@attest-it/core 0.6.0 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{chunk-VC3BBBBO.js → chunk-FGYLU2HL.js} +47 -9
- package/dist/chunk-FGYLU2HL.js.map +1 -0
- package/dist/core-alpha.d.ts +117 -6
- package/dist/core-beta.d.ts +117 -6
- package/dist/core-public.d.ts +117 -6
- package/dist/core-unstripped.d.ts +117 -6
- package/dist/crypto-SSL7OBY2.js +3 -0
- package/dist/{crypto-CE2YISRD.js.map → crypto-SSL7OBY2.js.map} +1 -1
- package/dist/index.cjs +163 -37
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +111 -7
- package/dist/index.d.ts +111 -7
- package/dist/index.js +141 -60
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
- package/dist/chunk-VC3BBBBO.js.map +0 -1
- package/dist/crypto-CE2YISRD.js +0 -3
|
@@ -62,6 +62,8 @@ export declare interface AttestItSettings {
|
|
|
62
62
|
publicKeyPath: string;
|
|
63
63
|
/** Path to the attestations file */
|
|
64
64
|
attestationsPath: string;
|
|
65
|
+
/** Path to the seals file */
|
|
66
|
+
sealsPath: string;
|
|
65
67
|
/** Default command to execute for attestation (can be overridden per suite) */
|
|
66
68
|
defaultCommand?: string;
|
|
67
69
|
/** Key provider configuration for signing attestations */
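Review bot: The new `sealsPath` field on `AttestItSettings` is documented only as "Path to the seals file", which leaves open whether it is absolute or relative and, if relative, what it is resolved against; the `readSeals`/`writeSeals` signatures elsewhere in this diff take both a `dir` and this override, so the base matters. Since the seals file is what verification consumes, the default should also be stated, e.g. `/** Path to the seals file (default: .attest-it/seals.json, resolved relative to the project root — TODO confirm against readSeals) */`. The `AttestItSettings` interface begins and ends outside this hunk.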
|
|
@@ -226,6 +228,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
226
228
|
}>>;
|
|
227
229
|
maxAgeDays: z.ZodDefault<z.ZodNumber>;
|
|
228
230
|
publicKeyPath: z.ZodDefault<z.ZodString>;
|
|
231
|
+
sealsPath: z.ZodDefault<z.ZodString>;
|
|
229
232
|
}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
|
|
230
233
|
attestationsPath: z.ZodDefault<z.ZodString>;
|
|
231
234
|
defaultCommand: z.ZodOptional<z.ZodString>;
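Review bot: `sealsPath` is added with a default to a settings object that is typed `"passthrough"` a few lines below the insertion, so a misspelt key such as `sealPath` in the operational settings is neither rejected nor applied and the default seals file is read instead of the one the author intended. The policy-side schema later in this diff is declared `"strict"` and would reject such a key; if the operational schema is meant to stay passthrough, it is worth documenting that unknown settings keys are ignored, or warning on unrecognised keys that closely match a known one. This is a generated `.d.ts` expansion, so the change belongs in the Zod schema source rather than here.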
|
|
@@ -266,6 +269,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
266
269
|
}>>;
|
|
267
270
|
maxAgeDays: z.ZodDefault<z.ZodNumber>;
|
|
268
271
|
publicKeyPath: z.ZodDefault<z.ZodString>;
|
|
272
|
+
sealsPath: z.ZodDefault<z.ZodString>;
|
|
269
273
|
}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
|
|
270
274
|
attestationsPath: z.ZodDefault<z.ZodString>;
|
|
271
275
|
defaultCommand: z.ZodOptional<z.ZodString>;
|
|
@@ -306,6 +310,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
306
310
|
}>>;
|
|
307
311
|
maxAgeDays: z.ZodDefault<z.ZodNumber>;
|
|
308
312
|
publicKeyPath: z.ZodDefault<z.ZodString>;
|
|
313
|
+
sealsPath: z.ZodDefault<z.ZodString>;
|
|
309
314
|
}, z.ZodTypeAny, "passthrough">>>;
|
|
310
315
|
suites: z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodEffects<z.ZodObject<{
|
|
311
316
|
command: z.ZodOptional<z.ZodString>;
|
|
@@ -428,6 +433,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
428
433
|
} | undefined;
|
|
429
434
|
maxAgeDays: number;
|
|
430
435
|
publicKeyPath: string;
|
|
436
|
+
sealsPath: string;
|
|
431
437
|
} & { [k: string]: unknown };
|
|
432
438
|
suites: Record<string, {
|
|
433
439
|
command?: string | undefined;
|
|
@@ -500,6 +506,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
500
506
|
}>>;
|
|
501
507
|
maxAgeDays: z.ZodDefault<z.ZodNumber>;
|
|
502
508
|
publicKeyPath: z.ZodDefault<z.ZodString>;
|
|
509
|
+
sealsPath: z.ZodDefault<z.ZodString>;
|
|
503
510
|
}, z.ZodTypeAny, "passthrough">;
|
|
504
511
|
suites: Record<string, {
|
|
505
512
|
command?: string | undefined;
|
|
@@ -817,6 +824,14 @@ export declare function getDefaultPrivateKeyPath(): string;
|
|
|
817
824
|
*/
|
|
818
825
|
export declare function getDefaultPublicKeyPath(): string;
|
|
819
826
|
|
|
827
|
+
/**
|
|
828
|
+
* Get the default YubiKey encrypted key path based on OS.
|
|
829
|
+
* - macOS/Linux: ~/.config/attest-it/yubikey-private.enc
|
|
830
|
+
* - Windows: %APPDATA%\attest-it\yubikey-private.enc
|
|
831
|
+
* @public
|
|
832
|
+
*/
|
|
833
|
+
export declare function getDefaultYubiKeyEncryptedKeyPath(): string;
|
|
834
|
+
|
|
820
835
|
/**
|
|
821
836
|
* Get the gate configuration for a given gate ID.
|
|
822
837
|
*
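Review bot: The docstring for `getDefaultYubiKeyEncryptedKeyPath` gives a location but says nothing about what "encrypted" means here (what wraps the blob, what is needed to unwrap it) or about file permissions, which is what a user deciding whether to back up or sync this file needs. I would add `* The returned path is only a location; callers creating the file should restrict its permissions (see setKeyPermissions) — TODO document the wrapping scheme`, since `setKeyPermissions` is exported from the same chunk in this diff. Separately, `%APPDATA%` is the Windows roaming profile, so this blob may be synchronised to other machines or a domain controller; if that is not intended, `%LOCALAPPDATA%` is the conventional non-roaming location, though this presumably mirrors the existing `getDefaultPrivateKeyPath` convention.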
|
|
@@ -827,6 +842,18 @@ export declare function getDefaultPublicKeyPath(): string;
|
|
|
827
842
|
*/
|
|
828
843
|
export declare function getGate(config: AttestItConfig, gateId: string): GateConfig | undefined;
|
|
829
844
|
|
|
845
|
+
/**
|
|
846
|
+
* Get the user's home public keys directory.
|
|
847
|
+
*
|
|
848
|
+
* This returns ~/.attest-it/public-keys, which is different from the
|
|
849
|
+
* config directory (~/.config/attest-it). The public keys directory
|
|
850
|
+
* is designed to be easily shareable and discoverable.
|
|
851
|
+
*
|
|
852
|
+
* @returns Path to the user's home public keys directory
|
|
853
|
+
* @public
|
|
854
|
+
*/
|
|
855
|
+
export declare function getHomePublicKeysDir(): string;
|
|
856
|
+
|
|
830
857
|
/**
|
|
831
858
|
* Get the path to the local config file.
|
|
832
859
|
*
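Review bot: The docstring for `getHomePublicKeysDir` calls the directory "easily shareable and discoverable" without saying whether keys found there are consulted when verifying seals; the sibling `getProjectPublicKeysDir` in this diff is explicit that its directory is used for verification, so the omission stands out. If the home directory is also a trust source, that should be stated, because anything that can write to `~/.attest-it/public-keys` can then add a trusted signer; if it is only a staging area for the `savePublicKey` helpers, say that instead. A sentence like `* Keys here are published for sharing; verification only consults the project directory — TODO confirm` would settle it either way.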
|
|
@@ -855,6 +882,19 @@ export declare function getPreference<K extends keyof UserPreferences>(key: K):
|
|
|
855
882
|
*/
|
|
856
883
|
export declare function getPreferencesPath(): string;
|
|
857
884
|
|
|
885
|
+
/**
|
|
886
|
+
* Get the project public keys directory.
|
|
887
|
+
*
|
|
888
|
+
* This returns .attest-it/public-keys relative to the given project root.
|
|
889
|
+
* The project public keys directory is used for CI/GitHub Actions to
|
|
890
|
+
* verify attestation seals.
|
|
891
|
+
*
|
|
892
|
+
* @param projectRoot - The project root directory (defaults to cwd)
|
|
893
|
+
* @returns Path to the project public keys directory
|
|
894
|
+
* @public
|
|
895
|
+
*/
|
|
896
|
+
export declare function getProjectPublicKeysDir(projectRoot?: string): string;
|
|
897
|
+
|
|
858
898
|
/**
|
|
859
899
|
* Extract the public key from an Ed25519 private key.
|
|
860
900
|
*
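Review bot: The docstring says `.attest-it/public-keys` under the project root is what CI uses to verify attestation seals, which means the trust anchors live in the same tree as the seals they validate; a pull request that adds a new `<slug>.pem` and a seal signed by it verifies against itself unless the key directory is protected by branch rules or CODEOWNERS, or CI pins the expected key set. That caveat belongs in the docstring, e.g. `* Keys in this directory are trust anchors: protect it with review rules so a single change cannot add a signer and a matching seal`. The `cwd` default also means a CI job started from a subdirectory silently looks in the wrong place, so callers should be told to pass the repository root explicitly.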
|
|
@@ -865,6 +905,15 @@ export declare function getPreferencesPath(): string;
|
|
|
865
905
|
*/
|
|
866
906
|
export declare function getPublicKeyFromPrivate(privateKeyPem: string): string;
|
|
867
907
|
|
|
908
|
+
/**
|
|
909
|
+
* Check if a project has attest-it configuration.
|
|
910
|
+
*
|
|
911
|
+
* @param projectRoot - The project root directory (defaults to cwd)
|
|
912
|
+
* @returns True if the project has .attest-it/config.yaml or similar
|
|
913
|
+
* @public
|
|
914
|
+
*/
|
|
915
|
+
export declare function hasProjectConfig(projectRoot?: string): boolean;
|
|
916
|
+
|
|
868
917
|
/**
|
|
869
918
|
* A single identity configuration.
|
|
870
919
|
* @public
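Review bot: `hasProjectConfig` is documented as true when the project has `.attest-it/config.yaml` "or similar", which is too vague for a predicate that `savePublicKey` in this same diff uses to decide whether to write a key into the project tree. Please enumerate the file names that count (and whether a `.yml` variant or a local config file qualifies), e.g. `@returns True if <projectRoot>/.attest-it/config.yaml exists — TODO list any other accepted names`. Callers otherwise cannot predict when a public key will be dropped into a repository.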
|
|
@@ -904,6 +953,8 @@ export declare interface KeyGenerationResult {
|
|
|
904
953
|
publicKeyPath: string;
|
|
905
954
|
/** Human-readable storage location description */
|
|
906
955
|
storageDescription: string;
|
|
956
|
+
/** Whether the private key is encrypted with a passphrase */
|
|
957
|
+
encrypted?: boolean;
|
|
907
958
|
}
|
|
908
959
|
|
|
909
960
|
/**
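Review bot: `encrypted?: boolean` on `KeyGenerationResult` conflates "not encrypted" with "unknown", since an absent value reads as false to most callers; given that `KeygenProviderOptions.passphrase` in this diff is filesystem-only, a provider that ignores the passphrase and omits this flag would leave the caller believing the key is protected. I would make the field required (`encrypted: boolean;`) or document the tri-state explicitly: `/** Whether the private key is encrypted with a passphrase; undefined means the provider does not report this */`. The interface header lies outside the hunk.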
|
|
@@ -917,6 +968,8 @@ export declare interface KeygenOptions {
|
|
|
917
968
|
publicPath?: string;
|
|
918
969
|
/** Overwrite existing keys (default: false) */
|
|
919
970
|
force?: boolean;
|
|
971
|
+
/** Passphrase to encrypt the private key with AES-256 (optional) */
|
|
972
|
+
passphrase?: string;
|
|
920
973
|
}
|
|
921
974
|
|
|
922
975
|
/**
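Review bot: The `passphrase` doc on `KeygenOptions` says the private key is encrypted "with AES-256" but not in what container or with which key-derivation function, and those determine how much a weak passphrase actually protects; if this is Node's PKCS#8 `privateKeyEncoding` with `cipher`/`passphrase`, the KDF and iteration count come from OpenSSL defaults and should be stated. A fuller line would be `/** Passphrase used to encrypt the private key at rest (PKCS#8, AES-256; KDF per OpenSSL defaults — TODO confirm). Ignored by non-filesystem key providers; check KeyGenerationResult.encrypted */`. The second sentence matters because the provider-level option two hunks down is documented as filesystem-only while this one is not.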
|
|
@@ -928,6 +981,8 @@ export declare interface KeygenProviderOptions {
|
|
|
928
981
|
publicKeyPath: string;
|
|
929
982
|
/** Overwrite existing keys */
|
|
930
983
|
force?: boolean;
|
|
984
|
+
/** Passphrase to encrypt the private key (filesystem provider only) */
|
|
985
|
+
passphrase?: string;
|
|
931
986
|
}
|
|
932
987
|
|
|
933
988
|
/**
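Review bot: `passphrase` is documented as "filesystem provider only", which implies other providers silently ignore it; a user who supplies a passphrase to a provider that cannot honour it ends up with an unencrypted key while believing otherwise. Silently dropping a requested protection is the wrong default — the provider should reject the option (`throw new Error('passphrase is not supported by this key provider')`) or the contract should require `KeyGenerationResult.encrypted` to be set to `false` so callers can detect it. Either way the comment should say which: `/** Passphrase to encrypt the private key; non-filesystem providers throw if set — TODO confirm */`.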
|
|
@@ -1229,7 +1284,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1229
1284
|
* The merge strategy prioritizes security-critical fields from the policy
|
|
1230
1285
|
* configuration while combining operational fields from both sources:
|
|
1231
1286
|
*
|
|
1232
|
-
* - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath) are used as-is
|
|
1287
|
+
* - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath, sealsPath) are used as-is
|
|
1233
1288
|
* - **Operational settings** (defaultCommand, keyProvider) are added from operational config
|
|
1234
1289
|
* - **Team and gates** come exclusively from policy config
|
|
1235
1290
|
* - **Suites and groups** come exclusively from operational config
|
|
@@ -1262,6 +1317,8 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1262
1317
|
url: string;
|
|
1263
1318
|
/** User UUID */
|
|
1264
1319
|
user_uuid: string;
|
|
1320
|
+
/** Human-readable account name (e.g., "North Family") */
|
|
1321
|
+
name?: string;
|
|
1265
1322
|
}
|
|
1266
1323
|
|
|
1267
1324
|
/**
|
|
@@ -1292,7 +1349,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1292
1349
|
static isInstalled(): Promise<boolean>;
|
|
1293
1350
|
/**
|
|
1294
1351
|
* List all 1Password accounts.
|
|
1295
|
-
* @returns Array of account information
|
|
1352
|
+
* @returns Array of account information including human-readable names
|
|
1296
1353
|
*/
|
|
1297
1354
|
static listAccounts(): Promise<OnePasswordAccount[]>;
|
|
1298
1355
|
/**
|
|
@@ -1664,14 +1721,17 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1664
1721
|
attestationsPath: z.ZodDefault<z.ZodString>;
|
|
1665
1722
|
maxAgeDays: z.ZodDefault<z.ZodNumber>;
|
|
1666
1723
|
publicKeyPath: z.ZodDefault<z.ZodString>;
|
|
1724
|
+
sealsPath: z.ZodDefault<z.ZodString>;
|
|
1667
1725
|
}, "strict", z.ZodTypeAny, {
|
|
1668
1726
|
attestationsPath: string;
|
|
1669
1727
|
maxAgeDays: number;
|
|
1670
1728
|
publicKeyPath: string;
|
|
1729
|
+
sealsPath: string;
|
|
1671
1730
|
}, {
|
|
1672
1731
|
attestationsPath?: string | undefined;
|
|
1673
1732
|
maxAgeDays?: number | undefined;
|
|
1674
1733
|
publicKeyPath?: string | undefined;
|
|
1734
|
+
sealsPath?: string | undefined;
|
|
1675
1735
|
}>>;
|
|
1676
1736
|
team: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
1677
1737
|
email: z.ZodOptional<z.ZodString>;
|
|
@@ -1705,6 +1765,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1705
1765
|
attestationsPath: string;
|
|
1706
1766
|
maxAgeDays: number;
|
|
1707
1767
|
publicKeyPath: string;
|
|
1768
|
+
sealsPath: string;
|
|
1708
1769
|
};
|
|
1709
1770
|
team?: Record<string, {
|
|
1710
1771
|
email?: string | undefined;
|
|
@@ -1728,6 +1789,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1728
1789
|
attestationsPath?: string | undefined;
|
|
1729
1790
|
maxAgeDays?: number | undefined;
|
|
1730
1791
|
publicKeyPath?: string | undefined;
|
|
1792
|
+
sealsPath?: string | undefined;
|
|
1731
1793
|
} | undefined;
|
|
1732
1794
|
team?: Record<string, {
|
|
1733
1795
|
email?: string | undefined;
|
|
@@ -1811,21 +1873,23 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1811
1873
|
* Read seals from the seals.json file (async).
|
|
1812
1874
|
*
|
|
1813
1875
|
* @param dir - Directory containing .attest-it/seals.json
|
|
1876
|
+
* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
|
|
1814
1877
|
* @returns The seals file contents, or an empty seals file if the file doesn't exist
|
|
1815
1878
|
* @throws Error if file exists but cannot be read or parsed
|
|
1816
1879
|
* @public
|
|
1817
1880
|
*/
|
|
1818
|
-
export declare function readSeals(dir: string): Promise<SealsFile>;
|
|
1881
|
+
export declare function readSeals(dir: string, sealsPathOverride?: string): Promise<SealsFile>;
|
|
1819
1882
|
|
|
1820
1883
|
/**
|
|
1821
1884
|
* Read seals from the seals.json file (sync).
|
|
1822
1885
|
*
|
|
1823
1886
|
* @param dir - Directory containing .attest-it/seals.json
|
|
1887
|
+
* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
|
|
1824
1888
|
* @returns The seals file contents, or an empty seals file if the file doesn't exist
|
|
1825
1889
|
* @throws Error if file exists but cannot be read or parsed
|
|
1826
1890
|
* @public
|
|
1827
1891
|
*/
|
|
1828
|
-
export declare function readSealsSync(dir: string): SealsFile;
|
|
1892
|
+
export declare function readSealsSync(dir: string, sealsPathOverride?: string): SealsFile;
|
|
1829
1893
|
|
|
1830
1894
|
/**
|
|
1831
1895
|
* Options for reading and verifying signed attestations.
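Review bot: The new `sealsPathOverride` on `readSeals`/`readSealsSync` is described as an explicit path, but the doc does not say whether a relative value is resolved against `dir`, the process cwd, or the config file's location, and `dir` keeps its "directory containing .attest-it/seals.json" description as if it were still consulted when an override is given. The existing "empty seals file if missing" behaviour is also riskier for an explicitly configured path: a typo in `settings.sealsPath` now yields zero seals rather than an error, which in a verification flow is a silent fail-open unless the caller treats "no seal" as failure. I would document resolution (`@param sealsPathOverride - Explicit seals file path; relative paths are resolved against dir — TODO confirm`) and consider throwing when an override is given but the file does not exist.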
|
|
@@ -1891,6 +1955,49 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1891
1955
|
*/
|
|
1892
1956
|
export declare function savePreferences(preferences: UserPreferences): Promise<void>;
|
|
1893
1957
|
|
|
1958
|
+
/**
|
|
1959
|
+
* Save a public key to the user's home directory and optionally to the project directory.
|
|
1960
|
+
*
|
|
1961
|
+
* This saves the public key as a base64-encoded string (matching the format in config.yaml)
|
|
1962
|
+
* to:
|
|
1963
|
+
* 1. ~/.attest-it/public-keys/<slug>.pem (always)
|
|
1964
|
+
* 2. ./.attest-it/public-keys/<slug>.pem (if project has attest-it config)
|
|
1965
|
+
*
|
|
1966
|
+
* @param slug - The identity slug (used for the filename)
|
|
1967
|
+
* @param publicKey - The base64-encoded public key
|
|
1968
|
+
* @param projectRoot - The project root directory (defaults to cwd)
|
|
1969
|
+
* @returns Paths where the key was saved
|
|
1970
|
+
* @public
|
|
1971
|
+
*/
|
|
1972
|
+
export declare function savePublicKey(slug: string, publicKey: string, projectRoot?: string): Promise<SavePublicKeyResult>;
|
|
1973
|
+
|
|
1974
|
+
/**
|
|
1975
|
+
* Result from saving public keys.
|
|
1976
|
+
* @public
|
|
1977
|
+
*/
|
|
1978
|
+
export declare interface SavePublicKeyResult {
|
|
1979
|
+
/** Path where the key was saved in the user's home directory */
|
|
1980
|
+
homePath: string;
|
|
1981
|
+
/** Path where the key was saved in the project directory, if applicable */
|
|
1982
|
+
projectPath?: string;
|
|
1983
|
+
}
|
|
1984
|
+
|
|
1985
|
+
/**
|
|
1986
|
+
* Save a public key to the user's home directory and optionally to the project directory (sync).
|
|
1987
|
+
*
|
|
1988
|
+
* This saves the public key as a base64-encoded string (matching the format in config.yaml)
|
|
1989
|
+
* to:
|
|
1990
|
+
* 1. ~/.attest-it/public-keys/<slug>.pem (always)
|
|
1991
|
+
* 2. ./.attest-it/public-keys/<slug>.pem (if project has attest-it config)
|
|
1992
|
+
*
|
|
1993
|
+
* @param slug - The identity slug (used for the filename)
|
|
1994
|
+
* @param publicKey - The base64-encoded public key
|
|
1995
|
+
* @param projectRoot - The project root directory (defaults to cwd)
|
|
1996
|
+
* @returns Paths where the key was saved
|
|
1997
|
+
* @public
|
|
1998
|
+
*/
|
|
1999
|
+
export declare function savePublicKeySync(slug: string, publicKey: string, projectRoot?: string): SavePublicKeyResult;
|
|
2000
|
+
|
|
1894
2001
|
/**
|
|
1895
2002
|
* A seal represents a cryptographic attestation that a gate's fingerprint
|
|
1896
2003
|
* was signed by an authorized team member.
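Review bot: `savePublicKey`/`savePublicKeySync` derive the output filename from `slug` with no stated constraint, so a slug containing `/`, `\` or `..` would write outside `public-keys` into the home or project tree; the docstring should make the precondition explicit and the implementation should enforce it by rejecting anything that is not a single path segment. The contract also omits overwrite semantics — `KeygenOptions` has a `force` flag, but here an existing `<slug>.pem` is presumably replaced, which matters when the project copy is a verification trust anchor. Finally, the file holds a bare base64 string under a `.pem` extension, which is not PEM; either wrap it in `-----BEGIN PUBLIC KEY-----` armour or choose an extension that does not promise PEM. Suggested doc line: `@param slug - Identity slug, used verbatim as the filename; must be a single path segment (no separators or "..")`.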
|
|
@@ -2020,6 +2127,8 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
2020
2127
|
keyRef?: string;
|
|
2021
2128
|
/** Data to sign (string or Buffer) */
|
|
2022
2129
|
data: Buffer | string;
|
|
2130
|
+
/** Passphrase for encrypted private keys (optional) */
|
|
2131
|
+
passphrase?: string;
|
|
2023
2132
|
}
|
|
2024
2133
|
|
|
2025
2134
|
/**
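Review bot: The `passphrase` option on the signing request says "for encrypted private keys" but not what happens in the two mismatch cases — an encrypted key with no passphrase, and a plaintext key with one supplied — nor whether a wrong passphrase surfaces as a distinguishable error rather than a generic signing failure. Because a silent fallback here could mean signing with a key the caller did not expect, I would document it: `/** Passphrase to decrypt the private key when keyRef points at an encrypted key; required for encrypted keys, ignored otherwise — TODO confirm */`. The secret also travels as a plain `string` in an options object, so callers should be warned not to log these options. The enclosing interface starts outside the hunk.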
|
|
@@ -2332,20 +2441,22 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
2332
2441
|
*
|
|
2333
2442
|
* @param dir - Directory containing .attest-it/seals.json
|
|
2334
2443
|
* @param sealsFile - The seals file to write
|
|
2444
|
+
* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
|
|
2335
2445
|
* @throws Error if file cannot be written
|
|
2336
2446
|
* @public
|
|
2337
2447
|
*/
|
|
2338
|
-
export declare function writeSeals(dir: string, sealsFile: SealsFile): Promise<void>;
|
|
2448
|
+
export declare function writeSeals(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): Promise<void>;
|
|
2339
2449
|
|
|
2340
2450
|
/**
|
|
2341
2451
|
* Write seals to the seals.json file (sync).
|
|
2342
2452
|
*
|
|
2343
2453
|
* @param dir - Directory containing .attest-it/seals.json
|
|
2344
2454
|
* @param sealsFile - The seals file to write
|
|
2455
|
+
* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
|
|
2345
2456
|
* @throws Error if file cannot be written
|
|
2346
2457
|
* @public
|
|
2347
2458
|
*/
|
|
2348
|
-
export declare function writeSealsSync(dir: string, sealsFile: SealsFile): void;
|
|
2459
|
+
export declare function writeSealsSync(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): void;
|
|
2349
2460
|
|
|
2350
2461
|
/**
|
|
2351
2462
|
* Write attestations with a cryptographic signature.
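Review bot: `writeSeals`/`writeSealsSync` gain the same `sealsPathOverride` as the readers, and the doc again leaves relative-path resolution unstated; read and write must agree or the tool will write seals to one file and verify against another. Because the seals file is the artifact CI trusts, the docstring should also say whether the write creates missing parent directories and whether it is atomic (write to a temporary file and rename), since a crash mid-write otherwise leaves a truncated JSON file that `readSeals` will then reject. Suggested line: `@param sealsPathOverride - Explicit seals file path; resolved the same way as in readSeals (relative to dir — TODO confirm); parent directories are created`.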
|
|
@@ -0,0 +1,3 @@
|
|
|
1
|
+
export { checkOpenSSL, generateKeyPair, getDefaultPrivateKeyPath, getDefaultPublicKeyPath, getDefaultYubiKeyEncryptedKeyPath, setKeyPermissions, sign, verify } from './chunk-FGYLU2HL.js';
|
|
2
|
+
//# sourceMappingURL=crypto-SSL7OBY2.js.map
|
|
3
|
+
//# sourceMappingURL=crypto-SSL7OBY2.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":[],"names":[],"mappings":"","file":"crypto-
|
|
1
|
+
{"version":3,"sources":[],"names":[],"mappings":"","file":"crypto-SSL7OBY2.js"}
|