@bradford-tech/supabase-integrity-attest 0.3.2 → 0.4.1

package/esm/assertion.d.ts

@@ -3,7 +3,10 @@
  * `@noble/curves`, keeping the bundle minimal for assertion-only use cases.
  *
  * ```ts
- * import { verifyAssertion } from "@bradford-tech/supabase-integrity-attest/assertion";
+ * import {
+ *   verifyAssertion,
+ *   withAssertion,
+ * } from "@bradford-tech/supabase-integrity-attest/assertion";
  *
  * const { signCount } = await verifyAssertion(
  *   { appId: "TEAMID.com.example.app" },
@@ -21,5 +24,5 @@ export type { AppInfo, AssertionResult } from "./src/assertion.js";
 export { AssertionError, AssertionErrorCode } from "./src/errors.js";
 export { withAssertion } from "./src/with-assertion.js";
 export { DEFAULT_ASSERTION_HEADER, DEFAULT_DEVICE_ID_HEADER, } from "./src/with-assertion.js";
-export type { AssertionContext, DeviceKey, ExtractAssertionFn, WithAssertionOptions, } from "./src/with-assertion.js";
+export type { AssertionContext, AssertionTimings, DeviceKey, ExtractAssertionFn, WithAssertionOptions, } from "./src/with-assertion.js";
 //# sourceMappingURL=assertion.d.ts.map

package/esm/assertion.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"assertion.d.ts","sourceRoot":"","sources":["../src/assertion.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,YAAY,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAGrE,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,EACL,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EACV,gBAAgB,EAChB,SAAS,EACT,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"assertion.d.ts","sourceRoot":"","sources":["../src/assertion.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,YAAY,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAGrE,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,EACL,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EACV,gBAAgB,EAChB,gBAAgB,EAChB,SAAS,EACT,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC"}

package/esm/assertion.js

@@ -3,7 +3,10 @@
  * `@noble/curves`, keeping the bundle minimal for assertion-only use cases.
  *
  * ```ts
- * import { verifyAssertion } from "@bradford-tech/supabase-integrity-attest/assertion";
+ * import {
+ *   verifyAssertion,
+ *   withAssertion,
+ * } from "@bradford-tech/supabase-integrity-attest/assertion";
  *
  * const { signCount } = await verifyAssertion(
  *   { appId: "TEAMID.com.example.app" },
@@ -18,6 +21,6 @@
  */
 export { verifyAssertion } from "./src/assertion.js";
 export { AssertionError, AssertionErrorCode } from "./src/errors.js";
-// withAssertion wrapper
+// withAssertion middleware
 export { withAssertion } from "./src/with-assertion.js";
 export { DEFAULT_ASSERTION_HEADER, DEFAULT_DEVICE_ID_HEADER, } from "./src/with-assertion.js";

package/esm/attestation.d.ts

@@ -3,7 +3,10 @@
  * dependencies (`asn1js`, `@noble/curves`).
  *
  * ```ts
- * import { verifyAttestation } from "@bradford-tech/supabase-integrity-attest/attestation";
+ * import {
+ *   verifyAttestation,
+ *   withAttestation,
+ * } from "@bradford-tech/supabase-integrity-attest/attestation";
  *
  * const { publicKeyPem } = await verifyAttestation(
  *   { appId: "TEAMID.com.example.app" },
@@ -18,4 +21,6 @@
 export { verifyAttestation } from "./src/attestation.js";
 export type { AppInfo, AttestationResult, VerifyAttestationOptions, } from "./src/attestation.js";
 export { AttestationError, AttestationErrorCode } from "./src/errors.js";
+export { withAttestation } from "./src/with-attestation.js";
+export type { AttestationContext, AttestationTimings, ExtractAttestationFn, WithAttestationOptions, } from "./src/with-attestation.js";
 //# sourceMappingURL=attestation.d.ts.map

package/esm/attestation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../src/attestation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,YAAY,EACV,OAAO,EACP,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../src/attestation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,YAAY,EACV,OAAO,EACP,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAGzE,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,YAAY,EACV,kBAAkB,EAClB,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,2BAA2B,CAAC"}

package/esm/attestation.js

@@ -3,7 +3,10 @@
  * dependencies (`asn1js`, `@noble/curves`).
  *
  * ```ts
- * import { verifyAttestation } from "@bradford-tech/supabase-integrity-attest/attestation";
+ * import {
+ *   verifyAttestation,
+ *   withAttestation,
+ * } from "@bradford-tech/supabase-integrity-attest/attestation";
  *
  * const { publicKeyPem } = await verifyAttestation(
  *   { appId: "TEAMID.com.example.app" },
@@ -17,3 +20,5 @@
  */
 export { verifyAttestation } from "./src/attestation.js";
 export { AttestationError, AttestationErrorCode } from "./src/errors.js";
+// withAttestation middleware
+export { withAttestation } from "./src/with-attestation.js";

package/esm/mod.d.ts

@@ -1,17 +1,91 @@
 /**
  * Verify Apple App Attest attestations and assertions using WebCrypto.
  *
+ * This library implements Apple's full
+ * [App Attest](https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity)
+ * server-side verification — CBOR decoding, X.509 certificate chain
+ * validation, nonce verification, ECDSA signature checks — using only
+ * WebCrypto APIs so it runs in Supabase Edge Functions, Deno Deploy,
+ * and other edge runtimes with no native dependencies.
+ *
+ * ## Attestation
+ *
+ * Verify a new device and extract its public key:
+ *
  * ```ts
- * import { verifyAttestation, verifyAssertion } from "@bradford-tech/supabase-integrity-attest";
+ * import { verifyAttestation } from "@bradford-tech/supabase-integrity-attest";
  *
- * const { publicKeyPem } = await verifyAttestation(
+ * const { publicKeyPem, receipt, signCount } = await verifyAttestation(
  *   { appId: "TEAMID.com.example.app" },
  *   keyId,
  *   challenge,
  *   attestation,
  * );
+ * // Store publicKeyPem and signCount for future assertion verification
+ * ```
+ *
+ * ## Assertion
+ *
+ * Verify ongoing requests from an already-attested device:
+ *
+ * ```ts
+ * import { verifyAssertion } from "@bradford-tech/supabase-integrity-attest";
+ *
+ * const { signCount } = await verifyAssertion(
+ *   { appId: "TEAMID.com.example.app" },
+ *   assertion,
+ *   clientData,
+ *   publicKeyPem,
+ *   previousSignCount,
+ * );
+ * // Persist the updated signCount
+ * ```
+ *
+ * ## Middleware
+ *
+ * Use the {@linkcode withAttestation} and {@linkcode withAssertion}
+ * wrappers for automatic verification, callback-driven storage, and
+ * typed error handling:
+ *
+ * ```ts
+ * import {
+ *   withAttestation,
+ *   withAssertion,
+ * } from "@bradford-tech/supabase-integrity-attest";
+ *
+ * const attestHandler = withAttestation(
+ *   {
+ *     appId: "TEAMID.com.example.app",
+ *     consumeChallenge,
+ *     storeDeviceKey,
+ *   },
+ *   (_req, ctx) =>
+ *     Response.json({ ok: true, deviceId: ctx.deviceId }),
+ * );
+ *
+ * const protectedHandler = withAssertion(
+ *   {
+ *     appId: "TEAMID.com.example.app",
+ *     getDeviceKey,
+ *     commitSignCount,
+ *   },
+ *   (_req, ctx) =>
+ *     Response.json({ hello: ctx.deviceId, counter: ctx.signCount }),
+ * );
  * ```
  *
+ * ## Subpath imports
+ *
+ * For smaller bundles, import only what you need:
+ *
+ * - `@bradford-tech/supabase-integrity-attest/attestation` — attestation
+ *   (`verifyAttestation`, `withAttestation`). Full crypto deps.
+ * - `@bradford-tech/supabase-integrity-attest/assertion` — assertion
+ *   (`verifyAssertion`, `withAssertion`). Excludes `asn1js` and
+ *   `@noble/curves` to keep the bundle minimal.
+ *
+ * Full documentation: {@link https://integrity-attest.bradford.tech}
+ *
  * @module
  */
 export type { AppInfo, AttestationResult, VerifyAttestationOptions, } from "./src/attestation.js";
@@ -21,5 +95,7 @@ export { verifyAssertion } from "./src/assertion.js";
 export { AssertionError, AssertionErrorCode, AttestationError, AttestationErrorCode, } from "./src/errors.js";
 export { withAssertion } from "./src/with-assertion.js";
 export { DEFAULT_ASSERTION_HEADER, DEFAULT_DEVICE_ID_HEADER, } from "./src/with-assertion.js";
-export type { AssertionContext, DeviceKey, ExtractAssertionFn, WithAssertionOptions, } from "./src/with-assertion.js";
+export type { AssertionContext, AssertionTimings, DeviceKey, ExtractAssertionFn, WithAssertionOptions, } from "./src/with-assertion.js";
+export { withAttestation } from "./src/with-attestation.js";
+export type { AttestationContext, AttestationTimings, ExtractAttestationFn, WithAttestationOptions, } from "./src/with-attestation.js";
 //# sourceMappingURL=mod.d.ts.map

package/esm/mod.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../src/mod.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,YAAY,EACV,OAAO,EACP,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EACL,cAAc,EACd,kBAAkB,EAClB,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,EACL,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EACV,gBAAgB,EAChB,SAAS,EACT,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../src/mod.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyFG;AAEH,YAAY,EACV,OAAO,EACP,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EACL,cAAc,EACd,kBAAkB,EAClB,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,EACL,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EACV,gBAAgB,EAChB,gBAAgB,EAChB,SAAS,EACT,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,YAAY,EACV,kBAAkB,EAClB,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,2BAA2B,CAAC"}

package/esm/mod.js

@@ -1,22 +1,98 @@
 /**
  * Verify Apple App Attest attestations and assertions using WebCrypto.
  *
+ * This library implements Apple's full
+ * [App Attest](https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity)
+ * server-side verification — CBOR decoding, X.509 certificate chain
+ * validation, nonce verification, ECDSA signature checks — using only
+ * WebCrypto APIs so it runs in Supabase Edge Functions, Deno Deploy,
+ * and other edge runtimes with no native dependencies.
+ *
+ * ## Attestation
+ *
+ * Verify a new device and extract its public key:
+ *
  * ```ts
- * import { verifyAttestation, verifyAssertion } from "@bradford-tech/supabase-integrity-attest";
+ * import { verifyAttestation } from "@bradford-tech/supabase-integrity-attest";
  *
- * const { publicKeyPem } = await verifyAttestation(
+ * const { publicKeyPem, receipt, signCount } = await verifyAttestation(
  *   { appId: "TEAMID.com.example.app" },
  *   keyId,
  *   challenge,
  *   attestation,
  * );
+ * // Store publicKeyPem and signCount for future assertion verification
+ * ```
+ *
+ * ## Assertion
+ *
+ * Verify ongoing requests from an already-attested device:
+ *
+ * ```ts
+ * import { verifyAssertion } from "@bradford-tech/supabase-integrity-attest";
+ *
+ * const { signCount } = await verifyAssertion(
+ *   { appId: "TEAMID.com.example.app" },
+ *   assertion,
+ *   clientData,
+ *   publicKeyPem,
+ *   previousSignCount,
+ * );
+ * // Persist the updated signCount
+ * ```
+ *
+ * ## Middleware
+ *
+ * Use the {@linkcode withAttestation} and {@linkcode withAssertion}
+ * wrappers for automatic verification, callback-driven storage, and
+ * typed error handling:
+ *
+ * ```ts
+ * import {
+ *   withAttestation,
+ *   withAssertion,
+ * } from "@bradford-tech/supabase-integrity-attest";
+ *
+ * const attestHandler = withAttestation(
+ *   {
+ *     appId: "TEAMID.com.example.app",
+ *     consumeChallenge,
+ *     storeDeviceKey,
+ *   },
+ *   (_req, ctx) =>
+ *     Response.json({ ok: true, deviceId: ctx.deviceId }),
+ * );
+ *
+ * const protectedHandler = withAssertion(
+ *   {
+ *     appId: "TEAMID.com.example.app",
+ *     getDeviceKey,
+ *     commitSignCount,
+ *   },
+ *   (_req, ctx) =>
+ *     Response.json({ hello: ctx.deviceId, counter: ctx.signCount }),
+ * );
  * ```
  *
+ * ## Subpath imports
+ *
+ * For smaller bundles, import only what you need:
+ *
+ * - `@bradford-tech/supabase-integrity-attest/attestation` — attestation
+ *   (`verifyAttestation`, `withAttestation`). Full crypto deps.
+ * - `@bradford-tech/supabase-integrity-attest/assertion` — assertion
+ *   (`verifyAssertion`, `withAssertion`). Excludes `asn1js` and
+ *   `@noble/curves` to keep the bundle minimal.
+ *
+ * Full documentation: {@link https://integrity-attest.bradford.tech}
+ *
  * @module
  */
 export { verifyAttestation } from "./src/attestation.js";
 export { verifyAssertion } from "./src/assertion.js";
 export { AssertionError, AssertionErrorCode, AttestationError, AttestationErrorCode, } from "./src/errors.js";
-// withAssertion wrapper
+// withAssertion middleware
 export { withAssertion } from "./src/with-assertion.js";
 export { DEFAULT_ASSERTION_HEADER, DEFAULT_DEVICE_ID_HEADER, } from "./src/with-assertion.js";
+// withAttestation middleware
+export { withAttestation } from "./src/with-attestation.js";

package/esm/src/errors.d.ts

@@ -13,16 +13,32 @@ export declare enum AttestationErrorCode {
     /** Sign count is not zero (required for attestation). */
     INVALID_COUNTER = "INVALID_COUNTER",
     /** AAGUID does not match the expected environment (production/development). */
-    INVALID_AAGUID = "INVALID_AAGUID"
+    INVALID_AAGUID = "INVALID_AAGUID",
+    /**
+     * The `consumeChallenge` callback returned `false`, meaning the challenge
+     * was missing, expired, or already consumed. Used by {@linkcode withAttestation}.
+     */
+    CHALLENGE_INVALID = "CHALLENGE_INVALID",
+    /**
+     * An internal or storage callback error occurred (used by
+     * {@linkcode withAttestation}). The original error is attached via
+     * `Error.cause` and is deliberately NOT reflected in the HTTP response
+     * body to avoid leaking database schema or driver diagnostics.
+     */
+    INTERNAL_ERROR = "INTERNAL_ERROR"
 }
 /** Thrown when attestation verification fails. */
 export declare class AttestationError extends Error {
     /** Machine-readable error code. */
     readonly code: AttestationErrorCode;
+    /** Discriminant for `instanceof` checks in catch blocks. Always `"AttestationError"`. */
     readonly name = "AttestationError";
+    /** Create an AttestationError with a machine-readable code and human-readable message. */
     constructor(
     /** Machine-readable error code. */
-    code: AttestationErrorCode, message: string);
+    code: AttestationErrorCode, message: string, options?: {
+        cause?: unknown;
+    });
 }
 /** Error codes returned by {@linkcode AssertionError}. */
 export declare enum AssertionErrorCode {
@@ -37,13 +53,22 @@ export declare enum AssertionErrorCode {
     /** No device key found for the given device ID (used by {@linkcode withAssertion}). */
     DEVICE_NOT_FOUND = "DEVICE_NOT_FOUND",
     /** An internal or storage callback error occurred (used by {@linkcode withAssertion}). */
-    INTERNAL_ERROR = "INTERNAL_ERROR"
+    INTERNAL_ERROR = "INTERNAL_ERROR",
+    /**
+     * The `commitSignCount` callback returned `false`, meaning another
+     * concurrent request already advanced the stored counter past this value.
+     * Indicates an expected race under concurrent load, not a client bug.
+     * Used by {@linkcode withAssertion}.
+     */
+    SIGN_COUNT_STALE = "SIGN_COUNT_STALE"
 }
 /** Thrown when assertion verification fails. */
 export declare class AssertionError extends Error {
     /** Machine-readable error code. */
     readonly code: AssertionErrorCode;
+    /** Discriminant for `instanceof` checks in catch blocks. Always `"AssertionError"`. */
     readonly name = "AssertionError";
+    /** Create an AssertionError with a machine-readable code and human-readable message. */
     constructor(
     /** Machine-readable error code. */
     code: AssertionErrorCode, message: string, options?: {

package/esm/src/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/src/errors.ts"],"names":[],"mappings":"AAEA,4DAA4D;AAC5D,oBAAY,oBAAoB;IAC9B,qDAAqD;IACrD,cAAc,mBAAmB;IACjC,mDAAmD;IACnD,yBAAyB,8BAA8B;IACvD,uEAAuE;IACvE,cAAc,mBAAmB;IACjC,uDAAuD;IACvD,cAAc,mBAAmB;IACjC,0DAA0D;IAC1D,eAAe,oBAAoB;IACnC,yDAAyD;IACzD,eAAe,oBAAoB;IACnC,+EAA+E;IAC/E,cAAc,mBAAmB;CAClC;AAED,kDAAkD;AAClD,qBAAa,gBAAiB,SAAQ,KAAK;IAGvC,mCAAmC;aACnB,IAAI,EAAE,oBAAoB;IAH5C,SAAkB,IAAI,sBAAsB;;IAE1C,mCAAmC;IACnB,IAAI,EAAE,oBAAoB,EAC1C,OAAO,EAAE,MAAM;CAIlB;AAED,0DAA0D;AAC1D,oBAAY,kBAAkB;IAC5B,qDAAqD;IACrD,cAAc,mBAAmB;IACjC,uDAAuD;IACvD,cAAc,mBAAmB;IACjC,mEAAmE;IACnE,uBAAuB,4BAA4B;IACnD,2CAA2C;IAC3C,iBAAiB,sBAAsB;IACvC,uFAAuF;IACvF,gBAAgB,qBAAqB;IACrC,0FAA0F;IAC1F,cAAc,mBAAmB;CAClC;AAED,gDAAgD;AAChD,qBAAa,cAAe,SAAQ,KAAK;IAGrC,mCAAmC;aACnB,IAAI,EAAE,kBAAkB;IAH1C,SAAkB,IAAI,oBAAoB;;IAExC,mCAAmC;IACnB,IAAI,EAAE,kBAAkB,EACxC,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAIhC"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/src/errors.ts"],"names":[],"mappings":"AAEA,4DAA4D;AAC5D,oBAAY,oBAAoB;IAC9B,qDAAqD;IACrD,cAAc,mBAAmB;IACjC,mDAAmD;IACnD,yBAAyB,8BAA8B;IACvD,uEAAuE;IACvE,cAAc,mBAAmB;IACjC,uDAAuD;IACvD,cAAc,mBAAmB;IACjC,0DAA0D;IAC1D,eAAe,oBAAoB;IACnC,yDAAyD;IACzD,eAAe,oBAAoB;IACnC,+EAA+E;IAC/E,cAAc,mBAAmB;IACjC;;;OAGG;IACH,iBAAiB,sBAAsB;IACvC;;;;;OAKG;IACH,cAAc,mBAAmB;CAClC;AAED,kDAAkD;AAClD,qBAAa,gBAAiB,SAAQ,KAAK;IAKvC,mCAAmC;aACnB,IAAI,EAAE,oBAAoB;IAL5C,yFAAyF;IACzF,SAAkB,IAAI,sBAAsB;IAC5C,0FAA0F;;IAExF,mCAAmC;IACnB,IAAI,EAAE,oBAAoB,EAC1C,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAIhC;AAED,0DAA0D;AAC1D,oBAAY,kBAAkB;IAC5B,qDAAqD;IACrD,cAAc,mBAAmB;IACjC,uDAAuD;IACvD,cAAc,mBAAmB;IACjC,mEAAmE;IACnE,uBAAuB,4BAA4B;IACnD,2CAA2C;IAC3C,iBAAiB,sBAAsB;IACvC,uFAAuF;IACvF,gBAAgB,qBAAqB;IACrC,0FAA0F;IAC1F,cAAc,mBAAmB;IACjC;;;;;OAKG;IACH,gBAAgB,qBAAqB;CACtC;AAED,gDAAgD;AAChD,qBAAa,cAAe,SAAQ,KAAK;IAKrC,mCAAmC;aACnB,IAAI,EAAE,kBAAkB;IAL1C,uFAAuF;IACvF,SAAkB,IAAI,oBAAoB;IAC1C,wFAAwF;;IAEtF,mCAAmC;IACnB,IAAI,EAAE,kBAAkB,EACxC,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAIhC"}

package/esm/src/errors.js

@@ -16,19 +16,33 @@ export var AttestationErrorCode;
     AttestationErrorCode["INVALID_COUNTER"] = "INVALID_COUNTER";
     /** AAGUID does not match the expected environment (production/development). */
     AttestationErrorCode["INVALID_AAGUID"] = "INVALID_AAGUID";
+    /**
+     * The `consumeChallenge` callback returned `false`, meaning the challenge
+     * was missing, expired, or already consumed. Used by {@linkcode withAttestation}.
+     */
+    AttestationErrorCode["CHALLENGE_INVALID"] = "CHALLENGE_INVALID";
+    /**
+     * An internal or storage callback error occurred (used by
+     * {@linkcode withAttestation}). The original error is attached via
+     * `Error.cause` and is deliberately NOT reflected in the HTTP response
+     * body to avoid leaking database schema or driver diagnostics.
+     */
+    AttestationErrorCode["INTERNAL_ERROR"] = "INTERNAL_ERROR";
 })(AttestationErrorCode || (AttestationErrorCode = {}));
 /** Thrown when attestation verification fails. */
 export class AttestationError extends Error {
+    /** Create an AttestationError with a machine-readable code and human-readable message. */
     constructor(
     /** Machine-readable error code. */
-    code, message) {
-        super(message);
+    code, message, options) {
+        super(message, options);
         Object.defineProperty(this, "code", {
             enumerable: true,
             configurable: true,
             writable: true,
             value: code
         });
+        /** Discriminant for `instanceof` checks in catch blocks. Always `"AttestationError"`. */
         Object.defineProperty(this, "name", {
             enumerable: true,
             configurable: true,
@@ -52,9 +66,17 @@ export var AssertionErrorCode;
     AssertionErrorCode["DEVICE_NOT_FOUND"] = "DEVICE_NOT_FOUND";
     /** An internal or storage callback error occurred (used by {@linkcode withAssertion}). */
     AssertionErrorCode["INTERNAL_ERROR"] = "INTERNAL_ERROR";
+    /**
+     * The `commitSignCount` callback returned `false`, meaning another
+     * concurrent request already advanced the stored counter past this value.
+     * Indicates an expected race under concurrent load, not a client bug.
+     * Used by {@linkcode withAssertion}.
+     */
+    AssertionErrorCode["SIGN_COUNT_STALE"] = "SIGN_COUNT_STALE";
 })(AssertionErrorCode || (AssertionErrorCode = {}));
 /** Thrown when assertion verification fails. */
 export class AssertionError extends Error {
+    /** Create an AssertionError with a machine-readable code and human-readable message. */
     constructor(
     /** Machine-readable error code. */
     code, message, options) {
@@ -65,6 +87,7 @@ export class AssertionError extends Error {
             writable: true,
             value: code
         });
+        /** Discriminant for `instanceof` checks in catch blocks. Always `"AssertionError"`. */
         Object.defineProperty(this, "name", {
             enumerable: true,
             configurable: true,

package/esm/src/with-assertion.d.ts

@@ -10,6 +10,21 @@ export type DeviceKey = {
     /** Last verified sign count for this device. */
     signCount: number;
 };
+/**
+ * Library-internal timing spans for an assertion verification, in
+ * milliseconds. Exposed on {@linkcode AssertionContext.timings} so the
+ * wrapped handler can emit them as part of its own Server-Timing response.
+ */
+export type AssertionTimings = {
+    /** Parse request headers and read raw body bytes. */
+    extractMs: number;
+    /** `getDeviceKey` callback wall-clock duration. */
+    getDeviceKeyMs: number;
+    /** Cryptographic verification (CBOR decode, ECDSA verify, counter check). */
+    verifyMs: number;
+    /** `commitSignCount` callback wall-clock duration. */
+    commitMs: number;
+};
 /** Context passed to the inner handler after successful assertion verification. */
 export type AssertionContext = {
     /** Device identifier from the request. */
@@ -18,6 +33,8 @@ export type AssertionContext = {
     signCount: number;
     /** Raw request body bytes (the client data that was signed). */
     rawBody: Uint8Array;
+    /** Library-internal timings, ready to merge into Server-Timing. */
+    timings: AssertionTimings;
 };
 /** Custom function to extract assertion data from an incoming request. */
 export type ExtractAssertionFn = (req: Request) => Promise<{
@@ -33,8 +50,24 @@ export type WithAssertionOptions = {
     developmentEnv?: boolean;
     /** Retrieve the stored device key for a given device ID. Return `null` if not found. */
     getDeviceKey: (deviceId: string) => Promise<DeviceKey | null>;
-    /** Persist the new sign count after successful verification. */
-    updateSignCount: (deviceId: string, newSignCount: number) => Promise<void>;
+    /**
+     * Atomically advance the stored sign count. MUST be implemented as a
+     * compare-and-swap: only update if the currently stored value is strictly
+     * less than `newSignCount`. Returns `true` if the row was advanced,
+     * `false` if another concurrent request already advanced past this value.
+     *
+     * Recommended SQL pattern against Postgres:
+     *
+     * ```sql
+     * UPDATE app_attest_devices
+     *    SET sign_count = $1, last_seen_at = now()
+     *  WHERE device_id = $2 AND sign_count < $1
+     * ```
+     *
+     * Return `rowCount > 0`. The library converts `false` into
+     * `AssertionError(SIGN_COUNT_STALE)`.
+     */
+    commitSignCount: (deviceId: string, newSignCount: number) => Promise<boolean>;
     /** Override the default header-based assertion extraction. */
     extractAssertion?: ExtractAssertionFn;
     /** Custom error response handler. Defaults to JSON error responses. */
@@ -44,8 +77,13 @@ export type WithAssertionOptions = {
  * Request handler middleware that verifies App Attest assertions.
  *
  * Wraps a handler function with automatic assertion verification,
- * device key lookup, and sign count management. Returns a new handler
+ * device key lookup, and atomic sign-count commit. Returns a new handler
  * that rejects unauthenticated requests with appropriate HTTP error responses.
+ *
+ * The `commitSignCount` callback MUST implement compare-and-swap semantics
+ * (see {@linkcode WithAssertionOptions.commitSignCount}) — a non-atomic
+ * unconditional write will silently corrupt replay protection under
+ * concurrent load.
  */
 export declare function withAssertion(options: WithAssertionOptions, handler: (req: Request, context: AssertionContext) => Response | Promise<Response>): (req: Request) => Promise<Response>;
 //# sourceMappingURL=with-assertion.d.ts.map

package/esm/src/with-assertion.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"with-assertion.d.ts","sourceRoot":"","sources":["../../src/src/with-assertion.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAsB,MAAM,aAAa,CAAC;AAEjE,iEAAiE;AACjE,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AACjE,0DAA0D;AAC1D,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AAEjE,0EAA0E;AAC1E,MAAM,MAAM,SAAS,GAAG;IACtB,2DAA2D;IAC3D,YAAY,EAAE,MAAM,CAAC;IACrB,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,mFAAmF;AACnF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,OAAO,EAAE,UAAU,CAAC;CACrB,CAAC;AAEF,0EAA0E;AAC1E,MAAM,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IACzD,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,UAAU,CAAC;CACxB,CAAC,CAAC;AAEH,kEAAkE;AAClE,MAAM,MAAM,oBAAoB,GAAG;IACjC,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,wFAAwF;IACxF,YAAY,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAC9D,gEAAgE;IAChE,eAAe,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3E,8DAA8D;IAC9D,gBAAgB,CAAC,EAAE,kBAAkB,CAAC;IACtC,uEAAuE;IACvE,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,cAAc,EACrB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AAmCF;;;;;;GAMG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,oBAAoB,EAC7B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,gBAAgB,KACtB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAuErC"}
+{"version":3,"file":"with-assertion.d.ts","sourceRoot":"","sources":["../../src/src/with-assertion.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAsB,MAAM,aAAa,CAAC;AAEjE,iEAAiE;AACjE,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AACjE,0DAA0D;AAC1D,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AAEjE,0EAA0E;AAC1E,MAAM,MAAM,SAAS,GAAG;IACtB,2DAA2D;IAC3D,YAAY,EAAE,MAAM,CAAC;IACrB,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,qDAAqD;IACrD,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,6EAA6E;IAC7E,QAAQ,EAAE,MAAM,CAAC;IACjB,sDAAsD;IACtD,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,mFAAmF;AACnF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,OAAO,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,OAAO,EAAE,gBAAgB,CAAC;CAC3B,CAAC;AAEF,0EAA0E;AAC1E,MAAM,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IACzD,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,UAAU,CAAC;CACxB,CAAC,CAAC;AAEH,kEAAkE;AAClE,MAAM,MAAM,oBAAoB,GAAG;IACjC,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,wFAAwF;IACxF,YAAY,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAC9D;;;;;;;;;;;;;;;;OAgBG;IACH,eAAe,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9E,8DAA8D;IAC9D,gBAAgB,CAAC,EAAE,kBAAkB,CAAC;IACtC,uEAAuE;IACvE,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,cAAc,EACrB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AAmCF;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,oBAAoB,EAC7B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,gBAAgB,KACtB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CA+FrC"}

package/esm/src/with-assertion.js

@@ -26,8 +26,13 @@ function defaultErrorResponse(error) {
  * Request handler middleware that verifies App Attest assertions.
  *
  * Wraps a handler function with automatic assertion verification,
- * device key lookup, and sign count management. Returns a new handler
+ * device key lookup, and atomic sign-count commit. Returns a new handler
  * that rejects unauthenticated requests with appropriate HTTP error responses.
+ *
+ * The `commitSignCount` callback MUST implement compare-and-swap semantics
+ * (see {@linkcode WithAssertionOptions.commitSignCount}) — a non-atomic
+ * unconditional write will silently corrupt replay protection under
+ * concurrent load.
  */
 export function withAssertion(options, handler) {
     const appInfo = {
@@ -39,11 +44,20 @@ export function withAssertion(options, handler) {
         let deviceId;
         let clientData;
         let newSignCount;
-        // Steps 1-4: extract, verify, update sign count
+        const timings = {
+            extractMs: 0,
+            getDeviceKeyMs: 0,
+            verifyMs: 0,
+            commitMs: 0,
+        };
+        // Steps 1-4: extract, verify, commit sign count
         try {
+            const extractStart = performance.now();
             const extracted = await extract(req);
+            timings.extractMs = performance.now() - extractStart;
             deviceId = extracted.deviceId;
             clientData = extracted.clientData;
+            const getKeyStart = performance.now();
             let deviceKey;
             try {
                 deviceKey = await options.getDeviceKey(deviceId);
@@ -51,15 +65,24 @@ export function withAssertion(options, handler) {
             catch (err) {
                 throw new AssertionError(AssertionErrorCode.INTERNAL_ERROR, "Storage callback failed", { cause: err });
             }
+            timings.getDeviceKeyMs = performance.now() - getKeyStart;
             if (!deviceKey) {
                 throw new AssertionError(AssertionErrorCode.DEVICE_NOT_FOUND, "Device not found");
             }
+            const verifyStart = performance.now();
             const result = await verifyAssertion(appInfo, extracted.assertion, clientData, deviceKey.publicKeyPem, deviceKey.signCount);
+            timings.verifyMs = performance.now() - verifyStart;
+            const commitStart = performance.now();
+            let committed;
             try {
-                await options.updateSignCount(deviceId, result.signCount);
+                committed = await options.commitSignCount(deviceId, result.signCount);
             }
             catch (err) {
-                throw new AssertionError(AssertionErrorCode.INTERNAL_ERROR, "Failed to update sign count", { cause: err });
+                throw new AssertionError(AssertionErrorCode.INTERNAL_ERROR, "Failed to commit sign count", { cause: err });
+            }
+            timings.commitMs = performance.now() - commitStart;
+            if (!committed) {
+                throw new AssertionError(AssertionErrorCode.SIGN_COUNT_STALE, `Sign count ${result.signCount} is stale — another concurrent request already advanced past it`);
             }
             newSignCount = result.signCount;
         }
@@ -76,6 +99,7 @@ export function withAssertion(options, handler) {
             deviceId,
             signCount: newSignCount,
             rawBody: clientData,
+            timings,
         });
     };
 }

package/esm/src/with-attestation.d.ts

@@ -0,0 +1,79 @@
+import { AttestationError } from "./errors.js";
+/**
+ * Library-internal timing spans for an attestation verification, in
+ * milliseconds. Exposed on {@linkcode AttestationContext.timings}.
+ */
+export type AttestationTimings = {
+    /** Parse request body + decode base64 fields. */
+    extractMs: number;
+    /** `consumeChallenge` callback wall-clock duration. */
+    consumeChallengeMs: number;
+    /** Cryptographic verification (CBOR decode, cert chain, nonce, key extract). */
+    verifyMs: number;
+    /** `storeDeviceKey` callback wall-clock duration. */
+    storeDeviceKeyMs: number;
+};
+/** Context passed to the inner handler after successful attestation verification. */
+export type AttestationContext = {
+    /** Device identifier (Apple-issued `keyId`) from the request. */
+    deviceId: string;
+    /** PEM-encoded ECDSA P-256 public key extracted from the attestation. */
+    publicKeyPem: string;
+    /** Initial sign count from the attestation (always `0`). */
+    signCount: number;
+    /** Raw App Attest receipt bytes. */
+    receipt: Uint8Array;
+    /** Library-internal timings, ready to merge into Server-Timing. */
+    timings: AttestationTimings;
+};
+/** Custom function to extract attestation data from an incoming request. */
+export type ExtractAttestationFn = (req: Request) => Promise<{
+    deviceId: string;
+    challenge: Uint8Array;
+    attestation: Uint8Array;
+}>;
+/** Configuration for the {@linkcode withAttestation} middleware. */
+export type WithAttestationOptions = {
+    /** Apple App ID in the format `TEAMID.bundleId`. */
+    appId: string;
+    /** Set to `true` for development environment attestations. */
+    developmentEnv?: boolean;
+    /**
+     * Atomically consume a previously-issued challenge. Return `true` if the
+     * challenge was valid, unused, and unexpired (and is now consumed);
+     * `false` otherwise. Implementations should use `DELETE ... RETURNING`
+     * to guarantee single-use semantics.
+     *
+     * The library converts `false` into `AttestationError(CHALLENGE_INVALID)`.
+     */
+    consumeChallenge: (challenge: Uint8Array) => Promise<boolean>;
+    /**
+     * Persist the verified device key row. Caller chooses INSERT vs UPSERT —
+     * re-attesting an existing deviceId is cryptographically safe (Apple has
+     * re-signed) so UPSERT is usually correct.
+     */
+    storeDeviceKey: (row: {
+        deviceId: string;
+        publicKeyPem: string;
+        signCount: number;
+        receipt: Uint8Array;
+    }) => Promise<void>;
+    /** Override the default body-based attestation extraction. */
+    extractAttestation?: ExtractAttestationFn;
+    /** Custom error response handler. Defaults to JSON error responses. */
+    onError?: (error: AttestationError, req: Request) => Response | Promise<Response>;
+};
+/**
+ * Request handler middleware that verifies App Attest attestations.
+ *
+ * Wraps a handler with automatic challenge consumption, cryptographic
+ * attestation verification, and device key persistence. Returns a new
+ * handler that rejects invalid attestations with appropriate HTTP
+ * error responses.
+ *
+ * The symmetric pair of {@linkcode withAssertion} — use this on your
+ * one-time device registration endpoint, then use `withAssertion` on
+ * every protected business endpoint.
+ */
+export declare function withAttestation(options: WithAttestationOptions, handler: (req: Request, context: AttestationContext) => Response | Promise<Response>): (req: Request) => Promise<Response>;
+//# sourceMappingURL=with-attestation.d.ts.map

package/esm/src/with-attestation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"with-attestation.d.ts","sourceRoot":"","sources":["../../src/src/with-attestation.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAwB,MAAM,aAAa,CAAC;AAErE;;;GAGG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;IAClB,uDAAuD;IACvD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,gFAAgF;IAChF,QAAQ,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,gBAAgB,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,qFAAqF;AACrF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,iEAAiE;IACjE,QAAQ,EAAE,MAAM,CAAC;IACjB,yEAAyE;IACzE,YAAY,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;IAClB,oCAAoC;IACpC,OAAO,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,OAAO,EAAE,kBAAkB,CAAC;CAC7B,CAAC;AAEF,4EAA4E;AAC5E,MAAM,MAAM,oBAAoB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,UAAU,CAAC;IACtB,WAAW,EAAE,UAAU,CAAC;CACzB,CAAC,CAAC;AAEH,oEAAoE;AACpE,MAAM,MAAM,sBAAsB,GAAG;IACnC,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB;;;;;;;OAOG;IACH,gBAAgB,EAAE,CAAC,SAAS,EAAE,UAAU,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9D;;;;OAIG;IACH,cAAc,EAAE,CAAC,GAAG,EAAE;QACpB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,UAAU,CAAC;KACrB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpB,8DAA8D;IAC9D,kBAAkB,CAAC,EAAE,oBAAoB,CAAC;IAC1C,uEAAuE;IACvE,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,gBAAgB,EACvB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AAwEF;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,sBAAsB,EAC/B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,kBAAkB,KACxB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAkGrC"}

package/esm/src/with-attestation.js

@@ -0,0 +1,135 @@
+// src/with-attestation.ts
+import { decodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.10/base64.js";
+import { verifyAttestation } from "./attestation.js";
+import { AttestationError, AttestationErrorCode } from "./errors.js";
+/**
+ * Default extractor: reads a JSON body of the shape
+ * `{ keyId: string, challenge: string, attestation: string }` where all
+ * three fields are base64-encoded per Apple's standard wire format.
+ */
+async function defaultExtractAttestation(req) {
+    let body;
+    try {
+        body = await req.json();
+    }
+    catch (err) {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, `Failed to parse attestation request body as JSON: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    if (typeof body !== "object" || body === null ||
+        typeof body.keyId !== "string" ||
+        typeof body.challenge !== "string" ||
+        typeof body.attestation !== "string") {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "Attestation request body must include { keyId, challenge, attestation } as base64 strings");
+    }
+    const typed = body;
+    let challenge;
+    let attestation;
+    try {
+        challenge = decodeBase64(typed.challenge);
+    }
+    catch {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "challenge is not valid base64");
+    }
+    try {
+        attestation = decodeBase64(typed.attestation);
+    }
+    catch {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "attestation is not valid base64");
+    }
+    return { deviceId: typed.keyId, challenge, attestation };
+}
+function defaultErrorResponse(error) {
+    const status = error.code === AttestationErrorCode.INTERNAL_ERROR
+        ? 500
+        : error.code === AttestationErrorCode.INVALID_FORMAT
+            ? 400
+            : 401;
+    return new Response(JSON.stringify({ error: error.message, code: error.code }), { status, headers: { "Content-Type": "application/json" } });
+}
+/**
+ * Request handler middleware that verifies App Attest attestations.
+ *
+ * Wraps a handler with automatic challenge consumption, cryptographic
+ * attestation verification, and device key persistence. Returns a new
+ * handler that rejects invalid attestations with appropriate HTTP
+ * error responses.
+ *
+ * The symmetric pair of {@linkcode withAssertion} — use this on your
+ * one-time device registration endpoint, then use `withAssertion` on
+ * every protected business endpoint.
+ */
+export function withAttestation(options, handler) {
+    const appInfo = {
+        appId: options.appId,
+        developmentEnv: options.developmentEnv ?? false,
+    };
+    const extract = options.extractAttestation ?? defaultExtractAttestation;
+    return async (req) => {
+        let deviceId;
+        let publicKeyPem;
+        let receipt;
+        const timings = {
+            extractMs: 0,
+            consumeChallengeMs: 0,
+            verifyMs: 0,
+            storeDeviceKeyMs: 0,
+        };
+        try {
+            const extractStart = performance.now();
+            const extracted = await extract(req);
+            timings.extractMs = performance.now() - extractStart;
+            deviceId = extracted.deviceId;
+            const consumeStart = performance.now();
+            let challengeOk;
+            try {
+                challengeOk = await options.consumeChallenge(extracted.challenge);
+            }
+            catch (err) {
+                // Static message — the original error is attached via `cause` and
+                // never reaches the wire. Callback errors from Postgres drivers
+                // routinely contain schema details, constraint names, and other
+                // info that must not leak to unauthenticated clients.
+                throw new AttestationError(AttestationErrorCode.INTERNAL_ERROR, "consumeChallenge callback failed", { cause: err });
+            }
+            timings.consumeChallengeMs = performance.now() - consumeStart;
+            if (!challengeOk) {
+                throw new AttestationError(AttestationErrorCode.CHALLENGE_INVALID, "Challenge is missing, expired, or already consumed");
+            }
+            const verifyStart = performance.now();
+            const result = await verifyAttestation(appInfo, deviceId, extracted.challenge, extracted.attestation);
+            timings.verifyMs = performance.now() - verifyStart;
+            publicKeyPem = result.publicKeyPem;
+            receipt = result.receipt;
+            const storeStart = performance.now();
+            try {
+                await options.storeDeviceKey({
+                    deviceId,
+                    publicKeyPem,
+                    signCount: result.signCount,
+                    receipt,
+                });
+            }
+            catch (err) {
+                // Static message — see consumeChallenge catch above.
+                throw new AttestationError(AttestationErrorCode.INTERNAL_ERROR, "storeDeviceKey callback failed", { cause: err });
+            }
+            timings.storeDeviceKeyMs = performance.now() - storeStart;
+        }
+        catch (err) {
+            // Non-AttestationError escapes (unexpected runtime errors, programmer
+            // bugs, etc.) are wrapped as INTERNAL_ERROR with a static message.
+            // The original is attached via `cause` and never reaches the wire.
+            const error = err instanceof AttestationError
+                ? err
+                : new AttestationError(AttestationErrorCode.INTERNAL_ERROR, "Internal error", { cause: err });
+            return options.onError?.(error, req) ?? defaultErrorResponse(error);
+        }
+        return await handler(req, {
+            deviceId,
+            publicKeyPem,
+            signCount: 0,
+            receipt,
+            timings,
+        });
+    };
+}

package/package.json

@@ -1,7 +1,8 @@
 {
   "name": "@bradford-tech/supabase-integrity-attest",
-  "version": "0.3.2",
+  "version": "0.4.1",
   "description": "Verify Apple App Attest attestations and assertions using WebCrypto.",
+  "homepage": "https://integrity-attest.bradford.tech",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/bradford-tech/supabase-integrity-attest.git"
@@ -22,18 +23,14 @@
       "import": "./esm/attestation.js"
     }
   },
-  "scripts": {
-    "test": "node test_runner.js"
-  },
+  "scripts": {},
   "dependencies": {
     "@noble/curves": "^2.0.1",
     "asn1js": "^3.0.7",
     "cborg": "^4.5.8"
   },
   "devDependencies": {
-    "@types/node": "^20.9.0",
-    "picocolors": "^1.0.0",
-    "@deno/shim-deno-test": "~0.5.0"
+    "@types/node": "^20.9.0"
   },
   "_generatedBy": "dnt@dev"
 }

package/esm/_dnt.test_polyfills.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"_dnt.test_polyfills.d.ts","sourceRoot":"","sources":["../src/_dnt.test_polyfills.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,KAAK;QACb,KAAK,CAAC,EAAE,OAAO,CAAC;KACjB;CACF;AAED,OAAO,EAAE,CAAC"}

package/esm/_dnt.test_shims.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"_dnt.test_shims.d.ts","sourceRoot":"","sources":["../src/_dnt.test_shims.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAK5C,eAAO,MAAM,aAAa;;CAA2C,CAAC"}

package/esm/deps/jsr.io/@std/assert/1.0.19/almost_equals.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"almost_equals.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/almost_equals.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,SAAS,CAAC,EAAE,MAAM,EAClB,GAAG,CAAC,EAAE,MAAM,QAmBb"}

package/esm/deps/jsr.io/@std/assert/1.0.19/array_includes.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"array_includes.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/array_includes.ts"],"names":[],"mappings":"AAMA,0FAA0F;AAC1F,MAAM,MAAM,YAAY,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC;AAOpD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,EACnC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,EACvB,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC,EACzB,GAAG,CAAC,EAAE,MAAM,GACX,IAAI,CAgCN"}

package/esm/deps/jsr.io/@std/assert/1.0.19/assert.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"assert.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/assert.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,SAAK,GAAG,OAAO,CAAC,IAAI,CAI5D"}

package/esm/deps/jsr.io/@std/assert/1.0.19/assertion_error.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"assertion_error.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/assertion_error.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,cAAe,SAAQ,KAAK;IACvC;;;;OAIG;gBACS,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,YAAY;CAIpD"}

package/esm/deps/jsr.io/@std/assert/1.0.19/equal.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"equal.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/equal.ts"],"names":[],"mappings":"AA0FA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,KAAK,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,GAAG,OAAO,CAgHrD"}

package/esm/deps/jsr.io/@std/assert/1.0.19/equals.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"equals.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/equals.ts"],"names":[],"mappings":"AAUA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,wBAAgB,YAAY,CAAC,CAAC,EAC5B,MAAM,EAAE,CAAC,EACT,QAAQ,EAAE,CAAC,EACX,GAAG,CAAC,EAAE,MAAM,QAmBb"}

package/esm/deps/jsr.io/@std/assert/1.0.19/exists.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"exists.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/exists.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,YAAY,CAAC,CAAC,EAC5B,MAAM,EAAE,CAAC,EACT,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,MAAM,IAAI,WAAW,CAAC,CAAC,CAAC,CAOlC"}

package/esm/deps/jsr.io/@std/assert/1.0.19/fail.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"fail.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/fail.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;GAYG;AACH,wBAAgB,IAAI,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,CAGxC"}

package/esm/deps/jsr.io/@std/assert/1.0.19/false.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"false.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/false.ts"],"names":[],"mappings":"AAIA,uDAAuD;AACvD,MAAM,MAAM,KAAK,GAAG,KAAK,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,GAAG,SAAS,CAAC;AAE3D;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,SAAK,GAAG,OAAO,CAAC,IAAI,IAAI,KAAK,CAI1E"}

package/esm/deps/jsr.io/@std/assert/1.0.19/greater.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"greater.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/greater.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,QAMpE"}

package/esm/deps/jsr.io/@std/assert/1.0.19/greater_or_equal.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"greater_or_equal.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/greater_or_equal.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,oBAAoB,CAAC,CAAC,EACpC,MAAM,EAAE,CAAC,EACT,QAAQ,EAAE,CAAC,EACX,GAAG,CAAC,EAAE,MAAM,QASb"}

package/esm/deps/jsr.io/@std/assert/1.0.19/instance_of.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"instance_of.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/instance_of.ts"],"names":[],"mappings":"AAIA,sBAAsB;AAEtB,MAAM,MAAM,cAAc,GAAG,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC;AACzD,4BAA4B;AAC5B,MAAM,MAAM,kBAAkB,CAAC,CAAC,SAAS,cAAc,IAAI,YAAY,CAAC,CAAC,CAAC,CAAC;AAE3E;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAE9B,CAAC,SAAS,QAAQ,MAAM,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,EAE9C,MAAM,EAAE,OAAO,EACf,YAAY,EAAE,CAAC,EACf,GAAG,SAAK,GACP,OAAO,CAAC,MAAM,IAAI,YAAY,CAAC,CAAC,CAAC,CA6BnC"}

package/esm/deps/jsr.io/@std/assert/1.0.19/is_error.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"is_error.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/is_error.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,aAAa,CAAC,CAAC,SAAS,KAAK,GAAG,KAAK,EACnD,KAAK,EAAE,OAAO,EAEd,UAAU,CAAC,EAAE,QAAQ,MAAM,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,EAC/C,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,EAC5B,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,KAAK,IAAI,CAAC,CA8BpB"}

package/esm/deps/jsr.io/@std/assert/1.0.19/less.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"less.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/less.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,UAAU,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,QAMjE"}

package/esm/deps/jsr.io/@std/assert/1.0.19/less_or_equal.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"less_or_equal.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/less_or_equal.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,EACjC,MAAM,EAAE,CAAC,EACT,QAAQ,EAAE,CAAC,EACX,GAAG,CAAC,EAAE,MAAM,QASb"}

package/esm/deps/jsr.io/@std/assert/1.0.19/match.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"match.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/match.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,WAAW,CACzB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,GAAG,CAAC,EAAE,MAAM,QAMb"}

package/esm/deps/jsr.io/@std/assert/1.0.19/mod.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/mod.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;GAeG;AAEH,cAAc,oBAAoB,CAAC;AACnC,cAAc,qBAAqB,CAAC;AACpC,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,uBAAuB,CAAC;AACtC,cAAc,cAAc,CAAC;AAC7B,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,cAAc,oBAAoB,CAAC;AACnC,cAAc,WAAW,CAAC;AAC1B,cAAc,YAAY,CAAC;AAC3B,cAAc,iBAAiB,CAAC;AAChC,cAAc,sBAAsB,CAAC;AACrC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,wBAAwB,CAAC;AACvC,cAAc,mBAAmB,CAAC;AAClC,cAAc,cAAc,CAAC;AAC7B,cAAc,oBAAoB,CAAC;AACnC,cAAc,sBAAsB,CAAC;AACrC,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,sBAAsB,CAAC;AACrC,cAAc,YAAY,CAAC;AAC3B,cAAc,WAAW,CAAC;AAC1B,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC"}

package/esm/deps/jsr.io/@std/assert/1.0.19/not_equals.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"not_equals.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/not_equals.ts"],"names":[],"mappings":"AAOA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,QAUtE"}

package/esm/deps/jsr.io/@std/assert/1.0.19/not_instance_of.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"not_instance_of.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/not_instance_of.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,CAAC,EACtC,MAAM,EAAE,CAAC,EAET,cAAc,EAAE,QAAQ,MAAM,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,EAClD,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,CAKjC"}

package/esm/deps/jsr.io/@std/assert/1.0.19/not_match.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"not_match.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/not_match.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,GAAG,CAAC,EAAE,MAAM,QAMb"}

package/esm/deps/jsr.io/@std/assert/1.0.19/not_strict_equals.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"not_strict_equals.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/not_strict_equals.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,EACrC,MAAM,EAAE,CAAC,EACT,QAAQ,EAAE,CAAC,EACX,GAAG,CAAC,EAAE,MAAM,QAYb"}

package/esm/deps/jsr.io/@std/assert/1.0.19/object_match.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"object_match.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/object_match.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,iBAAiB,CAE/B,MAAM,EAAE,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,EAChC,QAAQ,EAAE,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,EACtC,GAAG,CAAC,EAAE,MAAM,GACX,IAAI,CAUN"}

package/esm/deps/jsr.io/@std/assert/1.0.19/rejects.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"rejects.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/rejects.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,aAAa,CAC3B,EAAE,EAAE,MAAM,WAAW,CAAC,OAAO,CAAC,EAC9B,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,OAAO,CAAC,CAAC;AACpB;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,aAAa,CAAC,CAAC,SAAS,KAAK,GAAG,KAAK,EACnD,EAAE,EAAE,MAAM,WAAW,CAAC,OAAO,CAAC,EAE9B,UAAU,EAAE,QAAQ,MAAM,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,EAC9C,WAAW,CAAC,EAAE,MAAM,EACpB,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,CAAC,CAAC,CAAC"}

package/esm/deps/jsr.io/@std/assert/1.0.19/strict_equals.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"strict_equals.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/strict_equals.ts"],"names":[],"mappings":"AASA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,EAClC,MAAM,EAAE,OAAO,EACf,QAAQ,EAAE,CAAC,EACX,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,MAAM,IAAI,CAAC,CAgCrB"}

package/esm/deps/jsr.io/@std/assert/1.0.19/string_includes.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"string_includes.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/string_includes.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,GAAG,CAAC,EAAE,MAAM,QAMb"}

package/esm/deps/jsr.io/@std/assert/1.0.19/throws.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"throws.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/throws.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,YAAY,CAC1B,EAAE,EAAE,MAAM,OAAO,EACjB,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC;AACX;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,YAAY,CAAC,CAAC,SAAS,KAAK,GAAG,KAAK,EAClD,EAAE,EAAE,MAAM,OAAO,EAEjB,UAAU,EAAE,QAAQ,MAAM,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,EAC9C,WAAW,CAAC,EAAE,MAAM,EACpB,GAAG,CAAC,EAAE,MAAM,GACX,CAAC,CAAC"}

package/esm/deps/jsr.io/@std/assert/1.0.19/unimplemented.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"unimplemented.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/unimplemented.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;GAYG;AACH,wBAAgB,aAAa,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,CAGjD"}

package/esm/deps/jsr.io/@std/assert/1.0.19/unreachable.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"unreachable.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/assert/1.0.19/unreachable.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;GAYG;AACH,wBAAgB,WAAW,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,CAG/C"}

package/esm/deps/jsr.io/@std/internal/1.0.12/build_message.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"build_message.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/internal/1.0.12/build_message.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAEvD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,WAAW,CACzB,QAAQ,EAAE,QAAQ;AAClB;;;GAGG;AACH,UAAU,UAAQ,GACjB,CAAC,CAAC,EAAE,MAAM,KAAK,MAAM,CAWvB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,CASrD;AAED,4CAA4C;AAC5C,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,YAAY,CAC1B,UAAU,EAAE,aAAa,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,EAC7C,OAAO,GAAE,mBAAwB,EACjC,YAAY,CAAC,EAAE,CACb,UAAU,EAAE,aAAa,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,EAC7C,UAAU,EAAE,OAAO,EACnB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,KAC1B,aAAa,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,GACrC,MAAM,EAAE,CA8BV"}

package/esm/deps/jsr.io/@std/internal/1.0.12/diff.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"diff.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/internal/1.0.12/diff.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAEvD,2DAA2D;AAC3D,MAAM,WAAW,aAAa;IAC5B,qCAAqC;IACrC,CAAC,EAAE,MAAM,CAAC;IACV,2BAA2B;IAC3B,EAAE,EAAE,MAAM,CAAC;CACZ;AAMD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,YAAY,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,EAAE,CAanD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,KAAK,IAAI,aAAa,CAWvE;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,SAAS,CAAC,CAAC,EACzB,CAAC,EAAE,CAAC,EAAE,EACN,CAAC,EAAE,CAAC,EAAE,EACN,OAAO,EAAE,aAAa,EACtB,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,WAAW,EACnB,kBAAkB,EAAE,MAAM,GACzB,KAAK,CAAC;IACP,IAAI,EAAE,QAAQ,CAAC;IACf,KAAK,EAAE,CAAC,CAAC;CACV,CAAC,CAgCD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,wBAAgB,QAAQ,CACtB,CAAC,EAAE,MAAM,EACT,CAAC,EAAE,MAAM,EACT,MAAM,EAAE,WAAW,EACnB,kBAAkB,EAAE,MAAM,EAC1B,GAAG,EAAE,MAAM,EACX,KAAK,CAAC,EAAE,aAAa,EACrB,IAAI,CAAC,EAAE,aAAa,GACnB,aAAa,CAsBf;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,CAwEvD"}

package/esm/deps/jsr.io/@std/internal/1.0.12/diff_str.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"diff_str.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/internal/1.0.12/diff_str.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAqB,UAAU,EAAE,MAAM,YAAY,CAAC;AAGhE;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAY/C;AAKD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,UAAQ,GAAG,MAAM,EAAE,CAiBnE;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,aAAa,CAC3B,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,EACxB,MAAM,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,GAC3B,UAAU,CAAC,MAAM,CAAC,EAAE,CAetB;AAID;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,wBAAgB,OAAO,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,CAkDlE"}

package/esm/deps/jsr.io/@std/internal/1.0.12/format.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"format.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/internal/1.0.12/format.ts"],"names":[],"mappings":"AAMA,MAAM,MAAM,SAAS,GAAG,CACtB,CAAC,EAAE,OAAO,EACV,OAAO,EAAE;IACP,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,OAAO,CAAC;IAChB,aAAa,EAAE,OAAO,CAAC;IACvB,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,OAAO,CAAC;IACjB,iBAAiB,EAAE,MAAM,CAAC;CAC3B,KACE,MAAM,CAAC;AAEZ;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,MAAM,CAAC,CAAC,EAAE,OAAO,GAAG,MAAM,CAmBzC"}

package/esm/deps/jsr.io/@std/internal/1.0.12/styles.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"styles.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/internal/1.0.12/styles.ts"],"names":[],"mappings":"AAqCA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAExC;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEvC;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEzC;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE1C;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEzC;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAExC;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEzC;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE3C;AAWD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEpD"}

package/esm/deps/jsr.io/@std/internal/1.0.12/types.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/internal/1.0.12/types.ts"],"names":[],"mappings":"AAGA,kDAAkD;AAClD,MAAM,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC;AAEnD;;;GAGG;AACH,MAAM,MAAM,UAAU,CAAC,CAAC,IAAI,iBAAiB,CAAC,CAAC,CAAC,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;AAEvE;;;GAGG;AACH,MAAM,MAAM,gBAAgB,CAAC,CAAC,IAAI;IAChC,IAAI,EAAE,QAAQ,GAAG,YAAY,CAAC;IAC9B,KAAK,EAAE,CAAC,CAAC;CACV,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,iBAAiB,CAAC,CAAC,IAAI;IACjC,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC;IAC1B,KAAK,EAAE,CAAC,CAAC;IACT,OAAO,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;CAC3B,CAAC"}

package/esm/src/cose.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"cose.d.ts","sourceRoot":"","sources":["../../src/src/cose.ts"],"names":[],"mappings":"AAGA,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,UAAU,GAAG,UAAU,CAkBvE;AAED,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,SAAS,CAAC,CASpB"}

package/esm/tests/assertion-entry.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"assertion-entry.test.d.ts","sourceRoot":"","sources":["../../src/tests/assertion-entry.test.ts"],"names":[],"mappings":"AACA,OAAO,2BAA2B,CAAC"}

package/esm/tests/assertion.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"assertion.test.d.ts","sourceRoot":"","sources":["../../src/tests/assertion.test.ts"],"names":[],"mappings":"AACA,OAAO,2BAA2B,CAAC"}

package/esm/tests/attestation-entry.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"attestation-entry.test.d.ts","sourceRoot":"","sources":["../../src/tests/attestation-entry.test.ts"],"names":[],"mappings":"AACA,OAAO,2BAA2B,CAAC"}

package/esm/tests/attestation.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"attestation.test.d.ts","sourceRoot":"","sources":["../../src/tests/attestation.test.ts"],"names":[],"mappings":"AACA,OAAO,2BAA2B,CAAC"}

package/esm/tests/authdata.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"authdata.test.d.ts","sourceRoot":"","sources":["../../src/tests/authdata.test.ts"],"names":[],"mappings":"AACA,OAAO,2BAA2B,CAAC"}

package/esm/tests/certificate.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"certificate.test.d.ts","sourceRoot":"","sources":["../../src/tests/certificate.test.ts"],"names":[],"mappings":"AACA,OAAO,2BAA2B,CAAC"}

package/esm/tests/cose.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"cose.test.d.ts","sourceRoot":"","sources":["../../src/tests/cose.test.ts"],"names":[],"mappings":"AACA,OAAO,2BAA2B,CAAC"}

package/esm/tests/der.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"der.test.d.ts","sourceRoot":"","sources":["../../src/tests/der.test.ts"],"names":[],"mappings":"AACA,OAAO,2BAA2B,CAAC"}

package/esm/tests/errors.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"errors.test.d.ts","sourceRoot":"","sources":["../../src/tests/errors.test.ts"],"names":[],"mappings":"AACA,OAAO,2BAA2B,CAAC"}

package/esm/tests/fixtures/apple-attestation.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"apple-attestation.d.ts","sourceRoot":"","sources":["../../../src/tests/fixtures/apple-attestation.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AAEH,eAAO,MAAM,iBAAiB;;;;IAK5B,oDAAoD;;IAIpD,oDAAoD;;;;;;;;CAQrD,CAAC"}

package/esm/tests/fixtures/generate-assertion.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"generate-assertion.d.ts","sourceRoot":"","sources":["../../../src/tests/fixtures/generate-assertion.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,yBAAyB;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,UAAU,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,aAAa,CAAC;CACzB;AAED,MAAM,WAAW,wBAAwB;IACvC,SAAS,EAAE,UAAU,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,UAAU,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,aAAa,CAAC;CACxB;AAED;;;GAGG;AACH,wBAAsB,0BAA0B,CAC9C,IAAI,EAAE,yBAAyB,GAC9B,OAAO,CAAC,wBAAwB,CAAC,CAuDnC"}

package/esm/tests/utils.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"utils.test.d.ts","sourceRoot":"","sources":["../../src/tests/utils.test.ts"],"names":[],"mappings":"AACA,OAAO,2BAA2B,CAAC"}

package/esm/tests/with-assertion.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"with-assertion.test.d.ts","sourceRoot":"","sources":["../../src/tests/with-assertion.test.ts"],"names":[],"mappings":"AACA,OAAO,2BAA2B,CAAC"}