@attest-it/core 0.0.0

package/dist/index.cjs

@@ -0,0 +1,915 @@
+'use strict';
+
+var child_process = require('child_process');
+var fs2 = require('fs/promises');
+var path2 = require('path');
+var os = require('os');
+var fs = require('fs');
+var yaml = require('yaml');
+var zod = require('zod');
+var crypto = require('crypto');
+var tinyglobby = require('tinyglobby');
+var canonicalizeNamespace = require('canonicalize');
+
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var fs2__namespace = /*#__PURE__*/_interopNamespace(fs2);
+var path2__namespace = /*#__PURE__*/_interopNamespace(path2);
+var os__namespace = /*#__PURE__*/_interopNamespace(os);
+var fs__namespace = /*#__PURE__*/_interopNamespace(fs);
+var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
+var canonicalizeNamespace__namespace = /*#__PURE__*/_interopNamespace(canonicalizeNamespace);
+
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/crypto.ts
+var crypto_exports = {};
+__export(crypto_exports, {
+  checkOpenSSL: () => checkOpenSSL,
+  generateKeyPair: () => generateKeyPair,
+  getDefaultPrivateKeyPath: () => getDefaultPrivateKeyPath,
+  getDefaultPublicKeyPath: () => getDefaultPublicKeyPath,
+  setKeyPermissions: () => setKeyPermissions,
+  sign: () => sign,
+  verify: () => verify
+});
+async function runOpenSSL(args, stdin) {
+  return new Promise((resolve3, reject) => {
+    const child = child_process.spawn("openssl", args, {
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    const stdoutChunks = [];
+    let stderr = "";
+    child.stdout.on("data", (chunk) => {
+      stdoutChunks.push(chunk);
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("error", (err) => {
+      reject(new Error(`Failed to spawn OpenSSL: ${err.message}`));
+    });
+    child.on("close", (code) => {
+      resolve3({
+        exitCode: code ?? 1,
+        stdout: Buffer.concat(stdoutChunks),
+        stderr
+      });
+    });
+    child.stdin.end();
+  });
+}
+async function checkOpenSSL() {
+  const result = await runOpenSSL(["version"]);
+  if (result.exitCode !== 0) {
+    throw new Error(`OpenSSL check failed: ${result.stderr}`);
+  }
+  return result.stdout.toString().trim();
+}
+async function ensureOpenSSLAvailable() {
+  if (openSSLChecked) {
+    return;
+  }
+  try {
+    await checkOpenSSL();
+    openSSLChecked = true;
+  } catch {
+    throw new Error(
+      "OpenSSL is not installed or not in PATH. Please install OpenSSL to use attest-it. On macOS: brew install openssl. On Ubuntu: apt-get install openssl"
+    );
+  }
+}
+function getDefaultPrivateKeyPath() {
+  const homeDir = os__namespace.homedir();
+  if (process.platform === "win32") {
+    const appData = process.env.APPDATA ?? path2__namespace.join(homeDir, "AppData", "Roaming");
+    return path2__namespace.join(appData, "attest-it", "private.pem");
+  }
+  return path2__namespace.join(homeDir, ".config", "attest-it", "private.pem");
+}
+function getDefaultPublicKeyPath() {
+  return path2__namespace.join(process.cwd(), "attest-it-public.pem");
+}
+async function ensureDir(dirPath) {
+  try {
+    await fs2__namespace.mkdir(dirPath, { recursive: true });
+  } catch (err) {
+    if (err instanceof Error && "code" in err && err.code !== "EEXIST") {
+      throw err;
+    }
+  }
+}
+async function fileExists(filePath) {
+  try {
+    await fs2__namespace.access(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function cleanupFiles(...paths) {
+  for (const filePath of paths) {
+    try {
+      await fs2__namespace.unlink(filePath);
+    } catch {
+    }
+  }
+}
+async function generateKeyPair(options = {}) {
+  await ensureOpenSSLAvailable();
+  const {
+    algorithm = "ed25519",
+    privatePath = getDefaultPrivateKeyPath(),
+    publicPath = getDefaultPublicKeyPath(),
+    force = false
+  } = options;
+  const privateExists = await fileExists(privatePath);
+  const publicExists = await fileExists(publicPath);
+  if ((privateExists || publicExists) && !force) {
+    const existing = [privateExists ? privatePath : null, publicExists ? publicPath : null].filter(
+      Boolean
+    );
+    throw new Error(
+      `Key files already exist: ${existing.join(", ")}. Use force: true to overwrite.`
+    );
+  }
+  await ensureDir(path2__namespace.dirname(privatePath));
+  await ensureDir(path2__namespace.dirname(publicPath));
+  try {
+    const genArgs = algorithm === "ed25519" ? ["genpkey", "-algorithm", "Ed25519", "-out", privatePath] : ["genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048", "-out", privatePath];
+    const genResult = await runOpenSSL(genArgs);
+    if (genResult.exitCode !== 0) {
+      throw new Error(`Failed to generate private key: ${genResult.stderr}`);
+    }
+    await setKeyPermissions(privatePath);
+    const pubResult = await runOpenSSL(["pkey", "-in", privatePath, "-pubout", "-out", publicPath]);
+    if (pubResult.exitCode !== 0) {
+      throw new Error(`Failed to extract public key: ${pubResult.stderr}`);
+    }
+    return {
+      privatePath,
+      publicPath
+    };
+  } catch (err) {
+    await cleanupFiles(privatePath, publicPath);
+    throw err;
+  }
+}
+async function sign(options) {
+  await ensureOpenSSLAvailable();
+  const { privateKeyPath, data } = options;
+  if (!await fileExists(privateKeyPath)) {
+    throw new Error(`Private key not found: ${privateKeyPath}`);
+  }
+  const dataBuffer = typeof data === "string" ? Buffer.from(data, "utf8") : data;
+  const processBuffer = dataBuffer.length === 0 ? Buffer.from([0]) : dataBuffer;
+  const tmpDir = await fs2__namespace.mkdtemp(path2__namespace.join(os__namespace.tmpdir(), "attest-it-"));
+  const dataFile = path2__namespace.join(tmpDir, "data.bin");
+  const sigFile = path2__namespace.join(tmpDir, "sig.bin");
+  try {
+    await fs2__namespace.writeFile(dataFile, processBuffer);
+    const result = await runOpenSSL([
+      "pkeyutl",
+      "-sign",
+      "-inkey",
+      privateKeyPath,
+      "-in",
+      dataFile,
+      "-out",
+      sigFile
+    ]);
+    if (result.exitCode !== 0) {
+      throw new Error(`Failed to sign data: ${result.stderr}`);
+    }
+    const sigBuffer = await fs2__namespace.readFile(sigFile);
+    return sigBuffer.toString("base64");
+  } finally {
+    try {
+      await fs2__namespace.rm(tmpDir, { recursive: true, force: true });
+    } catch {
+    }
+  }
+}
+async function verify(options) {
+  await ensureOpenSSLAvailable();
+  const { publicKeyPath, data, signature } = options;
+  if (!await fileExists(publicKeyPath)) {
+    throw new Error(`Public key not found: ${publicKeyPath}`);
+  }
+  const dataBuffer = typeof data === "string" ? Buffer.from(data, "utf8") : data;
+  const processBuffer = dataBuffer.length === 0 ? Buffer.from([0]) : dataBuffer;
+  const sigBuffer = Buffer.from(signature, "base64");
+  const tmpDir = await fs2__namespace.mkdtemp(path2__namespace.join(os__namespace.tmpdir(), "attest-it-"));
+  const dataFile = path2__namespace.join(tmpDir, "data.bin");
+  const sigFile = path2__namespace.join(tmpDir, "sig.bin");
+  try {
+    await fs2__namespace.writeFile(dataFile, processBuffer);
+    await fs2__namespace.writeFile(sigFile, sigBuffer);
+    const result = await runOpenSSL([
+      "pkeyutl",
+      "-verify",
+      "-pubin",
+      "-inkey",
+      publicKeyPath,
+      "-sigfile",
+      sigFile,
+      "-in",
+      dataFile
+    ]);
+    if (result.exitCode !== 0 && result.exitCode !== 1) {
+      throw new Error(`Verification error: ${result.stderr}`);
+    }
+    return result.exitCode === 0;
+  } finally {
+    try {
+      await fs2__namespace.rm(tmpDir, { recursive: true, force: true });
+    } catch {
+    }
+  }
+}
+async function setKeyPermissions(keyPath) {
+  if (process.platform === "win32") {
+    await fs2__namespace.chmod(keyPath, 384);
+  } else {
+    await fs2__namespace.chmod(keyPath, 384);
+  }
+}
+var openSSLChecked;
+var init_crypto = __esm({
+  "src/crypto.ts"() {
+    openSSLChecked = false;
+  }
+});
+var settingsSchema = zod.z.object({
+  maxAgeDays: zod.z.number().int().positive().default(30),
+  publicKeyPath: zod.z.string().default(".attest-it/pubkey.pem"),
+  attestationsPath: zod.z.string().default(".attest-it/attestations.json"),
+  defaultCommand: zod.z.string().optional(),
+  algorithm: zod.z.enum(["ed25519", "rsa"]).default("ed25519")
+}).strict();
+var suiteSchema = zod.z.object({
+  description: zod.z.string().optional(),
+  packages: zod.z.array(zod.z.string().min(1, "Package path cannot be empty")).min(1, "At least one package pattern is required"),
+  files: zod.z.array(zod.z.string().min(1, "File path cannot be empty")).optional(),
+  ignore: zod.z.array(zod.z.string().min(1, "Ignore pattern cannot be empty")).optional(),
+  command: zod.z.string().optional(),
+  invalidates: zod.z.array(zod.z.string().min(1, "Invalidated suite name cannot be empty")).optional()
+}).strict();
+var configSchema = zod.z.object({
+  version: zod.z.literal(1),
+  settings: settingsSchema.default({}),
+  suites: zod.z.record(zod.z.string(), suiteSchema).refine((suites) => Object.keys(suites).length >= 1, {
+    message: "At least one suite must be defined"
+  })
+}).strict();
+var ConfigValidationError = class extends Error {
+  constructor(message, issues) {
+    super(message);
+    this.issues = issues;
+    this.name = "ConfigValidationError";
+  }
+};
+var ConfigNotFoundError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ConfigNotFoundError";
+  }
+};
+function parseConfigContent(content, format) {
+  let rawConfig;
+  try {
+    if (format === "yaml") {
+      rawConfig = yaml.parse(content);
+    } else {
+      rawConfig = JSON.parse(content);
+    }
+  } catch (error) {
+    throw new ConfigValidationError(
+      `Failed to parse ${format.toUpperCase()}: ${error instanceof Error ? error.message : String(error)}`,
+      []
+    );
+  }
+  const result = configSchema.safeParse(rawConfig);
+  if (!result.success) {
+    throw new ConfigValidationError(
+      "Configuration validation failed:\n" + result.error.issues.map((issue) => `  - ${issue.path.join(".")}: ${issue.message}`).join("\n"),
+      result.error.issues
+    );
+  }
+  return result.data;
+}
+function getConfigFormat(filePath) {
+  const ext = filePath.toLowerCase();
+  if (ext.endsWith(".yaml") || ext.endsWith(".yml")) {
+    return "yaml";
+  }
+  if (ext.endsWith(".json")) {
+    return "json";
+  }
+  return "yaml";
+}
+function findConfigPath(startDir = process.cwd()) {
+  const configDir = path2.join(startDir, ".attest-it");
+  const candidates = ["config.yaml", "config.yml", "config.json"];
+  for (const candidate of candidates) {
+    const configPath = path2.join(configDir, candidate);
+    try {
+      fs.readFileSync(configPath, "utf8");
+      return configPath;
+    } catch {
+      continue;
+    }
+  }
+  return null;
+}
+async function loadConfig(configPath) {
+  const resolvedPath = configPath ?? findConfigPath();
+  if (!resolvedPath) {
+    throw new ConfigNotFoundError(
+      "Configuration file not found. Expected .attest-it/config.yaml, .attest-it/config.yml, or .attest-it/config.json"
+    );
+  }
+  try {
+    const content = await fs2.readFile(resolvedPath, "utf8");
+    const format = getConfigFormat(resolvedPath);
+    return parseConfigContent(content, format);
+  } catch (error) {
+    if (error instanceof ConfigValidationError) {
+      throw error;
+    }
+    throw new ConfigNotFoundError(
+      `Failed to read configuration file at ${resolvedPath}: ${String(error)}`
+    );
+  }
+}
+function loadConfigSync(configPath) {
+  const resolvedPath = configPath ?? findConfigPath();
+  if (!resolvedPath) {
+    throw new ConfigNotFoundError(
+      "Configuration file not found. Expected .attest-it/config.yaml, .attest-it/config.yml, or .attest-it/config.json"
+    );
+  }
+  try {
+    const content = fs.readFileSync(resolvedPath, "utf8");
+    const format = getConfigFormat(resolvedPath);
+    return parseConfigContent(content, format);
+  } catch (error) {
+    if (error instanceof ConfigValidationError) {
+      throw error;
+    }
+    throw new ConfigNotFoundError(
+      `Failed to read configuration file at ${resolvedPath}: ${String(error)}`
+    );
+  }
+}
+function resolveConfigPaths(config, repoRoot) {
+  return {
+    ...config,
+    settings: {
+      ...config.settings,
+      publicKeyPath: path2.resolve(repoRoot, config.settings.publicKeyPath),
+      attestationsPath: path2.resolve(repoRoot, config.settings.attestationsPath)
+    }
+  };
+}
+function toAttestItConfig(config) {
+  return {
+    version: config.version,
+    settings: {
+      maxAgeDays: config.settings.maxAgeDays,
+      publicKeyPath: config.settings.publicKeyPath,
+      attestationsPath: config.settings.attestationsPath,
+      algorithm: config.settings.algorithm,
+      ...config.settings.defaultCommand !== void 0 && {
+        defaultCommand: config.settings.defaultCommand
+      }
+    },
+    suites: Object.fromEntries(
+      Object.entries(config.suites).map(([name, suite]) => [
+        name,
+        {
+          packages: suite.packages,
+          ...suite.description !== void 0 && { description: suite.description },
+          ...suite.files !== void 0 && { files: suite.files },
+          ...suite.ignore !== void 0 && { ignore: suite.ignore },
+          ...suite.command !== void 0 && { command: suite.command },
+          ...suite.invalidates !== void 0 && { invalidates: suite.invalidates }
+        }
+      ])
+    )
+  };
+}
+var LARGE_FILE_THRESHOLD = 50 * 1024 * 1024;
+function sortFiles(files) {
+  return [...files].sort((a, b) => {
+    if (a < b) return -1;
+    if (a > b) return 1;
+    return 0;
+  });
+}
+function normalizePath(filePath) {
+  return filePath.split(path2__namespace.sep).join("/");
+}
+function computeFinalFingerprint(fileHashes) {
+  const sorted = [...fileHashes].sort((a, b) => {
+    if (a.relativePath < b.relativePath) return -1;
+    if (a.relativePath > b.relativePath) return 1;
+    return 0;
+  });
+  const hashes = sorted.map((input) => input.hash);
+  const concatenated = Buffer.concat(hashes);
+  const finalHash = crypto__namespace.createHash("sha256").update(concatenated).digest();
+  return `sha256:${finalHash.toString("hex")}`;
+}
+async function hashFileAsync(realPath, normalizedPath, stats) {
+  if (stats.size > LARGE_FILE_THRESHOLD) {
+    return new Promise((resolve3, reject) => {
+      const hash2 = crypto__namespace.createHash("sha256");
+      hash2.update(normalizedPath);
+      hash2.update("\0");
+      const stream = fs__namespace.createReadStream(realPath);
+      stream.on("data", (chunk) => {
+        hash2.update(chunk);
+      });
+      stream.on("end", () => {
+        resolve3(hash2.digest());
+      });
+      stream.on("error", reject);
+    });
+  }
+  const content = await fs__namespace.promises.readFile(realPath);
+  const hash = crypto__namespace.createHash("sha256");
+  hash.update(normalizedPath);
+  hash.update("\0");
+  hash.update(content);
+  return hash.digest();
+}
+function hashFileSync(realPath, normalizedPath) {
+  const content = fs__namespace.readFileSync(realPath);
+  const hash = crypto__namespace.createHash("sha256");
+  hash.update(normalizedPath);
+  hash.update("\0");
+  hash.update(content);
+  return hash.digest();
+}
+function validateOptions(options) {
+  if (options.packages.length === 0) {
+    throw new Error("packages array must not be empty");
+  }
+  const baseDir = options.baseDir ?? process.cwd();
+  for (const pkg of options.packages) {
+    const pkgPath = path2__namespace.resolve(baseDir, pkg);
+    if (!fs__namespace.existsSync(pkgPath)) {
+      throw new Error(`Package path does not exist: ${pkgPath}`);
+    }
+  }
+  return baseDir;
+}
+async function computeFingerprint(options) {
+  const baseDir = validateOptions(options);
+  const files = await listPackageFiles(options.packages, options.ignore, baseDir);
+  const sortedFiles = sortFiles(files);
+  const fileHashCache = /* @__PURE__ */ new Map();
+  const fileHashInputs = [];
+  for (const file of sortedFiles) {
+    const filePath = path2__namespace.resolve(baseDir, file);
+    let realPath = filePath;
+    let stats = await fs__namespace.promises.lstat(filePath);
+    if (stats.isSymbolicLink()) {
+      try {
+        realPath = await fs__namespace.promises.realpath(filePath);
+      } catch {
+        continue;
+      }
+      try {
+        stats = await fs__namespace.promises.stat(realPath);
+      } catch {
+        continue;
+      }
+    }
+    if (!stats.isFile()) {
+      continue;
+    }
+    const normalizedPath = normalizePath(file);
+    let hash;
+    const cachedHash = fileHashCache.get(realPath);
+    if (cachedHash !== void 0) {
+      hash = cachedHash;
+    } else {
+      hash = await hashFileAsync(realPath, normalizedPath, stats);
+      fileHashCache.set(realPath, hash);
+    }
+    fileHashInputs.push({ relativePath: normalizedPath, hash });
+  }
+  const fingerprint = computeFinalFingerprint(fileHashInputs);
+  return {
+    fingerprint,
+    files: sortedFiles,
+    fileCount: sortedFiles.length
+  };
+}
+function computeFingerprintSync(options) {
+  const baseDir = validateOptions(options);
+  const files = listPackageFilesSync(options.packages, options.ignore, baseDir);
+  const sortedFiles = sortFiles(files);
+  const fileHashCache = /* @__PURE__ */ new Map();
+  const fileHashInputs = [];
+  for (const file of sortedFiles) {
+    const filePath = path2__namespace.resolve(baseDir, file);
+    let realPath = filePath;
+    let stats = fs__namespace.lstatSync(filePath);
+    if (stats.isSymbolicLink()) {
+      try {
+        realPath = fs__namespace.realpathSync(filePath);
+      } catch {
+        continue;
+      }
+      try {
+        stats = fs__namespace.statSync(realPath);
+      } catch {
+        continue;
+      }
+    }
+    if (!stats.isFile()) {
+      continue;
+    }
+    const normalizedPath = normalizePath(file);
+    let hash;
+    const cachedHash = fileHashCache.get(realPath);
+    if (cachedHash !== void 0) {
+      hash = cachedHash;
+    } else {
+      hash = hashFileSync(realPath, normalizedPath);
+      fileHashCache.set(realPath, hash);
+    }
+    fileHashInputs.push({ relativePath: normalizedPath, hash });
+  }
+  const fingerprint = computeFinalFingerprint(fileHashInputs);
+  return {
+    fingerprint,
+    files: sortedFiles,
+    fileCount: sortedFiles.length
+  };
+}
+async function listPackageFiles(packages, ignore = [], baseDir = process.cwd()) {
+  const allFiles = [];
+  for (const pkg of packages) {
+    const patterns = [`${pkg}/**/*`];
+    const files = await tinyglobby.glob(patterns, {
+      cwd: baseDir,
+      ignore,
+      onlyFiles: true,
+      dot: true,
+      // Include dotfiles
+      absolute: false
+      // Return relative paths
+    });
+    allFiles.push(...files);
+  }
+  return allFiles;
+}
+function listPackageFilesSync(packages, ignore = [], baseDir = process.cwd()) {
+  const allFiles = [];
+  for (const pkg of packages) {
+    const patterns = [`${pkg}/**/*`];
+    const files = tinyglobby.globSync(patterns, {
+      cwd: baseDir,
+      ignore,
+      onlyFiles: true,
+      dot: true,
+      // Include dotfiles
+      absolute: false
+      // Return relative paths
+    });
+    allFiles.push(...files);
+  }
+  return allFiles;
+}
+var canonicalize = canonicalizeNamespace__namespace;
+var serialize = canonicalize.default;
+var attestationSchema = zod.z.object({
+  suite: zod.z.string().min(1),
+  fingerprint: zod.z.string().regex(/^sha256:[a-f0-9]{64}$/),
+  attestedAt: zod.z.string().datetime(),
+  attestedBy: zod.z.string().min(1),
+  command: zod.z.string().min(1),
+  exitCode: zod.z.literal(0)
+});
+var attestationsFileSchema = zod.z.object({
+  schemaVersion: zod.z.literal("1"),
+  attestations: zod.z.array(attestationSchema),
+  signature: zod.z.string()
+  // Will be validated by crypto module
+});
+function isNodeError(error) {
+  if (error === null || typeof error !== "object") {
+    return false;
+  }
+  if (!("code" in error)) {
+    return false;
+  }
+  const errorObj = error;
+  return typeof errorObj.code === "string";
+}
+async function readAttestations(filePath) {
+  try {
+    const content = await fs__namespace.promises.readFile(filePath, "utf-8");
+    const parsed = JSON.parse(content);
+    return attestationsFileSchema.parse(parsed);
+  } catch (error) {
+    if (isNodeError(error) && error.code === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+}
+function readAttestationsSync(filePath) {
+  try {
+    const content = fs__namespace.readFileSync(filePath, "utf-8");
+    const parsed = JSON.parse(content);
+    return attestationsFileSchema.parse(parsed);
+  } catch (error) {
+    if (isNodeError(error) && error.code === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+}
+async function writeAttestations(filePath, attestations, signature) {
+  const fileContent = {
+    schemaVersion: "1",
+    attestations,
+    signature
+  };
+  attestationsFileSchema.parse(fileContent);
+  const dir = path2__namespace.dirname(filePath);
+  await fs__namespace.promises.mkdir(dir, { recursive: true });
+  const json = JSON.stringify(fileContent, null, 2);
+  await fs__namespace.promises.writeFile(filePath, json, "utf-8");
+}
+function writeAttestationsSync(filePath, attestations, signature) {
+  const fileContent = {
+    schemaVersion: "1",
+    attestations,
+    signature
+  };
+  attestationsFileSchema.parse(fileContent);
+  const dir = path2__namespace.dirname(filePath);
+  fs__namespace.mkdirSync(dir, { recursive: true });
+  const json = JSON.stringify(fileContent, null, 2);
+  fs__namespace.writeFileSync(filePath, json, "utf-8");
+}
+function findAttestation(attestations, suite) {
+  return attestations.attestations.find((a) => a.suite === suite);
+}
+function upsertAttestation(attestations, newAttestation) {
+  attestationSchema.parse(newAttestation);
+  const existingIndex = attestations.findIndex((a) => a.suite === newAttestation.suite);
+  if (existingIndex === -1) {
+    return [...attestations, newAttestation];
+  } else {
+    const updated = [...attestations];
+    updated[existingIndex] = newAttestation;
+    return updated;
+  }
+}
+function removeAttestation(attestations, suite) {
+  return attestations.filter((a) => a.suite !== suite);
+}
+function canonicalizeAttestations(attestations) {
+  const canonical = serialize(attestations);
+  if (canonical === void 0) {
+    throw new Error("Failed to canonicalize attestations");
+  }
+  return canonical;
+}
+function createAttestation(params) {
+  const attestation = {
+    suite: params.suite,
+    fingerprint: params.fingerprint,
+    attestedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    attestedBy: params.attestedBy ?? os__namespace.userInfo().username,
+    command: params.command,
+    exitCode: 0
+  };
+  attestationSchema.parse(attestation);
+  return attestation;
+}
+async function writeSignedAttestations(options) {
+  const { sign: sign2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+  const canonical = canonicalizeAttestations(options.attestations);
+  const signature = await sign2({
+    privateKeyPath: options.privateKeyPath,
+    data: canonical
+  });
+  await writeAttestations(options.filePath, options.attestations, signature);
+}
+async function readAndVerifyAttestations(options) {
+  const { verify: verify2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+  const file = await readAttestations(options.filePath);
+  if (!file) {
+    throw new Error(`Attestations file not found: ${options.filePath}`);
+  }
+  const canonical = canonicalizeAttestations(file.attestations);
+  const isValid = await verify2({
+    publicKeyPath: options.publicKeyPath,
+    data: canonical,
+    signature: file.signature
+  });
+  if (!isValid) {
+    throw new SignatureInvalidError(options.filePath);
+  }
+  return file;
+}
+var SignatureInvalidError = class extends Error {
+  /**
+   * Create a new SignatureInvalidError.
+   * @param filePath - Path to the file that failed verification
+   */
+  constructor(filePath) {
+    super(`Signature verification failed for: ${filePath}`);
+    this.name = "SignatureInvalidError";
+  }
+};
+
+// src/index.ts
+init_crypto();
+async function verifyAttestations(options) {
+  const { config, repoRoot = process.cwd() } = options;
+  const errors = [];
+  const suiteResults = [];
+  let signatureValid = true;
+  let attestationsFile = null;
+  const attestationsPath = resolvePath(config.settings.attestationsPath, repoRoot);
+  const publicKeyPath = resolvePath(config.settings.publicKeyPath, repoRoot);
+  try {
+    if (!fs__namespace.existsSync(attestationsPath)) {
+      attestationsFile = null;
+    } else if (!fs__namespace.existsSync(publicKeyPath)) {
+      errors.push(`Public key not found: ${publicKeyPath}`);
+      signatureValid = false;
+    } else {
+      attestationsFile = await readAndVerifyAttestations({
+        filePath: attestationsPath,
+        publicKeyPath
+      });
+    }
+  } catch (err) {
+    if (err instanceof SignatureInvalidError) {
+      signatureValid = false;
+      errors.push(err.message);
+    } else if (err instanceof Error) {
+      errors.push(err.message);
+    }
+  }
+  const attestations = attestationsFile?.attestations ?? [];
+  for (const [suiteName, suiteConfig] of Object.entries(config.suites)) {
+    const result = await verifySuite({
+      suiteName,
+      suiteConfig,
+      attestations,
+      maxAgeDays: config.settings.maxAgeDays,
+      repoRoot
+    });
+    suiteResults.push(result);
+  }
+  checkInvalidationChains(config, suiteResults);
+  const allValid = signatureValid && suiteResults.every((r) => r.status === "VALID") && errors.length === 0;
+  return {
+    success: allValid,
+    signatureValid,
+    suites: suiteResults,
+    errors
+  };
+}
+async function verifySuite(options) {
+  const { suiteName, suiteConfig, attestations, maxAgeDays, repoRoot } = options;
+  const fingerprintOptions = {
+    packages: suiteConfig.packages.map((p) => resolvePath(p, repoRoot)),
+    baseDir: repoRoot,
+    ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
+  };
+  const fingerprintResult = await computeFingerprint(fingerprintOptions);
+  const attestation = attestations.find((a) => a.suite === suiteName);
+  if (!attestation) {
+    return {
+      suite: suiteName,
+      status: "NEEDS_ATTESTATION",
+      fingerprint: fingerprintResult.fingerprint,
+      message: "No attestation found for this suite"
+    };
+  }
+  if (attestation.fingerprint !== fingerprintResult.fingerprint) {
+    return {
+      suite: suiteName,
+      status: "FINGERPRINT_CHANGED",
+      fingerprint: fingerprintResult.fingerprint,
+      attestation,
+      message: `Fingerprint changed from ${attestation.fingerprint.slice(0, 20)}... to ${fingerprintResult.fingerprint.slice(0, 20)}...`
+    };
+  }
+  const attestedAt = new Date(attestation.attestedAt);
+  const ageMs = Date.now() - attestedAt.getTime();
+  const ageDays = Math.floor(ageMs / (1e3 * 60 * 60 * 24));
+  if (ageDays > maxAgeDays) {
+    return {
+      suite: suiteName,
+      status: "EXPIRED",
+      fingerprint: fingerprintResult.fingerprint,
+      attestation,
+      age: ageDays,
+      message: `Attestation expired (${String(ageDays)} days old, max ${String(maxAgeDays)} days)`
+    };
+  }
+  return {
+    suite: suiteName,
+    status: "VALID",
+    fingerprint: fingerprintResult.fingerprint,
+    attestation,
+    age: ageDays
+  };
+}
+function checkInvalidationChains(config, results) {
+  for (const [parentName, parentConfig] of Object.entries(config.suites)) {
+    const invalidates = parentConfig.invalidates ?? [];
+    const parentResult = results.find((r) => r.suite === parentName);
+    if (!parentResult?.attestation) continue;
+    const parentTime = new Date(parentResult.attestation.attestedAt).getTime();
+    for (const childName of invalidates) {
+      const childResult = results.find((r) => r.suite === childName);
+      if (!childResult?.attestation) continue;
+      const childTime = new Date(childResult.attestation.attestedAt).getTime();
+      if (parentTime > childTime && childResult.status === "VALID") {
+        childResult.status = "INVALIDATED_BY_PARENT";
+        childResult.message = `Invalidated by ${parentName} (attested later)`;
+      }
+    }
+  }
+}
+function resolvePath(relativePath, baseDir) {
+  if (path2__namespace.isAbsolute(relativePath)) {
+    return relativePath;
+  }
+  return path2__namespace.join(baseDir, relativePath);
+}
+
+// src/index.ts
+var version = "0.0.0";
+
+exports.ConfigNotFoundError = ConfigNotFoundError;
+exports.ConfigValidationError = ConfigValidationError;
+exports.SignatureInvalidError = SignatureInvalidError;
+exports.canonicalizeAttestations = canonicalizeAttestations;
+exports.checkOpenSSL = checkOpenSSL;
+exports.computeFingerprint = computeFingerprint;
+exports.computeFingerprintSync = computeFingerprintSync;
+exports.createAttestation = createAttestation;
+exports.findAttestation = findAttestation;
+exports.findConfigPath = findConfigPath;
+exports.generateKeyPair = generateKeyPair;
+exports.getDefaultPrivateKeyPath = getDefaultPrivateKeyPath;
+exports.getDefaultPublicKeyPath = getDefaultPublicKeyPath;
+exports.listPackageFiles = listPackageFiles;
+exports.loadConfig = loadConfig;
+exports.loadConfigSync = loadConfigSync;
+exports.readAndVerifyAttestations = readAndVerifyAttestations;
+exports.readAttestations = readAttestations;
+exports.readAttestationsSync = readAttestationsSync;
+exports.removeAttestation = removeAttestation;
+exports.resolveConfigPaths = resolveConfigPaths;
+exports.setKeyPermissions = setKeyPermissions;
+exports.sign = sign;
+exports.toAttestItConfig = toAttestItConfig;
+exports.upsertAttestation = upsertAttestation;
+exports.verify = verify;
+exports.verifyAttestations = verifyAttestations;
+exports.version = version;
+exports.writeAttestations = writeAttestations;
+exports.writeAttestationsSync = writeAttestationsSync;
+exports.writeSignedAttestations = writeSignedAttestations;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map