yakmesh 1.0.3 → 1.2.0

package/CHANGELOG.md

@@ -5,6 +5,65 @@ All notable changes to YAKMESH™ will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.2.0] - 2026-01-15
+
+### Added
+- **TME (Temporal Mesh Encoding)**: Novel packet resilience system unique to YAKMESH
+  - Exploits atomic time synchronization as the redundancy dimension
+  - Cryptographic temporal chaining binds data to specific points in time
+  - Mesh topology-aware encoding for intelligent path diversity
+  - NOT erasure coding - a fundamentally new approach to packet loss recovery
+- **TemporalSlice**: Atomic unit of TME with cryptographic time binding
+  - Temporal hash includes: data + timestamp + sequence + mesh position
+  - Chain integrity via prevTemporalHash linking
+  - Tamper detection on deserialization
+- **TemporalStream**: Message slicing and reassembly with temporal properties
+  - Configurable slice size and timing intervals
+  - Completion tracking and missing slice detection
+  - Temporal chain validation
+- **TemporalReconstructor**: Recovery system using timing proofs
+  - Consensus verification from multiple mesh neighbors
+  - Missing slice attestation via timing proofs
+  - Partial reconstruction capabilities
+- **TemporalMeshEncoder**: High-level API for TME operations
+  - Full encode/decode lifecycle management
+  - Statistics tracking (slices sent/received, completion rates)
+  - Stream status monitoring
+- New test suite: 18 TME-specific tests (test-tme.mjs)
+
+### Philosophy
+- "Time IS the redundancy dimension" - unlike Walrus/Red Stuff 2D erasure coding
+- Designed for real-time mesh networks with atomic clock sync
+- Leverages YAKMESH's unique post-quantum + atomic timing combination
+
+## [1.1.0] - 2026-01-14
+
+### Added
+- **NAVR (Network Assimilation Validation Routine)**: Computational identity verification for new nodes
+  - Replaces traditional "Proof of Work" terminology to avoid blockchain confusion
+  - One-time puzzle solve during node registration (NOT mining)
+  - Configurable difficulty for network defense scaling
+- **Sybil Defense Module** (`mesh/sybil-defense.js`):
+  - NAVR computational puzzle for identity creation
+  - ReputationTracker for trust scoring (0.0 to 1.0 scale)
+  - SubnetDiversity to prevent eclipse attacks (max 3 connections per /24 subnet)
+- **Replay Defense Module** (`mesh/replay-defense.js`):
+  - NonceRegistry with cryptographic 32-byte nonces (1hr expiry)
+  - TimestampValidator (10-minute freshness window)
+  - SequenceTracker for per-sender message ordering
+  - ChallengeResponse for mutual node authentication
+- **Message Validator Module** (`mesh/message-validator.js`):
+  - Size limits per message type (1MB max, gossip 64KB, handshake 8KB)
+  - Nesting depth protection (max 10 levels)
+  - SafeJsonParser with prototype pollution protection
+- Expanded test suite: 24 security tests covering all attack vectors
+
+### Security
+- Protection against Sybil attacks via NAVR + reputation + subnet diversity
+- Protection against replay attacks via nonces + timestamps + sequences
+- Protection against amplification attacks via message size limits
+- Protection against eclipse attacks via subnet connection limits
+
 ## [1.0.3] - 2026-01-15
 
 ### Fixed
@@ -61,3 +120,5 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [1.0.2]: https://github.com/yakmesh/yakmesh/releases/tag/v1.0.2
 [1.0.1]: https://github.com/yakmesh/yakmesh/releases/tag/v1.0.1
 [1.0.0]: https://github.com/yakmesh/yakmesh/releases/tag/v1.0.0
+
+

package/mesh/message-validator.js

@@ -0,0 +1,95 @@
+/**
+ * Message Validation Module
+ * @module mesh/message-validator.js
+ */
+
+export const SIZE_LIMITS = {
+  maxMessageSize: 1024 * 1024,
+  maxPayloadSizes: { gossip: 64 * 1024, handshake: 8 * 1024, listing: 128 * 1024, data: 512 * 1024 },
+  maxDepth: 10,
+  maxArrayLength: 1000,
+  maxStringLength: 100000,
+};
+
+export class MessageValidator {
+  constructor(options = {}) {
+    this.limits = { ...SIZE_LIMITS, ...options.limits };
+    this.stats = { validated: 0, rejected: 0, rejectionReasons: new Map() };
+  }
+
+  validateRaw(rawMessage, type = 'gossip') {
+    const size = typeof rawMessage === 'string' ? Buffer.byteLength(rawMessage, 'utf8') : rawMessage.length;
+    if (size > this.limits.maxMessageSize) return this._reject('Message too large (' + size + ' > ' + this.limits.maxMessageSize + ')');
+    const typeLimit = this.limits.maxPayloadSizes[type] || this.limits.maxPayloadSizes.gossip;
+    if (size > typeLimit) return this._reject(type + ' message too large (' + size + ' > ' + typeLimit + ')');
+    this.stats.validated++;
+    return { valid: true, size };
+  }
+
+  validateStructure(message, type = 'gossip') {
+    if (message === null || message === undefined) return this._reject('Message is null or undefined');
+    if (typeof message !== 'object') return this._reject('Expected object, got ' + typeof message);
+    const depthCheck = this._checkDepth(message, 0);
+    if (!depthCheck.valid) return depthCheck;
+    const requiredCheck = this._checkRequiredFields(message, type);
+    if (!requiredCheck.valid) return requiredCheck;
+    this.stats.validated++;
+    return { valid: true };
+  }
+
+  _checkDepth(obj, depth) {
+    if (depth > this.limits.maxDepth) return this._reject('Message nesting too deep');
+    if (Array.isArray(obj)) {
+      if (obj.length > this.limits.maxArrayLength) return this._reject('Array too long');
+      for (const item of obj) {
+        if (typeof item === 'object' && item !== null) {
+          const check = this._checkDepth(item, depth + 1);
+          if (!check.valid) return check;
+        }
+      }
+    } else if (typeof obj === 'object' && obj !== null) {
+      for (const value of Object.values(obj)) {
+        if (typeof value === 'string' && value.length > this.limits.maxStringLength) return this._reject('String too long');
+        if (typeof value === 'object' && value !== null) {
+          const check = this._checkDepth(value, depth + 1);
+          if (!check.valid) return check;
+        }
+      }
+    }
+    return { valid: true };
+  }
+
+  _checkRequiredFields(message, type) {
+    const requirements = { handshake: ['type', 'nodeId'], gossip: ['type'], listing: ['type', 'data', 'signature'], data: ['type', 'payload'] };
+    const required = requirements[type] || requirements.gossip;
+    for (const field of required) { if (!(field in message)) return this._reject('Missing required field: ' + field); }
+    return { valid: true };
+  }
+
+  _reject(reason) {
+    this.stats.rejected++;
+    const count = this.stats.rejectionReasons.get(reason) || 0;
+    this.stats.rejectionReasons.set(reason, count + 1);
+    return { valid: false, reason };
+  }
+
+  getStats() {
+    return { validated: this.stats.validated, rejected: this.stats.rejected, topReasons: [...this.stats.rejectionReasons.entries()].sort((a, b) => b[1] - a[1]).slice(0, 10) };
+  }
+}
+
+export class SafeJsonParser {
+  constructor(options = {}) {
+    this.maxSize = options.maxSize || SIZE_LIMITS.maxMessageSize;
+  }
+
+  parse(json) {
+    if (typeof json !== 'string') return { success: false, error: 'Input must be a string' };
+    if (json.length > this.maxSize) return { success: false, error: 'JSON too large' };
+    if (/__proto__|constructor.*prototype/i.test(json)) return { success: false, error: 'Suspicious content detected' };
+    try { return { success: true, data: JSON.parse(json) }; }
+    catch (e) { return { success: false, error: 'JSON parse error: ' + e.message }; }
+  }
+}
+
+export default MessageValidator;

package/mesh/replay-defense.js

@@ -0,0 +1,138 @@
+/**
+ * Replay Attack Protection Module
+ * @module mesh/replay-defense.js
+ */
+
+import { bytesToHex, randomBytes } from '@noble/hashes/utils.js';
+
+export class NonceRegistry {
+  constructor(options = {}) {
+    this.maxAge = options.maxAge || 3600000;
+    this.maxSize = options.maxSize || 100000;
+    this.nonces = new Map();
+    this.cleanupInterval = setInterval(() => this.cleanup(), 60000);
+  }
+
+  generate() {
+    const nonce = bytesToHex(randomBytes(32));
+    this.nonces.set(nonce, Date.now());
+    return nonce;
+  }
+
+  validate(nonce) {
+    if (!nonce || typeof nonce !== 'string') return { valid: false, reason: 'Missing or invalid nonce' };
+    if (nonce.length !== 64) return { valid: false, reason: 'Invalid nonce length' };
+    if (this.nonces.has(nonce)) return { valid: false, reason: 'Nonce already used (replay detected)' };
+    this.nonces.set(nonce, Date.now());
+    if (this.nonces.size > this.maxSize) this.cleanup();
+    return { valid: true };
+  }
+
+  cleanup() {
+    const cutoff = Date.now() - this.maxAge;
+    for (const [nonce, ts] of this.nonces) { if (ts < cutoff) this.nonces.delete(nonce); }
+  }
+
+  getStats() { return { trackedNonces: this.nonces.size, maxSize: this.maxSize }; }
+  destroy() { clearInterval(this.cleanupInterval); }
+}
+
+export class TimestampValidator {
+  constructor(options = {}) {
+    this.maxAge = options.maxAge || 600000;
+    this.maxFuture = options.maxFuture || 60000;
+  }
+
+  validate(messageTime) {
+    if (!messageTime || typeof messageTime !== 'number') return { valid: false, reason: 'Missing or invalid timestamp' };
+    const drift = Date.now() - messageTime;
+    if (drift > this.maxAge) return { valid: false, reason: 'Message too old (' + Math.round(drift/1000) + 's)', drift };
+    if (drift < -this.maxFuture) return { valid: false, reason: 'Message from future', drift };
+    return { valid: true, drift };
+  }
+
+  create() { return Date.now(); }
+}
+
+export class SequenceTracker {
+  constructor(options = {}) {
+    this.maxSenders = options.maxSenders || 10000;
+    this.senders = new Map();
+    this.windowSize = options.windowSize || 64;
+    this.cleanupInterval = setInterval(() => this.cleanup(), 300000);
+  }
+
+  validate(senderId, seq) {
+    if (!senderId) return { valid: false, reason: 'Missing sender ID' };
+    if (typeof seq !== 'number' || seq < 0) return { valid: false, reason: 'Invalid sequence number' };
+
+    let sender = this.senders.get(senderId);
+    if (!sender) {
+      sender = { lastSeq: seq, lastSeen: Date.now(), window: new Set([seq]) };
+      this.senders.set(senderId, sender);
+      return { valid: true, isNew: true };
+    }
+
+    sender.lastSeen = Date.now();
+    if (sender.window.has(seq)) return { valid: false, reason: 'Duplicate sequence (replay)' };
+    if (seq < sender.lastSeq - this.windowSize) return { valid: false, reason: 'Sequence too old' };
+
+    sender.window.add(seq);
+    if (seq > sender.lastSeq) sender.lastSeq = seq;
+    if (sender.window.size > this.windowSize * 2) {
+      const minSeq = sender.lastSeq - this.windowSize;
+      for (const s of sender.window) { if (s < minSeq) sender.window.delete(s); }
+    }
+    return { valid: true };
+  }
+
+  nextSequence(peerId) {
+    let sender = this.senders.get(peerId);
+    if (!sender) { sender = { lastSeq: 0, lastSeen: Date.now(), window: new Set() }; this.senders.set(peerId, sender); }
+    return ++sender.lastSeq;
+  }
+
+  cleanup() {
+    const staleTime = 86400000;
+    for (const [id, s] of this.senders) { if (Date.now() - s.lastSeen > staleTime) this.senders.delete(id); }
+  }
+
+  getStats() { return { trackedSenders: this.senders.size }; }
+  destroy() { clearInterval(this.cleanupInterval); }
+}
+
+export class ReplayDefense {
+  constructor(options = {}) {
+    this.nonces = new NonceRegistry(options.nonces || {});
+    this.timestamps = new TimestampValidator(options.timestamps || {});
+    this.sequences = new SequenceTracker(options.sequences || {});
+  }
+
+  validateMessage(message) {
+    const details = {};
+    const timeCheck = this.timestamps.validate(message.timestamp);
+    details.timestamp = timeCheck;
+    if (!timeCheck.valid) return { valid: false, reason: timeCheck.reason, details };
+
+    const nonceCheck = this.nonces.validate(message.nonce);
+    details.nonce = nonceCheck;
+    if (!nonceCheck.valid) return { valid: false, reason: nonceCheck.reason, details };
+
+    if (message.senderId && message.seq !== undefined) {
+      const seqCheck = this.sequences.validate(message.senderId, message.seq);
+      details.sequence = seqCheck;
+      if (!seqCheck.valid) return { valid: false, reason: seqCheck.reason, details };
+    }
+    return { valid: true, details };
+  }
+
+  prepareMessage(senderId, peerId) {
+    return { nonce: this.nonces.generate(), timestamp: this.timestamps.create(), seq: this.sequences.nextSequence(peerId || 'broadcast') };
+  }
+
+  getStats() { return { nonces: this.nonces.getStats(), sequences: this.sequences.getStats() }; }
+
+  destroy() { this.nonces.destroy(); this.sequences.destroy(); }
+}
+
+export default ReplayDefense;

package/mesh/sybil-defense.js

@@ -0,0 +1,151 @@
+/**
+ * Sybil Attack Protection Module
+ * @module mesh/sybil-defense.js
+ */
+
+import { sha3_256 } from '@noble/hashes/sha3.js';
+import { bytesToHex, utf8ToBytes } from '@noble/hashes/utils.js';
+
+export class NAVR {
+  constructor(options = {}) {
+    this.difficulty = options.difficulty || 16;
+    this.maxAttempts = options.maxAttempts || 10_000_000;
+  }
+
+  createChallenge(nodeId, timestamp = Date.now()) {
+    const epochHour = Math.floor(timestamp / 3600000);
+    const challenge = bytesToHex(sha3_256(utf8ToBytes(nodeId + ':' + epochHour)));
+    return { nodeId, challenge, epochHour, difficulty: this.difficulty, expiresAt: (epochHour + 1) * 3600000 };
+  }
+
+  solve(challenge) {
+    const target = BigInt(2) ** BigInt(256 - challenge.difficulty);
+    for (let nonce = 0; nonce < this.maxAttempts; nonce++) {
+      const attempt = challenge.challenge + ':' + nonce;
+      const hash = sha3_256(utf8ToBytes(attempt));
+      const hashBigInt = BigInt('0x' + bytesToHex(hash));
+      if (hashBigInt < target) return { challenge: challenge.challenge, nonce, hash: bytesToHex(hash), attempts: nonce + 1 };
+    }
+    return null;
+  }
+
+  verify(challenge, solution) {
+    if (!challenge || !solution || challenge.challenge !== solution.challenge) return false;
+    if (Date.now() > challenge.expiresAt) return false;
+    const attempt = solution.challenge + ':' + solution.nonce;
+    const hash = sha3_256(utf8ToBytes(attempt));
+    const hashHex = bytesToHex(hash);
+    if (hashHex !== solution.hash) return false;
+    const target = BigInt(2) ** BigInt(256 - challenge.difficulty);
+    return BigInt('0x' + hashHex) < target;
+  }
+}
+
+export class ReputationTracker {
+  constructor(options = {}) {
+    this.nodes = new Map();
+    this.thresholds = { trusted: 0.6, normal: 0.3, suspicious: 0.1, banned: 0.0 };
+  }
+
+  registerNode(nodeId, NAVRSolution = null) {
+    if (this.nodes.has(nodeId)) return this.nodes.get(nodeId);
+    const record = { nodeId, reputation: NAVRSolution ? 0.3 : 0.1, registeredAt: Date.now(), lastSeen: Date.now(), goodBehaviors: 0, badBehaviors: 0 };
+    this.nodes.set(nodeId, record);
+    return record;
+  }
+
+  getTrustLevel(nodeId) {
+    const r = this.nodes.get(nodeId);
+    if (!r) return 'unknown';
+    if (r.reputation >= this.thresholds.trusted) return 'trusted';
+    if (r.reputation >= this.thresholds.normal) return 'normal';
+    if (r.reputation >= this.thresholds.suspicious) return 'suspicious';
+    return 'banned';
+  }
+
+  reportGoodBehavior(nodeId, weight = 0.01) {
+    const r = this.nodes.get(nodeId);
+    if (r) { r.goodBehaviors++; r.lastSeen = Date.now(); r.reputation = Math.min(1.0, r.reputation + weight); }
+  }
+
+  reportBadBehavior(nodeId, weight = 0.1) {
+    const r = this.nodes.get(nodeId);
+    if (r) { r.badBehaviors++; r.reputation = Math.max(0.0, r.reputation - weight); }
+  }
+
+  getStats() {
+    let trusted = 0, normal = 0, suspicious = 0, banned = 0;
+    for (const r of this.nodes.values()) {
+      const l = this.getTrustLevel(r.nodeId);
+      if (l === 'trusted') trusted++; else if (l === 'normal') normal++; else if (l === 'suspicious') suspicious++; else banned++;
+    }
+    return { total: this.nodes.size, trusted, normal, suspicious, banned };
+  }
+}
+
+export class SubnetDiversity {
+  constructor(options = {}) {
+    this.maxPerSubnet = options.maxPerSubnet || 3;
+    this.subnets = new Map();
+    this.connections = new Map();
+  }
+
+  getSubnet(ip) {
+    if (!ip) return 'unknown';
+    if (ip.includes('::ffff:')) ip = ip.split('::ffff:')[1];
+    if (ip.includes('.')) return ip.split('.').slice(0, 3).join('.');
+    return 'unknown';
+  }
+
+  allowConnection(ip) {
+    const subnet = this.getSubnet(ip);
+    const count = this.subnets.get(subnet) || 0;
+    if (count >= this.maxPerSubnet) return { allowed: false, reason: 'Too many from subnet ' + subnet };
+    return { allowed: true };
+  }
+
+  addConnection(ip, nodeId) {
+    const subnet = this.getSubnet(ip);
+    this.subnets.set(subnet, (this.subnets.get(subnet) || 0) + 1);
+    this.connections.set(ip, nodeId);
+  }
+
+  removeConnection(ip) {
+    const subnet = this.getSubnet(ip);
+    const count = this.subnets.get(subnet) || 0;
+    if (count > 0) this.subnets.set(subnet, count - 1);
+    this.connections.delete(ip);
+  }
+}
+
+export class SybilDefense {
+  constructor(options = {}) {
+    this.NAVR = new NAVR(options.NAVR || {});
+    this.reputation = new ReputationTracker(options.reputation || {});
+    this.diversity = new SubnetDiversity(options.diversity || {});
+  }
+
+  evaluateConnection(ip, nodeId, NAVRSolution = null) {
+    const divCheck = this.diversity.allowConnection(ip);
+    if (!divCheck.allowed) return { allowed: false, reason: divCheck.reason };
+    let record = this.reputation.nodes.get(nodeId);
+    if (!record) record = this.reputation.registerNode(nodeId, NAVRSolution);
+    const trustLevel = this.reputation.getTrustLevel(nodeId);
+    if (trustLevel === 'banned') return { allowed: false, reason: 'Node is banned' };
+    if (trustLevel === 'unknown' && !NAVRSolution) return { allowed: false, reason: 'NAVR required', challenge: this.NAVR.createChallenge(nodeId) };
+    this.diversity.addConnection(ip, nodeId);
+    return { allowed: true, trustLevel, reputation: record.reputation };
+  }
+
+  reportMessage(nodeId, valid) {
+    if (valid) this.reputation.reportGoodBehavior(nodeId, 0.005);
+    else this.reputation.reportBadBehavior(nodeId, 0.05);
+  }
+
+  handleDisconnect(ip) { this.diversity.removeConnection(ip); }
+
+  getStats() { return { reputation: this.reputation.getStats() }; }
+}
+
+export default SybilDefense;
+