yakmesh 2.8.2 → 3.0.0

package/security/sakshi.js

@@ -1440,7 +1440,7 @@ export function assessComputationTrust(computation, computedBy, options = {}) {
     }))
   );
 
-  if (verificationAgreement.agreed && verificationAgreement.value === 'VALID') {
+  if (verificationAgreement.agreed && verificationAgreement.data?.value === 'VALID') {
     return {
       trusted: true,
       basis: 'VERIFIED',
@@ -1449,7 +1449,7 @@ export function assessComputationTrust(computation, computedBy, options = {}) {
     };
   }
 
-  if (verificationAgreement.agreed && verificationAgreement.value === 'INVALID') {
+  if (verificationAgreement.agreed && verificationAgreement.data?.value === 'INVALID') {
     return {
       trusted: false,
       basis: 'VERIFICATION_FAILED',
@@ -1462,11 +1462,462 @@ export function assessComputationTrust(computation, computedBy, options = {}) {
   return {
     trusted: false,
     basis: 'VERIFIERS_DISAGREE',
-    action: verificationAgreement.action,
+    action: verificationAgreement.data?.action,
     suggestion: 'Need more verifiers or investigate disagreement',
   };
 }
 
+// =============================================================================
+// BEHAVIOR VELOCITY MONITORING
+// =============================================================================
+
+/**
+ * VEGATI - Velocity-based Behavior Change Detection
+ * वेगति (Sanskrit: "velocity, momentum")
+ * 
+ * Monitors nodes for sudden behavioral changes that may indicate:
+ * - Compromised hardware/keys
+ * - Reputation farming then abuse
+ * - Insider threat activation
+ * 
+ * Uses exponential moving average to establish behavioral baselines,
+ * then triggers alerts when current behavior deviates significantly.
+ */
+
+/**
+ * Velocity alert severity levels
+ */
+export const VELOCITY_ALERT = Object.freeze({
+  NORMAL: 'normal',           // Within expected variance
+  ELEVATED: 'elevated',       // Notable change, monitor closely
+  WARNING: 'warning',         // Significant deviation
+  CRITICAL: 'critical',       // Dramatic behavioral shift
+});
+
+/**
+ * Behavior dimensions tracked for velocity detection
+ */
+export const BEHAVIOR_DIMENSION = Object.freeze({
+  MESSAGE_RATE: 'message_rate',         // Messages per minute
+  GOSSIP_RATIO: 'gossip_ratio',         // Gossip vs direct messages
+  ERROR_RATE: 'error_rate',             // Invalid messages/signatures
+  ATTESTATION_RATE: 'attestation_rate', // Revocation attestations filed
+  CONNECTION_CHURN: 'connection_churn', // Connect/disconnect frequency
+  RESPONSE_LATENCY: 'response_latency', // Average response time
+});
+
+/**
+ * BehaviorVelocityMonitor - Tracks behavioral baselines and detects anomalies
+ * 
+ * Each node builds a behavioral "fingerprint" over time.
+ * Sudden changes from this fingerprint trigger velocity alerts.
+ */
+export class BehaviorVelocityMonitor {
+  constructor(options = {}) {
+    this.profiles = new Map();  // nodeId -> BehaviorProfile
+    this._inferenceEngine = options.inferenceEngine || null;
+    this._modelName = 'sakshi-anomaly';
+    
+    // Configuration
+    this.config = {
+      // EMA smoothing factor (0-1, lower = slower adaptation)
+      emaSmoothingFactor: options.emaSmoothingFactor || 0.1,
+      
+      // Minimum observations before establishing baseline
+      minObservationsForBaseline: options.minObservationsForBaseline || 50,
+      
+      // Standard deviation thresholds for alerts
+      thresholds: {
+        elevated: options.elevatedThreshold || 2.0,   // 2 sigma
+        warning: options.warningThreshold || 3.0,     // 3 sigma
+        critical: options.criticalThreshold || 4.0,   // 4 sigma
+      },
+      
+      // Cooldown period after alert before re-alerting (ms)
+      alertCooldown: options.alertCooldown || 60000,
+      
+      // Profile retention (ms)
+      profileTTL: options.profileTTL || 7 * 24 * 60 * 60 * 1000, // 7 days
+    };
+    
+    // Alert callbacks
+    this.alertCallbacks = [];
+    
+    log.info('vegati', 'Behavior velocity monitor initialized');
+  }
+
+  /**
+   * Register a callback for velocity alerts
+   */
+  onAlert(callback) {
+    this.alertCallbacks.push(callback);
+  }
+
+  /**
+   * Record an observation for a node
+   * 
+   * @param {string} nodeId - Node identifier
+   * @param {string} dimension - Which behavior dimension (from BEHAVIOR_DIMENSION)
+   * @param {number} value - Observed value
+   * @returns {Object} Current velocity status for this dimension
+   */
+  observe(nodeId, dimension, value) {
+    let profile = this.profiles.get(nodeId);
+    
+    if (!profile) {
+      profile = this._createProfile(nodeId);
+      this.profiles.set(nodeId, profile);
+    }
+    
+    profile.lastSeen = Date.now();
+    
+    // Get or create dimension stats
+    let stats = profile.dimensions.get(dimension);
+    if (!stats) {
+      stats = {
+        count: 0,
+        ema: value,          // Exponential moving average
+        emVar: 0,            // Exponential moving variance
+        lastValue: value,
+        lastAlert: 0,
+        alertCount: 0,
+      };
+      profile.dimensions.set(dimension, stats);
+    }
+    
+    stats.count++;
+    stats.lastValue = value;
+    
+    // Update EMA (baseline)
+    const alpha = this.config.emaSmoothingFactor;
+    const delta = value - stats.ema;
+    stats.ema = stats.ema + alpha * delta;
+    
+    // Update exponential moving variance (for std dev calculation)
+    stats.emVar = (1 - alpha) * (stats.emVar + alpha * delta * delta);
+    
+    // Only check velocity once we have baseline
+    if (stats.count < this.config.minObservationsForBaseline) {
+      return {
+        status: VELOCITY_ALERT.NORMAL,
+        reason: 'BUILDING_BASELINE',
+        progress: stats.count / this.config.minObservationsForBaseline,
+      };
+    }
+    
+    // Calculate z-score (standard deviations from mean)
+    const stdDev = Math.sqrt(stats.emVar);
+    const zScore = stdDev > 0 ? Math.abs(delta) / stdDev : 0;
+    
+    // Determine alert level
+    let alertLevel = VELOCITY_ALERT.NORMAL;
+    if (zScore >= this.config.thresholds.critical) {
+      alertLevel = VELOCITY_ALERT.CRITICAL;
+    } else if (zScore >= this.config.thresholds.warning) {
+      alertLevel = VELOCITY_ALERT.WARNING;
+    } else if (zScore >= this.config.thresholds.elevated) {
+      alertLevel = VELOCITY_ALERT.ELEVATED;
+    }
+    
+    // Emit alert if significant and not in cooldown
+    const now = Date.now();
+    if (alertLevel !== VELOCITY_ALERT.NORMAL && 
+        now - stats.lastAlert > this.config.alertCooldown) {
+      stats.lastAlert = now;
+      stats.alertCount++;
+      
+      const alert = {
+        nodeId,
+        dimension,
+        level: alertLevel,
+        zScore,
+        currentValue: value,
+        baselineEma: stats.ema,
+        baselineStdDev: stdDev,
+        deviation: delta,
+        alertCount: stats.alertCount,
+        timestamp: now,
+      };
+      
+      // Emit to callbacks
+      for (const callback of this.alertCallbacks) {
+        try {
+          callback(alert);
+        } catch (e) {
+          log.error('vegati', 'Alert callback error', { error: e.message });
+        }
+      }
+      
+      log.warn('vegati', `Velocity alert: ${alertLevel}`, {
+        nodeId,
+        dimension,
+        zScore: zScore.toFixed(2),
+        deviation: delta.toFixed(4),
+      });
+    }
+    
+    return {
+      status: alertLevel,
+      zScore,
+      deviation: delta,
+      baseline: stats.ema,
+      stdDev,
+    };
+  }
+
+  /**
+   * Get the current behavioral profile for a node
+   */
+  getProfile(nodeId) {
+    const profile = this.profiles.get(nodeId);
+    if (!profile) return null;
+    
+    const dimensions = {};
+    for (const [dim, stats] of profile.dimensions) {
+      dimensions[dim] = {
+        baseline: stats.ema,
+        stdDev: Math.sqrt(stats.emVar),
+        observations: stats.count,
+        lastValue: stats.lastValue,
+        alertCount: stats.alertCount,
+        hasBaseline: stats.count >= this.config.minObservationsForBaseline,
+      };
+    }
+    
+    return {
+      nodeId: profile.nodeId,
+      createdAt: profile.createdAt,
+      lastSeen: profile.lastSeen,
+      dimensions,
+    };
+  }
+
+  /**
+   * Get nodes with active alerts
+   */
+  getActiveAlerts() {
+    const alerts = [];
+    const now = Date.now();
+    
+    for (const profile of this.profiles.values()) {
+      for (const [dim, stats] of profile.dimensions) {
+        if (stats.alertCount > 0 && now - stats.lastAlert < this.config.alertCooldown * 2) {
+          const stdDev = Math.sqrt(stats.emVar);
+          const zScore = stdDev > 0 ? Math.abs(stats.lastValue - stats.ema) / stdDev : 0;
+          
+          let level = VELOCITY_ALERT.NORMAL;
+          if (zScore >= this.config.thresholds.critical) level = VELOCITY_ALERT.CRITICAL;
+          else if (zScore >= this.config.thresholds.warning) level = VELOCITY_ALERT.WARNING;
+          else if (zScore >= this.config.thresholds.elevated) level = VELOCITY_ALERT.ELEVATED;
+          
+          if (level !== VELOCITY_ALERT.NORMAL) {
+            alerts.push({
+              nodeId: profile.nodeId,
+              dimension: dim,
+              level,
+              zScore,
+              totalAlerts: stats.alertCount,
+              lastAlert: stats.lastAlert,
+            });
+          }
+        }
+      }
+    }
+    
+    return alerts;
+  }
+
+  /**
+   * Get aggregate velocity statistics
+   */
+  getStats() {
+    let totalProfiles = 0;
+    let profilesWithBaseline = 0;
+    let activeAlerts = 0;
+    const alertsByLevel = {
+      [VELOCITY_ALERT.ELEVATED]: 0,
+      [VELOCITY_ALERT.WARNING]: 0,
+      [VELOCITY_ALERT.CRITICAL]: 0,
+    };
+    
+    for (const profile of this.profiles.values()) {
+      totalProfiles++;
+      let hasAnyBaseline = false;
+      
+      for (const [dim, stats] of profile.dimensions) {
+        if (stats.count >= this.config.minObservationsForBaseline) {
+          hasAnyBaseline = true;
+        }
+        
+        if (stats.alertCount > 0) {
+          const stdDev = Math.sqrt(stats.emVar);
+          const zScore = stdDev > 0 ? Math.abs(stats.lastValue - stats.ema) / stdDev : 0;
+          
+          if (zScore >= this.config.thresholds.critical) {
+            activeAlerts++;
+            alertsByLevel[VELOCITY_ALERT.CRITICAL]++;
+          } else if (zScore >= this.config.thresholds.warning) {
+            activeAlerts++;
+            alertsByLevel[VELOCITY_ALERT.WARNING]++;
+          } else if (zScore >= this.config.thresholds.elevated) {
+            activeAlerts++;
+            alertsByLevel[VELOCITY_ALERT.ELEVATED]++;
+          }
+        }
+      }
+      
+      if (hasAnyBaseline) profilesWithBaseline++;
+    }
+    
+    return {
+      totalProfiles,
+      profilesWithBaseline,
+      activeAlerts,
+      alertsByLevel,
+    };
+  }
+
+  /**
+   * NPU-accelerated anomaly assessment for a node.
+   * Feeds all behavioral dimensions + contextual features into the
+   * sakshi-anomaly ONNX model for multi-class attack detection.
+   * 
+   * Falls back to CPU heuristic (z-score based) if ONNX Runtime is unavailable.
+   * 
+   * @param {string} nodeId - Node to assess
+   * @param {Object} context - Additional context features
+   * @param {number} [context.uptimePercent=0.5] - Node uptime (0-1)
+   * @param {number} [context.networkAgeDays=0] - Days on network
+   * @param {number} [context.karmaScore=0.5] - Current KARMA score (0-1)
+   * @param {boolean} [context.hasAesni=false] - Hardware AES-NI attestation
+   * @param {number} [context.timeSourceQuality=0] - Time source quality (0=system, 0.5=ntp, 1=ptp)
+   * @param {number} [context.observationCount=0] - Total observations recorded
+   * @returns {Promise<Object>} Anomaly assessment with scores per threat type
+   */
+  async assessNode(nodeId, context = {}) {
+    const profile = this.profiles.get(nodeId);
+
+    // Default feature values (zero-filled if no profile)
+    const getDimValue = (dim) => {
+      if (!profile) return 0;
+      const stats = profile.dimensions.get(dim);
+      return stats ? stats.lastValue : 0;
+    };
+
+    // Build 12-feature input vector (must match training data order)
+    const features = new Float32Array([
+      getDimValue(BEHAVIOR_DIMENSION.MESSAGE_RATE),
+      getDimValue(BEHAVIOR_DIMENSION.GOSSIP_RATIO),
+      getDimValue(BEHAVIOR_DIMENSION.ERROR_RATE),
+      getDimValue(BEHAVIOR_DIMENSION.ATTESTATION_RATE),
+      getDimValue(BEHAVIOR_DIMENSION.CONNECTION_CHURN),
+      getDimValue(BEHAVIOR_DIMENSION.RESPONSE_LATENCY),
+      Math.min(1.0, context.uptimePercent ?? 0.5),
+      Math.min(1.0, (context.networkAgeDays ?? 0) / 365),
+      Math.min(1.0, context.karmaScore ?? 0.5),
+      context.hasAesni ? 1.0 : 0.0,
+      Math.min(1.0, context.timeSourceQuality ?? 0),
+      Math.min(1.0, (context.observationCount ?? 0) / 1000),
+    ]);
+
+    // NPU path: use ONNX model if available
+    const engine = this._inferenceEngine;
+    if (engine && engine.hasModel(this._modelName)) {
+      try {
+        const result = await engine.infer(this._modelName, {
+          behavior_features: features,
+        });
+        if (result && result.anomaly_scores) {
+          const scores = result.anomaly_scores;
+          return {
+            source: 'NPU',
+            nodeId,
+            anomalyScore: scores[0],
+            sybilScore: scores[1],
+            eclipseScore: scores[2],
+            floodScore: scores[3],
+            features,
+          };
+        }
+      } catch (err) {
+        log.warn('vegati', `NPU assessment failed for ${nodeId}: ${err.message}`);
+      }
+    }
+
+    // CPU fallback: aggregate z-scores across dimensions
+    let maxZScore = 0;
+    let anomalySum = 0;
+    let dimCount = 0;
+
+    if (profile) {
+      for (const [, stats] of profile.dimensions) {
+        if (stats.count >= this.config.minObservationsForBaseline) {
+          const stdDev = Math.sqrt(stats.emVar);
+          const zScore = stdDev > 0 ? Math.abs(stats.lastValue - stats.ema) / stdDev : 0;
+          maxZScore = Math.max(maxZScore, zScore);
+          anomalySum += Math.min(1.0, zScore / this.config.thresholds.critical);
+          dimCount++;
+        }
+      }
+    }
+
+    const anomalyScore = dimCount > 0 ? anomalySum / dimCount : 0;
+    return {
+      source: 'CPU',
+      nodeId,
+      anomalyScore,
+      sybilScore: 0,   // CPU fallback cannot distinguish attack types
+      eclipseScore: 0,
+      floodScore: 0,
+      maxZScore,
+      features,
+    };
+  }
+
+  /**
+   * Cleanup old profiles
+   */
+  cleanup() {
+    const now = Date.now();
+    let removed = 0;
+    
+    for (const [nodeId, profile] of this.profiles) {
+      if (now - profile.lastSeen > this.config.profileTTL) {
+        this.profiles.delete(nodeId);
+        removed++;
+      }
+    }
+    
+    if (removed > 0) {
+      log.info('vegati', `Cleaned up ${removed} stale profiles`);
+    }
+    
+    return removed;
+  }
+
+  _createProfile(nodeId) {
+    return {
+      nodeId,
+      createdAt: Date.now(),
+      lastSeen: Date.now(),
+      dimensions: new Map(),
+    };
+  }
+}
+
+// Singleton instance
+let _velocityMonitor = null;
+
+/**
+ * Get the singleton velocity monitor instance
+ */
+export function getVelocityMonitor(options) {
+  if (!_velocityMonitor) {
+    _velocityMonitor = new BehaviorVelocityMonitor(options);
+  }
+  return _velocityMonitor;
+}
+
 // =============================================================================
 // EXPORTS
 // =============================================================================
@@ -1506,4 +1957,10 @@ export default {
   checkRevocationAgreement,
   aggregateAttestations,
   assessComputationTrust,
+  
+  // Velocity detection (VEGATI)
+  VELOCITY_ALERT,
+  BEHAVIOR_DIMENSION,
+  BehaviorVelocityMonitor,
+  getVelocityMonitor,
 };