@enactprotocol/trust 2.0.0 → 2.0.1

package/dist/sigstore/types.d.ts

@@ -0,0 +1,541 @@
+/**
+ * Sigstore-related type definitions for attestation and verification
+ */
+import type { Bundle } from "sigstore";
+export type SigstoreBundle = Bundle;
+/**
+ * Supported OIDC providers for keyless signing
+ */
+export type OIDCProvider = "github" | "google" | "microsoft" | "gitlab" | "custom";
+/**
+ * OIDC identity information extracted from tokens
+ */
+export interface OIDCIdentity {
+    /** OIDC provider that issued the token */
+    provider: OIDCProvider;
+    /** Subject identifier (e.g., email or user ID) */
+    subject: string;
+    /** Issuer URL */
+    issuer: string;
+    /** Email address if available */
+    email?: string;
+    /** Username for the provider (e.g., GitHub username) */
+    username?: string;
+    /** GitHub-specific: workflow repository */
+    workflowRepository?: string;
+    /** GitHub-specific: workflow ref (branch/tag) */
+    workflowRef?: string;
+    /** GitHub-specific: workflow trigger event */
+    workflowTrigger?: string;
+    /** Raw OIDC token claims */
+    claims?: Record<string, unknown>;
+}
+/**
+ * Options for OIDC authentication
+ */
+export interface OIDCOptions {
+    /** OIDC provider to use */
+    provider: OIDCProvider;
+    /** Custom issuer URL (for custom provider) */
+    issuerURL?: string;
+    /** Client ID for OIDC flow */
+    clientId?: string;
+    /** Redirect URI for OAuth flow */
+    redirectUri?: string;
+    /** Pre-obtained OIDC token (for CI/CD environments) */
+    token?: string;
+}
+/**
+ * Fulcio certificate information
+ */
+export interface FulcioCertificate {
+    /** PEM-encoded certificate chain */
+    certificateChain: string[];
+    /** Certificate serial number */
+    serialNumber: string;
+    /** Certificate not before time */
+    notBefore: Date;
+    /** Certificate not after time */
+    notAfter: Date;
+    /** Subject common name */
+    subject: string;
+    /** Certificate issuer */
+    issuer: string;
+    /** OIDC identity embedded in certificate */
+    identity: OIDCIdentity;
+    /** Raw certificate bytes (DER encoded) */
+    raw?: Uint8Array;
+}
+/**
+ * Options for requesting a Fulcio certificate
+ */
+export interface FulcioCertificateOptions {
+    /** Fulcio server URL (default: public Fulcio instance) */
+    fulcioURL?: string;
+    /** OIDC identity token */
+    identityToken: string;
+    /** Public key to certify */
+    publicKey: string;
+    /** Proof of possession signature */
+    proofOfPossession: string;
+}
+/**
+ * Rekor transparency log entry
+ */
+export interface RekorEntry {
+    /** Log entry UUID */
+    uuid: string;
+    /** Log entry index */
+    logIndex: number;
+    /** Integrated time (Unix timestamp) */
+    integratedTime: number;
+    /** Log ID */
+    logID: string;
+    /** Entry body (base64 encoded) */
+    body: string;
+    /** Signed Entry Timestamp (SET) */
+    signedEntryTimestamp: string;
+    /** Inclusion proof */
+    inclusionProof?: RekorInclusionProof;
+}
+/**
+ * Inclusion proof for a Rekor entry
+ */
+export interface RekorInclusionProof {
+    /** Log index */
+    logIndex: number;
+    /** Root hash of the tree at the time of inclusion */
+    rootHash: string;
+    /** Tree size at time of inclusion */
+    treeSize: number;
+    /** Hashes for the inclusion proof */
+    hashes: string[];
+}
+/**
+ * Options for creating a Rekor entry
+ */
+export interface RekorEntryOptions {
+    /** Rekor server URL (default: public Rekor instance) */
+    rekorURL?: string;
+    /** Artifact hash */
+    artifactHash: string;
+    /** Signature over the artifact */
+    signature: string;
+    /** Signing certificate */
+    certificate: string;
+}
+/**
+ * in-toto Statement (attestation envelope)
+ * @see https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md
+ */
+export interface InTotoStatement<T = unknown> {
+    /** Statement type identifier */
+    _type: "https://in-toto.io/Statement/v1";
+    /** Subjects (artifacts) this attestation covers */
+    subject: InTotoSubject[];
+    /** Predicate type URI */
+    predicateType: string;
+    /** Predicate content */
+    predicate: T;
+}
+/**
+ * Subject of an in-toto statement
+ */
+export interface InTotoSubject {
+    /** Subject name (e.g., file path or artifact identifier) */
+    name: string;
+    /** Digest of the subject in various algorithms */
+    digest: {
+        sha256?: string;
+        sha512?: string;
+        [algorithm: string]: string | undefined;
+    };
+}
+/**
+ * SLSA Provenance predicate v1.0
+ * @see https://slsa.dev/spec/v1.0/provenance
+ */
+export interface SLSAProvenancePredicate {
+    /** Build definition */
+    buildDefinition: {
+        /** Build type URI */
+        buildType: string;
+        /** External parameters */
+        externalParameters: Record<string, unknown>;
+        /** Internal parameters */
+        internalParameters?: Record<string, unknown>;
+        /** Resolved dependencies */
+        resolvedDependencies?: SLSAResourceDescriptor[];
+    };
+    /** Run details */
+    runDetails: {
+        /** Builder information */
+        builder: {
+            /** Builder ID */
+            id: string;
+            /** Builder dependencies */
+            builderDependencies?: SLSAResourceDescriptor[];
+            /** Builder version */
+            version?: Record<string, string>;
+        };
+        /** Build metadata */
+        metadata?: {
+            /** Invocation ID */
+            invocationId?: string;
+            /** Start time */
+            startedOn?: string;
+            /** End time */
+            finishedOn?: string;
+        };
+        /** Byproducts of the build */
+        byproducts?: SLSAResourceDescriptor[];
+    };
+}
+/**
+ * SLSA Resource Descriptor
+ */
+export interface SLSAResourceDescriptor {
+    /** Resource URI */
+    uri?: string;
+    /** Resource digest */
+    digest?: {
+        sha256?: string;
+        sha512?: string;
+        [algorithm: string]: string | undefined;
+    };
+    /** Resource name */
+    name?: string;
+    /** Download location */
+    downloadLocation?: string;
+    /** Media type */
+    mediaType?: string;
+    /** Content (for inline resources) */
+    content?: string;
+    /** Annotations */
+    annotations?: Record<string, unknown>;
+}
+/**
+ * Transparency log entry in bundle format (for reference/extraction)
+ */
+export interface TransparencyLogEntry {
+    /** Log index */
+    logIndex: string;
+    /** Log ID */
+    logId: {
+        keyId: string;
+    };
+    /** Entry kind and version */
+    kindVersion: {
+        kind: "hashedrekord" | "intoto" | "dsse";
+        version: string;
+    };
+    /** Integrated time (Unix timestamp) */
+    integratedTime: string;
+    /** Inclusion promise */
+    inclusionPromise?: {
+        signedEntryTimestamp: string;
+    };
+    /** Inclusion proof */
+    inclusionProof?: {
+        logIndex: string;
+        rootHash: string;
+        treeSize: string;
+        hashes: string[];
+        checkpoint: {
+            envelope: string;
+        };
+    };
+    /** Canonicalized body */
+    canonicalizedBody: string;
+}
+/**
+ * Options for signing an artifact
+ */
+export interface SigningOptions {
+    /** OIDC options for keyless signing */
+    oidc?: OIDCOptions;
+    /** Use public Sigstore infrastructure (default: true) */
+    usePublicInstance?: boolean;
+    /** Custom Fulcio URL */
+    fulcioURL?: string;
+    /** Custom Rekor URL */
+    rekorURL?: string;
+    /** Custom TSA (Timestamp Authority) URL */
+    tsaURL?: string;
+    /** Timeout in milliseconds */
+    timeout?: number;
+}
+/**
+ * Result of a signing operation
+ */
+export interface SigningResult {
+    /** The signed bundle */
+    bundle: SigstoreBundle;
+    /** Signing certificate (if keyless signing used) */
+    certificate?: FulcioCertificate;
+    /** Rekor log entry */
+    rekorEntry?: RekorEntry;
+    /** Timestamp of signing */
+    timestamp: Date;
+}
+/**
+ * Options for verifying an artifact
+ */
+export interface VerificationOptions {
+    /** Trust root to use (default: public Sigstore TUF root) */
+    trustRoot?: TrustRoot;
+    /** Expected identity to verify against */
+    expectedIdentity?: ExpectedIdentity;
+    /** Use public Sigstore infrastructure (default: true) */
+    usePublicInstance?: boolean;
+    /** Verify certificate transparency (default: true) */
+    verifyCertificateTransparency?: boolean;
+    /** Verify timestamp (default: true) */
+    verifyTimestamp?: boolean;
+    /** Timeout in milliseconds */
+    timeout?: number;
+}
+/**
+ * Expected identity for verification
+ */
+export interface ExpectedIdentity {
+    /** Expected certificate subject (email or URI) */
+    subjectAlternativeName?: string;
+    /** Expected OIDC issuer */
+    issuer?: string;
+    /** Expected GitHub workflow repository */
+    workflowRepository?: string;
+    /** Expected GitHub workflow ref */
+    workflowRef?: string;
+}
+/**
+ * Result of a verification operation
+ */
+export interface VerificationResult {
+    /** Whether verification succeeded */
+    verified: boolean;
+    /** Error message if verification failed */
+    error?: string;
+    /** Details about verification checks */
+    details: VerificationDetails;
+    /** Extracted identity from certificate */
+    identity?: OIDCIdentity;
+    /** Timestamp of artifact creation (from Rekor) */
+    timestamp?: Date;
+}
+/**
+ * Detailed verification check results
+ */
+export interface VerificationDetails {
+    /** Signature verification passed */
+    signatureValid: boolean;
+    /** Certificate chain valid */
+    certificateValid: boolean;
+    /** Certificate within validity period (at signing time) */
+    certificateWithinValidity: boolean;
+    /** Rekor entry found and valid */
+    rekorEntryValid: boolean;
+    /** Inclusion proof verified */
+    inclusionProofValid: boolean;
+    /** Identity matches expected (if specified) */
+    identityMatches?: boolean;
+    /** Individual check errors */
+    errors: string[];
+}
+/**
+ * Trust root for Sigstore verification
+ */
+export interface TrustRoot {
+    /** Trusted certificate authorities (for Fulcio) */
+    certificateAuthorities: CertificateAuthority[];
+    /** Trusted transparency logs (for Rekor) */
+    transparencyLogs: TransparencyLog[];
+    /** Timestamp authorities */
+    timestampAuthorities?: TimestampAuthority[];
+}
+/**
+ * Certificate authority configuration
+ */
+export interface CertificateAuthority {
+    /** CA subject */
+    subject: {
+        organization?: string;
+        commonName?: string;
+    };
+    /** Root certificate (PEM or DER) */
+    rootCertificate: string;
+    /** Certificate chain (if intermediate CAs) */
+    certificateChain?: string[];
+    /** Validity period */
+    validFor: {
+        start: Date;
+        end?: Date;
+    };
+}
+/**
+ * Transparency log configuration
+ */
+export interface TransparencyLog {
+    /** Log ID */
+    logId: string;
+    /** Log public key */
+    publicKey: string;
+    /** Log URL */
+    baseUrl: string;
+    /** Hash algorithm used */
+    hashAlgorithm: "sha256" | "sha384" | "sha512";
+    /** Validity period */
+    validFor: {
+        start: Date;
+        end?: Date;
+    };
+}
+/**
+ * Timestamp authority configuration
+ */
+export interface TimestampAuthority {
+    /** TSA subject */
+    subject: {
+        organization?: string;
+        commonName?: string;
+    };
+    /** TSA certificate chain */
+    certificateChain: string[];
+    /** Validity period */
+    validFor: {
+        start: Date;
+        end?: Date;
+    };
+}
+/**
+ * Trust policy for evaluating attestations
+ */
+export interface TrustPolicy {
+    /** Policy name */
+    name: string;
+    /** Policy version */
+    version: string;
+    /** Trusted publishers (by identity) */
+    trustedPublishers: TrustedIdentityRule[];
+    /** Trusted auditors (can vouch for tools) */
+    trustedAuditors: TrustedIdentityRule[];
+    /** Required attestation types */
+    requiredAttestations?: string[];
+    /** Minimum SLSA level required */
+    minimumSLSALevel?: 0 | 1 | 2 | 3 | 4;
+    /** Allow unsigned tools (default: false) */
+    allowUnsigned?: boolean;
+    /** Cache verification results */
+    cacheResults?: boolean;
+}
+/**
+ * Rule for matching trusted identities
+ */
+export interface TrustedIdentityRule {
+    /** Rule name/description */
+    name: string;
+    /** Identity type */
+    type: "email" | "github-workflow" | "gitlab-pipeline" | "uri";
+    /** Pattern to match (supports glob) */
+    pattern: string;
+    /** Expected OIDC issuer */
+    issuer?: string;
+    /** Required claims */
+    requiredClaims?: Record<string, string | string[]>;
+}
+/**
+ * Result of trust policy evaluation
+ */
+export interface TrustPolicyResult {
+    /** Whether the artifact is trusted */
+    trusted: boolean;
+    /** Trust level (0 = unsigned, 1-4 = SLSA levels) */
+    trustLevel: 0 | 1 | 2 | 3 | 4;
+    /** Matched publisher rule (if any) */
+    matchedPublisher?: TrustedIdentityRule;
+    /** Matched auditor rules (if any) */
+    matchedAuditors: TrustedIdentityRule[];
+    /** Policy evaluation details */
+    details: {
+        /** All verified attestations */
+        attestations: VerifiedAttestation[];
+        /** Policy violations */
+        violations: string[];
+        /** Warnings */
+        warnings: string[];
+    };
+}
+/**
+ * A verified attestation with metadata
+ */
+export interface VerifiedAttestation {
+    /** Attestation type */
+    type: string;
+    /** Predicate type */
+    predicateType: string;
+    /** Signer identity */
+    signer: OIDCIdentity;
+    /** Verification timestamp */
+    verifiedAt: Date;
+    /** Full attestation content */
+    attestation: InTotoStatement;
+}
+/**
+ * Enact tool attestation predicate
+ */
+export interface EnactToolPredicate {
+    /** Enact-specific predicate type */
+    type: "https://enact.tools/attestation/tool/v1";
+    /** Tool metadata */
+    tool: {
+        /** Tool name */
+        name: string;
+        /** Tool version */
+        version: string;
+        /** Tool publisher */
+        publisher: string;
+        /** Tool description */
+        description?: string;
+        /** Tool repository */
+        repository?: string;
+    };
+    /** Build information */
+    build?: {
+        /** Build timestamp */
+        timestamp: string;
+        /** Build environment */
+        environment?: Record<string, string>;
+        /** Source commit */
+        sourceCommit?: string;
+    };
+    /** Security audit information */
+    audit?: {
+        /** Auditor identity */
+        auditor: string;
+        /** Audit timestamp */
+        timestamp: string;
+        /** Audit result */
+        result: "passed" | "passed-with-warnings" | "failed";
+        /** Audit notes */
+        notes?: string;
+    };
+}
+/**
+ * Enact attestation bundle (tool manifest + attestations)
+ */
+export interface EnactAttestationBundle {
+    /** Bundle format version */
+    version: "1.0";
+    /** Tool manifest hash */
+    manifestHash: {
+        algorithm: "sha256";
+        digest: string;
+    };
+    /** Publisher attestation (required) */
+    publisherAttestation: SigstoreBundle;
+    /** Auditor attestations (optional) */
+    auditorAttestations?: SigstoreBundle[];
+    /** Provenance attestation (optional) */
+    provenanceAttestation?: SigstoreBundle;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/sigstore/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/sigstore/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAGvC,MAAM,MAAM,cAAc,GAAG,MAAM,CAAC;AAMpC;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,QAAQ,GAAG,WAAW,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAEnF;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,0CAA0C;IAC1C,QAAQ,EAAE,YAAY,CAAC;IACvB,kDAAkD;IAClD,OAAO,EAAE,MAAM,CAAC;IAChB,iBAAiB;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,iCAAiC;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2CAA2C;IAC3C,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,iDAAiD;IACjD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,8CAA8C;IAC9C,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,4BAA4B;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,2BAA2B;IAC3B,QAAQ,EAAE,YAAY,CAAC;IACvB,8CAA8C;IAC9C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8BAA8B;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uDAAuD;IACvD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAMD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,oCAAoC;IACpC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,gCAAgC;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,kCAAkC;IAClC,SAAS,EAAE,IAAI,CAAC;IAChB,iCAAiC;IACjC,QAAQ,EAAE,IAAI,CAAC;IACf,0BAA0B;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,yBAAyB;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,4CAA4C;IAC5C,QAAQ,EAAE,YAAY,CAAC;IACvB,0CAA0C;IAC1C,GAAG,CAAC,EAAE,UAAU,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,0DAA0D;IAC1D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,0BAA0B;IAC1B,aAAa,EAAE,MAAM,CAAC;IACtB,4BAA4B;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,oCAAoC;IACpC,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAMD;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,qBAAqB;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,sBAAsB;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,uCAAuC;IACvC,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa;IACb,KAAK,EAAE,MAAM,CAAC;IACd,kCAAkC;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,mCAAmC;IACnC,oBAAoB,EAAE,MAAM,CAAC;IAC7B,sBAAsB;IACtB,cAAc,CAAC,EAAE,mBAAmB,CAAC;CACtC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,gBAAgB;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,QAAQ,EAAE,MAAM,CAAC;IACjB,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,qCAAqC;IACrC,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,wDAAwD;IACxD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oBAAoB;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,kCAAkC;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAC;CACrB;AAMD;;;GAGG;AACH,MAAM,WAAW,eAAe,CAAC,CAAC,GAAG,OAAO;IAC1C,gCAAgC;IAChC,KAAK,EAAE,iCAAiC,CAAC;IACzC,mDAAmD;IACnD,OAAO,EAAE,aAAa,EAAE,CAAC;IACzB,yBAAyB;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,wBAAwB;IACxB,SAAS,EAAE,CAAC,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,4DAA4D;IAC5D,IAAI,EAAE,MAAM,CAAC;IACb,kDAAkD;IAClD,MAAM,EAAE;QACN,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;KACzC,CAAC;CACH;AAED;;;GAGG;AACH,MAAM,WAAW,uBAAuB;IACtC,uBAAuB;IACvB,eAAe,EAAE;QACf,qBAAqB;QACrB,SAAS,EAAE,MAAM,CAAC;QAClB,0BAA0B;QAC1B,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC5C,0BAA0B;QAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC7C,4BAA4B;QAC5B,oBAAoB,CAAC,EAAE,sBAAsB,EAAE,CAAC;KACjD,CAAC;IACF,kBAAkB;IAClB,UAAU,EAAE;QACV,0BAA0B;QAC1B,OAAO,EAAE;YACP,iBAAiB;YACjB,EAAE,EAAE,MAAM,CAAC;YACX,2BAA2B;YAC3B,mBAAmB,CAAC,EAAE,sBAAsB,EAAE,CAAC;YAC/C,sBAAsB;YACtB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;SAClC,CAAC;QACF,qBAAqB;QACrB,QAAQ,CAAC,EAAE;YACT,oBAAoB;YACpB,YAAY,CAAC,EAAE,MAAM,CAAC;YACtB,iBAAiB;YACjB,SAAS,CAAC,EAAE,MAAM,CAAC;YACnB,eAAe;YACf,UAAU,CAAC,EAAE,MAAM,CAAC;SACrB,CAAC;QACF,8BAA8B;QAC9B,UAAU,CAAC,EAAE,sBAAsB,EAAE,CAAC;KACvC,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,mBAAmB;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,sBAAsB;IACtB,MAAM,CAAC,EAAE;QACP,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;KACzC,CAAC;IACF,oBAAoB;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wBAAwB;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,iBAAiB;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kBAAkB;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACvC;AAUD;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,gBAAgB;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa;IACb,KAAK,EAAE;QACL,KAAK,EAAE,MAAM,CAAC;KACf,CAAC;IACF,6BAA6B;IAC7B,WAAW,EAAE;QACX,IAAI,EAAE,cAAc,GAAG,QAAQ,GAAG,MAAM,CAAC;QACzC,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,uCAAuC;IACvC,cAAc,EAAE,MAAM,CAAC;IACvB,wBAAwB;IACxB,gBAAgB,CAAC,EAAE;QACjB,oBAAoB,EAAE,MAAM,CAAC;KAC9B,CAAC;IACF,sBAAsB;IACtB,cAAc,CAAC,EAAE;QACf,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,UAAU,EAAE;YACV,QAAQ,EAAE,MAAM,CAAC;SAClB,CAAC;KACH,CAAC;IACF,yBAAyB;IACzB,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAMD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,uCAAuC;IACvC,IAAI,CAAC,EAAE,WAAW,CAAC;IACnB,yDAAyD;IACzD,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,wBAAwB;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uBAAuB;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2CAA2C;IAC3C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,wBAAwB;IACxB,MAAM,EAAE,cAAc,CAAC;IACvB,oDAAoD;IACpD,WAAW,CAAC,EAAE,iBAAiB,CAAC;IAChC,sBAAsB;IACtB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,2BAA2B;IAC3B,SAAS,EAAE,IAAI,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,4DAA4D;IAC5D,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,0CAA0C;IAC1C,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,yDAAyD;IACzD,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,sDAAsD;IACtD,6BAA6B,CAAC,EAAE,OAAO,CAAC;IACxC,uCAAuC;IACvC,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,8BAA8B;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,kDAAkD;IAClD,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,2BAA2B;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,0CAA0C;IAC1C,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,mCAAmC;IACnC,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,qCAAqC;IACrC,QAAQ,EAAE,OAAO,CAAC;IAClB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wCAAwC;IACxC,OAAO,EAAE,mBAAmB,CAAC;IAC7B,0CAA0C;IAC1C,QAAQ,CAAC,EAAE,YAAY,CAAC;IACxB,kDAAkD;IAClD,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,oCAAoC;IACpC,cAAc,EAAE,OAAO,CAAC;IACxB,8BAA8B;IAC9B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,2DAA2D;IAC3D,yBAAyB,EAAE,OAAO,CAAC;IACnC,kCAAkC;IAClC,eAAe,EAAE,OAAO,CAAC;IACzB,+BAA+B;IAC/B,mBAAmB,EAAE,OAAO,CAAC;IAC7B,+CAA+C;IAC/C,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAMD;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,mDAAmD;IACnD,sBAAsB,EAAE,oBAAoB,EAAE,CAAC;IAC/C,4CAA4C;IAC5C,gBAAgB,EAAE,eAAe,EAAE,CAAC;IACpC,4BAA4B;IAC5B,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,CAAC;CAC7C;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,iBAAiB;IACjB,OAAO,EAAE;QACP,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,oCAAoC;IACpC,eAAe,EAAE,MAAM,CAAC;IACxB,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,sBAAsB;IACtB,QAAQ,EAAE;QACR,KAAK,EAAE,IAAI,CAAC;QACZ,GAAG,CAAC,EAAE,IAAI,CAAC;KACZ,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,aAAa;IACb,KAAK,EAAE,MAAM,CAAC;IACd,qBAAqB;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,0BAA0B;IAC1B,aAAa,EAAE,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC;IAC9C,sBAAsB;IACtB,QAAQ,EAAE;QACR,KAAK,EAAE,IAAI,CAAC;QACZ,GAAG,CAAC,EAAE,IAAI,CAAC;KACZ,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,kBAAkB;IAClB,OAAO,EAAE;QACP,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,4BAA4B;IAC5B,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,sBAAsB;IACtB,QAAQ,EAAE;QACR,KAAK,EAAE,IAAI,CAAC;QACZ,GAAG,CAAC,EAAE,IAAI,CAAC;KACZ,CAAC;CACH;AAMD;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,kBAAkB;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,qBAAqB;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,iBAAiB,EAAE,mBAAmB,EAAE,CAAC;IACzC,6CAA6C;IAC7C,eAAe,EAAE,mBAAmB,EAAE,CAAC;IACvC,iCAAiC;IACjC,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,kCAAkC;IAClC,gBAAgB,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACrC,4CAA4C;IAC5C,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,iCAAiC;IACjC,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,4BAA4B;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,oBAAoB;IACpB,IAAI,EAAE,OAAO,GAAG,iBAAiB,GAAG,iBAAiB,GAAG,KAAK,CAAC;IAC9D,uCAAuC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,2BAA2B;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,sBAAsB;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;CACpD;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,sCAAsC;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,oDAAoD;IACpD,UAAU,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC9B,sCAAsC;IACtC,gBAAgB,CAAC,EAAE,mBAAmB,CAAC;IACvC,qCAAqC;IACrC,eAAe,EAAE,mBAAmB,EAAE,CAAC;IACvC,gCAAgC;IAChC,OAAO,EAAE;QACP,gCAAgC;QAChC,YAAY,EAAE,mBAAmB,EAAE,CAAC;QACpC,wBAAwB;QACxB,UAAU,EAAE,MAAM,EAAE,CAAC;QACrB,eAAe;QACf,QAAQ,EAAE,MAAM,EAAE,CAAC;KACpB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,uBAAuB;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,qBAAqB;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,sBAAsB;IACtB,MAAM,EAAE,YAAY,CAAC;IACrB,6BAA6B;IAC7B,UAAU,EAAE,IAAI,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,eAAe,CAAC;CAC9B;AAMD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,oCAAoC;IACpC,IAAI,EAAE,yCAAyC,CAAC;IAChD,oBAAoB;IACpB,IAAI,EAAE;QACJ,gBAAgB;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,mBAAmB;QACnB,OAAO,EAAE,MAAM,CAAC;QAChB,qBAAqB;QACrB,SAAS,EAAE,MAAM,CAAC;QAClB,uBAAuB;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,sBAAsB;QACtB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,wBAAwB;IACxB,KAAK,CAAC,EAAE;QACN,sBAAsB;QACtB,SAAS,EAAE,MAAM,CAAC;QAClB,wBAAwB;QACxB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACrC,oBAAoB;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;IACF,iCAAiC;IACjC,KAAK,CAAC,EAAE;QACN,uBAAuB;QACvB,OAAO,EAAE,MAAM,CAAC;QAChB,sBAAsB;QACtB,SAAS,EAAE,MAAM,CAAC;QAClB,mBAAmB;QACnB,MAAM,EAAE,QAAQ,GAAG,sBAAsB,GAAG,QAAQ,CAAC;QACrD,kBAAkB;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,4BAA4B;IAC5B,OAAO,EAAE,KAAK,CAAC;IACf,yBAAyB;IACzB,YAAY,EAAE;QACZ,SAAS,EAAE,QAAQ,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,uCAAuC;IACvC,oBAAoB,EAAE,cAAc,CAAC;IACrC,sCAAsC;IACtC,mBAAmB,CAAC,EAAE,cAAc,EAAE,CAAC;IACvC,wCAAwC;IACxC,qBAAqB,CAAC,EAAE,cAAc,CAAC;CACxC"}

package/dist/sigstore/types.js

@@ -0,0 +1,5 @@
+/**
+ * Sigstore-related type definitions for attestation and verification
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/sigstore/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/sigstore/types.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/sigstore/verification.d.ts

@@ -0,0 +1,66 @@
+/**
+ * Sigstore verification module
+ *
+ * This module provides verification capabilities for Sigstore bundles and attestations.
+ * It verifies signatures, certificates, and transparency log entries.
+ *
+ * NOTE: This implementation bypasses TUF (The Update Framework) and uses bundled trusted
+ * roots directly. This is necessary for Bun compatibility because TUF verification fails
+ * with BoringSSL's stricter signature algorithm requirements.
+ */
+import type { SigstoreBundle, VerificationOptions, VerificationResult } from "./types";
+/**
+ * Verify a Sigstore bundle
+ *
+ * @param bundle - The Sigstore bundle to verify
+ * @param artifact - Optional artifact data (for message signature bundles)
+ * @param options - Verification options
+ * @returns Verification result with detailed checks
+ *
+ * @example
+ * ```ts
+ * const result = await verifyBundle(bundle, artifact, {
+ *   expectedIdentity: {
+ *     subjectAlternativeName: "user@example.com",
+ *     issuer: "https://accounts.google.com"
+ *   }
+ * });
+ * if (result.verified) {
+ *   console.log("Bundle verified successfully");
+ * }
+ * ```
+ */
+export declare function verifyBundle(bundle: SigstoreBundle, artifact?: Buffer, options?: VerificationOptions): Promise<VerificationResult>;
+/**
+ * Create a reusable verifier for multiple verifications
+ *
+ * @param options - Verification options
+ * @returns A verifier object that can verify multiple bundles
+ *
+ * @example
+ * ```ts
+ * const verifier = await createBundleVerifier({
+ *   expectedIdentity: { issuer: "https://accounts.google.com" }
+ * });
+ *
+ * // Verify multiple bundles efficiently
+ * for (const bundle of bundles) {
+ *   verifier.verify(bundle);
+ * }
+ * ```
+ */
+export declare function createBundleVerifier(options?: VerificationOptions): Promise<{
+    /**
+     * Verify a bundle using the cached verifier
+     */
+    verify: (bundle: SigstoreBundle, artifact?: Buffer) => Promise<VerificationResult>;
+}>;
+/**
+ * Quick verification check - returns boolean only
+ *
+ * @param bundle - The Sigstore bundle to verify
+ * @param artifact - Optional artifact data
+ * @returns True if verification passes, false otherwise
+ */
+export declare function isVerified(bundle: SigstoreBundle, artifact?: Buffer): Promise<boolean>;
+//# sourceMappingURL=verification.d.ts.map

package/dist/sigstore/verification.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verification.d.ts","sourceRoot":"","sources":["../../src/sigstore/verification.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAQH,OAAO,KAAK,EAGV,cAAc,EAEd,mBAAmB,EACnB,kBAAkB,EACnB,MAAM,SAAS,CAAC;AA6CjB;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,cAAc,EACtB,QAAQ,CAAC,EAAE,MAAM,EACjB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,kBAAkB,CAAC,CAwE7B;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,oBAAoB,CAAC,OAAO,GAAE,mBAAwB;IAMxE;;OAEG;qBACoB,cAAc,aAAa,MAAM,KAAG,OAAO,CAAC,kBAAkB,CAAC;GA+DzF;AAED;;;;;;GAMG;AACH,wBAAsB,UAAU,CAAC,MAAM,EAAE,cAAc,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAW5F"}