npm - @clef-sh/runtime - Versions diffs - 0.1.6-beta.32 → 0.1.12 - Mend

@clef-sh/runtime 0.1.6-beta.32 → 0.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

package/README.md +65 -0
package/dist/artifact-decryptor.d.ts +47 -0
package/dist/artifact-decryptor.d.ts.map +1 -0
package/dist/artifact-decryptor.js +151 -0
package/dist/artifact-decryptor.js.map +1 -0
package/dist/decrypt.d.ts.map +1 -1
package/dist/decrypt.js +3 -1
package/dist/decrypt.js.map +1 -1
package/dist/disk-cache.d.ts +1 -0
package/dist/disk-cache.d.ts.map +1 -1
package/dist/disk-cache.js +5 -10
package/dist/disk-cache.js.map +1 -1
package/dist/encrypted-artifact-store.d.ts +27 -0
package/dist/encrypted-artifact-store.d.ts.map +1 -0
package/dist/encrypted-artifact-store.js +46 -0
package/dist/encrypted-artifact-store.js.map +1 -0
package/dist/index.d.ts +9 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +10 -1
package/dist/index.js.map +1 -1
package/dist/kms/aws.d.ts +1 -0
package/dist/kms/aws.d.ts.map +1 -1
package/dist/kms/aws.js +14 -0
package/dist/kms/aws.js.map +1 -1
package/dist/kms/types.d.ts +2 -0
package/dist/kms/types.d.ts.map +1 -1
package/dist/poller.d.ts +47 -6
package/dist/poller.d.ts.map +1 -1
package/dist/poller.js +141 -71
package/dist/poller.js.map +1 -1
package/dist/secrets-cache.d.ts +1 -1
package/dist/secrets-cache.d.ts.map +1 -1
package/dist/secrets-cache.js +13 -1
package/dist/secrets-cache.js.map +1 -1
package/dist/signature.d.ts +44 -0
package/dist/signature.d.ts.map +1 -0
package/dist/signature.js +93 -0
package/dist/signature.js.map +1 -0
package/dist/sources/http.d.ts.map +1 -1
package/dist/sources/http.js +12 -2
package/dist/sources/http.js.map +1 -1
package/package.json +1 -1

package/dist/signature.js ADDED Viewed

@@ -0,0 +1,93 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildSigningPayload = buildSigningPayload;
+exports.verifySignature = verifySignature;
+const crypto = __importStar(require("crypto"));
+/**
+ * Build the canonical signing payload from an artifact.
+ *
+ * Must produce the same output as the core signer's buildSigningPayload
+ * to enable cross-package sign/verify. The format is a deterministic
+ * newline-separated string of all security-relevant fields.
+ */
+function buildSigningPayload(artifact) {
+    const fields = [
+        "clef-sig-v2",
+        String(artifact.version),
+        artifact.identity,
+        artifact.environment,
+        artifact.revision,
+        artifact.packedAt,
+        artifact.ciphertextHash,
+        [...artifact.keys].sort().join(","),
+        artifact.expiresAt ?? "",
+        artifact.envelope?.provider ?? "",
+        artifact.envelope?.keyId ?? "",
+        artifact.envelope?.wrappedKey ?? "",
+        artifact.envelope?.algorithm ?? "",
+        artifact.envelope?.iv ?? "",
+        artifact.envelope?.authTag ?? "",
+    ];
+    return Buffer.from(fields.join("\n"), "utf-8");
+}
+/**
+ * Verify a signature against a public key.
+ *
+ * The algorithm is derived from the key's type (Ed25519 or EC), not from
+ * the artifact's claimed signatureAlgorithm field.
+ *
+ * @param payload - Canonical signing payload
+ * @param signatureBase64 - Base64-encoded signature to verify
+ * @param publicKeyBase64 - Base64-encoded DER SPKI public key
+ * @returns true if the signature is valid
+ */
+function verifySignature(payload, signatureBase64, publicKeyBase64) {
+    const keyObj = crypto.createPublicKey({
+        key: Buffer.from(publicKeyBase64, "base64"),
+        format: "der",
+        type: "spki",
+    });
+    const signature = Buffer.from(signatureBase64, "base64");
+    const keyType = keyObj.asymmetricKeyType;
+    if (keyType === "ed25519") {
+        return crypto.verify(null, payload, keyObj, signature);
+    }
+    if (keyType === "ec") {
+        return crypto.verify("sha256", payload, keyObj, signature);
+    }
+    throw new Error(`Unsupported key type for signature verification: ${keyType}`);
+}
+//# sourceMappingURL=signature.js.map

package/dist/signature.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"signature.js","sourceRoot":"","sources":["../src/signature.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCA,kDAmBC;AAaD,0CAoBC;AApFD,+CAAiC;AAyBjC;;;;;;GAMG;AACH,SAAgB,mBAAmB,CAAC,QAA0B;IAC5D,MAAM,MAAM,GAAG;QACb,aAAa;QACb,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC;QACxB,QAAQ,CAAC,QAAQ;QACjB,QAAQ,CAAC,WAAW;QACpB,QAAQ,CAAC,QAAQ;QACjB,QAAQ,CAAC,QAAQ;QACjB,QAAQ,CAAC,cAAc;QACvB,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC;QACnC,QAAQ,CAAC,SAAS,IAAI,EAAE;QACxB,QAAQ,CAAC,QAAQ,EAAE,QAAQ,IAAI,EAAE;QACjC,QAAQ,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;QAC9B,QAAQ,CAAC,QAAQ,EAAE,UAAU,IAAI,EAAE;QACnC,QAAQ,CAAC,QAAQ,EAAE,SAAS,IAAI,EAAE;QAClC,QAAQ,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE;QAC3B,QAAQ,CAAC,QAAQ,EAAE,OAAO,IAAI,EAAE;KACjC,CAAC;IACF,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;AACjD,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,eAAe,CAC7B,OAAe,EACf,eAAuB,EACvB,eAAuB;IAEvB,MAAM,MAAM,GAAG,MAAM,CAAC,eAAe,CAAC;QACpC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC;QAC3C,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,MAAM;KACb,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;IAEzD,MAAM,OAAO,GAAG,MAAM,CAAC,iBAAiB,CAAC;IACzC,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,OAAO,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IAC7D,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,oDAAoD,OAAO,EAAE,CAAC,CAAC;AACjF,CAAC"}

package/dist/sources/http.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/sources/http.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAE9D,+CAA+C;AAC/C,qBAAa,kBAAmB,YAAW,cAAc;IACvD,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;gBAEjB,GAAG,EAAE,MAAM;IAIjB,KAAK,IAAI,OAAO,CAAC,mBAAmB,CAAC;IAU3C,QAAQ,IAAI,MAAM;~~CAGnB~~"}
1	+ {"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/sources/http.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAE9D,+CAA+C;AAC/C,qBAAa,kBAAmB,YAAW,cAAc;IACvD,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;gBAEjB,GAAG,EAAE,MAAM;IAIjB,KAAK,IAAI,OAAO,CAAC,mBAAmB,CAAC;IAU3C,QAAQ,IAAI,MAAM;CAYnB"}

package/dist/sources/http.js CHANGED Viewed

@@ -10,14 +10,24 @@ class HttpArtifactSource {
     async fetch() {
         const res = await fetch(this.url);
         if (!res.ok) {
-            throw new Error(`Failed to fetch artifact from ${this.url}: ${res.status}`);
+            throw new Error(`Failed to fetch artifact from ${this.describe()}: ${res.status}`);
         }
         const raw = await res.text();
         const etag = res.headers.get("etag") ?? undefined;
         return { raw, contentHash: etag };
     }
     describe() {
-        return `HTTP ${this.url}`;
+        try {
+            const parsed = new URL(this.url);
+            if (parsed.username || parsed.password) {
+                parsed.username = "***";
+                parsed.password = "";
+            }
+            return `HTTP ${parsed.href}`;
+        }
+        catch {
+            return "HTTP <invalid-url>";
+        }
     }
 }
 exports.HttpArtifactSource = HttpArtifactSource;

package/dist/sources/http.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"http.js","sourceRoot":"","sources":["../../src/sources/http.ts"],"names":[],"mappings":";;;AAEA,+CAA+C;AAC/C,MAAa,kBAAkB;IACZ,GAAG,CAAS;IAE7B,YAAY,GAAW;QACrB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,iCAAiC,IAAI,CAAC,~~GAAG~~,KAAK,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;~~QAC9E~~,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC;QAClD,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IACpC,CAAC;IAED,QAAQ;QACN,~~OAAO~~,QAAQ,IAAI,CAAC,GAAG,EAAE,CAAC;~~IAC5B~~,CAAC;CACF;~~AApBD~~,~~gDAoBC~~"}
1	+ {"version":3,"file":"http.js","sourceRoot":"","sources":["../../src/sources/http.ts"],"names":[],"mappings":";;;AAEA,+CAA+C;AAC/C,MAAa,kBAAkB;IACZ,GAAG,CAAS;IAE7B,YAAY,GAAW;QACrB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,iCAAiC,IAAI,CAAC,QAAQ,EAAE,KAAK,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACrF,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC;QAClD,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IACpC,CAAC;IAED,QAAQ;QACN,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACjC,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACvC,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC;gBACxB,MAAM,CAAC,QAAQ,GAAG,EAAE,CAAC;YACvB,CAAC;YACD,OAAO,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,oBAAoB,CAAC;QAC9B,CAAC;IACH,CAAC;CACF;AA7BD,gDA6BC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@clef-sh/runtime",
-  "version": "0.1.6-beta.32",
+  "version": "0.1.12",
   "description": "Lightweight runtime secrets engine for Clef — VCS-native fetch, age decrypt, in-memory cache",
   "repository": {
     "type": "git",