yakmesh 2.9.0 → 3.0.0

package/oracle/codebase-lock.js

@@ -8,15 +8,22 @@
  * On Windows: Creates sharing violations for write access
  * On Unix: Removes write permissions during runtime
  * 
+ * v1.3.0 ENHANCEMENTS:
+ * - File system watchdog for tampering detection
+ * - Tampering attempt logging and alerting
+ * - Identity key file protection (chmod 400)
+ * - Secure data directory permissions
+ * 
  * @module CodebaseLock
- * @version 1.2.0
+ * @version 1.3.0
  */
 
-import { openSync, closeSync, readdirSync, statSync, chmodSync } from 'fs';
-import { join, extname } from 'path';
+import { openSync, closeSync, readdirSync, statSync, chmodSync, watch, existsSync } from 'fs';
+import { join, extname, basename } from 'path';
 import { fileURLToPath } from 'url';
 import { dirname } from 'path';
 import { createLogger } from '../utils/logger.js';
+import { EventEmitter } from 'events';
 
 const log = createLogger('oracle:codebase-lock');
 
@@ -53,20 +60,51 @@ const EXCLUDE_FILES = new Set([
   '.env',
 ]);
 
+// Identity/security files that need extra protection (chmod 400)
+const CRITICAL_FILES = [
+  'identity/node-key.json',
+  'identity/private-key.pem',
+  'data/node-identity.json',
+];
+
+// Directories containing sensitive data
+const SECURE_DIRS = [
+  'identity',
+  'data',
+];
+
+/**
+ * TamperEvent - emitted when tampering is detected
+ */
+export class TamperEvent {
+  constructor(type, path, details = {}) {
+    this.type = type;  // 'modify' | 'delete' | 'create' | 'rename'
+    this.path = path;
+    this.details = details;
+    this.timestamp = Date.now();
+    this.isoTime = new Date().toISOString();
+  }
+}
+
 /**
  * CodebaseLock - Runtime file locking for source code protection
+ * Now with tampering detection watchdog
  */
-export class CodebaseLock {
+export class CodebaseLock extends EventEmitter {
   #handles = [];
   #locked = false;
   #rootDir = null;
   #isWindows = process.platform === 'win32';
   #originalPermissions = new Map();
-  
+  #watchers = [];
+  #tamperEvents = [];
+  #watchdogActive = false;
+
   constructor() {
+    super();
     this.#rootDir = join(__dirname, '..');
   }
-  
+
   /**
    * Lock all source files in the codebase
    * @returns {Object} Result with success status and file count
@@ -75,10 +113,10 @@ export class CodebaseLock {
     if (this.#locked) {
       return { success: true, fileCount: this.#handles.length, message: 'Already locked' };
     }
-    
+
     try {
       const sourceFiles = this.#collectSourceFiles(this.#rootDir);
-      
+
       for (const filePath of sourceFiles) {
         try {
           if (this.#isWindows) {
@@ -90,7 +128,7 @@ export class CodebaseLock {
             const stats = statSync(filePath);
             const originalMode = stats.mode;
             this.#originalPermissions.set(filePath, originalMode);
-            
+
             // Remove write permissions (keep read/execute)
             const newMode = originalMode & ~0o222;
             chmodSync(filePath, newMode);
@@ -102,22 +140,30 @@ export class CodebaseLock {
           log.warn('Could not lock file', { path: filePath, error: e.message });
         }
       }
-      
+
       this.#locked = true;
-      return { 
-        success: true, 
+
+      // Start watchdog for tampering detection
+      this.#startWatchdog();
+
+      // Protect critical identity files
+      this.#protectCriticalFiles();
+
+      return {
+        success: true,
         fileCount: this.#handles.length,
         message: `Locked ${this.#handles.length} source files`,
+        watchdogActive: this.#watchdogActive,
       };
     } catch (e) {
-      return { 
-        success: false, 
+      return {
+        success: false,
         error: e.message,
         fileCount: 0,
       };
     }
   }
-  
+
   /**
    * Unlock all source files
    * @returns {Object} Result with success status
@@ -126,9 +172,9 @@ export class CodebaseLock {
     if (!this.#locked) {
       return { success: true, message: 'Not locked' };
     }
-    
+
     let errors = [];
-    
+
     for (const handle of this.#handles) {
       try {
         if (this.#isWindows && handle.fd !== undefined) {
@@ -142,18 +188,21 @@ export class CodebaseLock {
         errors.push(`${handle.path}: ${e.message}`);
       }
     }
-    
+
     this.#handles = [];
     this.#originalPermissions.clear();
     this.#locked = false;
-    
-    return { 
+
+    // Stop watchdog
+    this.#stopWatchdog();
+
+    return {
       success: errors.length === 0,
       errors: errors.length > 0 ? errors : undefined,
       message: 'Codebase unlocked',
     };
   }
-  
+
   /**
    * Check if codebase is currently locked
    * @returns {boolean}
@@ -161,7 +210,30 @@ export class CodebaseLock {
   isLocked() {
     return this.#locked;
   }
-  
+
+  /**
+   * Check if watchdog is active
+   * @returns {boolean}
+   */
+  isWatchdogActive() {
+    return this.#watchdogActive;
+  }
+
+  /**
+   * Get tampering events (if any)
+   * @returns {TamperEvent[]}
+   */
+  getTamperEvents() {
+    return [...this.#tamperEvents];
+  }
+
+  /**
+   * Clear tampering events after review
+   */
+  clearTamperEvents() {
+    this.#tamperEvents = [];
+  }
+
   /**
    * Get count of locked files
    * @returns {number}
@@ -169,7 +241,7 @@ export class CodebaseLock {
   getLockedFileCount() {
     return this.#handles.length;
   }
-  
+
   /**
    * Collect all source files recursively
    * @private
@@ -177,10 +249,10 @@ export class CodebaseLock {
   #collectSourceFiles(dir, results = []) {
     try {
       const entries = readdirSync(dir, { withFileTypes: true });
-      
+
       for (const entry of entries) {
         const fullPath = join(dir, entry.name);
-        
+
         if (entry.isDirectory()) {
           // Skip excluded directories
           if (!EXCLUDE_DIRS.has(entry.name)) {
@@ -188,7 +260,7 @@ export class CodebaseLock {
           }
         } else if (entry.isFile()) {
           const ext = extname(entry.name).toLowerCase();
-          
+
           // Include only source files, exclude specific files
           if (SOURCE_EXTENSIONS.has(ext) && !EXCLUDE_FILES.has(entry.name)) {
             results.push(fullPath);
@@ -198,9 +270,133 @@ export class CodebaseLock {
     } catch (e) {
       // Directory might not be readable
     }
-    
+
     return results;
   }
+
+  /**
+   * Start file system watchdog for tampering detection
+   * @private
+   */
+  #startWatchdog() {
+    if (this.#watchdogActive) return;
+
+    try {
+      // Watch key directories for changes
+      const dirsToWatch = ['server', 'oracle', 'security', 'mesh', 'identity', 'gossip'];
+
+      for (const dirName of dirsToWatch) {
+        const dirPath = join(this.#rootDir, dirName);
+        if (!existsSync(dirPath)) continue;
+
+        try {
+          const watcher = watch(dirPath, { recursive: true }, (eventType, filename) => {
+            if (!filename) return;
+
+            // Only care about source files
+            const ext = extname(filename).toLowerCase();
+            if (!SOURCE_EXTENSIONS.has(ext)) return;
+
+            const event = new TamperEvent(eventType, join(dirPath, filename), {
+              directory: dirName,
+              filename,
+            });
+
+            this.#tamperEvents.push(event);
+
+            // Emit event for external handlers
+            this.emit('tamper', event);
+
+            // Log as critical security event
+            log.error('⚠️ TAMPERING DETECTED', {
+              type: eventType,
+              file: filename,
+              directory: dirName,
+              timestamp: event.isoTime,
+            });
+          });
+
+          this.#watchers.push(watcher);
+        } catch (e) {
+          log.warn('Could not watch directory', { dir: dirName, error: e.message });
+        }
+      }
+
+      this.#watchdogActive = this.#watchers.length > 0;
+
+      if (this.#watchdogActive) {
+        log.info('Watchdog active', { directories: this.#watchers.length });
+      }
+    } catch (e) {
+      log.warn('Watchdog failed to start', { error: e.message });
+    }
+  }
+
+  /**
+   * Stop file system watchdog
+   * @private
+   */
+  #stopWatchdog() {
+    for (const watcher of this.#watchers) {
+      try {
+        watcher.close();
+      } catch (e) {
+        // Ignore close errors
+      }
+    }
+    this.#watchers = [];
+    this.#watchdogActive = false;
+  }
+
+  /**
+   * Protect critical identity and security files
+   * Sets chmod 400 (read-only owner) on sensitive files
+   * @private
+   */
+  #protectCriticalFiles() {
+    if (this.#isWindows) {
+      // Windows doesn't support Unix permissions in the same way
+      // The file handle locking already provides protection
+      return;
+    }
+
+    for (const relPath of CRITICAL_FILES) {
+      const fullPath = join(this.#rootDir, relPath);
+
+      if (!existsSync(fullPath)) continue;
+
+      try {
+        const stats = statSync(fullPath);
+
+        // Store original permissions
+        if (!this.#originalPermissions.has(fullPath)) {
+          this.#originalPermissions.set(fullPath, stats.mode);
+        }
+
+        // Set to 0400 (read-only owner)
+        chmodSync(fullPath, 0o400);
+
+        log.info('Protected critical file', { path: relPath, mode: '0400' });
+      } catch (e) {
+        log.warn('Could not protect critical file', { path: relPath, error: e.message });
+      }
+    }
+
+    // Secure data directories
+    for (const dirName of SECURE_DIRS) {
+      const dirPath = join(this.#rootDir, dirName);
+
+      if (!existsSync(dirPath)) continue;
+
+      try {
+        // Set directory to 0700 (owner only)
+        chmodSync(dirPath, 0o700);
+        log.info('Secured directory', { path: dirName, mode: '0700' });
+      } catch (e) {
+        log.warn('Could not secure directory', { path: dirName, error: e.message });
+      }
+    }
+  }
 }
 
 // Singleton instance
@@ -244,16 +440,49 @@ export function setupUnlockOnExit() {
       lock.unlock();
     }
   };
-  
+
   // Handle various exit signals
   process.on('exit', cleanup);
   process.on('SIGINT', () => { cleanup(); process.exit(0); });
   process.on('SIGTERM', () => { cleanup(); process.exit(0); });
+  // Transient network errors that are safe to ignore in a P2P mesh node.
+  // These bubble up as uncaught exceptions when TCP connections are reset
+  // by remote peers, timeouts occur, or connections are refused — all
+  // normal in a mesh network. Crashing on these kills the node needlessly.
+  const TRANSIENT_NETWORK_ERRORS = new Set([
+    'ECONNRESET', 'EPIPE', 'ECONNREFUSED', 'ETIMEDOUT',
+    'ECONNABORTED', 'EHOSTUNREACH', 'ENETUNREACH', 'EAI_AGAIN',
+  ]);
+
   process.on('uncaughtException', (err) => {
+    // Check if this is a transient network error
+    if (err.code && TRANSIENT_NETWORK_ERRORS.has(err.code)) {
+      log.warn('Transient network error (non-fatal)', { code: err.code, error: err.message });
+      return; // Do NOT exit — these are normal in P2P mesh operation
+    }
     log.error('Uncaught exception', { error: err.message, stack: err.stack });
     cleanup();
     process.exit(1);
   });
 }
 
+/**
+ * Subscribe to tampering events
+ * @param {Function} handler - Called with TamperEvent on tampering
+ * @returns {Function} Unsubscribe function
+ */
+export function onTamper(handler) {
+  const lock = getCodebaseLock();
+  lock.on('tamper', handler);
+  return () => lock.off('tamper', handler);
+}
+
+/**
+ * Get any tampering events that occurred
+ * @returns {TamperEvent[]}
+ */
+export function getTamperEvents() {
+  return getCodebaseLock().getTamperEvents();
+}
+
 export default CodebaseLock;

package/oracle/index.js

@@ -41,27 +41,27 @@
  * @version 1.1.0
  */
 
-export { 
-  ValidationOracle, 
+export {
+  ValidationOracle,
   ValidationResult,
   getOracle,
   contentHash,
   deterministicStringify,
 } from './validation-oracle-hardened.js';
 
-export { 
-  CodeProofProtocol, 
+export {
+  CodeProofProtocol,
   ProofState,
   mutualVerification,
 } from './code-proof-protocol.js';
 
-export { 
-  ConsensusEngine, 
+export {
+  ConsensusEngine,
   ContentState,
 } from './consensus-engine.js';
 
-export { 
-  ModuleSealer, 
+export {
+  ModuleSealer,
   SealedModule,
 } from './module-sealer.js';
 
@@ -88,12 +88,71 @@ export {
 // Codebase lock - prevents source modification during runtime
 export {
   CodebaseLock,
+  TamperEvent,
   getCodebaseLock,
   lockCodebase,
   unlockCodebase,
   setupUnlockOnExit,
+  onTamper,
+  getTamperEvents,
 } from './codebase-lock.js';
 
+// ═══════════════════════════════════════════════════════════════════════════════
+// TRIBHUJ - Balanced Ternary Mathematics
+// The foundational trit operations: {-1, 0, +1}
+// ═══════════════════════════════════════════════════════════════════════════════
+export {
+  POSITIVE, NEUTRAL, NEGATIVE,
+  TritState,
+  TritChars,
+  Trit,
+  TritArray,
+  hexToTrits,
+  hexCompare,
+  calculatePathBalance,
+} from './tribhuj.js';
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// SST - Synergy Sequence Theory
+// The mathematical backbone: digital roots, family classification,
+// Fibonacci 24-cycle, trust geometry, hexagonal tessellation
+// ═══════════════════════════════════════════════════════════════════════════════
+export {
+  // Constants
+  SSTFamily,
+  FIBONACCI_CYCLE_24,
+  FAMILY_TO_TRIT,
+  SynergyAngles,
+  TRUST_PROPAGATION,
+  HEX_CELL_SIZES,
+  // Digital root & family
+  digitalRoot,
+  getFamily,
+  getFamilyOf,
+  toFamilyTrit,
+  bytesToFamilyTrits,
+  analyzeBytesFamilies,
+  // Fibonacci analysis
+  fibonacciRoot,
+  fibonacciFamily,
+  fibonacciFamilyTrit,
+  analyzeFibonacciCycle,
+  generateFibonacciSequence,
+  // Synergy matrix
+  generateSynergyMatrix,
+  rowToFamilyPattern,
+  matrixToTritPatterns,
+  // Trust geometry (30-60-90 triangle)
+  propagateTrust,
+  trustHalfLife,
+  decayTrust,
+  // Hex grid
+  HexCoord,
+  hexRing,
+  hexDisk,
+  hexDiskSize,
+} from './sst.js';
+
 /**
  * Create a fully configured oracle system for a Lantern node
  * 
@@ -105,16 +164,16 @@ export function createOracleSystem(nodeIdentity, options = {}) {
   const { getOracle } = require('./validation-oracle-hardened.js');
   const { CodeProofProtocol } = require('./code-proof-protocol.js');
   const { ConsensusEngine } = require('./consensus-engine.js');
-  
+
   const oracle = getOracle();
   const codeProof = new CodeProofProtocol(nodeIdentity);
   const consensus = new ConsensusEngine(nodeIdentity, options);
-  
+
   return {
     oracle,
     codeProof,
     consensus,
-    
+
     // Convenience methods
     validate: (type, content) => {
       switch (type) {
@@ -124,19 +183,19 @@ export function createOracleSystem(nodeIdentity, options = {}) {
         default: return { valid: false, reason: 'UNKNOWN_TYPE' };
       }
     },
-    
+
     submit: (type, content, metadata) => {
       return consensus.submitContent(type, content, metadata);
     },
-    
+
     generateChallenge: (peerId) => {
       return codeProof.generateChallenge(peerId);
     },
-    
+
     verifyPeer: (proof) => {
       return oracle.verifyCodeProof(proof);
     },
-    
+
     getStats: () => ({
       oracle: oracle.getModuleSeal(),
       consensus: consensus.getStats(),