0x02 version byte ‖ utf8(JSON.stringify({row_hash, agent_id, run_id})).
- */
-export function buildSignedPayload(version, fields) {
-    if (version === 1)
-        return Buffer.from(fields.row_hash, 'utf-8');
-    const body = JSON.stringify({
-        row_hash: fields.row_hash,
-        agent_id: fields.agent_id ?? null,
-        run_id: fields.run_id ?? null,
-    });
-    return Buffer.concat([Buffer.from([V2_VERSION_BYTE]), Buffer.from(body, 'utf-8')]);
-}
-/** Materialize a signer from a PEM (pkcs8) Ed25519 private key; the public
- * half and fingerprint are derived. Throws on non-Ed25519 keys. */
-export function createAuditSigner(privateKeyPem) {
-    const privateKey = createPrivateKey(privateKeyPem);
-    if (privateKey.asymmetricKeyType !== 'ed25519') {
-        throw new Error(`audit signing key must be Ed25519 (got ${privateKey.asymmetricKeyType})`);
-    }
-    const pub = createPublicKey(privateKey);
-    return {
-        privateKey,
-        publicKeyPem: pub.export({ type: 'spki', format: 'pem' }).toString(),
-        key_fp: auditKeyFingerprint(pub),
-    };
-}
-/** Sign the v2 payload for a row. Returns the stored form `v2:<fp>:<base64>`. */
-export function signAuditEntry(signer, fields) {
-    const sig = edSign(null, buildSignedPayload(2, fields), signer.privateKey);
-    return `${AUDIT_SIG_V2_PREFIX}${signer.key_fp}:${sig.toString('base64')}`;
-}
-/**
- * Opt-in signer bootstrap (Articles I & VII): `WYRM_AUDIT_SIGNING_KEY` is a
- * PEM string or a path to a PEM file. Absent → null (rows stay unsigned —
- * exactly the 6.x behavior). Unusable → warn on STDERR (stdout is the MCP
- * wire) and run unsigned; never throws.
- */
-export function loadAuditSignerFromEnv(env = process.env) {
-    const raw = env.WYRM_AUDIT_SIGNING_KEY?.trim();
-    if (!raw)
-        return null;
-    try {
-        const pem = raw.includes('-----BEGIN') ? raw : readFileSync(raw, 'utf-8');
-        return createAuditSigner(pem);
-    }
-    catch (e) {
-        console.error(`[wyrm] WYRM_AUDIT_SIGNING_KEY unusable (${e.message}) — audit rows will be unsigned`);
-        return null;
-    }
-}
-/**
- * Verify ONE row's signature against a set of public keys (PEM or KeyObject).
- * Fail-closed: malformed signatures, unknown fingerprints, undecodable
- * base64, and crypto-layer rejections all report ok=false. Never throws.
- */
-export function verifyAuditEntrySignature(row, publicKeys) {
-    const parsed = parseAuditSignature(row.signature);
-    if (!parsed)
-        return { ok: true, version: null, key_fp: null };
-    const keys = [];
-    for (const k of publicKeys) {
-        try {
-            const key = typeof k === 'string' ? createPublicKey(k) : k;
-            keys.push({ key, fp: auditKeyFingerprint(key) });
-        }
-        catch { /* unusable provided key — skipped (signed rows then fail closed) */ }
-    }
-    const sig = Buffer.from(parsed.sig_b64, 'base64');
-    if (parsed.version === 2) {
-        if (!parsed.key_fp) {
-            return { ok: false, version: 2, key_fp: null, reason: 'malformed v2 signature (missing key fingerprint)' };
-        }
-        const candidates = keys.filter((k) => k.fp === parsed.key_fp);
-        if (candidates.length === 0) {
-            return { ok: false, version: 2, key_fp: parsed.key_fp, reason: `no provided key matches fingerprint ${parsed.key_fp}` };
-        }
-        const payload = buildSignedPayload(2, row);
-        for (const c of candidates) {
-            try {
-                if (edVerify(null, payload, c.key, sig))
-                    return { ok: true, version: 2, key_fp: parsed.key_fp };
-            }
-            catch { /* fail closed */ }
-        }
-        return {
-            ok: false, version: 2, key_fp: parsed.key_fp,
-            reason: 'v2 signature does not verify (row_hash/agent_id/run_id tampered or wrong key)',
-        };
-    }
-    // v1: legacy signature over the bare row_hash; no fingerprint — try every key.
-    const payload = buildSignedPayload(1, row);
-    for (const c of keys) {
-        try {
-            if (edVerify(null, payload, c.key, sig))
-                return { ok: true, version: 1, key_fp: c.fp };
-        }
-        catch { /* fail closed */ }
-    }
-    return { ok: false, version: 1, key_fp: null, reason: 'v1 signature does not verify under any provided key' };
-}
-/** Shared by verify()/verifyBundle(): version counts, who/which-run/which-key,
- * and (when keys are provided) the signature-layer check. */
-function summarizeAttribution(rows, publicKeys) {
-    const versions = { v1: 0, v2: 0, unsigned: 0 };
-    const agents = new Set();
-    const runs = new Set();
-    const keysSeen = new Set();
-    const checkSigs = Array.isArray(publicKeys) && publicKeys.length > 0;
-    // Materialize keys ONCE (not per row).
-    const materialized = [];
-    if (checkSigs) {
-        for (const k of publicKeys) {
-            try {
-                materialized.push(createPublicKey(k));
-            }
-            catch { /* skipped — fail closed below */ }
-        }
-    }
-    const report = { checked: 0, valid: 0, invalid: 0 };
-    for (const row of rows) {
-        const att = resolveAttribution(row);
-        agents.add(att.actor);
-        if (att.run_id)
-            runs.add(att.run_id);
-        const parsed = parseAuditSignature(row.signature);
-        if (!parsed)
-            versions.unsigned++;
-        else if (parsed.version === 2) {
-            versions.v2++;
-            if (parsed.key_fp)
-                keysSeen.add(parsed.key_fp);
-        }
-        else
-            versions.v1++;
-        if (checkSigs && parsed) {
-            report.checked++;
-            const res = verifyAuditEntrySignature(row, materialized);
-            if (res.ok) {
-                report.valid++;
-                if (res.key_fp)
-                    keysSeen.add(res.key_fp);
-            }
-            else {
-                report.invalid++;
-                if (report.first_invalid_id === undefined) {
-                    report.first_invalid_id = row.id;
-                    report.reason = res.reason;
-                }
-            }
-        }
-    }
-    return {
-        payload_versions: versions,
-        attribution: { agents: [...agents].sort(), runs: [...runs].sort(), keys: [...keysSeen].sort() },
-        signatures: checkSigs ? report : undefined,
-        sigOk: !checkSigs || report.invalid === 0,
-        sigReason: report.first_invalid_id !== undefined
-            ? `signature invalid at id ${report.first_invalid_id}: ${report.reason}`
-            : undefined,
-    };
-}
-export class AuditLog {
-    db;
-    signer;
-    constructor(db, signer) {
-        this.db = db;
-        this.signer = signer ?? null;
-    }
-    /** Swap or clear the signing identity (key rotation, tests). */
-    setSigner(signer) {
-        this.signer = signer;
-    }
-    /** Get the hash of the most recent entry (or 'genesis' if empty). */
-    latestHash() {
-        const row = this.db.prepare('SELECT row_hash FROM audit_log ORDER BY id DESC LIMIT 1').get();
-        return row?.row_hash ?? GENESIS_HASH;
-    }
-    /** Append a hash-chained event. Returns the inserted row.
-     *
-     * v7 F2 review fix: the head-read + INSERT pair runs in ONE transaction
-     * declared IMMEDIATE, so BEGIN takes the cross-process write lock BEFORE
-     * latestHash() reads the chain head. Two concurrent OS processes appending
-     * (the T010 per-agent-key fleet shape — audit ops are not in
-     * DAEMON_WRITE_OPS, so fleet agents write audit_log directly) could
-     * otherwise both read head H and both insert prev_hash=H, FORKING the
-     * chain — after which verify() reports the compliance log as tampered
-     * forever on legitimate writes. */
-    log(input) {
-        const payloadJson = JSON.stringify(input.payload);
-        const loggedAt = new Date().toISOString();
-        // v7 F2 (T009): attribution columns ride beside the chained fields. The
-        // hash input is UNCHANGED (6.x verifiers keep verifying); the v2 signed
-        // payload (T010) is what binds agent_id/run_id tamper-evidently.
-        const ambient = getActor();
-        const agentId = input.agent_id !== undefined ? input.agent_id : ambient.agent_id;
-        const runId = input.run_id !== undefined ? input.run_id : ambient.run_id;
-        const append = this.db.transaction(() => {
-            const prevHash = this.latestHash();
-            const hashInput = `${prevHash}|${input.event_kind}|${payloadJson}|${loggedAt}`;
-            const rowHash = createHash('sha256').update(hashInput).digest('hex');
-            // v7 F2 (T010): explicit caller-supplied signature wins (legacy v1 path,
-            // stored as-is); otherwise a configured signer auto-signs the v2 payload.
-            const signature = input.signature != null
-                ? input.signature
-                : this.signer
-                    ? signAuditEntry(this.signer, { row_hash: rowHash, agent_id: agentId, run_id: runId })
-                    : null;
-            const info = this.db.prepare(`
+import{createHash as g,createPrivateKey as w,createPublicKey as c,sign as $,verify as y}from"crypto";import{readFileSync as R}from"fs";import{getActor as I}from"./handlers/boundary.js";import{resolveAttribution as O}from"./attribution.js";const h="genesis",p="v2:",x=2,k=16,b=new RegExp(`^[0-9a-f]{${k}}$`);function m(s){if(typeof s!="string"||s.length===0)return null;if(s.startsWith(p)){const e=s.slice(p.length),t=e.indexOf(":"),o=t>=0?e.slice(0,t):"",r=t>=0?e.slice(t+1):"";return{version:2,key_fp:b.test(o)?o:null,sig_b64:r}}return{version:1,key_fp:null,sig_b64:s}}function E(s){const t=(typeof s=="string"?c(s):s).export({type:"spki",format:"der"});return g("sha256").update(t).digest("hex").slice(0,k)}function v(s,e){if(s===1)return Buffer.from(e.row_hash,"utf-8");const t=JSON.stringify({row_hash:e.row_hash,agent_id:e.agent_id??null,run_id:e.run_id??null});return Buffer.concat([Buffer.from([x]),Buffer.from(t,"utf-8")])}function A(s){const e=w(s);if(e.asymmetricKeyType!=="ed25519")throw new Error(`audit signing key must be Ed25519 (got ${e.asymmetricKeyType})`);const t=c(e);return{privateKey:e,publicKeyPem:t.export({type:"spki",format:"pem"}).toString(),key_fp:E(t)}}function D(s,e){const t=$(null,v(2,e),s.privateKey);return`${p}${s.key_fp}:${t.toString("base64")}`}function Y(s=process.env){const e=s.WYRM_AUDIT_SIGNING_KEY?.trim();if(!e)return null;try{const t=e.includes("-----BEGIN")?e:R(e,"utf-8");return A(t)}catch(t){return console.error(`[wyrm] WYRM_AUDIT_SIGNING_KEY unusable (${t.message}) \u2014 audit rows will be unsigned`),null}}function T(s,e){const t=m(s.signature);if(!t)return{ok:!0,version:null,key_fp:null};const o=[];for(const n of e)try{const d=typeof n=="string"?c(n):n;o.push({key:d,fp:E(d)})}catch{}const r=Buffer.from(t.sig_b64,"base64");if(t.version===2){if(!t.key_fp)return{ok:!1,version:2,key_fp:null,reason:"malformed v2 signature (missing key fingerprint)"};const n=o.filter(a=>a.fp===t.key_fp);if(n.length===0)return{ok:!1,version:2,key_fp:t.key_fp,reason:`no provided key matches fingerprint ${t.key_fp}`};const d=v(2,s);for(const a of n)try{if(y(null,d,a.key,r))return{ok:!0,version:2,key_fp:t.key_fp}}catch{}return{ok:!1,version:2,key_fp:t.key_fp,reason:"v2 signature does not verify (row_hash/agent_id/run_id tampered or wrong key)"}}const i=v(1,s);for(const n of o)try{if(y(null,i,n.key,r))return{ok:!0,version:1,key_fp:n.fp}}catch{}return{ok:!1,version:1,key_fp:null,reason:"v1 signature does not verify under any provided key"}}function S(s,e){const t={v1:0,v2:0,unsigned:0},o=new Set,r=new Set,i=new Set,n=Array.isArray(e)&&e.length>0,d=[];if(n)for(const l of e)try{d.push(c(l))}catch{}const a={checked:0,valid:0,invalid:0};for(const l of s){const f=O(l);o.add(f.actor),f.run_id&&r.add(f.run_id);const _=m(l.signature);if(_?_.version===2?(t.v2++,_.key_fp&&i.add(_.key_fp)):t.v1++:t.unsigned++,n&&_){a.checked++;const u=T(l,d);u.ok?(a.valid++,u.key_fp&&i.add(u.key_fp)):(a.invalid++,a.first_invalid_id===void 0&&(a.first_invalid_id=l.id,a.reason=u.reason))}}return{payload_versions:t,attribution:{agents:[...o].sort(),runs:[...r].sort(),keys:[...i].sort()},signatures:n?a:void 0,sigOk:!n||a.invalid===0,sigReason:a.first_invalid_id!==void 0?`signature invalid at id ${a.first_invalid_id}: ${a.reason}`:void 0}}class C{db;signer;constructor(e,t){this.db=e,this.signer=t??null}setSigner(e){this.signer=e}latestHash(){return this.db.prepare("SELECT row_hash FROM audit_log ORDER BY id DESC LIMIT 1").get()?.row_hash??h}log(e){const t=JSON.stringify(e.payload),o=new Date().toISOString(),r=I(),i=e.agent_id!==void 0?e.agent_id:r.agent_id,n=e.run_id!==void 0?e.run_id:r.run_id,d=this.db.transaction(()=>{const a=this.latestHash(),l=`${a}|${e.event_kind}|${t}|${o}`,f=g("sha256").update(l).digest("hex"),_=e.signature!=null?e.signature:this.signer?D(this.signer,{row_hash:f,agent_id:i,run_id:n}):null;return this.db.prepare(`
         INSERT INTO audit_log
           (event_kind, actor, project_id, payload_json, prev_hash, row_hash, signature, logged_at, agent_id, run_id)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-      `).run(input.event_kind, input.actor ?? null, input.project_id ?? null, payloadJson, prevHash, rowHash, signature, loggedAt, agentId, runId);
-            return info.lastInsertRowid;
-        });
-        return this.get(append.immediate());
-    }
-    get(id) {
-        return this.db.prepare('SELECT * FROM audit_log WHERE id = ?').get(id) ?? null;
-    }
-    /** Verify the entire chain from the first row through the latest.
-     * Useful for periodic self-audits.
-     *
-     * v7 F2 (T010): pass `publicKeys` (PEM strings) to additionally verify the
-     * Ed25519 signature layer; the report then answers who / which-run /
-     * which-key. Without keys the result is the 6.x chain-only semantics plus
-     * the attribution summary. */
-    verify(opts) {
-        const rows = this.db.prepare('SELECT * FROM audit_log ORDER BY id ASC').all();
-        if (rows.length === 0) {
-            return {
-                ok: true, total: 0, verified: 0,
-                payload_versions: { v1: 0, v2: 0, unsigned: 0 },
-                attribution: { agents: [], runs: [], keys: [] },
-                ...(opts?.publicKeys?.length ? { signatures: { checked: 0, valid: 0, invalid: 0 } } : {}),
-            };
-        }
-        let expectedPrev = GENESIS_HASH;
-        for (const row of rows) {
-            if (row.prev_hash !== expectedPrev) {
-                return {
-                    ok: false, total: rows.length, verified: row.id - 1,
-                    first_invalid_id: row.id,
-                    reason: `prev_hash mismatch: expected ${expectedPrev}, got ${row.prev_hash}`,
-                };
-            }
-            const recomputed = createHash('sha256')
-                .update(`${row.prev_hash}|${row.event_kind}|${row.payload_json}|${row.logged_at}`)
-                .digest('hex');
-            if (recomputed !== row.row_hash) {
-                return {
-                    ok: false, total: rows.length, verified: row.id - 1,
-                    first_invalid_id: row.id,
-                    reason: `row_hash mismatch at id ${row.id}: recomputed ${recomputed}, stored ${row.row_hash}`,
-                };
-            }
-            expectedPrev = row.row_hash;
-        }
-        const s = summarizeAttribution(rows, opts?.publicKeys);
-        return {
-            ok: s.sigOk,
-            total: rows.length,
-            verified: rows.length,
-            ...(s.sigOk ? {} : { reason: s.sigReason }),
-            payload_versions: s.payload_versions,
-            attribution: s.attribution,
-            ...(s.signatures ? { signatures: s.signatures } : {}),
-        };
-    }
-    /** Export a date-ranged tamper-evident bundle. Range is inclusive on
-     * both ends. Verification still walks from genesis to ensure no gaps. */
-    export(opts) {
-        const params = [];
-        let where = '';
-        if (opts.range_start) {
-            where += ' AND logged_at >= ?';
-            params.push(opts.range_start);
-        }
-        if (opts.range_end) {
-            where += ' AND logged_at <= ?';
-            params.push(opts.range_end);
-        }
-        const entries = this.db.prepare(`SELECT * FROM audit_log WHERE 1=1 ${where} ORDER BY id ASC`).all(...params);
-        return {
-            version: 1,
-            range: {
-                start: opts.range_start ?? entries[0]?.logged_at ?? new Date(0).toISOString(),
-                end: opts.range_end ?? entries[entries.length - 1]?.logged_at ?? new Date().toISOString(),
-            },
-            exported_at: new Date().toISOString(),
-            entry_count: entries.length,
-            first_id: entries[0]?.id ?? null,
-            last_id: entries[entries.length - 1]?.id ?? null,
-            genesis_prev_hash: entries[0]?.prev_hash ?? GENESIS_HASH,
-            final_row_hash: entries[entries.length - 1]?.row_hash ?? GENESIS_HASH,
-            entries,
-        };
-    }
-    /** Statically verify a previously-exported bundle (no DB required).
-     * Useful for the external auditor who only has the JSON file.
-     *
-     * The chain walk is the unchanged 6.x structure — it never parses
-     * signatures, so mixed v1/v2 bundles verify exactly as they did under 6.x.
-     * v7 F2 (T010): optional `publicKeys` adds the signature-layer check, same
-     * as the instance `verify()`. */
-    static verifyBundle(bundle, opts) {
-        if (bundle.version !== 1) {
-            return { ok: false, total: bundle.entry_count, verified: 0, reason: `Unknown bundle version ${bundle.version}` };
-        }
-        let expectedPrev = bundle.genesis_prev_hash;
-        let verified = 0;
-        for (const row of bundle.entries) {
-            if (row.prev_hash !== expectedPrev) {
-                return {
-                    ok: false, total: bundle.entries.length, verified,
-                    first_invalid_id: row.id,
-                    reason: `prev_hash mismatch: expected ${expectedPrev}, got ${row.prev_hash}`,
-                };
-            }
-            const recomputed = createHash('sha256')
-                .update(`${row.prev_hash}|${row.event_kind}|${row.payload_json}|${row.logged_at}`)
-                .digest('hex');
-            if (recomputed !== row.row_hash) {
-                return {
-                    ok: false, total: bundle.entries.length, verified,
-                    first_invalid_id: row.id,
-                    reason: `row_hash mismatch at id ${row.id}`,
-                };
-            }
-            expectedPrev = row.row_hash;
-            verified++;
-        }
-        if (bundle.entries.length > 0 && bundle.final_row_hash !== expectedPrev) {
-            return {
-                ok: false, total: bundle.entries.length, verified,
-                reason: `final_row_hash mismatch`,
-            };
-        }
-        const s = summarizeAttribution(bundle.entries, opts?.publicKeys);
-        return {
-            ok: s.sigOk,
-            total: bundle.entries.length,
-            verified,
-            ...(s.sigOk ? {} : { reason: s.sigReason }),
-            payload_versions: s.payload_versions,
-            attribution: s.attribution,
-            ...(s.signatures ? { signatures: s.signatures } : {}),
-        };
-    }
-    /** Slim query for recent entries — UI / dashboards. */
-    recent(limit = 100, kind) {
-        if (kind) {
-            return this.db.prepare('SELECT * FROM audit_log WHERE event_kind = ? ORDER BY id DESC LIMIT ?').all(kind, limit);
-        }
-        return this.db.prepare('SELECT * FROM audit_log ORDER BY id DESC LIMIT ?').all(limit);
-    }
-}
-//# sourceMappingURL=audit.js.map
+      `).run(e.event_kind,e.actor??null,e.project_id??null,t,a,f,_,o,i,n).lastInsertRowid});return this.get(d.immediate())}get(e){return this.db.prepare("SELECT * FROM audit_log WHERE id = ?").get(e)??null}verify(e){const t=this.db.prepare("SELECT * FROM audit_log ORDER BY id ASC").all();if(t.length===0)return{ok:!0,total:0,verified:0,payload_versions:{v1:0,v2:0,unsigned:0},attribution:{agents:[],runs:[],keys:[]},...e?.publicKeys?.length?{signatures:{checked:0,valid:0,invalid:0}}:{}};let o=h;for(const i of t){if(i.prev_hash!==o)return{ok:!1,total:t.length,verified:i.id-1,first_invalid_id:i.id,reason:`prev_hash mismatch: expected ${o}, got ${i.prev_hash}`};const n=g("sha256").update(`${i.prev_hash}|${i.event_kind}|${i.payload_json}|${i.logged_at}`).digest("hex");if(n!==i.row_hash)return{ok:!1,total:t.length,verified:i.id-1,first_invalid_id:i.id,reason:`row_hash mismatch at id ${i.id}: recomputed ${n}, stored ${i.row_hash}`};o=i.row_hash}const r=S(t,e?.publicKeys);return{ok:r.sigOk,total:t.length,verified:t.length,...r.sigOk?{}:{reason:r.sigReason},payload_versions:r.payload_versions,attribution:r.attribution,...r.signatures?{signatures:r.signatures}:{}}}export(e){const t=[];let o="";e.range_start&&(o+=" AND logged_at >= ?",t.push(e.range_start)),e.range_end&&(o+=" AND logged_at <= ?",t.push(e.range_end));const r=this.db.prepare(`SELECT * FROM audit_log WHERE 1=1 ${o} ORDER BY id ASC`).all(...t);return{version:1,range:{start:e.range_start??r[0]?.logged_at??new Date(0).toISOString(),end:e.range_end??r[r.length-1]?.logged_at??new Date().toISOString()},exported_at:new Date().toISOString(),entry_count:r.length,first_id:r[0]?.id??null,last_id:r[r.length-1]?.id??null,genesis_prev_hash:r[0]?.prev_hash??h,final_row_hash:r[r.length-1]?.row_hash??h,entries:r}}static verifyBundle(e,t){if(e.version!==1)return{ok:!1,total:e.entry_count,verified:0,reason:`Unknown bundle version ${e.version}`};let o=e.genesis_prev_hash,r=0;for(const n of e.entries){if(n.prev_hash!==o)return{ok:!1,total:e.entries.length,verified:r,first_invalid_id:n.id,reason:`prev_hash mismatch: expected ${o}, got ${n.prev_hash}`};if(g("sha256").update(`${n.prev_hash}|${n.event_kind}|${n.payload_json}|${n.logged_at}`).digest("hex")!==n.row_hash)return{ok:!1,total:e.entries.length,verified:r,first_invalid_id:n.id,reason:`row_hash mismatch at id ${n.id}`};o=n.row_hash,r++}if(e.entries.length>0&&e.final_row_hash!==o)return{ok:!1,total:e.entries.length,verified:r,reason:"final_row_hash mismatch"};const i=S(e.entries,t?.publicKeys);return{ok:i.sigOk,total:e.entries.length,verified:r,...i.sigOk?{}:{reason:i.sigReason},payload_versions:i.payload_versions,attribution:i.attribution,...i.signatures?{signatures:i.signatures}:{}}}recent(e=100,t){return t?this.db.prepare("SELECT * FROM audit_log WHERE event_kind = ? ORDER BY id DESC LIMIT ?").all(t,e):this.db.prepare("SELECT * FROM audit_log ORDER BY id DESC LIMIT ?").all(e)}}export{p as AUDIT_SIG_V2_PREFIX,C as AuditLog,E as auditKeyFingerprint,v as buildSignedPayload,A as createAuditSigner,Y as loadAuditSignerFromEnv,m as parseAuditSignature,D as signAuditEntry,T as verifyAuditEntrySignature};

package/dist/auto-capture.js

@@ -1,23 +1,4 @@
-/**
- * Auto-extraction (bet #2) — turn freeform text (a session, notes, a transcript)
- * into candidate memories that land in the REVIEW QUEUE for operator approval.
- *
- * Closes the "just talk, it remembers" gap WITHOUT an expensive cloud LLM, via a
- * pluggable LOCAL extractor:
- *   - LLM: any Ollama model (`WYRM_EXTRACT_MODEL`) — the slot the future DragonSpark
- *     nano-LLM drops into. Structured JSON out, robustly parsed.
- *   - Deterministic fallback: sentence segmentation + signal markers + classifyCapture,
- *     used when no model is configured or the LLM is unreachable.
- * Always produces candidates, never blocks a write, never throws. Candidates are
- * stored with needs_review=1 so the operator vets them (wyrm_review) — nothing
- * auto-trusted, matching Wyrm's distillation-queue discipline.
- *
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- * @license AGPL-3.0-or-later — dual-licensed; commercial terms: ghosts.lk@proton.me. See LICENSE.
- */
-import { classifyCapture } from './capture.js';
-const KINDS = ['truth', 'failure', 'decision', 'pattern', 'lesson'];
-const EXTRACT_PROMPT = (text) => `You extract DURABLE, REUSABLE memories from a developer's working notes/transcript.
+import{classifyCapture as l}from"./capture.js";const d=["truth","failure","decision","pattern","lesson"],p=t=>`You extract DURABLE, REUSABLE memories from a developer's working notes/transcript.
 Output ONLY a JSON array, no prose. Each item: {"kind": one of ["truth","failure","decision","pattern","lesson"], "text": "<one self-contained sentence>"}.
 - truth: a validated fact/constraint ("X uses Y", "Z is required").
 - failure: an approach that FAILED and why (so it is not repeated).
@@ -28,122 +9,6 @@ Skip chit-chat, questions, and ephemeral status. Extract 0-8 items; fewer + high
 
 NOTES:
 """
-${text.slice(0, 8000)}
+${t.slice(0,8e3)}
 """
-JSON:`;
-/** Robustly pull a candidate array out of an LLM response (small models wrap JSON in prose/markdown). */
-export function parseCandidates(raw) {
-    const m = raw.match(/\[[\s\S]*\]/);
-    if (!m)
-        return [];
-    let arr;
-    try {
-        arr = JSON.parse(m[0]);
-    }
-    catch {
-        return [];
-    }
-    if (!Array.isArray(arr))
-        return [];
-    const out = [];
-    const seen = new Set();
-    for (const it of arr) {
-        if (!it || typeof it !== 'object')
-            continue;
-        const kind = it.kind;
-        const text = it.text;
-        if (typeof text !== 'string' || text.trim().length < 8)
-            continue;
-        const t = text.trim().slice(0, 1000);
-        const key = t.toLowerCase().replace(/\s+/g, ' ').slice(0, 80);
-        if (seen.has(key))
-            continue;
-        seen.add(key);
-        out.push({ kind: KINDS.includes(kind) ? kind : 'pattern', text: t, confidence: 0.6 });
-        if (out.length >= 12)
-            break;
-    }
-    return out;
-}
-async function extractViaLLM(text, model, url) {
-    try {
-        const res = await fetch(`${url.replace(/\/$/, '')}/api/generate`, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({ model, prompt: EXTRACT_PROMPT(text), stream: false, options: { temperature: 0 } }),
-            signal: AbortSignal.timeout(120_000),
-        });
-        if (!res.ok)
-            return null;
-        const data = await res.json();
-        return data.response ? parseCandidates(data.response) : null;
-    }
-    catch {
-        return null;
-    }
-}
-/** No-LLM extractor: segment into statements, keep durable-looking ones, classify. */
-export function extractDeterministic(text) {
-    const segs = text.split(/(?<=[.!?])\s+|\n+/).map((s) => s.trim()).filter((s) => s.length >= 20 && s.length <= 400);
-    const out = [];
-    const seen = new Set();
-    for (const s of segs) {
-        if (!/\b(use[sd]?|decided|because|fail(s|ed)?|error|always|never|must|should|learned|lesson|turned out|prefer|avoid|root cause|fixed|broke|requires?)\b/i.test(s))
-            continue;
-        const key = s.toLowerCase().replace(/\s+/g, ' ').slice(0, 80);
-        if (seen.has(key))
-            continue;
-        seen.add(key);
-        const c = classifyCapture(s);
-        const kind = /\b(fail(s|ed)?|error|broke|bug|mistake)\b/i.test(s) ? 'failure'
-            : c.type === 'truth' ? 'truth'
-                : /\bbecause\b/i.test(s) ? 'decision'
-                    : c.subtype === 'lesson' ? 'lesson'
-                        : 'pattern';
-        out.push({ kind, text: s, confidence: (c.confidence ?? 60) / 100 });
-        if (out.length >= 8)
-            break;
-    }
-    return out;
-}
-/**
- * Extract candidate memories from text. Tries the configured local LLM first
- * (if any), falls back to deterministic. Never throws.
- */
-export async function extractCandidates(text, opts = {}) {
-    const url = opts.ollamaUrl || process.env.WYRM_OLLAMA_URL || 'http://localhost:11434';
-    const model = opts.model || process.env.WYRM_EXTRACT_MODEL || '';
-    if (model) {
-        const llm = await extractViaLLM(text, model, url);
-        if (llm && llm.length)
-            return { candidates: llm, method: 'llm', model };
-    }
-    return { candidates: extractDeterministic(text), method: 'deterministic' };
-}
-/**
- * Escape SQL LIKE metacharacters (`%`, `_`, and the escape char itself) so a
- * CONTENT-DERIVED dedup signature can be bound into `LIKE ? ESCAPE '\'`
- * without acting as a wildcard (F3 security pass #1, confirmed finding: the
- * ax:/harvest sig is derived from caller text, so a learning containing `%`
- * previously turned the dedup probe into a broad-match pattern that silently
- * suppressed legitimate capture — counted as `skipped`, never surfaced).
- * Every sig-dedup probe (run debrief, wyrm_auto_capture, harvest MCP + CLI)
- * routes through this one helper.
- */
-export function escapeLikePattern(s) {
-    return s.replace(/[\\%_]/g, (ch) => '\\' + ch);
-}
-/** Map a candidate to its review-queue memory-artifact shape (needs_review=1). */
-export function candidateToArtifact(c) {
-    const map = {
-        failure: 'anti_pattern',
-        decision: 'reasoning_trace',
-        lesson: 'lesson',
-        pattern: 'pattern',
-        truth: 'heuristic',
-    };
-    // A stable signature for dedup against re-extraction of the same text.
-    const sig = 'ax:' + c.text.toLowerCase().replace(/\s+/g, ' ').trim().slice(0, 64);
-    return { kind: map[c.kind], problem: c.text, tags: ['auto-extract', `intent:${c.kind}`, sig], confidence: c.confidence };
-}
-//# sourceMappingURL=auto-capture.js.map
+JSON:`;function f(t){const n=t.match(/\[[\s\S]*\]/);if(!n)return[];let r;try{r=JSON.parse(n[0])}catch{return[]}if(!Array.isArray(r))return[];const s=[],e=new Set;for(const a of r){if(!a||typeof a!="object")continue;const o=a.kind,i=a.text;if(typeof i!="string"||i.trim().length<8)continue;const c=i.trim().slice(0,1e3),u=c.toLowerCase().replace(/\s+/g," ").slice(0,80);if(!e.has(u)&&(e.add(u),s.push({kind:d.includes(o)?o:"pattern",text:c,confidence:.6}),s.length>=12))break}return s}async function h(t,n,r){try{const s=await fetch(`${r.replace(/\/$/,"")}/api/generate`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({model:n,prompt:p(t),stream:!1,options:{temperature:0}}),signal:AbortSignal.timeout(12e4)});if(!s.ok)return null;const e=await s.json();return e.response?f(e.response):null}catch{return null}}function m(t){const n=t.split(/(?<=[.!?])\s+|\n+/).map(e=>e.trim()).filter(e=>e.length>=20&&e.length<=400),r=[],s=new Set;for(const e of n){if(!/\b(use[sd]?|decided|because|fail(s|ed)?|error|always|never|must|should|learned|lesson|turned out|prefer|avoid|root cause|fixed|broke|requires?)\b/i.test(e))continue;const a=e.toLowerCase().replace(/\s+/g," ").slice(0,80);if(s.has(a))continue;s.add(a);const o=l(e),i=/\b(fail(s|ed)?|error|broke|bug|mistake)\b/i.test(e)?"failure":o.type==="truth"?"truth":/\bbecause\b/i.test(e)?"decision":o.subtype==="lesson"?"lesson":"pattern";if(r.push({kind:i,text:e,confidence:(o.confidence??60)/100}),r.length>=8)break}return r}async function b(t,n={}){const r=n.ollamaUrl||process.env.WYRM_OLLAMA_URL||"http://localhost:11434",s=n.model||process.env.WYRM_EXTRACT_MODEL||"";if(s){const e=await h(t,s,r);if(e&&e.length)return{candidates:e,method:"llm",model:s}}return{candidates:m(t),method:"deterministic"}}function k(t){return t.replace(/[\\%_]/g,n=>"\\"+n)}function y(t){const n={failure:"anti_pattern",decision:"reasoning_trace",lesson:"lesson",pattern:"pattern",truth:"heuristic"},r="ax:"+t.text.toLowerCase().replace(/\s+/g," ").trim().slice(0,64);return{kind:n[t.kind],problem:t.text,tags:["auto-extract",`intent:${t.kind}`,r],confidence:t.confidence}}export{y as candidateToArtifact,k as escapeLikePattern,b as extractCandidates,m as extractDeterministic,f as parseCandidates};