@bradford-tech/supabase-integrity-attest 0.3.1 → 0.4.1

package/esm/src/errors.js

@@ -1,23 +1,48 @@
 // src/errors.ts
+/** Error codes returned by {@linkcode AttestationError}. */
 export var AttestationErrorCode;
 (function (AttestationErrorCode) {
+    /** CBOR decoding or structural validation failed. */
     AttestationErrorCode["INVALID_FORMAT"] = "INVALID_FORMAT";
+    /** X.509 certificate chain verification failed. */
     AttestationErrorCode["INVALID_CERTIFICATE_CHAIN"] = "INVALID_CERTIFICATE_CHAIN";
+    /** Computed nonce does not match the nonce in the leaf certificate. */
     AttestationErrorCode["NONCE_MISMATCH"] = "NONCE_MISMATCH";
+    /** RP ID hash does not match SHA-256 of the app ID. */
     AttestationErrorCode["RP_ID_MISMATCH"] = "RP_ID_MISMATCH";
+    /** Public key hash does not match the provided key ID. */
     AttestationErrorCode["KEY_ID_MISMATCH"] = "KEY_ID_MISMATCH";
+    /** Sign count is not zero (required for attestation). */
     AttestationErrorCode["INVALID_COUNTER"] = "INVALID_COUNTER";
+    /** AAGUID does not match the expected environment (production/development). */
     AttestationErrorCode["INVALID_AAGUID"] = "INVALID_AAGUID";
+    /**
+     * The `consumeChallenge` callback returned `false`, meaning the challenge
+     * was missing, expired, or already consumed. Used by {@linkcode withAttestation}.
+     */
+    AttestationErrorCode["CHALLENGE_INVALID"] = "CHALLENGE_INVALID";
+    /**
+     * An internal or storage callback error occurred (used by
+     * {@linkcode withAttestation}). The original error is attached via
+     * `Error.cause` and is deliberately NOT reflected in the HTTP response
+     * body to avoid leaking database schema or driver diagnostics.
+     */
+    AttestationErrorCode["INTERNAL_ERROR"] = "INTERNAL_ERROR";
 })(AttestationErrorCode || (AttestationErrorCode = {}));
+/** Thrown when attestation verification fails. */
 export class AttestationError extends Error {
-    constructor(code, message) {
-        super(message);
+    /** Create an AttestationError with a machine-readable code and human-readable message. */
+    constructor(
+    /** Machine-readable error code. */
+    code, message, options) {
+        super(message, options);
         Object.defineProperty(this, "code", {
             enumerable: true,
             configurable: true,
             writable: true,
             value: code
         });
+        /** Discriminant for `instanceof` checks in catch blocks. Always `"AttestationError"`. */
         Object.defineProperty(this, "name", {
             enumerable: true,
             configurable: true,
@@ -26,17 +51,35 @@ export class AttestationError extends Error {
         });
     }
 }
+/** Error codes returned by {@linkcode AssertionError}. */
 export var AssertionErrorCode;
 (function (AssertionErrorCode) {
+    /** CBOR decoding or structural validation failed. */
     AssertionErrorCode["INVALID_FORMAT"] = "INVALID_FORMAT";
+    /** RP ID hash does not match SHA-256 of the app ID. */
     AssertionErrorCode["RP_ID_MISMATCH"] = "RP_ID_MISMATCH";
+    /** Sign count was not greater than the previously stored value. */
     AssertionErrorCode["COUNTER_NOT_INCREMENTED"] = "COUNTER_NOT_INCREMENTED";
+    /** ECDSA signature verification failed. */
     AssertionErrorCode["SIGNATURE_INVALID"] = "SIGNATURE_INVALID";
+    /** No device key found for the given device ID (used by {@linkcode withAssertion}). */
     AssertionErrorCode["DEVICE_NOT_FOUND"] = "DEVICE_NOT_FOUND";
+    /** An internal or storage callback error occurred (used by {@linkcode withAssertion}). */
     AssertionErrorCode["INTERNAL_ERROR"] = "INTERNAL_ERROR";
+    /**
+     * The `commitSignCount` callback returned `false`, meaning another
+     * concurrent request already advanced the stored counter past this value.
+     * Indicates an expected race under concurrent load, not a client bug.
+     * Used by {@linkcode withAssertion}.
+     */
+    AssertionErrorCode["SIGN_COUNT_STALE"] = "SIGN_COUNT_STALE";
 })(AssertionErrorCode || (AssertionErrorCode = {}));
+/** Thrown when assertion verification fails. */
 export class AssertionError extends Error {
-    constructor(code, message, options) {
+    /** Create an AssertionError with a machine-readable code and human-readable message. */
+    constructor(
+    /** Machine-readable error code. */
+    code, message, options) {
         super(message, options);
         Object.defineProperty(this, "code", {
             enumerable: true,
@@ -44,6 +87,7 @@ export class AssertionError extends Error {
             writable: true,
             value: code
         });
+        /** Discriminant for `instanceof` checks in catch blocks. Always `"AssertionError"`. */
         Object.defineProperty(this, "name", {
             enumerable: true,
             configurable: true,

package/esm/src/with-assertion.d.ts

@@ -1,27 +1,89 @@
 import { AssertionError } from "./errors.js";
+/** Default HTTP header name for the base64-encoded assertion. */
 export declare const DEFAULT_ASSERTION_HEADER = "X-App-Attest-Assertion";
+/** Default HTTP header name for the device identifier. */
 export declare const DEFAULT_DEVICE_ID_HEADER = "X-App-Attest-Device-Id";
+/** Stored device key material returned by the `getDeviceKey` callback. */
 export type DeviceKey = {
+    /** PEM-encoded ECDSA P-256 public key from attestation. */
     publicKeyPem: string;
+    /** Last verified sign count for this device. */
     signCount: number;
 };
+/**
+ * Library-internal timing spans for an assertion verification, in
+ * milliseconds. Exposed on {@linkcode AssertionContext.timings} so the
+ * wrapped handler can emit them as part of its own Server-Timing response.
+ */
+export type AssertionTimings = {
+    /** Parse request headers and read raw body bytes. */
+    extractMs: number;
+    /** `getDeviceKey` callback wall-clock duration. */
+    getDeviceKeyMs: number;
+    /** Cryptographic verification (CBOR decode, ECDSA verify, counter check). */
+    verifyMs: number;
+    /** `commitSignCount` callback wall-clock duration. */
+    commitMs: number;
+};
+/** Context passed to the inner handler after successful assertion verification. */
 export type AssertionContext = {
+    /** Device identifier from the request. */
     deviceId: string;
+    /** Updated sign count after verification. */
     signCount: number;
+    /** Raw request body bytes (the client data that was signed). */
     rawBody: Uint8Array;
+    /** Library-internal timings, ready to merge into Server-Timing. */
+    timings: AssertionTimings;
 };
+/** Custom function to extract assertion data from an incoming request. */
 export type ExtractAssertionFn = (req: Request) => Promise<{
     assertion: string;
     deviceId: string;
     clientData: Uint8Array;
 }>;
+/** Configuration for the {@linkcode withAssertion} middleware. */
 export type WithAssertionOptions = {
+    /** Apple App ID in the format `TEAMID.bundleId`. */
     appId: string;
+    /** Set to `true` for development environment attestations. */
     developmentEnv?: boolean;
+    /** Retrieve the stored device key for a given device ID. Return `null` if not found. */
     getDeviceKey: (deviceId: string) => Promise<DeviceKey | null>;
-    updateSignCount: (deviceId: string, newSignCount: number) => Promise<void>;
+    /**
+     * Atomically advance the stored sign count. MUST be implemented as a
+     * compare-and-swap: only update if the currently stored value is strictly
+     * less than `newSignCount`. Returns `true` if the row was advanced,
+     * `false` if another concurrent request already advanced past this value.
+     *
+     * Recommended SQL pattern against Postgres:
+     *
+     * ```sql
+     * UPDATE app_attest_devices
+     *    SET sign_count = $1, last_seen_at = now()
+     *  WHERE device_id = $2 AND sign_count < $1
+     * ```
+     *
+     * Return `rowCount > 0`. The library converts `false` into
+     * `AssertionError(SIGN_COUNT_STALE)`.
+     */
+    commitSignCount: (deviceId: string, newSignCount: number) => Promise<boolean>;
+    /** Override the default header-based assertion extraction. */
     extractAssertion?: ExtractAssertionFn;
+    /** Custom error response handler. Defaults to JSON error responses. */
     onError?: (error: AssertionError, req: Request) => Response | Promise<Response>;
 };
+/**
+ * Request handler middleware that verifies App Attest assertions.
+ *
+ * Wraps a handler function with automatic assertion verification,
+ * device key lookup, and atomic sign-count commit. Returns a new handler
+ * that rejects unauthenticated requests with appropriate HTTP error responses.
+ *
+ * The `commitSignCount` callback MUST implement compare-and-swap semantics
+ * (see {@linkcode WithAssertionOptions.commitSignCount}) — a non-atomic
+ * unconditional write will silently corrupt replay protection under
+ * concurrent load.
+ */
 export declare function withAssertion(options: WithAssertionOptions, handler: (req: Request, context: AssertionContext) => Response | Promise<Response>): (req: Request) => Promise<Response>;
 //# sourceMappingURL=with-assertion.d.ts.map

package/esm/src/with-assertion.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"with-assertion.d.ts","sourceRoot":"","sources":["../../src/src/with-assertion.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAsB,MAAM,aAAa,CAAC;AAEjE,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AACjE,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AAEjE,MAAM,MAAM,SAAS,GAAG;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,UAAU,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IACzD,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,UAAU,CAAC;CACxB,CAAC,CAAC;AAEH,MAAM,MAAM,oBAAoB,GAAG;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,YAAY,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAC9D,eAAe,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3E,gBAAgB,CAAC,EAAE,kBAAkB,CAAC;IACtC,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,cAAc,EACrB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AAmCF,wBAAgB,aAAa,CAC3B,OAAO,EAAE,oBAAoB,EAC7B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,gBAAgB,KACtB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAuErC"}
+{"version":3,"file":"with-assertion.d.ts","sourceRoot":"","sources":["../../src/src/with-assertion.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAsB,MAAM,aAAa,CAAC;AAEjE,iEAAiE;AACjE,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AACjE,0DAA0D;AAC1D,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AAEjE,0EAA0E;AAC1E,MAAM,MAAM,SAAS,GAAG;IACtB,2DAA2D;IAC3D,YAAY,EAAE,MAAM,CAAC;IACrB,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,qDAAqD;IACrD,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,6EAA6E;IAC7E,QAAQ,EAAE,MAAM,CAAC;IACjB,sDAAsD;IACtD,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,mFAAmF;AACnF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,OAAO,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,OAAO,EAAE,gBAAgB,CAAC;CAC3B,CAAC;AAEF,0EAA0E;AAC1E,MAAM,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IACzD,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,UAAU,CAAC;CACxB,CAAC,CAAC;AAEH,kEAAkE;AAClE,MAAM,MAAM,oBAAoB,GAAG;IACjC,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,wFAAwF;IACxF,YAAY,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAC9D;;;;;;;;;;;;;;;;OAgBG;IACH,eAAe,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9E,8DAA8D;IAC9D,gBAAgB,CAAC,EAAE,kBAAkB,CAAC;IACtC,uEAAuE;IACvE,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,cAAc,EACrB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AAmCF;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,oBAAoB,EAC7B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,gBAAgB,KACtB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CA+FrC"}

package/esm/src/with-assertion.js

@@ -1,7 +1,9 @@
 // src/with-assertion.ts
 import { verifyAssertion } from "./assertion.js";
 import { AssertionError, AssertionErrorCode } from "./errors.js";
+/** Default HTTP header name for the base64-encoded assertion. */
 export const DEFAULT_ASSERTION_HEADER = "X-App-Attest-Assertion";
+/** Default HTTP header name for the device identifier. */
 export const DEFAULT_DEVICE_ID_HEADER = "X-App-Attest-Device-Id";
 async function defaultExtractAssertion(req) {
     const assertion = req.headers.get(DEFAULT_ASSERTION_HEADER);
@@ -20,6 +22,18 @@ function defaultErrorResponse(error) {
             : 401;
     return new Response(JSON.stringify({ error: error.message, code: error.code }), { status, headers: { "Content-Type": "application/json" } });
 }
+/**
+ * Request handler middleware that verifies App Attest assertions.
+ *
+ * Wraps a handler function with automatic assertion verification,
+ * device key lookup, and atomic sign-count commit. Returns a new handler
+ * that rejects unauthenticated requests with appropriate HTTP error responses.
+ *
+ * The `commitSignCount` callback MUST implement compare-and-swap semantics
+ * (see {@linkcode WithAssertionOptions.commitSignCount}) — a non-atomic
+ * unconditional write will silently corrupt replay protection under
+ * concurrent load.
+ */
 export function withAssertion(options, handler) {
     const appInfo = {
         appId: options.appId,
@@ -30,11 +44,20 @@ export function withAssertion(options, handler) {
         let deviceId;
         let clientData;
         let newSignCount;
-        // Steps 1-4: extract, verify, update sign count
+        const timings = {
+            extractMs: 0,
+            getDeviceKeyMs: 0,
+            verifyMs: 0,
+            commitMs: 0,
+        };
+        // Steps 1-4: extract, verify, commit sign count
         try {
+            const extractStart = performance.now();
             const extracted = await extract(req);
+            timings.extractMs = performance.now() - extractStart;
             deviceId = extracted.deviceId;
             clientData = extracted.clientData;
+            const getKeyStart = performance.now();
             let deviceKey;
             try {
                 deviceKey = await options.getDeviceKey(deviceId);
@@ -42,15 +65,24 @@ export function withAssertion(options, handler) {
             catch (err) {
                 throw new AssertionError(AssertionErrorCode.INTERNAL_ERROR, "Storage callback failed", { cause: err });
             }
+            timings.getDeviceKeyMs = performance.now() - getKeyStart;
             if (!deviceKey) {
                 throw new AssertionError(AssertionErrorCode.DEVICE_NOT_FOUND, "Device not found");
             }
+            const verifyStart = performance.now();
             const result = await verifyAssertion(appInfo, extracted.assertion, clientData, deviceKey.publicKeyPem, deviceKey.signCount);
+            timings.verifyMs = performance.now() - verifyStart;
+            const commitStart = performance.now();
+            let committed;
             try {
-                await options.updateSignCount(deviceId, result.signCount);
+                committed = await options.commitSignCount(deviceId, result.signCount);
             }
             catch (err) {
-                throw new AssertionError(AssertionErrorCode.INTERNAL_ERROR, "Failed to update sign count", { cause: err });
+                throw new AssertionError(AssertionErrorCode.INTERNAL_ERROR, "Failed to commit sign count", { cause: err });
+            }
+            timings.commitMs = performance.now() - commitStart;
+            if (!committed) {
+                throw new AssertionError(AssertionErrorCode.SIGN_COUNT_STALE, `Sign count ${result.signCount} is stale — another concurrent request already advanced past it`);
             }
             newSignCount = result.signCount;
         }
@@ -67,6 +99,7 @@ export function withAssertion(options, handler) {
             deviceId,
             signCount: newSignCount,
             rawBody: clientData,
+            timings,
         });
     };
 }

package/esm/src/with-attestation.d.ts

@@ -0,0 +1,79 @@
+import { AttestationError } from "./errors.js";
+/**
+ * Library-internal timing spans for an attestation verification, in
+ * milliseconds. Exposed on {@linkcode AttestationContext.timings}.
+ */
+export type AttestationTimings = {
+    /** Parse request body + decode base64 fields. */
+    extractMs: number;
+    /** `consumeChallenge` callback wall-clock duration. */
+    consumeChallengeMs: number;
+    /** Cryptographic verification (CBOR decode, cert chain, nonce, key extract). */
+    verifyMs: number;
+    /** `storeDeviceKey` callback wall-clock duration. */
+    storeDeviceKeyMs: number;
+};
+/** Context passed to the inner handler after successful attestation verification. */
+export type AttestationContext = {
+    /** Device identifier (Apple-issued `keyId`) from the request. */
+    deviceId: string;
+    /** PEM-encoded ECDSA P-256 public key extracted from the attestation. */
+    publicKeyPem: string;
+    /** Initial sign count from the attestation (always `0`). */
+    signCount: number;
+    /** Raw App Attest receipt bytes. */
+    receipt: Uint8Array;
+    /** Library-internal timings, ready to merge into Server-Timing. */
+    timings: AttestationTimings;
+};
+/** Custom function to extract attestation data from an incoming request. */
+export type ExtractAttestationFn = (req: Request) => Promise<{
+    deviceId: string;
+    challenge: Uint8Array;
+    attestation: Uint8Array;
+}>;
+/** Configuration for the {@linkcode withAttestation} middleware. */
+export type WithAttestationOptions = {
+    /** Apple App ID in the format `TEAMID.bundleId`. */
+    appId: string;
+    /** Set to `true` for development environment attestations. */
+    developmentEnv?: boolean;
+    /**
+     * Atomically consume a previously-issued challenge. Return `true` if the
+     * challenge was valid, unused, and unexpired (and is now consumed);
+     * `false` otherwise. Implementations should use `DELETE ... RETURNING`
+     * to guarantee single-use semantics.
+     *
+     * The library converts `false` into `AttestationError(CHALLENGE_INVALID)`.
+     */
+    consumeChallenge: (challenge: Uint8Array) => Promise<boolean>;
+    /**
+     * Persist the verified device key row. Caller chooses INSERT vs UPSERT —
+     * re-attesting an existing deviceId is cryptographically safe (Apple has
+     * re-signed) so UPSERT is usually correct.
+     */
+    storeDeviceKey: (row: {
+        deviceId: string;
+        publicKeyPem: string;
+        signCount: number;
+        receipt: Uint8Array;
+    }) => Promise<void>;
+    /** Override the default body-based attestation extraction. */
+    extractAttestation?: ExtractAttestationFn;
+    /** Custom error response handler. Defaults to JSON error responses. */
+    onError?: (error: AttestationError, req: Request) => Response | Promise<Response>;
+};
+/**
+ * Request handler middleware that verifies App Attest attestations.
+ *
+ * Wraps a handler with automatic challenge consumption, cryptographic
+ * attestation verification, and device key persistence. Returns a new
+ * handler that rejects invalid attestations with appropriate HTTP
+ * error responses.
+ *
+ * The symmetric pair of {@linkcode withAssertion} — use this on your
+ * one-time device registration endpoint, then use `withAssertion` on
+ * every protected business endpoint.
+ */
+export declare function withAttestation(options: WithAttestationOptions, handler: (req: Request, context: AttestationContext) => Response | Promise<Response>): (req: Request) => Promise<Response>;
+//# sourceMappingURL=with-attestation.d.ts.map

package/esm/src/with-attestation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"with-attestation.d.ts","sourceRoot":"","sources":["../../src/src/with-attestation.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAwB,MAAM,aAAa,CAAC;AAErE;;;GAGG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;IAClB,uDAAuD;IACvD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,gFAAgF;IAChF,QAAQ,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,gBAAgB,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,qFAAqF;AACrF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,iEAAiE;IACjE,QAAQ,EAAE,MAAM,CAAC;IACjB,yEAAyE;IACzE,YAAY,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;IAClB,oCAAoC;IACpC,OAAO,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,OAAO,EAAE,kBAAkB,CAAC;CAC7B,CAAC;AAEF,4EAA4E;AAC5E,MAAM,MAAM,oBAAoB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,UAAU,CAAC;IACtB,WAAW,EAAE,UAAU,CAAC;CACzB,CAAC,CAAC;AAEH,oEAAoE;AACpE,MAAM,MAAM,sBAAsB,GAAG;IACnC,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB;;;;;;;OAOG;IACH,gBAAgB,EAAE,CAAC,SAAS,EAAE,UAAU,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9D;;;;OAIG;IACH,cAAc,EAAE,CAAC,GAAG,EAAE;QACpB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,UAAU,CAAC;KACrB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpB,8DAA8D;IAC9D,kBAAkB,CAAC,EAAE,oBAAoB,CAAC;IAC1C,uEAAuE;IACvE,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,gBAAgB,EACvB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AAwEF;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,sBAAsB,EAC/B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,kBAAkB,KACxB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAkGrC"}

package/esm/src/with-attestation.js

@@ -0,0 +1,135 @@
+// src/with-attestation.ts
+import { decodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.10/base64.js";
+import { verifyAttestation } from "./attestation.js";
+import { AttestationError, AttestationErrorCode } from "./errors.js";
+/**
+ * Default extractor: reads a JSON body of the shape
+ * `{ keyId: string, challenge: string, attestation: string }` where all
+ * three fields are base64-encoded per Apple's standard wire format.
+ */
+async function defaultExtractAttestation(req) {
+    let body;
+    try {
+        body = await req.json();
+    }
+    catch (err) {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, `Failed to parse attestation request body as JSON: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    if (typeof body !== "object" || body === null ||
+        typeof body.keyId !== "string" ||
+        typeof body.challenge !== "string" ||
+        typeof body.attestation !== "string") {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "Attestation request body must include { keyId, challenge, attestation } as base64 strings");
+    }
+    const typed = body;
+    let challenge;
+    let attestation;
+    try {
+        challenge = decodeBase64(typed.challenge);
+    }
+    catch {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "challenge is not valid base64");
+    }
+    try {
+        attestation = decodeBase64(typed.attestation);
+    }
+    catch {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "attestation is not valid base64");
+    }
+    return { deviceId: typed.keyId, challenge, attestation };
+}
+function defaultErrorResponse(error) {
+    const status = error.code === AttestationErrorCode.INTERNAL_ERROR
+        ? 500
+        : error.code === AttestationErrorCode.INVALID_FORMAT
+            ? 400
+            : 401;
+    return new Response(JSON.stringify({ error: error.message, code: error.code }), { status, headers: { "Content-Type": "application/json" } });
+}
+/**
+ * Request handler middleware that verifies App Attest attestations.
+ *
+ * Wraps a handler with automatic challenge consumption, cryptographic
+ * attestation verification, and device key persistence. Returns a new
+ * handler that rejects invalid attestations with appropriate HTTP
+ * error responses.
+ *
+ * The symmetric pair of {@linkcode withAssertion} — use this on your
+ * one-time device registration endpoint, then use `withAssertion` on
+ * every protected business endpoint.
+ */
+export function withAttestation(options, handler) {
+    const appInfo = {
+        appId: options.appId,
+        developmentEnv: options.developmentEnv ?? false,
+    };
+    const extract = options.extractAttestation ?? defaultExtractAttestation;
+    return async (req) => {
+        let deviceId;
+        let publicKeyPem;
+        let receipt;
+        const timings = {
+            extractMs: 0,
+            consumeChallengeMs: 0,
+            verifyMs: 0,
+            storeDeviceKeyMs: 0,
+        };
+        try {
+            const extractStart = performance.now();
+            const extracted = await extract(req);
+            timings.extractMs = performance.now() - extractStart;
+            deviceId = extracted.deviceId;
+            const consumeStart = performance.now();
+            let challengeOk;
+            try {
+                challengeOk = await options.consumeChallenge(extracted.challenge);
+            }
+            catch (err) {
+                // Static message — the original error is attached via `cause` and
+                // never reaches the wire. Callback errors from Postgres drivers
+                // routinely contain schema details, constraint names, and other
+                // info that must not leak to unauthenticated clients.
+                throw new AttestationError(AttestationErrorCode.INTERNAL_ERROR, "consumeChallenge callback failed", { cause: err });
+            }
+            timings.consumeChallengeMs = performance.now() - consumeStart;
+            if (!challengeOk) {
+                throw new AttestationError(AttestationErrorCode.CHALLENGE_INVALID, "Challenge is missing, expired, or already consumed");
+            }
+            const verifyStart = performance.now();
+            const result = await verifyAttestation(appInfo, deviceId, extracted.challenge, extracted.attestation);
+            timings.verifyMs = performance.now() - verifyStart;
+            publicKeyPem = result.publicKeyPem;
+            receipt = result.receipt;
+            const storeStart = performance.now();
+            try {
+                await options.storeDeviceKey({
+                    deviceId,
+                    publicKeyPem,
+                    signCount: result.signCount,
+                    receipt,
+                });
+            }
+            catch (err) {
+                // Static message — see consumeChallenge catch above.
+                throw new AttestationError(AttestationErrorCode.INTERNAL_ERROR, "storeDeviceKey callback failed", { cause: err });
+            }
+            timings.storeDeviceKeyMs = performance.now() - storeStart;
+        }
+        catch (err) {
+            // Non-AttestationError escapes (unexpected runtime errors, programmer
+            // bugs, etc.) are wrapped as INTERNAL_ERROR with a static message.
+            // The original is attached via `cause` and never reaches the wire.
+            const error = err instanceof AttestationError
+                ? err
+                : new AttestationError(AttestationErrorCode.INTERNAL_ERROR, "Internal error", { cause: err });
+            return options.onError?.(error, req) ?? defaultErrorResponse(error);
+        }
+        return await handler(req, {
+            deviceId,
+            publicKeyPem,
+            signCount: 0,
+            receipt,
+            timings,
+        });
+    };
+}

package/package.json

@@ -1,7 +1,8 @@
 {
   "name": "@bradford-tech/supabase-integrity-attest",
-  "version": "0.3.1",
+  "version": "0.4.1",
   "description": "Verify Apple App Attest attestations and assertions using WebCrypto.",
+  "homepage": "https://integrity-attest.bradford.tech",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/bradford-tech/supabase-integrity-attest.git"
@@ -22,18 +23,14 @@
       "import": "./esm/attestation.js"
     }
   },
-  "scripts": {
-    "test": "node test_runner.js"
-  },
+  "scripts": {},
   "dependencies": {
     "@noble/curves": "^2.0.1",
     "asn1js": "^3.0.7",
     "cborg": "^4.5.8"
   },
   "devDependencies": {
-    "@types/node": "^20.9.0",
-    "picocolors": "^1.0.0",
-    "@deno/shim-deno-test": "~0.5.0"
+    "@types/node": "^20.9.0"
   },
   "_generatedBy": "dnt@dev"
 }

package/esm/_dnt.test_polyfills.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"_dnt.test_polyfills.d.ts","sourceRoot":"","sources":["../src/_dnt.test_polyfills.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,KAAK;QACb,KAAK,CAAC,EAAE,OAAO,CAAC;KACjB;CACF;AAED,OAAO,EAAE,CAAC"}

package/esm/_dnt.test_shims.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"_dnt.test_shims.d.ts","sourceRoot":"","sources":["../src/_dnt.test_shims.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAK5C,eAAO,MAAM,aAAa;;CAA2C,CAAC"}

package/esm/deps/jsr.io/@std/assert/1.0.19/almost_equals.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"almost_equals.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/almost_equals.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,SAAS,CAAC,EAAE,MAAM,EAClB,GAAG,CAAC,EAAE,MAAM,QAmBb"}

package/esm/deps/jsr.io/@std/assert/1.0.19/array_includes.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"array_includes.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/array_includes.ts"],"names":[],"mappings":"AAMA,0FAA0F;AAC1F,MAAM,MAAM,YAAY,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC;AAOpD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,EACnC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,EACvB,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC,EACzB,GAAG,CAAC,EAAE,MAAM,GACX,IAAI,CAgCN"}

package/esm/deps/jsr.io/@std/assert/1.0.19/assert.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"assert.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/assert.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,SAAK,GAAG,OAAO,CAAC,IAAI,CAI5D"}

package/esm/deps/jsr.io/@std/assert/1.0.19/assertion_error.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"assertion_error.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/assertion_error.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,cAAe,SAAQ,KAAK;IACvC;;;;OAIG;gBACS,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,YAAY;CAIpD"}

package/esm/deps/jsr.io/@std/assert/1.0.19/equal.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"equal.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/equal.ts"],"names":[],"mappings":"AA0FA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,KAAK,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,GAAG,OAAO,CAgHrD"}

package/esm/deps/jsr.io/@std/assert/1.0.19/equals.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"equals.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/equals.ts"],"names":[],"mappings":"AAUA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,wBAAgB,YAAY,CAAC,CAAC,EAC5B,MAAM,EAAE,CAAC,EACT,QAAQ,EAAE,CAAC,EACX,GAAG,CAAC,EAAE,MAAM,QAmBb"}

package/esm/deps/jsr.io/@std/assert/1.0.19/exists.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"exists.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/exists.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,YAAY,CAAC,CAAC,EAC5B,MAAM,EAAE,CAAC,EACT,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,MAAM,IAAI,WAAW,CAAC,CAAC,CAAC,CAOlC"}

package/esm/deps/jsr.io/@std/assert/1.0.19/fail.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"fail.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/fail.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;GAYG;AACH,wBAAgB,IAAI,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,CAGxC"}

package/esm/deps/jsr.io/@std/assert/1.0.19/false.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"false.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/false.ts"],"names":[],"mappings":"AAIA,uDAAuD;AACvD,MAAM,MAAM,KAAK,GAAG,KAAK,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,GAAG,SAAS,CAAC;AAE3D;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,SAAK,GAAG,OAAO,CAAC,IAAI,IAAI,KAAK,CAI1E"}

package/esm/deps/jsr.io/@std/assert/1.0.19/greater.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"greater.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/greater.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,QAMpE"}

package/esm/deps/jsr.io/@std/assert/1.0.19/greater_or_equal.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"greater_or_equal.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/greater_or_equal.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,oBAAoB,CAAC,CAAC,EACpC,MAAM,EAAE,CAAC,EACT,QAAQ,EAAE,CAAC,EACX,GAAG,CAAC,EAAE,MAAM,QASb"}

package/esm/deps/jsr.io/@std/assert/1.0.19/instance_of.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"instance_of.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/instance_of.ts"],"names":[],"mappings":"AAIA,sBAAsB;AAEtB,MAAM,MAAM,cAAc,GAAG,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC;AACzD,4BAA4B;AAC5B,MAAM,MAAM,kBAAkB,CAAC,CAAC,SAAS,cAAc,IAAI,YAAY,CAAC,CAAC,CAAC,CAAC;AAE3E;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAE9B,CAAC,SAAS,QAAQ,MAAM,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,EAE9C,MAAM,EAAE,OAAO,EACf,YAAY,EAAE,CAAC,EACf,GAAG,SAAK,GACP,OAAO,CAAC,MAAM,IAAI,YAAY,CAAC,CAAC,CAAC,CA6BnC"}

package/esm/deps/jsr.io/@std/assert/1.0.19/is_error.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"is_error.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/is_error.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,aAAa,CAAC,CAAC,SAAS,KAAK,GAAG,KAAK,EACnD,KAAK,EAAE,OAAO,EAEd,UAAU,CAAC,EAAE,QAAQ,MAAM,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,EAC/C,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,EAC5B,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,KAAK,IAAI,CAAC,CA8BpB"}

package/esm/deps/jsr.io/@std/assert/1.0.19/less.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"less.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/less.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,UAAU,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,QAMjE"}

package/esm/deps/jsr.io/@std/assert/1.0.19/less_or_equal.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"less_or_equal.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/less_or_equal.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,EACjC,MAAM,EAAE,CAAC,EACT,QAAQ,EAAE,CAAC,EACX,GAAG,CAAC,EAAE,MAAM,QASb"}

package/esm/deps/jsr.io/@std/assert/1.0.19/match.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"match.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/match.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,WAAW,CACzB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,GAAG,CAAC,EAAE,MAAM,QAMb"}

package/esm/deps/jsr.io/@std/assert/1.0.19/mod.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/mod.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;GAeG;AAEH,cAAc,oBAAoB,CAAC;AACnC,cAAc,qBAAqB,CAAC;AACpC,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,uBAAuB,CAAC;AACtC,cAAc,cAAc,CAAC;AAC7B,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,cAAc,oBAAoB,CAAC;AACnC,cAAc,WAAW,CAAC;AAC1B,cAAc,YAAY,CAAC;AAC3B,cAAc,iBAAiB,CAAC;AAChC,cAAc,sBAAsB,CAAC;AACrC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,wBAAwB,CAAC;AACvC,cAAc,mBAAmB,CAAC;AAClC,cAAc,cAAc,CAAC;AAC7B,cAAc,oBAAoB,CAAC;AACnC,cAAc,sBAAsB,CAAC;AACrC,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,sBAAsB,CAAC;AACrC,cAAc,YAAY,CAAC;AAC3B,cAAc,WAAW,CAAC;AAC1B,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC"}

package/esm/deps/jsr.io/@std/assert/1.0.19/not_equals.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"not_equals.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/not_equals.ts"],"names":[],"mappings":"AAOA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,QAUtE"}

package/esm/deps/jsr.io/@std/assert/1.0.19/not_instance_of.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"not_instance_of.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/not_instance_of.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,CAAC,EACtC,MAAM,EAAE,CAAC,EAET,cAAc,EAAE,QAAQ,MAAM,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,EAClD,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,CAKjC"}

package/esm/deps/jsr.io/@std/assert/1.0.19/not_match.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"not_match.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/not_match.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,GAAG,CAAC,EAAE,MAAM,QAMb"}

package/esm/deps/jsr.io/@std/assert/1.0.19/not_strict_equals.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"not_strict_equals.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/not_strict_equals.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,EACrC,MAAM,EAAE,CAAC,EACT,QAAQ,EAAE,CAAC,EACX,GAAG,CAAC,EAAE,MAAM,QAYb"}

package/esm/deps/jsr.io/@std/assert/1.0.19/object_match.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"object_match.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/object_match.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,iBAAiB,CAE/B,MAAM,EAAE,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,EAChC,QAAQ,EAAE,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,EACtC,GAAG,CAAC,EAAE,MAAM,GACX,IAAI,CAUN"}

package/esm/deps/jsr.io/@std/assert/1.0.19/rejects.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"rejects.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/rejects.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,aAAa,CAC3B,EAAE,EAAE,MAAM,WAAW,CAAC,OAAO,CAAC,EAC9B,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,OAAO,CAAC,CAAC;AACpB;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,aAAa,CAAC,CAAC,SAAS,KAAK,GAAG,KAAK,EACnD,EAAE,EAAE,MAAM,WAAW,CAAC,OAAO,CAAC,EAE9B,UAAU,EAAE,QAAQ,MAAM,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,EAC9C,WAAW,CAAC,EAAE,MAAM,EACpB,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,CAAC,CAAC,CAAC"}

package/esm/deps/jsr.io/@std/assert/1.0.19/strict_equals.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"strict_equals.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/strict_equals.ts"],"names":[],"mappings":"AASA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,EAClC,MAAM,EAAE,OAAO,EACf,QAAQ,EAAE,CAAC,EACX,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,MAAM,IAAI,CAAC,CAgCrB"}