MoonSecureCodec 是一个专为**软件供应链安全(Software Supply Chain Security)与内容寻址存储(Content-Addressable Storage)**设计的零依赖、生产级安全编码与内容指纹工具箱。项目采用纯 MoonBit 原生语法严格打造,将 多底数统一编解码(Hex, Base32, Base64/URL, Base58)、加密与极速哈希摘要(
版权所有:中国计算机学会技术支持:开源发展技术委员会
京ICP备13000930号-9
京公网安备 11010802047560号
MoonSecureCodec (安全编码与供应链内容指纹工具箱)
MoonSecureCodec is a production-grade, multi-base encoding, high-speed content fingerprinting, and RFC 6962-compliant Merkle Tree verification toolkit built specifically for Software Supply Chain Security (SBOM / Manifest auditing) in MoonBit.
🌟 Core Highlights & Architectural Focus
In modern software ecosystems, avoiding single-point cryptographic dependencies while maintaining lightning-fast build/test verification and tamper-evident supply chain tracking is critical. MoonSecureCodec bridges the intersection of Encoding, Content Digesting, and Cryptographic Merkle Proofs:
📦 Package Architecture & Subsystems
lib/codecto_hex/from_hex,to_base32/from_base32,to_base64/from_base64(url_safe~),to_base58/from_base58. ReturnsResult[Bytes, String]for safe parsing.lib/digestxxhash64/xxhash64_hex(ultra-fast 64-bit SBOM equality checks),murmur3_32, exact FIPS 180-4sha256/sha256_hex, andhmac_sha256.lib/merkleMerkleTree::new,root_hex(),get_proof(index), andverify_proof(). Strictly implements RFC 6962 domain separation (0x00leaf /0x01inner node) to prevent second-preimage attacks.lib/manifestFileSnapshotrepresentation, automated Merkle tree construction (refresh_merkle_root()), JSON serialization, andManifest::diff(old, new)for audit reports.cmd/climoon run cmd/cli.🚀 Quick Start & Installation
1. Requirements & Prerequisites
Ensure you have the latest MoonBit SDK (
moon) installed:2. Run All Unit & Integration Tests
Run the entire suite of 18 verification tests across all packages with zero warnings:
Expected Output:
3. Run the Supply Chain CLI Demo
Run the interactive CLI demonstration to see multi-base encoding, SHA-256/XXHash64 hashing, Merkle proof verification, and manifest diffing in action:
📖 Usage Examples
1. Multi-Base Codecs (
lib/codec)2. Fast SBOM Fingerprinting vs Cryptographic Hashing (
lib/digest)3. Merkle Inclusion Proofs & Verification (
lib/merkle)4. SBOM Manifest & Diff Auditing (
lib/manifest)🔒 Security Design & RFC 6962 Compliance
When constructing Merkle trees from raw file or transaction leaves, naive concatenation
H(left || right)allows an adversary to construct a second-preimage attack by submitting a single leaf whose payload happens to equal the concatenation of two internal node hashes.To completely prevent this,
lib/merkleimplements the RFC 6962 (Certificate Transparency) domain separation standard:0x00before hashing (SHA256(0x00 || LeafData)).0x01before hashing (SHA256(0x01 || LeftChild || RightChild)).🏆 OSC 2026 Competition Compliance
This repository is submitted as part of the 2026 MoonBit Open Source Competition (OSC 2026).
wasm-gc,js, andnativebackends (options("preferred-target": "wasm-gc")).📄 License
Licensed under the Apache License, Version 2.0. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0.