@ar.io/wayfinder-core 0.0.1

package/dist/utils/base64.d.ts

@@ -0,0 +1,21 @@
+/**
+ * WayFinder
+ * Copyright (C) 2022-2025 Permanent Data Solutions, Inc. All Rights Reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+export declare function fromB64Url(str: string): Uint8Array;
+export declare function toB64Url(bytes: Uint8Array): string;
+export declare function sha256B64Url(input: Uint8Array): string;
+//# sourceMappingURL=base64.d.ts.map

package/dist/utils/base64.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base64.d.ts","sourceRoot":"","sources":["../../src/utils/base64.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAsBH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAIlD;AAED,wBAAgB,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAGlD;AASD,wBAAgB,YAAY,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAEtD"}

package/dist/utils/base64.js

@@ -0,0 +1,51 @@
+/**
+ * WayFinder
+ * Copyright (C) 2022-2025 Permanent Data Solutions, Inc. All Rights Reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+import { createHash } from 'crypto';
+// safely encodes and decodes base64url strings to and from buffers
+const BASE64_CHAR_62 = '+';
+const BASE64_CHAR_63 = '/';
+const BASE64URL_CHAR_62 = '-';
+const BASE64URL_CHAR_63 = '_';
+const BASE64_PADDING = '=';
+function base64urlToBase64(str) {
+    const padLength = str.length % 4;
+    if (padLength) {
+        str += BASE64_PADDING.repeat(4 - padLength);
+    }
+    return str
+        .replaceAll(BASE64URL_CHAR_62, BASE64_CHAR_62)
+        .replaceAll(BASE64URL_CHAR_63, BASE64_CHAR_63);
+}
+export function fromB64Url(str) {
+    const b64Str = base64urlToBase64(str);
+    const binaryStr = atob(b64Str);
+    return new Uint8Array([...binaryStr].map((c) => c.charCodeAt(0)));
+}
+export function toB64Url(bytes) {
+    const b64Str = btoa(String.fromCharCode(...bytes));
+    return base64urlFromBase64(b64Str);
+}
+function base64urlFromBase64(str) {
+    return str
+        .replaceAll(BASE64_CHAR_62, BASE64URL_CHAR_62)
+        .replaceAll(BASE64_CHAR_63, BASE64URL_CHAR_63)
+        .replaceAll(BASE64_PADDING, '');
+}
+export function sha256B64Url(input) {
+    return toB64Url(new Uint8Array(createHash('sha256').update(input).digest()));
+}

package/dist/utils/hash.d.ts

@@ -0,0 +1,10 @@
+import { DataStream } from '../../types/wayfinder.js';
+import { Logger } from '../wayfinder.js';
+export declare function isAsyncIterable(obj: unknown): obj is AsyncIterable<Uint8Array>;
+export declare function readableStreamToAsyncIterable(stream: ReadableStream<Uint8Array>): AsyncIterable<Uint8Array>;
+export declare function hashDataStreamToB64Url({ stream, algorithm, logger, }: {
+    stream: DataStream;
+    algorithm?: string;
+    logger?: Logger;
+}): Promise<string | undefined>;
+//# sourceMappingURL=hash.d.ts.map

package/dist/utils/hash.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../src/utils/hash.ts"],"names":[],"mappings":"AAkBA,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AACtD,OAAO,EAAE,MAAM,EAAiB,MAAM,iBAAiB,CAAC;AAGxD,wBAAgB,eAAe,CAC7B,GAAG,EAAE,OAAO,GACX,GAAG,IAAI,aAAa,CAAC,UAAU,CAAC,CAQlC;AAED,wBAAuB,6BAA6B,CAClD,MAAM,EAAE,cAAc,CAAC,UAAU,CAAC,GACjC,aAAa,CAAC,UAAU,CAAC,CAa3B;AAED,wBAAsB,sBAAsB,CAAC,EAC3C,MAAM,EACN,SAAqB,EACrB,MAAsB,GACvB,EAAE;IACD,MAAM,EAAE,UAAU,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CA2C9B"}

package/dist/utils/hash.js

@@ -0,0 +1,81 @@
+/**
+ * WayFinder
+ * Copyright (C) 2022-2025 Permanent Data Solutions, Inc. All Rights Reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+import { createHash } from 'crypto';
+import { defaultLogger } from '../wayfinder.js';
+import { toB64Url } from './base64.js';
+export function isAsyncIterable(obj) {
+    return (obj !== null &&
+        typeof obj === 'object' &&
+        Symbol.asyncIterator in obj &&
+        typeof obj[Symbol.asyncIterator] ===
+            'function');
+}
+export async function* readableStreamToAsyncIterable(stream) {
+    const reader = stream.getReader();
+    try {
+        while (true) {
+            const { done, value } = await reader.read();
+            if (done) {
+                return;
+            }
+            yield value;
+        }
+    }
+    finally {
+        reader.releaseLock();
+    }
+}
+export async function hashDataStreamToB64Url({ stream, algorithm = 'SHA-256', logger = defaultLogger, }) {
+    try {
+        logger.debug('Starting to hash data stream', {
+            algorithm,
+            streamType: isAsyncIterable(stream) ? 'AsyncIterable' : 'ReadableStream',
+        });
+        const asyncIterable = isAsyncIterable(stream)
+            ? stream
+            : readableStreamToAsyncIterable(stream);
+        const hash = createHash(algorithm);
+        let bytesProcessed = 0;
+        for await (const chunk of asyncIterable) {
+            hash.update(chunk);
+            bytesProcessed += chunk.length;
+            // Log progress occasionally (every ~1MB)
+            if (bytesProcessed % (1024 * 1024) < chunk.length) {
+                logger.debug('Hashing progress', {
+                    bytesProcessed,
+                    algorithm,
+                });
+            }
+        }
+        const hashResult = toB64Url(new Uint8Array(hash.digest()));
+        logger.debug('Finished hashing data stream', {
+            bytesProcessed,
+            algorithm,
+            hashResult,
+        });
+        return hashResult;
+    }
+    catch (error) {
+        logger.error('Error hashing data stream', {
+            error: error.message,
+            stack: error.stack,
+            algorithm,
+        });
+        return undefined;
+    }
+}

package/dist/utils/random.d.ts

@@ -0,0 +1,25 @@
+/**
+ * WayFinder
+ * Copyright (C) 2022-2025 Permanent Data Solutions, Inc. All Rights Reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+/**
+ * Returns a random integer between min (inclusive) and max (exclusive)
+ * @param min - The minimum value (inclusive)
+ * @param max - The maximum value (exclusive)
+ * @returns A random integer between min and max
+ */
+export declare function randomInt(min: number, max: number): number;
+//# sourceMappingURL=random.d.ts.map

package/dist/utils/random.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"random.d.ts","sourceRoot":"","sources":["../../src/utils/random.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAE1D"}

package/dist/utils/random.js

@@ -0,0 +1,26 @@
+/**
+ * WayFinder
+ * Copyright (C) 2022-2025 Permanent Data Solutions, Inc. All Rights Reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+/**
+ * Returns a random integer between min (inclusive) and max (exclusive)
+ * @param min - The minimum value (inclusive)
+ * @param max - The maximum value (exclusive)
+ * @returns A random integer between min and max
+ */
+export function randomInt(min, max) {
+    return Math.floor(Math.random() * (max - min)) + min;
+}

package/dist/verification/data-root-verifier.d.ts

@@ -0,0 +1,28 @@
+import { DataStream, VerificationStrategy } from '../../types/wayfinder.js';
+import { Logger } from '../wayfinder.js';
+export declare const convertDataStreamToDataRoot: ({ stream, }: {
+    stream: DataStream;
+}) => Promise<string>;
+export declare class DataRootVerificationStrategy implements VerificationStrategy {
+    private readonly trustedGateways;
+    private readonly maxConcurrency;
+    private readonly logger;
+    constructor({ trustedGateways, maxConcurrency, logger, }: {
+        trustedGateways: URL[];
+        maxConcurrency?: number;
+        logger?: Logger;
+    });
+    /**
+     * Get the data root for a given txId from all trusted gateways and ensure they all match.
+     * @param txId - The txId to get the data root for.
+     * @returns The data root for the given txId.
+     */
+    getDataRoot({ txId }: {
+        txId: string;
+    }): Promise<string>;
+    verifyData({ data, txId, }: {
+        data: DataStream;
+        txId: string;
+    }): Promise<void>;
+}
+//# sourceMappingURL=data-root-verifier.d.ts.map

package/dist/verification/data-root-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-root-verifier.d.ts","sourceRoot":"","sources":["../../src/verification/data-root-verifier.ts"],"names":[],"mappings":"AA2BA,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAM5E,OAAO,EAAE,MAAM,EAAiB,MAAM,iBAAiB,CAAC;AAExD,eAAO,MAAM,2BAA2B,GAAU,aAE/C;IACD,MAAM,EAAE,UAAU,CAAC;CACpB,KAAG,OAAO,CAAC,MAAM,CAwDjB,CAAC;AAEF,qBAAa,4BAA6B,YAAW,oBAAoB;IACvE,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAQ;IACxC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;gBACpB,EACV,eAAe,EACf,cAAkB,EAClB,MAAsB,GACvB,EAAE;QACD,eAAe,EAAE,GAAG,EAAE,CAAC;QACvB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB;IAMD;;;;OAIG;IACG,WAAW,CAAC,EAAE,IAAI,EAAE,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAuCxD,UAAU,CAAC,EACf,IAAI,EACJ,IAAI,GACL,EAAE;QACD,IAAI,EAAE,UAAU,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;KACd,GAAG,OAAO,CAAC,IAAI,CAAC;CAelB"}

package/dist/verification/data-root-verifier.js

@@ -0,0 +1,129 @@
+/**
+ * WayFinder
+ * Copyright (C) 2022-2025 Permanent Data Solutions, Inc. All Rights Reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+import Arweave from 'arweave';
+import { MAX_CHUNK_SIZE, MIN_CHUNK_SIZE, buildLayers, generateLeaves, } from 'arweave/node/lib/merkle.js';
+import { pLimit } from 'plimit-lit';
+import { toB64Url } from '../utils/base64.js';
+import { isAsyncIterable, readableStreamToAsyncIterable, } from '../utils/hash.js';
+import { defaultLogger } from '../wayfinder.js';
+export const convertDataStreamToDataRoot = async ({ stream, }) => {
+    const chunks = [];
+    let leftover = new Uint8Array(0);
+    let cursor = 0;
+    const asyncIterable = isAsyncIterable(stream)
+        ? stream
+        : readableStreamToAsyncIterable(stream);
+    for await (const data of asyncIterable) {
+        const inputChunk = new Uint8Array(data.buffer, data.byteOffset, data.byteLength);
+        const combined = new Uint8Array(leftover.length + inputChunk.length);
+        combined.set(leftover, 0);
+        combined.set(inputChunk, leftover.length);
+        let startIndex = 0;
+        while (combined.length - startIndex >= MAX_CHUNK_SIZE) {
+            let chunkSize = MAX_CHUNK_SIZE;
+            const remainderAfterThis = combined.length - startIndex - MAX_CHUNK_SIZE;
+            if (remainderAfterThis > 0 && remainderAfterThis < MIN_CHUNK_SIZE) {
+                chunkSize = Math.ceil((combined.length - startIndex) / 2);
+            }
+            const chunkData = combined.slice(startIndex, startIndex + chunkSize);
+            const dataHash = await Arweave.crypto.hash(chunkData);
+            chunks.push({
+                dataHash,
+                minByteRange: cursor,
+                maxByteRange: cursor + chunkSize,
+            });
+            cursor += chunkSize;
+            startIndex += chunkSize;
+        }
+        leftover = combined.slice(startIndex);
+    }
+    if (leftover.length > 0) {
+        // TODO: ensure a web friendly crypto hash function is used in web
+        const dataHash = await Arweave.crypto.hash(leftover);
+        chunks.push({
+            dataHash,
+            minByteRange: cursor,
+            maxByteRange: cursor + leftover.length,
+        });
+    }
+    const leaves = await generateLeaves(chunks);
+    const root = await buildLayers(leaves);
+    return toB64Url(new Uint8Array(root.id));
+};
+export class DataRootVerificationStrategy {
+    trustedGateways;
+    maxConcurrency;
+    logger;
+    constructor({ trustedGateways, maxConcurrency = 1, logger = defaultLogger, }) {
+        this.trustedGateways = trustedGateways;
+        this.maxConcurrency = maxConcurrency;
+        this.logger = logger;
+    }
+    /**
+     * Get the data root for a given txId from all trusted gateways and ensure they all match.
+     * @param txId - The txId to get the data root for.
+     * @returns The data root for the given txId.
+     */
+    async getDataRoot({ txId }) {
+        this.logger.debug('Getting data root for txId', {
+            txId,
+            maxConcurrency: this.maxConcurrency,
+            trustedGateways: this.trustedGateways,
+        });
+        // TODO: shuffle gateways to avoid bias
+        const throttle = pLimit(this.maxConcurrency);
+        const dataRootPromises = this.trustedGateways.map(async (gateway) => {
+            return throttle(async () => {
+                const response = await fetch(`${gateway.toString()}tx/${txId}/data_root`);
+                if (!response.ok) {
+                    // skip this gateway
+                    throw new Error('Failed to fetch data root for txId', {
+                        cause: {
+                            txId,
+                            gateway: gateway.toString(),
+                        },
+                    });
+                }
+                const dataRoot = await response.text();
+                return { dataRoot, gateway };
+            });
+        });
+        const { dataRoot, gateway } = await Promise.any(dataRootPromises);
+        this.logger.debug('Successfully fetched data root for txId', {
+            txId,
+            dataRoot,
+            gateway: gateway.toString(),
+        });
+        return dataRoot;
+    }
+    async verifyData({ data, txId, }) {
+        const [computedDataRoot, trustedDataRoot] = await Promise.all([
+            convertDataStreamToDataRoot({
+                stream: data,
+            }),
+            this.getDataRoot({
+                txId,
+            }),
+        ]);
+        if (computedDataRoot !== trustedDataRoot) {
+            throw new Error('Data root does not match', {
+                cause: { computedDataRoot, trustedDataRoot },
+            });
+        }
+    }
+}

package/dist/verification/hash-verifier.d.ts

@@ -0,0 +1,28 @@
+import { DataStream, VerificationStrategy } from '../../types/wayfinder.js';
+import { Logger } from '../wayfinder.js';
+export declare class HashVerificationStrategy implements VerificationStrategy {
+    private readonly trustedGateways;
+    private readonly maxConcurrency;
+    private readonly logger;
+    constructor({ trustedGateways, maxConcurrency, logger, }: {
+        trustedGateways: URL[];
+        maxConcurrency?: number;
+        logger?: Logger;
+    });
+    /**
+     * Gets the digest for a given txId from all trusted gateways and ensures they all match.
+     * @param txId - The txId to get the digest for.
+     * @returns The digest for the given txId.
+     */
+    getDigest({ txId, }: {
+        txId: string;
+    }): Promise<{
+        hash: string;
+        algorithm: 'sha256';
+    }>;
+    verifyData({ data, txId, }: {
+        data: DataStream;
+        txId: string;
+    }): Promise<void>;
+}
+//# sourceMappingURL=hash-verifier.d.ts.map

package/dist/verification/hash-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash-verifier.d.ts","sourceRoot":"","sources":["../../src/verification/hash-verifier.ts"],"names":[],"mappings":"AAkBA,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAG5E,OAAO,EAAE,MAAM,EAAgC,MAAM,iBAAiB,CAAC;AAEvE,qBAAa,wBAAyB,YAAW,oBAAoB;IACnE,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAQ;IACxC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;gBACpB,EACV,eAAe,EACf,cAAkB,EAClB,MAAsB,GACvB,EAAE;QACD,eAAe,EAAE,GAAG,EAAE,CAAC;QACvB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB;IAMD;;;;OAIG;IACG,SAAS,CAAC,EACd,IAAI,GACL,EAAE;QACD,IAAI,EAAE,MAAM,CAAC;KACd,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,QAAQ,CAAA;KAAE,CAAC;IAqE5C,UAAU,CAAC,EACf,IAAI,EACJ,IAAI,GACL,EAAE;QACD,IAAI,EAAE,UAAU,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;KACd,GAAG,OAAO,CAAC,IAAI,CAAC;CAgBlB"}

package/dist/verification/hash-verifier.js

@@ -0,0 +1,108 @@
+/**
+ * WayFinder
+ * Copyright (C) 2022-2025 Permanent Data Solutions, Inc. All Rights Reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+import { pLimit } from 'plimit-lit';
+import { arioGatewayHeaders } from '../utils/ario.js';
+import { hashDataStreamToB64Url } from '../utils/hash.js';
+import { defaultLogger, sandboxFromId } from '../wayfinder.js';
+export class HashVerificationStrategy {
+    trustedGateways;
+    maxConcurrency;
+    logger;
+    constructor({ trustedGateways, maxConcurrency = 1, logger = defaultLogger, }) {
+        this.trustedGateways = trustedGateways;
+        this.maxConcurrency = maxConcurrency;
+        this.logger = logger;
+    }
+    /**
+     * Gets the digest for a given txId from all trusted gateways and ensures they all match.
+     * @param txId - The txId to get the digest for.
+     * @returns The digest for the given txId.
+     */
+    async getDigest({ txId, }) {
+        this.logger.debug('Getting digest for txId', {
+            txId,
+            maxConcurrency: this.maxConcurrency,
+            trustedGateways: this.trustedGateways,
+        });
+        // TODO: shuffle gateways to avoid bias
+        const throttle = pLimit(this.maxConcurrency);
+        const hashPromises = this.trustedGateways.map(async (gateway) => {
+            return throttle(async () => {
+                const sandbox = sandboxFromId(txId);
+                const urlWithSandbox = `${gateway.protocol}//${sandbox}.${gateway.hostname}/${txId}`;
+                /**
+                 * This is a problem because we're not able to verify the hash of the data item if the gateway doesn't have the data in its cache. We start with a HEAD request, if it fails, we do a GET request to hydrate the cache and then a HEAD request again to get the cached digest.
+                 */
+                for (const method of ['HEAD', 'GET', 'HEAD']) {
+                    const response = await fetch(urlWithSandbox, {
+                        method,
+                        redirect: 'follow',
+                        mode: 'cors',
+                        headers: {
+                            'Cache-Control': 'no-cache',
+                        },
+                    });
+                    if (!response.ok) {
+                        // skip if the request failed or the digest is not present
+                        throw new Error('Failed to fetch digest for txId', {
+                            cause: {
+                                txId,
+                                gateway: gateway.toString(),
+                            },
+                        });
+                    }
+                    const fetchedTxIdHash = response.headers.get(arioGatewayHeaders.digest);
+                    if (fetchedTxIdHash) {
+                        // avoid hitting other gateways if we've found the hash
+                        throttle.clearQueue();
+                        return { hash: fetchedTxIdHash, gateway };
+                    }
+                }
+                throw new Error('No hash found for txId', {
+                    cause: {
+                        txId,
+                        gateway: gateway.toString(),
+                    },
+                });
+            });
+        });
+        const { hash, gateway } = await Promise.any(hashPromises);
+        this.logger.debug('Successfully fetched digest for txId from trusted gateway', {
+            txId,
+            hash,
+            gateway: gateway.toString(),
+        });
+        return { hash, algorithm: 'sha256' };
+    }
+    async verifyData({ data, txId, }) {
+        // kick off the hash computation, but don't wait for it until we compute our own hash
+        const [computedHash, fetchedHash] = await Promise.all([
+            hashDataStreamToB64Url({ stream: data }),
+            this.getDigest({ txId }),
+        ]);
+        // await on the hash promise and compare to get a little concurrency when computing hashes over larger data
+        if (computedHash === undefined) {
+            throw new Error('Hash could not be computed');
+        }
+        if (computedHash !== fetchedHash.hash) {
+            throw new Error('Hash does not match', {
+                cause: { computedHash, trustedHash: fetchedHash },
+            });
+        }
+    }
+}