yakmesh 2.8.2 → 3.0.0

package/reference/cpp/yakmesh_ypc27.cpp

@@ -0,0 +1,179 @@
+#include <iostream>
+#include <vector>
+#include <array>
+#include <cstdint>
+#include <numeric>
+#include <iomanip>
+
+// ============================================================================
+// YAKMESH CORE: YPC-27 (27-Trit Polynomial Checksum)
+// Ring: R = Z[x] / (x^27 - 1) mod 3
+// Coefficients: Balanced Ternary {-1, 0, 1}
+// ============================================================================
+
+namespace yakmesh {
+
+    constexpr int N = 27;
+
+    // Balanced Ternary Trit: Can be -1, 0, or 1
+    using Trit = int8_t;
+
+    struct Poly27 {
+        std::array<Trit, N> coeffs;
+
+        Poly27() { coeffs.fill(0); }
+
+        // Print representation (e.g., + - 0 + ...)
+        void print() const {
+            std::cout << "[ ";
+            for (int i = 0; i < N; ++i) {
+                if (coeffs[i] == 1) std::cout << "+";
+                else if (coeffs[i] == -1) std::cout << "-";
+                else std::cout << "0";
+            }
+            std::cout << " ]" << std::endl;
+        }
+    };
+
+    // ------------------------------------------------------------------------
+    // MATH HELPERS (Mod 3)
+    // ------------------------------------------------------------------------
+
+    // Canonical reduction to balanced ternary {-1, 0, 1}
+    // (val % 3) -> {0, 1, 2} -> {-1, 0, 1}
+    constexpr Trit reduce3(int val) {
+        int r = val % 3;
+        if (r < 0) r += 3; // Handle C++ negative modulo behavior
+        // Map {0, 1, 2} => {0, 1, -1}
+        return (r == 2) ? -1 : static_cast<Trit>(r);
+    }
+
+    // Polynomial Addition: A + B mod 3
+    Poly27 add(const Poly27& a, const Poly27& b) {
+        Poly27 res;
+        for (int i = 0; i < N; ++i) {
+            res.coeffs[i] = reduce3(a.coeffs[i] + b.coeffs[i]);
+        }
+        return res;
+    }
+
+    // Polynomial Multiplication: A * B mod (x^27 - 1) mod 3
+    // Since N=27 is small, we use direct convolution O(N^2).
+    // For x^N - 1, index wraps simply: (i + j) % N
+    Poly27 multiply(const Poly27& a, const Poly27& b) {
+        Poly27 res;
+        for (int i = 0; i < N; ++i) {
+            for (int j = 0; j < N; ++j) {
+                int idx = (i + j) % N; // Cyclic convolution
+                int prod = a.coeffs[i] * b.coeffs[j];
+                // Accumulate without immediate reduction for speed (optional)
+                // But doing it step-wise keeps ints small.
+                int current = res.coeffs[idx] + prod;
+                res.coeffs[idx] = reduce3(current);
+            }
+        }
+        return res;
+    }
+
+    // ------------------------------------------------------------------------
+    // DATA CONVERSION
+    // ------------------------------------------------------------------------
+
+    // Convert raw Bytes to Trits (5 Trits per Byte)
+    // 3^5 = 243, so we can map 0-242 exactly.
+    // Values 243-255 are wrapped (mod 243) to avoid bias, or just simple mod 3 loop.
+    std::vector<Trit> bytesToTrits(const std::vector<uint8_t>& data) {
+        std::vector<Trit> trits;
+        trits.reserve(data.size() * 5);
+
+        for (uint8_t b : data) {
+            int val = static_cast<int>(b);
+            // Extract 5 trits (Little Endian)
+            for (int k = 0; k < 5; ++k) {
+                trits.push_back(reduce3(val % 3));
+                val /= 3;
+            }
+        }
+        return trits;
+    }
+
+    // ------------------------------------------------------------------------
+    // CHECKSUM ENGINE
+    // ------------------------------------------------------------------------
+
+    class YPC27Checksum {
+        Poly27 state;
+        Poly27 seed; // The "Challenge" or "Key" polynomial
+
+    public:
+        // Initialize with a "Seed" (e.g., derived from PeerID or Network Key)
+        YPC27Checksum(const Poly27& network_seed) : seed(network_seed) {
+            state.coeffs.fill(0);
+        }
+
+        // Rolling Update: State = (State + Input_Poly) * Seed
+        // This makes order significant and diffuses the bits across the lattice.
+        void update(const std::vector<uint8_t>& data) {
+            std::vector<Trit> raw_trits = bytesToTrits(data);
+
+            // Process in chunks of N (27) trits
+            size_t num_chunks = (raw_trits.size() + N - 1) / N;
+
+            for (size_t k = 0; k < num_chunks; ++k) {
+                Poly27 chunk_poly;
+                for (int i = 0; i < N; ++i) {
+                    size_t src_idx = k * N + i;
+                    if (src_idx < raw_trits.size()) {
+                        chunk_poly.coeffs[i] = raw_trits[src_idx];
+                    } else {
+                        chunk_poly.coeffs[i] = 0; // Padding
+                    }
+                }
+
+                // The Core "Lattice" Mix: S_new = (S_old + M) * G
+                Poly27 sum = add(state, chunk_poly);
+                state = multiply(sum, seed);
+            }
+        }
+
+        Poly27 digest() const {
+            return state;
+        }
+    };
+}
+
+// ----------------------------------------------------------------------------
+// TEST HARNESS
+// ----------------------------------------------------------------------------
+int main() {
+    using namespace yakmesh;
+
+    // 1. Define a Network Seed (e.g., The "Yakmesh Gen 1" constant)
+    // In production, this would be hardcoded or derived from the PeerID.
+    Poly27 seed;
+    for(int i=0; i<N; ++i) seed.coeffs[i] = (i % 3 == 0) ? 1 : (i % 3 == 1) ? -1 : 0;
+
+    std::cout << "Yakmesh YPC-27 Initialization..." << std::endl;
+    std::cout << "Seed Poly: "; seed.print();
+
+    // 2. Create the Checksum Engine
+    YPC27Checksum hasher(seed);
+
+    // 3. Simulate a Packet (Hello World)
+    std::string msg = "Yakmesh_Packet_v1:Keep_It_Ternary";
+    std::vector<uint8_t> packet(msg.begin(), msg.end());
+
+    // 4. Update
+    hasher.update(packet);
+
+    // 5. Final Digest
+    Poly27 checksum = hasher.digest();
+
+    std::cout << "\nInput Data: \"" << msg << "\"" << std::endl;
+    std::cout << "YPC-27 Checksum: ";
+    checksum.print();
+
+    // Verification Logic:
+    // A receiver does the same. If (Checksum_Calc - Checksum_Header) != 0, drop packet.
+    return 0;
+}

package/sbom.json

@@ -0,0 +1,87 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2026-02-24T21:17:21.964Z",
+    "component": {
+      "type": "application",
+      "name": "yakmesh",
+      "version": "3.0.0"
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "@noble/hashes",
+      "version": "2.0.0",
+      "scope": "required"
+    },
+    {
+      "type": "library",
+      "name": "@noble/post-quantum",
+      "version": "0.5.4",
+      "scope": "required"
+    },
+    {
+      "type": "library",
+      "name": "chalk",
+      "version": "5.3.0",
+      "scope": "required"
+    },
+    {
+      "type": "library",
+      "name": "commander",
+      "version": "12.0.0",
+      "scope": "required"
+    },
+    {
+      "type": "library",
+      "name": "express",
+      "version": "4.18.2",
+      "scope": "required"
+    },
+    {
+      "type": "library",
+      "name": "express-rate-limit",
+      "version": "8.2.1",
+      "scope": "required"
+    },
+    {
+      "type": "library",
+      "name": "node-forge",
+      "version": "1.3.3",
+      "scope": "required"
+    },
+    {
+      "type": "library",
+      "name": "onnxruntime-node",
+      "version": "1.24.2",
+      "scope": "required"
+    },
+    {
+      "type": "library",
+      "name": "sql.js",
+      "version": "1.10.0",
+      "scope": "required"
+    },
+    {
+      "type": "library",
+      "name": "ws",
+      "version": "8.16.0",
+      "scope": "required"
+    },
+    {
+      "type": "library",
+      "name": "nodemon",
+      "version": "3.0.0",
+      "scope": "optional"
+    },
+    {
+      "type": "library",
+      "name": "vitest",
+      "version": "4.0.17",
+      "scope": "optional"
+    }
+  ]
+}

package/scripts/security-audit.mjs

@@ -0,0 +1,264 @@
+#!/usr/bin/env node
+/**
+ * Security Audit Script
+ * 
+ * Runs dependency security checks and generates SBOM.
+ * Run before deployment or as part of CI/CD.
+ * 
+ * Usage:
+ *   node scripts/security-audit.mjs
+ *   node scripts/security-audit.mjs --fix       # Auto-fix where possible
+ *   node scripts/security-audit.mjs --sbom      # Generate SBOM only
+ *   node scripts/security-audit.mjs --json      # JSON output for CI
+ * 
+ * @module scripts/security-audit
+ * @version 1.0.0
+ */
+
+import { spawnSync } from 'child_process';
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+import { createHash } from 'crypto';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const ROOT_DIR = join(__dirname, '..');
+
+const args = process.argv.slice(2);
+const FIX_MODE = args.includes('--fix');
+const SBOM_ONLY = args.includes('--sbom');
+const JSON_OUTPUT = args.includes('--json');
+
+const results = {
+  timestamp: new Date().toISOString(),
+  audit: null,
+  lockfileIntegrity: null,
+  sbom: null,
+  recommendations: [],
+};
+
+/**
+ * Run npm audit
+ */
+function runAudit() {
+  console.log('\n📦 Running npm audit...\n');
+  
+  try {
+    const cmdArgs = FIX_MODE 
+      ? ['audit', 'fix', '--audit-level=moderate']
+      : ['audit', '--json'];
+    
+    const result = spawnSync('npm', cmdArgs, {
+      cwd: ROOT_DIR,
+      encoding: 'utf-8',
+      shell: true,
+    });
+    
+    if (JSON_OUTPUT || !FIX_MODE) {
+      try {
+        const auditData = JSON.parse(result.stdout);
+        results.audit = {
+          vulnerabilities: auditData.metadata?.vulnerabilities || {},
+          totalDependencies: auditData.metadata?.dependencies?.total || 0,
+          advisories: Object.keys(auditData.advisories || {}).length,
+        };
+        
+        const vulns = results.audit.vulnerabilities;
+        const total = (vulns.critical || 0) + (vulns.high || 0) + (vulns.moderate || 0) + (vulns.low || 0);
+        
+        if (vulns.critical > 0) {
+          results.recommendations.push(`🔴 CRITICAL: ${vulns.critical} critical vulnerabilities found!`);
+        }
+        if (vulns.high > 0) {
+          results.recommendations.push(`🟠 HIGH: ${vulns.high} high severity vulnerabilities`);
+        }
+        
+        console.log(`   Total dependencies: ${results.audit.totalDependencies}`);
+        console.log(`   Vulnerabilities: ${total} (${vulns.critical || 0} critical, ${vulns.high || 0} high)`);
+        
+        return total === 0;
+      } catch (e) {
+        // npm audit returns non-zero on vulnerabilities, output may not be valid JSON
+        if (result.stderr) {
+          console.log('   Audit stderr:', result.stderr.slice(0, 200));
+        }
+        results.audit = { raw: result.stdout?.slice(0, 500) };
+        return false;
+      }
+    } else {
+      console.log(result.stdout);
+      return result.status === 0;
+    }
+  } catch (e) {
+    console.error('   Audit failed:', e.message);
+    results.audit = { error: e.message };
+    return false;
+  }
+}
+
+/**
+ * Verify package-lock.json integrity
+ */
+function verifyLockfile() {
+  console.log('\n🔒 Verifying lockfile integrity...\n');
+  
+  const lockPath = join(ROOT_DIR, 'package-lock.json');
+  
+  if (!existsSync(lockPath)) {
+    console.log('   ⚠️ No package-lock.json found');
+    results.lockfileIntegrity = { exists: false };
+    results.recommendations.push('Generate package-lock.json with npm install');
+    return false;
+  }
+  
+  try {
+    const lockContent = readFileSync(lockPath, 'utf-8');
+    const lockData = JSON.parse(lockContent);
+    
+    // Calculate hash of lockfile
+    const hash = createHash('sha256').update(lockContent).digest('hex');
+    
+    results.lockfileIntegrity = {
+      exists: true,
+      hash: hash.slice(0, 16),
+      lockfileVersion: lockData.lockfileVersion,
+      packageCount: Object.keys(lockData.packages || {}).length,
+    };
+    
+    console.log(`   Lockfile version: ${lockData.lockfileVersion}`);
+    console.log(`   Packages locked: ${results.lockfileIntegrity.packageCount}`);
+    console.log(`   Lockfile hash: ${hash.slice(0, 16)}...`);
+    
+    // Verify with npm ci (dry run)
+    const verifyResult = spawnSync('npm', ['ci', '--dry-run'], {
+      cwd: ROOT_DIR,
+      encoding: 'utf-8',
+      shell: true,
+    });
+    
+    if (verifyResult.status === 0) {
+      console.log('   ✓ Lockfile is valid and consistent');
+      return true;
+    } else {
+      console.log('   ⚠️ Lockfile may be out of sync with package.json');
+      results.recommendations.push('Run npm install to regenerate lockfile');
+      return false;
+    }
+  } catch (e) {
+    console.error('   Lockfile verification failed:', e.message);
+    results.lockfileIntegrity = { error: e.message };
+    return false;
+  }
+}
+
+/**
+ * Generate Software Bill of Materials (SBOM)
+ */
+function generateSBOM() {
+  console.log('\n📋 Generating SBOM...\n');
+  
+  const packagePath = join(ROOT_DIR, 'package.json');
+  const lockPath = join(ROOT_DIR, 'package-lock.json');
+  
+  try {
+    const pkg = JSON.parse(readFileSync(packagePath, 'utf-8'));
+    const lock = existsSync(lockPath) ? JSON.parse(readFileSync(lockPath, 'utf-8')) : null;
+    
+    const sbom = {
+      bomFormat: 'CycloneDX',
+      specVersion: '1.4',
+      version: 1,
+      metadata: {
+        timestamp: new Date().toISOString(),
+        component: {
+          type: 'application',
+          name: pkg.name,
+          version: pkg.version,
+        },
+      },
+      components: [],
+    };
+    
+    // Add direct dependencies
+    for (const [name, version] of Object.entries(pkg.dependencies || {})) {
+      sbom.components.push({
+        type: 'library',
+        name,
+        version: version.replace(/^[\^~]/, ''),
+        scope: 'required',
+      });
+    }
+    
+    // Add dev dependencies
+    for (const [name, version] of Object.entries(pkg.devDependencies || {})) {
+      sbom.components.push({
+        type: 'library',
+        name,
+        version: version.replace(/^[\^~]/, ''),
+        scope: 'optional',
+      });
+    }
+    
+    const sbomPath = join(ROOT_DIR, 'sbom.json');
+    writeFileSync(sbomPath, JSON.stringify(sbom, null, 2));
+    
+    results.sbom = {
+      generated: true,
+      path: 'sbom.json',
+      componentCount: sbom.components.length,
+    };
+    
+    console.log(`   Generated sbom.json with ${sbom.components.length} components`);
+    console.log(`   Direct deps: ${Object.keys(pkg.dependencies || {}).length}`);
+    console.log(`   Dev deps: ${Object.keys(pkg.devDependencies || {}).length}`);
+    
+    return true;
+  } catch (e) {
+    console.error('   SBOM generation failed:', e.message);
+    results.sbom = { error: e.message };
+    return false;
+  }
+}
+
+/**
+ * Main
+ */
+async function main() {
+  console.log('╔════════════════════════════════════════════════════════════╗');
+  console.log('║           YAKMESH SECURITY AUDIT                           ║');
+  console.log('╚════════════════════════════════════════════════════════════╝');
+  
+  let allPassed = true;
+  
+  if (SBOM_ONLY) {
+    generateSBOM();
+  } else {
+    allPassed = runAudit() && allPassed;
+    allPassed = verifyLockfile() && allPassed;
+    generateSBOM();
+  }
+  
+  console.log('\n═══════════════════════════════════════════════════════════════');
+  
+  if (results.recommendations.length > 0) {
+    console.log('\n📝 Recommendations:\n');
+    for (const rec of results.recommendations) {
+      console.log(`   ${rec}`);
+    }
+  }
+  
+  if (JSON_OUTPUT) {
+    console.log('\n📊 JSON Results:\n');
+    console.log(JSON.stringify(results, null, 2));
+  }
+  
+  console.log('\n' + (allPassed ? '✅ Security audit passed' : '⚠️ Security issues detected'));
+  
+  process.exit(allPassed ? 0 : 1);
+}
+
+main().catch(e => {
+  console.error('Audit failed:', e);
+  process.exit(1);
+});