yakmesh 1.3.0 → 1.3.1

package/CHANGELOG.md

@@ -2,6 +2,24 @@
 
 All notable changes to YAKMESH will be documented in this file.
 
+## [1.3.1] - 2026-01-16
+
+### Security
+- Hardened peer handshake protocol validation
+- Enhanced network fingerprint verification in HELLO/WELCOME exchange
+- Added CodebaseLock module for runtime source integrity
+
+### Added
+- 3-node test infrastructure for protocol verification
+- iO-style (indistinguishability obfuscation) network identity derivation
+- Human-readable network names from codebase fingerprint
+
+### Fixed
+- Config path resolution for relative/absolute paths
+- Test suite node ID prefix assertion
+
+---
+
 ## [1.3.0] - 2026-01-15
 
 ### 🌟 Major New Systems - "A Beacon in the Darkness"
@@ -40,6 +58,19 @@ All notable changes to YAKMESH will be documented in this file.
 - Timing attack resistance in PHANTOM
 - Improved rate limiting integration
 
+### 🛡️ Code Proof Protocol Hardening
+- **CRITICAL FIX**: HELLO message now includes `networkFingerprint`
+- **CRITICAL FIX**: WELCOME handler validates fingerprint, rejects mismatches (code 1008)
+- Added `CodebaseLock` module for runtime source file protection
+- Fixed config loading for relative/absolute path handling
+- Comprehensive 3-node test suite: 17/17 tests passing
+  - Same-codebase peering verification
+  - Cross-codebase rejection (bidirectional)
+  - N-way fingerprint isolation matrix
+  - Empty/partial fingerprint attack blocking
+  - Flood attack resistance (20 simultaneous rejected)
+  - Fingerprint spoofing prevention
+
 ---
 
 ## [1.2.0] - 2026-01-15
@@ -79,4 +110,4 @@ All notable changes to YAKMESH will be documented in this file.
 - ML-DSA-65 post-quantum signatures
 - SQLite-based distributed oracle
 - WebSocket mesh networking
-- Phase-based consensus timing
+- Phase-based consensus timing

package/README.md

@@ -1,185 +1,185 @@
-<div align="center">
-  <img src="https://yakmesh.dev/assets/yakmesh-logo2.png" alt="YAKMESH" width="200">
-
-  <h1>🏔️ YAKMESH™: Sturdy & Secure</h1>
-
-  <p><strong>Yielding Atomic Kernel Modular Encryption Secured Hub</strong></p>
-
-  <p>
-    <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/License-MIT-yellow.svg" alt="License: MIT"></a>
-    <a href="https://nodejs.org"><img src="https://img.shields.io/badge/Node.js-18+-green.svg" alt="Node.js"></a>
-    <a href="https://csrc.nist.gov/projects/post-quantum-cryptography"><img src="https://img.shields.io/badge/Crypto-Post--Quantum-blue.svg" alt="Post-Quantum"></a>
-    <a href="https://www.npmjs.com/package/yakmesh"><img src="https://img.shields.io/npm/v/yakmesh.svg" alt="npm version"></a>
-  </p>
-</div>
-
----
-
-YAKMESH is a high-resiliency, decentralized networking layer designed for the 2026 threat landscape. Built with quantum-resistant cryptography at its core and anchored by PCIe atomic timing synchronization, YAKMESH provides a "sturdy" substrate for distributed systems that cannot afford to fail.
-
-## Why YAKMESH?
-
-In an era where traditional ECDSA is increasingly vulnerable and network jitter can desynchronize global state, YAKMESH offers a three-pillar solution:
-
-🌿 **Yielding Resilience**: A self-healing mesh topology that adapts to node failure and adversarial interference without central authority.
-
-⚛️ **Atomic Precision**: Integrated support for PCIe atomic clock hardware, enabling nanosecond-level hardware timestamping for low-latency synchronization.
-
-🔐 **Quantum Hardened**: Fully compatible with Project Zond and the QRL (Quantum Resistant Ledger) ecosystem, utilizing stateless lattice-based signatures (ML-DSA) from Genesis.
-
----
-
-## The Y.A.K.M.E.S.H. Philosophy
-
-| Letter | Principle | Description |
-|--------|-----------|-------------|
-| **Y** | **Yielding** | Not brittle; flexible enough to absorb network shocks |
-| **A** | **Atomic** | Grounded in the absolute truth of physical time |
-| **K** | **Kernel** | The essential, innermost part of the secure stack |
-| **M** | **Modular** | Swap out encryption primitives or transport layers as tech evolves |
-| **E** | **Encryption** | Privacy and integrity by default |
-| **S** | **Secured** | Hardened against both classical and quantum vectors |
-| **H** | **Hub** | A nexus for decentralized data and peer-to-peer logic |
-
----
-
-## Features
-
-- 🔒 **Post-Quantum Secure** - ML-DSA-65 (NIST FIPS 204) signatures
-- 🔮 **Self-Verifying Oracle** - Deterministic validation without external trust
-- 🌐 **Mesh Networking** - P2P WebSocket communication with gossip protocol
-- ⏱️ **Precision Timing** - Support for atomic clocks, GPS, PTP, NTP
-- 🔌 **Plugin Architecture** - Adapters for any database or API
-- 🛡️ **Phase Modulation** - Time-based anti-replay protection
-
-## Quick Start
-
-```bash
-npm install yakmesh
-```
-
-```javascript
-import { YakmeshNode } from 'yakmesh';
-
-const node = new YakmeshNode({
-  node: { name: 'My Node' },
-  network: { httpPort: 3000, wsPort: 9001 },
-});
-
-await node.start();
-```
-
-## CLI
-
-```bash
-# Initialize a new node
-npx yakmesh init
-
-# Start the node
-npx yakmesh start
-
-# Check status
-npx yakmesh status
-```
-
-## Documentation
-
-Full documentation available at **[yakmesh.dev](https://yakmesh.dev)**
-
-## Architecture
-
-```
-yakmesh/
-├── oracle/           # Self-verifying validation engine
-├── mesh/             # WebSocket P2P networking
-├── gossip/           # Epidemic-style message propagation
-├── identity/         # Post-quantum key management
-├── database/         # SQLite replication engine
-├── adapters/         # Platform integration plugins
-├── webserver/        # Embedded Caddy web server
-└── server/           # HTTP/WS server
-```
-
-## Network Identity
-
-Each YAKMESH network has a unique identity derived from configurable salts:
-
-```javascript
-import { setIdentityConfig } from 'yakmesh/oracle/network-identity.js';
-
-setIdentityConfig({
-  networkPrefix: 'my',           // Network ID prefix
-  identitySalt: 'my-app-v1',     // Unique network salt
-});
-
-// Different salt = different network (cannot interoperate)
-```
-
-## Time Source Trust Levels
-
-| Level | Source | Tolerance | Oracle Capable |
-|-------|--------|-----------|----------------|
-| ATOMIC | PCIe atomic clock | ±100ms | ✅ Yes |
-| GPS | GPS with PPS | ±500ms | ✅ Yes |
-| PTP | IEEE 1588 (Meinberg) | ±500ms | ⚠️ Partial |
-| NTP | Standard NTP | ±5000ms | ❌ No |
-
-## Adapters
-
-Create custom adapters by extending `BaseAdapter`:
-
-```javascript
-import { BaseAdapter } from 'yakmesh/adapters/base-adapter.js';
-
-class MyAdapter extends BaseAdapter {
-  async init() { /* Connect to your database */ }
-  getSchema() { return { tables: ['users', 'orders'] }; }
-  async fetchChanges(since) { /* Return changed records */ }
-  async applyChange(table, record, op) { /* Write to database */ }
-}
-```
-
-### Official Adapters
-
-- `@yakmesh/adapter-peerquanta` - PeerQuanta phpBB marketplace
-
-## API Endpoints
-
-| Endpoint | Method | Description |
-|----------|--------|-------------|
-| `/health` | GET | Node health status |
-| `/node` | GET | Node identity info |
-| `/peers` | GET | Connected peers |
-| `/oracle/status` | GET | Oracle integrity check |
-| `/network/identity` | GET | Network identity (hash obfuscated) |
-| `/time/status` | GET | Time source detection |
-| `/time/capabilities` | GET | Time oracle eligibility |
-| `/connect` | POST | Connect to a peer |
-
-## Pro Features
-
-YAKMESH Pro includes additional security features:
-
-- 🔐 **WebSocket Authentication** - Challenge-response auth with signatures
-- 🔒 **Message Encryption** - XChaCha20-Poly1305 encrypted messages
-- 📋 **Peer Allowlist/Blocklist** - Access control for private networks
-- 🛡️ **Connection Rate Limiting** - DDoS protection
-
-## License
-
-- **Community Edition**: MIT License (see [LICENSE](LICENSE))
-- **Pro Edition**: Proprietary License
-
-See [TRADEMARK.md](TRADEMARK.md) for trademark usage policy.
-
----
-
-<div align="center">
-  <sub>Built with quantum principles. Secured by math.</sub>
-  <br><br>
-  <strong><a href="https://yakmesh.dev">yakmesh.dev</a></strong>
-  <br><br>
-  <sub>© 2026 YAKMESH™ Project. Sturdy & Secure.</sub>
-  <br>
-  <sub>YAKMESH™ is a trademark of PeerQuanta, application pending (Serial No. 99594620).</sub>
-</div>
+<div align="center">
+  <img src="https://yakmesh.dev/assets/yakmesh-logo2.png" alt="YAKMESH" width="200">
+
+  <h1>🏔️ YAKMESH™: Sturdy & Secure</h1>
+
+  <p><strong>Yielding Atomic Kernel Modular Encryption Secured Hub</strong></p>
+
+  <p>
+    <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/License-MIT-yellow.svg" alt="License: MIT"></a>
+    <a href="https://nodejs.org"><img src="https://img.shields.io/badge/Node.js-18+-green.svg" alt="Node.js"></a>
+    <a href="https://csrc.nist.gov/projects/post-quantum-cryptography"><img src="https://img.shields.io/badge/Crypto-Post--Quantum-blue.svg" alt="Post-Quantum"></a>
+    <a href="https://www.npmjs.com/package/yakmesh"><img src="https://img.shields.io/npm/v/yakmesh.svg" alt="npm version"></a>
+  </p>
+</div>
+
+---
+
+YAKMESH is a high-resiliency, decentralized networking layer designed for the 2026 threat landscape. Built with quantum-resistant cryptography at its core and anchored by PCIe atomic timing synchronization, YAKMESH provides a "sturdy" substrate for distributed systems that cannot afford to fail.
+
+## Why YAKMESH?
+
+In an era where traditional ECDSA is increasingly vulnerable and network jitter can desynchronize global state, YAKMESH offers a three-pillar solution:
+
+🌿 **Yielding Resilience**: A self-healing mesh topology that adapts to node failure and adversarial interference without central authority.
+
+⚛️ **Atomic Precision**: Integrated support for PCIe atomic clock hardware, enabling hardware timestamping with support for high-precision time sources for low-latency synchronization.
+
+🔐 **Quantum Hardened**: Fully compatible with Project Zond and the QRL (Quantum Resistant Ledger) ecosystem, utilizing stateless lattice-based signatures (ML-DSA) from Genesis.
+
+---
+
+## The Y.A.K.M.E.S.H. Philosophy
+
+| Letter | Principle | Description |
+|--------|-----------|-------------|
+| **Y** | **Yielding** | Not brittle; flexible enough to absorb network shocks |
+| **A** | **Atomic** | Grounded in the absolute truth of physical time |
+| **K** | **Kernel** | The essential, innermost part of the secure stack |
+| **M** | **Modular** | Swap out encryption primitives or transport layers as tech evolves |
+| **E** | **Encryption** | Privacy and integrity by default |
+| **S** | **Secured** | Hardened against both classical and quantum vectors |
+| **H** | **Hub** | A nexus for decentralized data and peer-to-peer logic |
+
+---
+
+## Features
+
+- 🔒 **Post-Quantum Secure** - ML-DSA-65 (NIST FIPS 204) signatures
+- 🔮 **Self-Verifying Oracle** - Deterministic validation without external trust
+- 🌐 **Mesh Networking** - P2P WebSocket communication with gossip protocol
+- ⏱️ **Precision Timing** - Support for atomic clocks, GPS, PTP, NTP
+- 🔌 **Plugin Architecture** - Adapters for any database or API
+- 🛡️ **Phase Modulation** - Time-based anti-replay protection
+
+## Quick Start
+
+```bash
+npm install yakmesh
+```
+
+```javascript
+import { YakmeshNode } from 'yakmesh';
+
+const node = new YakmeshNode({
+  node: { name: 'My Node' },
+  network: { httpPort: 3000, wsPort: 9001 },
+});
+
+await node.start();
+```
+
+## CLI
+
+```bash
+# Initialize a new node
+npx yakmesh init
+
+# Start the node
+npx yakmesh start
+
+# Check status
+npx yakmesh status
+```
+
+## Documentation
+
+Full documentation available at **[yakmesh.dev](https://yakmesh.dev)**
+
+## Architecture
+
+```
+yakmesh/
+├── oracle/           # Self-verifying validation engine
+├── mesh/             # WebSocket P2P networking
+├── gossip/           # Epidemic-style message propagation
+├── identity/         # Post-quantum key management
+├── database/         # SQLite replication engine
+├── adapters/         # Platform integration plugins
+├── webserver/        # Embedded Caddy web server
+└── server/           # HTTP/WS server
+```
+
+## Network Identity
+
+Each YAKMESH network has a unique identity derived from configurable salts:
+
+```javascript
+import { setIdentityConfig } from 'yakmesh/oracle/network-identity.js';
+
+setIdentityConfig({
+  networkPrefix: 'my',           // Network ID prefix
+  identitySalt: 'my-app-v1',     // Unique network salt
+});
+
+// Different salt = different network (cannot interoperate)
+```
+
+## Time Source Trust Levels
+
+| Level | Source | Tolerance | Oracle Capable |
+|-------|--------|-----------|----------------|
+| ATOMIC | PCIe atomic clock | ±100ms | ✅ Yes |
+| GPS | GPS with PPS | ±500ms | ✅ Yes |
+| PTP | IEEE 1588 (Meinberg) | ±500ms | ⚠️ Partial |
+| NTP | Standard NTP | ±5000ms | ❌ No |
+
+## Adapters
+
+Create custom adapters by extending `BaseAdapter`:
+
+```javascript
+import { BaseAdapter } from 'yakmesh/adapters/base-adapter.js';
+
+class MyAdapter extends BaseAdapter {
+  async init() { /* Connect to your database */ }
+  getSchema() { return { tables: ['users', 'orders'] }; }
+  async fetchChanges(since) { /* Return changed records */ }
+  async applyChange(table, record, op) { /* Write to database */ }
+}
+```
+
+### Official Adapters
+
+- `@yakmesh/adapter-peerquanta` - PeerQuanta phpBB marketplace
+
+## API Endpoints
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/health` | GET | Node health status |
+| `/node` | GET | Node identity info |
+| `/peers` | GET | Connected peers |
+| `/oracle/status` | GET | Oracle integrity check |
+| `/network/identity` | GET | Network identity (hash obfuscated) |
+| `/time/status` | GET | Time source detection |
+| `/time/capabilities` | GET | Time oracle eligibility |
+| `/connect` | POST | Connect to a peer |
+
+## Pro Features
+
+YAKMESH Pro includes additional security features:
+
+- 🔐 **WebSocket Authentication** - Challenge-response auth with signatures
+- 🔒 **Message Encryption** - XChaCha20-Poly1305 encrypted messages
+- 📋 **Peer Allowlist/Blocklist** - Access control for private networks
+- 🛡️ **Connection Rate Limiting** - DDoS protection
+
+## License
+
+- **Community Edition**: MIT License (see [LICENSE](LICENSE))
+- **Pro Edition**: Proprietary License
+
+See [TRADEMARK.md](TRADEMARK.md) for trademark usage policy.
+
+---
+
+<div align="center">
+  <sub>Built with quantum principles. Secured by math.</sub>
+  <br><br>
+  <strong><a href="https://yakmesh.dev">yakmesh.dev</a></strong>
+  <br><br>
+  <sub>© 2026 YAKMESH™ Project. Sturdy & Secure.</sub>
+  <br>
+  <sub>YAKMESH™ is a trademark of PeerQuanta, application pending (Serial No. 99594620).</sub>
+</div>

package/discord.md

@@ -1,74 +1,74 @@
-# 🦬 YAKMESH™ — Post-Quantum Mesh Networking
-
-**The Yielding Atomic Kernel for quantum-resistant mesh orchestration**
-
-```
-npm install yakmesh
-```
-
----
-
-## ⚡ What is YAKMESH?
-
-A **post-quantum secure** mesh networking library featuring:
-
-🔐 **ML-DSA-65 Signatures** — NIST FIPS 204 standard, quantum-resistant
-⏱️ **Atomic Time Sync** — Nanosecond precision for mesh coordination  
-🛡️ **TME™ (Temporal Matrix Encoding)** — Novel packet resilience without retransmission
-
----
-
-## 🆚 How is TME Different?
-
-| Walrus/Red Stuff | YAKMESH TME |
-|------------------|-------------|
-| Encodes across **space** (nodes) | Encodes across **time** (slices) |
-| For storage | For transmission |
-| Retransmit on loss | **Zero latency** recovery |
-
-> *"Time IS the redundancy dimension."*
-
----
-
-## 🛠️ Quick Start
-
-```js
-import { TemporalMeshEncoder } from 'yakmesh';
-
-const encoder = new TemporalMeshEncoder();
-const { slices } = encoder.encode('Hello mesh!');
-// Slices sent across different paths
-// Lost slices reconstructed from timing proofs
-```
-
----
-
-## 🔒 Security Modules
-
-- **NAVR** — Sybil attack prevention (computational identity puzzle)
-- **Replay Defense** — Nonces + timestamps + sequence tracking
-- **Rate Limiter** — DoS protection (30 conn/min per IP)
-- **Message Validator** — Size limits, depth checks, prototype pollution protection
-
----
-
-## 📦 Current Version: `1.2.0`
-
-✅ TME (Temporal Matrix Encoding)
-✅ ML-DSA-65 Post-Quantum Signatures  
-✅ Full security hardening suite
-✅ 42+ tests passing
-
----
-
-**Links:**
-🌐 Website: https://yakmesh.dev
-📦 npm: https://npmjs.com/package/yakmesh
-📖 GitHub: https://github.com/yakmesh/yakmesh
-📄 Whitepaper: `docs/WHITEPAPER.md`
-
-**USPTO Serial No. 99594620**
-
----
-
+# 🦬 YAKMESH™ — Post-Quantum Mesh Networking
+
+**The Yielding Atomic Kernel for quantum-resistant mesh orchestration**
+
+```
+npm install yakmesh
+```
+
+---
+
+## ⚡ What is YAKMESH?
+
+A **post-quantum secure** mesh networking library featuring:
+
+🔐 **ML-DSA-65 Signatures** — NIST FIPS 204 standard, quantum-resistant
+⏱️ **Atomic Time Sync** — High-precision timing for mesh coordination  
+🛡️ **TME™ (Temporal Matrix Encoding)** — Novel packet resilience without retransmission
+
+---
+
+## 🆚 How is TME Different?
+
+| Walrus/Red Stuff | YAKMESH TME |
+|------------------|-------------|
+| Encodes across **space** (nodes) | Encodes across **time** (slices) |
+| For storage | For transmission |
+| Retransmit on loss | **Zero latency** recovery |
+
+> *"Time IS the redundancy dimension."*
+
+---
+
+## 🛠️ Quick Start
+
+```js
+import { TemporalMeshEncoder } from 'yakmesh';
+
+const encoder = new TemporalMeshEncoder();
+const { slices } = encoder.encode('Hello mesh!');
+// Slices sent across different paths
+// Lost slices reconstructed from timing proofs
+```
+
+---
+
+## 🔒 Security Modules
+
+- **NAVR** — Sybil attack prevention (computational identity puzzle)
+- **Replay Defense** — Nonces + timestamps + sequence tracking
+- **Rate Limiter** — DoS protection (30 conn/min per IP)
+- **Message Validator** — Size limits, depth checks, prototype pollution protection
+
+---
+
+## 📦 Current Version: `1.2.0`
+
+✅ TME (Temporal Matrix Encoding)
+✅ ML-DSA-65 Post-Quantum Signatures  
+✅ Full security hardening suite
+✅ 42+ tests passing
+
+---
+
+**Links:**
+🌐 Website: https://yakmesh.dev
+📦 npm: https://npmjs.com/package/yakmesh
+📖 GitHub: https://github.com/yakmesh/yakmesh
+📄 Whitepaper: `docs/WHITEPAPER.md`
+
+**USPTO Serial No. 99594620**
+
+---
+
 *Powered by TME™ — The world's first temporal-erasure protocol for atomically-synced mesh networks.*

package/identity/node-key.js

@@ -4,6 +4,10 @@
  * 
  * Security Level: NIST Level 3 (~192-bit classical security)
  * Quantum Resistant: Yes (lattice-based)
+ * 
+ * IMPORTANT: Node IDs use iO (indistinguishability obfuscation) style
+ * derivation to avoid exposing raw hashes. The internal hash is kept
+ * private while the public-facing ID is a human-readable derived name.
  */
 
 import { ml_dsa65 } from '@noble/post-quantum/ml-dsa.js';
@@ -12,14 +16,37 @@ import { bytesToHex, hexToBytes } from '@noble/hashes/utils.js';
 import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'fs';
 import { join } from 'path';
 
+// Import iO network identity for obfuscated node IDs
+import { deriveNetworkName, deriveNetworkId } from '../oracle/network-identity.js';
+
 /**
- * Generate a unique node ID from public key
- * Uses SHA3-256 hash of public key, truncated to 16 bytes
+ * Generate a unique node ID from public key using iO obfuscation
+ * Instead of exposing raw hashes, we derive a human-readable name
+ * 
+ * @param {Uint8Array} publicKey - The node's public key
+ * @returns {string} iO-derived node ID like "qubit-lattice-prism"
  */
 export function generateNodeId(publicKey) {
   const hash = sha3_256(publicKey);
-  const idBytes = hash.slice(0, 16);
-  return 'lantern_' + bytesToHex(idBytes);
+  const hashHex = bytesToHex(hash);
+  
+  // Use iO to derive a human-readable, non-reversible ID
+  // The raw hash is never exposed externally
+  const networkName = deriveNetworkName(hashHex, 3);
+  const shortId = deriveNetworkId(hashHex);
+  
+  // Format: "node-[3-word-name]-[short-id]"
+  // e.g., "node-qubit-lattice-prism-pq-a7x9"
+  return `node-${networkName}-${shortId}`;
+}
+
+/**
+ * Generate internal hash for private operations (NOT exposed externally)
+ * This is kept for signature verification and internal lookups
+ */
+export function generateInternalHash(publicKey) {
+  const hash = sha3_256(publicKey);
+  return bytesToHex(hash.slice(0, 16));
 }
 
 /**