vex-anchor 1.7.0

Public anchoring layer for VEX audit logs - Git, OpenTimestamps, Ethereum, Celestia support
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245

//! Git-based anchoring backend
//!
//! Commits Merkle roots to a Git repository for tamper-evident timestamping.
//! Each anchor creates a new commit with the root hash in the commit message.

use async_trait::async_trait;
use chrono::Utc;
use std::path::PathBuf;
use std::process::Stdio;
use tokio::process::Command;
use vex_core::Hash;

use crate::backend::{AnchorBackend, AnchorMetadata, AnchorReceipt};
use crate::error::AnchorError;

/// Git-based anchor backend
///
/// Creates commits in a Git repository containing the Merkle root.
/// The commit hash serves as a tamper-evident timestamp.
///
/// ## Security Properties
/// - Git commit hashes are SHA-1 (legacy) or SHA-256 (modern)
/// - Commits can be pushed to remote repositories for redundancy
/// - OpenTimestamps can be added for Bitcoin-backed timestamps
#[derive(Debug, Clone)]
pub struct GitAnchor {
    repo_path: PathBuf,
    branch: String,
}

impl GitAnchor {
    /// Create a new Git anchor
    pub fn new(repo_path: impl Into<PathBuf>) -> Self {
        Self {
            repo_path: repo_path.into(),
            branch: "vex-anchors".to_string(),
        }
    }

    /// Set the branch to use for anchors (Sanitized to prevent injection)
    pub fn with_branch(mut self, branch: impl Into<String>) -> Self {
        let branch_name: String = branch.into();
        self.branch = Self::sanitize_git_message(&branch_name)
            .replace(' ', "-") // Branches cannot have spaces
            .chars()
            .filter(|c| c.is_alphanumeric() || "-_".contains(*c))
            .collect();
        self
    }

    /// Sanitize a string for use in git commit messages
    /// Prevents log injection and potential git hook exploitation (CRITICAL-2 fix)
    fn sanitize_git_message(s: &str) -> String {
        s.chars()
            // Allow alphanumeric, common punctuation, and whitespace
            .filter(|c| c.is_alphanumeric() || " -_:.@/()[]{}".contains(*c))
            // Remove control characters and ANSI escape sequences
            .filter(|c| !c.is_control())
            // Limit length to prevent abuse
            .take(1000)
            .collect()
    }

    /// Run a git command and return stdout
    async fn git(&self, args: &[&str]) -> Result<String, AnchorError> {
        let output = Command::new("git")
            .args(args)
            .current_dir(&self.repo_path)
            .stdout(Stdio::piped())
            .stderr(Stdio::piped())
            .output()
            .await
            .map_err(|e| AnchorError::Git(format!("Failed to run git: {}", e)))?;

        if !output.status.success() {
            let stderr = String::from_utf8_lossy(&output.stderr);
            return Err(AnchorError::Git(format!("Git command failed: {}", stderr)));
        }

        Ok(String::from_utf8_lossy(&output.stdout).trim().to_string())
    }

    /// Initialize the anchor branch if it doesn't exist
    async fn ensure_branch(&self) -> Result<(), AnchorError> {
        // Check if branch exists
        let branches = self.git(&["branch", "--list", &self.branch]).await?;

        if branches.is_empty() {
            // Create orphan branch for anchors
            self.git(&["checkout", "--orphan", &self.branch]).await?;

            // Create initial commit
            self.git(&[
                "commit",
                "--allow-empty",
                "-m",
                "VEX Anchor Chain Initialized",
            ])
            .await?;
        } else {
            // Switch to the branch
            self.git(&["checkout", &self.branch]).await?;
        }

        Ok(())
    }
}

#[async_trait]
impl AnchorBackend for GitAnchor {
    async fn anchor(
        &self,
        root: &Hash,
        metadata: AnchorMetadata,
    ) -> Result<AnchorReceipt, AnchorError> {
        // Ensure we're on the right branch
        self.ensure_branch().await?;

        // Sanitize user-controlled fields (CRITICAL-2 fix)
        let safe_tenant = Self::sanitize_git_message(&metadata.tenant_id);
        let safe_description =
            Self::sanitize_git_message(metadata.description.as_deref().unwrap_or("N/A"));

        // Create commit message with structured data
        let message = format!(
            "VEX Anchor: {}\n\n\
            Root: {}\n\
            Tenant: {}\n\
            Events: {}\n\
            Timestamp: {}\n\
            Description: {}",
            &root.to_hex()[..16],
            root.to_hex(),
            safe_tenant,
            metadata.event_count,
            metadata.timestamp.to_rfc3339(),
            safe_description
        );

        // Create empty commit with the anchor data
        let commit_hash = self
            .git(&["commit", "--allow-empty", "-m", &message])
            .await?;

        // Get the commit hash
        let anchor_id = self.git(&["rev-parse", "HEAD"]).await?;

        Ok(AnchorReceipt {
            backend: self.name().to_string(),
            root_hash: root.to_hex(),
            anchor_id,
            anchored_at: Utc::now(),
            proof: Some(format!("git:{}:{}", self.branch, commit_hash)),
            metadata,
        })
    }

    async fn verify(&self, receipt: &AnchorReceipt) -> Result<bool, AnchorError> {
        // Switch to anchor branch
        let _ = self.git(&["checkout", &self.branch]).await;

        // Check if commit exists
        let result = self.git(&["cat-file", "-t", &receipt.anchor_id]).await;

        if result.is_err() {
            return Ok(false);
        }

        // Get commit message
        let message = self
            .git(&["log", "-1", "--format=%B", &receipt.anchor_id])
            .await?;

        // Verify root hash is in the commit
        Ok(message.contains(&receipt.root_hash))
    }

    fn name(&self) -> &str {
        "git"
    }

    async fn is_healthy(&self) -> bool {
        // Check if this is a git repository
        self.git(&["status"]).await.is_ok()
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use tempfile::tempdir;

    async fn init_test_repo(path: &PathBuf) {
        Command::new("git")
            .args(["init"])
            .current_dir(path)
            .output()
            .await
            .unwrap();

        Command::new("git")
            .args(["config", "user.email", "test@test.com"])
            .current_dir(path)
            .output()
            .await
            .unwrap();

        Command::new("git")
            .args(["config", "user.name", "Test"])
            .current_dir(path)
            .output()
            .await
            .unwrap();

        // Initial commit on main
        Command::new("git")
            .args(["commit", "--allow-empty", "-m", "Initial"])
            .current_dir(path)
            .output()
            .await
            .unwrap();
    }

    #[tokio::test]
    async fn test_git_anchor_roundtrip() {
        let dir = tempdir().unwrap();
        let repo_path = dir.path().to_path_buf();
        init_test_repo(&repo_path).await;

        let anchor = GitAnchor::new(&repo_path);

        let root = Hash::digest(b"test_merkle_root");
        let metadata = AnchorMetadata::new("tenant-1", 100);

        // Anchor
        let receipt = anchor.anchor(&root, metadata).await.unwrap();
        assert_eq!(receipt.backend, "git");
        assert_eq!(receipt.root_hash, root.to_hex());
        assert!(!receipt.anchor_id.is_empty());

        // Verify
        let valid = anchor.verify(&receipt).await.unwrap();
        assert!(valid, "Receipt should verify");
    }
}