feat: Rust and Java SDKs, TypeScript SDK, browser demo refactor#2
Merged
feat: Rust and Java SDKs, TypeScript SDK, browser demo refactor#2
Conversation
added 2 commits
March 15, 2026 02:24
MTA-2026-01 [HIGH] Witness quorum bypass A trust config with witness_quorum=0 was accepted without validation. The subsequent check (verified < quorum) evaluates to false for any non-negative count, bypassing all cosignature verification entirely. Fix: validate witness_quorum >= 1 and witness_quorum <= len(witnesses) at load time in both Go (loadTrustConfigFromBytes) and TS (/load-trust-config). MTA-2026-02 [MEDIUM] Variable-time Merkle root comparison Both verifiers compared the computed Merkle root against the expected root by converting to hex strings and using != / !==, which short-circuits at the first differing byte and leaks timing information. Fix: subtle.ConstantTimeCompare (Go), crypto.timingSafeEqual (TypeScript). MTA-2026-03 [LOW] Unbounded checkpoint cache The checkpoint cache (keyed by origin:treeSize) had no size limit. Payloads with rapidly incrementing tree_size values could exhaust heap. Fix: cap at 1000 entries with insertion-order eviction in both languages. Note: trailing byte rejection (MTA-2026-04) was already correctly implemented in both Go and TypeScript — no change required. Reviewed-by: Ryan Hurst <ryan@peculiarventures.com>
Rust SDK (rust/) Supports Ed25519, ECDSA P-256, ML-DSA-44 (FIPS 204). Passes 96-cell cross-language interop matrix. Security fixes applied: constant-time Merkle root, quorum validation, bounded cache, trailing byte rejection. Java SDK (java/) BouncyCastle 1.79+ MLDSAKeyPairGenerator (FIPS 204 compliant). CBOR decoder handles string and integer claim values. TypeScript SDK (ts/sdk/) Standalone library with Issuer, Verifier, injectable signers, browser bundle. Mode 2 support and VerifyOk.mode field. Browser demo (browser-demo/) -306 lines: inline protocol code replaced by SDK bundle injection. Two bugs fixed: selfDescribing bit always set, mode hardcoded MODE_CACHED. README updated: 96-cell matrix, Mode 2 docs, known limitations.
Contributor
Author
CI workflow update neededThe updated To add the CI file: Option A — Regenerate the token with git clone https://<new-token>@github.com/PeculiarVentures/mta-qr-demo.git
cd mta-qr-demo
git checkout feat/rust-java-sdk-browser-demoThe file is already committed locally at Option B — Edit directly in GitHub:
The new CI adds these jobs:
The existing jobs ( |
added 2 commits
March 15, 2026 02:54
Adds four new CI jobs: typescript-sdk — npm install && npm test in ts/sdk/ rust — cargo test in rust/ java — mvn test -B in java/ browser-demo — builds SDK bundle from source, then runs build.py Existing jobs (go, typescript, interop) unchanged.
…t path MlDsaVerifyTest.verifyTsIssuedNote read fixture files from an absolute path that only exists on the development machine. Remove it. The round-trip sign/verify test covers the same ML-DSA-44 verification logic without any external file dependencies.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this adds
Builds on #1 (security fixes) — merge that first.
Rust SDK (
rust/)Java SDK (
java/)MLDSAKeyPairGenerator(FIPS 204 compliant)TypeScript SDK (
ts/sdk/)ts/HTTP serviceIssuerConfig.mode: 1 | 2,VerifyOk.modefield populatedBrowser demo (
browser-demo/)build.pyselfDescribingbit always set, mode hardcoded toMODE_CACHEDREADME
CI note
.github/workflows/ci.ymlcontains updated jobs (addstypescript-sdk,rust,java,browser-demo) but could not be pushed because the current token lacks theworkflowscope. The updated CI file is committed locally. To include it:repo+workflowscopes.github/workflows/ci.ymlmanually in the GitHub editor using the content from the branch'sci.ymlThe existing CI jobs (Go, TypeScript service, interop matrix) are unaffected and will pass.
Test results
go test ./...— cleannpm run test:all— 10/10npx tsx src/test/all.test.ts— 6/6cargo test— 2/2 integration testsmvn test— 10/10