@enactprotocol/trust 2.0.0 → 2.0.1

package/dist/sigstore/cosign.js

@@ -0,0 +1,457 @@
+/**
+ * Cosign CLI integration for interactive OIDC signing
+ *
+ * The sigstore-js library is designed for CI environments where OIDC tokens
+ * are available via environment variables. For interactive local signing,
+ * we shell out to the cosign CLI which handles the browser-based OAuth flow.
+ */
+import { execSync, spawn } from "node:child_process";
+import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+/**
+ * Check if cosign CLI is available
+ */
+export function isCosignAvailable() {
+    try {
+        execSync("which cosign", { encoding: "utf-8", stdio: "pipe" });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Get cosign version information
+ */
+export function getCosignVersion() {
+    try {
+        const output = execSync("cosign version", { encoding: "utf-8", stdio: "pipe" });
+        const match = output.match(/GitVersion:\s+v?([\d.]+)/);
+        return match?.[1];
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Sign a blob (file or buffer) using cosign with interactive OIDC
+ *
+ * This opens a browser for OAuth authentication with Sigstore's public
+ * OIDC provider. The signature, certificate, and Rekor entry are bundled
+ * together in the Sigstore bundle format.
+ *
+ * @param data - The data to sign (Buffer or path to file)
+ * @param options - Signing options
+ * @returns The signing result with bundle
+ */
+export async function signWithCosign(data, options = {}) {
+    if (!isCosignAvailable()) {
+        throw new Error("cosign CLI is not installed. Install it with: brew install cosign\n" +
+            "See: https://docs.sigstore.dev/cosign/system_config/installation/");
+    }
+    const { timeout = 120000, outputPath, verbose = false } = options;
+    // Create temp directory for working files
+    const tempDir = join(tmpdir(), `enact-sign-${Date.now()}`);
+    mkdirSync(tempDir, { recursive: true });
+    const blobPath = join(tempDir, "blob");
+    const bundlePath = outputPath ?? join(tempDir, "bundle.json");
+    try {
+        // Write data to temp file if it's a buffer
+        if (Buffer.isBuffer(data)) {
+            writeFileSync(blobPath, data);
+        }
+        else if (typeof data === "string" && existsSync(data)) {
+            // It's a file path, copy to temp location
+            const content = readFileSync(data);
+            writeFileSync(blobPath, content);
+        }
+        else {
+            // It's string content
+            writeFileSync(blobPath, data);
+        }
+        // Run cosign sign-blob with bundle output
+        // The --yes flag auto-confirms the OIDC consent prompt
+        const args = [
+            "sign-blob",
+            "--yes", // Auto-confirm OIDC consent
+            "--bundle",
+            bundlePath,
+            "--output-signature",
+            "/dev/null", // We only want the bundle
+            "--output-certificate",
+            "/dev/null", // Bundle includes the cert
+            blobPath,
+        ];
+        if (verbose) {
+            console.log(`Running: cosign ${args.join(" ")}`);
+        }
+        await new Promise((resolve, reject) => {
+            const proc = spawn("cosign", args, {
+                stdio: verbose ? "inherit" : ["inherit", "pipe", "pipe"],
+                timeout,
+            });
+            let stderr = "";
+            if (!verbose) {
+                proc.stderr?.on("data", (data) => {
+                    stderr += data.toString();
+                });
+            }
+            proc.on("error", (err) => {
+                reject(new Error(`Failed to run cosign: ${err.message}`));
+            });
+            proc.on("close", (code) => {
+                if (code === 0) {
+                    resolve();
+                }
+                else {
+                    // Check for common error patterns
+                    if (stderr.includes("context deadline exceeded") || stderr.includes("timeout")) {
+                        reject(new Error("OIDC authentication timed out. Please try again and complete the browser flow."));
+                    }
+                    else if (stderr.includes("cancelled")) {
+                        reject(new Error("Signing was cancelled."));
+                    }
+                    else {
+                        reject(new Error(`cosign exited with code ${code}: ${stderr || "(no output)"}`));
+                    }
+                }
+            });
+        });
+        // Read the bundle
+        if (!existsSync(bundlePath)) {
+            throw new Error("cosign did not produce a bundle file");
+        }
+        const bundleContent = readFileSync(bundlePath, "utf-8");
+        const bundle = JSON.parse(bundleContent);
+        // Extract signer identity from the bundle if possible
+        const signerIdentity = extractSignerFromBundle(bundle);
+        return {
+            bundle,
+            bundlePath,
+            signerIdentity,
+        };
+    }
+    finally {
+        // Clean up temp files (but not the output bundle if specified)
+        try {
+            if (existsSync(blobPath)) {
+                unlinkSync(blobPath);
+            }
+            if (!outputPath && existsSync(bundlePath)) {
+                unlinkSync(bundlePath);
+            }
+            // Try to remove temp dir
+            if (existsSync(tempDir)) {
+                const { rmdirSync } = require("node:fs");
+                rmdirSync(tempDir, { recursive: true });
+            }
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+    }
+}
+/**
+ * Sign an in-toto attestation using cosign
+ *
+ * For in-toto attestations, we use cosign attest-blob which wraps the
+ * attestation in a DSSE envelope.
+ *
+ * @param attestation - The in-toto statement to sign
+ * @param options - Signing options
+ * @returns The signing result with bundle
+ */
+export async function attestWithCosign(attestation, options = {}) {
+    if (!isCosignAvailable()) {
+        throw new Error("cosign CLI is not installed. Install it with: brew install cosign\n" +
+            "See: https://docs.sigstore.dev/cosign/system_config/installation/");
+    }
+    const { timeout = 120000, outputPath, verbose = false } = options;
+    // Create temp directory for working files
+    const tempDir = join(tmpdir(), `enact-attest-${Date.now()}`);
+    mkdirSync(tempDir, { recursive: true });
+    const predicatePath = join(tempDir, "predicate.json");
+    const bundlePath = outputPath ?? join(tempDir, "bundle.json");
+    // cosign attest-blob needs a subject file (the thing being attested)
+    // For tool attestations, we'll create a dummy subject file
+    const subjectPath = join(tempDir, "subject");
+    try {
+        // Extract the predicate from the in-toto statement
+        // cosign attest-blob takes the predicate separately
+        const statement = attestation;
+        // Write the predicate to a file
+        writeFileSync(predicatePath, JSON.stringify(statement.predicate, null, 2));
+        // Create a subject file with the expected content
+        // The subject should be the content that matches the digest in the statement
+        // For now, we'll just create a placeholder and rely on the predicate
+        const subjectName = statement.subject?.[0]?.name ?? "tool.yaml";
+        writeFileSync(subjectPath, subjectName);
+        // Use cosign attest-blob
+        // Note: attest-blob is for custom predicates, which is what we have
+        const args = [
+            "attest-blob",
+            "--yes", // Auto-confirm OIDC consent
+            "--bundle",
+            bundlePath,
+            "--predicate",
+            predicatePath,
+            "--type",
+            statement.predicateType,
+            subjectPath,
+        ];
+        if (verbose) {
+            console.log(`Running: cosign ${args.join(" ")}`);
+        }
+        await new Promise((resolve, reject) => {
+            const proc = spawn("cosign", args, {
+                stdio: verbose ? "inherit" : ["inherit", "pipe", "pipe"],
+                timeout,
+            });
+            let stderr = "";
+            if (!verbose) {
+                proc.stderr?.on("data", (data) => {
+                    stderr += data.toString();
+                });
+            }
+            proc.on("error", (err) => {
+                reject(new Error(`Failed to run cosign: ${err.message}`));
+            });
+            proc.on("close", (code) => {
+                if (code === 0) {
+                    resolve();
+                }
+                else {
+                    if (stderr.includes("context deadline exceeded") || stderr.includes("timeout")) {
+                        reject(new Error("OIDC authentication timed out. Please try again and complete the browser flow."));
+                    }
+                    else if (stderr.includes("cancelled")) {
+                        reject(new Error("Signing was cancelled."));
+                    }
+                    else {
+                        reject(new Error(`cosign exited with code ${code}: ${stderr || "(no output)"}`));
+                    }
+                }
+            });
+        });
+        // Read the bundle
+        if (!existsSync(bundlePath)) {
+            throw new Error("cosign did not produce a bundle file");
+        }
+        const bundleContent = readFileSync(bundlePath, "utf-8");
+        const bundle = JSON.parse(bundleContent);
+        // Extract signer identity from the bundle
+        const signerIdentity = extractSignerFromBundle(bundle);
+        return {
+            bundle,
+            bundlePath,
+            signerIdentity,
+        };
+    }
+    finally {
+        // Clean up temp files
+        try {
+            for (const file of [predicatePath, subjectPath]) {
+                if (existsSync(file)) {
+                    unlinkSync(file);
+                }
+            }
+            if (!outputPath && existsSync(bundlePath)) {
+                unlinkSync(bundlePath);
+            }
+            if (existsSync(tempDir)) {
+                const { rmdirSync } = require("node:fs");
+                rmdirSync(tempDir, { recursive: true });
+            }
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+    }
+}
+/**
+ * Verify a blob signature using cosign
+ *
+ * @param data - The data that was signed
+ * @param bundle - The Sigstore bundle
+ * @param expectedIdentity - Expected signer identity (email)
+ * @param expectedIssuer - Expected OIDC issuer
+ * @returns Whether verification succeeded
+ */
+export async function verifyWithCosign(data, bundle, expectedIdentity, expectedIssuer) {
+    if (!isCosignAvailable()) {
+        throw new Error("cosign CLI is not installed");
+    }
+    const tempDir = join(tmpdir(), `enact-verify-${Date.now()}`);
+    mkdirSync(tempDir, { recursive: true });
+    const blobPath = join(tempDir, "blob");
+    const bundlePath = join(tempDir, "bundle.json");
+    try {
+        // Write data and bundle to temp files
+        if (Buffer.isBuffer(data)) {
+            writeFileSync(blobPath, data);
+        }
+        else {
+            writeFileSync(blobPath, data);
+        }
+        writeFileSync(bundlePath, JSON.stringify(bundle, null, 2));
+        // Build cosign verify-blob command
+        const args = ["verify-blob", "--bundle", bundlePath];
+        if (expectedIdentity) {
+            args.push("--certificate-identity", expectedIdentity);
+        }
+        else {
+            // Use regex to match any identity
+            args.push("--certificate-identity-regexp", ".*");
+        }
+        if (expectedIssuer) {
+            args.push("--certificate-oidc-issuer", expectedIssuer);
+        }
+        else {
+            // Match common Sigstore OIDC issuers
+            args.push("--certificate-oidc-issuer-regexp", "(https://accounts.google.com|https://github.com/login/oauth|https://oauth2.sigstore.dev/auth)");
+        }
+        args.push(blobPath);
+        execSync(`cosign ${args.join(" ")}`, {
+            encoding: "utf-8",
+            stdio: "pipe",
+        });
+        const identity = extractSignerFromBundle(bundle);
+        return {
+            verified: true,
+            error: undefined,
+            identity,
+        };
+    }
+    catch (err) {
+        const error = err instanceof Error ? err.message : String(err);
+        return {
+            verified: false,
+            error,
+        };
+    }
+    finally {
+        // Clean up
+        try {
+            for (const file of [blobPath, bundlePath]) {
+                if (existsSync(file)) {
+                    unlinkSync(file);
+                }
+            }
+            if (existsSync(tempDir)) {
+                const { rmdirSync } = require("node:fs");
+                rmdirSync(tempDir, { recursive: true });
+            }
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+    }
+}
+/**
+ * Extract signer identity (email) from a Sigstore bundle
+ *
+ * The certificate in the bundle contains the signer's email in the
+ * Subject Alternative Name (SAN) extension.
+ */
+function extractSignerFromBundle(bundle) {
+    try {
+        // The certificate is in verificationMaterial.certificate.rawBytes (base64)
+        const certB64 = bundle?.verificationMaterial?.certificate?.rawBytes;
+        if (!certB64) {
+            return undefined;
+        }
+        // Decode the certificate
+        const certDer = Buffer.from(certB64, "base64");
+        // Simple extraction of email from certificate
+        // Look for the email pattern in the SAN extension
+        // This is a simplified extraction - a proper implementation would parse X.509
+        const certStr = certDer.toString("latin1");
+        // Look for email pattern - match word chars, dots, hyphens, plus before @
+        // and domain after, but stop at non-word characters
+        const emailMatch = certStr.match(/[\w.+-]+@[\w.-]+\.[a-zA-Z]{2,}/);
+        return emailMatch?.[0];
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Verify an attestation bundle using cosign
+ *
+ * @param bundle - The Sigstore bundle containing a DSSE-wrapped attestation
+ * @param expectedIdentity - Expected signer identity (email)
+ * @param expectedIssuer - Expected OIDC issuer
+ * @param predicateType - The attestation predicate type (optional)
+ * @returns Verification result
+ */
+export async function verifyAttestationWithCosign(bundle, expectedIdentity, expectedIssuer, predicateType) {
+    if (!isCosignAvailable()) {
+        throw new Error("cosign CLI is not installed");
+    }
+    const tempDir = join(tmpdir(), `enact-verify-attest-${Date.now()}`);
+    mkdirSync(tempDir, { recursive: true });
+    const bundlePath = join(tempDir, "bundle.json");
+    try {
+        writeFileSync(bundlePath, JSON.stringify(bundle, null, 2));
+        // Build cosign verify-blob-attestation command
+        const args = ["verify-blob-attestation", "--bundle", bundlePath];
+        if (expectedIdentity) {
+            args.push("--certificate-identity", expectedIdentity);
+        }
+        else {
+            args.push("--certificate-identity-regexp", ".*");
+        }
+        if (expectedIssuer) {
+            args.push("--certificate-oidc-issuer", expectedIssuer);
+        }
+        else {
+            // Match common Sigstore OIDC issuers
+            args.push("--certificate-oidc-issuer-regexp", ".*");
+        }
+        if (predicateType) {
+            args.push("--type", predicateType);
+        }
+        // Don't check claims against a subject file
+        args.push("--check-claims=false");
+        // Use /dev/null as the "subject" - attestation verification doesn't need it
+        args.push("/dev/null");
+        // Use spawnSync to avoid shell escaping issues
+        const { spawnSync } = require("node:child_process");
+        const result = spawnSync("cosign", args, {
+            encoding: "utf-8",
+            stdio: "pipe",
+        });
+        if (result.status !== 0) {
+            throw new Error(result.stderr || result.stdout || `cosign exited with code ${result.status}`);
+        }
+        const identity = extractSignerFromBundle(bundle);
+        return {
+            verified: true,
+            error: undefined,
+            identity,
+        };
+    }
+    catch (err) {
+        const error = err instanceof Error ? err.message : String(err);
+        return {
+            verified: false,
+            error,
+        };
+    }
+    finally {
+        try {
+            if (existsSync(bundlePath)) {
+                unlinkSync(bundlePath);
+            }
+            if (existsSync(tempDir)) {
+                const { rmdirSync } = require("node:fs");
+                rmdirSync(tempDir, { recursive: true });
+            }
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+    }
+}
+//# sourceMappingURL=cosign.js.map

package/dist/sigstore/cosign.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cosign.js","sourceRoot":"","sources":["../../src/sigstore/cosign.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACzF,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAC/B,IAAI,CAAC;QACH,QAAQ,CAAC,cAAc,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB;IAC9B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,QAAQ,CAAC,gBAAgB,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAChF,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;QACvD,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AA0BD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAqB,EACrB,UAA6B,EAAE;IAE/B,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CACb,qEAAqE;YACnE,mEAAmE,CACtE,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,OAAO,GAAG,MAAM,EAAE,UAAU,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAElE,0CAA0C;IAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,cAAc,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC3D,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAExC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACvC,MAAM,UAAU,GAAG,UAAU,IAAI,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IAE9D,IAAI,CAAC;QACH,2CAA2C;QAC3C,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAChC,CAAC;aAAM,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACxD,0CAA0C;YAC1C,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;YACnC,aAAa,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACnC,CAAC;aAAM,CAAC;YACN,sBAAsB;YACtB,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAChC,CAAC;QAED,0CAA0C;QAC1C,uDAAuD;QACvD,MAAM,IAAI,GAAG;YACX,WAAW;YACX,OAAO,EAAE,4BAA4B;YACrC,UAAU;YACV,UAAU;YACV,oBAAoB;YACpB,WAAW,EAAE,0BAA0B;YACvC,sBAAsB;YACtB,WAAW,EAAE,2BAA2B;YACxC,QAAQ;SACT,CAAC;QAEF,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE;gBACjC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC;gBACxD,OAAO;aACR,CAAC,CAAC;YAEH,IAAI,MAAM,GAAG,EAAE,CAAC;YAEhB,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;oBAC/B,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAC5B,CAAC,CAAC,CAAC;YACL,CAAC;YAED,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACvB,MAAM,CAAC,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAC5D,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;gBACxB,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;oBACf,OAAO,EAAE,CAAC;gBACZ,CAAC;qBAAM,CAAC;oBACN,kCAAkC;oBAClC,IAAI,MAAM,CAAC,QAAQ,CAAC,2BAA2B,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;wBAC/E,MAAM,CACJ,IAAI,KAAK,CACP,gFAAgF,CACjF,CACF,CAAC;oBACJ,CAAC;yBAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;wBACxC,MAAM,CAAC,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC;oBAC9C,CAAC;yBAAM,CAAC;wBACN,MAAM,CAAC,IAAI,KAAK,CAAC,2BAA2B,IAAI,KAAK,MAAM,IAAI,aAAa,EAAE,CAAC,CAAC,CAAC;oBACnF,CAAC;gBACH,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,kBAAkB;QAClB,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,aAAa,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAmB,CAAC;QAE3D,sDAAsD;QACtD,MAAM,cAAc,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEvD,OAAO;YACL,MAAM;YACN,UAAU;YACV,cAAc;SACf,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,+DAA+D;QAC/D,IAAI,CAAC;YACH,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACzB,UAAU,CAAC,QAAQ,CAAC,CAAC;YACvB,CAAC;YACD,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC1C,UAAU,CAAC,UAAU,CAAC,CAAC;YACzB,CAAC;YACD,yBAAyB;YACzB,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACxB,MAAM,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;gBACzC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,WAAoC,EACpC,UAA6B,EAAE;IAE/B,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CACb,qEAAqE;YACnE,mEAAmE,CACtE,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,OAAO,GAAG,MAAM,EAAE,UAAU,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAElE,0CAA0C;IAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,gBAAgB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7D,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAExC,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;IACtD,MAAM,UAAU,GAAG,UAAU,IAAI,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IAC9D,qEAAqE;IACrE,2DAA2D;IAC3D,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAE7C,IAAI,CAAC;QACH,mDAAmD;QACnD,oDAAoD;QACpD,MAAM,SAAS,GAAG,WAKjB,CAAC;QAEF,gCAAgC;QAChC,aAAa,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAE3E,kDAAkD;QAClD,6EAA6E;QAC7E,qEAAqE;QACrE,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,IAAI,WAAW,CAAC;QAChE,aAAa,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;QAExC,yBAAyB;QACzB,oEAAoE;QACpE,MAAM,IAAI,GAAG;YACX,aAAa;YACb,OAAO,EAAE,4BAA4B;YACrC,UAAU;YACV,UAAU;YACV,aAAa;YACb,aAAa;YACb,QAAQ;YACR,SAAS,CAAC,aAAa;YACvB,WAAW;SACZ,CAAC;QAEF,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE;gBACjC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC;gBACxD,OAAO;aACR,CAAC,CAAC;YAEH,IAAI,MAAM,GAAG,EAAE,CAAC;YAEhB,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;oBAC/B,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAC5B,CAAC,CAAC,CAAC;YACL,CAAC;YAED,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACvB,MAAM,CAAC,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAC5D,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;gBACxB,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;oBACf,OAAO,EAAE,CAAC;gBACZ,CAAC;qBAAM,CAAC;oBACN,IAAI,MAAM,CAAC,QAAQ,CAAC,2BAA2B,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;wBAC/E,MAAM,CACJ,IAAI,KAAK,CACP,gFAAgF,CACjF,CACF,CAAC;oBACJ,CAAC;yBAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;wBACxC,MAAM,CAAC,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC;oBAC9C,CAAC;yBAAM,CAAC;wBACN,MAAM,CAAC,IAAI,KAAK,CAAC,2BAA2B,IAAI,KAAK,MAAM,IAAI,aAAa,EAAE,CAAC,CAAC,CAAC;oBACnF,CAAC;gBACH,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,kBAAkB;QAClB,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,aAAa,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAmB,CAAC;QAE3D,0CAA0C;QAC1C,MAAM,cAAc,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEvD,OAAO;YACL,MAAM;YACN,UAAU;YACV,cAAc;SACf,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,sBAAsB;QACtB,IAAI,CAAC;YACH,KAAK,MAAM,IAAI,IAAI,CAAC,aAAa,EAAE,WAAW,CAAC,EAAE,CAAC;gBAChD,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrB,UAAU,CAAC,IAAI,CAAC,CAAC;gBACnB,CAAC;YACH,CAAC;YACD,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC1C,UAAU,CAAC,UAAU,CAAC,CAAC;YACzB,CAAC;YACD,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACxB,MAAM,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;gBACzC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAAqB,EACrB,MAAsB,EACtB,gBAAyB,EACzB,cAAuB;IAEvB,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,gBAAgB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7D,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAExC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACvC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IAEhD,IAAI,CAAC;QACH,sCAAsC;QACtC,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAChC,CAAC;QACD,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAE3D,mCAAmC;QACnC,MAAM,IAAI,GAAG,CAAC,aAAa,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QAErD,IAAI,gBAAgB,EAAE,CAAC;YACrB,IAAI,CAAC,IAAI,CAAC,wBAAwB,EAAE,gBAAgB,CAAC,CAAC;QACxD,CAAC;aAAM,CAAC;YACN,kCAAkC;YAClC,IAAI,CAAC,IAAI,CAAC,+BAA+B,EAAE,IAAI,CAAC,CAAC;QACnD,CAAC;QAED,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,IAAI,CAAC,2BAA2B,EAAE,cAAc,CAAC,CAAC;QACzD,CAAC;aAAM,CAAC;YACN,qCAAqC;YACrC,IAAI,CAAC,IAAI,CACP,kCAAkC,EAClC,+FAA+F,CAChG,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEpB,QAAQ,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE;YACnC,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,MAAM;SACd,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;QACjD,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,SAAS;YAChB,QAAQ;SACT,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC/D,OAAO;YACL,QAAQ,EAAE,KAAK;YACf,KAAK;SACN,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,WAAW;QACX,IAAI,CAAC;YACH,KAAK,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,CAAC;gBAC1C,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrB,UAAU,CAAC,IAAI,CAAC,CAAC;gBACnB,CAAC;YACH,CAAC;YACD,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACxB,MAAM,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;gBACzC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,MAAsB;IACrD,IAAI,CAAC;QACH,2EAA2E;QAC3E,MAAM,OAAO,GACX,MAOD,EAAE,oBAAoB,EAAE,WAAW,EAAE,QAAQ,CAAC;QAE/C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,yBAAyB;QACzB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE/C,8CAA8C;QAC9C,kDAAkD;QAClD,8EAA8E;QAC9E,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAE3C,0EAA0E;QAC1E,oDAAoD;QACpD,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACnE,OAAO,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,MAAsB,EACtB,gBAAyB,EACzB,cAAuB,EACvB,aAAsB;IAEtB,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,uBAAuB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACpE,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAExC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IAEhD,IAAI,CAAC;QACH,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAE3D,+CAA+C;QAC/C,MAAM,IAAI,GAAG,CAAC,yBAAyB,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QAEjE,IAAI,gBAAgB,EAAE,CAAC;YACrB,IAAI,CAAC,IAAI,CAAC,wBAAwB,EAAE,gBAAgB,CAAC,CAAC;QACxD,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,IAAI,CAAC,+BAA+B,EAAE,IAAI,CAAC,CAAC;QACnD,CAAC;QAED,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,IAAI,CAAC,2BAA2B,EAAE,cAAc,CAAC,CAAC;QACzD,CAAC;aAAM,CAAC;YACN,qCAAqC;YACrC,IAAI,CAAC,IAAI,CAAC,kCAAkC,EAAE,IAAI,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,aAAa,EAAE,CAAC;YAClB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;QACrC,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAElC,4EAA4E;QAC5E,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAEvB,+CAA+C;QAC/C,MAAM,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAC;QACpD,MAAM,MAAM,GAAG,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE;YACvC,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,MAAM;SACd,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,IAAI,2BAA2B,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QAChG,CAAC;QAED,MAAM,QAAQ,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;QACjD,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,SAAS;YAChB,QAAQ;SACT,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC/D,OAAO;YACL,QAAQ,EAAE,KAAK;YACf,KAAK;SACN,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,IAAI,CAAC;YACH,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC3B,UAAU,CAAC,UAAU,CAAC,CAAC;YACzB,CAAC;YACD,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACxB,MAAM,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;gBACzC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/sigstore/index.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Sigstore integration for Enact
+ *
+ * This module provides Sigstore-based attestation signing and verification
+ * capabilities for the Enact tool ecosystem.
+ */
+export type { OIDCProvider, OIDCIdentity, OIDCOptions, FulcioCertificate, FulcioCertificateOptions, RekorEntry, RekorInclusionProof, RekorEntryOptions, InTotoStatement, InTotoSubject, SLSAProvenancePredicate, SLSAResourceDescriptor, SigstoreBundle, TransparencyLogEntry, SigningOptions, SigningResult, VerificationOptions, VerificationResult, VerificationDetails, ExpectedIdentity, TrustRoot, CertificateAuthority, TransparencyLog, TimestampAuthority, TrustPolicy, TrustedIdentityRule, TrustPolicyResult, VerifiedAttestation, EnactToolPredicate, EnactAttestationBundle, } from "./types";
+export { signArtifact, signAttestation, extractOIDCIdentity, extractCertificateFromBundle, extractIdentityFromBundle, detectOIDCProvider, getOIDCTokenFromEnvironment, FULCIO_PUBLIC_URL, REKOR_PUBLIC_URL, TSA_PUBLIC_URL, OIDC_ISSUERS, } from "./signing";
+export { OAuthIdentityProvider, CallbackServer, OAuthClient, initializeOAuthClient, SIGSTORE_OAUTH_ISSUER, SIGSTORE_CLIENT_ID, } from "./oauth";
+export type { OAuthIdentityProviderOptions, IdentityProvider, } from "./oauth";
+export { isCosignAvailable, getCosignVersion, signWithCosign, attestWithCosign, verifyWithCosign, verifyAttestationWithCosign, } from "./cosign";
+export type { CosignSignOptions, CosignSignResult } from "./cosign";
+export { verifyBundle, createBundleVerifier, isVerified, } from "./verification";
+export { createSubjectFromContent, createSubjectFromFile, createSubjectWithMultipleDigests, createStatement, createSLSAProvenance, createSLSAProvenanceStatement, createEnactToolPredicate, createEnactToolStatement, createEnactAuditPredicate, createEnactAuditStatement, createResourceDescriptorFromFile, createResourceDescriptorFromContent, ENACT_BASE_URL, INTOTO_STATEMENT_TYPE, SLSA_PROVENANCE_TYPE, ENACT_TOOL_TYPE, ENACT_AUDIT_TYPE, ENACT_BUILD_TYPE, } from "./attestation";
+export { createTrustPolicy, createIdentityRule, evaluateTrustPolicy, isTrusted, serializeTrustPolicy, deserializeTrustPolicy, DEFAULT_TRUST_POLICY, PERMISSIVE_POLICY, STRICT_POLICY, } from "./policy";
+export type { SLSAProvenanceOptions, EnactToolAttestationOptions, EnactAuditAttestationOptions, EnactAuditPredicate, } from "./attestation";
+//# sourceMappingURL=index.d.ts.map

package/dist/sigstore/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sigstore/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,YAAY,EAEV,YAAY,EACZ,YAAY,EACZ,WAAW,EAEX,iBAAiB,EACjB,wBAAwB,EAExB,UAAU,EACV,mBAAmB,EACnB,iBAAiB,EAEjB,eAAe,EACf,aAAa,EACb,uBAAuB,EACvB,sBAAsB,EAEtB,cAAc,EACd,oBAAoB,EAEpB,cAAc,EACd,aAAa,EACb,mBAAmB,EACnB,kBAAkB,EAClB,mBAAmB,EACnB,gBAAgB,EAEhB,SAAS,EACT,oBAAoB,EACpB,eAAe,EACf,kBAAkB,EAClB,WAAW,EACX,mBAAmB,EACnB,iBAAiB,EACjB,mBAAmB,EAEnB,kBAAkB,EAClB,sBAAsB,GACvB,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,YAAY,EACZ,eAAe,EACf,mBAAmB,EACnB,4BAA4B,EAC5B,yBAAyB,EACzB,kBAAkB,EAClB,2BAA2B,EAC3B,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,YAAY,GACb,MAAM,WAAW,CAAC;AAGnB,OAAO,EACL,qBAAqB,EACrB,cAAc,EACd,WAAW,EACX,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,SAAS,CAAC;AACjB,YAAY,EACV,4BAA4B,EAC5B,gBAAgB,GACjB,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,gBAAgB,EAChB,2BAA2B,GAC5B,MAAM,UAAU,CAAC;AAClB,YAAY,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAGpE,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,UAAU,GACX,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EACL,wBAAwB,EACxB,qBAAqB,EACrB,gCAAgC,EAChC,eAAe,EACf,oBAAoB,EACpB,6BAA6B,EAC7B,wBAAwB,EACxB,wBAAwB,EACxB,yBAAyB,EACzB,yBAAyB,EACzB,gCAAgC,EAChC,mCAAmC,EAEnC,cAAc,EACd,qBAAqB,EACrB,oBAAoB,EACpB,eAAe,EACf,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,eAAe,CAAC;AAGvB,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,mBAAmB,EACnB,SAAS,EACT,oBAAoB,EACpB,sBAAsB,EACtB,oBAAoB,EACpB,iBAAiB,EACjB,aAAa,GACd,MAAM,UAAU,CAAC;AAGlB,YAAY,EACV,qBAAqB,EACrB,2BAA2B,EAC3B,4BAA4B,EAC5B,mBAAmB,GACpB,MAAM,eAAe,CAAC"}

package/dist/sigstore/index.js

@@ -0,0 +1,21 @@
+/**
+ * Sigstore integration for Enact
+ *
+ * This module provides Sigstore-based attestation signing and verification
+ * capabilities for the Enact tool ecosystem.
+ */
+// Signing
+export { signArtifact, signAttestation, extractOIDCIdentity, extractCertificateFromBundle, extractIdentityFromBundle, detectOIDCProvider, getOIDCTokenFromEnvironment, FULCIO_PUBLIC_URL, REKOR_PUBLIC_URL, TSA_PUBLIC_URL, OIDC_ISSUERS, } from "./signing";
+// OAuth Identity Provider (for interactive signing)
+export { OAuthIdentityProvider, CallbackServer, OAuthClient, initializeOAuthClient, SIGSTORE_OAUTH_ISSUER, SIGSTORE_CLIENT_ID, } from "./oauth";
+// Cosign CLI integration (fallback for interactive signing)
+export { isCosignAvailable, getCosignVersion, signWithCosign, attestWithCosign, verifyWithCosign, verifyAttestationWithCosign, } from "./cosign";
+// Verification
+export { verifyBundle, createBundleVerifier, isVerified, } from "./verification";
+// Attestation creation
+export { createSubjectFromContent, createSubjectFromFile, createSubjectWithMultipleDigests, createStatement, createSLSAProvenance, createSLSAProvenanceStatement, createEnactToolPredicate, createEnactToolStatement, createEnactAuditPredicate, createEnactAuditStatement, createResourceDescriptorFromFile, createResourceDescriptorFromContent, 
+// Constants
+ENACT_BASE_URL, INTOTO_STATEMENT_TYPE, SLSA_PROVENANCE_TYPE, ENACT_TOOL_TYPE, ENACT_AUDIT_TYPE, ENACT_BUILD_TYPE, } from "./attestation";
+// Trust policy
+export { createTrustPolicy, createIdentityRule, evaluateTrustPolicy, isTrusted, serializeTrustPolicy, deserializeTrustPolicy, DEFAULT_TRUST_POLICY, PERMISSIVE_POLICY, STRICT_POLICY, } from "./policy";
+//# sourceMappingURL=index.js.map

package/dist/sigstore/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sigstore/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AA4CH,UAAU;AACV,OAAO,EACL,YAAY,EACZ,eAAe,EACf,mBAAmB,EACnB,4BAA4B,EAC5B,yBAAyB,EACzB,kBAAkB,EAClB,2BAA2B,EAC3B,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,YAAY,GACb,MAAM,WAAW,CAAC;AAEnB,oDAAoD;AACpD,OAAO,EACL,qBAAqB,EACrB,cAAc,EACd,WAAW,EACX,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,SAAS,CAAC;AAMjB,4DAA4D;AAC5D,OAAO,EACL,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,gBAAgB,EAChB,2BAA2B,GAC5B,MAAM,UAAU,CAAC;AAGlB,eAAe;AACf,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,UAAU,GACX,MAAM,gBAAgB,CAAC;AAExB,uBAAuB;AACvB,OAAO,EACL,wBAAwB,EACxB,qBAAqB,EACrB,gCAAgC,EAChC,eAAe,EACf,oBAAoB,EACpB,6BAA6B,EAC7B,wBAAwB,EACxB,wBAAwB,EACxB,yBAAyB,EACzB,yBAAyB,EACzB,gCAAgC,EAChC,mCAAmC;AACnC,YAAY;AACZ,cAAc,EACd,qBAAqB,EACrB,oBAAoB,EACpB,eAAe,EACf,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,eAAe,CAAC;AAEvB,eAAe;AACf,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,mBAAmB,EACnB,SAAS,EACT,oBAAoB,EACpB,sBAAsB,EACtB,oBAAoB,EACpB,iBAAiB,EACjB,aAAa,GACd,MAAM,UAAU,CAAC"}

package/dist/sigstore/oauth/client.d.ts

@@ -0,0 +1,38 @@
+/**
+ * OAuth Client
+ *
+ * Wrapper around openid-client for PKCE-based OAuth flow with Sigstore.
+ */
+import { type BaseClient } from "openid-client";
+interface OAuthClientOptions {
+    issuer: string;
+    redirectURL: string;
+    clientID: string;
+    clientSecret: string | undefined;
+}
+/**
+ * Initialize an OAuth client by discovering the issuer's configuration
+ */
+export declare function initializeOAuthClient(options: OAuthClientOptions): Promise<OAuthClient>;
+/**
+ * OAuthClient wraps an openid-client Client instance to maintain
+ * state for the PKCE authorization flow.
+ */
+export declare class OAuthClient {
+    private client;
+    private redirectURL;
+    private verifier;
+    private nonce;
+    private state;
+    constructor(client: BaseClient, redirectURL: string);
+    /**
+     * Get the authorization URL to redirect the user to
+     */
+    get authorizationUrl(): string;
+    /**
+     * Exchange the callback URL for an ID token
+     */
+    getIDToken(callbackURL: string): Promise<string>;
+}
+export {};
+//# sourceMappingURL=client.d.ts.map

package/dist/sigstore/oauth/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/sigstore/oauth/client.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,KAAK,UAAU,EAAsB,MAAM,eAAe,CAAC;AAEpE,UAAU,kBAAkB;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,GAAG,SAAS,CAAC;CAClC;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CAAC,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,WAAW,CAAC,CAiB7F;AAED;;;GAGG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAAa;IAC3B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,KAAK,CAAS;gBAEV,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM;IAQnD;;OAEG;IACH,IAAI,gBAAgB,IAAI,MAAM,CAS7B;IAED;;OAEG;IACU,UAAU,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAe9D"}

package/dist/sigstore/oauth/client.js

@@ -0,0 +1,71 @@
+/**
+ * OAuth Client
+ *
+ * Wrapper around openid-client for PKCE-based OAuth flow with Sigstore.
+ */
+import { Issuer, generators } from "openid-client";
+/**
+ * Initialize an OAuth client by discovering the issuer's configuration
+ */
+export async function initializeOAuthClient(options) {
+    const issuer = await Issuer.discover(options.issuer);
+    const client = new issuer.Client(options.clientSecret
+        ? {
+            client_id: options.clientID,
+            client_secret: options.clientSecret,
+            token_endpoint_auth_method: "client_secret_basic",
+        }
+        : {
+            client_id: options.clientID,
+            token_endpoint_auth_method: "none",
+        });
+    return new OAuthClient(client, options.redirectURL);
+}
+/**
+ * OAuthClient wraps an openid-client Client instance to maintain
+ * state for the PKCE authorization flow.
+ */
+export class OAuthClient {
+    client;
+    redirectURL;
+    verifier;
+    nonce;
+    state;
+    constructor(client, redirectURL) {
+        this.client = client;
+        this.redirectURL = redirectURL;
+        this.verifier = generators.codeVerifier(32);
+        this.nonce = generators.nonce(32);
+        this.state = generators.state(16);
+    }
+    /**
+     * Get the authorization URL to redirect the user to
+     */
+    get authorizationUrl() {
+        return this.client.authorizationUrl({
+            scope: "openid email",
+            redirect_uri: this.redirectURL,
+            code_challenge: generators.codeChallenge(this.verifier),
+            code_challenge_method: "S256",
+            state: this.state,
+            nonce: this.nonce,
+        });
+    }
+    /**
+     * Exchange the callback URL for an ID token
+     */
+    async getIDToken(callbackURL) {
+        const params = this.client.callbackParams(callbackURL);
+        const tokenSet = await this.client.callback(this.redirectURL, params, {
+            response_type: "code",
+            code_verifier: this.verifier,
+            state: this.state,
+            nonce: this.nonce,
+        });
+        if (!tokenSet.id_token) {
+            throw new Error("No ID token received from OAuth provider");
+        }
+        return tokenSet.id_token;
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/sigstore/oauth/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/sigstore/oauth/client.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAmB,MAAM,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AASpE;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,OAA2B;IACrE,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAErD,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,CAC9B,OAAO,CAAC,YAAY;QAClB,CAAC,CAAC;YACE,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,aAAa,EAAE,OAAO,CAAC,YAAY;YACnC,0BAA0B,EAAE,qBAA8B;SAC3D;QACH,CAAC,CAAC;YACE,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,0BAA0B,EAAE,MAAe;SAC5C,CACN,CAAC;IAEF,OAAO,IAAI,WAAW,CAAC,MAAM,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,WAAW;IACd,MAAM,CAAa;IACnB,WAAW,CAAS;IACpB,QAAQ,CAAS;IACjB,KAAK,CAAS;IACd,KAAK,CAAS;IAEtB,YAAY,MAAkB,EAAE,WAAmB;QACjD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,QAAQ,GAAG,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClC,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,IAAI,gBAAgB;QAClB,OAAO,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC;YAClC,KAAK,EAAE,cAAc;YACrB,YAAY,EAAE,IAAI,CAAC,WAAW;YAC9B,cAAc,EAAE,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC;YACvD,qBAAqB,EAAE,MAAM;YAC7B,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,UAAU,CAAC,WAAmB;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC;QACvD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE;YACpE,aAAa,EAAE,MAAM;YACrB,aAAa,EAAE,IAAI,CAAC,QAAQ;YAC5B,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO,QAAQ,CAAC,QAAQ,CAAC;IAC3B,CAAC;CACF"}