@attest-it/core 0.7.0 → 0.9.0
- package/dist/{chunk-T3NLSO5B.js → chunk-FGYLU2HL.js} +38 -8
- package/dist/chunk-FGYLU2HL.js.map +1 -0
- package/dist/core-alpha.d.ts +58 -18
- package/dist/core-beta.d.ts +58 -18
- package/dist/core-public.d.ts +58 -18
- package/dist/core-unstripped.d.ts +58 -18
- package/dist/crypto-SSL7OBY2.js +3 -0
- package/dist/{crypto-VT6YNHUE.js.map → crypto-SSL7OBY2.js.map} +1 -1
- package/dist/index.cjs +85 -53
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +58 -18
- package/dist/index.d.ts +58 -18
- package/dist/index.js +76 -74
- package/dist/index.js.map +1 -1
- package/package.json +3 -1
- package/dist/chunk-T3NLSO5B.js.map +0 -1
- package/dist/crypto-VT6YNHUE.js +0 -3
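--- a/package/dist/core-beta.d.ts
+++ b/package/dist/core-beta.d.ts
@@ -62,6 +62,8 @@ export declare interface AttestItSettings {
 publicKeyPath: string;
 /** Path to the attestations file */
 attestationsPath: string;
+/** Path to the seals file */
+sealsPath: string;
 /** Default command to execute for attestation (can be overridden per suite) */
 defaultCommand?: string;
 /** Key provider configuration for signing attestations */
@@ -226,6 +228,7 @@ declare const configSchema: z.ZodObject<{
 }>>;
 maxAgeDays: z.ZodDefault<z.ZodNumber>;
 publicKeyPath: z.ZodDefault<z.ZodString>;
+sealsPath: z.ZodDefault<z.ZodString>;
 }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
 attestationsPath: z.ZodDefault<z.ZodString>;
 defaultCommand: z.ZodOptional<z.ZodString>;
@@ -266,6 +269,7 @@ declare const configSchema: z.ZodObject<{
 }>>;
 maxAgeDays: z.ZodDefault<z.ZodNumber>;
 publicKeyPath: z.ZodDefault<z.ZodString>;
+sealsPath: z.ZodDefault<z.ZodString>;
 }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
 attestationsPath: z.ZodDefault<z.ZodString>;
 defaultCommand: z.ZodOptional<z.ZodString>;
@@ -306,6 +310,7 @@ declare const configSchema: z.ZodObject<{
 }>>;
 maxAgeDays: z.ZodDefault<z.ZodNumber>;
 publicKeyPath: z.ZodDefault<z.ZodString>;
+sealsPath: z.ZodDefault<z.ZodString>;
 }, z.ZodTypeAny, "passthrough">>>;
 suites: z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodEffects<z.ZodObject<{
 command: z.ZodOptional<z.ZodString>;
@@ -390,16 +395,19 @@ declare const configSchema: z.ZodObject<{
 github: z.ZodOptional<z.ZodString>;
 name: z.ZodString;
 publicKey: z.ZodString;
+publicKeyAlgorithm: z.ZodOptional<z.ZodEnum<["ed25519"]>>;
 }, "strict", z.ZodTypeAny, {
 email?: string | undefined;
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }, {
 email?: string | undefined;
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }>>>;
 version: z.ZodLiteral<1>;
 }, "strict", z.ZodTypeAny, {
@@ -428,6 +436,7 @@ declare const configSchema: z.ZodObject<{
 } | undefined;
 maxAgeDays: number;
 publicKeyPath: string;
+sealsPath: string;
 } & { [k: string]: unknown };
 suites: Record<string, {
 command?: string | undefined;
@@ -446,6 +455,7 @@ declare const configSchema: z.ZodObject<{
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }> | undefined;
 version: 1;
 }, {
@@ -500,6 +510,7 @@ declare const configSchema: z.ZodObject<{
 }>>;
 maxAgeDays: z.ZodDefault<z.ZodNumber>;
 publicKeyPath: z.ZodDefault<z.ZodString>;
+sealsPath: z.ZodDefault<z.ZodString>;
 }, z.ZodTypeAny, "passthrough">;
 suites: Record<string, {
 command?: string | undefined;
@@ -518,6 +529,7 @@ declare const configSchema: z.ZodObject<{
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }> | undefined;
 version: 1;
 }>;
@@ -878,9 +890,8 @@ export declare function getPreferencesPath(): string;
 /**
 * Get the project public keys directory.
 *
-*
-*
-* verify attestation seals.
+* @deprecated Public keys are now stored inline in the team section of config.yaml.
+* This function is kept for backward compatibility but should not be used in new code.
 *
 * @param projectRoot - The project root directory (defaults to cwd)
 * @returns Path to the project public keys directory
@@ -901,6 +912,9 @@ export declare function getPublicKeyFromPrivate(privateKeyPem: string): string;
 /**
 * Check if a project has attest-it configuration.
 *
+* @deprecated This function is kept for backward compatibility but is no longer used
+* by the core library. Public keys are now stored inline in config.yaml.
+*
 * @param projectRoot - The project root directory (defaults to cwd)
 * @returns True if the project has .attest-it/config.yaml or similar
 * @public
@@ -946,6 +960,8 @@ export declare interface KeyGenerationResult {
 publicKeyPath: string;
 /** Human-readable storage location description */
 storageDescription: string;
+/** Whether the private key is encrypted with a passphrase */
+encrypted?: boolean;
 }
 
 /**
@@ -959,6 +975,8 @@ export declare interface KeygenOptions {
 publicPath?: string;
 /** Overwrite existing keys (default: false) */
 force?: boolean;
+/** Passphrase to encrypt the private key with AES-256 (optional) */
+passphrase?: string;
 }
 
 /**
@@ -970,6 +988,8 @@ export declare interface KeygenProviderOptions {
 publicKeyPath: string;
 /** Overwrite existing keys */
 force?: boolean;
+/** Passphrase to encrypt the private key (filesystem provider only) */
+passphrase?: string;
 }
 
 /**
@@ -1271,7 +1291,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 * The merge strategy prioritizes security-critical fields from the policy
 * configuration while combining operational fields from both sources:
 *
-* - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath) are used as-is
+* - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath, sealsPath) are used as-is
 * - **Operational settings** (defaultCommand, keyProvider) are added from operational config
 * - **Team and gates** come exclusively from policy config
 * - **Suites and groups** come exclusively from operational config
@@ -1708,30 +1728,36 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 attestationsPath: z.ZodDefault<z.ZodString>;
 maxAgeDays: z.ZodDefault<z.ZodNumber>;
 publicKeyPath: z.ZodDefault<z.ZodString>;
+sealsPath: z.ZodDefault<z.ZodString>;
 }, "strict", z.ZodTypeAny, {
 attestationsPath: string;
 maxAgeDays: number;
 publicKeyPath: string;
+sealsPath: string;
 }, {
 attestationsPath?: string | undefined;
 maxAgeDays?: number | undefined;
 publicKeyPath?: string | undefined;
+sealsPath?: string | undefined;
 }>>;
 team: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
 email: z.ZodOptional<z.ZodString>;
 github: z.ZodOptional<z.ZodString>;
 name: z.ZodString;
 publicKey: z.ZodString;
+publicKeyAlgorithm: z.ZodOptional<z.ZodLiteral<"ed25519">>;
 }, "strict", z.ZodTypeAny, {
 email?: string | undefined;
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }, {
 email?: string | undefined;
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }>>>;
 version: z.ZodLiteral<1>;
 }, "strict", z.ZodTypeAny, {
@@ -1749,12 +1775,14 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 attestationsPath: string;
 maxAgeDays: number;
 publicKeyPath: string;
+sealsPath: string;
 };
 team?: Record<string, {
 email?: string | undefined;
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }> | undefined;
 version: 1;
 }, {
@@ -1772,12 +1800,14 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 attestationsPath?: string | undefined;
 maxAgeDays?: number | undefined;
 publicKeyPath?: string | undefined;
+sealsPath?: string | undefined;
 } | undefined;
 team?: Record<string, {
 email?: string | undefined;
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }> | undefined;
 version: 1;
 }>;
@@ -1855,21 +1885,23 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 * Read seals from the seals.json file (async).
 *
 * @param dir - Directory containing .attest-it/seals.json
+* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
 * @returns The seals file contents, or an empty seals file if the file doesn't exist
 * @throws Error if file exists but cannot be read or parsed
 * @public
 */
-export declare function readSeals(dir: string): Promise<SealsFile>;
+export declare function readSeals(dir: string, sealsPathOverride?: string): Promise<SealsFile>;
 
 /**
 * Read seals from the seals.json file (sync).
 *
 * @param dir - Directory containing .attest-it/seals.json
+* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
 * @returns The seals file contents, or an empty seals file if the file doesn't exist
 * @throws Error if file exists but cannot be read or parsed
 * @public
 */
-export declare function readSealsSync(dir: string): SealsFile;
+export declare function readSealsSync(dir: string, sealsPathOverride?: string): SealsFile;
 
 /**
 * Options for reading and verifying signed attestations.
@@ -1936,16 +1968,17 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 export declare function savePreferences(preferences: UserPreferences): Promise<void>;
 
 /**
-* Save a public key to the user's home directory
+* Save a public key to the user's home directory.
 *
 * This saves the public key as a base64-encoded string (matching the format in config.yaml)
-* to
-*
-*
+* to ~/.attest-it/public-keys/<slug>.pem for backup purposes.
+*
+* Public keys are now stored inline in the team section of config.yaml and no longer
+* written to the project directory.
 *
 * @param slug - The identity slug (used for the filename)
 * @param publicKey - The base64-encoded public key
-* @param projectRoot - The project root directory (
+* @param projectRoot - The project root directory (deprecated, kept for backward compatibility)
 * @returns Paths where the key was saved
 * @public
 */
@@ -1963,16 +1996,17 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 }
 
 /**
-* Save a public key to the user's home directory
+* Save a public key to the user's home directory (sync).
 *
 * This saves the public key as a base64-encoded string (matching the format in config.yaml)
-* to
-*
-*
+* to ~/.attest-it/public-keys/<slug>.pem for backup purposes.
+*
+* Public keys are now stored inline in the team section of config.yaml and no longer
+* written to the project directory.
 *
 * @param slug - The identity slug (used for the filename)
 * @param publicKey - The base64-encoded public key
-* @param projectRoot - The project root directory (
+* @param projectRoot - The project root directory (deprecated, kept for backward compatibility)
 * @returns Paths where the key was saved
 * @public
 */
@@ -2107,6 +2141,8 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 keyRef?: string;
 /** Data to sign (string or Buffer) */
 data: Buffer | string;
+/** Passphrase for encrypted private keys (optional) */
+passphrase?: string;
 }
 
 /**
@@ -2171,6 +2207,8 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 github?: string | undefined;
 /** Base64-encoded Ed25519 public key */
 publicKey: string;
+/** Public key algorithm (optional, for future-proofing format changes) */
+publicKeyAlgorithm?: 'ed25519' | undefined;
 }
 
 /**
@@ -2419,20 +2457,22 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 *
 * @param dir - Directory containing .attest-it/seals.json
 * @param sealsFile - The seals file to write
+* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
 * @throws Error if file cannot be written
 * @public
 */
-export declare function writeSeals(dir: string, sealsFile: SealsFile): Promise<void>;
+export declare function writeSeals(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): Promise<void>;
 
 /**
 * Write seals to the seals.json file (sync).
 *
 * @param dir - Directory containing .attest-it/seals.json
 * @param sealsFile - The seals file to write
+* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
 * @throws Error if file cannot be written
 * @public
 */
-export declare function writeSealsSync(dir: string, sealsFile: SealsFile): void;
+export declare function writeSealsSync(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): void;
 
 /**
 * Write attestations with a cryptographic signature.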
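--- a/package/dist/core-public.d.ts
+++ b/package/dist/core-public.d.ts
@@ -62,6 +62,8 @@ export declare interface AttestItSettings {
 publicKeyPath: string;
 /** Path to the attestations file */
 attestationsPath: string;
+/** Path to the seals file */
+sealsPath: string;
 /** Default command to execute for attestation (can be overridden per suite) */
 defaultCommand?: string;
 /** Key provider configuration for signing attestations */
@@ -226,6 +228,7 @@ declare const configSchema: z.ZodObject<{
 }>>;
 maxAgeDays: z.ZodDefault<z.ZodNumber>;
 publicKeyPath: z.ZodDefault<z.ZodString>;
+sealsPath: z.ZodDefault<z.ZodString>;
 }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
 attestationsPath: z.ZodDefault<z.ZodString>;
 defaultCommand: z.ZodOptional<z.ZodString>;
@@ -266,6 +269,7 @@ declare const configSchema: z.ZodObject<{
 }>>;
 maxAgeDays: z.ZodDefault<z.ZodNumber>;
 publicKeyPath: z.ZodDefault<z.ZodString>;
+sealsPath: z.ZodDefault<z.ZodString>;
 }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
 attestationsPath: z.ZodDefault<z.ZodString>;
 defaultCommand: z.ZodOptional<z.ZodString>;
@@ -306,6 +310,7 @@ declare const configSchema: z.ZodObject<{
 }>>;
 maxAgeDays: z.ZodDefault<z.ZodNumber>;
 publicKeyPath: z.ZodDefault<z.ZodString>;
+sealsPath: z.ZodDefault<z.ZodString>;
 }, z.ZodTypeAny, "passthrough">>>;
 suites: z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodEffects<z.ZodObject<{
 command: z.ZodOptional<z.ZodString>;
@@ -390,16 +395,19 @@ declare const configSchema: z.ZodObject<{
 github: z.ZodOptional<z.ZodString>;
 name: z.ZodString;
 publicKey: z.ZodString;
+publicKeyAlgorithm: z.ZodOptional<z.ZodEnum<["ed25519"]>>;
 }, "strict", z.ZodTypeAny, {
 email?: string | undefined;
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }, {
 email?: string | undefined;
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }>>>;
 version: z.ZodLiteral<1>;
 }, "strict", z.ZodTypeAny, {
@@ -428,6 +436,7 @@ declare const configSchema: z.ZodObject<{
 } | undefined;
 maxAgeDays: number;
 publicKeyPath: string;
+sealsPath: string;
 } & { [k: string]: unknown };
 suites: Record<string, {
 command?: string | undefined;
@@ -446,6 +455,7 @@ declare const configSchema: z.ZodObject<{
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }> | undefined;
 version: 1;
 }, {
@@ -500,6 +510,7 @@ declare const configSchema: z.ZodObject<{
 }>>;
 maxAgeDays: z.ZodDefault<z.ZodNumber>;
 publicKeyPath: z.ZodDefault<z.ZodString>;
+sealsPath: z.ZodDefault<z.ZodString>;
 }, z.ZodTypeAny, "passthrough">;
 suites: Record<string, {
 command?: string | undefined;
@@ -518,6 +529,7 @@ declare const configSchema: z.ZodObject<{
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }> | undefined;
 version: 1;
 }>;
@@ -878,9 +890,8 @@ export declare function getPreferencesPath(): string;
 /**
 * Get the project public keys directory.
 *
-*
-*
-* verify attestation seals.
+* @deprecated Public keys are now stored inline in the team section of config.yaml.
+* This function is kept for backward compatibility but should not be used in new code.
 *
 * @param projectRoot - The project root directory (defaults to cwd)
 * @returns Path to the project public keys directory
@@ -901,6 +912,9 @@ export declare function getPublicKeyFromPrivate(privateKeyPem: string): string;
 /**
 * Check if a project has attest-it configuration.
 *
+* @deprecated This function is kept for backward compatibility but is no longer used
+* by the core library. Public keys are now stored inline in config.yaml.
+*
 * @param projectRoot - The project root directory (defaults to cwd)
 * @returns True if the project has .attest-it/config.yaml or similar
 * @public
@@ -946,6 +960,8 @@ export declare interface KeyGenerationResult {
 publicKeyPath: string;
 /** Human-readable storage location description */
 storageDescription: string;
+/** Whether the private key is encrypted with a passphrase */
+encrypted?: boolean;
 }
 
 /**
@@ -959,6 +975,8 @@ export declare interface KeygenOptions {
 publicPath?: string;
 /** Overwrite existing keys (default: false) */
 force?: boolean;
+/** Passphrase to encrypt the private key with AES-256 (optional) */
+passphrase?: string;
 }
 
 /**
@@ -970,6 +988,8 @@ export declare interface KeygenProviderOptions {
 publicKeyPath: string;
 /** Overwrite existing keys */
 force?: boolean;
+/** Passphrase to encrypt the private key (filesystem provider only) */
+passphrase?: string;
 }
 
 /**
@@ -1271,7 +1291,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 * The merge strategy prioritizes security-critical fields from the policy
 * configuration while combining operational fields from both sources:
 *
-* - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath) are used as-is
+* - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath, sealsPath) are used as-is
 * - **Operational settings** (defaultCommand, keyProvider) are added from operational config
 * - **Team and gates** come exclusively from policy config
 * - **Suites and groups** come exclusively from operational config
@@ -1708,30 +1728,36 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 attestationsPath: z.ZodDefault<z.ZodString>;
 maxAgeDays: z.ZodDefault<z.ZodNumber>;
 publicKeyPath: z.ZodDefault<z.ZodString>;
+sealsPath: z.ZodDefault<z.ZodString>;
 }, "strict", z.ZodTypeAny, {
 attestationsPath: string;
 maxAgeDays: number;
 publicKeyPath: string;
+sealsPath: string;
 }, {
 attestationsPath?: string | undefined;
 maxAgeDays?: number | undefined;
 publicKeyPath?: string | undefined;
+sealsPath?: string | undefined;
 }>>;
 team: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
 email: z.ZodOptional<z.ZodString>;
 github: z.ZodOptional<z.ZodString>;
 name: z.ZodString;
 publicKey: z.ZodString;
+publicKeyAlgorithm: z.ZodOptional<z.ZodLiteral<"ed25519">>;
 }, "strict", z.ZodTypeAny, {
 email?: string | undefined;
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }, {
 email?: string | undefined;
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }>>>;
 version: z.ZodLiteral<1>;
 }, "strict", z.ZodTypeAny, {
@@ -1749,12 +1775,14 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 attestationsPath: string;
 maxAgeDays: number;
 publicKeyPath: string;
+sealsPath: string;
 };
 team?: Record<string, {
 email?: string | undefined;
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }> | undefined;
 version: 1;
 }, {
@@ -1772,12 +1800,14 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 attestationsPath?: string | undefined;
 maxAgeDays?: number | undefined;
 publicKeyPath?: string | undefined;
+sealsPath?: string | undefined;
 } | undefined;
 team?: Record<string, {
 email?: string | undefined;
 github?: string | undefined;
 name: string;
 publicKey: string;
+publicKeyAlgorithm?: "ed25519" | undefined;
 }> | undefined;
 version: 1;
 }>;
@@ -1855,21 +1885,23 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 * Read seals from the seals.json file (async).
 *
 * @param dir - Directory containing .attest-it/seals.json
+* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
 * @returns The seals file contents, or an empty seals file if the file doesn't exist
 * @throws Error if file exists but cannot be read or parsed
 * @public
 */
-export declare function readSeals(dir: string): Promise<SealsFile>;
+export declare function readSeals(dir: string, sealsPathOverride?: string): Promise<SealsFile>;
 
 /**
 * Read seals from the seals.json file (sync).
 *
 * @param dir - Directory containing .attest-it/seals.json
+* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
 * @returns The seals file contents, or an empty seals file if the file doesn't exist
 * @throws Error if file exists but cannot be read or parsed
 * @public
 */
-export declare function readSealsSync(dir: string): SealsFile;
+export declare function readSealsSync(dir: string, sealsPathOverride?: string): SealsFile;
 
 /**
 * Options for reading and verifying signed attestations.
@@ -1936,16 +1968,17 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 export declare function savePreferences(preferences: UserPreferences): Promise<void>;
 
 /**
-* Save a public key to the user's home directory
+* Save a public key to the user's home directory.
 *
 * This saves the public key as a base64-encoded string (matching the format in config.yaml)
-* to
-*
-*
+* to ~/.attest-it/public-keys/<slug>.pem for backup purposes.
+*
+* Public keys are now stored inline in the team section of config.yaml and no longer
+* written to the project directory.
 *
 * @param slug - The identity slug (used for the filename)
 * @param publicKey - The base64-encoded public key
-* @param projectRoot - The project root directory (
+* @param projectRoot - The project root directory (deprecated, kept for backward compatibility)
 * @returns Paths where the key was saved
 * @public
 */
@@ -1963,16 +1996,17 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 }
 
 /**
-* Save a public key to the user's home directory
+* Save a public key to the user's home directory (sync).
 *
 * This saves the public key as a base64-encoded string (matching the format in config.yaml)
-* to
-*
-*
+* to ~/.attest-it/public-keys/<slug>.pem for backup purposes.
+*
+* Public keys are now stored inline in the team section of config.yaml and no longer
+* written to the project directory.
 *
 * @param slug - The identity slug (used for the filename)
 * @param publicKey - The base64-encoded public key
-* @param projectRoot - The project root directory (
+* @param projectRoot - The project root directory (deprecated, kept for backward compatibility)
 * @returns Paths where the key was saved
 * @public
 */
@@ -2107,6 +2141,8 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 keyRef?: string;
 /** Data to sign (string or Buffer) */
 data: Buffer | string;
+/** Passphrase for encrypted private keys (optional) */
+passphrase?: string;
 }
 
 /**
@@ -2171,6 +2207,8 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 github?: string | undefined;
 /** Base64-encoded Ed25519 public key */
 publicKey: string;
+/** Public key algorithm (optional, for future-proofing format changes) */
+publicKeyAlgorithm?: 'ed25519' | undefined;
 }
 
 /**
@@ -2419,20 +2457,22 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
 *
 * @param dir - Directory containing .attest-it/seals.json
 * @param sealsFile - The seals file to write
+* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
 * @throws Error if file cannot be written
 * @public
 */
-export declare function writeSeals(dir: string, sealsFile: SealsFile): Promise<void>;
+export declare function writeSeals(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): Promise<void>;
 
 /**
 * Write seals to the seals.json file (sync).
 *
 * @param dir - Directory containing .attest-it/seals.json
 * @param sealsFile - The seals file to write
+* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
 * @throws Error if file cannot be written
 * @public
 */
-export declare function writeSealsSync(dir: string, sealsFile: SealsFile): void;
+export declare function writeSealsSync(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): void;
 
 /**
 * Write attestations with a cryptographic signature.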
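Review bot: `KeygenOptions.passphrase` is documented as encrypting the private key "with AES-256", while the sibling `KeygenProviderOptions.passphrase` and the `passphrase` added next to `keyRef`/`data` in the signing options say nothing about the scheme; "AES-256" alone names neither the mode nor the key-derivation function, and the KDF is what decides how well an encrypted key file resists offline passphrase guessing. The declarations also accept a plain `string` with no guidance on how the passphrase should reach the process, and a command-line flag would leak it through process listings and shell history. I would align the three comments on one text naming the real format, e.g. `/** Passphrase protecting the private key (PKCS#8 encrypted PEM; see keygen for the cipher and KDF used). Supply it via an environment variable or interactive prompt, not a CLI argument, and never log it. */`, with the cipher/KDF filled in from the implementation, which is not in this declaration file. Separately, the two schema declarations type the same field differently — `z.ZodEnum<["ed25519"]>` in `configSchema` versus `z.ZodLiteral<"ed25519">` in the later schema — which is equivalent today but will silently diverge once a second algorithm is added, so one shared definition is preferable.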