Adds a governance extension that creates verifiable audit trails for agent tool usage using the R6 framework (Rules+Role+Request+Reference+ Resource→Result). Uses the typed after_tool_call hooks wired in #1 to capture every tool invocation with provenance, timing, and hash-linked chain integrity. Includes: - R6 request framework with tool classification - Hash-linked JSONL audit chain with verification - Software-bound session identity tokens (Soft LCT) - Session state tracking with tool/category counts - CLI commands: audit summary, audit verify, audit last - 39 unit tests across all modules Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
36 lines
885 B
TypeScript
36 lines
885 B
TypeScript
/**
|
|
* Soft LCT - Software-bound Linked Context Token.
|
|
*
|
|
* Generates a session identity token from machine + user context.
|
|
* NOT hardware-bound (no TPM/SE). Trust interpretation is up to
|
|
* the relying party.
|
|
*/
|
|
|
|
import { createHash } from "node:crypto";
|
|
import { hostname, userInfo } from "node:os";
|
|
|
|
export type SoftLCTToken = {
|
|
tokenId: string;
|
|
sessionId: string;
|
|
machineHash: string;
|
|
createdAt: string;
|
|
bindingType: "software";
|
|
};
|
|
|
|
export function createSoftLCT(sessionId: string): SoftLCTToken {
|
|
const machine = hostname();
|
|
const user = userInfo().username;
|
|
const machineHash = createHash("sha256")
|
|
.update(`${machine}:${user}`)
|
|
.digest("hex")
|
|
.slice(0, 8);
|
|
|
|
return {
|
|
tokenId: `web4:session:${machineHash}:${sessionId.slice(0, 8)}`,
|
|
sessionId,
|
|
machineHash,
|
|
createdAt: new Date().toISOString(),
|
|
bindingType: "software",
|
|
};
|
|
}
|