@eddacraft/anvil-policy 0.1.0

package/LICENSE

@@ -0,0 +1,14 @@
+Copyright (c) 2026 EddaCraft. All rights reserved.
+
+PROPRIETARY AND CONFIDENTIAL
+
+This software and associated documentation files (the "Software") are the
+exclusive property of EddaCraft. Unauthorised copying, modification,
+distribution, or use of this Software, via any medium, is strictly prohibited
+without the express written permission of EddaCraft.
+
+The Software is provided for evaluation and testing purposes only to authorised
+beta testers. No licence is granted to use, copy, modify, or distribute the
+Software for any other purpose.
+
+For licensing enquiries, contact: legal@eddacraft.com

package/dist/bundle-manager.d.ts

@@ -0,0 +1,183 @@
+/**
+ * OPA Bundle Manager - Download, cache, and manage OPA policy bundles
+ *
+ * Handles downloading, caching, and validating OPA policy bundles from remote
+ * servers. Bundles are tarball files containing .rego policy files and optional
+ * data.json files.
+ */
+/**
+ * Authentication configuration for bundle downloads
+ */
+export interface BundleAuthConfig {
+    /** Authentication type */
+    type: 'basic' | 'bearer';
+    /** Username for basic auth */
+    username?: string;
+    /** Environment variable name containing the password for basic auth */
+    password_env?: string;
+    /** Environment variable name containing the token for bearer auth */
+    token_env?: string;
+}
+/**
+ * Configuration for a single policy bundle
+ */
+export interface BundleConfig {
+    /** Unique name for this bundle */
+    name: string;
+    /** URL to download the bundle from */
+    url: string;
+    /** How often to check for updates (ms) */
+    refresh_interval_ms?: number;
+    /** Public key for signature verification (PEM format or path to key file) */
+    signature_key?: string;
+    /** Expected SHA256 checksum of the bundle */
+    checksum?: string;
+    /** HTTP headers to include in download request */
+    headers?: Record<string, string>;
+    /** Authentication configuration */
+    auth?: BundleAuthConfig;
+}
+/**
+ * Cache index entry for a downloaded bundle
+ */
+export interface BundleCacheEntry {
+    /** Bundle name */
+    name: string;
+    /** Original download URL */
+    url: string;
+    /** Local path to extracted bundle */
+    path: string;
+    /** When the bundle was downloaded */
+    downloaded_at: number;
+    /** When to check for updates */
+    expires_at: number;
+    /** SHA256 checksum of the downloaded tarball */
+    checksum: string;
+    /** Size in bytes of the downloaded tarball */
+    size_bytes: number;
+    /** Whether signature was verified */
+    signature_verified: boolean;
+    /** ETag from server for conditional requests */
+    etag?: string;
+    /** Last-Modified header from server */
+    last_modified?: string;
+}
+/**
+ * Bundle manager configuration
+ */
+export interface BundleManagerConfig {
+    /** Directory to store cached bundles */
+    cacheDir?: string;
+    /** Bundle configurations */
+    bundles?: BundleConfig[];
+    /** Whether to verify signatures when available */
+    verifySignatures?: boolean;
+    /** Connection timeout in ms */
+    timeoutMs?: number;
+}
+/**
+ * Result of a bundle sync operation
+ */
+export interface BundleSyncResult {
+    /** Bundle name */
+    name: string;
+    /** Whether sync was successful */
+    success: boolean;
+    /** Whether bundle was updated */
+    updated: boolean;
+    /** Error message if failed */
+    error?: string;
+    /** Path to the bundle if successful */
+    path?: string;
+}
+/**
+ * Manages OPA policy bundle download, caching, and updates
+ */
+export declare class BundleManager {
+    private readonly cacheDir;
+    private readonly bundles;
+    private readonly verifySignatures;
+    private readonly timeoutMs;
+    private index;
+    private indexDirty;
+    private readonly indexPath;
+    constructor(config?: BundleManagerConfig);
+    /**
+     * Add or update a bundle configuration
+     */
+    addBundle(config: BundleConfig): void;
+    /**
+     * Remove a bundle configuration
+     */
+    removeBundle(name: string): boolean;
+    /**
+     * Get all configured bundle names
+     */
+    getBundleNames(): string[];
+    /**
+     * Sync all configured bundles, downloading or updating as needed
+     */
+    syncAll(): Promise<BundleSyncResult[]>;
+    /**
+     * Download or update a specific bundle
+     */
+    downloadBundle(name: string): Promise<BundleSyncResult>;
+    /**
+     * Get the cached path for a bundle, returning null if not cached
+     */
+    getBundle(name: string): Promise<string | null>;
+    /**
+     * Get cache entry metadata for a bundle
+     */
+    getBundleEntry(name: string): Promise<BundleCacheEntry | null>;
+    /**
+     * Invalidate a specific bundle cache, removing downloaded files
+     */
+    invalidateBundle(name: string): Promise<boolean>;
+    /**
+     * Clear all cached bundles
+     */
+    clearCache(): Promise<void>;
+    /**
+     * Get cache statistics
+     */
+    getCacheStats(): Promise<{
+        bundleCount: number;
+        totalSizeBytes: number;
+        lastSync: number;
+    }>;
+    /**
+     * Ensure cache directory exists
+     */
+    private ensureCacheDir;
+    /**
+     * Load cache index from disk
+     */
+    private loadIndex;
+    /**
+     * Save cache index to disk
+     */
+    private saveIndex;
+    /**
+     * Build authorization header from auth config
+     */
+    private buildAuthHeader;
+    /**
+     * Download a file from URL to destination
+     */
+    private downloadFile;
+    /**
+     * Compute SHA256 checksum of a file
+     */
+    private computeChecksum;
+    /**
+     * Verify signature of a file using public key
+     */
+    private verifySignature;
+    /**
+     * Extract a tarball to destination directory
+     */
+    private extractBundle;
+}
+export declare function getBundleManager(config?: BundleManagerConfig): BundleManager;
+//# sourceMappingURL=bundle-manager.d.ts.map

package/dist/bundle-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bundle-manager.d.ts","sourceRoot":"","sources":["../src/bundle-manager.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAiCH;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,0BAA0B;IAC1B,IAAI,EAAE,OAAO,GAAG,QAAQ,CAAC;IACzB,8BAA8B;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,uEAAuE;IACvE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qEAAqE;IACrE,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,kCAAkC;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,GAAG,EAAE,MAAM,CAAC;IACZ,0CAA0C;IAC1C,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,6EAA6E;IAC7E,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,mCAAmC;IACnC,IAAI,CAAC,EAAE,gBAAgB,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,kBAAkB;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,qCAAqC;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,qCAAqC;IACrC,aAAa,EAAE,MAAM,CAAC;IACtB,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,gDAAgD;IAChD,QAAQ,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,kBAAkB,EAAE,OAAO,CAAC;IAC5B,gDAAgD;IAChD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,uCAAuC;IACvC,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAWD;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,4BAA4B;IAC5B,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;IACzB,kDAAkD;IAClD,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,+BAA+B;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,kBAAkB;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,kCAAkC;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,iCAAiC;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,8BAA8B;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,uCAAuC;IACvC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA4B;IACpD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAU;IAC3C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IAEnC,OAAO,CAAC,KAAK,CAAiC;IAC9C,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;gBAEvB,MAAM,GAAE,mBAAwB;IAc5C;;OAEG;IACH,SAAS,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI;IAIrC;;OAEG;IACH,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAInC;;OAEG;IACH,cAAc,IAAI,MAAM,EAAE;IAI1B;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;IAW5C;;OAEG;IACG,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IA0J7D;;OAEG;IACG,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAmBrD;;OAEG;IACG,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAKpE;;OAEG;IACG,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IA0BtD;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAWjC;;OAEG;IACG,aAAa,IAAI,OAAO,CAAC;QAC7B,WAAW,EAAE,MAAM,CAAC;QACpB,cAAc,EAAE,MAAM,CAAC;QACvB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IAWF;;OAEG;YACW,cAAc;IAM5B;;OAEG;YACW,SAAS;IA0BvB;;OAEG;YACW,SAAS;IAUvB;;OAEG;IACH,OAAO,CAAC,eAAe;IAoBvB;;OAEG;IACH,OAAO,CAAC,YAAY;IA6GpB;;OAEG;YACW,eAAe;IAK7B;;OAEG;YACW,eAAe;IAyB7B;;OAEG;YACW,aAAa;CAqB5B;AAUD,wBAAgB,gBAAgB,CAAC,MAAM,CAAC,EAAE,mBAAmB,GAAG,aAAa,CAK5E"}

package/dist/bundle-manager.js

@@ -0,0 +1,498 @@
+/**
+ * OPA Bundle Manager - Download, cache, and manage OPA policy bundles
+ *
+ * Handles downloading, caching, and validating OPA policy bundles from remote
+ * servers. Bundles are tarball files containing .rego policy files and optional
+ * data.json files.
+ */
+import { existsSync, mkdirSync, unlinkSync, readFileSync, createWriteStream, rmSync, } from 'node:fs';
+import { readFile, writeFile, rm, mkdir } from 'node:fs/promises';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { createHash, createVerify } from 'node:crypto';
+import https from 'node:https';
+import http from 'node:http';
+import { pipeline } from 'node:stream/promises';
+import { createGunzip } from 'node:zlib';
+import { extract } from 'tar';
+import { createDebugger } from './utils/debug.js';
+const debug = createDebugger('policy');
+/**
+ * Default cache directory for policy bundles
+ */
+const DEFAULT_CACHE_DIR = join(homedir(), '.anvil', 'policy-cache', 'bundles');
+/**
+ * Default refresh interval: 5 minutes
+ */
+const DEFAULT_REFRESH_INTERVAL_MS = 5 * 60 * 1000;
+/**
+ * Manages OPA policy bundle download, caching, and updates
+ */
+export class BundleManager {
+    cacheDir;
+    bundles;
+    verifySignatures;
+    timeoutMs;
+    index = null;
+    indexDirty = false;
+    indexPath;
+    constructor(config = {}) {
+        this.cacheDir = config.cacheDir || DEFAULT_CACHE_DIR;
+        this.indexPath = join(this.cacheDir, 'index.json');
+        this.verifySignatures = config.verifySignatures ?? true;
+        this.timeoutMs = config.timeoutMs ?? 30000;
+        this.bundles = new Map();
+        if (config.bundles) {
+            for (const bundle of config.bundles) {
+                this.bundles.set(bundle.name, bundle);
+            }
+        }
+    }
+    /**
+     * Add or update a bundle configuration
+     */
+    addBundle(config) {
+        this.bundles.set(config.name, config);
+    }
+    /**
+     * Remove a bundle configuration
+     */
+    removeBundle(name) {
+        return this.bundles.delete(name);
+    }
+    /**
+     * Get all configured bundle names
+     */
+    getBundleNames() {
+        return Array.from(this.bundles.keys());
+    }
+    /**
+     * Sync all configured bundles, downloading or updating as needed
+     */
+    async syncAll() {
+        const results = [];
+        for (const name of this.bundles.keys()) {
+            const result = await this.downloadBundle(name);
+            results.push(result);
+        }
+        return results;
+    }
+    /**
+     * Download or update a specific bundle
+     */
+    async downloadBundle(name) {
+        const config = this.bundles.get(name);
+        if (!config) {
+            return {
+                name,
+                success: false,
+                updated: false,
+                error: `Bundle configuration not found: ${name}`,
+            };
+        }
+        try {
+            await this.ensureCacheDir();
+            const index = await this.loadIndex();
+            const existingEntry = index.entries[name];
+            const bundleDir = join(this.cacheDir, name);
+            // Check if we have a valid cached bundle that hasn't expired
+            if (existingEntry && existsSync(bundleDir)) {
+                if (Date.now() < existingEntry.expires_at) {
+                    debug(`Bundle ${name} is still valid, skipping download`);
+                    return {
+                        name,
+                        success: true,
+                        updated: false,
+                        path: existingEntry.path,
+                    };
+                }
+            }
+            // Validate URL: enforce HTTPS (allow localhost for development/testing)
+            const parsedBundleUrl = new URL(config.url);
+            const isLocalhost = parsedBundleUrl.hostname === 'localhost' || parsedBundleUrl.hostname === '127.0.0.1';
+            if (parsedBundleUrl.protocol !== 'https:' && !isLocalhost) {
+                throw new Error(`Bundle URL must use HTTPS: ${config.url}`);
+            }
+            // Download the bundle
+            debug(`Downloading bundle ${name} from ${config.url}`);
+            const tempFile = join(this.cacheDir, `${name}.tar.gz.tmp`);
+            try {
+                const downloadResult = await this.downloadFile(config.url, tempFile, config.headers, existingEntry?.etag, existingEntry?.last_modified, config.auth);
+                // Handle 304 Not Modified
+                if (downloadResult.notModified && existingEntry) {
+                    // Update expiration time
+                    existingEntry.expires_at =
+                        Date.now() + (config.refresh_interval_ms || DEFAULT_REFRESH_INTERVAL_MS);
+                    this.indexDirty = true;
+                    await this.saveIndex();
+                    return {
+                        name,
+                        success: true,
+                        updated: false,
+                        path: existingEntry.path,
+                    };
+                }
+                // Verify checksum if provided
+                const actualChecksum = await this.computeChecksum(tempFile);
+                if (config.checksum && actualChecksum !== config.checksum) {
+                    throw new Error(`Checksum mismatch for bundle ${name}: expected ${config.checksum}, got ${actualChecksum}`);
+                }
+                // Verify signature if key is provided
+                let signatureVerified = false;
+                if (config.signature_key && this.verifySignatures) {
+                    signatureVerified = await this.verifySignature(tempFile, `${tempFile}.sig`, config.signature_key);
+                    if (!signatureVerified) {
+                        throw new Error(`Signature verification failed for bundle ${name}`);
+                    }
+                }
+                // Remove old bundle directory
+                if (existsSync(bundleDir)) {
+                    rmSync(bundleDir, { recursive: true, force: true });
+                }
+                // Extract bundle
+                mkdirSync(bundleDir, { recursive: true });
+                await this.extractBundle(tempFile, bundleDir);
+                // Update cache index
+                const stats = readFileSync(tempFile);
+                const entry = {
+                    name,
+                    url: config.url,
+                    path: bundleDir,
+                    downloaded_at: Date.now(),
+                    expires_at: Date.now() + (config.refresh_interval_ms || DEFAULT_REFRESH_INTERVAL_MS),
+                    checksum: actualChecksum,
+                    size_bytes: stats.length,
+                    signature_verified: signatureVerified,
+                    etag: downloadResult.etag,
+                    last_modified: downloadResult.lastModified,
+                };
+                index.entries[name] = entry;
+                index.last_sync = Date.now();
+                this.indexDirty = true;
+                await this.saveIndex();
+                // Clean up temp file
+                if (existsSync(tempFile)) {
+                    unlinkSync(tempFile);
+                }
+                debug(`Bundle ${name} downloaded and extracted to ${bundleDir}`);
+                return {
+                    name,
+                    success: true,
+                    updated: true,
+                    path: bundleDir,
+                };
+            }
+            finally {
+                // Clean up temp file on error
+                if (existsSync(tempFile)) {
+                    try {
+                        unlinkSync(tempFile);
+                    }
+                    catch {
+                        // Ignore cleanup errors
+                    }
+                }
+            }
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            debug(`Failed to download bundle ${name}: ${message}`);
+            return {
+                name,
+                success: false,
+                updated: false,
+                error: message,
+            };
+        }
+    }
+    /**
+     * Get the cached path for a bundle, returning null if not cached
+     */
+    async getBundle(name) {
+        const index = await this.loadIndex();
+        const entry = index.entries[name];
+        if (!entry) {
+            return null;
+        }
+        if (!existsSync(entry.path)) {
+            // Cache entry exists but files are missing
+            delete index.entries[name];
+            this.indexDirty = true;
+            await this.saveIndex();
+            return null;
+        }
+        return entry.path;
+    }
+    /**
+     * Get cache entry metadata for a bundle
+     */
+    async getBundleEntry(name) {
+        const index = await this.loadIndex();
+        return index.entries[name] || null;
+    }
+    /**
+     * Invalidate a specific bundle cache, removing downloaded files
+     */
+    async invalidateBundle(name) {
+        const index = await this.loadIndex();
+        const entry = index.entries[name];
+        if (!entry) {
+            return false;
+        }
+        // Remove bundle directory
+        const bundleDir = join(this.cacheDir, name);
+        if (existsSync(bundleDir)) {
+            try {
+                rmSync(bundleDir, { recursive: true, force: true });
+            }
+            catch (error) {
+                debug(`Failed to remove bundle directory ${bundleDir}`, error);
+            }
+        }
+        // Remove from index
+        delete index.entries[name];
+        this.indexDirty = true;
+        await this.saveIndex();
+        return true;
+    }
+    /**
+     * Clear all cached bundles
+     */
+    async clearCache() {
+        try {
+            await rm(this.cacheDir, { recursive: true, force: true });
+            this.index = null;
+            this.indexDirty = false;
+            debug('Bundle cache cleared');
+        }
+        catch (error) {
+            debug('Failed to clear bundle cache', error);
+        }
+    }
+    /**
+     * Get cache statistics
+     */
+    async getCacheStats() {
+        const index = await this.loadIndex();
+        const entries = Object.values(index.entries);
+        return {
+            bundleCount: entries.length,
+            totalSizeBytes: entries.reduce((sum, e) => sum + e.size_bytes, 0),
+            lastSync: index.last_sync,
+        };
+    }
+    /**
+     * Ensure cache directory exists
+     */
+    async ensureCacheDir() {
+        if (!existsSync(this.cacheDir)) {
+            await mkdir(this.cacheDir, { recursive: true });
+        }
+    }
+    /**
+     * Load cache index from disk
+     */
+    async loadIndex() {
+        if (this.index) {
+            return this.index;
+        }
+        try {
+            const content = await readFile(this.indexPath, 'utf-8');
+            this.index = JSON.parse(content);
+            // Validate structure
+            if (!this.index.version || !this.index.entries) {
+                throw new Error('Invalid index structure');
+            }
+        }
+        catch (error) {
+            debug('Cache index missing or corrupted, creating new one', error);
+            this.index = {
+                version: 1,
+                entries: {},
+                last_sync: 0,
+            };
+            this.indexDirty = true;
+        }
+        return this.index;
+    }
+    /**
+     * Save cache index to disk
+     */
+    async saveIndex() {
+        if (!this.indexDirty || !this.index) {
+            return;
+        }
+        await this.ensureCacheDir();
+        await writeFile(this.indexPath, JSON.stringify(this.index, null, 2), 'utf-8');
+        this.indexDirty = false;
+    }
+    /**
+     * Build authorization header from auth config
+     */
+    buildAuthHeader(auth) {
+        if (auth.type === 'basic') {
+            const username = auth.username || '';
+            const passwordEnv = auth.password_env || '';
+            const password = passwordEnv ? process.env[passwordEnv] || '' : '';
+            const credentials = Buffer.from(`${username}:${password}`).toString('base64');
+            return `Basic ${credentials}`;
+        }
+        if (auth.type === 'bearer') {
+            const tokenEnv = auth.token_env || '';
+            const token = tokenEnv ? process.env[tokenEnv] || '' : '';
+            if (token) {
+                return `Bearer ${token}`;
+            }
+        }
+        return null;
+    }
+    /**
+     * Download a file from URL to destination
+     */
+    downloadFile(url, dest, headers, etag, lastModified, auth) {
+        return new Promise((resolve, reject) => {
+            const parsedUrl = new URL(url);
+            const isHttps = parsedUrl.protocol === 'https:';
+            const httpModule = isHttps ? https : http;
+            const requestHeaders = {
+                'User-Agent': 'Anvil-BundleManager/1.0',
+                ...headers,
+            };
+            // Add authentication header if configured
+            if (auth) {
+                const authHeader = this.buildAuthHeader(auth);
+                if (authHeader) {
+                    requestHeaders['Authorization'] = authHeader;
+                }
+            }
+            // Add conditional request headers
+            if (etag) {
+                requestHeaders['If-None-Match'] = etag;
+            }
+            if (lastModified) {
+                requestHeaders['If-Modified-Since'] = lastModified;
+            }
+            const options = {
+                hostname: parsedUrl.hostname,
+                port: parsedUrl.port || (isHttps ? 443 : 80),
+                path: parsedUrl.pathname + parsedUrl.search,
+                method: 'GET',
+                headers: requestHeaders,
+                timeout: this.timeoutMs,
+            };
+            const request = httpModule.request(options, (response) => {
+                // Handle redirects
+                if (response.statusCode === 301 || response.statusCode === 302) {
+                    const redirectUrl = response.headers.location;
+                    if (!redirectUrl) {
+                        reject(new Error('Redirect without location header'));
+                        return;
+                    }
+                    this.downloadFile(redirectUrl, dest, headers, etag, lastModified, auth)
+                        .then(resolve)
+                        .catch(reject);
+                    return;
+                }
+                // Handle 304 Not Modified
+                if (response.statusCode === 304) {
+                    resolve({ notModified: true });
+                    return;
+                }
+                if (response.statusCode !== 200) {
+                    reject(new Error(`Download failed: HTTP ${response.statusCode}`));
+                    return;
+                }
+                const file = createWriteStream(dest);
+                response.pipe(file);
+                file.on('finish', () => {
+                    file.close();
+                    resolve({
+                        notModified: false,
+                        etag: response.headers.etag,
+                        lastModified: response.headers['last-modified'],
+                    });
+                });
+                file.on('error', (err) => {
+                    file.close();
+                    if (existsSync(dest)) {
+                        unlinkSync(dest);
+                    }
+                    reject(err);
+                });
+            });
+            request.on('error', (err) => {
+                if (existsSync(dest)) {
+                    unlinkSync(dest);
+                }
+                reject(err);
+            });
+            request.on('timeout', () => {
+                request.destroy();
+                if (existsSync(dest)) {
+                    unlinkSync(dest);
+                }
+                reject(new Error(`Download timeout after ${this.timeoutMs}ms`));
+            });
+            request.end();
+        });
+    }
+    /**
+     * Compute SHA256 checksum of a file
+     */
+    async computeChecksum(filePath) {
+        const content = readFileSync(filePath);
+        return createHash('sha256').update(content).digest('hex');
+    }
+    /**
+     * Verify signature of a file using public key
+     */
+    async verifySignature(filePath, signaturePath, publicKey) {
+        try {
+            if (!existsSync(signaturePath)) {
+                debug(`Signature file not found: ${signaturePath}`);
+                return false;
+            }
+            const fileContent = readFileSync(filePath);
+            const signature = readFileSync(signaturePath);
+            const verify = createVerify('SHA256');
+            verify.update(fileContent);
+            verify.end();
+            return verify.verify(publicKey, signature);
+        }
+        catch (error) {
+            debug('Signature verification error', error);
+            return false;
+        }
+    }
+    /**
+     * Extract a tarball to destination directory
+     */
+    async extractBundle(tarPath, destDir) {
+        const { resolve, sep } = await import('node:path');
+        const resolvedDest = resolve(destDir);
+        await pipeline(createReadStream(tarPath), createGunzip(), extract({
+            cwd: destDir,
+            strip: 0,
+            filter: (entryPath) => {
+                const resolved = resolve(destDir, entryPath);
+                if (resolved !== resolvedDest && !resolved.startsWith(resolvedDest + sep)) {
+                    debug(`Zip-slip blocked: ${entryPath} escapes ${destDir}`);
+                    return false;
+                }
+                return true;
+            },
+        }));
+    }
+}
+// Import createReadStream for extraction
+import { createReadStream } from 'node:fs';
+/**
+ * Create a singleton bundle manager
+ */
+let defaultManager = null;
+export function getBundleManager(config) {
+    if (!defaultManager || config) {
+        defaultManager = new BundleManager(config);
+    }
+    return defaultManager;
+}