yakmesh 1.0.2 → 1.1.0

package/.github/workflows/ci.yml

@@ -0,0 +1,67 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint-and-test:
+    runs-on: ubuntu-latest
+    
+    strategy:
+      matrix:
+        node-version: [18.x, 20.x, 22.x]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci --ignore-scripts
+
+      - name: Check syntax (ESLint)
+        run: |
+          npm install eslint --save-dev
+          npx eslint --no-eslintrc --env node,es2022 --parser-options ecmaVersion:2022,sourceType:module "**/*.js" --ignore-pattern node_modules/ --ignore-pattern dashboard/ || true
+        continue-on-error: true
+
+      - name: Validate imports
+        run: |
+          echo "Checking for valid ES module syntax..."
+          node --check server/index.js || true
+          node --check oracle/index.js || true
+          node --check cli/index.js || true
+
+      - name: Security audit
+        run: npm audit --audit-level=high || true
+        continue-on-error: true
+
+  publish-check:
+    runs-on: ubuntu-latest
+    needs: lint-and-test
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+
+      - name: Verify package.json
+        run: |
+          echo "Package name: $(node -p "require('./package.json').name")"
+          echo "Package version: $(node -p "require('./package.json').version")"
+          echo "License: $(node -p "require('./package.json').license")"
+
+      - name: Dry-run pack
+        run: npm pack --dry-run

package/CHANGELOG.md

@@ -0,0 +1,92 @@
+# Changelog
+
+All notable changes to YAKMESH™ will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.1.0] - 2026-01-14
+
+### Added
+- **NAVR (Network Assimilation Validation Routine)**: Computational identity verification for new nodes
+  - Replaces traditional "Proof of Work" terminology to avoid blockchain confusion
+  - One-time puzzle solve during node registration (NOT mining)
+  - Configurable difficulty for network defense scaling
+- **Sybil Defense Module** (`mesh/sybil-defense.js`):
+  - NAVR computational puzzle for identity creation
+  - ReputationTracker for trust scoring (0.0 to 1.0 scale)
+  - SubnetDiversity to prevent eclipse attacks (max 3 connections per /24 subnet)
+- **Replay Defense Module** (`mesh/replay-defense.js`):
+  - NonceRegistry with cryptographic 32-byte nonces (1hr expiry)
+  - TimestampValidator (10-minute freshness window)
+  - SequenceTracker for per-sender message ordering
+  - ChallengeResponse for mutual node authentication
+- **Message Validator Module** (`mesh/message-validator.js`):
+  - Size limits per message type (1MB max, gossip 64KB, handshake 8KB)
+  - Nesting depth protection (max 10 levels)
+  - SafeJsonParser with prototype pollution protection
+- Expanded test suite: 24 security tests covering all attack vectors
+
+### Security
+- Protection against Sybil attacks via NAVR + reputation + subnet diversity
+- Protection against replay attacks via nonces + timestamps + sequences
+- Protection against amplification attacks via message size limits
+- Protection against eclipse attacks via subnet connection limits
+
+## [1.0.3] - 2026-01-15
+
+### Fixed
+- **CRITICAL**: Fixed ML-DSA-65 signature verification parameter order (was: publicKey, message, signature → now: signature, message, publicKey)
+
+### Added
+- **Rate Limiter**: New `ConnectionRateLimiter` class for DoS protection
+  - Connection flood protection (30 connections/minute per IP)
+  - Handshake spam detection (100 handshakes/minute global)
+  - Gossip message throttling (500 messages/minute)
+  - Automatic cleanup of stale tracking data
+- Comprehensive test suite (17 tests covering crypto, security, performance)
+- Stress test suite (14 tests with edge cases)
+
+### Security
+- Integrated rate limiting into mesh/network.js WebSocket handling
+- Protection against 51% / network isolation attacks via message throttling
+
+## [1.0.2] - 2026-01-14
+
+### Fixed
+- Fixed README.md formatting for proper rendering on npm and GitHub
+
+## [1.0.1] - 2026-01-14
+
+### Fixed
+- Removed Pro-only security module from public npm package
+- Added `.npmignore` to exclude proprietary code
+
+## [1.0.0] - 2026-01-14
+
+### Added
+- **Post-Quantum Cryptography**: ML-DSA-65 (NIST FIPS 204) signatures
+- **Self-Verifying Oracle**: Deterministic validation without external trust
+- **Mesh Networking**: P2P WebSocket communication with gossip protocol
+- **Precision Timing**: Support for atomic clocks, GPS, PTP, NTP time sources
+- **Plugin Architecture**: BaseAdapter for custom database integrations
+- **Phase Modulation**: Time-based anti-replay protection
+- **Network Identity**: Configurable salts for isolated network deployments
+- **Code Proof Protocol**: Integrity verification for distributed code
+- **Consensus Engine**: Distributed agreement on network state
+- **CLI Tools**: `yakmesh init`, `yakmesh start`, `yakmesh status`
+- **Dashboard**: Web-based node monitoring interface
+- **Embedded Webserver**: Caddy integration for HTTPS/reverse proxy
+
+### Security
+- XChaCha20-Poly1305 encryption for message payloads
+- Lattice-based cryptography resistant to quantum attacks
+- Hardware timestamping support for timing attack mitigation
+
+---
+
+[1.0.3]: https://github.com/yakmesh/yakmesh/releases/tag/v1.0.3
+[1.0.2]: https://github.com/yakmesh/yakmesh/releases/tag/v1.0.2
+[1.0.1]: https://github.com/yakmesh/yakmesh/releases/tag/v1.0.1
+[1.0.0]: https://github.com/yakmesh/yakmesh/releases/tag/v1.0.0
+

package/SECURITY.md

@@ -0,0 +1,57 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.0.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+We take security seriously at YAKMESH™. If you discover a security vulnerability, please report it responsibly.
+
+### How to Report
+
+**Email**: security@yakmesh.dev
+
+**Do NOT**:
+- Open a public GitHub issue for security vulnerabilities
+- Disclose the vulnerability publicly before we've had a chance to address it
+
+### What to Include
+
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Suggested fix (if any)
+
+### Response Timeline
+
+- **Acknowledgment**: Within 48 hours
+- **Initial Assessment**: Within 7 days
+- **Resolution Target**: Within 30 days (depending on severity)
+
+### Recognition
+
+We appreciate responsible disclosure and will:
+- Credit you in the security advisory (unless you prefer anonymity)
+- Work with you to understand and resolve the issue
+- Not take legal action for good-faith security research
+
+## Security Features
+
+YAKMESH implements multiple layers of security:
+
+- **Post-Quantum Cryptography**: ML-DSA-65 signatures (NIST FIPS 204)
+- **Authenticated Encryption**: XChaCha20-Poly1305
+- **Replay Protection**: Phase-epoch based message validation
+- **Code Integrity**: Self-verifying oracle with module sealing
+
+## Known Limitations
+
+- NTP time sources are not suitable for oracle operations (use GPS/PTP/Atomic)
+- Community edition does not include WebSocket authentication (see Pro)
+
+---
+
+YAKMESH™ is a trademark of PeerQuanta (USPTO Serial No. 99594620)

package/identity/node-key.js

@@ -60,8 +60,8 @@ export function verifySignature(message, signatureHex, publicKeyHex) {
     const messageBytes = typeof message === 'string'
       ? new TextEncoder().encode(message)
       : message;
-    // ml_dsa65.verify takes (publicKey, message, signature)
-    return ml_dsa65.verify(publicKey, messageBytes, signature);
+    // ml_dsa65.verify takes (signature, message, publicKey)
+    return ml_dsa65.verify(signature, messageBytes, publicKey);
   } catch (e) {
     console.error('Signature verification failed:', e.message);
     return false;

package/mesh/message-validator.js

@@ -0,0 +1,95 @@
+/**
+ * Message Validation Module
+ * @module mesh/message-validator.js
+ */
+
+export const SIZE_LIMITS = {
+  maxMessageSize: 1024 * 1024,
+  maxPayloadSizes: { gossip: 64 * 1024, handshake: 8 * 1024, listing: 128 * 1024, data: 512 * 1024 },
+  maxDepth: 10,
+  maxArrayLength: 1000,
+  maxStringLength: 100000,
+};
+
+export class MessageValidator {
+  constructor(options = {}) {
+    this.limits = { ...SIZE_LIMITS, ...options.limits };
+    this.stats = { validated: 0, rejected: 0, rejectionReasons: new Map() };
+  }
+
+  validateRaw(rawMessage, type = 'gossip') {
+    const size = typeof rawMessage === 'string' ? Buffer.byteLength(rawMessage, 'utf8') : rawMessage.length;
+    if (size > this.limits.maxMessageSize) return this._reject('Message too large (' + size + ' > ' + this.limits.maxMessageSize + ')');
+    const typeLimit = this.limits.maxPayloadSizes[type] || this.limits.maxPayloadSizes.gossip;
+    if (size > typeLimit) return this._reject(type + ' message too large (' + size + ' > ' + typeLimit + ')');
+    this.stats.validated++;
+    return { valid: true, size };
+  }
+
+  validateStructure(message, type = 'gossip') {
+    if (message === null || message === undefined) return this._reject('Message is null or undefined');
+    if (typeof message !== 'object') return this._reject('Expected object, got ' + typeof message);
+    const depthCheck = this._checkDepth(message, 0);
+    if (!depthCheck.valid) return depthCheck;
+    const requiredCheck = this._checkRequiredFields(message, type);
+    if (!requiredCheck.valid) return requiredCheck;
+    this.stats.validated++;
+    return { valid: true };
+  }
+
+  _checkDepth(obj, depth) {
+    if (depth > this.limits.maxDepth) return this._reject('Message nesting too deep');
+    if (Array.isArray(obj)) {
+      if (obj.length > this.limits.maxArrayLength) return this._reject('Array too long');
+      for (const item of obj) {
+        if (typeof item === 'object' && item !== null) {
+          const check = this._checkDepth(item, depth + 1);
+          if (!check.valid) return check;
+        }
+      }
+    } else if (typeof obj === 'object' && obj !== null) {
+      for (const value of Object.values(obj)) {
+        if (typeof value === 'string' && value.length > this.limits.maxStringLength) return this._reject('String too long');
+        if (typeof value === 'object' && value !== null) {
+          const check = this._checkDepth(value, depth + 1);
+          if (!check.valid) return check;
+        }
+      }
+    }
+    return { valid: true };
+  }
+
+  _checkRequiredFields(message, type) {
+    const requirements = { handshake: ['type', 'nodeId'], gossip: ['type'], listing: ['type', 'data', 'signature'], data: ['type', 'payload'] };
+    const required = requirements[type] || requirements.gossip;
+    for (const field of required) { if (!(field in message)) return this._reject('Missing required field: ' + field); }
+    return { valid: true };
+  }
+
+  _reject(reason) {
+    this.stats.rejected++;
+    const count = this.stats.rejectionReasons.get(reason) || 0;
+    this.stats.rejectionReasons.set(reason, count + 1);
+    return { valid: false, reason };
+  }
+
+  getStats() {
+    return { validated: this.stats.validated, rejected: this.stats.rejected, topReasons: [...this.stats.rejectionReasons.entries()].sort((a, b) => b[1] - a[1]).slice(0, 10) };
+  }
+}
+
+export class SafeJsonParser {
+  constructor(options = {}) {
+    this.maxSize = options.maxSize || SIZE_LIMITS.maxMessageSize;
+  }
+
+  parse(json) {
+    if (typeof json !== 'string') return { success: false, error: 'Input must be a string' };
+    if (json.length > this.maxSize) return { success: false, error: 'JSON too large' };
+    if (/__proto__|constructor.*prototype/i.test(json)) return { success: false, error: 'Suspicious content detected' };
+    try { return { success: true, data: JSON.parse(json) }; }
+    catch (e) { return { success: false, error: 'JSON parse error: ' + e.message }; }
+  }
+}
+
+export default MessageValidator;

package/mesh/network.js

@@ -4,6 +4,7 @@
  */
 
 import { WebSocketServer, WebSocket } from 'ws';
+import { ConnectionRateLimiter } from './rate-limiter.js';
 
 /**
  * Message types for mesh protocol
@@ -47,6 +48,9 @@ export class MeshNetwork {
     this.messageHandlers = new Map();
     this.seenMessages = new Set(); // For gossip deduplication
     
+    // Rate limiter for connection/message flood protection
+    this.rateLimiter = new ConnectionRateLimiter(config.rateLimiter || {});
+    
     this._setupDefaultHandlers();
   }
 
@@ -327,7 +331,16 @@ export class MeshNetwork {
   }
 
   _handleIncomingConnection(ws, req) {
-    console.log(`← Incoming connection from ${req.socket.remoteAddress}`);
+    const clientIp = req.socket.remoteAddress || 'unknown';
+    console.log(`← Incoming connection from ${clientIp}`);
+    
+    // SECURITY: Rate limit check for connection flood protection
+    const connectionCheck = this.rateLimiter.checkConnection(clientIp);
+    if (!connectionCheck.allowed) {
+      console.warn(`⚠️ Connection rejected (rate limit): ${clientIp} - ${connectionCheck.reason}`);
+      ws.close(1008, connectionCheck.reason);
+      return;
+    }
     
     ws.on('message', (data) => {
       this._handleMessage(ws, data, req);