@enactprotocol/trust 2.0.0 → 2.0.1

package/dist/sigstore/policy.js

@@ -0,0 +1,351 @@
+/**
+ * Trust policy evaluation module
+ *
+ * This module provides functions for creating and evaluating trust policies
+ * that determine whether an artifact should be trusted based on its attestations.
+ */
+import { ENACT_AUDIT_TYPE, ENACT_TOOL_TYPE, SLSA_PROVENANCE_TYPE } from "./attestation";
+import { extractIdentityFromBundle } from "./signing";
+import { verifyBundle } from "./verification";
+// ============================================================================
+// Default Policy
+// ============================================================================
+/**
+ * Default trust policy - requires publisher attestation
+ */
+export const DEFAULT_TRUST_POLICY = {
+    name: "default",
+    version: "1.0",
+    trustedPublishers: [],
+    trustedAuditors: [],
+    requiredAttestations: [ENACT_TOOL_TYPE],
+    minimumSLSALevel: 0,
+    allowUnsigned: false,
+    cacheResults: true,
+};
+/**
+ * Permissive policy - allows unsigned tools (for development)
+ */
+export const PERMISSIVE_POLICY = {
+    name: "permissive",
+    version: "1.0",
+    trustedPublishers: [],
+    trustedAuditors: [],
+    requiredAttestations: [],
+    minimumSLSALevel: 0,
+    allowUnsigned: true,
+    cacheResults: false,
+};
+/**
+ * Strict policy - requires publisher + auditor attestations and SLSA level 2+
+ */
+export const STRICT_POLICY = {
+    name: "strict",
+    version: "1.0",
+    trustedPublishers: [],
+    trustedAuditors: [],
+    requiredAttestations: [ENACT_TOOL_TYPE, ENACT_AUDIT_TYPE],
+    minimumSLSALevel: 2,
+    allowUnsigned: false,
+    cacheResults: true,
+};
+// ============================================================================
+// Policy Creation
+// ============================================================================
+/**
+ * Create a trust policy
+ *
+ * @param options - Policy options
+ * @returns The trust policy
+ *
+ * @example
+ * ```ts
+ * const policy = createTrustPolicy({
+ *   name: "my-org-policy",
+ *   trustedPublishers: [
+ *     { name: "My Team", type: "email", pattern: "*@myorg.com" }
+ *   ],
+ *   minimumSLSALevel: 1
+ * });
+ * ```
+ */
+export function createTrustPolicy(options) {
+    return {
+        ...DEFAULT_TRUST_POLICY,
+        ...options,
+        version: options.version || "1.0",
+    };
+}
+/**
+ * Create a trusted identity rule
+ *
+ * @param name - Rule name
+ * @param type - Identity type
+ * @param pattern - Pattern to match
+ * @param options - Additional options
+ * @returns The identity rule
+ */
+export function createIdentityRule(name, type, pattern, options = {}) {
+    const rule = {
+        name,
+        type,
+        pattern,
+    };
+    if (options.issuer) {
+        rule.issuer = options.issuer;
+    }
+    if (options.requiredClaims) {
+        rule.requiredClaims = options.requiredClaims;
+    }
+    return rule;
+}
+// ============================================================================
+// Policy Evaluation
+// ============================================================================
+/**
+ * Evaluate trust policy for a set of attestations
+ *
+ * @param attestationBundles - Array of Sigstore bundles containing attestations
+ * @param policy - The trust policy to evaluate against
+ * @returns The trust policy evaluation result
+ *
+ * @example
+ * ```ts
+ * const result = await evaluateTrustPolicy(bundles, myPolicy);
+ * if (result.trusted) {
+ *   console.log(`Trusted at level ${result.trustLevel}`);
+ * }
+ * ```
+ */
+export async function evaluateTrustPolicy(attestationBundles, policy) {
+    const result = {
+        trusted: false,
+        trustLevel: 0,
+        matchedAuditors: [],
+        details: {
+            attestations: [],
+            violations: [],
+            warnings: [],
+        },
+    };
+    // If no attestations and unsigned allowed, trust with level 0
+    if (attestationBundles.length === 0) {
+        if (policy.allowUnsigned) {
+            result.trusted = true;
+            result.details.warnings.push("No attestations found - trusting unsigned artifact");
+            return result;
+        }
+        result.details.violations.push("No attestations found and policy requires signed artifacts");
+        return result;
+    }
+    // Verify all attestation bundles and extract information
+    const verifiedAttestations = [];
+    for (const bundle of attestationBundles) {
+        try {
+            const verificationResult = await verifyBundle(bundle);
+            if (!verificationResult.verified) {
+                result.details.violations.push(`Attestation verification failed: ${verificationResult.error}`);
+                continue;
+            }
+            // Extract attestation from DSSE envelope
+            const attestation = extractAttestationFromBundle(bundle);
+            if (!attestation) {
+                result.details.warnings.push("Could not extract attestation from bundle");
+                continue;
+            }
+            const identity = extractIdentityFromBundle(bundle);
+            if (!identity) {
+                result.details.warnings.push("Could not extract identity from bundle");
+                continue;
+            }
+            verifiedAttestations.push({
+                type: attestation.predicateType,
+                predicateType: attestation.predicateType,
+                signer: identity,
+                verifiedAt: new Date(),
+                attestation,
+            });
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            result.details.violations.push(`Attestation verification error: ${message}`);
+        }
+    }
+    result.details.attestations = verifiedAttestations;
+    // Check required attestation types
+    if (policy.requiredAttestations && policy.requiredAttestations.length > 0) {
+        const foundTypes = new Set(verifiedAttestations.map((a) => a.predicateType));
+        for (const required of policy.requiredAttestations) {
+            if (!foundTypes.has(required)) {
+                result.details.violations.push(`Required attestation type not found: ${required}`);
+            }
+        }
+    }
+    // Find matching publisher
+    const publisherAttestation = verifiedAttestations.find((a) => a.predicateType === ENACT_TOOL_TYPE);
+    if (publisherAttestation) {
+        const matchedPublisher = findMatchingRule(publisherAttestation.signer, policy.trustedPublishers);
+        if (matchedPublisher) {
+            result.matchedPublisher = matchedPublisher;
+            result.trustLevel = Math.max(result.trustLevel, 1);
+        }
+        else if (policy.trustedPublishers.length > 0) {
+            result.details.violations.push("Publisher identity does not match any trusted publisher rule");
+        }
+    }
+    // Find matching auditors
+    const auditorAttestations = verifiedAttestations.filter((a) => a.predicateType === ENACT_AUDIT_TYPE);
+    for (const auditorAttestation of auditorAttestations) {
+        const matchedAuditor = findMatchingRule(auditorAttestation.signer, policy.trustedAuditors);
+        if (matchedAuditor) {
+            result.matchedAuditors.push(matchedAuditor);
+            result.trustLevel = Math.max(result.trustLevel, 2);
+        }
+    }
+    // Check SLSA provenance for higher trust levels
+    const provenanceAttestation = verifiedAttestations.find((a) => a.predicateType === SLSA_PROVENANCE_TYPE);
+    if (provenanceAttestation) {
+        const slsaLevel = determineSLSALevel(provenanceAttestation.attestation);
+        result.trustLevel = Math.max(result.trustLevel, slsaLevel);
+    }
+    // Check minimum SLSA level
+    if (policy.minimumSLSALevel && result.trustLevel < policy.minimumSLSALevel) {
+        result.details.violations.push(`Trust level ${result.trustLevel} is below minimum required ${policy.minimumSLSALevel}`);
+    }
+    // Determine final trust status
+    result.trusted = result.details.violations.length === 0;
+    return result;
+}
+/**
+ * Quick check if an artifact should be trusted
+ *
+ * @param attestationBundles - Array of Sigstore bundles
+ * @param policy - Trust policy (defaults to DEFAULT_TRUST_POLICY)
+ * @returns True if artifact is trusted
+ */
+export async function isTrusted(attestationBundles, policy = DEFAULT_TRUST_POLICY) {
+    const result = await evaluateTrustPolicy(attestationBundles, policy);
+    return result.trusted;
+}
+// ============================================================================
+// Helper Functions
+// ============================================================================
+/**
+ * Find a matching identity rule for the given identity
+ */
+function findMatchingRule(identity, rules) {
+    for (const rule of rules) {
+        if (matchesIdentityRule(identity, rule)) {
+            return rule;
+        }
+    }
+    return undefined;
+}
+/**
+ * Check if an identity matches a rule
+ */
+function matchesIdentityRule(identity, rule) {
+    // Check issuer first if specified
+    if (rule.issuer && identity.issuer !== rule.issuer) {
+        return false;
+    }
+    // Match based on rule type
+    switch (rule.type) {
+        case "email":
+            return matchesPattern(identity.email || "", rule.pattern);
+        case "github-workflow":
+            return matchesPattern(identity.workflowRepository || "", rule.pattern);
+        case "gitlab-pipeline":
+            // GitLab uses subject for pipeline identity
+            return matchesPattern(identity.subject, rule.pattern);
+        case "uri":
+            return matchesPattern(identity.subject, rule.pattern);
+        default:
+            return false;
+    }
+}
+/**
+ * Match a value against a glob-like pattern
+ * Supports * for any characters and ? for single character
+ */
+function matchesPattern(value, pattern) {
+    // Convert glob pattern to regex
+    const regexPattern = pattern
+        .replace(/[.+^${}()|[\]\\]/g, "\\$&") // Escape regex special chars
+        .replace(/\*/g, ".*") // * matches any characters
+        .replace(/\?/g, "."); // ? matches single character
+    const regex = new RegExp(`^${regexPattern}$`, "i");
+    return regex.test(value);
+}
+/**
+ * Extract in-toto statement from a Sigstore bundle
+ */
+function extractAttestationFromBundle(bundle) {
+    if (!bundle.dsseEnvelope?.payload) {
+        return undefined;
+    }
+    try {
+        const payloadJson = Buffer.from(bundle.dsseEnvelope.payload, "base64").toString("utf8");
+        return JSON.parse(payloadJson);
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Determine SLSA level from provenance attestation
+ */
+function determineSLSALevel(attestation) {
+    if (attestation.predicateType !== SLSA_PROVENANCE_TYPE) {
+        return 0;
+    }
+    // biome-ignore lint/suspicious/noExplicitAny: Predicate structure varies
+    const predicate = attestation.predicate;
+    // SLSA Level 1: Provenance exists
+    if (!predicate?.buildDefinition || !predicate?.runDetails) {
+        return 0;
+    }
+    let level = 1;
+    // SLSA Level 2: Hosted build platform
+    if (predicate.runDetails?.builder?.id) {
+        level = 2;
+    }
+    // SLSA Level 3: Hardened builds (check for specific builder features)
+    if (predicate.buildDefinition?.internalParameters &&
+        predicate.buildDefinition?.resolvedDependencies) {
+        level = 3;
+    }
+    // SLSA Level 4: Would require additional verification of builder security
+    // This is simplified - real implementation would check builder attestations
+    return level;
+}
+// ============================================================================
+// Policy Serialization
+// ============================================================================
+/**
+ * Serialize a trust policy to JSON
+ */
+export function serializeTrustPolicy(policy) {
+    return JSON.stringify(policy, null, 2);
+}
+/**
+ * Deserialize a trust policy from JSON
+ */
+export function deserializeTrustPolicy(json) {
+    const parsed = JSON.parse(json);
+    // Validate required fields
+    if (!parsed.name || typeof parsed.name !== "string") {
+        throw new Error("Invalid trust policy: missing or invalid name");
+    }
+    if (!Array.isArray(parsed.trustedPublishers)) {
+        throw new Error("Invalid trust policy: trustedPublishers must be an array");
+    }
+    if (!Array.isArray(parsed.trustedAuditors)) {
+        throw new Error("Invalid trust policy: trustedAuditors must be an array");
+    }
+    return {
+        ...DEFAULT_TRUST_POLICY,
+        ...parsed,
+    };
+}
+//# sourceMappingURL=policy.js.map

package/dist/sigstore/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/sigstore/policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AACxF,OAAO,EAAE,yBAAyB,EAAE,MAAM,WAAW,CAAC;AAUtD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAgB;IAC/C,IAAI,EAAE,SAAS;IACf,OAAO,EAAE,KAAK;IACd,iBAAiB,EAAE,EAAE;IACrB,eAAe,EAAE,EAAE;IACnB,oBAAoB,EAAE,CAAC,eAAe,CAAC;IACvC,gBAAgB,EAAE,CAAC;IACnB,aAAa,EAAE,KAAK;IACpB,YAAY,EAAE,IAAI;CACnB,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAgB;IAC5C,IAAI,EAAE,YAAY;IAClB,OAAO,EAAE,KAAK;IACd,iBAAiB,EAAE,EAAE;IACrB,eAAe,EAAE,EAAE;IACnB,oBAAoB,EAAE,EAAE;IACxB,gBAAgB,EAAE,CAAC;IACnB,aAAa,EAAE,IAAI;IACnB,YAAY,EAAE,KAAK;CACpB,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAgB;IACxC,IAAI,EAAE,QAAQ;IACd,OAAO,EAAE,KAAK;IACd,iBAAiB,EAAE,EAAE;IACrB,eAAe,EAAE,EAAE;IACnB,oBAAoB,EAAE,CAAC,eAAe,EAAE,gBAAgB,CAAC;IACzD,gBAAgB,EAAE,CAAC;IACnB,aAAa,EAAE,KAAK;IACpB,YAAY,EAAE,IAAI;CACnB,CAAC;AAEF,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAgD;IAChF,OAAO;QACL,GAAG,oBAAoB;QACvB,GAAG,OAAO;QACV,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,KAAK;KAClC,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,kBAAkB,CAChC,IAAY,EACZ,IAAiC,EACjC,OAAe,EACf,UAAmF,EAAE;IAErF,MAAM,IAAI,GAAwB;QAChC,IAAI;QACJ,IAAI;QACJ,OAAO;KACR,CAAC;IAEF,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC/B,CAAC;IAED,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QAC3B,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;IAC/C,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,kBAAoC,EACpC,MAAmB;IAEnB,MAAM,MAAM,GAAsB;QAChC,OAAO,EAAE,KAAK;QACd,UAAU,EAAE,CAAC;QACb,eAAe,EAAE,EAAE;QACnB,OAAO,EAAE;YACP,YAAY,EAAE,EAAE;YAChB,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,EAAE;SACb;KACF,CAAC;IAEF,8DAA8D;IAC9D,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YACzB,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC;YACtB,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;YACnF,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;QAC7F,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,yDAAyD;IACzD,MAAM,oBAAoB,GAA0B,EAAE,CAAC;IAEvD,KAAK,MAAM,MAAM,IAAI,kBAAkB,EAAE,CAAC;QACxC,IAAI,CAAC;YACH,MAAM,kBAAkB,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAC;YAEtD,IAAI,CAAC,kBAAkB,CAAC,QAAQ,EAAE,CAAC;gBACjC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAC5B,oCAAoC,kBAAkB,CAAC,KAAK,EAAE,CAC/D,CAAC;gBACF,SAAS;YACX,CAAC;YAED,yCAAyC;YACzC,MAAM,WAAW,GAAG,4BAA4B,CAAC,MAAM,CAAC,CAAC;YACzD,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;gBAC1E,SAAS;YACX,CAAC;YAED,MAAM,QAAQ,GAAG,yBAAyB,CAAC,MAAM,CAAC,CAAC;YACnD,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;gBACvE,SAAS;YACX,CAAC;YAED,oBAAoB,CAAC,IAAI,CAAC;gBACxB,IAAI,EAAE,WAAW,CAAC,aAAa;gBAC/B,aAAa,EAAE,WAAW,CAAC,aAAa;gBACxC,MAAM,EAAE,QAAQ;gBAChB,UAAU,EAAE,IAAI,IAAI,EAAE;gBACtB,WAAW;aACZ,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,mCAAmC,OAAO,EAAE,CAAC,CAAC;QAC/E,CAAC;IACH,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,YAAY,GAAG,oBAAoB,CAAC;IAEnD,mCAAmC;IACnC,IAAI,MAAM,CAAC,oBAAoB,IAAI,MAAM,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1E,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;QAE7E,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,oBAAoB,EAAE,CAAC;YACnD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC9B,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,wCAAwC,QAAQ,EAAE,CAAC,CAAC;YACrF,CAAC;QACH,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,MAAM,oBAAoB,GAAG,oBAAoB,CAAC,IAAI,CACpD,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,KAAK,eAAe,CAC3C,CAAC;IAEF,IAAI,oBAAoB,EAAE,CAAC;QACzB,MAAM,gBAAgB,GAAG,gBAAgB,CACvC,oBAAoB,CAAC,MAAM,EAC3B,MAAM,CAAC,iBAAiB,CACzB,CAAC;QAEF,IAAI,gBAAgB,EAAE,CAAC;YACrB,MAAM,CAAC,gBAAgB,GAAG,gBAAgB,CAAC;YAC3C,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC,CAAsB,CAAC;QAC1E,CAAC;aAAM,IAAI,MAAM,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/C,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAC5B,8DAA8D,CAC/D,CAAC;QACJ,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,MAAM,mBAAmB,GAAG,oBAAoB,CAAC,MAAM,CACrD,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,KAAK,gBAAgB,CAC5C,CAAC;IAEF,KAAK,MAAM,kBAAkB,IAAI,mBAAmB,EAAE,CAAC;QACrD,MAAM,cAAc,GAAG,gBAAgB,CAAC,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC;QAE3F,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YAC5C,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC,CAAsB,CAAC;QAC1E,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,MAAM,qBAAqB,GAAG,oBAAoB,CAAC,IAAI,CACrD,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,KAAK,oBAAoB,CAChD,CAAC;IAEF,IAAI,qBAAqB,EAAE,CAAC;QAC1B,MAAM,SAAS,GAAG,kBAAkB,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC;QACxE,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,EAAE,SAAS,CAAsB,CAAC;IAClF,CAAC;IAED,2BAA2B;IAC3B,IAAI,MAAM,CAAC,gBAAgB,IAAI,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC3E,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAC5B,eAAe,MAAM,CAAC,UAAU,8BAA8B,MAAM,CAAC,gBAAgB,EAAE,CACxF,CAAC;IACJ,CAAC;IAED,+BAA+B;IAC/B,MAAM,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC;IAExD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,kBAAoC,EACpC,SAAsB,oBAAoB;IAE1C,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;IACrE,OAAO,MAAM,CAAC,OAAO,CAAC;AACxB,CAAC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;GAEG;AACH,SAAS,gBAAgB,CACvB,QAAsB,EACtB,KAA4B;IAE5B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,mBAAmB,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,QAAsB,EAAE,IAAyB;IAC5E,kCAAkC;IAClC,IAAI,IAAI,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;QACnD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,2BAA2B;IAC3B,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,KAAK,OAAO;YACV,OAAO,cAAc,CAAC,QAAQ,CAAC,KAAK,IAAI,EAAE,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAE5D,KAAK,iBAAiB;YACpB,OAAO,cAAc,CAAC,QAAQ,CAAC,kBAAkB,IAAI,EAAE,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAEzE,KAAK,iBAAiB;YACpB,4CAA4C;YAC5C,OAAO,cAAc,CAAC,QAAQ,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAExD,KAAK,KAAK;YACR,OAAO,cAAc,CAAC,QAAQ,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAExD;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,cAAc,CAAC,KAAa,EAAE,OAAe;IACpD,gCAAgC;IAChC,MAAM,YAAY,GAAG,OAAO;SACzB,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC,6BAA6B;SAClE,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,2BAA2B;SAChD,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,6BAA6B;IAErD,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,YAAY,GAAG,EAAE,GAAG,CAAC,CAAC;IACnD,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,SAAS,4BAA4B,CAAC,MAAsB;IAC1D,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,OAAO,EAAE,CAAC;QAClC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACxF,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAoB,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,WAA4B;IACtD,IAAI,WAAW,CAAC,aAAa,KAAK,oBAAoB,EAAE,CAAC;QACvD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,yEAAyE;IACzE,MAAM,SAAS,GAAG,WAAW,CAAC,SAAgB,CAAC;IAE/C,kCAAkC;IAClC,IAAI,CAAC,SAAS,EAAE,eAAe,IAAI,CAAC,SAAS,EAAE,UAAU,EAAE,CAAC;QAC1D,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,KAAK,GAAsB,CAAC,CAAC;IAEjC,sCAAsC;IACtC,IAAI,SAAS,CAAC,UAAU,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACtC,KAAK,GAAG,CAAC,CAAC;IACZ,CAAC;IAED,sEAAsE;IACtE,IACE,SAAS,CAAC,eAAe,EAAE,kBAAkB;QAC7C,SAAS,CAAC,eAAe,EAAE,oBAAoB,EAC/C,CAAC;QACD,KAAK,GAAG,CAAC,CAAC;IACZ,CAAC;IAED,0EAA0E;IAC1E,4EAA4E;IAE5E,OAAO,KAAK,CAAC;AACf,CAAC;AAED,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAmB;IACtD,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAAY;IACjD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEhC,2BAA2B;IAC3B,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC9E,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC;QAC3C,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;IAC5E,CAAC;IAED,OAAO;QACL,GAAG,oBAAoB;QACvB,GAAG,MAAM;KACV,CAAC;AACJ,CAAC"}

package/dist/sigstore/signing.d.ts

@@ -0,0 +1,94 @@
+/**
+ * OIDC-based keyless signing using Sigstore
+ *
+ * This module provides keyless signing capabilities using OIDC identity tokens.
+ * It integrates with Fulcio for certificate issuance and Rekor for transparency logging.
+ *
+ * For CI environments (GitHub Actions, GitLab CI, etc.), the sigstore library's
+ * native OIDC support is used. For interactive local signing, we use a native
+ * OAuth implementation that opens a browser for authentication.
+ */
+import { type SignOptions } from "sigstore";
+import type { SigningOptions as EnactSigningOptions, FulcioCertificate, OIDCIdentity, OIDCProvider, SigningResult, SigstoreBundle } from "./types";
+export type { SignOptions };
+/** Public Sigstore Fulcio URL */
+export declare const FULCIO_PUBLIC_URL = "https://fulcio.sigstore.dev";
+/** Public Sigstore Rekor URL */
+export declare const REKOR_PUBLIC_URL = "https://rekor.sigstore.dev";
+/** Public Sigstore TSA URL */
+export declare const TSA_PUBLIC_URL = "https://timestamp.sigstore.dev";
+/** OIDC issuer URLs for known providers */
+export declare const OIDC_ISSUERS: Record<OIDCProvider, string>;
+/**
+ * Detect OIDC provider from issuer URL
+ */
+export declare function detectOIDCProvider(issuer: string): OIDCProvider;
+/**
+ * Extract identity information from an OIDC token
+ *
+ * @param token - The OIDC identity token
+ * @returns Extracted identity information
+ */
+export declare function extractOIDCIdentity(token: string): OIDCIdentity;
+/**
+ * Get OIDC token from environment (for CI/CD environments)
+ *
+ * @param provider - The OIDC provider
+ * @returns The OIDC token if available
+ */
+export declare function getOIDCTokenFromEnvironment(provider: OIDCProvider): string | undefined;
+/**
+ * Sign an artifact using keyless (OIDC) signing
+ *
+ * In CI environments with native OIDC support (GitHub Actions, GitLab CI),
+ * uses the sigstore library directly. For interactive local signing,
+ * uses native OAuth implementation that opens browser for authentication.
+ *
+ * @param artifact - The artifact to sign (as a Buffer)
+ * @param options - Signing options
+ * @returns The signing result including the Sigstore bundle
+ *
+ * @example
+ * ```ts
+ * const artifact = Buffer.from(JSON.stringify(manifest));
+ * const result = await signArtifact(artifact, {
+ *   oidc: { provider: "github" }
+ * });
+ * console.log(result.bundle);
+ * ```
+ */
+export declare function signArtifact(artifact: Buffer, options?: EnactSigningOptions): Promise<SigningResult>;
+/**
+ * Sign an in-toto attestation using keyless signing
+ *
+ * In CI environments with native OIDC support, uses the sigstore library.
+ * For interactive local signing, uses native OAuth with browser authentication.
+ *
+ * @param attestation - The attestation to sign (in-toto statement)
+ * @param options - Signing options
+ * @returns The signing result including the Sigstore bundle
+ *
+ * @example
+ * ```ts
+ * const statement = {
+ *   _type: "https://in-toto.io/Statement/v1",
+ *   subject: [{ name: "tool.yaml", digest: { sha256: "abc123..." } }],
+ *   predicateType: "https://slsa.dev/provenance/v1",
+ *   predicate: { ... }
+ * };
+ * const result = await signAttestation(statement, { oidc: { provider: "github" } });
+ * ```
+ */
+export declare function signAttestation(attestation: Record<string, unknown>, options?: EnactSigningOptions): Promise<SigningResult>;
+/**
+ * Extract certificate information from a Sigstore bundle
+ */
+export declare function extractCertificateFromBundle(bundle: SigstoreBundle): FulcioCertificate | undefined;
+/**
+ * Extract identity from a signing certificate in a bundle
+ *
+ * @param bundle - The Sigstore bundle
+ * @returns The OIDC identity if it can be extracted
+ */
+export declare function extractIdentityFromBundle(bundle: SigstoreBundle): OIDCIdentity | undefined;
+//# sourceMappingURL=signing.d.ts.map

package/dist/sigstore/signing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.d.ts","sourceRoot":"","sources":["../../src/sigstore/signing.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,KAAK,WAAW,EAAgB,MAAM,UAAU,CAAC;AAG1D,OAAO,KAAK,EACV,cAAc,IAAI,mBAAmB,EACrC,iBAAiB,EACjB,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,cAAc,EACf,MAAM,SAAS,CAAC;AAGjB,YAAY,EAAE,WAAW,EAAE,CAAC;AAM5B,iCAAiC;AACjC,eAAO,MAAM,iBAAiB,gCAAgC,CAAC;AAE/D,gCAAgC;AAChC,eAAO,MAAM,gBAAgB,+BAA+B,CAAC;AAE7D,8BAA8B;AAC9B,eAAO,MAAM,cAAc,mCAAmC,CAAC;AAE/D,2CAA2C;AAC3C,eAAO,MAAM,YAAY,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAMrD,CAAC;AA+BF;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,CAO/D;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAgC/D;AAED;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,YAAY,GAAG,MAAM,GAAG,SAAS,CAUtF;AAoCD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,aAAa,CAAC,CAgGxB;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,eAAe,CACnC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACpC,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,aAAa,CAAC,CAmGxB;AA2ED;;GAEG;AACH,wBAAgB,4BAA4B,CAC1C,MAAM,EAAE,cAAc,GACrB,iBAAiB,GAAG,SAAS,CAmD/B;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,cAAc,GAAG,YAAY,GAAG,SAAS,CAI1F"}