@bounded-systems/conformance-kit 0.2.0 → 0.4.0

@@ -0,0 +1,10 @@
1
+ {
2
+ "name": "@conformance-kit/integrity-verify",
3
+ "version": "0.1.0",
4
+ "private": true,
5
+ "description": "Standalone, offline cryptographic verifier — checks a site serves bytes matching its keyless-signed manifest (sigstore-js, in-process bundle verify).",
6
+ "type": "module",
7
+ "bin": { "verify": "./verify.mjs" },
8
+ "dependencies": { "sigstore": "^2.3.1" },
9
+ "engines": { "node": ">=20" }
10
+ }
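Review bot: `sigstore` is the only dependency of a verifier whose whole purpose is to decide trust, yet it is declared as a caret range (`"sigstore": "^2.3.1"`), so the code performing signature, Fulcio-chain and Rekor checks can change on any fresh install without a change to this package. For a standalone, offline verifier an exact pin (`"sigstore": "2.3.1"`) plus a committed lockfile keeps the verification logic reproducible; if a range is intentional, a one-line comment in the README explaining the policy would help. The bin name `verify` is also very generic and will shadow or be shadowed by any other `verify` on PATH once the package is linked; a namespaced name in the style of the parent kit's `ck-*` commands would avoid that.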
@@ -22,7 +22,7 @@
22
22
  // npm-publishable (with its own Sigstore provenance) — the same core a browser
23
23
  // extension or CI policy would consume.
24
24
  import { readFile } from "node:fs/promises";
25
- import { createHash } from "node:crypto";
25
+ import { createHash, X509Certificate } from "node:crypto";
26
26
  import { join } from "node:path";
27
27
  import { verify as sigstoreVerify } from "sigstore";
28
28
 
@@ -77,8 +77,13 @@ if (provenance?.builtAt) {
77
77
 
78
78
  // 1: cryptographic bundle verification, in-process, offline
79
79
  try {
80
- const signer = await sigstoreVerify(bundle, manifest, { certificateIssuer: ISSUER });
81
- const san = signer?.identity?.subjectAlternativeName || "";
80
+ // sigstore-js verify() throws on any crypto failure (signature / Fulcio chain / Rekor
81
+ // inclusion) and returns nothing — so the identity SAN is read from the bundle's leaf cert.
82
+ await sigstoreVerify(bundle, manifest, { certificateIssuer: ISSUER });
83
+ const certB64 = bundle.verificationMaterial?.certificate?.rawBytes
84
+ || bundle.verificationMaterial?.x509CertificateChain?.certificates?.[0]?.rawBytes;
85
+ if (!certB64) throw new Error("no signing certificate in bundle");
86
+ const san = (new X509Certificate(Buffer.from(certB64, "base64")).subjectAltName || "").replace(/^URI:/, "");
82
87
  if (!new RegExp(identityRe).test(san)) throw new Error(`cert identity ${san} !~ ${identityRe}`);
83
88
  log(true, `bundle verified — signature + Fulcio cert + Rekor inclusion (offline), identity ${san}`);
84
89
  } catch (e) {
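Review bot: The identity check on new lines 86-87 tests `identityRe` unanchored against the whole `subjectAltName` string, which Node's `X509Certificate` returns as the comma-joined list of every SAN entry (`URI:…, email:…`) rather than the single identity the removed `signer.identity.subjectAlternativeName` supplied; `.replace(/^URI:/, "")` therefore only strips the first entry's prefix, and a pattern without `^…$` accepts any substring of any entry, including a longer identity that merely contains the expected one. Pick the URI entry explicitly and anchor the pattern so only a complete identity passes, as below (double anchoring is harmless if callers already anchor `identityRe`). If the expected identity is a fixed URI rather than a pattern, sigstore-js can enforce it inside the verified chain through the `certificateIdentityURI` verify option, which removes the need to re-parse the leaf here at all. The `try` opened at new line 79 has its `catch` body continuing past the end of the hunk.
```javascript
await sigstoreVerify(bundle, manifest, { certificateIssuer: ISSUER });
// … unchanged: certB64 extraction and "no signing certificate in bundle" check …
const leaf = new X509Certificate(Buffer.from(certB64, "base64"));
// subjectAltName is the comma-joined list of all SAN entries; use the URI entry only
const san = (leaf.subjectAltName || "").split(", ").find((s) => s.startsWith("URI:"))?.slice("URI:".length) ?? "";
// anchor so a partial match inside a longer identity cannot pass
if (!new RegExp(`^(?:${identityRe})$`).test(san)) throw new Error(`cert identity ${san} !~ ${identityRe}`);
```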
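--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@bounded-systems/conformance-kit",
- "version": "0.2.0",
+ "version": "0.4.0",
  "description": "Standalone, site-agnostic web-conformance toolkit: integrity tooling + build gates + provenance generators, all parameterized so a site vendors one kit instead of duplicating scripts.",
  "type": "module",
  "license": "MIT",
@@ -9,24 +9,26 @@
  "url": "git+https://github.com/bounded-systems/conformance-kit.git"
  },
  "bin": {
- "ck-gen-sitemanifest": "./integrity/gen-sitemanifest.mjs",
- "ck-gen-provenance": "./integrity/gen-provenance.mjs",
- "ck-verify-site": "./integrity/verify-site.mjs",
- "ck-http-probe": "./integrity/http-probe.mjs",
- "ck-structure-audit": "./integrity/structure-audit/audit.mjs",
- "ck-gen-sbom": "./gates/sbom/gen-sbom.mjs",
- "ck-check-sbom": "./gates/sbom/check-sbom.mjs",
- "ck-shacl-runner": "./gates/shacl-runner.mjs",
- "ck-seo-gate": "./gates/seo-gate.mjs",
- "ck-axe-gate": "./gates/axe-gate.mjs",
- "ck-vuln-gate": "./gates/vuln-gate.mjs",
- "ck-html-validator-gate": "./gates/html-validator-gate.mjs",
- "ck-baseline-gate": "./gates/baseline-gate.mjs",
- "ck-readability-gate": "./gates/readability-gate.mjs",
- "ck-commonmark-runner": "./gates/commonmark-runner.mjs",
- "ck-gen-cid": "./generators/gen-cid.mjs",
- "ck-gen-identity": "./generators/gen-identity.mjs",
- "ck-gen-snapshots": "./generators/gen-snapshots.mjs"
+ "ck-gen-sitemanifest": "integrity/gen-sitemanifest.mjs",
+ "ck-gen-provenance": "integrity/gen-provenance.mjs",
+ "ck-verify-site": "integrity/verify-site.mjs",
+ "ck-http-probe": "integrity/http-probe.mjs",
+ "ck-structure-audit": "integrity/structure-audit/audit.mjs",
+ "ck-gen-sbom": "gates/sbom/gen-sbom.mjs",
+ "ck-check-sbom": "gates/sbom/check-sbom.mjs",
+ "ck-shacl-runner": "gates/shacl-runner.mjs",
+ "ck-seo-gate": "gates/seo-gate.mjs",
+ "ck-axe-gate": "gates/axe-gate.mjs",
+ "ck-vuln-gate": "gates/vuln-gate.mjs",
+ "ck-html-validator-gate": "gates/html-validator-gate.mjs",
+ "ck-baseline-gate": "gates/baseline-gate.mjs",
+ "ck-palette-gate": "gates/palette-gate.mjs",
+ "ck-jargon-gate": "gates/jargon-gate.mjs",
+ "ck-readability-gate": "gates/readability-gate.mjs",
+ "ck-commonmark-runner": "gates/commonmark-runner.mjs",
+ "ck-gen-cid": "generators/gen-cid.mjs",
+ "ck-gen-identity": "generators/gen-identity.mjs",
+ "ck-gen-snapshots": "generators/gen-snapshots.mjs"
  },
  "scripts": {
  "test": "node test/run.mjs"
@@ -57,6 +59,7 @@
  "dependencies": {
  "@mozilla/readability": "^0.5.0",
  "@zazuko/env-node": "^2.1.5",
+ "an-array-of-english-words": "^2.0.0",
  "axe-core": "^4.10.0",
  "jsonld": "^9.0.0",
  "linkedom": "^0.18.0",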