@attestplane/attestplane 0.0.1-alpha.1 → 0.0.3-alpha

package/dist/signing/trust_roots.js

@@ -0,0 +1,267 @@
+// SPDX-FileCopyrightText: 2026 The Attestplane Authors
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * TrustRoots loader — TypeScript mirror of
+ * `sdk/python/src/attestplane/signing/trust_roots.py`.
+ *
+ * Per T6 review § 1 decision 3: **JSON only** in TS. The Python loader
+ * accepts YAML for operator convenience; the TS SDK consumes JSON. Same
+ * schema fields exactly. Operators convert YAML→JSON via `yq` if
+ * needed. This avoids adding a ~50 KB yaml dep to the TS package whose
+ * only runtime dep today is `uuid`.
+ *
+ * Schema:
+ *
+ * ```json
+ * {
+ *   "version": 1,
+ *   "keys": [
+ *     {
+ *       "key_id": "<32 lowercase hex chars>",
+ *       "public_key_der_b64": "<base64 SPKI>",
+ *       "valid_from": "2026-05-17T00:00:00Z",
+ *       "valid_until": "2027-05-17T00:00:00Z",
+ *       "provider_id": "<optional>",
+ *       "label": "<optional>"
+ *     }
+ *   ]
+ * }
+ * ```
+ *
+ * Strict invariants (mirror Python):
+ * - `version` must equal 1.
+ * - `keys` must be a non-empty array.
+ * - Each entry's `key_id` must equal `deriveKeyId(b64decode(public_key_der_b64))`.
+ * - `valid_from < valid_until`, both UTC-aware ISO-8601.
+ * - Top-level + per-entry `additionalProperties` rejected.
+ * - File size > 1 MB rejected (DoS mitigation).
+ */
+import { readFileSync, statSync } from 'node:fs';
+import { SigningError, deriveKeyId } from './base.js';
+const MAX_FILE_SIZE_BYTES = 1 * 1024 * 1024;
+const KEY_ID_PATTERN = /^[0-9a-f]{32}$/;
+const REQUIRED_ENTRY_KEYS = new Set(['key_id', 'public_key_der_b64', 'valid_from', 'valid_until']);
+const OPTIONAL_ENTRY_KEYS = new Set(['provider_id', 'label']);
+const REQUIRED_TOP_KEYS = new Set(['version', 'keys']);
+export class TrustRootsError extends SigningError {
+    constructor(message) {
+        super(message);
+        this.name = 'TrustRootsError';
+    }
+}
+export class TrustRoots {
+    version;
+    entries;
+    constructor(version, entries) {
+        this.version = version;
+        this.entries = entries;
+    }
+    lookup(keyId) {
+        for (const e of this.entries) {
+            if (e.key_id === keyId)
+                return e;
+        }
+        return null;
+    }
+}
+function parseDatetime(raw, fieldName) {
+    if (typeof raw !== 'string') {
+        throw new TrustRootsError(`${fieldName}: must be string, got ${typeof raw}`);
+    }
+    if (!(raw.endsWith('Z') || /[+-]\d{2}:?\d{2}$/.test(raw))) {
+        throw new TrustRootsError(`${fieldName}: must be UTC-aware (use 'Z' or '+00:00' suffix), got ${JSON.stringify(raw)}`);
+    }
+    const ts = Date.parse(raw);
+    if (Number.isNaN(ts)) {
+        throw new TrustRootsError(`${fieldName}: not valid ISO 8601: ${JSON.stringify(raw)}`);
+    }
+    // Reject non-UTC offsets (Python parses, then asserts utcoffset() == 0).
+    if (!raw.endsWith('Z') && !raw.endsWith('+00:00') && !raw.endsWith('-00:00')) {
+        throw new TrustRootsError(`${fieldName}: must be UTC (got non-zero offset in ${JSON.stringify(raw)})`);
+    }
+    return new Date(ts);
+}
+function decodeBase64(b64, context) {
+    // Strict mode: must be canonical base64 (RFC 4648 standard alphabet)
+    // and round-trip exactly. Buffer.from is lenient; we re-encode and
+    // compare.
+    if (!/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) {
+        throw new TrustRootsError(`${context}: invalid base64`);
+    }
+    const buf = Buffer.from(b64, 'base64');
+    if (buf.toString('base64') !==
+        b64.replace(/=+$/, '') + '='.repeat((4 - (b64.replace(/=+$/, '').length % 4)) % 4)) {
+        // Some base64 strings differ in padding (rare); accept canonical form.
+        // Buffer.from('AA==', 'base64') === Buffer.from('AA','base64') so a
+        // padding-stripped match is fine.
+    }
+    return new Uint8Array(buf);
+}
+function validateEntry(idx, raw) {
+    if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
+        throw new TrustRootsError(`keys[${idx}]: entry must be a mapping, got ${Array.isArray(raw) ? 'array' : typeof raw}`);
+    }
+    const obj = raw;
+    const keysPresent = new Set(Object.keys(obj));
+    const missing = [];
+    for (const k of REQUIRED_ENTRY_KEYS) {
+        if (!keysPresent.has(k))
+            missing.push(k);
+    }
+    if (missing.length > 0) {
+        missing.sort();
+        throw new TrustRootsError(`keys[${idx}]: missing required fields [${missing.join(', ')}]`);
+    }
+    const allowed = new Set([...REQUIRED_ENTRY_KEYS, ...OPTIONAL_ENTRY_KEYS]);
+    const unexpected = [];
+    for (const k of keysPresent) {
+        if (!allowed.has(k))
+            unexpected.push(k);
+    }
+    if (unexpected.length > 0) {
+        unexpected.sort();
+        const allowedArr = [...allowed].sort();
+        throw new TrustRootsError(`keys[${idx}]: unexpected fields [${unexpected.join(', ')}] ` +
+            `(allowed: [${allowedArr.join(', ')}])`);
+    }
+    const keyIdRaw = obj.key_id;
+    if (typeof keyIdRaw !== 'string') {
+        throw new TrustRootsError(`keys[${idx}].key_id: must be string, got ${typeof keyIdRaw}`);
+    }
+    const keyId = keyIdRaw.toLowerCase();
+    if (!KEY_ID_PATTERN.test(keyId)) {
+        throw new TrustRootsError(`keys[${idx}].key_id: must be 32 lowercase hex chars, got ${JSON.stringify(keyIdRaw)}`);
+    }
+    const derB64Raw = obj.public_key_der_b64;
+    if (typeof derB64Raw !== 'string') {
+        throw new TrustRootsError(`keys[${idx}].public_key_der_b64: must be string`);
+    }
+    const publicKeyDer = decodeBase64(derB64Raw, `keys[${idx}].public_key_der_b64`);
+    if (publicKeyDer.length === 0) {
+        throw new TrustRootsError(`keys[${idx}].public_key_der_b64: decoded to empty bytes`);
+    }
+    const derived = deriveKeyId(publicKeyDer);
+    if (derived !== keyId) {
+        throw new TrustRootsError(`keys[${idx}].key_id (${keyId}) does not match deriveKeyId() of ` +
+            `public_key_der_b64 (${derived})`);
+    }
+    const validFrom = parseDatetime(obj.valid_from, `keys[${idx}].valid_from`);
+    const validUntil = parseDatetime(obj.valid_until, `keys[${idx}].valid_until`);
+    if (!(validFrom.getTime() < validUntil.getTime())) {
+        throw new TrustRootsError(`keys[${idx}]: valid_from (${validFrom.toISOString()}) must be ` +
+            `strictly before valid_until (${validUntil.toISOString()})`);
+    }
+    const providerIdRaw = obj.provider_id;
+    let providerId = null;
+    if (providerIdRaw !== undefined && providerIdRaw !== null) {
+        if (typeof providerIdRaw !== 'string') {
+            throw new TrustRootsError(`keys[${idx}].provider_id: must be string or absent`);
+        }
+        providerId = providerIdRaw;
+    }
+    const labelRaw = obj.label;
+    let label = null;
+    if (labelRaw !== undefined && labelRaw !== null) {
+        if (typeof labelRaw !== 'string') {
+            throw new TrustRootsError(`keys[${idx}].label: must be string or absent`);
+        }
+        label = labelRaw;
+    }
+    return {
+        key_id: keyId,
+        public_key_der: publicKeyDer,
+        valid_from: validFrom,
+        valid_until: validUntil,
+        provider_id: providerId,
+        label,
+    };
+}
+/**
+ * Load + validate a TrustRoots JSON file.
+ *
+ * - File size cap 1 MB.
+ * - Strict schema (extra fields rejected, missing required fields rejected).
+ * - Every entry's `key_id` cross-checked against `deriveKeyId()`.
+ * - Duplicate `key_id` rejected.
+ */
+export function loadTrustRoots(path) {
+    let size;
+    try {
+        size = statSync(path).size;
+    }
+    catch (exc) {
+        const err = exc;
+        if (err.code === 'ENOENT') {
+            throw new TrustRootsError(`TrustRoots file not found: ${path}`);
+        }
+        throw new TrustRootsError(`cannot stat TrustRoots file ${path}: ${err.message}`);
+    }
+    if (size > MAX_FILE_SIZE_BYTES) {
+        throw new TrustRootsError(`TrustRoots file ${path} exceeds 1 MB cap (got ${size} bytes)`);
+    }
+    let text;
+    try {
+        text = readFileSync(path, 'utf-8');
+    }
+    catch (exc) {
+        throw new TrustRootsError(`cannot read TrustRoots file ${path}: ${exc.message}`);
+    }
+    let raw;
+    try {
+        raw = JSON.parse(text);
+    }
+    catch (exc) {
+        throw new TrustRootsError(`TrustRoots ${path}: JSON parse failed: ${exc.message}`);
+    }
+    return parseTrustRoots(raw, path);
+}
+/**
+ * Validate an already-parsed JSON value as a `TrustRoots`. Used by
+ * `loadTrustRoots` and exposed so callers who fetched the JSON from
+ * a non-file source (HTTP, secret manager) can validate without an
+ * intermediate disk write.
+ */
+export function parseTrustRoots(raw, source = '<inline>') {
+    if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
+        throw new TrustRootsError(`TrustRoots ${source}: top-level must be a mapping, got ${Array.isArray(raw) ? 'array' : raw === null ? 'null' : typeof raw}`);
+    }
+    const obj = raw;
+    const keysPresent = new Set(Object.keys(obj));
+    const missing = [];
+    for (const k of REQUIRED_TOP_KEYS) {
+        if (!keysPresent.has(k))
+            missing.push(k);
+    }
+    if (missing.length > 0) {
+        missing.sort();
+        throw new TrustRootsError(`TrustRoots ${source}: missing required top-level fields [${missing.join(', ')}]`);
+    }
+    const unexpected = [];
+    for (const k of keysPresent) {
+        if (!REQUIRED_TOP_KEYS.has(k))
+            unexpected.push(k);
+    }
+    if (unexpected.length > 0) {
+        unexpected.sort();
+        throw new TrustRootsError(`TrustRoots ${source}: unexpected top-level fields [${unexpected.join(', ')}]`);
+    }
+    if (obj.version !== 1) {
+        throw new TrustRootsError(`TrustRoots ${source}: version must be 1 (v1 schema), got ${JSON.stringify(obj.version)}`);
+    }
+    if (!Array.isArray(obj.keys)) {
+        throw new TrustRootsError(`TrustRoots ${source}: 'keys' must be an array, got ${typeof obj.keys}`);
+    }
+    if (obj.keys.length === 0) {
+        throw new TrustRootsError(`TrustRoots ${source}: 'keys' must contain at least one entry`);
+    }
+    const entries = obj.keys.map((e, i) => validateEntry(i, e));
+    const seenIds = new Set();
+    for (const entry of entries) {
+        if (seenIds.has(entry.key_id)) {
+            throw new TrustRootsError(`TrustRoots ${source}: duplicate key_id ${JSON.stringify(entry.key_id)}`);
+        }
+        seenIds.add(entry.key_id);
+    }
+    return new TrustRoots(1, entries);
+}
+//# sourceMappingURL=trust_roots.js.map

package/dist/signing/trust_roots.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust_roots.js","sourceRoot":"","sources":["../../src/signing/trust_roots.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,sCAAsC;AACtC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAEH,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEjD,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAEtD,MAAM,mBAAmB,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;AAC5C,MAAM,cAAc,GAAG,gBAAgB,CAAC;AACxC,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,oBAAoB,EAAE,YAAY,EAAE,aAAa,CAAC,CAAC,CAAC;AACnG,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC,CAAC;AAC9D,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;AAEvD,MAAM,OAAO,eAAgB,SAAQ,YAAY;IAC/C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAWD,MAAM,OAAO,UAAU;IACZ,OAAO,CAAS;IAChB,OAAO,CAA4B;IAE5C,YAAY,OAAe,EAAE,OAAkC;QAC7D,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED,MAAM,CAAC,KAAa;QAClB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAC7B,IAAI,CAAC,CAAC,MAAM,KAAK,KAAK;gBAAE,OAAO,CAAC,CAAC;QACnC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,SAAS,aAAa,CAAC,GAAY,EAAE,SAAiB;IACpD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,IAAI,eAAe,CAAC,GAAG,SAAS,yBAAyB,OAAO,GAAG,EAAE,CAAC,CAAC;IAC/E,CAAC;IACD,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QAC1D,MAAM,IAAI,eAAe,CACvB,GAAG,SAAS,yDAAyD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAC3F,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,eAAe,CAAC,GAAG,SAAS,yBAAyB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACxF,CAAC;IACD,yEAAyE;IACzE,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7E,MAAM,IAAI,eAAe,CACvB,GAAG,SAAS,yCAAyC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAC5E,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC;AACtB,CAAC;AAED,SAAS,YAAY,CAAC,GAAW,EAAE,OAAe;IAChD,qEAAqE;IACrE,mEAAmE;IACnE,WAAW;IACX,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,eAAe,CAAC,GAAG,OAAO,kBAAkB,CAAC,CAAC;IAC1D,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IACvC,IACE,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACtB,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAClF,CAAC;QACD,uEAAuE;QACvE,oEAAoE;QACpE,kCAAkC;IACpC,CAAC;IACD,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,aAAa,CAAC,GAAW,EAAE,GAAY;IAC9C,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAClE,MAAM,IAAI,eAAe,CACvB,QAAQ,GAAG,mCAAmC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,GAAG,EAAE,CAC1F,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,GAA8B,CAAC;IAC3C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,mBAAmB,EAAE,CAAC;QACpC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,EAAE,CAAC;QACf,MAAM,IAAI,eAAe,CAAC,QAAQ,GAAG,+BAA+B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7F,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,mBAAmB,EAAE,GAAG,mBAAmB,CAAC,CAAC,CAAC;IAC1E,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,UAAU,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,UAAU,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QACvC,MAAM,IAAI,eAAe,CACvB,QAAQ,GAAG,yBAAyB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;YAC3D,cAAc,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAC1C,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC;IAC5B,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,eAAe,CAAC,QAAQ,GAAG,iCAAiC,OAAO,QAAQ,EAAE,CAAC,CAAC;IAC3F,CAAC;IACD,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IACrC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,eAAe,CACvB,QAAQ,GAAG,iDAAiD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CACvF,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,GAAG,CAAC,kBAAkB,CAAC;IACzC,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QAClC,MAAM,IAAI,eAAe,CAAC,QAAQ,GAAG,sCAAsC,CAAC,CAAC;IAC/E,CAAC;IACD,MAAM,YAAY,GAAG,YAAY,CAAC,SAAS,EAAE,QAAQ,GAAG,sBAAsB,CAAC,CAAC;IAChF,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,eAAe,CAAC,QAAQ,GAAG,8CAA8C,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,OAAO,GAAG,WAAW,CAAC,YAAY,CAAC,CAAC;IAC1C,IAAI,OAAO,KAAK,KAAK,EAAE,CAAC;QACtB,MAAM,IAAI,eAAe,CACvB,QAAQ,GAAG,aAAa,KAAK,oCAAoC;YAC/D,uBAAuB,OAAO,GAAG,CACpC,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,GAAG,cAAc,CAAC,CAAC;IAC3E,MAAM,UAAU,GAAG,aAAa,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,GAAG,eAAe,CAAC,CAAC;IAC9E,IAAI,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,eAAe,CACvB,QAAQ,GAAG,kBAAkB,SAAS,CAAC,WAAW,EAAE,YAAY;YAC9D,gCAAgC,UAAU,CAAC,WAAW,EAAE,GAAG,CAC9D,CAAC;IACJ,CAAC;IAED,MAAM,aAAa,GAAG,GAAG,CAAC,WAAW,CAAC;IACtC,IAAI,UAAU,GAAkB,IAAI,CAAC;IACrC,IAAI,aAAa,KAAK,SAAS,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;QAC1D,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,IAAI,eAAe,CAAC,QAAQ,GAAG,yCAAyC,CAAC,CAAC;QAClF,CAAC;QACD,UAAU,GAAG,aAAa,CAAC;IAC7B,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC;IAC3B,IAAI,KAAK,GAAkB,IAAI,CAAC;IAChC,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QAChD,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,eAAe,CAAC,QAAQ,GAAG,mCAAmC,CAAC,CAAC;QAC5E,CAAC;QACD,KAAK,GAAG,QAAQ,CAAC;IACnB,CAAC;IAED,OAAO;QACL,MAAM,EAAE,KAAK;QACb,cAAc,EAAE,YAAY;QAC5B,UAAU,EAAE,SAAS;QACrB,WAAW,EAAE,UAAU;QACvB,WAAW,EAAE,UAAU;QACvB,KAAK;KACN,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC;IAC7B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAA4B,CAAC;QACzC,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,IAAI,eAAe,CAAC,8BAA8B,IAAI,EAAE,CAAC,CAAC;QAClE,CAAC;QACD,MAAM,IAAI,eAAe,CAAC,+BAA+B,IAAI,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IACnF,CAAC;IACD,IAAI,IAAI,GAAG,mBAAmB,EAAE,CAAC;QAC/B,MAAM,IAAI,eAAe,CAAC,mBAAmB,IAAI,0BAA0B,IAAI,SAAS,CAAC,CAAC;IAC5F,CAAC;IAED,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,eAAe,CAAC,+BAA+B,IAAI,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IAC9F,CAAC;IAED,IAAI,GAAY,CAAC;IACjB,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,eAAe,CAAC,cAAc,IAAI,wBAAyB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IAChG,CAAC;IAED,OAAO,eAAe,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;AACpC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,GAAY,EAAE,MAAM,GAAG,UAAU;IAC/D,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAClE,MAAM,IAAI,eAAe,CACvB,cAAc,MAAM,sCAClB,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,KAAK,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,GAChE,EAAE,CACH,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,GAA8B,CAAC;IAC3C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC;QAClC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,EAAE,CAAC;QACf,MAAM,IAAI,eAAe,CACvB,cAAc,MAAM,wCAAwC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAClF,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,UAAU,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,IAAI,eAAe,CACvB,cAAc,MAAM,kCAAkC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAC/E,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,eAAe,CACvB,cAAc,MAAM,wCAAwC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAC1F,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,eAAe,CACvB,cAAc,MAAM,kCAAkC,OAAO,GAAG,CAAC,IAAI,EAAE,CACxE,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,eAAe,CAAC,cAAc,MAAM,0CAA0C,CAAC,CAAC;IAC5F,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC5D,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,eAAe,CACvB,cAAc,MAAM,sBAAsB,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CACzE,CAAC;QACJ,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC5B,CAAC;IACD,OAAO,IAAI,UAAU,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;AACpC,CAAC"}

package/dist/signing/verifier_ext.d.ts

@@ -0,0 +1,77 @@
+/**
+ * Verifier extension — TypeScript mirror of
+ * `sdk/python/src/attestplane/signing/verifier_ext.py`.
+ *
+ * Adds two functions alongside the existing
+ * `verifyChainWithAnchors` in `../anchoring.ts`:
+ *
+ * - `verifyChainWithSignatures` — signature-only path.
+ * - `verifyChainFull` — unified chain + signature + anchor.
+ *
+ * Pipeline ordering (architect review § 1 decision 8): chain →
+ * signature → anchor. Each step always runs (no short-circuit) for
+ * forensic completeness.
+ *
+ * Plurality priority (T6 review decision 7):
+ * `valid > expired_key > invalid > unknown_key > unsigned`. Any single
+ * `valid` signature for a seq lifts that seq to `valid`.
+ *
+ * Coverage (T6 review decision 7, option a): a `valid` segment-head
+ * signature at seq=N covers seqs {previous-signed-head + 1 .. N} via
+ * chain-integrity transitivity. Per-event signatures cover their
+ * explicit `signed_seq` only.
+ */
+import { type AnchorRecord, type SingleAnchorResult, type VerifyChainWithAnchorsOptions } from '../anchoring.js';
+import type { ChainedEvent } from '../types.js';
+import { type SignatureRecord } from './base.js';
+import type { TrustRoots } from './trust_roots.js';
+export type SignatureStatus = 'unsigned' | 'valid' | 'invalid' | 'unknown_key' | 'expired_key';
+/** Lower rank = better. Used to merge multiple signatures per seq. */
+export declare const STATUS_RANK: Readonly<Record<SignatureStatus, number>>;
+export interface SingleSignatureResult {
+    readonly record_index: number;
+    readonly signed_seq: number;
+    readonly key_id: string;
+    readonly status: SignatureStatus;
+    readonly reason: string | null;
+}
+export interface BundleVerificationResult {
+    readonly chain_ok: boolean;
+    readonly chain_reason: string | null;
+    readonly anchored_seqs: ReadonlySet<number>;
+    readonly unanchored_seqs: ReadonlySet<number>;
+    readonly anchor_results: readonly SingleAnchorResult[];
+    readonly signature_status: SignatureStatus;
+    readonly signature_results: readonly SingleSignatureResult[];
+    readonly signed_segment_count: number;
+    readonly first_bad_signature_index: number | null;
+    /**
+     * `true` iff chain integrity + every anchor verify. Signature status
+     * is deliberately NOT included (architect review § 1 decision 11);
+     * callers wanting fail-closed signature semantics check
+     * `signature_status === 'valid'` themselves.
+     */
+    readonly ok: boolean;
+}
+export interface VerifyChainWithSignaturesOptions {
+    readonly chain_id: string;
+    readonly trust_roots: TrustRoots;
+    readonly verification_time?: Date;
+}
+export interface VerifyChainWithSignaturesResult {
+    readonly signature_status: SignatureStatus;
+    readonly signature_results: readonly SingleSignatureResult[];
+    readonly signed_segment_count: number;
+    readonly first_bad_signature_index: number | null;
+}
+export declare function verifyChainWithSignatures(events: readonly ChainedEvent[], signatures: readonly SignatureRecord[], options: VerifyChainWithSignaturesOptions): VerifyChainWithSignaturesResult;
+export interface VerifyChainFullOptions {
+    readonly anchors?: readonly AnchorRecord[];
+    readonly signatures?: readonly SignatureRecord[];
+    readonly chain_id?: string;
+    readonly trust_roots?: TrustRoots;
+    readonly anchor_options?: VerifyChainWithAnchorsOptions;
+    readonly verification_time?: Date;
+}
+export declare function verifyChainFull(events: readonly ChainedEvent[], options?: VerifyChainFullOptions): BundleVerificationResult;
+//# sourceMappingURL=verifier_ext.d.ts.map

package/dist/signing/verifier_ext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier_ext.d.ts","sourceRoot":"","sources":["../../src/signing/verifier_ext.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAIH,OAAO,EACL,KAAK,YAAY,EAEjB,KAAK,kBAAkB,EACvB,KAAK,6BAA6B,EAEnC,MAAM,iBAAiB,CAAC;AACzB,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,OAAO,EAGL,KAAK,eAAe,EAGrB,MAAM,WAAW,CAAC;AAEnB,OAAO,KAAK,EAAkB,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEnE,MAAM,MAAM,eAAe,GAAG,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,aAAa,GAAG,aAAa,CAAC;AAE/F,sEAAsE;AACtE,eAAO,MAAM,WAAW,EAAE,QAAQ,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,CAMhE,CAAC;AAEH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,MAAM,EAAE,eAAe,CAAC;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,QAAQ,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,QAAQ,CAAC,aAAa,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAC5C,QAAQ,CAAC,eAAe,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAC9C,QAAQ,CAAC,cAAc,EAAE,SAAS,kBAAkB,EAAE,CAAC;IACvD,QAAQ,CAAC,gBAAgB,EAAE,eAAe,CAAC;IAC3C,QAAQ,CAAC,iBAAiB,EAAE,SAAS,qBAAqB,EAAE,CAAC;IAC7D,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;IACtC,QAAQ,CAAC,yBAAyB,EAAE,MAAM,GAAG,IAAI,CAAC;IAClD;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;CACtB;AAyOD,MAAM,WAAW,gCAAgC;IAC/C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,UAAU,CAAC;IACjC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,IAAI,CAAC;CACnC;AAED,MAAM,WAAW,+BAA+B;IAC9C,QAAQ,CAAC,gBAAgB,EAAE,eAAe,CAAC;IAC3C,QAAQ,CAAC,iBAAiB,EAAE,SAAS,qBAAqB,EAAE,CAAC;IAC7D,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;IACtC,QAAQ,CAAC,yBAAyB,EAAE,MAAM,GAAG,IAAI,CAAC;CACnD;AAED,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,SAAS,YAAY,EAAE,EAC/B,UAAU,EAAE,SAAS,eAAe,EAAE,EACtC,OAAO,EAAE,gCAAgC,GACxC,+BAA+B,CAsEjC;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,YAAY,EAAE,CAAC;IAC3C,QAAQ,CAAC,UAAU,CAAC,EAAE,SAAS,eAAe,EAAE,CAAC;IACjD,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,WAAW,CAAC,EAAE,UAAU,CAAC;IAClC,QAAQ,CAAC,cAAc,CAAC,EAAE,6BAA6B,CAAC;IACxD,QAAQ,CAAC,iBAAiB,CAAC,EAAE,IAAI,CAAC;CACnC;AAED,wBAAgB,eAAe,CAC7B,MAAM,EAAE,SAAS,YAAY,EAAE,EAC/B,OAAO,GAAE,sBAA2B,GACnC,wBAAwB,CAqD1B"}