@clef-sh/core 0.1.7-beta.48 → 0.1.8-beta.52

package/dist/artifact/packer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAGjE;;;;;GAKG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CA+G9F"}
+{"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAIjE;;;;;GAKG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAoI9F"}

package/dist/artifact/signer.d.ts

@@ -0,0 +1,66 @@
+import type { PackedArtifact, SignatureAlgorithm } from "./types";
+import type { KmsProvider } from "../kms";
+/**
+ * Build the canonical signing payload from an artifact.
+ *
+ * The payload is a deterministic newline-separated string of all
+ * security-relevant fields. The signature covers everything the
+ * runtime acts on — version, identity, environment, revision, timing,
+ * integrity hash, key list, expiry, and envelope fields.
+ *
+ * `ciphertextHash` transitively covers the ciphertext content, so the
+ * (potentially large) ciphertext itself is not included.
+ *
+ * Keys are sorted to ensure deterministic ordering regardless of
+ * insertion order in the source object.
+ */
+export declare function buildSigningPayload(artifact: PackedArtifact): Buffer;
+/**
+ * Generate an Ed25519 signing key pair.
+ * Returns base64-encoded DER keys (SPKI for public, PKCS8 for private).
+ */
+export declare function generateSigningKeyPair(): {
+    publicKey: string;
+    privateKey: string;
+};
+/**
+ * Sign an artifact payload with an Ed25519 private key.
+ *
+ * @param payload - Canonical signing payload from {@link buildSigningPayload}
+ * @param privateKeyBase64 - Base64-encoded DER PKCS8 private key
+ * @returns Base64-encoded Ed25519 signature
+ */
+export declare function signEd25519(payload: Buffer, privateKeyBase64: string): string;
+/**
+ * Sign an artifact payload with a KMS asymmetric signing key (ECDSA_SHA_256).
+ *
+ * The KMS `sign` method receives a SHA-256 digest (not the raw payload),
+ * matching AWS KMS `MessageType: "DIGEST"` semantics.
+ *
+ * @param payload - Canonical signing payload from {@link buildSigningPayload}
+ * @param kms - KMS provider with `sign` method
+ * @param signingKeyId - ARN or ID of the KMS asymmetric signing key
+ * @returns Base64-encoded ECDSA signature
+ */
+export declare function signKms(payload: Buffer, kms: KmsProvider, signingKeyId: string): Promise<string>;
+/**
+ * Verify a signature against a public key.
+ *
+ * The algorithm is derived from the key's type (Ed25519 or EC), not from
+ * the artifact's claimed `signatureAlgorithm` field. This prevents an
+ * attacker from downgrading the verification algorithm.
+ *
+ * @param payload - Canonical signing payload from {@link buildSigningPayload}
+ * @param signatureBase64 - Base64-encoded signature to verify
+ * @param publicKeyBase64 - Base64-encoded DER SPKI public key
+ * @returns true if the signature is valid
+ */
+export declare function verifySignature(payload: Buffer, signatureBase64: string, publicKeyBase64: string): boolean;
+/**
+ * Detect the signature algorithm from a DER SPKI public key.
+ *
+ * @param publicKeyBase64 - Base64-encoded DER SPKI public key
+ * @returns The corresponding SignatureAlgorithm
+ */
+export declare function detectAlgorithm(publicKeyBase64: string): SignatureAlgorithm;
+//# sourceMappingURL=signer.d.ts.map

package/dist/artifact/signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../../src/artifact/signer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAE1C;;;;;;;;;;;;;GAaG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,cAAc,GAAG,MAAM,CAiBpE;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAUlF;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAG,MAAM,CAQ7E;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,OAAO,CAC3B,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,WAAW,EAChB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,CASjB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,EACvB,eAAe,EAAE,MAAM,GACtB,OAAO,CAgBT;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,eAAe,EAAE,MAAM,GAAG,kBAAkB,CAU3E"}

package/dist/artifact/types.d.ts

@@ -9,6 +9,8 @@ export interface ArtifactEnvelope {
     /** KMS encryption algorithm (e.g. "SYMMETRIC_DEFAULT"). */
     algorithm: string;
 }
+/** Supported artifact signature algorithms. */
+export type SignatureAlgorithm = "Ed25519" | "ECDSA_SHA256";
 /** JSON envelope for a packed artifact. Language-agnostic, forward-compatible. */
 export interface PackedArtifact {
     version: 1;
@@ -30,6 +32,10 @@ export interface PackedArtifact {
     envelope?: ArtifactEnvelope;
     /** ISO-8601 expiry timestamp. Artifact is rejected after this time. */
     expiresAt?: string;
+    /** Base64-encoded cryptographic signature over the canonical artifact payload. */
+    signature?: string;
+    /** Algorithm used to produce the signature. */
+    signatureAlgorithm?: SignatureAlgorithm;
 }
 /** Configuration for the `pack` command. */
 export interface PackConfig {
@@ -41,6 +47,10 @@ export interface PackConfig {
     outputPath: string;
     /** TTL in seconds — embeds an `expiresAt` timestamp in the artifact envelope. */
     ttl?: number;
+    /** Ed25519 private key for artifact signing (base64-encoded DER PKCS8). */
+    signingKey?: string;
+    /** KMS asymmetric signing key ARN/ID (ECDSA_SHA_256). Mutually exclusive with signingKey. */
+    signingKmsKeyId?: string;
 }
 /** Result of a pack operation. */
 export interface PackResult {

package/dist/artifact/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/artifact/types.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,MAAM,WAAW,gBAAgB;IAC/B,sEAAsE;IACtE,QAAQ,EAAE,MAAM,CAAC;IACjB,iEAAiE;IACjE,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,UAAU,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,kFAAkF;AAClF,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,6BAA6B;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,cAAc,EAAE,MAAM,CAAC;IACvB,wEAAwE;IACxE,UAAU,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,qFAAqF;IACrF,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,uEAAuE;IACvE,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,UAAU,EAAE,MAAM,CAAC;IACnB,iFAAiF;IACjF,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,kCAAkC;AAClC,MAAM,WAAW,UAAU;IACzB,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,cAAc,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB,0CAA0C;IAC1C,YAAY,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;CAClB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/artifact/types.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,MAAM,WAAW,gBAAgB;IAC/B,sEAAsE;IACtE,QAAQ,EAAE,MAAM,CAAC;IACjB,iEAAiE;IACjE,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,UAAU,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,+CAA+C;AAC/C,MAAM,MAAM,kBAAkB,GAAG,SAAS,GAAG,cAAc,CAAC;AAE5D,kFAAkF;AAClF,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,6BAA6B;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,cAAc,EAAE,MAAM,CAAC;IACvB,wEAAwE;IACxE,UAAU,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,qFAAqF;IACrF,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,uEAAuE;IACvE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+CAA+C;IAC/C,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC;AAED,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,UAAU,EAAE,MAAM,CAAC;IACnB,iFAAiF;IACjF,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6FAA6F;IAC7F,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,kCAAkC;AAClC,MAAM,WAAW,UAAU;IACzB,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,cAAc,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB,0CAA0C;IAC1C,YAAY,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;CAClB"}

package/dist/index.d.mts

@@ -34,6 +34,7 @@ export { ServiceIdentityManager, PartialRotationError } from "./service-identity
 export { resolveIdentitySecrets } from "./artifact/resolve";
 export type { ResolvedSecrets } from "./artifact/resolve";
 export { ArtifactPacker } from "./artifact/packer";
-export type { PackedArtifact, PackConfig, PackResult, ArtifactEnvelope } from "./artifact/types";
+export type { PackedArtifact, PackConfig, PackResult, ArtifactEnvelope, SignatureAlgorithm, } from "./artifact/types";
+export { buildSigningPayload, generateSigningKeyPair, signEd25519, signKms, verifySignature, detectAlgorithm, } from "./artifact/signer";
 export type { KmsProvider, KmsWrapResult, KmsProviderType } from "./kms";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts

@@ -34,6 +34,7 @@ export { ServiceIdentityManager, PartialRotationError } from "./service-identity
 export { resolveIdentitySecrets } from "./artifact/resolve";
 export type { ResolvedSecrets } from "./artifact/resolve";
 export { ArtifactPacker } from "./artifact/packer";
-export type { PackedArtifact, PackConfig, PackResult, ArtifactEnvelope } from "./artifact/types";
+export type { PackedArtifact, PackConfig, PackResult, ArtifactEnvelope, SignatureAlgorithm, } from "./artifact/types";
+export { buildSigningPayload, generateSigningKeyPair, signEd25519, signKms, verifySignature, detectAlgorithm, } from "./artifact/signer";
 export type { KmsProvider, KmsWrapResult, KmsProviderType } from "./kms";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC3E,OAAO,EACL,UAAU,EACV,cAAc,EACd,aAAa,EACb,aAAa,EACb,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,WAAW,CAAC;AACnB,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AACrF,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AACrC,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACvE,YAAY,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACzF,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,oBAAoB,EACpB,YAAY,EACZ,cAAc,EACd,SAAS,EACT,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxF,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAC1F,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,YAAY,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAC1E,YAAY,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,EACL,iBAAiB,EACjB,gBAAgB,EAChB,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,aAAa,IAAI,mBAAmB,EACpC,WAAW,GACZ,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EACL,eAAe,EACf,eAAe,EACf,iBAAiB,EACjB,WAAW,EACX,gBAAgB,GACjB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC5E,OAAO,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAC1F,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,YAAY,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EAAE,cAAc,EAAE,UAAU,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACjG,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC3E,OAAO,EACL,UAAU,EACV,cAAc,EACd,aAAa,EACb,aAAa,EACb,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,WAAW,CAAC;AACnB,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AACrF,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AACrC,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACvE,YAAY,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACzF,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,oBAAoB,EACpB,YAAY,EACZ,cAAc,EACd,SAAS,EACT,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxF,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAC1F,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,YAAY,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAC1E,YAAY,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,EACL,iBAAiB,EACjB,gBAAgB,EAChB,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,aAAa,IAAI,mBAAmB,EACpC,WAAW,GACZ,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EACL,eAAe,EACf,eAAe,EACf,iBAAiB,EACjB,WAAW,EACX,gBAAgB,GACjB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC5E,OAAO,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAC1F,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,YAAY,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EACV,cAAc,EACd,UAAU,EACV,UAAU,EACV,gBAAgB,EAChB,kBAAkB,GACnB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EACtB,WAAW,EACX,OAAO,EACP,eAAe,EACf,eAAe,GAChB,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC"}

package/dist/index.js

@@ -3633,13 +3633,13 @@ var require_age_encryption = __commonJS({
         }
         return { seed, k2sig };
       }
-      function sign(message, secretKey, opts2 = {}) {
+      function sign2(message, secretKey, opts2 = {}) {
         const { seed, k2sig } = prepSig(message, secretKey, opts2);
         const drbg = createHmacDrbg(hash.outputLen, Fn.BYTES, hmac4);
         const sig = drbg(seed, k2sig);
         return sig.toBytes(opts2.format);
       }
-      function verify(signature, message, publicKey, opts2 = {}) {
+      function verify2(signature, message, publicKey, opts2 = {}) {
         const { lowS, prehash, format } = validateSigOpts(opts2, defaultSigOpts);
         publicKey = abytes4(publicKey, void 0, "publicKey");
         message = validateMsgAndHash(message, prehash);
@@ -3679,8 +3679,8 @@ var require_age_encryption = __commonJS({
         utils,
         lengths,
         Point,
-        sign,
-        verify,
+        sign: sign2,
+        verify: verify2,
         recoverPublicKey,
         Signature,
         hash
@@ -6950,15 +6950,18 @@ __export(src_exports, {
   SopsMissingError: () => SopsMissingError,
   SopsVersionError: () => SopsVersionError,
   assertSops: () => assertSops,
+  buildSigningPayload: () => buildSigningPayload,
   checkAll: () => checkAll,
   checkDependency: () => checkDependency,
   collectCIContext: () => collectCIContext,
   deriveAgePublicKey: () => deriveAgePublicKey,
+  detectAlgorithm: () => detectAlgorithm,
   detectFormat: () => detectFormat,
   findRequest: () => findRequest,
   formatAgeKeyFile: () => formatAgeKeyFile,
   generateAgeIdentity: () => generateAgeIdentity,
   generateRandomValue: () => generateRandomValue,
+  generateSigningKeyPair: () => generateSigningKeyPair,
   getPendingKeys: () => getPendingKeys,
   isHighEntropy: () => isHighEntropy,
   isKmsEnvelope: () => isKmsEnvelope,
@@ -6990,8 +6993,11 @@ __export(src_exports, {
   shannonEntropy: () => shannonEntropy,
   shouldIgnoreFile: () => shouldIgnoreFile,
   shouldIgnoreMatch: () => shouldIgnoreMatch,
+  signEd25519: () => signEd25519,
+  signKms: () => signKms,
   upsertRequest: () => upsertRequest,
-  validateAgePublicKey: () => validateAgePublicKey
+  validateAgePublicKey: () => validateAgePublicKey,
+  verifySignature: () => verifySignature
 });
 module.exports = __toCommonJS(src_exports);
 
@@ -11447,7 +11453,87 @@ async function resolveIdentitySecrets(identityName, environment, manifest, repoR
 // src/artifact/packer.ts
 var fs16 = __toESM(require("fs"));
 var path18 = __toESM(require("path"));
+var crypto4 = __toESM(require("crypto"));
+
+// src/artifact/signer.ts
 var crypto3 = __toESM(require("crypto"));
+function buildSigningPayload(artifact) {
+  const fields = [
+    "clef-sig-v1",
+    String(artifact.version),
+    artifact.identity,
+    artifact.environment,
+    artifact.revision,
+    artifact.packedAt,
+    artifact.ciphertextHash,
+    [...artifact.keys].sort().join(","),
+    artifact.expiresAt ?? "",
+    artifact.envelope?.provider ?? "",
+    artifact.envelope?.keyId ?? "",
+    artifact.envelope?.wrappedKey ?? "",
+    artifact.envelope?.algorithm ?? ""
+  ];
+  return Buffer.from(fields.join("\n"), "utf-8");
+}
+function generateSigningKeyPair() {
+  const pair = crypto3.generateKeyPairSync("ed25519");
+  return {
+    publicKey: pair.publicKey.export({ type: "spki", format: "der" }).toString(
+      "base64"
+    ),
+    privateKey: pair.privateKey.export({ type: "pkcs8", format: "der" }).toString(
+      "base64"
+    )
+  };
+}
+function signEd25519(payload, privateKeyBase64) {
+  const keyObj = crypto3.createPrivateKey({
+    key: Buffer.from(privateKeyBase64, "base64"),
+    format: "der",
+    type: "pkcs8"
+  });
+  const signature = crypto3.sign(null, payload, keyObj);
+  return signature.toString("base64");
+}
+async function signKms(payload, kms, signingKeyId) {
+  if (!kms.sign) {
+    throw new Error(
+      "KMS provider does not support signing. Ensure the provider implements the sign() method."
+    );
+  }
+  const digest = crypto3.createHash("sha256").update(payload).digest();
+  const signature = await kms.sign(signingKeyId, digest);
+  return signature.toString("base64");
+}
+function verifySignature(payload, signatureBase64, publicKeyBase64) {
+  const keyObj = crypto3.createPublicKey({
+    key: Buffer.from(publicKeyBase64, "base64"),
+    format: "der",
+    type: "spki"
+  });
+  const signature = Buffer.from(signatureBase64, "base64");
+  const keyType = keyObj.asymmetricKeyType;
+  if (keyType === "ed25519") {
+    return crypto3.verify(null, payload, keyObj, signature);
+  }
+  if (keyType === "ec") {
+    return crypto3.verify("sha256", payload, keyObj, signature);
+  }
+  throw new Error(`Unsupported key type for signature verification: ${keyType}`);
+}
+function detectAlgorithm(publicKeyBase64) {
+  const keyObj = crypto3.createPublicKey({
+    key: Buffer.from(publicKeyBase64, "base64"),
+    format: "der",
+    type: "spki"
+  });
+  const keyType = keyObj.asymmetricKeyType;
+  if (keyType === "ed25519") return "Ed25519";
+  if (keyType === "ec") return "ECDSA_SHA256";
+  throw new Error(`Unsupported key type: ${keyType}`);
+}
+
+// src/artifact/packer.ts
 var ArtifactPacker = class {
   constructor(encryption, matrixManager, kms) {
     this.encryption = encryption;
@@ -11459,6 +11545,11 @@ var ArtifactPacker = class {
    * values to the service identity's recipient, and write a JSON envelope.
    */
   async pack(config, manifest, repoRoot) {
+    if (config.signingKey && config.signingKmsKeyId) {
+      throw new Error(
+        "Cannot specify both signingKey (Ed25519) and signingKmsKeyId (KMS). Choose one."
+      );
+    }
     const resolved = await resolveIdentitySecrets(
       config.identity,
       config.environment,
@@ -11487,8 +11578,8 @@ var ArtifactPacker = class {
       }
       const kmsConfig = resolved.envConfig.kms;
       const wrapped = await this.kms.wrap(kmsConfig.keyId, Buffer.from(ephemeralPrivateKey));
-      const revision = `${Date.now()}-${crypto3.randomBytes(4).toString("hex")}`;
-      const ciphertextHash = crypto3.createHash("sha256").update(ciphertext).digest("hex");
+      const revision = `${Date.now()}-${crypto4.randomBytes(4).toString("hex")}`;
+      const ciphertextHash = crypto4.createHash("sha256").update(ciphertext).digest("hex");
       artifact = {
         version: 1,
         identity: config.identity,
@@ -11515,8 +11606,8 @@ var ArtifactPacker = class {
       } catch {
         throw new Error("Failed to age-encrypt artifact. Check recipient key.");
       }
-      const revision = `${Date.now()}-${crypto3.randomBytes(4).toString("hex")}`;
-      const ciphertextHash = crypto3.createHash("sha256").update(ciphertext).digest("hex");
+      const revision = `${Date.now()}-${crypto4.randomBytes(4).toString("hex")}`;
+      const ciphertextHash = crypto4.createHash("sha256").update(ciphertext).digest("hex");
       artifact = {
         version: 1,
         identity: config.identity,
@@ -11535,6 +11626,18 @@ var ArtifactPacker = class {
     if (config.ttl && config.ttl > 0) {
       artifact.expiresAt = new Date(Date.now() + config.ttl * 1e3).toISOString();
     }
+    if (config.signingKey) {
+      const payload = buildSigningPayload(artifact);
+      artifact.signature = signEd25519(payload, config.signingKey);
+      artifact.signatureAlgorithm = "Ed25519";
+    } else if (config.signingKmsKeyId) {
+      if (!this.kms) {
+        throw new Error("KMS provider required for KMS signing but none was provided.");
+      }
+      const payload = buildSigningPayload(artifact);
+      artifact.signature = await signKms(payload, this.kms, config.signingKmsKeyId);
+      artifact.signatureAlgorithm = "ECDSA_SHA256";
+    }
     const json = JSON.stringify(artifact, null, 2);
     const tmpOutput = `${config.outputPath}.tmp.${process.pid}`;
     fs16.writeFileSync(tmpOutput, json, "utf-8");
@@ -11587,15 +11690,18 @@ var ArtifactPacker = class {
   SopsMissingError,
   SopsVersionError,
   assertSops,
+  buildSigningPayload,
   checkAll,
   checkDependency,
   collectCIContext,
   deriveAgePublicKey,
+  detectAlgorithm,
   detectFormat,
   findRequest,
   formatAgeKeyFile,
   generateAgeIdentity,
   generateRandomValue,
+  generateSigningKeyPair,
   getPendingKeys,
   isHighEntropy,
   isKmsEnvelope,
@@ -11627,8 +11733,11 @@ var ArtifactPacker = class {
   shannonEntropy,
   shouldIgnoreFile,
   shouldIgnoreMatch,
+  signEd25519,
+  signKms,
   upsertRequest,
-  validateAgePublicKey
+  validateAgePublicKey,
+  verifySignature
 });
 /*! Bundled license information: