@enactprotocol/api 2.0.0 → 2.0.1

package/dist/attestations.d.ts

@@ -0,0 +1,253 @@
+/**
+ * Attestation management (v2)
+ * Functions for managing auditor attestations
+ */
+import type { OIDCIdentity, SigstoreBundle } from "@enactprotocol/trust";
+import type { EnactApiClient } from "./client";
+import type { Attestation } from "./types";
+/**
+ * Verified auditor info with full identity details
+ */
+export interface VerifiedAuditor {
+    /** Email from attestation */
+    email: string;
+    /** Full identity from verified certificate (may be undefined if not extractable) */
+    identity: OIDCIdentity | undefined;
+    /** Provider:identity format (e.g., github:keithagroves) */
+    providerIdentity: string;
+}
+/**
+ * Attestation list response
+ */
+export interface AttestationListResponse {
+    attestations: Attestation[];
+    total: number;
+    limit: number;
+    offset: number;
+}
+/**
+ * Get all attestations for a tool version (v2)
+ *
+ * @param client - API client instance
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param options - Pagination options
+ * @returns List of attestations with pagination info
+ *
+ * @example
+ * ```ts
+ * const result = await getAttestations(client, "alice/utils/greeter", "1.2.0", {
+ *   limit: 10,
+ *   offset: 0
+ * });
+ * console.log(`Found ${result.total} attestations`);
+ * ```
+ */
+export declare function getAttestations(client: EnactApiClient, name: string, version: string, options?: {
+    limit?: number | undefined;
+    offset?: number | undefined;
+}): Promise<AttestationListResponse>;
+/**
+ * Submit an attestation for a tool version (v2)
+ *
+ * The server will verify the Sigstore bundle against the public Sigstore
+ * infrastructure (Rekor + Fulcio) before accepting.
+ *
+ * @param client - API client instance (must be authenticated)
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param sigstoreBundle - Complete Sigstore bundle
+ * @returns Attestation response with verification result
+ *
+ * @example
+ * ```ts
+ * const result = await submitAttestation(client, "alice/utils/greeter", "1.2.0", {
+ *   "$schema": "https://sigstore.dev/bundle/v1",
+ *   "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
+ *   "verificationMaterial": { ... },
+ *   "messageSignature": { ... }
+ * });
+ *
+ * if (result.verification.verified) {
+ *   console.log("Attestation verified and recorded!");
+ * }
+ * ```
+ */
+export declare function submitAttestation(client: EnactApiClient, name: string, version: string, sigstoreBundle: Record<string, unknown>): Promise<{
+    auditor: string;
+    auditorProvider: string;
+    signedAt: Date;
+    rekorLogId: string;
+    rekorLogIndex?: number | undefined;
+    verification: {
+        verified: boolean;
+        verifiedAt: Date;
+        rekorVerified: boolean;
+        certificateVerified: boolean;
+        signatureVerified: boolean;
+    };
+}>;
+/**
+ * Revoke an attestation (v2)
+ *
+ * Only the original auditor can revoke their attestation.
+ *
+ * @param client - API client instance (must be authenticated)
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param auditorEmail - Email of the auditor (from Sigstore certificate)
+ * @returns Revocation confirmation
+ *
+ * @example
+ * ```ts
+ * const result = await revokeAttestation(
+ *   client,
+ *   "alice/utils/greeter",
+ *   "1.2.0",
+ *   "security@example.com"
+ * );
+ * console.log(`Revoked at ${result.revokedAt}`);
+ * ```
+ */
+export declare function revokeAttestation(client: EnactApiClient, name: string, version: string, auditorEmail: string): Promise<{
+    auditor: string;
+    revoked: true;
+    revokedAt: Date;
+}>;
+/**
+ * Check if a tool version has attestations from specific auditors
+ *
+ * @param client - API client instance
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param trustedAuditors - List of trusted auditor emails
+ * @returns True if at least one trusted auditor has attested
+ *
+ * @example
+ * ```ts
+ * const isTrusted = await hasAttestation(
+ *   client,
+ *   "alice/utils/greeter",
+ *   "1.2.0",
+ *   ["security@example.com", "bob@github.com"]
+ * );
+ *
+ * if (isTrusted) {
+ *   console.log("Tool is trusted!");
+ * }
+ * ```
+ */
+export declare function hasAttestation(client: EnactApiClient, name: string, version: string, trustedAuditors: string[]): Promise<boolean>;
+/**
+ * Get the full Sigstore bundle for a specific attestation
+ *
+ * This fetches the complete Sigstore bundle needed for local verification.
+ * Never trust the registry's verification status - always verify locally.
+ *
+ * @param client - API client instance
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param auditor - Auditor email
+ * @returns Complete Sigstore bundle
+ *
+ * @example
+ * ```ts
+ * const bundle = await getAttestationBundle(
+ *   client,
+ *   "alice/utils/greeter",
+ *   "1.2.0",
+ *   "security@example.com"
+ * );
+ * ```
+ */
+export declare function getAttestationBundle(client: EnactApiClient, name: string, version: string, auditor: string): Promise<SigstoreBundle>;
+/**
+ * Verify an attestation locally using Sigstore (never trust registry)
+ *
+ * This performs cryptographic verification against Rekor transparency log,
+ * Fulcio certificate authority, and validates the signature. The registry's
+ * verification status is NEVER trusted - we always verify locally.
+ *
+ * @param client - API client instance
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param attestation - Attestation metadata from registry
+ * @param bundleHash - Bundle hash to verify against (sha256:...)
+ * @returns True if attestation is cryptographically valid
+ *
+ * @example
+ * ```ts
+ * const attestations = await getAttestations(client, "alice/utils/greeter", "1.2.0");
+ * const attestation = attestations.attestations[0];
+ *
+ * const isValid = await verifyAttestationLocally(
+ *   client,
+ *   "alice/utils/greeter",
+ *   "1.2.0",
+ *   attestation,
+ *   "sha256:abc123..."
+ * );
+ *
+ * if (isValid) {
+ *   console.log("Attestation cryptographically verified!");
+ * }
+ * ```
+ */
+export declare function verifyAttestationLocally(client: EnactApiClient, name: string, version: string, attestation: Attestation, bundleHash: string): Promise<boolean>;
+/**
+ * Verify all attestations for a tool and return verified auditors
+ *
+ * This verifies all attestations locally and returns only those that pass
+ * cryptographic verification. Never trusts the registry's verification status.
+ *
+ * @param client - API client instance
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param bundleHash - Bundle hash to verify against
+ * @returns Array of verified auditor emails
+ *
+ * @example
+ * ```ts
+ * const verifiedAuditors = await verifyAllAttestations(
+ *   client,
+ *   "alice/utils/greeter",
+ *   "1.2.0",
+ *   "sha256:abc123..."
+ * );
+ *
+ * console.log(`Verified auditors: ${verifiedAuditors.join(", ")}`);
+ * ```
+ */
+export declare function verifyAllAttestations(client: EnactApiClient, name: string, version: string, bundleHash: string): Promise<VerifiedAuditor[]>;
+/**
+ * Check if a tool has a trusted attestation (with local verification)
+ *
+ * This checks if at least one attestation exists from a trusted auditor
+ * AND verifies it locally. Never trusts the registry's verification status.
+ *
+ * @param client - API client instance
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param bundleHash - Bundle hash to verify against
+ * @param trustedAuditors - List of trusted auditor emails
+ * @returns True if at least one trusted auditor's attestation is verified
+ *
+ * @example
+ * ```ts
+ * const isTrusted = await hasTrustedAttestation(
+ *   client,
+ *   "alice/utils/greeter",
+ *   "1.2.0",
+ *   "sha256:abc123...",
+ *   ["security@example.com", "bob@github.com"]
+ * );
+ *
+ * if (isTrusted) {
+ *   console.log("Tool is trusted and verified!");
+ * } else {
+ *   console.log("No trusted attestations found - use 'enact inspect' to review");
+ * }
+ * ```
+ */
+export declare function hasTrustedAttestation(client: EnactApiClient, name: string, version: string, bundleHash: string, trustedAuditors: string[]): Promise<boolean>;
+//# sourceMappingURL=attestations.d.ts.map

package/dist/attestations.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestations.d.ts","sourceRoot":"","sources":["../src/attestations.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACzE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC/C,OAAO,KAAK,EAAE,WAAW,EAAkD,MAAM,SAAS,CAAC;AAG3F;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,6BAA6B;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,oFAAoF;IACpF,QAAQ,EAAE,YAAY,GAAG,SAAS,CAAC;IACnC,2DAA2D;IAC3D,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AACD;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,YAAY,EAAE,WAAW,EAAE,CAAC;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,eAAe,CACnC,MAAM,EAAE,cAAc,EACtB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;IACR,KAAK,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC7B,GACA,OAAO,CAAC,uBAAuB,CAAC,CAgBlC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,cAAc,EACtB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACtC,OAAO,CAAC;IACT,OAAO,EAAE,MAAM,CAAC;IAChB,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,IAAI,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACnC,YAAY,EAAE;QACZ,QAAQ,EAAE,OAAO,CAAC;QAClB,UAAU,EAAE,IAAI,CAAC;QACjB,aAAa,EAAE,OAAO,CAAC;QACvB,mBAAmB,EAAE,OAAO,CAAC;QAC7B,iBAAiB,EAAE,OAAO,CAAC;KAC5B,CAAC;CACH,CAAC,CAsBD;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,cAAc,EACtB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC;IACT,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,IAAI,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB,CAAC,CAWD;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,cAAc,EACtB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,EAAE,GACxB,OAAO,CAAC,OAAO,CAAC,CAOlB;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,cAAc,EACtB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,cAAc,CAAC,CAMzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,wBAAsB,wBAAwB,CAC5C,MAAM,EAAE,cAAc,EACtB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,WAAW,EACxB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,OAAO,CAAC,CAsBlB;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,qBAAqB,CACzC,MAAM,EAAE,cAAc,EACtB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,eAAe,EAAE,CAAC,CA+D5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,qBAAqB,CACzC,MAAM,EAAE,cAAc,EACtB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,eAAe,EAAE,MAAM,EAAE,GACxB,OAAO,CAAC,OAAO,CAAC,CAQlB"}

package/dist/attestations.js

@@ -0,0 +1,326 @@
+/**
+ * Attestation management (v2)
+ * Functions for managing auditor attestations
+ */
+import { extractIdentityFromBundle, verifyBundle } from "@enactprotocol/trust";
+import { emailToProviderIdentity } from "./utils";
+/**
+ * Get all attestations for a tool version (v2)
+ *
+ * @param client - API client instance
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param options - Pagination options
+ * @returns List of attestations with pagination info
+ *
+ * @example
+ * ```ts
+ * const result = await getAttestations(client, "alice/utils/greeter", "1.2.0", {
+ *   limit: 10,
+ *   offset: 0
+ * });
+ * console.log(`Found ${result.total} attestations`);
+ * ```
+ */
+export async function getAttestations(client, name, version, options) {
+    const params = new URLSearchParams();
+    if (options?.limit !== undefined) {
+        params.set("limit", String(Math.min(options.limit, 100)));
+    }
+    if (options?.offset !== undefined) {
+        params.set("offset", String(options.offset));
+    }
+    const queryString = params.toString();
+    const path = `/tools/${name}/versions/${version}/attestations${queryString ? `?${queryString}` : ""}`;
+    const response = await client.get(path);
+    return response.data;
+}
+/**
+ * Submit an attestation for a tool version (v2)
+ *
+ * The server will verify the Sigstore bundle against the public Sigstore
+ * infrastructure (Rekor + Fulcio) before accepting.
+ *
+ * @param client - API client instance (must be authenticated)
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param sigstoreBundle - Complete Sigstore bundle
+ * @returns Attestation response with verification result
+ *
+ * @example
+ * ```ts
+ * const result = await submitAttestation(client, "alice/utils/greeter", "1.2.0", {
+ *   "$schema": "https://sigstore.dev/bundle/v1",
+ *   "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
+ *   "verificationMaterial": { ... },
+ *   "messageSignature": { ... }
+ * });
+ *
+ * if (result.verification.verified) {
+ *   console.log("Attestation verified and recorded!");
+ * }
+ * ```
+ */
+export async function submitAttestation(client, name, version, sigstoreBundle) {
+    const response = await client.post(`/tools/${name}/versions/${version}/attestations`, {
+        bundle: sigstoreBundle,
+    });
+    return {
+        auditor: response.data.auditor,
+        auditorProvider: response.data.auditor_provider,
+        signedAt: new Date(response.data.signed_at),
+        rekorLogId: response.data.rekor_log_id,
+        rekorLogIndex: response.data.rekor_log_index,
+        verification: {
+            verified: response.data.verification.verified,
+            verifiedAt: new Date(response.data.verification.verified_at),
+            rekorVerified: response.data.verification.rekor_verified,
+            certificateVerified: response.data.verification.certificate_verified,
+            signatureVerified: response.data.verification.signature_verified,
+        },
+    };
+}
+/**
+ * Revoke an attestation (v2)
+ *
+ * Only the original auditor can revoke their attestation.
+ *
+ * @param client - API client instance (must be authenticated)
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param auditorEmail - Email of the auditor (from Sigstore certificate)
+ * @returns Revocation confirmation
+ *
+ * @example
+ * ```ts
+ * const result = await revokeAttestation(
+ *   client,
+ *   "alice/utils/greeter",
+ *   "1.2.0",
+ *   "security@example.com"
+ * );
+ * console.log(`Revoked at ${result.revokedAt}`);
+ * ```
+ */
+export async function revokeAttestation(client, name, version, auditorEmail) {
+    const encodedEmail = encodeURIComponent(auditorEmail);
+    const response = await client.delete(`/tools/${name}/versions/${version}/attestations?auditor=${encodedEmail}`);
+    return {
+        auditor: response.data.auditor,
+        revoked: response.data.revoked,
+        revokedAt: new Date(response.data.revoked_at),
+    };
+}
+/**
+ * Check if a tool version has attestations from specific auditors
+ *
+ * @param client - API client instance
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param trustedAuditors - List of trusted auditor emails
+ * @returns True if at least one trusted auditor has attested
+ *
+ * @example
+ * ```ts
+ * const isTrusted = await hasAttestation(
+ *   client,
+ *   "alice/utils/greeter",
+ *   "1.2.0",
+ *   ["security@example.com", "bob@github.com"]
+ * );
+ *
+ * if (isTrusted) {
+ *   console.log("Tool is trusted!");
+ * }
+ * ```
+ */
+export async function hasAttestation(client, name, version, trustedAuditors) {
+    const result = await getAttestations(client, name, version);
+    return result.attestations.some((attestation) => trustedAuditors.includes(attestation.auditor) && attestation.verification?.verified === true);
+}
+/**
+ * Get the full Sigstore bundle for a specific attestation
+ *
+ * This fetches the complete Sigstore bundle needed for local verification.
+ * Never trust the registry's verification status - always verify locally.
+ *
+ * @param client - API client instance
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param auditor - Auditor email
+ * @returns Complete Sigstore bundle
+ *
+ * @example
+ * ```ts
+ * const bundle = await getAttestationBundle(
+ *   client,
+ *   "alice/utils/greeter",
+ *   "1.2.0",
+ *   "security@example.com"
+ * );
+ * ```
+ */
+export async function getAttestationBundle(client, name, version, auditor) {
+    const encodedAuditor = encodeURIComponent(auditor);
+    const response = await client.get(`/tools/${name}/versions/${version}/trust/attestations/${encodedAuditor}`);
+    return response.data;
+}
+/**
+ * Verify an attestation locally using Sigstore (never trust registry)
+ *
+ * This performs cryptographic verification against Rekor transparency log,
+ * Fulcio certificate authority, and validates the signature. The registry's
+ * verification status is NEVER trusted - we always verify locally.
+ *
+ * @param client - API client instance
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param attestation - Attestation metadata from registry
+ * @param bundleHash - Bundle hash to verify against (sha256:...)
+ * @returns True if attestation is cryptographically valid
+ *
+ * @example
+ * ```ts
+ * const attestations = await getAttestations(client, "alice/utils/greeter", "1.2.0");
+ * const attestation = attestations.attestations[0];
+ *
+ * const isValid = await verifyAttestationLocally(
+ *   client,
+ *   "alice/utils/greeter",
+ *   "1.2.0",
+ *   attestation,
+ *   "sha256:abc123..."
+ * );
+ *
+ * if (isValid) {
+ *   console.log("Attestation cryptographically verified!");
+ * }
+ * ```
+ */
+export async function verifyAttestationLocally(client, name, version, attestation, bundleHash) {
+    try {
+        // Fetch the full Sigstore bundle from registry
+        const bundle = await getAttestationBundle(client, name, version, attestation.auditor);
+        // Convert bundle hash to Buffer for verification
+        const hashWithoutPrefix = bundleHash.replace("sha256:", "");
+        const artifactHash = Buffer.from(hashWithoutPrefix, "hex");
+        // Verify using @enactprotocol/trust package (checks Rekor, Fulcio, signatures)
+        const result = await verifyBundle(bundle, artifactHash, {
+            expectedIdentity: {
+                subjectAlternativeName: attestation.auditor,
+            },
+        });
+        return result.verified;
+    }
+    catch (error) {
+        // Verification failed - log error and return false
+        console.error(`Attestation verification failed for ${attestation.auditor}:`, error);
+        return false;
+    }
+}
+/**
+ * Verify all attestations for a tool and return verified auditors
+ *
+ * This verifies all attestations locally and returns only those that pass
+ * cryptographic verification. Never trusts the registry's verification status.
+ *
+ * @param client - API client instance
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param bundleHash - Bundle hash to verify against
+ * @returns Array of verified auditor emails
+ *
+ * @example
+ * ```ts
+ * const verifiedAuditors = await verifyAllAttestations(
+ *   client,
+ *   "alice/utils/greeter",
+ *   "1.2.0",
+ *   "sha256:abc123..."
+ * );
+ *
+ * console.log(`Verified auditors: ${verifiedAuditors.join(", ")}`);
+ * ```
+ */
+export async function verifyAllAttestations(client, name, version, bundleHash) {
+    const { attestations } = await getAttestations(client, name, version);
+    // Verify all attestations in parallel
+    const verificationResults = await Promise.all(attestations.map(async (attestation) => {
+        try {
+            // Fetch the full Sigstore bundle
+            const bundle = await getAttestationBundle(client, name, version, attestation.auditor);
+            // Convert bundle hash to Buffer for verification
+            const hashWithoutPrefix = bundleHash.replace("sha256:", "");
+            const artifactHash = Buffer.from(hashWithoutPrefix, "hex");
+            // Verify the bundle
+            const result = await verifyBundle(bundle, artifactHash, {
+                expectedIdentity: {
+                    subjectAlternativeName: attestation.auditor,
+                },
+            });
+            if (result.verified) {
+                // Extract full identity from the verified bundle
+                const identity = extractIdentityFromBundle(bundle);
+                // Build provider:identity format using issuer info
+                const providerIdentity = emailToProviderIdentity(attestation.auditor, identity?.issuer, identity?.username);
+                return {
+                    auditor: attestation.auditor,
+                    identity,
+                    providerIdentity,
+                    isValid: true,
+                };
+            }
+            return { auditor: attestation.auditor, isValid: false };
+        }
+        catch {
+            return { auditor: attestation.auditor, isValid: false };
+        }
+    }));
+    // Return only verified auditors with full identity info
+    return verificationResults
+        .filter((result) => result.isValid)
+        .map((result) => ({
+        email: result.auditor,
+        identity: result.identity,
+        providerIdentity: result.providerIdentity,
+    }));
+}
+/**
+ * Check if a tool has a trusted attestation (with local verification)
+ *
+ * This checks if at least one attestation exists from a trusted auditor
+ * AND verifies it locally. Never trusts the registry's verification status.
+ *
+ * @param client - API client instance
+ * @param name - Tool name
+ * @param version - Tool version
+ * @param bundleHash - Bundle hash to verify against
+ * @param trustedAuditors - List of trusted auditor emails
+ * @returns True if at least one trusted auditor's attestation is verified
+ *
+ * @example
+ * ```ts
+ * const isTrusted = await hasTrustedAttestation(
+ *   client,
+ *   "alice/utils/greeter",
+ *   "1.2.0",
+ *   "sha256:abc123...",
+ *   ["security@example.com", "bob@github.com"]
+ * );
+ *
+ * if (isTrusted) {
+ *   console.log("Tool is trusted and verified!");
+ * } else {
+ *   console.log("No trusted attestations found - use 'enact inspect' to review");
+ * }
+ * ```
+ */
+export async function hasTrustedAttestation(client, name, version, bundleHash, trustedAuditors) {
+    const verifiedAuditors = await verifyAllAttestations(client, name, version, bundleHash);
+    // Check if any verified auditor's providerIdentity matches a trusted auditor
+    // providerIdentity is in format "github:username" or "github:email@domain.com"
+    return verifiedAuditors.some((auditor) => {
+        return trustedAuditors.includes(auditor.providerIdentity);
+    });
+}
+//# sourceMappingURL=attestations.js.map

package/dist/attestations.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestations.js","sourceRoot":"","sources":["../src/attestations.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,yBAAyB,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAI/E,OAAO,EAAE,uBAAuB,EAAE,MAAM,SAAS,CAAC;AAuBlD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,MAAsB,EACtB,IAAY,EACZ,OAAe,EACf,OAGC;IAED,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,IAAI,OAAO,EAAE,KAAK,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,IAAI,OAAO,EAAE,MAAM,KAAK,SAAS,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;IACtC,MAAM,IAAI,GAAG,UAAU,IAAI,aAAa,OAAO,gBAAgB,WAAW,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAEtG,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,GAAG,CAA0B,IAAI,CAAC,CAAC;IACjE,OAAO,QAAQ,CAAC,IAAI,CAAC;AACvB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAsB,EACtB,IAAY,EACZ,OAAe,EACf,cAAuC;IAevC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAChC,UAAU,IAAI,aAAa,OAAO,eAAe,EACjD;QACE,MAAM,EAAE,cAAc;KACvB,CACF,CAAC;IAEF,OAAO;QACL,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,OAAO;QAC9B,eAAe,EAAE,QAAQ,CAAC,IAAI,CAAC,gBAAgB;QAC/C,QAAQ,EAAE,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;QAC3C,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC,YAAY;QACtC,aAAa,EAAE,QAAQ,CAAC,IAAI,CAAC,eAAe;QAC5C,YAAY,EAAE;YACZ,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ;YAC7C,UAAU,EAAE,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC;YAC5D,aAAa,EAAE,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,cAAc;YACxD,mBAAmB,EAAE,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,oBAAoB;YACpE,iBAAiB,EAAE,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,kBAAkB;SACjE;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAsB,EACtB,IAAY,EACZ,OAAe,EACf,YAAoB;IAMpB,MAAM,YAAY,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAClC,UAAU,IAAI,aAAa,OAAO,yBAAyB,YAAY,EAAE,CAC1E,CAAC;IAEF,OAAO;QACL,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,OAAO;QAC9B,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,OAAO;QAC9B,SAAS,EAAE,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC;KAC9C,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAAsB,EACtB,IAAY,EACZ,OAAe,EACf,eAAyB;IAEzB,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAE5D,OAAO,MAAM,CAAC,YAAY,CAAC,IAAI,CAC7B,CAAC,WAAW,EAAE,EAAE,CACd,eAAe,CAAC,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC,YAAY,EAAE,QAAQ,KAAK,IAAI,CAC/F,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAAsB,EACtB,IAAY,EACZ,OAAe,EACf,OAAe;IAEf,MAAM,cAAc,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,GAAG,CAC/B,UAAU,IAAI,aAAa,OAAO,uBAAuB,cAAc,EAAE,CAC1E,CAAC;IACF,OAAO,QAAQ,CAAC,IAAI,CAAC;AACvB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,MAAsB,EACtB,IAAY,EACZ,OAAe,EACf,WAAwB,EACxB,UAAkB;IAElB,IAAI,CAAC;QACH,+CAA+C;QAC/C,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;QAEtF,iDAAiD;QACjD,MAAM,iBAAiB,GAAG,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAC5D,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,KAAK,CAAC,CAAC;QAE3D,+EAA+E;QAC/E,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,YAAY,EAAE;YACtD,gBAAgB,EAAE;gBAChB,sBAAsB,EAAE,WAAW,CAAC,OAAO;aAC5C;SACF,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC,QAAQ,CAAC;IACzB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,mDAAmD;QACnD,OAAO,CAAC,KAAK,CAAC,uCAAuC,WAAW,CAAC,OAAO,GAAG,EAAE,KAAK,CAAC,CAAC;QACpF,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,MAAsB,EACtB,IAAY,EACZ,OAAe,EACf,UAAkB;IAElB,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAEtE,sCAAsC;IACtC,MAAM,mBAAmB,GAAG,MAAM,OAAO,CAAC,GAAG,CAC3C,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,WAAW,EAAE,EAAE;QACrC,IAAI,CAAC;YACH,iCAAiC;YACjC,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;YAEtF,iDAAiD;YACjD,MAAM,iBAAiB,GAAG,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAC5D,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,KAAK,CAAC,CAAC;YAE3D,oBAAoB;YACpB,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,YAAY,EAAE;gBACtD,gBAAgB,EAAE;oBAChB,sBAAsB,EAAE,WAAW,CAAC,OAAO;iBAC5C;aACF,CAAC,CAAC;YAEH,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpB,iDAAiD;gBACjD,MAAM,QAAQ,GAAG,yBAAyB,CAAC,MAAM,CAAC,CAAC;gBAEnD,mDAAmD;gBACnD,MAAM,gBAAgB,GAAG,uBAAuB,CAC9C,WAAW,CAAC,OAAO,EACnB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,QAAQ,CACnB,CAAC;gBAEF,OAAO;oBACL,OAAO,EAAE,WAAW,CAAC,OAAO;oBAC5B,QAAQ;oBACR,gBAAgB;oBAChB,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC1D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,OAAO,EAAE,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC1D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,wDAAwD;IACxD,OAAO,mBAAmB;SACvB,MAAM,CACL,CACE,MAAM,EAMN,EAAE,CAAC,MAAM,CAAC,OAAO,CACpB;SACA,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAChB,KAAK,EAAE,MAAM,CAAC,OAAO;QACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;KAC1C,CAAC,CAAC,CAAC;AACR,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,MAAsB,EACtB,IAAY,EACZ,OAAe,EACf,UAAkB,EAClB,eAAyB;IAEzB,MAAM,gBAAgB,GAAG,MAAM,qBAAqB,CAAC,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;IAExF,6EAA6E;IAC7E,+EAA+E;IAC/E,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;QACvC,OAAO,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;AACL,CAAC"}