@attest-it/core 0.0.0

package/dist/index.js

@@ -0,0 +1,629 @@
+export { checkOpenSSL, generateKeyPair, getDefaultPrivateKeyPath, getDefaultPublicKeyPath, setKeyPermissions, sign, verify } from './chunk-UWYR7JNE.js';
+import * as fs from 'fs';
+import { readFileSync } from 'fs';
+import { readFile } from 'fs/promises';
+import * as path from 'path';
+import { join, resolve } from 'path';
+import { parse } from 'yaml';
+import { z } from 'zod';
+import * as crypto from 'crypto';
+import { glob, globSync } from 'tinyglobby';
+import * as os from 'os';
+import * as canonicalizeNamespace from 'canonicalize';
+
+var settingsSchema = z.object({
+  maxAgeDays: z.number().int().positive().default(30),
+  publicKeyPath: z.string().default(".attest-it/pubkey.pem"),
+  attestationsPath: z.string().default(".attest-it/attestations.json"),
+  defaultCommand: z.string().optional(),
+  algorithm: z.enum(["ed25519", "rsa"]).default("ed25519")
+}).strict();
+var suiteSchema = z.object({
+  description: z.string().optional(),
+  packages: z.array(z.string().min(1, "Package path cannot be empty")).min(1, "At least one package pattern is required"),
+  files: z.array(z.string().min(1, "File path cannot be empty")).optional(),
+  ignore: z.array(z.string().min(1, "Ignore pattern cannot be empty")).optional(),
+  command: z.string().optional(),
+  invalidates: z.array(z.string().min(1, "Invalidated suite name cannot be empty")).optional()
+}).strict();
+var configSchema = z.object({
+  version: z.literal(1),
+  settings: settingsSchema.default({}),
+  suites: z.record(z.string(), suiteSchema).refine((suites) => Object.keys(suites).length >= 1, {
+    message: "At least one suite must be defined"
+  })
+}).strict();
+var ConfigValidationError = class extends Error {
+  constructor(message, issues) {
+    super(message);
+    this.issues = issues;
+    this.name = "ConfigValidationError";
+  }
+};
+var ConfigNotFoundError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ConfigNotFoundError";
+  }
+};
+function parseConfigContent(content, format) {
+  let rawConfig;
+  try {
+    if (format === "yaml") {
+      rawConfig = parse(content);
+    } else {
+      rawConfig = JSON.parse(content);
+    }
+  } catch (error) {
+    throw new ConfigValidationError(
+      `Failed to parse ${format.toUpperCase()}: ${error instanceof Error ? error.message : String(error)}`,
+      []
+    );
+  }
+  const result = configSchema.safeParse(rawConfig);
+  if (!result.success) {
+    throw new ConfigValidationError(
+      "Configuration validation failed:\n" + result.error.issues.map((issue) => `  - ${issue.path.join(".")}: ${issue.message}`).join("\n"),
+      result.error.issues
+    );
+  }
+  return result.data;
+}
+function getConfigFormat(filePath) {
+  const ext = filePath.toLowerCase();
+  if (ext.endsWith(".yaml") || ext.endsWith(".yml")) {
+    return "yaml";
+  }
+  if (ext.endsWith(".json")) {
+    return "json";
+  }
+  return "yaml";
+}
+function findConfigPath(startDir = process.cwd()) {
+  const configDir = join(startDir, ".attest-it");
+  const candidates = ["config.yaml", "config.yml", "config.json"];
+  for (const candidate of candidates) {
+    const configPath = join(configDir, candidate);
+    try {
+      readFileSync(configPath, "utf8");
+      return configPath;
+    } catch {
+      continue;
+    }
+  }
+  return null;
+}
+async function loadConfig(configPath) {
+  const resolvedPath = configPath ?? findConfigPath();
+  if (!resolvedPath) {
+    throw new ConfigNotFoundError(
+      "Configuration file not found. Expected .attest-it/config.yaml, .attest-it/config.yml, or .attest-it/config.json"
+    );
+  }
+  try {
+    const content = await readFile(resolvedPath, "utf8");
+    const format = getConfigFormat(resolvedPath);
+    return parseConfigContent(content, format);
+  } catch (error) {
+    if (error instanceof ConfigValidationError) {
+      throw error;
+    }
+    throw new ConfigNotFoundError(
+      `Failed to read configuration file at ${resolvedPath}: ${String(error)}`
+    );
+  }
+}
+function loadConfigSync(configPath) {
+  const resolvedPath = configPath ?? findConfigPath();
+  if (!resolvedPath) {
+    throw new ConfigNotFoundError(
+      "Configuration file not found. Expected .attest-it/config.yaml, .attest-it/config.yml, or .attest-it/config.json"
+    );
+  }
+  try {
+    const content = readFileSync(resolvedPath, "utf8");
+    const format = getConfigFormat(resolvedPath);
+    return parseConfigContent(content, format);
+  } catch (error) {
+    if (error instanceof ConfigValidationError) {
+      throw error;
+    }
+    throw new ConfigNotFoundError(
+      `Failed to read configuration file at ${resolvedPath}: ${String(error)}`
+    );
+  }
+}
+function resolveConfigPaths(config, repoRoot) {
+  return {
+    ...config,
+    settings: {
+      ...config.settings,
+      publicKeyPath: resolve(repoRoot, config.settings.publicKeyPath),
+      attestationsPath: resolve(repoRoot, config.settings.attestationsPath)
+    }
+  };
+}
+function toAttestItConfig(config) {
+  return {
+    version: config.version,
+    settings: {
+      maxAgeDays: config.settings.maxAgeDays,
+      publicKeyPath: config.settings.publicKeyPath,
+      attestationsPath: config.settings.attestationsPath,
+      algorithm: config.settings.algorithm,
+      ...config.settings.defaultCommand !== void 0 && {
+        defaultCommand: config.settings.defaultCommand
+      }
+    },
+    suites: Object.fromEntries(
+      Object.entries(config.suites).map(([name, suite]) => [
+        name,
+        {
+          packages: suite.packages,
+          ...suite.description !== void 0 && { description: suite.description },
+          ...suite.files !== void 0 && { files: suite.files },
+          ...suite.ignore !== void 0 && { ignore: suite.ignore },
+          ...suite.command !== void 0 && { command: suite.command },
+          ...suite.invalidates !== void 0 && { invalidates: suite.invalidates }
+        }
+      ])
+    )
+  };
+}
+var LARGE_FILE_THRESHOLD = 50 * 1024 * 1024;
+function sortFiles(files) {
+  return [...files].sort((a, b) => {
+    if (a < b) return -1;
+    if (a > b) return 1;
+    return 0;
+  });
+}
+function normalizePath(filePath) {
+  return filePath.split(path.sep).join("/");
+}
+function computeFinalFingerprint(fileHashes) {
+  const sorted = [...fileHashes].sort((a, b) => {
+    if (a.relativePath < b.relativePath) return -1;
+    if (a.relativePath > b.relativePath) return 1;
+    return 0;
+  });
+  const hashes = sorted.map((input) => input.hash);
+  const concatenated = Buffer.concat(hashes);
+  const finalHash = crypto.createHash("sha256").update(concatenated).digest();
+  return `sha256:${finalHash.toString("hex")}`;
+}
+async function hashFileAsync(realPath, normalizedPath, stats) {
+  if (stats.size > LARGE_FILE_THRESHOLD) {
+    return new Promise((resolve3, reject) => {
+      const hash2 = crypto.createHash("sha256");
+      hash2.update(normalizedPath);
+      hash2.update("\0");
+      const stream = fs.createReadStream(realPath);
+      stream.on("data", (chunk) => {
+        hash2.update(chunk);
+      });
+      stream.on("end", () => {
+        resolve3(hash2.digest());
+      });
+      stream.on("error", reject);
+    });
+  }
+  const content = await fs.promises.readFile(realPath);
+  const hash = crypto.createHash("sha256");
+  hash.update(normalizedPath);
+  hash.update("\0");
+  hash.update(content);
+  return hash.digest();
+}
+function hashFileSync(realPath, normalizedPath) {
+  const content = fs.readFileSync(realPath);
+  const hash = crypto.createHash("sha256");
+  hash.update(normalizedPath);
+  hash.update("\0");
+  hash.update(content);
+  return hash.digest();
+}
+function validateOptions(options) {
+  if (options.packages.length === 0) {
+    throw new Error("packages array must not be empty");
+  }
+  const baseDir = options.baseDir ?? process.cwd();
+  for (const pkg of options.packages) {
+    const pkgPath = path.resolve(baseDir, pkg);
+    if (!fs.existsSync(pkgPath)) {
+      throw new Error(`Package path does not exist: ${pkgPath}`);
+    }
+  }
+  return baseDir;
+}
+async function computeFingerprint(options) {
+  const baseDir = validateOptions(options);
+  const files = await listPackageFiles(options.packages, options.ignore, baseDir);
+  const sortedFiles = sortFiles(files);
+  const fileHashCache = /* @__PURE__ */ new Map();
+  const fileHashInputs = [];
+  for (const file of sortedFiles) {
+    const filePath = path.resolve(baseDir, file);
+    let realPath = filePath;
+    let stats = await fs.promises.lstat(filePath);
+    if (stats.isSymbolicLink()) {
+      try {
+        realPath = await fs.promises.realpath(filePath);
+      } catch {
+        continue;
+      }
+      try {
+        stats = await fs.promises.stat(realPath);
+      } catch {
+        continue;
+      }
+    }
+    if (!stats.isFile()) {
+      continue;
+    }
+    const normalizedPath = normalizePath(file);
+    let hash;
+    const cachedHash = fileHashCache.get(realPath);
+    if (cachedHash !== void 0) {
+      hash = cachedHash;
+    } else {
+      hash = await hashFileAsync(realPath, normalizedPath, stats);
+      fileHashCache.set(realPath, hash);
+    }
+    fileHashInputs.push({ relativePath: normalizedPath, hash });
+  }
+  const fingerprint = computeFinalFingerprint(fileHashInputs);
+  return {
+    fingerprint,
+    files: sortedFiles,
+    fileCount: sortedFiles.length
+  };
+}
+function computeFingerprintSync(options) {
+  const baseDir = validateOptions(options);
+  const files = listPackageFilesSync(options.packages, options.ignore, baseDir);
+  const sortedFiles = sortFiles(files);
+  const fileHashCache = /* @__PURE__ */ new Map();
+  const fileHashInputs = [];
+  for (const file of sortedFiles) {
+    const filePath = path.resolve(baseDir, file);
+    let realPath = filePath;
+    let stats = fs.lstatSync(filePath);
+    if (stats.isSymbolicLink()) {
+      try {
+        realPath = fs.realpathSync(filePath);
+      } catch {
+        continue;
+      }
+      try {
+        stats = fs.statSync(realPath);
+      } catch {
+        continue;
+      }
+    }
+    if (!stats.isFile()) {
+      continue;
+    }
+    const normalizedPath = normalizePath(file);
+    let hash;
+    const cachedHash = fileHashCache.get(realPath);
+    if (cachedHash !== void 0) {
+      hash = cachedHash;
+    } else {
+      hash = hashFileSync(realPath, normalizedPath);
+      fileHashCache.set(realPath, hash);
+    }
+    fileHashInputs.push({ relativePath: normalizedPath, hash });
+  }
+  const fingerprint = computeFinalFingerprint(fileHashInputs);
+  return {
+    fingerprint,
+    files: sortedFiles,
+    fileCount: sortedFiles.length
+  };
+}
+async function listPackageFiles(packages, ignore = [], baseDir = process.cwd()) {
+  const allFiles = [];
+  for (const pkg of packages) {
+    const patterns = [`${pkg}/**/*`];
+    const files = await glob(patterns, {
+      cwd: baseDir,
+      ignore,
+      onlyFiles: true,
+      dot: true,
+      // Include dotfiles
+      absolute: false
+      // Return relative paths
+    });
+    allFiles.push(...files);
+  }
+  return allFiles;
+}
+function listPackageFilesSync(packages, ignore = [], baseDir = process.cwd()) {
+  const allFiles = [];
+  for (const pkg of packages) {
+    const patterns = [`${pkg}/**/*`];
+    const files = globSync(patterns, {
+      cwd: baseDir,
+      ignore,
+      onlyFiles: true,
+      dot: true,
+      // Include dotfiles
+      absolute: false
+      // Return relative paths
+    });
+    allFiles.push(...files);
+  }
+  return allFiles;
+}
+var canonicalize = canonicalizeNamespace;
+var serialize = canonicalize.default;
+var attestationSchema = z.object({
+  suite: z.string().min(1),
+  fingerprint: z.string().regex(/^sha256:[a-f0-9]{64}$/),
+  attestedAt: z.string().datetime(),
+  attestedBy: z.string().min(1),
+  command: z.string().min(1),
+  exitCode: z.literal(0)
+});
+var attestationsFileSchema = z.object({
+  schemaVersion: z.literal("1"),
+  attestations: z.array(attestationSchema),
+  signature: z.string()
+  // Will be validated by crypto module
+});
+function isNodeError(error) {
+  if (error === null || typeof error !== "object") {
+    return false;
+  }
+  if (!("code" in error)) {
+    return false;
+  }
+  const errorObj = error;
+  return typeof errorObj.code === "string";
+}
+async function readAttestations(filePath) {
+  try {
+    const content = await fs.promises.readFile(filePath, "utf-8");
+    const parsed = JSON.parse(content);
+    return attestationsFileSchema.parse(parsed);
+  } catch (error) {
+    if (isNodeError(error) && error.code === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+}
+function readAttestationsSync(filePath) {
+  try {
+    const content = fs.readFileSync(filePath, "utf-8");
+    const parsed = JSON.parse(content);
+    return attestationsFileSchema.parse(parsed);
+  } catch (error) {
+    if (isNodeError(error) && error.code === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+}
+async function writeAttestations(filePath, attestations, signature) {
+  const fileContent = {
+    schemaVersion: "1",
+    attestations,
+    signature
+  };
+  attestationsFileSchema.parse(fileContent);
+  const dir = path.dirname(filePath);
+  await fs.promises.mkdir(dir, { recursive: true });
+  const json = JSON.stringify(fileContent, null, 2);
+  await fs.promises.writeFile(filePath, json, "utf-8");
+}
+function writeAttestationsSync(filePath, attestations, signature) {
+  const fileContent = {
+    schemaVersion: "1",
+    attestations,
+    signature
+  };
+  attestationsFileSchema.parse(fileContent);
+  const dir = path.dirname(filePath);
+  fs.mkdirSync(dir, { recursive: true });
+  const json = JSON.stringify(fileContent, null, 2);
+  fs.writeFileSync(filePath, json, "utf-8");
+}
+function findAttestation(attestations, suite) {
+  return attestations.attestations.find((a) => a.suite === suite);
+}
+function upsertAttestation(attestations, newAttestation) {
+  attestationSchema.parse(newAttestation);
+  const existingIndex = attestations.findIndex((a) => a.suite === newAttestation.suite);
+  if (existingIndex === -1) {
+    return [...attestations, newAttestation];
+  } else {
+    const updated = [...attestations];
+    updated[existingIndex] = newAttestation;
+    return updated;
+  }
+}
+function removeAttestation(attestations, suite) {
+  return attestations.filter((a) => a.suite !== suite);
+}
+function canonicalizeAttestations(attestations) {
+  const canonical = serialize(attestations);
+  if (canonical === void 0) {
+    throw new Error("Failed to canonicalize attestations");
+  }
+  return canonical;
+}
+function createAttestation(params) {
+  const attestation = {
+    suite: params.suite,
+    fingerprint: params.fingerprint,
+    attestedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    attestedBy: params.attestedBy ?? os.userInfo().username,
+    command: params.command,
+    exitCode: 0
+  };
+  attestationSchema.parse(attestation);
+  return attestation;
+}
+async function writeSignedAttestations(options) {
+  const { sign: sign2 } = await import('./crypto-ITLMIMRJ.js');
+  const canonical = canonicalizeAttestations(options.attestations);
+  const signature = await sign2({
+    privateKeyPath: options.privateKeyPath,
+    data: canonical
+  });
+  await writeAttestations(options.filePath, options.attestations, signature);
+}
+async function readAndVerifyAttestations(options) {
+  const { verify: verify2 } = await import('./crypto-ITLMIMRJ.js');
+  const file = await readAttestations(options.filePath);
+  if (!file) {
+    throw new Error(`Attestations file not found: ${options.filePath}`);
+  }
+  const canonical = canonicalizeAttestations(file.attestations);
+  const isValid = await verify2({
+    publicKeyPath: options.publicKeyPath,
+    data: canonical,
+    signature: file.signature
+  });
+  if (!isValid) {
+    throw new SignatureInvalidError(options.filePath);
+  }
+  return file;
+}
+var SignatureInvalidError = class extends Error {
+  /**
+   * Create a new SignatureInvalidError.
+   * @param filePath - Path to the file that failed verification
+   */
+  constructor(filePath) {
+    super(`Signature verification failed for: ${filePath}`);
+    this.name = "SignatureInvalidError";
+  }
+};
+async function verifyAttestations(options) {
+  const { config, repoRoot = process.cwd() } = options;
+  const errors = [];
+  const suiteResults = [];
+  let signatureValid = true;
+  let attestationsFile = null;
+  const attestationsPath = resolvePath(config.settings.attestationsPath, repoRoot);
+  const publicKeyPath = resolvePath(config.settings.publicKeyPath, repoRoot);
+  try {
+    if (!fs.existsSync(attestationsPath)) {
+      attestationsFile = null;
+    } else if (!fs.existsSync(publicKeyPath)) {
+      errors.push(`Public key not found: ${publicKeyPath}`);
+      signatureValid = false;
+    } else {
+      attestationsFile = await readAndVerifyAttestations({
+        filePath: attestationsPath,
+        publicKeyPath
+      });
+    }
+  } catch (err) {
+    if (err instanceof SignatureInvalidError) {
+      signatureValid = false;
+      errors.push(err.message);
+    } else if (err instanceof Error) {
+      errors.push(err.message);
+    }
+  }
+  const attestations = attestationsFile?.attestations ?? [];
+  for (const [suiteName, suiteConfig] of Object.entries(config.suites)) {
+    const result = await verifySuite({
+      suiteName,
+      suiteConfig,
+      attestations,
+      maxAgeDays: config.settings.maxAgeDays,
+      repoRoot
+    });
+    suiteResults.push(result);
+  }
+  checkInvalidationChains(config, suiteResults);
+  const allValid = signatureValid && suiteResults.every((r) => r.status === "VALID") && errors.length === 0;
+  return {
+    success: allValid,
+    signatureValid,
+    suites: suiteResults,
+    errors
+  };
+}
+async function verifySuite(options) {
+  const { suiteName, suiteConfig, attestations, maxAgeDays, repoRoot } = options;
+  const fingerprintOptions = {
+    packages: suiteConfig.packages.map((p) => resolvePath(p, repoRoot)),
+    baseDir: repoRoot,
+    ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
+  };
+  const fingerprintResult = await computeFingerprint(fingerprintOptions);
+  const attestation = attestations.find((a) => a.suite === suiteName);
+  if (!attestation) {
+    return {
+      suite: suiteName,
+      status: "NEEDS_ATTESTATION",
+      fingerprint: fingerprintResult.fingerprint,
+      message: "No attestation found for this suite"
+    };
+  }
+  if (attestation.fingerprint !== fingerprintResult.fingerprint) {
+    return {
+      suite: suiteName,
+      status: "FINGERPRINT_CHANGED",
+      fingerprint: fingerprintResult.fingerprint,
+      attestation,
+      message: `Fingerprint changed from ${attestation.fingerprint.slice(0, 20)}... to ${fingerprintResult.fingerprint.slice(0, 20)}...`
+    };
+  }
+  const attestedAt = new Date(attestation.attestedAt);
+  const ageMs = Date.now() - attestedAt.getTime();
+  const ageDays = Math.floor(ageMs / (1e3 * 60 * 60 * 24));
+  if (ageDays > maxAgeDays) {
+    return {
+      suite: suiteName,
+      status: "EXPIRED",
+      fingerprint: fingerprintResult.fingerprint,
+      attestation,
+      age: ageDays,
+      message: `Attestation expired (${String(ageDays)} days old, max ${String(maxAgeDays)} days)`
+    };
+  }
+  return {
+    suite: suiteName,
+    status: "VALID",
+    fingerprint: fingerprintResult.fingerprint,
+    attestation,
+    age: ageDays
+  };
+}
+function checkInvalidationChains(config, results) {
+  for (const [parentName, parentConfig] of Object.entries(config.suites)) {
+    const invalidates = parentConfig.invalidates ?? [];
+    const parentResult = results.find((r) => r.suite === parentName);
+    if (!parentResult?.attestation) continue;
+    const parentTime = new Date(parentResult.attestation.attestedAt).getTime();
+    for (const childName of invalidates) {
+      const childResult = results.find((r) => r.suite === childName);
+      if (!childResult?.attestation) continue;
+      const childTime = new Date(childResult.attestation.attestedAt).getTime();
+      if (parentTime > childTime && childResult.status === "VALID") {
+        childResult.status = "INVALIDATED_BY_PARENT";
+        childResult.message = `Invalidated by ${parentName} (attested later)`;
+      }
+    }
+  }
+}
+function resolvePath(relativePath, baseDir) {
+  if (path.isAbsolute(relativePath)) {
+    return relativePath;
+  }
+  return path.join(baseDir, relativePath);
+}
+
+// src/index.ts
+var version = "0.0.0";
+
+export { ConfigNotFoundError, ConfigValidationError, SignatureInvalidError, canonicalizeAttestations, computeFingerprint, computeFingerprintSync, createAttestation, findAttestation, findConfigPath, listPackageFiles, loadConfig, loadConfigSync, readAndVerifyAttestations, readAttestations, readAttestationsSync, removeAttestation, resolveConfigPaths, toAttestItConfig, upsertAttestation, verifyAttestations, version, writeAttestations, writeAttestationsSync, writeSignedAttestations };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map