@enactprotocol/trust 2.0.0 → 2.0.2

package/dist/hash.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Hash utilities for content integrity verification
+ */
+import type { FileHashOptions, HashAlgorithm, HashResult } from "./types";
+/**
+ * Hash a string or buffer using the specified algorithm
+ *
+ * @param content - The content to hash
+ * @param algorithm - The hash algorithm to use (default: sha256)
+ * @returns Hash result with algorithm and digest
+ *
+ * @example
+ * ```ts
+ * const result = hashContent("hello world");
+ * console.log(result.digest); // "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"
+ * ```
+ */
+export declare function hashContent(content: string | Buffer, algorithm?: HashAlgorithm): HashResult;
+/**
+ * Hash a buffer directly
+ *
+ * @param buffer - The buffer to hash
+ * @param algorithm - The hash algorithm to use (default: sha256)
+ * @returns Hash result with algorithm and digest
+ *
+ * @example
+ * ```ts
+ * const buffer = Buffer.from("hello world");
+ * const result = hashBuffer(buffer);
+ * ```
+ */
+export declare function hashBuffer(buffer: Buffer, algorithm?: HashAlgorithm): HashResult;
+/**
+ * Hash a file using streaming to support large files
+ *
+ * @param filePath - Path to the file to hash
+ * @param options - Hashing options including algorithm and progress callback
+ * @returns Promise resolving to hash result
+ *
+ * @throws Error if file doesn't exist or cannot be read
+ *
+ * @example
+ * ```ts
+ * const result = await hashFile("/path/to/file.txt", {
+ *   algorithm: "sha256",
+ *   onProgress: (read, total) => {
+ *     console.log(`${(read / total * 100).toFixed(1)}% complete`);
+ *   }
+ * });
+ * ```
+ */
+export declare function hashFile(filePath: string, options?: FileHashOptions): Promise<HashResult>;
+//# sourceMappingURL=hash.d.ts.map

package/dist/hash.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../src/hash.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAE1E;;;;;;;;;;;;GAYG;AACH,wBAAgB,WAAW,CACzB,OAAO,EAAE,MAAM,GAAG,MAAM,EACxB,SAAS,GAAE,aAAwB,GAClC,UAAU,CASZ;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,GAAE,aAAwB,GAAG,UAAU,CAE1F;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,QAAQ,CAC5B,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,UAAU,CAAC,CA6CrB"}

package/dist/hash.js

@@ -0,0 +1,104 @@
+/**
+ * Hash utilities for content integrity verification
+ */
+import { createHash } from "node:crypto";
+import { createReadStream, statSync } from "node:fs";
+/**
+ * Hash a string or buffer using the specified algorithm
+ *
+ * @param content - The content to hash
+ * @param algorithm - The hash algorithm to use (default: sha256)
+ * @returns Hash result with algorithm and digest
+ *
+ * @example
+ * ```ts
+ * const result = hashContent("hello world");
+ * console.log(result.digest); // "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"
+ * ```
+ */
+export function hashContent(content, algorithm = "sha256") {
+    const hash = createHash(algorithm);
+    hash.update(content);
+    const digest = hash.digest("hex");
+    return {
+        algorithm,
+        digest,
+    };
+}
+/**
+ * Hash a buffer directly
+ *
+ * @param buffer - The buffer to hash
+ * @param algorithm - The hash algorithm to use (default: sha256)
+ * @returns Hash result with algorithm and digest
+ *
+ * @example
+ * ```ts
+ * const buffer = Buffer.from("hello world");
+ * const result = hashBuffer(buffer);
+ * ```
+ */
+export function hashBuffer(buffer, algorithm = "sha256") {
+    return hashContent(buffer, algorithm);
+}
+/**
+ * Hash a file using streaming to support large files
+ *
+ * @param filePath - Path to the file to hash
+ * @param options - Hashing options including algorithm and progress callback
+ * @returns Promise resolving to hash result
+ *
+ * @throws Error if file doesn't exist or cannot be read
+ *
+ * @example
+ * ```ts
+ * const result = await hashFile("/path/to/file.txt", {
+ *   algorithm: "sha256",
+ *   onProgress: (read, total) => {
+ *     console.log(`${(read / total * 100).toFixed(1)}% complete`);
+ *   }
+ * });
+ * ```
+ */
+export async function hashFile(filePath, options = {}) {
+    const { algorithm = "sha256", onProgress } = options;
+    // Validate file exists and get size
+    let fileSize;
+    try {
+        const stats = statSync(filePath);
+        if (!stats.isFile()) {
+            throw new Error(`Path is not a file: ${filePath}`);
+        }
+        fileSize = stats.size;
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            throw new Error(`Failed to access file: ${error.message}`);
+        }
+        throw error;
+    }
+    return new Promise((resolve, reject) => {
+        const hash = createHash(algorithm);
+        const stream = createReadStream(filePath);
+        let bytesRead = 0;
+        stream.on("data", (chunk) => {
+            hash.update(chunk);
+            const chunkSize = typeof chunk === "string" ? Buffer.byteLength(chunk) : chunk.length;
+            bytesRead += chunkSize;
+            if (onProgress) {
+                onProgress(bytesRead, fileSize);
+            }
+        });
+        stream.on("end", () => {
+            const digest = hash.digest("hex");
+            resolve({
+                algorithm,
+                digest,
+            });
+        });
+        stream.on("error", (error) => {
+            reject(new Error(`Failed to read file: ${error.message}`));
+        });
+    });
+}
+//# sourceMappingURL=hash.js.map

package/dist/hash.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash.js","sourceRoot":"","sources":["../src/hash.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAa,UAAU,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAGrD;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,WAAW,CACzB,OAAwB,EACxB,YAA2B,QAAQ;IAEnC,MAAM,IAAI,GAAS,UAAU,CAAC,SAAS,CAAC,CAAC;IACzC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACrB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAElC,OAAO;QACL,SAAS;QACT,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,UAAU,CAAC,MAAc,EAAE,YAA2B,QAAQ;IAC5E,OAAO,WAAW,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;AACxC,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,QAAgB,EAChB,UAA2B,EAAE;IAE7B,MAAM,EAAE,SAAS,GAAG,QAAQ,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAErD,oCAAoC;IACpC,IAAI,QAAgB,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACjC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,uBAAuB,QAAQ,EAAE,CAAC,CAAC;QACrD,CAAC;QACD,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC;IACxB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,0BAA0B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7D,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;IAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,IAAI,GAAS,UAAU,CAAC,SAAS,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,SAAS,GAAG,CAAC,CAAC;QAElB,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAsB,EAAE,EAAE;YAC3C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnB,MAAM,SAAS,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC;YACtF,SAAS,IAAI,SAAS,CAAC;YAEvB,IAAI,UAAU,EAAE,CAAC;gBACf,UAAU,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YAClC,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACpB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAClC,OAAO,CAAC;gBACN,SAAS;gBACT,MAAM;aACP,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAY,EAAE,EAAE;YAClC,MAAM,CAAC,IAAI,KAAK,CAAC,wBAAwB,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAC7D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * @enactprotocol/trust
+ *
+ * Sigstore integration, attestation generation/verification,
+ * and trust system for Enact.
+ */
+export declare const version = "0.1.0";
+export { hashContent, hashBuffer, hashFile } from "./hash";
+export { generateKeyPair, isValidPEMKey, getKeyTypeFromPEM } from "./keys";
+export * from "./sigstore";
+export type { HashAlgorithm, HashResult, FileHashOptions, KeyType, KeyFormat, KeyPair, KeyGenerationOptions, } from "./types";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,OAAO,UAAU,CAAC;AAG/B,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAG3D,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAG3E,cAAc,YAAY,CAAC;AAG3B,YAAY,EACV,aAAa,EACb,UAAU,EACV,eAAe,EACf,OAAO,EACP,SAAS,EACT,OAAO,EACP,oBAAoB,GACrB,MAAM,SAAS,CAAC"}

package/dist/index.js

@@ -0,0 +1,14 @@
+/**
+ * @enactprotocol/trust
+ *
+ * Sigstore integration, attestation generation/verification,
+ * and trust system for Enact.
+ */
+export const version = "0.1.0";
+// Hash utilities
+export { hashContent, hashBuffer, hashFile } from "./hash";
+// Key management
+export { generateKeyPair, isValidPEMKey, getKeyTypeFromPEM } from "./keys";
+// Sigstore integration (attestation signing, verification, trust policies)
+export * from "./sigstore";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAE/B,iBAAiB;AACjB,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAE3D,iBAAiB;AACjB,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAE3E,2EAA2E;AAC3E,cAAc,YAAY,CAAC"}

package/dist/keys.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Key management utilities for cryptographic operations
+ */
+import type { KeyGenerationOptions, KeyPair, KeyType } from "./types";
+/**
+ * Generate a new cryptographic key pair
+ *
+ * @param options - Key generation options
+ * @returns Generated key pair with public and private keys
+ *
+ * @example
+ * ```ts
+ * // Generate RSA key pair
+ * const rsaKeys = generateKeyPair({
+ *   type: "rsa",
+ *   modulusLength: 2048
+ * });
+ *
+ * // Generate Ed25519 key pair
+ * const ed25519Keys = generateKeyPair({
+ *   type: "ed25519"
+ * });
+ * ```
+ */
+export declare function generateKeyPair(options: KeyGenerationOptions): KeyPair;
+/**
+ * Validate a PEM-formatted key
+ *
+ * @param key - The key to validate (public or private)
+ * @param expectedType - Expected key type (public or private)
+ * @returns True if key is valid PEM format
+ */
+export declare function isValidPEMKey(key: string, expectedType?: "public" | "private"): boolean;
+/**
+ * Parse key type from a PEM key string
+ *
+ * @param key - PEM-formatted key string
+ * @returns Detected key type or undefined if cannot be determined
+ */
+export declare function getKeyTypeFromPEM(key: string): KeyType | undefined;
+//# sourceMappingURL=keys.d.ts.map

package/dist/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../src/keys.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,oBAAoB,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAEtE;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAiBtE;AA2DD;;;;;;GAMG;AACH,wBAAgB,aAAa,CAC3B,GAAG,EAAE,MAAM,EACX,YAAY,GAAE,QAAQ,GAAG,SAAqB,GAC7C,OAAO,CAUT;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAyBlE"}

package/dist/keys.js

@@ -0,0 +1,130 @@
+/**
+ * Key management utilities for cryptographic operations
+ */
+import { generateKeyPairSync } from "node:crypto";
+/**
+ * Generate a new cryptographic key pair
+ *
+ * @param options - Key generation options
+ * @returns Generated key pair with public and private keys
+ *
+ * @example
+ * ```ts
+ * // Generate RSA key pair
+ * const rsaKeys = generateKeyPair({
+ *   type: "rsa",
+ *   modulusLength: 2048
+ * });
+ *
+ * // Generate Ed25519 key pair
+ * const ed25519Keys = generateKeyPair({
+ *   type: "ed25519"
+ * });
+ * ```
+ */
+export function generateKeyPair(options) {
+    const { type, format = "pem", modulusLength = 2048, passphrase } = options;
+    const keyPairOptions = getKeyPairOptions(type, modulusLength, format, passphrase);
+    const nodeKeyType = getNodeKeyType(type);
+    // TypeScript has very strict overloads for generateKeyPairSync
+    // We use any here as we've validated the types through our own KeyType
+    // biome-ignore lint/suspicious/noExplicitAny: Node.js crypto API has complex overloads
+    const { publicKey, privateKey } = generateKeyPairSync(nodeKeyType, keyPairOptions);
+    return {
+        publicKey: publicKey.toString(),
+        privateKey: privateKey.toString(),
+        type,
+        format,
+    };
+}
+/**
+ * Convert our KeyType to Node.js crypto key type
+ */
+function getNodeKeyType(type) {
+    switch (type) {
+        case "rsa":
+            return "rsa";
+        case "ed25519":
+            return "ed25519";
+        case "ecdsa":
+            return "ec";
+    }
+}
+/**
+ * Get key pair generation options for Node.js crypto
+ */
+function getKeyPairOptions(type, modulusLength, format, passphrase) {
+    const baseOptions = {
+        publicKeyEncoding: {
+            type: "spki",
+            format,
+        },
+        privateKeyEncoding: {
+            type: "pkcs8",
+            format,
+            ...(passphrase && {
+                cipher: "aes-256-cbc",
+                passphrase,
+            }),
+        },
+    };
+    // Add type-specific options
+    if (type === "rsa") {
+        return {
+            ...baseOptions,
+            modulusLength,
+        };
+    }
+    if (type === "ecdsa") {
+        return {
+            ...baseOptions,
+            namedCurve: "prime256v1", // Also known as secp256r1 or P-256
+        };
+    }
+    // Ed25519 doesn't need additional options
+    return baseOptions;
+}
+/**
+ * Validate a PEM-formatted key
+ *
+ * @param key - The key to validate (public or private)
+ * @param expectedType - Expected key type (public or private)
+ * @returns True if key is valid PEM format
+ */
+export function isValidPEMKey(key, expectedType = "private") {
+    if (expectedType === "public") {
+        return key.includes("-----BEGIN PUBLIC KEY-----") && key.includes("-----END PUBLIC KEY-----");
+    }
+    return ((key.includes("-----BEGIN PRIVATE KEY-----") && key.includes("-----END PRIVATE KEY-----")) ||
+        (key.includes("-----BEGIN ENCRYPTED PRIVATE KEY-----") &&
+            key.includes("-----END ENCRYPTED PRIVATE KEY-----")));
+}
+/**
+ * Parse key type from a PEM key string
+ *
+ * @param key - PEM-formatted key string
+ * @returns Detected key type or undefined if cannot be determined
+ */
+export function getKeyTypeFromPEM(key) {
+    // Check if it's a valid PEM key first
+    if (!isValidPEMKey(key, "private") && !isValidPEMKey(key, "public")) {
+        return undefined;
+    }
+    // Check for explicit algorithm markers
+    if (key.includes("RSA")) {
+        return "rsa";
+    }
+    // Length-based heuristic (RSA keys are much longer)
+    // RSA 2048: ~1700 chars, RSA 4096: ~3200 chars
+    // Ed25519: ~120 chars
+    // ECDSA P-256: ~200-300 chars
+    if (key.length > 1000) {
+        return "rsa";
+    }
+    if (key.length < 200) {
+        return "ed25519";
+    }
+    // ECDSA falls somewhere in between
+    return "ecdsa";
+}
+//# sourceMappingURL=keys.js.map

package/dist/keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.js","sourceRoot":"","sources":["../src/keys.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAGlD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,eAAe,CAAC,OAA6B;IAC3D,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,KAAK,EAAE,aAAa,GAAG,IAAI,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAE3E,MAAM,cAAc,GAAG,iBAAiB,CAAC,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;IAClF,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IAEzC,+DAA+D;IAC/D,uEAAuE;IACvE,uFAAuF;IACvF,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,WAAkB,EAAE,cAAqB,CAAC,CAAC;IAEjG,OAAO;QACL,SAAS,EAAE,SAAS,CAAC,QAAQ,EAAE;QAC/B,UAAU,EAAE,UAAU,CAAC,QAAQ,EAAE;QACjC,IAAI;QACJ,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,IAAa;IACnC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,KAAK;YACR,OAAO,KAAK,CAAC;QACf,KAAK,SAAS;YACZ,OAAO,SAAS,CAAC;QACnB,KAAK,OAAO;YACV,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CACxB,IAAa,EACb,aAAqB,EACrB,MAA6B,EAC7B,UAAmB;IAEnB,MAAM,WAAW,GAA4B;QAC3C,iBAAiB,EAAE;YACjB,IAAI,EAAE,MAAM;YACZ,MAAM;SACP;QACD,kBAAkB,EAAE;YAClB,IAAI,EAAE,OAAO;YACb,MAAM;YACN,GAAG,CAAC,UAAU,IAAI;gBAChB,MAAM,EAAE,aAAa;gBACrB,UAAU;aACX,CAAC;SACH;KACF,CAAC;IAEF,4BAA4B;IAC5B,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,OAAO;YACL,GAAG,WAAW;YACd,aAAa;SACd,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACrB,OAAO;YACL,GAAG,WAAW;YACd,UAAU,EAAE,YAAY,EAAE,mCAAmC;SAC9D,CAAC;IACJ,CAAC;IAED,0CAA0C;IAC1C,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAC3B,GAAW,EACX,eAAqC,SAAS;IAE9C,IAAI,YAAY,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,GAAG,CAAC,QAAQ,CAAC,4BAA4B,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,0BAA0B,CAAC,CAAC;IAChG,CAAC;IAED,OAAO,CACL,CAAC,GAAG,CAAC,QAAQ,CAAC,6BAA6B,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,2BAA2B,CAAC,CAAC;QAC1F,CAAC,GAAG,CAAC,QAAQ,CAAC,uCAAuC,CAAC;YACpD,GAAG,CAAC,QAAQ,CAAC,qCAAqC,CAAC,CAAC,CACvD,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAW;IAC3C,sCAAsC;IACtC,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,QAAQ,CAAC,EAAE,CAAC;QACpE,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,uCAAuC;IACvC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,oDAAoD;IACpD,+CAA+C;IAC/C,sBAAsB;IACtB,8BAA8B;IAC9B,IAAI,GAAG,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;QACtB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACrB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,mCAAmC;IACnC,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/sigstore/attestation.d.ts

@@ -0,0 +1,245 @@
+/**
+ * Attestation generation module
+ *
+ * This module provides functions for creating in-toto attestations and SLSA provenance
+ * statements that can be signed using Sigstore.
+ */
+import type { EnactToolPredicate, InTotoStatement, InTotoSubject, SLSAProvenancePredicate, SLSAResourceDescriptor } from "./types";
+/**
+ * The primary Enact website/registry URL
+ * Used for attestation types, tool URLs, and documentation references
+ */
+export declare const ENACT_BASE_URL = "https://enact.tools";
+/** in-toto statement type */
+export declare const INTOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1";
+/** SLSA Provenance predicate type v1.0 */
+export declare const SLSA_PROVENANCE_TYPE = "https://slsa.dev/provenance/v1";
+/** Enact tool attestation predicate type */
+export declare const ENACT_TOOL_TYPE = "https://enact.tools/attestation/tool/v1";
+/** Enact audit attestation predicate type */
+export declare const ENACT_AUDIT_TYPE = "https://enact.tools/attestation/audit/v1";
+/** Enact build type for SLSA provenance */
+export declare const ENACT_BUILD_TYPE = "https://enact.tools/build/v1";
+/**
+ * Create an in-toto subject from content
+ *
+ * @param name - The subject name (e.g., file path or artifact identifier)
+ * @param content - The content to hash
+ * @returns The in-toto subject with sha256 digest
+ *
+ * @example
+ * ```ts
+ * const subject = createSubjectFromContent("tool.yaml", yamlContent);
+ * // { name: "tool.yaml", digest: { sha256: "abc123..." } }
+ * ```
+ */
+export declare function createSubjectFromContent(name: string, content: string | Buffer): InTotoSubject;
+/**
+ * Create an in-toto subject from a file
+ *
+ * @param name - The subject name (can differ from file path)
+ * @param filePath - Path to the file to hash
+ * @returns Promise resolving to the in-toto subject
+ *
+ * @example
+ * ```ts
+ * const subject = await createSubjectFromFile("my-tool@1.0.0", "/path/to/tool.yaml");
+ * ```
+ */
+export declare function createSubjectFromFile(name: string, filePath: string): Promise<InTotoSubject>;
+/**
+ * Create an in-toto subject with multiple digest algorithms
+ *
+ * @param name - The subject name
+ * @param content - The content to hash
+ * @returns Subject with both sha256 and sha512 digests
+ */
+export declare function createSubjectWithMultipleDigests(name: string, content: string | Buffer): InTotoSubject;
+/**
+ * Create a generic in-toto statement
+ *
+ * @param subjects - The subjects (artifacts) covered by this attestation
+ * @param predicateType - The predicate type URI
+ * @param predicate - The predicate content
+ * @returns The in-toto statement
+ *
+ * @example
+ * ```ts
+ * const statement = createStatement(
+ *   [subject],
+ *   "https://example.com/predicate/v1",
+ *   { customField: "value" }
+ * );
+ * ```
+ */
+export declare function createStatement<T>(subjects: InTotoSubject[], predicateType: string, predicate: T): InTotoStatement<T>;
+/**
+ * Options for creating SLSA provenance
+ */
+export interface SLSAProvenanceOptions {
+    /** Build type URI (e.g., "https://enact.tools/build/v1") */
+    buildType: string;
+    /** Builder ID (e.g., "https://github.com/enact-dev/enact-cli") */
+    builderId: string;
+    /** External parameters (inputs to the build) */
+    externalParameters?: Record<string, unknown>;
+    /** Internal parameters (builder-controlled) */
+    internalParameters?: Record<string, unknown>;
+    /** Source dependencies */
+    resolvedDependencies?: SLSAResourceDescriptor[];
+    /** Build invocation ID */
+    invocationId?: string;
+    /** Build start time */
+    startedOn?: Date;
+    /** Build finish time */
+    finishedOn?: Date;
+}
+/**
+ * Create a SLSA provenance predicate
+ *
+ * @param options - Provenance options
+ * @returns The SLSA provenance predicate
+ *
+ * @example
+ * ```ts
+ * const provenance = createSLSAProvenance({
+ *   buildType: "https://enact.tools/build/v1",
+ *   builderId: "https://github.com/enact-dev/enact-cli@v2.0.0",
+ *   externalParameters: {
+ *     manifestPath: "tool.yaml"
+ *   }
+ * });
+ * ```
+ */
+export declare function createSLSAProvenance(options: SLSAProvenanceOptions): SLSAProvenancePredicate;
+/**
+ * Create a SLSA provenance statement for an artifact
+ *
+ * @param subjects - The artifacts to attest
+ * @param options - Provenance options
+ * @returns The complete in-toto statement with SLSA provenance
+ */
+export declare function createSLSAProvenanceStatement(subjects: InTotoSubject[], options: SLSAProvenanceOptions): InTotoStatement<SLSAProvenancePredicate>;
+/**
+ * Options for creating an Enact tool attestation
+ */
+export interface EnactToolAttestationOptions {
+    /** Tool name */
+    name: string;
+    /** Tool version */
+    version: string;
+    /** Tool publisher identity (email or URI) */
+    publisher: string;
+    /** Tool description */
+    description?: string;
+    /** Tool repository URL */
+    repository?: string;
+    /** Build timestamp */
+    buildTimestamp?: Date;
+    /** Build environment info */
+    buildEnvironment?: Record<string, string>;
+    /** Source commit SHA */
+    sourceCommit?: string;
+    /** Bundle hash (for remote signing) */
+    bundleHash?: string;
+}
+/**
+ * Create an Enact tool attestation predicate
+ *
+ * @param options - Tool attestation options
+ * @returns The Enact tool predicate
+ *
+ * @example
+ * ```ts
+ * const toolPredicate = createEnactToolPredicate({
+ *   name: "my-tool",
+ *   version: "1.0.0",
+ *   publisher: "user@example.com",
+ *   description: "A useful tool"
+ * });
+ * ```
+ */
+export declare function createEnactToolPredicate(options: EnactToolAttestationOptions): EnactToolPredicate;
+/**
+ * Create an Enact tool attestation statement
+ *
+ * @param manifestContent - The tool manifest content
+ * @param options - Tool attestation options
+ * @returns The complete in-toto statement for the tool
+ */
+export declare function createEnactToolStatement(manifestContent: string | Buffer, options: EnactToolAttestationOptions): InTotoStatement<EnactToolPredicate>;
+/**
+ * Options for creating an Enact audit attestation
+ */
+export interface EnactAuditAttestationOptions {
+    /** Tool name being audited */
+    toolName: string;
+    /** Tool version being audited */
+    toolVersion: string;
+    /** Auditor identity (email or URI) */
+    auditor: string;
+    /** Audit result */
+    result: "passed" | "passed-with-warnings" | "failed";
+    /** Audit timestamp */
+    timestamp?: Date;
+    /** Audit notes */
+    notes?: string;
+}
+/**
+ * Audit predicate structure
+ */
+export interface EnactAuditPredicate {
+    type: typeof ENACT_AUDIT_TYPE;
+    tool: {
+        name: string;
+        version: string;
+    };
+    audit: {
+        auditor: string;
+        timestamp: string;
+        result: "passed" | "passed-with-warnings" | "failed";
+        notes?: string;
+    };
+}
+/**
+ * Create an Enact audit attestation predicate
+ *
+ * @param options - Audit attestation options
+ * @returns The Enact audit predicate
+ */
+export declare function createEnactAuditPredicate(options: EnactAuditAttestationOptions): EnactAuditPredicate;
+/**
+ * Create an Enact audit attestation statement
+ *
+ * @param manifestContent - The tool manifest content being audited
+ * @param options - Audit attestation options
+ * @returns The complete in-toto statement for the audit
+ */
+export declare function createEnactAuditStatement(manifestContent: string | Buffer, options: EnactAuditAttestationOptions): InTotoStatement<EnactAuditPredicate>;
+/**
+ * Create a SLSA resource descriptor for a file
+ *
+ * @param filePath - Path to the file
+ * @param options - Additional descriptor options
+ * @returns Promise resolving to the resource descriptor
+ */
+export declare function createResourceDescriptorFromFile(filePath: string, options?: {
+    uri?: string;
+    name?: string;
+    downloadLocation?: string;
+    mediaType?: string;
+}): Promise<SLSAResourceDescriptor>;
+/**
+ * Create a SLSA resource descriptor from content
+ *
+ * @param content - The content
+ * @param options - Descriptor options
+ * @returns The resource descriptor
+ */
+export declare function createResourceDescriptorFromContent(content: string | Buffer, options?: {
+    uri?: string;
+    name?: string;
+    downloadLocation?: string;
+    mediaType?: string;
+}): SLSAResourceDescriptor;
+//# sourceMappingURL=attestation.d.ts.map

package/dist/sigstore/attestation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../../src/sigstore/attestation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EACV,kBAAkB,EAClB,eAAe,EACf,aAAa,EACb,uBAAuB,EACvB,sBAAsB,EACvB,MAAM,SAAS,CAAC;AAMjB;;;GAGG;AACH,eAAO,MAAM,cAAc,wBAAwB,CAAC;AAEpD,6BAA6B;AAC7B,eAAO,MAAM,qBAAqB,oCAAoC,CAAC;AAEvE,0CAA0C;AAC1C,eAAO,MAAM,oBAAoB,mCAAmC,CAAC;AAErE,4CAA4C;AAC5C,eAAO,MAAM,eAAe,4CAA0C,CAAC;AAEvE,6CAA6C;AAC7C,eAAO,MAAM,gBAAgB,6CAA2C,CAAC;AAEzE,2CAA2C;AAC3C,eAAO,MAAM,gBAAgB,iCAA+B,CAAC;AAM7D;;;;;;;;;;;;GAYG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,aAAa,CAQ9F;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,CAAC,CAQxB;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAC9C,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,GAAG,MAAM,GACvB,aAAa,CAWf;AAMD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,eAAe,CAAC,CAAC,EAC/B,QAAQ,EAAE,aAAa,EAAE,EACzB,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,CAAC,GACX,eAAe,CAAC,CAAC,CAAC,CAOpB;AAMD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;IAClB,kEAAkE;IAClE,SAAS,EAAE,MAAM,CAAC;IAClB,gDAAgD;IAChD,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,+CAA+C;IAC/C,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,0BAA0B;IAC1B,oBAAoB,CAAC,EAAE,sBAAsB,EAAE,CAAC;IAChD,0BAA0B;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,uBAAuB;IACvB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,wBAAwB;IACxB,UAAU,CAAC,EAAE,IAAI,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,qBAAqB,GAAG,uBAAuB,CAwC5F;AAED;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAC3C,QAAQ,EAAE,aAAa,EAAE,EACzB,OAAO,EAAE,qBAAqB,GAC7B,eAAe,CAAC,uBAAuB,CAAC,CAG1C;AAMD;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,gBAAgB;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,mBAAmB;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,uBAAuB;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,0BAA0B;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sBAAsB;IACtB,cAAc,CAAC,EAAE,IAAI,CAAC;IACtB,6BAA6B;IAC7B,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,wBAAwB;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,uCAAuC;IACvC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,2BAA2B,GAAG,kBAAkB,CAmCjG;AAED;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CACtC,eAAe,EAAE,MAAM,GAAG,MAAM,EAChC,OAAO,EAAE,2BAA2B,GACnC,eAAe,CAAC,kBAAkB,CAAC,CAIrC;AAMD;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,8BAA8B;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,iCAAiC;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,mBAAmB;IACnB,MAAM,EAAE,QAAQ,GAAG,sBAAsB,GAAG,QAAQ,CAAC;IACrD,sBAAsB;IACtB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,kBAAkB;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,OAAO,gBAAgB,CAAC;IAC9B,IAAI,EAAE;QACJ,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,KAAK,EAAE;QACL,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,QAAQ,GAAG,sBAAsB,GAAG,QAAQ,CAAC;QACrD,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,4BAA4B,GACpC,mBAAmB,CAmBrB;AAED;;;;;;GAMG;AACH,wBAAgB,yBAAyB,CACvC,eAAe,EAAE,MAAM,GAAG,MAAM,EAChC,OAAO,EAAE,4BAA4B,GACpC,eAAe,CAAC,mBAAmB,CAAC,CAOtC;AAMD;;;;;;GAMG;AACH,wBAAsB,gCAAgC,CACpD,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE;IACP,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;CACf,GACL,OAAO,CAAC,sBAAsB,CAAC,CAejC;AAED;;;;;;GAMG;AACH,wBAAgB,mCAAmC,CACjD,OAAO,EAAE,MAAM,GAAG,MAAM,EACxB,OAAO,GAAE;IACP,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;CACf,GACL,sBAAsB,CAexB"}