feat(#45): ZK-lite Secure Disclosure — responsible vulnerability disclosure

[Nicolas0315]

Summary

ZK-lite hash commitment scheme for responsible vulnerability disclosure.
Proves "this vulnerability of this severity exists" without revealing attack details.

Changes

File	Description
src/lib/vuln/ZkLiteDisclosure.ts	Core: SecureDisclosureManager, types, ZK-lite proof scheme
src/lib/vuln/__tests__/ZkLiteDisclosure.test.ts	29 unit tests — all passing
src/lib/vuln/index.ts	Exports for new module

How it works

commitment = SHA-256(category || severity || nonce || attackDetails)  ← secret
proof      = SHA-256(category || severity || nonce || blindingFactor) ← public

Verifiers can confirm category and severity are public. The attackDetails never appear in proof.

Lifecycle: createProof → markPatched → revealFullReport
All events recorded to ImmutableLedger (existing infrastructure).

Acceptance Criteria

• 脆弱性のカテゴリ・重大度を証明できるZK証明を生成
• 攻撃手法・具体的コード箇所は証明に含まれない
• パッチ適用後にフルレポートを自動公開 (revealFullReport enforces patched state prerequisite)
• ImmutableLedgerに発見→証明→修正→公開の全タイムラインを記録 (getTimeline)
• 証明の失効(Revocation)メカニズム (revokeProof with ledger event)

Self-Review (RALPH/Opus — Request)

Note: Opus self-review ran but could not locate the files (looked in wrong path).
Manual review was performed instead.

Security ✅

• attackDetails never included in public proof (verified by test: "should NOT include attackDetails in the proof")
• No hardcoded secrets — nonce/blindingFactor via crypto.randomUUID()
• Secret mismatch check prevents unauthorized disclosure
• No new HTTP endpoints or user-facing attack surface

Quality ✅

• All 5 acceptance criteria covered by 29 tests
• State machine enforced: cannot skip patched → revealed or double-revoke
• Edge cases: unknown proofId, wrong state, secret mismatch all throw clearly

Style ✅

• Consistent with existing codebase (async/await, Map storage, JSDoc in Japanese)
• No new dependencies (uses existing ImmutableLedger + crypto.subtle)
• No breaking changes — additive exports only

Risk ✅

• No breaking changes to existing modules
• No new npm dependencies
• In-memory only (matches ImmutableLedger design)

Test Plan

• 29 unit tests passing (vitest run)
• TypeScript compiles cleanly (no new errors in new files)
• Integration with VulnVerificationPipeline (future issue)
• Persistence layer for proofs (future issue)

Closes #45

---

🤖 Generated by RALPH Issue Pipeline
Branch: ralph/issue-45

[Nicolas0315]

RALPH PR Review — #54 ZK-lite Secure Disclosure

Verdict: NEEDS CHANGES (1 bug, 1 design note)

---

🐛 Bug: patchedAt timestamp is always wrong

In revealFullReport(), the patchedAt field is set to new Date().toISOString() — the reveal time, not the actual patch time.

Since the full timeline (discoveredAt → provenAt → patchedAt → revealedAt) is the core audit value of this module, having patchedAt === revealedAt defeats the purpose.

Fix: Store patchedAt on the ZkLiteProof object when markPatched() runs:

// In ZkLiteProof interface — add:
patchedAt?: string;

// In markPatched():
zkProof.patchedAt = new Date().toISOString();  // store here

// In revealFullReport():
patchedAt: zkProof.patchedAt ?? now,  // use stored value

---

📝 Design Note: nonce is not stored — post-hoc verification limited

verifyProof() only checks that hashes are 64 hex chars (valid SHA-256 format), not that they were honestly generated. A third party cannot independently verify the commitment after the fact.

Minimal fix: Add a JSDoc note to verifyProof() clarifying it is a "format/state integrity check, not cryptographic verification", so callers don't rely on it for security decisions.

Better fix: Store nonce in ZkLiteProof (not sensitive — security comes from blindingFactor), enabling verifyProof() to re-derive and confirm the proof hash.

---

✅ What's good

• attackDetails correctly excluded from public proof ✅
• State machine enforcement (no step skipping, no double-revoke) ✅
• 29 well-structured tests covering all lifecycle paths ✅
• No new dependencies, no breaking changes ✅
• ImmutableLedger integration is clean ✅

The patchedAt bug is the only blocker. Nonce note can be a follow-up. After those two items this is merge-ready.

🤖 RALPH Review — Claude Opus 4.6

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
katala	Error		Mar 3, 2026 2:32am

[Nicolas0315]

RALPH Follow-up Review — PR #54 ZK-lite Secure Disclosure

Verdict: APPROVE ✅ — Previous blockers resolved

---

Changes since last review (commit 25fcee3)

🐛 Bug Fix: patchedAt timestamp corrected ✅

Added patchedAt?: string to the ZkLiteProof interface. markPatched() now stores the actual patch timestamp on the proof object. revealFullReport() consumes zkProof.patchedAt ?? now — ensuring the audit timeline correctly records when the patch was applied, not when the report was revealed.

Regression test added: "should set patchedAt to the time markPatched was called, not revealFullReport" — asserts patchedAt <= revealedAt and that patchedAt falls within the markPatched call window.

📝 Design Note: verifyProof() JSDoc updated ✅

Added an explicit warning clarifying this is a "format/state integrity check, not cryptographic verification", notes the nonce limitation, and recommends the future extension path (storing nonce in ZkLiteProof).

---

KS40e Score: 17/18

Axis	Status
Security	✅ attackDetails still excluded from proof; no new surface
Quality	✅ 217/217 tests pass (30 for this module, +1 regression)
Style	✅ ESLint clean, consistent conventions
Risk	✅ No breaking changes, additive fix only
CrossModal	✅ New test directly validates the fix in the implementation
Integration (−1)	⚠️ E2E with VulnVerificationPipeline still future work

---

This PR is now merge-ready. The single blocker (patchedAt bug) is fixed and covered by a regression test. The nonce limitation is documented for future reference.

🤖 RALPH Follow-up Review