yakmesh 2.9.0 → 3.0.0

package/Caddyfile

@@ -0,0 +1,77 @@
+# ═══════════════════════════════════════════════════════════════
+# Yakmesh Caddy Configuration — WSS Reverse Proxy
+# ═══════════════════════════════════════════════════════════════
+#
+# Use this Caddyfile to expose your yakmesh node via WSS (HTTPS/WebSocket).
+# Caddy handles automatic TLS via Let's Encrypt and reverse-proxies
+# WebSocket connections to the local yakmesh WS server.
+#
+# SHERPA will advertise this endpoint in beacons, allowing other nodes
+# (even those behind firewalls) to discover and OUTBOUND connect to you.
+#
+# Prerequisites:
+#   1. Domain pointing to this machine (e.g., mesh.yakmesh.dev)
+#   2. Port 443 and 80 accessible (port 80 needed for ACME challenge)
+#   3. Caddy installed: https://caddyserver.com/docs/install
+#
+# Usage:
+#   caddy run --config Caddyfile
+#
+# Set env var so SHERPA advertises this WSS endpoint:
+#   YAKMESH_WS_ENDPOINT=wss://mesh.yakmesh.dev
+#   YAKMESH_SELF_ENDPOINT=https://mesh.yakmesh.dev
+# ═══════════════════════════════════════════════════════════════
+
+# Replace with your domain
+mesh.yakmesh.dev {
+    # WebSocket reverse proxy — mesh peering
+    # Matches WebSocket upgrade requests
+    @websocket {
+        header Connection *Upgrade*
+        header Upgrade websocket
+    }
+    handle @websocket {
+        reverse_proxy localhost:9080
+    }
+
+    # SHERPA beacon — live peer discovery data
+    handle /.well-known/yakmesh/beacon {
+        reverse_proxy localhost:3080
+    }
+
+    # Mesh relay — HTTP message bridge
+    handle /mesh/relay* {
+        reverse_proxy localhost:3080
+    }
+
+    # Health endpoint
+    handle /mesh/health {
+        reverse_proxy localhost:3080/health
+    }
+
+    # Dashboard (optional — remove in production)
+    handle /dashboard* {
+        reverse_proxy localhost:3080
+    }
+
+    # Default: serve documentation
+    handle {
+        reverse_proxy localhost:3080
+    }
+
+    # Logging
+    log {
+        output file /var/log/caddy/yakmesh.log {
+            roll_size 10mb
+            roll_keep 5
+        }
+    }
+
+    # Security headers
+    header {
+        X-Content-Type-Options nosniff
+        X-Frame-Options DENY
+        Referrer-Policy strict-origin-when-cross-origin
+        -Server
+    }
+}

package/README.md

@@ -1,7 +1,7 @@
 <div align="center">
   <img src="https://yakmesh.dev/assets/yakmesh-logo2.png" alt="YAKMESH" width="200">
 
-  <h1>🏔️ YAKMESH™: Sturdy & Secure</h1>
+  <h1>🏔️ YAKMESH™ v3.0.0 — The Summit Release</h1>
 
   <p><strong>Yielding Atomic Kernel Modular Encryption Secured Hub</strong></p>
 
@@ -10,12 +10,14 @@
     <a href="https://nodejs.org"><img src="https://img.shields.io/badge/Node.js-18+-green.svg" alt="Node.js"></a>
     <a href="https://csrc.nist.gov/projects/post-quantum-cryptography"><img src="https://img.shields.io/badge/Crypto-Post--Quantum-blue.svg" alt="Post-Quantum"></a>
     <a href="https://www.npmjs.com/package/yakmesh"><img src="https://img.shields.io/npm/v/yakmesh.svg" alt="npm version"></a>
+    <img src="https://img.shields.io/badge/version-3.0.0-purple.svg" alt="v3.0.0">
+    <img src="https://img.shields.io/badge/Protocol_Layers-30-orange.svg" alt="30-Layer Stack">
   </p>
 </div>
 
 ---
 
-YAKMESH is a high-resiliency, decentralized networking layer designed for the 2026 threat landscape. Built with quantum-resistant cryptography at its core and anchored by PCIe atomic timing synchronization, YAKMESH provides a "sturdy" substrate for distributed systems that cannot afford to fail.
+YAKMESH is a post-quantum secure P2P mesh network with a 30-layer protocol stack, heterogeneous GPU+NPU compute scheduling, and hardware-anchored precision timing. Built for the 2026 threat landscape with NIST FIPS 204/203 cryptography at every layer, YAKMESH provides a "sturdy" substrate for distributed systems that cannot afford to fail.
 
 > **📚 Full documentation: [yakmesh.dev](https://yakmesh.dev)** | **[docs/](docs/)** for specifications
 
@@ -38,29 +40,66 @@ await node.start();
 
 ## Features
 
-- 🔒 **Post-Quantum Secure** - ML-DSA-65 (NIST FIPS 204) signatures
-- 🔮 **TATTVA Oracle** - Self-verifying validation without external trust
-- 🌐 **Mesh Networking** - P2P WebSocket communication with gossip protocol
-- ⏱️ **Precision Timing** - Support for atomic clocks, GPS, PTP, NTP
-- 🧭 **NAMCHE Gateway** - 7-gate mathematical identity verification
-- 🏔️ **SHERPA Discovery** - Decentralized peer discovery
-- 🔐 **ANNEX Channels** - ML-KEM768 encrypted P2P with forward secrecy
-- 🌍 **Geographic Proof** - Speed-of-light exclusion zones
+### Cryptography & Identity
 
-> See [yakmesh.dev](https://yakmesh.dev) for complete feature documentation
+- 🔒 **Post-Quantum Secure** — ML-DSA-65 (FIPS 204) signatures, ML-KEM-768 (FIPS 203) key encapsulation
+- 🧬 **144-Trit Identity** — Ternary identity system with balanced-ternary encoding (YPC-27)
+- 🔐 **ANNEX Channels** — ML-KEM-768 encrypted P2P sessions with forward secrecy (TRIBHUJ ratchet)
+- 🧭 **NAMCHE Gateway** — 7-gate mathematical identity verification
+
+### Networking & Discovery
+
+- 🌐 **Mesh Networking** — P2P WebSocket mesh with epidemic gossip protocol
+- 🏔️ **SHERPA Discovery** — Decentralized peer discovery with DNS beacon broadcast
+- 📦 **NAKPAK Routing** — Efficient binary message routing with checksum verification
+- 💬 **KOMM Stack** — Real-time communication layer (VANI messaging, GUMBA channels, KATHA sessions)
+
+### Validation & Consensus
+
+- 🔮 **TATTVA Oracle** — Self-verifying codebase validation; the code IS the network identity
+- 📜 **DHARMA Consensus** — Multi-phase consensus engine with phase-epoch timing
+- 👁️ **SAKSHI Witness** — Distributed witness protocol for transaction attestation
+- 🌍 **Geographic Proof** — Speed-of-light exclusion zones for physical locality verification
+
+### Compute & Acceleration
+
+- ⚡ **GPU+NPU Acceleration** — Heterogeneous compute via ONNX Runtime (DirectML, CUDA, CPU fallback)
+- 📊 **ComputeScheduler** — Priority-based task scheduling (CRITICAL → HIGH → NORMAL → LOW)
+- 🧠 **SEVA Compute** — Distributed ML inference mesh across network peers
+
+### Security & Monitoring
+
+- 🛡️ **SANGHA Security** — Community-driven threat circulation and collective defense
+- ⏱️ **Precision Timing** — GPS atomic clocks (MA-902), PTP, NTP with sub-millisecond sync
+- 📡 **DARSHAN Telemetry** — Real-time network visibility and diagnostics
+- 🔍 **STEADYWATCH** — Continuous uptime and integrity monitoring
+- ⚖️ **KARMA Rate Limiter** — Behavior-based reputation rate limiting
+
+> See [yakmesh.dev](https://yakmesh.dev) for the complete 30-layer protocol documentation
 
 ## Architecture
 
 ```
-yakmesh/
-├── security/         # NAMCHE gateway, DOKO identity, trust models
-├── oracle/           # TATTVA self-verifying validation engine
-├── mesh/             # SHERPA, NAKPAK, ANNEX networking
+yakmesh-node/
+├── server/           # HTTP/WS server (~3,300 lines), all API routes
+├── security/         # NAMCHE gateway, SANGHA, SAKSHI, trust models, geo-proof
+├── oracle/           # TATTVA validation, consensus engine, code-proof, phase-epoch
+├── identity/         # PQ key management, TRIBHUJ ratchet, 144T identity
+├── mesh/             # SHERPA discovery, NAKPAK routing, ANNEX sessions, pulse-sync
 ├── gossip/           # Epidemic-style message propagation
-├── protocol/         # STUPA, LAMA, MANI, KARMA, MANDALA
-├── adapters/         # Platform integration plugins
-├── embedded-docs/    # GRANTH documentation bundle
-└── server/           # HTTP/WS server
+├── protocol/         # STUPA, LAMA, MANI, KARMA, MANDALA protocol layers
+├── utils/            # Hardware acceleration, ComputeScheduler (GPU+NPU)
+├── cli/              # Command-line interface
+├── dashboard/        # Web-based monitoring UI
+├── database/         # SQLite persistence layer
+├── content/          # Distributed content system
+├── models/           # ONNX ML models for inference
+├── embedded-docs/    # GRANTH documentation bundle (served at /docs)
+├── adapters/         # Platform integration plugins (BYOND, etc.)
+├── templates/        # Configuration templates
+├── launcher/         # Process management and startup
+├── webserver/        # Static web serving
+└── yakbot/           # Bot integration
 ```
 
 ## Network Identity
@@ -78,16 +117,68 @@ import { deriveNetworkName, deriveVerificationPhrase } from 'yakmesh/oracle/netw
 
 Full API documentation at [yakmesh.dev/docs/api](https://yakmesh.dev/docs/api)
 
+### Core
+
+| Endpoint | Description |
+|----------|-------------|
+| `GET /health` | Node health status |
+| `GET /node` | Node identity info |
+| `GET /peers` | Connected peers |
+| `GET /metrics` | Prometheus-compatible metrics |
+| `GET /dashboard` | Web monitoring UI |
+
+### Oracle & Consensus
+
 | Endpoint | Description |
 |----------|-------------|
-| `/health` | Node health status |
-| `/node` | Node identity info |
-| `/peers` | Connected peers |
-| `/oracle/status` | Oracle integrity check |
-| `/network/identity` | Network identity |
-| `/time/status` | Time source detection |
-| `/security/namche/gates` | Gateway verification status |
-| `/geo/status` | Geographic proof status |
+| `GET /oracle/status` | Oracle integrity check |
+| `GET /oracle/consensus` | Consensus state |
+| `GET /oracle/peers` | Oracle peer list |
+| `POST /oracle/challenge` | Challenge-response verification |
+| `POST /oracle/submit` | Submit oracle data |
+
+### Network & Mesh
+
+| Endpoint | Description |
+|----------|-------------|
+| `GET /network/identity` | Network identity |
+| `GET /network/status` | Network state |
+| `GET /network/handshake` | Handshake data |
+| `POST /connect` | Initiate peer connection |
+| `POST /mesh/relay` | Relay message to peers |
+| `GET /gossip` | Gossip state |
+| `GET /discovered` | Discovered nodes |
+
+### Protocol Subsystems
+
+| Endpoint | Description |
+|----------|-------------|
+| `/komm/*` | KOMM real-time communication |
+| `/darshan/*` | DARSHAN network telemetry |
+| `GET /sherpa/status` | SHERPA peer discovery status |
+| `GET /nakpak/status` | NAKPAK routing status |
+| `GET /annex/status` | ANNEX encrypted channel status |
+| `GET /sakshi/status` | SAKSHI witness protocol status |
+| `GET /api/sangha` | SANGHA community security |
+| `/content/*` | Content API |
+
+### Timing & Compute
+
+| Endpoint | Description |
+|----------|-------------|
+| `GET /time/status` | Time source detection |
+| `GET /time/capabilities` | Timing hardware capabilities |
+| `GET /api/time` | Full time data |
+| `GET /accel` | Hardware acceleration status |
+| `GET /accel/telemetry` | GPU/NPU telemetry |
+| `GET /scheduler` | ComputeScheduler state |
+| `GET /steadywatch` | Uptime monitoring |
+
+### Security
+
+| Endpoint | Description |
+|----------|-------------|
+| `GET /security/namche/gates` | Gateway verification status |
 
 ## License
 
@@ -99,7 +190,7 @@ See [TRADEMARK.md](TRADEMARK.md) for trademark usage policy.
 ---
 
 <div align="center">
-  <sub>Built with quantum principles. Secured by math.</sub>
+  <sub>Built with quantum principles. Secured by math. 30 layers deep.</sub>
   <br><br>
   <strong><a href="https://yakmesh.dev">yakmesh.dev</a></strong>
   <br><br>
@@ -114,4 +205,3 @@ See [TRADEMARK.md](TRADEMARK.md) for trademark usage policy.
   <br>
   <sub>YAKMESH™ is a trademark of PeerQuanta, application pending (Serial No. 99594620).</sub>
 </div>
-

package/content/api.js

@@ -2,10 +2,14 @@
  * YAKMESH™ Public Content API
  * HTTP endpoints for public content delivery
  * 
+ * Content integrity = SHA3-256 hash match.
+ * Content authorship = publisher ML-DSA-65 signature.
+ * No voting, no quorum, no consensus proofs.
+ * 
  * Public (no auth required):
  * - GET /content/:hash - Fetch content by hash
  * - GET /content/:hash/meta - Fetch metadata only
- * - GET /content/:hash/proof - Fetch consensus proof
+ * - GET /content/:hash/integrity - Fetch integrity info (hash + publisher sig)
  * - GET /content/list - List available content
  * 
  * Authenticated (rate limited):
@@ -18,18 +22,19 @@
  */
 
 import { Router } from 'express';
-import { ContentStore, ContentType, ContentStatus, computeContentHash } from './store.js';
+import { ContentStore, ContentType, ContentStatus, computeContentHash, isTritAddress } from './store.js';
 
 /**
  * Create content API router
  */
 export function createContentAPI(contentStore, options = {}) {
   const router = Router();
-  
+
   const {
     writeLimiter,
     readLimiter,
     validateString,
+    requirePeerAuth,
   } = options;
 
   // =========================================
@@ -38,22 +43,20 @@ export function createContentAPI(contentStore, options = {}) {
 
   /**
    * GET /content/:hash
-   * Fetch content by hash with optional proof
+   * Fetch content by hash
    * 
    * Query params:
-   * - proof=1 : Include consensus proof in response headers
    * - download=1 : Force download (Content-Disposition)
    */
   router.get('/:hash', readLimiter, (req, res) => {
     const { hash } = req.params;
-    const includeProof = req.query.proof === '1';
     const download = req.query.download === '1';
 
     // Get content with metadata
     const result = contentStore.getWithProof(hash);
-    
+
     if (!result) {
-      return res.status(404).json({ 
+      return res.status(404).json({
         error: 'Content not found',
         hash,
         hint: 'Content may not have synced yet. Try again later.',
@@ -64,19 +67,22 @@ export function createContentAPI(contentStore, options = {}) {
     res.setHeader('Content-Type', result.meta?.contentType || 'application/octet-stream');
     res.setHeader('Content-Length', result.meta?.size || result.content.length);
     res.setHeader('X-Content-Hash', result.hash);
+    res.setHeader('X-Content-Hash-144T', result.hash144t || result.meta?.hash144t || '');
     res.setHeader('X-Content-Status', result.meta?.status || 'unknown');
-    
-    // Cache headers (immutable content = cache forever)
+
+    // Cache headers (verified content = cache forever)
     if (result.verified) {
       res.setHeader('Cache-Control', 'public, max-age=31536000, immutable');
+      res.setHeader('X-Verified', 'true');
     } else {
       res.setHeader('Cache-Control', 'public, max-age=60');
+      res.setHeader('X-Verified', 'false');
     }
 
-    // Include proof in headers if requested
-    if (includeProof && result.proof) {
-      res.setHeader('X-Consensus-Proof', JSON.stringify(result.proof));
-      res.setHeader('X-Verified', result.verified ? 'true' : 'false');
+    // Publisher signature header
+    if (result.meta?.publisherSignature) {
+      res.setHeader('X-Publisher-Signature', result.meta.publisherSignature);
+      res.setHeader('X-Published-By', result.meta.publishedBy || 'unknown');
     }
 
     // Download disposition
@@ -95,7 +101,7 @@ export function createContentAPI(contentStore, options = {}) {
   router.get('/:hash/meta', readLimiter, (req, res) => {
     const { hash } = req.params;
     const meta = contentStore.getMeta(hash);
-    
+
     if (!meta) {
       return res.status(404).json({ error: 'Content not found', hash });
     }
@@ -104,30 +110,31 @@ export function createContentAPI(contentStore, options = {}) {
   });
 
   /**
-   * GET /content/:hash/proof
-   * Fetch consensus proof for light client verification
+   * GET /content/:hash/integrity
+   * Fetch integrity info for content verification
+   * Returns hash, publisher identity, publisher signature, and verification status.
+   * Any client can independently verify: hash(content) === hash AND
+   * verify(hash, publisherSignature, publisherPubKey) === true.
    */
-  router.get('/:hash/proof', readLimiter, (req, res) => {
+  router.get('/:hash/integrity', readLimiter, (req, res) => {
     const { hash } = req.params;
     const meta = contentStore.getMeta(hash);
-    
+
     if (!meta) {
       return res.status(404).json({ error: 'Content not found', hash });
     }
 
-    if (!meta.consensusProof) {
-      return res.status(404).json({ 
-        error: 'No consensus proof yet',
-        hash,
-        status: meta.status,
-        hint: 'Content may still be pending consensus.',
-      });
-    }
-
     res.json({
-      hash,
+      hash: meta.hash,
+      hash144t: meta.hash144t,
+      ioName: meta.ioName,
       verified: meta.status === ContentStatus.VERIFIED,
-      proof: meta.consensusProof.toJSON ? meta.consensusProof.toJSON() : meta.consensusProof,
+      status: meta.status,
+      publishedBy: meta.publishedBy,
+      publisherSignature: meta.publisherSignature || null,
+      contentType: meta.contentType,
+      size: meta.size,
+      createdAt: meta.createdAt,
     });
   });
 
@@ -143,7 +150,7 @@ export function createContentAPI(contentStore, options = {}) {
    */
   router.get('/', readLimiter, (req, res) => {
     const { tag, status, limit = 100, offset = 0 } = req.query;
-    
+
     const items = contentStore.list({
       tag,
       status,
@@ -164,7 +171,7 @@ export function createContentAPI(contentStore, options = {}) {
    */
   router.head('/:hash', readLimiter, (req, res) => {
     const { hash } = req.params;
-    
+
     if (contentStore.has(hash)) {
       const meta = contentStore.getMeta(hash);
       res.setHeader('Content-Type', meta?.contentType || 'application/octet-stream');
@@ -199,7 +206,7 @@ export function createContentAPI(contentStore, options = {}) {
    * - name: optional name
    * - tags: comma-separated tags
    */
-  router.post('/publish', writeLimiter, async (req, res) => {
+  router.post('/publish', writeLimiter, requirePeerAuth, async (req, res) => {
     try {
       let content;
       let options = {};
@@ -216,7 +223,7 @@ export function createContentAPI(contentStore, options = {}) {
           tags: req.body.tags || [],
           ttl: req.body.ttl || 0,
         };
-      } 
+      }
       // Handle raw body
       else if (req.body && Buffer.isBuffer(req.body)) {
         content = req.body;
@@ -245,9 +252,11 @@ export function createContentAPI(contentStore, options = {}) {
       res.status(201).json({
         success: true,
         hash: result.hash,
+        hash144t: result.hash144t,
+        ioName: result.ioName,
         status: result.status,
         meta: result.meta?.toJSON ? result.meta.toJSON() : result.meta,
-        url: `/content/${result.hash}`,
+        url: `/content/${result.hash144t || result.hash}`,
       });
     } catch (error) {
       res.status(500).json({ error: error.message });
@@ -260,7 +269,7 @@ export function createContentAPI(contentStore, options = {}) {
    */
   router.post('/request', writeLimiter, async (req, res) => {
     const { hash } = req.body;
-    
+
     if (!hash) {
       return res.status(400).json({ error: 'Hash required' });
     }
@@ -277,7 +286,7 @@ export function createContentAPI(contentStore, options = {}) {
 
       // Request from mesh
       const result = await contentStore.request(hash);
-      
+
       res.json({
         found: true,
         local: false,
@@ -297,9 +306,9 @@ export function createContentAPI(contentStore, options = {}) {
    * DELETE /content/:hash
    * Remove content (local only - cannot remove from mesh)
    */
-  router.delete('/:hash', writeLimiter, (req, res) => {
+  router.delete('/:hash', writeLimiter, requirePeerAuth, (req, res) => {
     const { hash } = req.params;
-    
+
     if (!contentStore.has(hash)) {
       return res.status(404).json({ error: 'Content not found', hash });
     }
@@ -329,13 +338,13 @@ export function createContentAPI(contentStore, options = {}) {
    */
   router.post('/verify', readLimiter, (req, res) => {
     const content = req.body.content || req.body;
-    
+
     if (!content) {
       return res.status(400).json({ error: 'Content required' });
     }
 
     const hash = computeContentHash(content);
-    
+
     res.json({
       hash,
       exists: contentStore.has(hash),

package/content/index.js

@@ -1,6 +1,6 @@
 /**
  * YAKMESH™ Content Module
- * Content-addressed storage with public delivery
+ * Content-addressed storage with integrity verification
  * 
  * @module content
  * @license MIT
@@ -12,7 +12,6 @@ export {
   ContentType, 
   ContentStatus, 
   ContentMetadata,
-  ConsensusProof,
   computeContentHash,
   deriveContentName,
 } from './store.js';