gem-guardian 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 7e343f954f0d514206e5bcc10d935a094d916ee1456cbb4774a113c909e879dc
+  data.tar.gz: 2230036e48e13af43b32090d1cbe4b933785b5407fda0f8376bebd41763615fe
+SHA512:
+  metadata.gz: 36bf27a64fb281d8e50a81a9efdadc5e83ee694e81e79cb46c36799f443568f917934001f10568a1f417740688cabd204aa26154fd791145416b7d25c3d837dc
+  data.tar.gz: 9e5331025935a3a5d007b2f684e59110cf0bbe79deaacb1e93b976aa06075ea9e52f7199c3ff92b2c90c5317b9da7c5eb03e796724b2966a1f23c37c738426e3

data/.github/workflows/main.yml

@@ -0,0 +1,32 @@
+name: Ruby
+
+on:
+  push:
+    branches:
+      - main
+
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    name: Ruby ${{ matrix.ruby }}
+    strategy:
+      matrix:
+        ruby:
+          - '3.2.11'
+
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+      - name: Run the default task
+        run: bundle exec rake

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+Gemfile.lock
+*.gem

data/.rubocop.yml

@@ -0,0 +1,8 @@
+AllCops:
+  TargetRubyVersion: 3.2
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Style/StringLiteralsInInterpolation:
+  EnforcedStyle: double_quotes

data/.ruby-version

@@ -0,0 +1 @@
+3.2

data/CHANGELOG.md

@@ -0,0 +1,8 @@
+# Changelog
+
+## 0.1.0
+
+- Initial MVP codebase.
+- Verify explicit gems or all gems in `Gemfile.lock`.
+- Fetch expected SHA256 checksums from RubyGems.org versions API.
+- Fetch `.gem` artifacts from RubyGems.org and verify SHA256 locally.

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,14 @@
+# Code of Conduct
+
+"cdc-parallel" follows [The Ruby Community Conduct Guideline](https://www.ruby-lang.org/en/conduct) in all "collaborative space", which is defined as community communications channels (such as mailing lists, submitted patches, commit comments, etc.):
+
+* Participants will be tolerant of opposing views.
+* Participants must ensure that their language and actions are free of personal attacks and disparaging personal remarks.
+* When interpreting the words and actions of others, participants should always assume good intentions.
+* Behaviour which can be reasonably considered harassment will not be tolerated.
+
+If you have concerns about behaviour within this project, please open an issue at:
+
+https://github.com/kanutocd/gem-guardian/issues/new
+
+Please note that GitHub issues are public. Do not include sensitive personal information in your report.

data/Gemfile

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gemspec
+
+gem "pry", "~> 0.16.0"
+gem "rake", "~> 13.4"
+gem "minitest", "~> 6.0"
+gem "rubocop", "~> 1.87"
+gem "simplecov", "~> 0.22.0"
+gem "steep", "~> 2.0"
+gem "yard", "~> 0.9.44"
+gem "rubocop-minitest", "~> 0.39.1"
+gem "rubocop-rake", "~> 0.7.1"

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2026 Ken C. Demanawa
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,97 @@
+# gem-guardian
+
+[![Gem Version](https://badge.fury.io/rb/gem-guardian.svg)](https://badge.fury.io/rb/gem-guardian)
+[![CI](https://github.com/kanutocd/gem-guardian/workflows/CI/badge.svg)](https://github.com/kanutocd/gem-guardian/actions)
+[![Ruby Version](https://img.shields.io/badge/ruby-%3E%3D%203.2-ruby.svg)](https://www.ruby-lang.org/en/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+
+Consumer-side integrity verification for Ruby gems.
+
+`gem-guardian` verifies downloaded `.gem` artifacts against the SHA256 checksum reported by RubyGems.org. It is intentionally small: no Bundler monkeypatching, no install hooks, and no custom publishing flow required.
+
+## Why
+
+RubyGems.org displays SHA256 checksums for published gem artifacts, and modern Bundler can store checksums in `Gemfile.lock`. But there is still room for a simple consumer-side verification workflow that can be run explicitly in CI or locally.
+
+This MVP verifies:
+
+```text
+Gemfile.lock / explicit gem version
+    ↓
+RubyGems.org expected SHA256
+    ↓
+Downloaded .gem artifact
+    ↓
+Local SHA256 comparison
+```
+
+This proves that the local artifact matches what RubyGems.org serves. It does **not** yet prove source provenance such as signed tag → CI build → published gem.
+
+## Installation
+
+From a local checkout:
+
+```bash
+gem build gem-guardian.gemspec
+gem install ./gem-guardian-0.1.0.gem
+```
+
+## Usage
+
+Verify all gems in `Gemfile.lock`:
+
+```bash
+gem-guardian verify
+```
+
+Verify a specific gem version:
+
+```bash
+gem-guardian verify cdc-sidekiq:0.1.1
+gem-guardian verify ratomic:0.4.1
+```
+
+Verify a platform gem:
+
+```bash
+gem-guardian verify nokogiri:1.18.9:x86_64-linux
+```
+
+Use a non-default lockfile:
+
+```bash
+gem-guardian verify --lockfile path/to/Gemfile.lock
+```
+
+## Exit codes
+
+- `0` — all verified artifacts matched
+- `1` — mismatch, missing checksum, fetch error, or lockfile error
+- `2` — CLI usage error
+
+## MVP constraints
+
+- Uses RubyGems.org as the checksum source of truth.
+- Downloads artifacts from RubyGems.org `/downloads/<gem-file>.gem`.
+- Caches downloaded artifacts under the system temp directory.
+- Does not integrate into Bundler install hooks.
+- Does not yet verify Sigstore, SLSA, GitHub Actions provenance, or signed git tags.
+
+## Roadmap
+
+- `gem-guardian lock` to emit or update checksum metadata.
+- Support Bundler 2.6 `CHECKSUMS` sections as an offline expected-checksum source.
+- Provenance verification for gems published through Trusted Publishing.
+- GitHub Release checksum/signature discovery.
+- Machine-readable JSON output for CI.
+
+
+## License
+
+[MIT](./LICENSE.txt)
+
+
+## Code of Conduct
+
+Everyone interacting in the Gem::Guardian project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/kanutocd/gem-guardian/blob/main/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.pattern = "test/**/*_test.rb"
+end
+
+task default: :test
+
+namespace :rbs do
+  desc "Remove generated RBS prototype files"
+  task :clobber do
+    sh "rm -rf tmp/sig"
+  end
+
+  desc "Generate disposable RBS prototypes into tmp/sig"
+  task :prototype do
+    sh "rm -rf tmp/sig"
+    sh "mkdir -p tmp/sig"
+    sh "bundle exec rbs prototype rb --out-dir=tmp/sig --base-dir=lib lib"
+
+    unless Dir.exist?("sig")
+      puts "sig/ does not exist; seeding curated signatures from tmp/sig"
+      sh "cp -R tmp/sig sig"
+    end
+  end
+
+  desc "Validate curated RBS signatures with Steep"
+  task :validate do
+    sh "bundle exec steep check"
+  end
+
+  desc "Open diff between curated and generated signatures"
+  task :diff do
+    sh "diff -ru sig tmp/sig || true"
+  end
+
+  desc "Generate disposable RBS prototypes and validate curated signatures"
+  task check: %i[prototype validate]
+end

data/bin/console

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "gem/guardian"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/gem-guardian

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "gem/guardian"
+
+exit Gem::Guardian::CLI.start(ARGV)

data/gem-guardian.gemspec

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require_relative "lib/gem/guardian/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "gem-guardian"
+  spec.version = Gem::Guardian::VERSION
+  spec.authors = ["Kenneth Demanawa"]
+  spec.email = ["kenneth.c.demanawa@gmail.com"]
+
+  spec.summary = "Consumer-side integrity verification for Ruby gems."
+  spec.description = "Verifies Ruby gem artifacts against RubyGems SHA256 checksums using Gemfile.lock or explicit gem names."
+  spec.homepage = "https://github.com/kanutocd/gem-guardian"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 3.2"
+
+  spec.metadata = {
+    "homepage_uri" => spec.homepage,
+    "source_code_uri" => spec.homepage,
+    "changelog_uri" => "#{spec.homepage}/blob/main/CHANGELOG.md",
+    "rubygems_mfa_required" => "true"
+  }
+
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      f.match(%r{\A(?:test|spec|features)/})
+    end
+  rescue StandardError
+    Dir["lib/**/*", "exe/*", "README.md", "LICENSE.txt", "CHANGELOG.md"]
+  end
+
+  spec.bindir = "exe"
+  spec.executables = ["gem-guardian"]
+  spec.require_paths = ["lib"]
+end

data/lib/gem/guardian/artifact_store.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require "fileutils"
+require "tmpdir"
+
+module Gem
+  module Guardian
+    class ArtifactStore
+      def initialize(client:, cache_dir: File.join(Dir.tmpdir, "gem-guardian"))
+        @client = client
+        @cache_dir = cache_dir
+      end
+
+      def path_for(dependency)
+        FileUtils.mkdir_p(@cache_dir)
+        path = File.join(@cache_dir, dependency.gem_filename)
+        return path if File.file?(path)
+
+        @client.download_gem(dependency, path)
+      end
+    end
+  end
+end

data/lib/gem/guardian/checksum.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "digest"
+
+module Gem
+  module Guardian
+    module Checksum
+      module_function
+
+      def sha256_file(path)
+        Digest::SHA256.file(path).hexdigest
+      end
+    end
+  end
+end

data/lib/gem/guardian/cli.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+module Gem
+  module Guardian
+    class CLI
+      def self.start(argv)
+        new(argv).run
+      end
+
+      def initialize(argv, stdout: $stdout, stderr: $stderr)
+        @argv = argv.dup
+        @stdout = stdout
+        @stderr = stderr
+      end
+
+      def run
+        command = @argv.shift
+        case command
+        when "verify"
+          verify
+        when "version", "--version", "-v"
+          @stdout.puts VERSION
+          0
+        when "help", "--help", "-h", nil
+          usage
+          0
+        else
+          @stderr.puts "Unknown command: #{command}"
+          usage(@stderr)
+          2
+        end
+      end
+
+      private
+
+      def verify
+        lockfile = option_value("--lockfile") || "Gemfile.lock"
+        gems = @argv
+        dependencies = if gems.empty?
+                         LockfileParser.new(lockfile).dependencies
+                       else
+                         gems.map { |spec| parse_gem_spec(spec) }
+                       end
+
+        if dependencies.empty?
+          @stderr.puts "No gems found to verify."
+          return 1
+        end
+
+        results = Verifier.new.verify_all(dependencies)
+        print_results(results)
+        results.all?(&:ok?) ? 0 : 1
+      rescue Error => e
+        @stderr.puts e.message
+        1
+      end
+
+      def parse_gem_spec(spec)
+        name, version, platform = spec.split(":", 3)
+        raise Error, "Expected GEM:VERSION[:PLATFORM], got: #{spec}" if name.to_s.empty? || version.to_s.empty?
+
+        Dependency.new(name:, version:, platform: platform || "ruby")
+      end
+
+      def option_value(name)
+        index = @argv.index(name)
+        return unless index
+
+        value = @argv[index + 1]
+        raise Error, "#{name} requires a value" unless value
+
+        @argv.slice!(index, 2)
+        value
+      end
+
+      def print_results(results)
+        results.each do |result|
+          dependency = result.dependency
+          label = "#{dependency.name} #{dependency.version} #{dependency.platform}"
+          case result.status
+          when :ok
+            @stdout.puts "PASS #{label}"
+            @stdout.puts "     sha256 #{result.actual_sha256}"
+          when :mismatch
+            @stdout.puts "FAIL #{label}"
+            @stdout.puts "     expected #{result.expected_sha256}"
+            @stdout.puts "     actual   #{result.actual_sha256}"
+          else
+            @stdout.puts "ERROR #{label}"
+            @stdout.puts "      #{result.error.class}: #{result.error.message}"
+          end
+        end
+      end
+
+      def usage(io = @stdout)
+        io.puts <<~USAGE
+          gem-guardian #{VERSION}
+
+          Usage:
+            gem-guardian verify [--lockfile Gemfile.lock]
+            gem-guardian verify GEM:VERSION[:PLATFORM] [GEM:VERSION[:PLATFORM] ...]
+            gem-guardian version
+
+          Examples:
+            gem-guardian verify
+            gem-guardian verify sidekiq:8.0.8
+            gem-guardian verify nokogiri:1.18.9:x86_64-linux
+        USAGE
+      end
+    end
+  end
+end

data/lib/gem/guardian/dependency.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Gem
+  module Guardian
+    Dependency = Data.define(:name, :version, :platform) do
+      def gem_filename
+        platform_suffix = platform && platform != "ruby" ? "-#{platform}" : ""
+        "#{name}-#{version}#{platform_suffix}.gem"
+      end
+    end
+  end
+end

data/lib/gem/guardian/error.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Gem
+  module Guardian
+    Error = Class.new(StandardError)
+    ChecksumNotFound = Class.new(Error)
+    ArtifactFetchError = Class.new(Error)
+    LockfileError = Class.new(Error)
+  end
+end

data/lib/gem/guardian/lockfile_parser.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Gem
+  module Guardian
+    class LockfileParser
+      GEM_LINE = /^ {4}([A-Za-z0-9_.-]+) \(([^)]+)\)/
+
+      def initialize(path = "Gemfile.lock")
+        @path = path
+      end
+
+      def dependencies
+        raise LockfileError, "Lockfile not found: #{@path}" unless File.file?(@path)
+
+        specs_section = false
+        File.readlines(@path, chomp: true).filter_map do |line|
+          specs_section = true if line == "  specs:"
+          specs_section = false if specs_section && line.match?(/^[A-Z]/)
+          next unless specs_section
+
+          match = GEM_LINE.match(line)
+          next unless match
+
+          name = match[1]
+          version_and_platform = match[2]
+          version, platform = split_version_and_platform(version_and_platform)
+          Dependency.new(name:, version:, platform:)
+        end
+      end
+
+      private
+
+      # Bundler renders native platforms as `1.2.3-x86_64-linux` in the spec line.
+      # Ruby versions remain plain, for example `1.2.3`.
+      def split_version_and_platform(value)
+        version, platform = value.split("-", 2)
+        [version, platform || "ruby"]
+      end
+    end
+  end
+end

data/lib/gem/guardian/rubygems_client.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require "json"
+require "net/http"
+require "uri"
+
+module Gem
+  module Guardian
+    class RubygemsClient
+      DEFAULT_HOST = "https://rubygems.org"
+
+      def initialize(host: DEFAULT_HOST, http: Net::HTTP)
+        @host = host.delete_suffix("/")
+        @http = http
+      end
+
+      def expected_sha256(dependency)
+        versions = JSON.parse(get("/api/v1/versions/#{dependency.name}.json"))
+        version = versions.find do |item|
+          item["number"] == dependency.version && platform_matches?(item["platform"], dependency.platform)
+        end
+
+        sha = version && (version["sha"] || version["sha256"] || version["checksum"])
+        raise ChecksumNotFound, "No SHA256 found for #{dependency.name} #{dependency.version} #{dependency.platform}" if blank?(sha)
+
+        sha.downcase
+      end
+
+      def download_gem(dependency, destination)
+        body = get("/downloads/#{dependency.gem_filename}")
+        File.binwrite(destination, body)
+        destination
+      rescue StandardError => e
+        raise ArtifactFetchError, "Could not fetch #{dependency.gem_filename}: #{e.message}"
+      end
+
+      private
+
+      def get(path)
+        uri = URI("#{@host}#{path}")
+        response = @http.get_response(uri)
+        return response.body if response.is_a?(Net::HTTPSuccess)
+
+        raise Error, "GET #{uri} failed with #{response.code} #{response.message}"
+      end
+
+      def platform_matches?(remote_platform, wanted_platform)
+        normalized_remote = remote_platform.to_s.empty? ? "ruby" : remote_platform.to_s
+        normalized_wanted = wanted_platform.to_s.empty? ? "ruby" : wanted_platform.to_s
+        normalized_remote == normalized_wanted
+      end
+
+      def blank?(value)
+        value.nil? || value.to_s.empty?
+      end
+    end
+  end
+end

data/lib/gem/guardian/verifier.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module Gem
+  module Guardian
+    VerificationResult = Data.define(:dependency, :expected_sha256, :actual_sha256, :artifact_path, :status, :error) do
+      def ok?
+        status == :ok
+      end
+    end
+
+    class Verifier
+      def initialize(client: RubygemsClient.new, artifact_store: nil)
+        @client = client
+        @artifact_store = artifact_store || ArtifactStore.new(client: @client)
+      end
+
+      def verify(dependency)
+        expected = @client.expected_sha256(dependency)
+        artifact_path = @artifact_store.path_for(dependency)
+        actual = Checksum.sha256_file(artifact_path)
+        status = secure_compare(expected, actual) ? :ok : :mismatch
+
+        VerificationResult.new(
+          dependency:,
+          expected_sha256: expected,
+          actual_sha256: actual,
+          artifact_path:,
+          status:,
+          error: nil
+        )
+      rescue StandardError => e
+        VerificationResult.new(
+          dependency:,
+          expected_sha256: nil,
+          actual_sha256: nil,
+          artifact_path: nil,
+          status: :error,
+          error: e
+        )
+      end
+
+      def verify_all(dependencies)
+        dependencies.map { |dependency| verify(dependency) }
+      end
+
+      private
+
+      def secure_compare(left, right)
+        left = left.to_s
+        right = right.to_s
+        return false unless left.bytesize == right.bytesize
+
+        left.bytes.zip(right.bytes).reduce(0) { |memo, (a, b)| memo | (a ^ b) }.zero?
+      end
+    end
+  end
+end

data/lib/gem/guardian/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Gem
+  module Guardian
+    VERSION = "0.1.0"
+  end
+end

data/lib/gem/guardian.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require_relative "guardian/version"
+require_relative "guardian/error"
+require_relative "guardian/checksum"
+require_relative "guardian/dependency"
+require_relative "guardian/lockfile_parser"
+require_relative "guardian/rubygems_client"
+require_relative "guardian/artifact_store"
+require_relative "guardian/verifier"
+require_relative "guardian/cli"

data/mise.toml

@@ -0,0 +1,2 @@
+[tools]
+ruby = "3.2"

data/sig/gem/guardian/artifact_store.rbs

@@ -0,0 +1,13 @@
+module Gem
+  module Guardian
+    class ArtifactStore
+      @client: untyped
+
+      @cache_dir: untyped
+
+      def initialize: (client: untyped, ?cache_dir: untyped) -> void
+
+      def path_for: (untyped dependency) -> untyped
+    end
+  end
+end

data/sig/gem/guardian/checksum.rbs

@@ -0,0 +1,7 @@
+module Gem
+  module Guardian
+    module Checksum
+      def self?.sha256_file: (untyped path) -> untyped
+    end
+  end
+end

data/sig/gem/guardian/cli.rbs

@@ -0,0 +1,29 @@
+module Gem
+  module Guardian
+    class CLI
+      @argv: untyped
+
+      @stdout: untyped
+
+      @stderr: untyped
+
+      def self.start: (untyped argv) -> untyped
+
+      def initialize: (untyped argv, ?stdout: untyped, ?stderr: untyped) -> void
+
+      def run: () -> untyped
+
+      private
+
+      def verify: () -> untyped
+
+      def parse_gem_spec: (untyped spec) -> untyped
+
+      def option_value: (untyped name) -> (nil | untyped)
+
+      def print_results: (untyped results) -> untyped
+
+      def usage: (?untyped io) -> untyped
+    end
+  end
+end

data/sig/gem/guardian/dependency.rbs

@@ -0,0 +1,5 @@
+module Gem
+  module Guardian
+    Dependency: untyped
+  end
+end

data/sig/gem/guardian/error.rbs

@@ -0,0 +1,11 @@
+module Gem
+  module Guardian
+    Error: untyped
+
+    ChecksumNotFound: untyped
+
+    ArtifactFetchError: untyped
+
+    LockfileError: untyped
+  end
+end

data/sig/gem/guardian/lockfile_parser.rbs

@@ -0,0 +1,19 @@
+module Gem
+  module Guardian
+    class LockfileParser
+      @path: untyped
+
+      GEM_LINE: ::Regexp
+
+      def initialize: (?::String path) -> void
+
+      def dependencies: () -> untyped
+
+      private
+
+      # Bundler renders native platforms as `1.2.3-x86_64-linux` in the spec line.
+      # Ruby versions remain plain, for example `1.2.3`.
+      def split_version_and_platform: (untyped value) -> ::Array[untyped]
+    end
+  end
+end

data/sig/gem/guardian/rubygems_client.rbs

@@ -0,0 +1,25 @@
+module Gem
+  module Guardian
+    class RubygemsClient
+      @host: untyped
+
+      @http: untyped
+
+      DEFAULT_HOST: "https://rubygems.org"
+
+      def initialize: (?host: untyped, ?http: untyped) -> void
+
+      def expected_sha256: (untyped dependency) -> untyped
+
+      def download_gem: (untyped dependency, untyped destination) -> untyped
+
+      private
+
+      def get: (untyped path) -> untyped
+
+      def platform_matches?: (untyped remote_platform, untyped wanted_platform) -> untyped
+
+      def blank?: (untyped value) -> untyped
+    end
+  end
+end

data/sig/gem/guardian/verifier.rbs

@@ -0,0 +1,21 @@
+module Gem
+  module Guardian
+    VerificationResult: untyped
+
+    class Verifier
+      @client: untyped
+
+      @artifact_store: untyped
+
+      def initialize: (?client: untyped, ?artifact_store: untyped?) -> void
+
+      def verify: (untyped dependency) -> untyped
+
+      def verify_all: (untyped dependencies) -> untyped
+
+      private
+
+      def secure_compare: (untyped left, untyped right) -> (false | untyped)
+    end
+  end
+end

data/sig/gem/guardian/version.rbs

@@ -0,0 +1,5 @@
+module Gem
+  module Guardian
+    VERSION: "0.1.0"
+  end
+end

metadata

@@ -0,0 +1,84 @@
+--- !ruby/object:Gem::Specification
+name: gem-guardian
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Kenneth Demanawa
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2026-06-12 00:00:00.000000000 Z
+dependencies: []
+description: Verifies Ruby gem artifacts against RubyGems SHA256 checksums using Gemfile.lock
+  or explicit gem names.
+email:
+- kenneth.c.demanawa@gmail.com
+executables:
+- gem-guardian
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/main.yml"
+- ".gitignore"
+- ".rubocop.yml"
+- ".ruby-version"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/gem-guardian
+- gem-guardian.gemspec
+- lib/gem/guardian.rb
+- lib/gem/guardian/artifact_store.rb
+- lib/gem/guardian/checksum.rb
+- lib/gem/guardian/cli.rb
+- lib/gem/guardian/dependency.rb
+- lib/gem/guardian/error.rb
+- lib/gem/guardian/lockfile_parser.rb
+- lib/gem/guardian/rubygems_client.rb
+- lib/gem/guardian/verifier.rb
+- lib/gem/guardian/version.rb
+- mise.toml
+- sig/gem/guardian.rbs
+- sig/gem/guardian/artifact_store.rbs
+- sig/gem/guardian/checksum.rbs
+- sig/gem/guardian/cli.rbs
+- sig/gem/guardian/dependency.rbs
+- sig/gem/guardian/error.rbs
+- sig/gem/guardian/lockfile_parser.rbs
+- sig/gem/guardian/rubygems_client.rbs
+- sig/gem/guardian/verifier.rbs
+- sig/gem/guardian/version.rbs
+homepage: https://github.com/kanutocd/gem-guardian
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/kanutocd/gem-guardian
+  source_code_uri: https://github.com/kanutocd/gem-guardian
+  changelog_uri: https://github.com/kanutocd/gem-guardian/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.19
+signing_key:
+specification_version: 4
+summary: Consumer-side integrity verification for Ruby gems.
+test_files: []