npm - yakmesh - Versions diffs - 2.8.2 → 3.0.0 - Mend

yakmesh 2.8.2 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (232) hide show

package/CHANGELOG.md +637 -0
package/CONTRIBUTING.md +42 -0
package/Caddyfile +77 -0
package/README.md +119 -29
package/adapters/adapter-mlv-bible/README.md +124 -0
package/adapters/adapter-mlv-bible/index.js +400 -0
package/adapters/chat-mod-adapter.js +532 -0
package/adapters/content-adapter.js +273 -0
package/content/api.js +50 -41
package/content/index.js +2 -2
package/content/store.js +355 -173
package/dashboard/index.html +19 -3
package/database/replication.js +117 -37
package/docs/CRYPTO-AGILITY.md +204 -0
package/docs/MTLS-RESEARCH.md +367 -0
package/docs/NAMCHE-SPEC.md +681 -0
package/docs/PEERQUANTA-YAKMESH-INTEGRATION.md +407 -0
package/docs/PRECISION-DISCLOSURE.md +96 -0
package/docs/README.md +76 -0
package/docs/ROADMAP-2.4.0.md +447 -0
package/docs/ROADMAP-2.5.0.md +244 -0
package/docs/SECURITY-AUDIT-REPORT.md +306 -0
package/docs/SST-INTEGRATION.md +712 -0
package/docs/STEADYWATCH-IMPLEMENTATION.md +303 -0
package/docs/TERNARY-AUDIT-REPORT.md +247 -0
package/docs/TME-FAQ.md +221 -0
package/docs/WHITEPAPER.md +623 -0
package/docs/adapters.html +1001 -0
package/docs/advanced-systems.html +1045 -0
package/docs/annex.html +1046 -0
package/docs/api.html +970 -0
package/docs/business/response-templates.md +160 -0
package/docs/c2c.html +1225 -0
package/docs/cli.html +1332 -0
package/docs/configuration.html +1248 -0
package/docs/darshan.html +1085 -0
package/docs/dharma.html +966 -0
package/docs/docs-bundle.html +1075 -0
package/docs/docs.css +3120 -0
package/docs/docs.js +556 -0
package/docs/doko.html +969 -0
package/docs/geo-proof.html +858 -0
package/docs/getting-started.html +840 -0
package/docs/gumba-tutorial.html +1144 -0
package/docs/gumba.html +1098 -0
package/docs/index.html +914 -0
package/docs/jhilke.html +1312 -0
package/docs/karma.html +1100 -0
package/docs/katha.html +1037 -0
package/docs/lama.html +978 -0
package/docs/mandala.html +1067 -0
package/docs/mani.html +964 -0
package/docs/mantra.html +967 -0
package/docs/mesh.html +1409 -0
package/docs/nakpak.html +869 -0
package/docs/namche.html +928 -0
package/docs/nav-order.json +53 -0
package/docs/prahari.html +1043 -0
package/docs/prism-bash.min.js +1 -0
package/docs/prism-javascript.min.js +1 -0
package/docs/prism-json.min.js +1 -0
package/docs/prism-tomorrow.min.css +1 -0
package/docs/prism.min.js +1 -0
package/docs/privacy.html +699 -0
package/docs/quick-reference.html +1181 -0
package/docs/sakshi.html +1402 -0
package/docs/sandboxing.md +386 -0
package/docs/seva.html +911 -0
package/docs/sherpa.html +871 -0
package/docs/studio.html +860 -0
package/docs/stupa.html +995 -0
package/docs/tailwind.min.css +2 -0
package/docs/tattva.html +1332 -0
package/docs/terms.html +686 -0
package/docs/time-server-deployment.md +166 -0
package/docs/time-sources.html +1392 -0
package/docs/tivra.html +1127 -0
package/docs/trademark-policy.html +686 -0
package/docs/tribhuj.html +1183 -0
package/docs/trust-security.html +1029 -0
package/docs/tutorials/backup-recovery.html +654 -0
package/docs/tutorials/dashboard.html +604 -0
package/docs/tutorials/domain-setup.html +605 -0
package/docs/tutorials/host-website.html +456 -0
package/docs/tutorials/mesh-network.html +505 -0
package/docs/tutorials/mobile-access.html +445 -0
package/docs/tutorials/privacy.html +467 -0
package/docs/tutorials/raspberry-pi.html +600 -0
package/docs/tutorials/security-basics.html +539 -0
package/docs/tutorials/share-files.html +431 -0
package/docs/tutorials/troubleshooting.html +637 -0
package/docs/tutorials/trust-karma.html +419 -0
package/docs/tutorials/yak-protocol.html +456 -0
package/docs/tutorials.html +1034 -0
package/docs/vani.html +1270 -0
package/docs/webserver.html +809 -0
package/docs/yak-protocol.html +940 -0
package/docs/yak-timeserver-design.md +475 -0
package/docs/yakapp.html +1015 -0
package/docs/ypc27.html +1069 -0
package/docs/yurt.html +1344 -0
package/embedded-docs/bundle.js +334 -74
package/gossip/protocol.js +247 -27
package/identity/key-resolver.js +262 -0
package/identity/machine-seed.js +632 -0
package/identity/node-key.js +669 -368
package/identity/tribhuj-ratchet.js +506 -0
package/knowledge-base.js +37 -8
package/launcher/yakmesh.bat +62 -0
package/launcher/yakmesh.sh +70 -0
package/mesh/annex.js +462 -108
package/mesh/beacon-broadcast.js +113 -1
package/mesh/darshan.js +1718 -0
package/mesh/gumba.js +1567 -0
package/mesh/jhilke.js +651 -0
package/mesh/katha.js +1012 -0
package/mesh/nakpak-routing.js +8 -5
package/mesh/network.js +724 -34
package/mesh/pulse-sync.js +4 -1
package/mesh/rate-limiter.js +127 -15
package/mesh/seva.js +526 -0
package/mesh/sherpa-discovery.js +89 -8
package/mesh/sybil-defense.js +19 -5
package/mesh/temporal-encoder.js +4 -3
package/mesh/vani.js +1364 -0
package/mesh/yurt.js +1340 -0
package/models/entropy-sentinel.onnx +0 -0
package/models/karma-trust.onnx +0 -0
package/models/manifest.json +43 -0
package/models/sakshi-anomaly.onnx +0 -0
package/oracle/code-proof-protocol.js +7 -6
package/oracle/codebase-lock.js +257 -28
package/oracle/index.js +74 -15
package/oracle/ma902-snmp.js +678 -0
package/oracle/module-sealer.js +5 -3
package/oracle/network-identity.js +16 -0
package/oracle/packet-checksum.js +201 -0
package/oracle/sst.js +579 -0
package/oracle/ternary-144t.js +714 -0
package/oracle/ternary-ml.js +481 -0
package/oracle/time-api.js +239 -0
package/oracle/time-source.js +137 -47
package/oracle/validation-oracle-hardened.js +1111 -1071
package/oracle/validation-oracle.js +4 -2
package/oracle/ypc27.js +211 -0
package/package.json +20 -3
package/protocol/yak-handler.js +35 -9
package/protocol/yak-protocol.js +28 -13
package/reference/cpp/yakmesh_mceliece_shard.cpp +168 -0
package/reference/cpp/yakmesh_ypc27.cpp +179 -0
package/sbom.json +87 -0
package/scripts/security-audit.mjs +264 -0
package/scripts/update-docs-nav.js +194 -0
package/scripts/update-docs-sidebar.cjs +164 -0
package/security/crypto-config.js +4 -3
package/security/dharma-moderation.js +517 -0
package/security/doko-identity.js +193 -143
package/security/domain-consensus.js +86 -85
package/security/fs-hardening.js +620 -0
package/security/hardware-attestation.js +5 -3
package/security/hybrid-trust.js +227 -87
package/security/karma-rate-limiter.js +692 -0
package/security/khata-protocol.js +22 -21
package/security/khata-trust-integration.js +277 -150
package/security/memory-safety.js +635 -0
package/security/mesh-auth.js +11 -10
package/security/mesh-revocation.js +373 -5
package/security/namche-gateway.js +298 -69
package/security/sakshi.js +460 -3
package/security/sangha.js +770 -0
package/security/secure-config.js +473 -0
package/security/silicon-parity.js +13 -10
package/security/steadywatch.js +1142 -0
package/security/strike-system.js +32 -3
package/security/temporal-signing.js +488 -0
package/security/trit-commitment.js +464 -0
package/server/crypto/annex.js +247 -0
package/server/darshan-api.js +343 -0
package/server/index.js +3259 -362
package/server/komm-api.js +668 -0
package/utils/accel.js +2273 -0
package/utils/ternary-id.js +79 -0
package/utils/verify-worker.js +57 -0
package/webserver/index.js +95 -5
package/assets/yakmesh-logo.png +0 -0
package/assets/yakmesh-logo.svg +0 -80
package/assets/yakmesh-logo2.png +0 -0
package/assets/yakmesh-logo2sm.png +0 -0
package/assets/ymsm.png +0 -0
package/website/assets/silhouettes/adapters.svg +0 -107
package/website/assets/silhouettes/api-endpoints.svg +0 -115
package/website/assets/silhouettes/atomic-clock.svg +0 -83
package/website/assets/silhouettes/base-camp.svg +0 -81
package/website/assets/silhouettes/bridge.svg +0 -69
package/website/assets/silhouettes/docs-bundle.svg +0 -113
package/website/assets/silhouettes/doko-basket.svg +0 -70
package/website/assets/silhouettes/fortress.svg +0 -93
package/website/assets/silhouettes/gateway.svg +0 -54
package/website/assets/silhouettes/gears.svg +0 -93
package/website/assets/silhouettes/globe-satellite.svg +0 -67
package/website/assets/silhouettes/karma-wheel.svg +0 -137
package/website/assets/silhouettes/lama-council.svg +0 -141
package/website/assets/silhouettes/mandala-network.svg +0 -169
package/website/assets/silhouettes/mani-stones.svg +0 -149
package/website/assets/silhouettes/mantra-wheel.svg +0 -116
package/website/assets/silhouettes/mesh-nodes.svg +0 -113
package/website/assets/silhouettes/nakpak.svg +0 -56
package/website/assets/silhouettes/peak-lightning.svg +0 -73
package/website/assets/silhouettes/sherpa.svg +0 -69
package/website/assets/silhouettes/stupa-tower.svg +0 -119
package/website/assets/silhouettes/tattva-eye.svg +0 -78
package/website/assets/silhouettes/terminal.svg +0 -74
package/website/assets/silhouettes/webserver.svg +0 -145
package/website/assets/silhouettes/yak.svg +0 -78
package/website/assets/yakmesh-logo.png +0 -0
package/website/assets/yakmesh-logo.webp +0 -0
package/website/assets/yakmesh-logo128x140.webp +0 -0
package/website/assets/yakmesh-logo2.png +0 -0
package/website/assets/yakmesh-logo2.svg +0 -51
package/website/assets/yakmesh-logo40x44.webp +0 -0
package/website/assets/yakmesh.gif +0 -0
package/website/assets/yakmesh.ico +0 -0
package/website/assets/yakmesh.jpg +0 -0
package/website/assets/yakmesh.pdf +0 -0
package/website/assets/yakmesh.png +0 -0
package/website/assets/yakmesh.svg +0 -70
package/website/assets/yakmesh128.webp +0 -0
package/website/assets/yakmesh32.png +0 -0
package/website/assets/yakmesh32.svg +0 -65
package/website/assets/yakmesh32o.ico +0 -2
package/website/assets/yakmesh32o.svg +0 -65
package/website/assets/yakmesh32o.svgz +0 -0

package/docs/sandboxing.md ADDED Viewed

@@ -0,0 +1,386 @@
+# Yakmesh Sandboxing Guide
+## Overview
+This document describes how to run Yakmesh in a sandboxed environment on Linux and macOS. While the core security features (SANGHA, FS Hardening, Memory Safety, etc.) work on all platforms, OS-level sandboxing provides an additional defense layer.
+## Linux Sandboxing
+### Option 1: systemd Service with Sandboxing
+Create `/etc/systemd/system/yakmesh.service`:
+```ini
+[Unit]
+Description=Yakmesh P2P Mesh Network Node
+After=network.target
+[Service]
+Type=simple
+User=yakmesh
+Group=yakmesh
+WorkingDirectory=/opt/yakmesh
+ExecStart=/usr/bin/node server/index.js
+Restart=always
+RestartSec=10
+# Sandboxing directives
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+SystemCallFilter=@system-service
+SystemCallArchitectures=native
+# Allow only necessary capabilities
+CapabilityBoundingSet=
+AmbientCapabilities=
+# Filesystem access
+ReadWritePaths=/opt/yakmesh/data
+ReadOnlyPaths=/opt/yakmesh
+# Resource limits
+LimitNOFILE=65535
+LimitNPROC=4096
+[Install]
+WantedBy=multi-user.target
+```
+Enable and start:
+```bash
+sudo systemctl daemon-reload
+sudo systemctl enable yakmesh
+sudo systemctl start yakmesh
+```
+### Option 2: Firejail
+Install firejail and create profile `/etc/firejail/yakmesh.profile`:
+```
+# Yakmesh Firejail profile
+include /etc/firejail/default.profile
+# Restrict to yakmesh directory
+whitelist /opt/yakmesh
+read-only /opt/yakmesh
+read-write /opt/yakmesh/data
+# Network access
+net eth0
+# Capabilities
+caps.drop all
+caps.keep net_bind_service
+# Seccomp
+seccomp
+# Memory
+memory-deny-write-execute
+# Disable unneeded features
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+```
+Run:
+```bash
+firejail --profile=/etc/firejail/yakmesh.profile node /opt/yakmesh/server/index.js
+```
+### Option 3: Docker with seccomp/AppArmor
+Dockerfile:
+```dockerfile
+FROM node:24-slim
+# Create non-root user
+RUN groupadd -r yakmesh && useradd -r -g yakmesh yakmesh
+# Set up app
+WORKDIR /app
+COPY --chown=yakmesh:yakmesh . .
+RUN npm ci --production
+# Switch to non-root
+USER yakmesh
+# Expose ports
+EXPOSE 3080 9080
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --retries=3 \
+  CMD curl -f http://localhost:3080/health || exit 1
+CMD ["node", "server/index.js"]
+```
+Docker Compose with security options:
+```yaml
+version: '3.8'
+services:
+  yakmesh:
+    build: .
+    security_opt:
+      - no-new-privileges:true
+      - seccomp:unconfined  # Or use custom seccomp profile
+    cap_drop:
+      - ALL
+    read_only: true
+    tmpfs:
+      - /tmp
+    volumes:
+      - ./data:/app/data:rw
+    ports:
+      - "3080:3080"
+      - "9080:9080"
+    deploy:
+      resources:
+        limits:
+          cpus: '2'
+          memory: 2G
+```
+### Option 4: bubblewrap (bwrap)
+Minimal sandboxing with bubblewrap:
+```bash
+#!/bin/bash
+bwrap \
+  --ro-bind /usr /usr \
+  --ro-bind /lib /lib \
+  --ro-bind /lib64 /lib64 \
+  --ro-bind /opt/yakmesh /opt/yakmesh \
+  --bind /opt/yakmesh/data /opt/yakmesh/data \
+  --tmpfs /tmp \
+  --proc /proc \
+  --dev /dev \
+  --unshare-all \
+  --share-net \
+  --die-with-parent \
+  --new-session \
+  --hostname yakmesh \
+  --chdir /opt/yakmesh \
+  /usr/bin/node server/index.js
+```
+## macOS Sandboxing
+### Option 1: App Sandbox (sandbox-exec)
+Create `yakmesh.sb`:
+```scheme
+(version 1)
+(deny default)
+; Allow basic operations
+(allow process-exec)
+(allow process-fork)
+(allow signal (target self))
+; Network access
+(allow network*)
+; File access - read-only for code
+(allow file-read* (subpath "/opt/yakmesh"))
+(allow file-read* (subpath "/usr/local/lib/node_modules"))
+; File access - read-write for data
+(allow file-read* file-write* (subpath "/opt/yakmesh/data"))
+; System libraries
+(allow file-read* (subpath "/usr/lib"))
+(allow file-read* (subpath "/System/Library"))
+; Sysctl for system info
+(allow sysctl-read)
+; Mach IPC for Node.js
+(allow mach-lookup)
+```
+Run:
+```bash
+sandbox-exec -f yakmesh.sb node /opt/yakmesh/server/index.js
+```
+### Option 2: launchd with sandboxing
+Create `/Library/LaunchDaemons/com.yakmesh.node.plist`:
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>com.yakmesh.node</string>
+    <key>ProgramArguments</key>
+    <array>
+        <string>/usr/local/bin/node</string>
+        <string>/opt/yakmesh/server/index.js</string>
+    </array>
+    <key>WorkingDirectory</key>
+    <string>/opt/yakmesh</string>
+    <key>RunAtLoad</key>
+    <true/>
+    <key>KeepAlive</key>
+    <true/>
+    <key>UserName</key>
+    <string>yakmesh</string>
+    <key>GroupName</key>
+    <string>yakmesh</string>
+    <key>SandboxProfile</key>
+    <string>/opt/yakmesh/yakmesh.sb</string>
+</dict>
+</plist>
+```
+Load:
+```bash
+sudo launchctl load /Library/LaunchDaemons/com.yakmesh.node.plist
+```
+## Best Practices
+### 1. Create Dedicated User
+```bash
+# Linux
+sudo useradd -r -s /bin/false -d /opt/yakmesh yakmesh
+sudo chown -R yakmesh:yakmesh /opt/yakmesh
+# macOS
+sudo dscl . -create /Users/yakmesh
+sudo dscl . -create /Users/yakmesh UserShell /usr/bin/false
+```
+### 2. Filesystem Permissions
+```bash
+# Code: read-only
+chmod -R 555 /opt/yakmesh
+chmod 755 /opt/yakmesh
+# Data: read-write for service user only
+chmod 700 /opt/yakmesh/data
+chown yakmesh:yakmesh /opt/yakmesh/data
+# Identity files: restrictive
+chmod 400 /opt/yakmesh/data/machine-seed.json
+chmod 600 /opt/yakmesh/data/node-key.json
+```
+### 3. Network Restrictions
+Use iptables/nftables (Linux) or pf (macOS) to restrict network:
+```bash
+# Linux iptables - allow only HTTP, WebSocket, and bootstrap
+iptables -A OUTPUT -p tcp --dport 3080 -j ACCEPT  # HTTP
+iptables -A OUTPUT -p tcp --dport 9080 -j ACCEPT  # WebSocket
+iptables -A OUTPUT -p tcp --dport 9081 -j ACCEPT  # LAN node
+iptables -A OUTPUT -p udp --dport 123 -j ACCEPT   # NTP
+iptables -A OUTPUT -p tcp -j DROP                  # Block other TCP
+```
+### 4. Resource Limits
+Use cgroups v2 (Linux) for fine-grained resource control:
+```bash
+# Create cgroup
+sudo mkdir /sys/fs/cgroup/yakmesh
+echo "+cpu +memory +io" | sudo tee /sys/fs/cgroup/cgroup.subtree_control
+# Set limits
+echo 200000 | sudo tee /sys/fs/cgroup/yakmesh/cpu.max  # 200% CPU
+echo 2G | sudo tee /sys/fs/cgroup/yakmesh/memory.max   # 2GB RAM
+```
+## Integration with SANGHA
+The sandboxing layer works WITH Yakmesh's built-in security:
+| Layer | Responsibility |
+|-------|----------------|
+| **OS Sandbox** | Process isolation, syscall filtering, capability dropping |
+| **SANGHA** | Collective attestation, anomaly detection |
+| **FS Hardening** | File integrity, lock critical files |
+| **Memory Safety** | Canary-based corruption detection |
+| **Secure Config** | Oracle-attested configuration |
+The OS sandbox is the outermost ring. If an attacker bypasses SANGHA and exploits a Node.js vulnerability, the OS sandbox prevents:
+- Privilege escalation
+- Access to system files
+- Network pivoting
+- Spawning new processes
+## Monitoring
+### Check sandbox status (Linux)
+```bash
+# systemd
+systemctl status yakmesh
+journalctl -u yakmesh -f
+# Check security context
+cat /proc/$(pgrep -f yakmesh)/status | grep -E 'Seccomp|Cap'
+```
+### Check sandbox status (macOS)
+```bash
+# launchd
+sudo launchctl list | grep yakmesh
+# Check sandbox violations
+log show --predicate 'process == "sandboxd"' --last 1h
+```
+## Troubleshooting
+### "Permission denied" errors
+- Check file permissions: `ls -la /opt/yakmesh/data`
+- Verify user context: `whoami` within sandbox
+- Check seccomp logs: `dmesg | grep seccomp`
+### Network connectivity issues
+- Verify sandbox allows network: check profile allows `AF_INET`
+- Check firewall rules: `iptables -L` or `pfctl -sr`
+### Node.js features not working
+- Some features require syscalls blocked by sandbox
+- Adjust seccomp profile or sandbox rules as needed
+- Test incrementally: start permissive, then restrict
+## Recommended Configuration
+For production deployment, combine:
+1. **systemd sandboxing** (Linux) or **launchd + sandbox-exec** (macOS)
+2. **Dedicated non-root user**
+3. **Read-only filesystem** except `/data`
+4. **Network firewall** limiting outbound
+5. **Resource limits** via cgroups/launchd
+This provides defense-in-depth when combined with Yakmesh's SANGHA collective security.