# BLADE-AGENT-HSM Emulator — Validation & Reproduction Guide

Version 2.6 (adversarial high-assurance research emulator). This document explains
how to independently reproduce every verification claim made by the artifact.

## What this is

A browser-local emulator of a hardware-root-of-trust for autonomous-agent
authority governance. It runs real Web Crypto (ECDSA P-256 / P-384, SHA-256 PCR
chains, HKDF tokens) entirely in the browser. It is a research demonstrator, not
certified hardware. See ASSURANCE_BOUNDARY.md for the full list of what is and is
not claimed.

## Reproduce the verification (275 checks, deterministic)

Requires Node.js 19+ (tested on v22).

    cd tests
    for t in test-harness.mjs test-harness-v25.mjs test-embedded-v25.mjs \
             test-redteam.mjs test-redteam-embedded.mjs \
             test-v26-embedded.mjs test-pinning.mjs; do
      echo "== $t =="; node "$t"; done

Expected: 275 / 275 pass. The suite is deterministic (seeded PRNG + monotonic
simulation clock), so the totals are identical on every run. The machine-readable
summary is in test-report.json.

## Suite map

| Suite | File | Checks |
|-------|------|-------:|
| Round 1+2 core behavior | tests/test-harness.mjs | 105 |
| Round 3 adversarial hardening | tests/test-harness-v25.mjs | 106 |
| Embedded core extracted from HTML | tests/test-embedded-v25.mjs | 15 |
| Red-team attack-primitive logic | tests/test-redteam.mjs | 15 |
| Red-team verdicts extracted from HTML | tests/test-redteam-embedded.mjs | 11 |
| v2.6 defect fixes extracted from HTML | tests/test-v26-embedded.mjs | 10 |
| Trust-root pinning | tests/test-pinning.mjs | 13 |

The "extracted from HTML" suites parse the embedded core out of
blade-agent-hsm-sim.html and drive it directly, proving the shipped artifact
behaves identically to the source.

## Golden trace

golden-traces/normal-flow.jsonl is a deterministic 5-operation audit trace
produced with seed 0xB1ADE25, plus its P-384 signed anchor
(normal-flow.anchor.json). Load the pair through the in-app "Verify Trace"
control, or verify programmatically:

    cd tests
    node -e "import('./hsm-core.mjs').then(async C=>{ \
      const fs=await import('fs'); const h=new C.HSM(); await h.provision(); \
      const t=fs.readFileSync('../golden-traces/normal-flow.jsonl','utf8'); \
      const a=JSON.parse(fs.readFileSync('../golden-traces/normal-flow.anchor.json','utf8')); \
      console.log(await h.verifyTrace(t,a)); })"

## Trust model (read this before claiming forgery resistance)

The verifier reports one of three trust levels:

- adversarial-forgery-resistant — only when the attestation identity is pinned
  out-of-band and matches. An attacker who controls the evidence file and
  re-keys the anchor with their own keypair is rejected.
- integrity-and-same-session — anchor present but no out-of-band pin supplied;
  detects accidental corruption and same-session tampering only.
- pcr-chain-only — no anchor supplied.

The distinction is deliberate and surfaced in the UI. The artifact does not claim
adversarial forgery resistance unless an out-of-band identity pin is provided.