@attest-it/core 0.4.0 → 0.5.0

package/dist/core-alpha.d.ts

@@ -765,6 +765,25 @@ export declare function generateKeyPair(options?: KeygenOptions): Promise<KeyPat
  */
 export declare function getActiveIdentity(config: LocalConfig): Identity | undefined;
 
+/**
+ * Get the attest-it configuration directory.
+ *
+ * If a home directory override is set via setAttestItHomeDir(),
+ * returns that directory. Otherwise returns ~/.config/attest-it.
+ *
+ * @returns Path to the configuration directory
+ * @public
+ */
+export declare function getAttestItConfigDir(): string;
+
+/**
+ * Get the current attest-it home directory override.
+ *
+ * @returns The override directory, or null if using default
+ * @public
+ */
+export declare function getAttestItHomeDir(): null | string;
+
 /**
  * Get all team members authorized to sign for a gate.
  *
@@ -802,7 +821,10 @@ export declare function getGate(config: AttestItConfig, gateId: string): GateCon
 /**
  * Get the path to the local config file.
  *
- * @returns Path to ~/.config/attest-it/config.yaml
+ * If a home directory override is set via setAttestItHomeDir(),
+ * returns {homeDir}/config.yaml. Otherwise returns ~/.config/attest-it/config.yaml.
+ *
+ * @returns Path to the local config file
  * @public
  */
 export declare function getLocalConfigPath(): string;
@@ -1084,6 +1106,17 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
               constructor(message: string, issues: z.ZodIssue[]);
           }
 
+          /**
+           * Information about a macOS keychain.
+           * @public
+           */
+          export declare interface MacOSKeychain {
+              /** Full path to the keychain file */
+              path: string;
+              /** Display name (filename without extension) */
+              name: string;
+          }
+
           /**
            * Key provider that stores private keys in macOS Keychain.
            *
@@ -1098,6 +1131,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
               readonly type = "macos-keychain";
               readonly displayName = "macOS Keychain";
               private readonly itemName;
+              private readonly keychain?;
               private static readonly ACCOUNT;
               /**
                * Create a new MacOSKeychainKeyProvider.
@@ -1109,6 +1143,11 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
                * Only available on macOS platforms.
                */
               static isAvailable(): boolean;
+              /**
+               * List available keychains on the system.
+               * @returns Array of keychain information
+               */
+              static listKeychains(): Promise<MacOSKeychain[]>;
               /**
                * Check if this provider is available on the current system.
                */
@@ -1144,6 +1183,8 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
           export declare interface MacOSKeychainKeyProviderOptions {
               /** Item name in keychain (e.g., "attest-it-private-key") */
               itemName: string;
+              /** Path to the keychain file (optional, uses default keychain if not specified) */
+              keychain?: string;
           }
 
           /**
@@ -1268,6 +1309,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
            */
           export declare type PrivateKeyRef = {
               account: string;
+              keychain?: string;
               service: string;
               type: 'keychain';
           } | {
@@ -1436,6 +1478,15 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
               message?: string;
           }
 
+          /**
+           * Set a custom home directory for attest-it configuration.
+           * This is useful for testing or running with isolated state.
+           *
+           * @param dir - The directory to use, or null to reset to default
+           * @public
+           */
+          export declare function setAttestItHomeDir(dir: null | string): void;
+
           /**
            * Set restrictive permissions on a private key file.
            * @param keyPath - Path to the private key

package/dist/core-beta.d.ts

@@ -765,6 +765,25 @@ export declare function generateKeyPair(options?: KeygenOptions): Promise<KeyPat
  */
 export declare function getActiveIdentity(config: LocalConfig): Identity | undefined;
 
+/**
+ * Get the attest-it configuration directory.
+ *
+ * If a home directory override is set via setAttestItHomeDir(),
+ * returns that directory. Otherwise returns ~/.config/attest-it.
+ *
+ * @returns Path to the configuration directory
+ * @public
+ */
+export declare function getAttestItConfigDir(): string;
+
+/**
+ * Get the current attest-it home directory override.
+ *
+ * @returns The override directory, or null if using default
+ * @public
+ */
+export declare function getAttestItHomeDir(): null | string;
+
 /**
  * Get all team members authorized to sign for a gate.
  *
@@ -802,7 +821,10 @@ export declare function getGate(config: AttestItConfig, gateId: string): GateCon
 /**
  * Get the path to the local config file.
  *
- * @returns Path to ~/.config/attest-it/config.yaml
+ * If a home directory override is set via setAttestItHomeDir(),
+ * returns {homeDir}/config.yaml. Otherwise returns ~/.config/attest-it/config.yaml.
+ *
+ * @returns Path to the local config file
  * @public
  */
 export declare function getLocalConfigPath(): string;
@@ -1084,6 +1106,17 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
               constructor(message: string, issues: z.ZodIssue[]);
           }
 
+          /**
+           * Information about a macOS keychain.
+           * @public
+           */
+          export declare interface MacOSKeychain {
+              /** Full path to the keychain file */
+              path: string;
+              /** Display name (filename without extension) */
+              name: string;
+          }
+
           /**
            * Key provider that stores private keys in macOS Keychain.
            *
@@ -1098,6 +1131,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
               readonly type = "macos-keychain";
               readonly displayName = "macOS Keychain";
               private readonly itemName;
+              private readonly keychain?;
               private static readonly ACCOUNT;
               /**
                * Create a new MacOSKeychainKeyProvider.
@@ -1109,6 +1143,11 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
                * Only available on macOS platforms.
                */
               static isAvailable(): boolean;
+              /**
+               * List available keychains on the system.
+               * @returns Array of keychain information
+               */
+              static listKeychains(): Promise<MacOSKeychain[]>;
               /**
                * Check if this provider is available on the current system.
                */
@@ -1144,6 +1183,8 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
           export declare interface MacOSKeychainKeyProviderOptions {
               /** Item name in keychain (e.g., "attest-it-private-key") */
               itemName: string;
+              /** Path to the keychain file (optional, uses default keychain if not specified) */
+              keychain?: string;
           }
 
           /**
@@ -1268,6 +1309,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
            */
           export declare type PrivateKeyRef = {
               account: string;
+              keychain?: string;
               service: string;
               type: 'keychain';
           } | {
@@ -1436,6 +1478,15 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
               message?: string;
           }
 
+          /**
+           * Set a custom home directory for attest-it configuration.
+           * This is useful for testing or running with isolated state.
+           *
+           * @param dir - The directory to use, or null to reset to default
+           * @public
+           */
+          export declare function setAttestItHomeDir(dir: null | string): void;
+
           /**
            * Set restrictive permissions on a private key file.
            * @param keyPath - Path to the private key

package/dist/core-public.d.ts

@@ -765,6 +765,25 @@ export declare function generateKeyPair(options?: KeygenOptions): Promise<KeyPat
  */
 export declare function getActiveIdentity(config: LocalConfig): Identity | undefined;
 
+/**
+ * Get the attest-it configuration directory.
+ *
+ * If a home directory override is set via setAttestItHomeDir(),
+ * returns that directory. Otherwise returns ~/.config/attest-it.
+ *
+ * @returns Path to the configuration directory
+ * @public
+ */
+export declare function getAttestItConfigDir(): string;
+
+/**
+ * Get the current attest-it home directory override.
+ *
+ * @returns The override directory, or null if using default
+ * @public
+ */
+export declare function getAttestItHomeDir(): null | string;
+
 /**
  * Get all team members authorized to sign for a gate.
  *
@@ -802,7 +821,10 @@ export declare function getGate(config: AttestItConfig, gateId: string): GateCon
 /**
  * Get the path to the local config file.
  *
- * @returns Path to ~/.config/attest-it/config.yaml
+ * If a home directory override is set via setAttestItHomeDir(),
+ * returns {homeDir}/config.yaml. Otherwise returns ~/.config/attest-it/config.yaml.
+ *
+ * @returns Path to the local config file
  * @public
  */
 export declare function getLocalConfigPath(): string;
@@ -1084,6 +1106,17 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
               constructor(message: string, issues: z.ZodIssue[]);
           }
 
+          /**
+           * Information about a macOS keychain.
+           * @public
+           */
+          export declare interface MacOSKeychain {
+              /** Full path to the keychain file */
+              path: string;
+              /** Display name (filename without extension) */
+              name: string;
+          }
+
           /**
            * Key provider that stores private keys in macOS Keychain.
            *
@@ -1098,6 +1131,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
               readonly type = "macos-keychain";
               readonly displayName = "macOS Keychain";
               private readonly itemName;
+              private readonly keychain?;
               private static readonly ACCOUNT;
               /**
                * Create a new MacOSKeychainKeyProvider.
@@ -1109,6 +1143,11 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
                * Only available on macOS platforms.
                */
               static isAvailable(): boolean;
+              /**
+               * List available keychains on the system.
+               * @returns Array of keychain information
+               */
+              static listKeychains(): Promise<MacOSKeychain[]>;
               /**
                * Check if this provider is available on the current system.
                */
@@ -1144,6 +1183,8 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
           export declare interface MacOSKeychainKeyProviderOptions {
               /** Item name in keychain (e.g., "attest-it-private-key") */
               itemName: string;
+              /** Path to the keychain file (optional, uses default keychain if not specified) */
+              keychain?: string;
           }
 
           /**
@@ -1268,6 +1309,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
            */
           export declare type PrivateKeyRef = {
               account: string;
+              keychain?: string;
               service: string;
               type: 'keychain';
           } | {
@@ -1436,6 +1478,15 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
               message?: string;
           }
 
+          /**
+           * Set a custom home directory for attest-it configuration.
+           * This is useful for testing or running with isolated state.
+           *
+           * @param dir - The directory to use, or null to reset to default
+           * @public
+           */
+          export declare function setAttestItHomeDir(dir: null | string): void;
+
           /**
            * Set restrictive permissions on a private key file.
            * @param keyPath - Path to the private key

package/dist/core-unstripped.d.ts

@@ -765,6 +765,25 @@ export declare function generateKeyPair(options?: KeygenOptions): Promise<KeyPat
  */
 export declare function getActiveIdentity(config: LocalConfig): Identity | undefined;
 
+/**
+ * Get the attest-it configuration directory.
+ *
+ * If a home directory override is set via setAttestItHomeDir(),
+ * returns that directory. Otherwise returns ~/.config/attest-it.
+ *
+ * @returns Path to the configuration directory
+ * @public
+ */
+export declare function getAttestItConfigDir(): string;
+
+/**
+ * Get the current attest-it home directory override.
+ *
+ * @returns The override directory, or null if using default
+ * @public
+ */
+export declare function getAttestItHomeDir(): null | string;
+
 /**
  * Get all team members authorized to sign for a gate.
  *
@@ -802,7 +821,10 @@ export declare function getGate(config: AttestItConfig, gateId: string): GateCon
 /**
  * Get the path to the local config file.
  *
- * @returns Path to ~/.config/attest-it/config.yaml
+ * If a home directory override is set via setAttestItHomeDir(),
+ * returns {homeDir}/config.yaml. Otherwise returns ~/.config/attest-it/config.yaml.
+ *
+ * @returns Path to the local config file
  * @public
  */
 export declare function getLocalConfigPath(): string;
@@ -1084,6 +1106,17 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
               constructor(message: string, issues: z.ZodIssue[]);
           }
 
+          /**
+           * Information about a macOS keychain.
+           * @public
+           */
+          export declare interface MacOSKeychain {
+              /** Full path to the keychain file */
+              path: string;
+              /** Display name (filename without extension) */
+              name: string;
+          }
+
           /**
            * Key provider that stores private keys in macOS Keychain.
            *
@@ -1098,6 +1131,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
               readonly type = "macos-keychain";
               readonly displayName = "macOS Keychain";
               private readonly itemName;
+              private readonly keychain?;
               private static readonly ACCOUNT;
               /**
                * Create a new MacOSKeychainKeyProvider.
@@ -1109,6 +1143,11 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
                * Only available on macOS platforms.
                */
               static isAvailable(): boolean;
+              /**
+               * List available keychains on the system.
+               * @returns Array of keychain information
+               */
+              static listKeychains(): Promise<MacOSKeychain[]>;
               /**
                * Check if this provider is available on the current system.
                */
@@ -1144,6 +1183,8 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
           export declare interface MacOSKeychainKeyProviderOptions {
               /** Item name in keychain (e.g., "attest-it-private-key") */
               itemName: string;
+              /** Path to the keychain file (optional, uses default keychain if not specified) */
+              keychain?: string;
           }
 
           /**
@@ -1268,6 +1309,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
            */
           export declare type PrivateKeyRef = {
               account: string;
+              keychain?: string;
               service: string;
               type: 'keychain';
           } | {
@@ -1436,6 +1478,15 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
               message?: string;
           }
 
+          /**
+           * Set a custom home directory for attest-it configuration.
+           * This is useful for testing or running with isolated state.
+           *
+           * @param dir - The directory to use, or null to reset to default
+           * @public
+           */
+          export declare function setAttestItHomeDir(dir: null | string): void;
+
           /**
            * Set restrictive permissions on a private key file.
            * @param keyPath - Path to the private key

package/dist/index.cjs

@@ -1425,6 +1425,7 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
   type = "macos-keychain";
   displayName = "macOS Keychain";
   itemName;
+  keychain;
   static ACCOUNT = "attest-it";
   /**
    * Create a new MacOSKeychainKeyProvider.
@@ -1432,6 +1433,9 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
    */
   constructor(options) {
     this.itemName = options.itemName;
+    if (options.keychain !== void 0) {
+      this.keychain = options.keychain;
+    }
   }
   /**
    * Check if this provider is available.
@@ -1440,6 +1444,32 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
   static isAvailable() {
     return process.platform === "darwin";
   }
+  /**
+   * List available keychains on the system.
+   * @returns Array of keychain information
+   */
+  static async listKeychains() {
+    if (!_MacOSKeychainKeyProvider.isAvailable()) {
+      return [];
+    }
+    try {
+      const output = await execCommand2("security", ["list-keychains"]);
+      const keychains = [];
+      const lines = output.split("\n");
+      for (const line of lines) {
+        const match = /"(.+)"/.exec(line.trim());
+        if (match?.[1]) {
+          const fullPath = match[1];
+          const filename = fullPath.split("/").pop() ?? fullPath;
+          const name = filename.replace(/\.keychain(-db)?$/, "");
+          keychains.push({ path: fullPath, name });
+        }
+      }
+      return keychains;
+    } catch {
+      return [];
+    }
+  }
   /**
    * Check if this provider is available on the current system.
    */
@@ -1452,13 +1482,11 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
    */
   async keyExists(keyRef) {
     try {
-      await execCommand2("security", [
-        "find-generic-password",
-        "-a",
-        _MacOSKeychainKeyProvider.ACCOUNT,
-        "-s",
-        keyRef
-      ]);
+      const args = ["find-generic-password", "-a", _MacOSKeychainKeyProvider.ACCOUNT, "-s", keyRef];
+      if (this.keychain) {
+        args.push(this.keychain);
+      }
+      await execCommand2("security", args);
       return true;
     } catch {
       return false;
@@ -1479,14 +1507,18 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
     const tempDir = await fs2__namespace.mkdtemp(path2__namespace.join(os__namespace.tmpdir(), "attest-it-"));
     const tempKeyPath = path2__namespace.join(tempDir, "private.pem");
     try {
-      const base64Key = await execCommand2("security", [
+      const findArgs = [
         "find-generic-password",
         "-a",
         _MacOSKeychainKeyProvider.ACCOUNT,
         "-s",
         keyRef,
         "-w"
-      ]);
+      ];
+      if (this.keychain) {
+        findArgs.push(this.keychain);
+      }
+      const base64Key = await execCommand2("security", findArgs);
       const keyContent = Buffer.from(base64Key, "base64").toString("utf8");
       await fs2__namespace.writeFile(tempKeyPath, keyContent, { mode: 384 });
       await setKeyPermissions(tempKeyPath);
@@ -1531,7 +1563,7 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
       });
       const privateKeyContent = await fs2__namespace.readFile(tempPrivateKeyPath, "utf8");
       const base64Key = Buffer.from(privateKeyContent, "utf8").toString("base64");
-      await execCommand2("security", [
+      const addArgs = [
         "add-generic-password",
         "-a",
         _MacOSKeychainKeyProvider.ACCOUNT,
@@ -1542,7 +1574,11 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
         "-T",
         "",
         "-U"
-      ]);
+      ];
+      if (this.keychain) {
+        addArgs.push(this.keychain);
+      }
+      await execCommand2("security", addArgs);
       await fs2__namespace.unlink(tempPrivateKeyPath);
       await fs2__namespace.rmdir(tempDir);
       return {
@@ -1659,6 +1695,13 @@ KeyProviderRegistry.register("macos-keychain", (config) => {
   }
   return new MacOSKeychainKeyProvider({ itemName });
 });
+var homeDirOverride = null;
+function setAttestItHomeDir(dir) {
+  homeDirOverride = dir;
+}
+function getAttestItHomeDir() {
+  return homeDirOverride;
+}
 var privateKeyRefSchema = zod.z.discriminatedUnion("type", [
   zod.z.object({
     type: zod.z.literal("file"),
@@ -1667,7 +1710,8 @@ var privateKeyRefSchema = zod.z.discriminatedUnion("type", [
   zod.z.object({
     type: zod.z.literal("keychain"),
     service: zod.z.string().min(1, "Service name cannot be empty"),
-    account: zod.z.string().min(1, "Account name cannot be empty")
+    account: zod.z.string().min(1, "Account name cannot be empty"),
+    keychain: zod.z.string().optional()
   }),
   zod.z.object({
     type: zod.z.literal("1password"),
@@ -1698,9 +1742,18 @@ var LocalConfigValidationError = class extends Error {
   }
 };
 function getLocalConfigPath() {
+  if (homeDirOverride) {
+    return path2.join(homeDirOverride, "config.yaml");
+  }
   const home = os.homedir();
   return path2.join(home, ".config", "attest-it", "config.yaml");
 }
+function getAttestItConfigDir() {
+  if (homeDirOverride) {
+    return homeDirOverride;
+  }
+  return path2.join(os.homedir(), ".config", "attest-it");
+}
 function parseLocalConfigContent(content) {
   let rawConfig;
   try {
@@ -1731,6 +1784,15 @@ function parseLocalConfigContent(content) {
           },
           ...identity.privateKey.field !== void 0 && { field: identity.privateKey.field }
         };
+      } else if (identity.privateKey.type === "keychain") {
+        privateKey = {
+          type: "keychain",
+          service: identity.privateKey.service,
+          account: identity.privateKey.account,
+          ...identity.privateKey.keychain !== void 0 && {
+            keychain: identity.privateKey.keychain
+          }
+        };
       } else {
         privateKey = identity.privateKey;
       }
@@ -2134,6 +2196,8 @@ exports.findTeamMemberByPublicKey = findTeamMemberByPublicKey;
 exports.generateEd25519KeyPair = generateKeyPair2;
 exports.generateKeyPair = generateKeyPair;
 exports.getActiveIdentity = getActiveIdentity;
+exports.getAttestItConfigDir = getAttestItConfigDir;
+exports.getAttestItHomeDir = getAttestItHomeDir;
 exports.getAuthorizedSignersForGate = getAuthorizedSignersForGate;
 exports.getDefaultPrivateKeyPath = getDefaultPrivateKeyPath;
 exports.getDefaultPublicKeyPath = getDefaultPublicKeyPath;
@@ -2156,6 +2220,7 @@ exports.removeAttestation = removeAttestation;
 exports.resolveConfigPaths = resolveConfigPaths;
 exports.saveLocalConfig = saveLocalConfig;
 exports.saveLocalConfigSync = saveLocalConfigSync;
+exports.setAttestItHomeDir = setAttestItHomeDir;
 exports.setKeyPermissions = setKeyPermissions;
 exports.sign = sign;
 exports.signEd25519 = sign3;